Downloads |
Table Of Contents
Layer 2 Tunnel Protocol Version 3
Prerequisites for Layer 2 Tunnel Protocol Version 3
Restrictions for Layer 2 Tunnel Protocol Version 3
Supported Port Adapters for the Cisco 7200 Series and Cisco 7500 Series Routers
Cisco 7200 Series-Specific Restrictions
Cisco 7500 Series-Specific Restrictions
Cisco 10720-Specific Restrictions
Cisco 12000 Series-Specific Restrictions
Frame Relay-Specific Restrictions
ATM VP Mode Single Cell Relay over L2TPv3 Restrictions
ATM AAL5 SDU over L2TPv3 and Single Cell Relay VC Mode over L2TPv3 Restrictions
ATM Port Mode Cell Relay over L2TPv3 Restrictions
ATM Cell Packing over L2TPv3 Restrictions
Protocol Demultiplexing for L2TPv3 Restrictions
L2TPv3 Control Message Hashing Restrictions
L2TPv3 Digest Secret Graceful Switchover Restrictions
Quality of Service Restrictions in L2TPv3 Tunneling
Information About Layer 2 Tunnel Protocol Version 3
Pseudowire Control Encapsulation
L2TPv3 Type of Service Marking
L2TPv3 Control Message Hashing
L2TPv3 Control Message Rate Limiting
L2TPv3 Digest Secret Graceful Switchover
Manual Clearing of L2TPv3 Tunnels
L2TPv3 and UTI Feature Comparison
IEEE 802.1QinQ and QinAny VLAN
How to Configure Layer 2 Tunnel Protocol Version 3
Configuring L2TP Control Channel Parameters
Configuring L2TP Control Channel Timing Parameters
Configuring L2TPv3 Control Channel Authentication Parameters
Configuring L2TP Control Channel Maintenance Parameters
Configuring the L2TPv3 Pseudowire
Configuring the Xconnect Attachment Circuit
Manually Configuring L2TPv3 Session Parameters
Configuring the Xconnect Attachment Circuit for ATM VP Mode Single Cell Relay over L2TPv3
Configuring the Xconnect Attachment Circuit for ATM Single Cell Relay VC Mode over L2TPv3
Configuring the Xconnect Attachment Circuit for ATM Port Mode Cell Relay over L2TPv3
Configuring the Xconnect Attachment Circuit for ATM Cell Packing over L2TPv3
Configuring Port Mode ATM Cell Packing over L2TPv3
Configuring VP Mode ATM Cell Packing over L2TPv3
Configuring VC Mode ATM Cell Packing over L2TPv3
Configuring the Xconnect Attachment Circuit for ATM AAL5 SDU Mode over L2TPv3
Configuring ATM AAL5 SDU Mode over L2TPv3 in ATM VC Configuration Mode
Configuring ATM AAL5 SDU Mode over L2TPv3 in VC Class Configuration Mode
Configuring OAM Local Emulation for ATM AAL5 over L2TPv3
Configuring OAM Local Emulation for ATM AAL5 over L2TPv3 in ATM VC Configuration Mode
Configuring OAM Local Emulation for ATM AAL5 over L2TPv3 in VC Class Configuration Mode
Configuring Protocol Demultiplexing for L2TPv3
Configuring Protocol Demultiplexing for Ethernet Interfaces
Configuring Protocol Demultiplexing for Frame Relay Interfaces
Manually Clearing L2TPv3 Tunnels
Configuration Examples for Layer 2 Tunnel Protocol Version 3
Configuring a Static L2TPv3 Session for an Xconnect Ethernet Interface: Example
Configuring a Negotiated L2TPv3 Session for an Xconnect VLAN Subinterface: Example
Configuring a Negotiated L2TPv3 Session for Local HDLC Switching: Example
Verifying an L2TPv3 Session: Example
Verifying an L2TP Control Channel: Example
Configuring L2TPv3 Control Channel Authentication: Examples
Configuring L2TPv3 Digest Secret Graceful Switchover: Example
Verifying L2TPv3 Digest Secret Graceful Switchover: Example
Configuring a Pseudowire Class for Fragmentation of IP Packets: Example
Configuring ATM VP Mode Single Cell Relay over L2TPv3: Example
Verifying ATM VP Mode Single Cell Relay over L2TPv3 Configuration: Example
Configuring ATM Single Cell Relay VC Mode over L2TPv3: Example
Verifying ATM Single Cell Relay VC Mode over L2TPv3: Example
Configuring ATM Port Mode Cell Relay over L2TPv3: Example
Configuring ATM Cell Packing over L2TPv3: Examples
Configuring ATM AAL5 SDU Mode over L2TPv3: Examples
Verifying ATM AAL5 SDU Mode over L2TPv3 Configuration: Examples
Configuring OAM Local Emulation for ATM AAL5 over L2TPv3: Examples
Verifying OAM Local Emulation for ATM AAL5 over L2TPv3 Configuration: Examples
Configuring Protocol Demultiplexing for L2TPv3: Examples
Manually Clearing an L2TPv3 Tunnel: Example
Configuring Frame Relay DLCI-to-DLCI Switching: Example
Configuring Frame Relay Trunking: Example
Configuring QoS for L2TPv3 on the Cisco 7500 Series: Example
Configuring QoS for L2TPv3 on the Cisco 12000 Series: Examples
Configuring QoS on a Frame Relay Interface in a TSC-Based L2TPv3 Tunnel Session
Configuring Traffic Policing on an ISE Interface in a Native L2TPv3 Tunnel Session
Configuring Tunnel Marking in a Native L2TPv3 Tunnel Session
Configuring Traffic Shaping in a Native L2TPv3 Tunnel Session
Configuring a QoS Policy for Committed Information Rate Guarantees: Example
Setting the Frame Relay DE Bit Configuration: Example
Matching the Frame Relay DE Bit Configuration: Example
Configuring MLFR for L2TPv3 on the Cisco 12000 Series: Example
Configuring an MQC for Committed Information Rate Guarantees: Example
snmp-server enable traps l2tun session
Layer 2 Tunnel Protocol Version 3
The Layer 2 Tunnel Protocol Version 3 feature expands on Cisco support of the Layer 2 Tunnel Protocol Version 3 (L2TPv3). L2TPv3 is an Internet Engineering Task Force (IETF) l2tpext working group draft that provides several enhancements to L2TP for the capability to tunnel any Layer 2 payload over L2TP. Specifically, L2TPv3 defines the L2TP protocol for tunneling Layer 2 payloads over an IP core network using Layer 2 virtual private networks (VPNs). Benefits of this feature include the following:
•
L2TPv3 simplifies deployment of VPNs
•
•
History for the L2TPv3 Feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
•
•
•
•
Prerequisites for Layer 2 Tunnel Protocol Version 3
•
•
•
Restrictions for Layer 2 Tunnel Protocol Version 3
The following subsections contain information on restrictions:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Supported Port Adapters for the Cisco 7200 Series and Cisco 7500 Series Routers
L2TPv3 is supported on the following port adapters in the Cisco 7200 series and Cisco 7500 series routers:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
L2TPv3 is supported on the following port adapters for the Cisco 7200 series routers only:
•
•
General L2TPv3 Restrictions
•
•
•
When L2TPv3 is used to tunnel Frame Relay D channel data-link connection identifiers (DLCIs), an IDB is not required for each circuit. As a result, the memory requirements are much lower. The scalability targets for the Engineering Field Test (EFT) program are 4000 L2TP session.
•
•
•
•
•
•
Cisco 7200 Series-Specific Restrictions
•
•
•
Cisco 7500 Series-Specific Restrictions
•
•
•
•
Cisco 10720-Specific Restrictions
•
•
•
•
You can also configure a LAN interface as the IP local interface so that the tunnel control session is tied to an operational LAN (Gigabit Ethernet or Fast Ethernet) interface or subinterface. However, in this case, the tunnel control plane is used only as long as the Gigabit Ethernet or Fast Ethernet interface is operational.
Cisco 12000 Series-Specific Restrictions
Tunnel Server Card Versus Native L2TPv3 Implementation
On the Cisco 12000 series Internet router, L2TPv3 is implemented in two different ways:
•
•
Different combinations of engine types are supported as customer-facing and backbone-facing line cards for encapsulation and decapsulation in L2TPv3 tunneling.
L2TPv3 Encapsulation
When a Layer 2 packet arrives on a customer-facing interface, if the interface is bound to an L2TPv3 tunnel, L2TPv3 encapsulation is supported as follows:
•
•
A backbone-facing line card of any engine type sends the packet across the service provider backbone network.
L2TPv3 Decapsulation
When an L2TPv3 packet arrives on a backbone-facing interface, L2TPv3 decapsulation is supported as follows:
•
–
–
•
–
–
Note
- The customer-facing line card is Engine-2 or an earlier engine line card.
- The customer-facing line card is ISE and the backbone-facing line card is non-ISE.
In these cases, packets received on the backbone-facing interface are dropped. A warning message, "L2TPv3 decapsulation packet dropped", is logged.Cisco 12000 Series Line Cards—General Restrictions
•
•
•
•
–
–
–
•
•
Engine 2 and Earlier Engine-Specific Restrictions
•
•
To configure the server card, you must enter the ip unnumbered command and configure the IP address on the PoS interface of the server card before you configure hardware modules. Then enter the hw-module slot slot-number mode server command.
This initial configuration makes the server card IP-aware for backbones requiring an Address Resolution Protocol (ARP) to be generated by the line card. The backbone types that require this configuration are Ethernet and Spatial Reuse Protocol (SRP).
This configuration is also a requirement for session keepalives. The interface port of the server card is automatically set to loopback internal and no keepalives when the hw-module slot slot-number mode server command is configured.
Note
•
•
•
•
•
•
•
•
•
•
•
•
•
–
–
IP Services Engine-Specific Restrictions
•
To configure the feature mode, enter the hw-module slot slot-number np mode feature command. You cannot unconfigure the feature mode on a customer-facing ISE line card until all L2TPv3 Xconnect attachment circuits on the line card are removed.
A backbone-facing ISE line card can operate in any mode and no special feature mode configuration is required.
•
•
–
–
Table 1 ISE Interfaces Supported in a Native L2TPv3 Tunnel Session
•
•
This means that if you enter the ip pmtu command to enable the discovery of a path maximum transmission unit (PMTU) for L2TPv3 traffic, and a customer IP packet exceeds the PMTU, IP fragmentation is not performed on the IP packet before L2TPv3 encapsulation. These packets are dropped.
•
Table 2 L2TPv3 Features Supported in a Native L2TPv3 Session
Native L2TPv3 tunneling (fast-path)
Native L2TPv3 tunneling supports the same L2TPv3 features that are supported by server card-based L2TPv3 tunneling (see the "L2TPv3 Features" section), except that IP packet fragmentation is not supported.
4-port OC-3 POS ISE
8-port OC-3 POS ISE
16-port OC-3 POS ISE
4-port OC-12 POS ISE
1-port OC-48 POS ISE
4-port OC-3 ATM ISE
4-port OC-12 ATM ISE
1-port Channelized OC-12 (DS1) ISEL2TP class and pseudowire class configuration
You can create an L2TP template of L2TP control channel parameters that can be inherited by different pseudowire classes configured on a PE router.
You can also configure a pseudowire template of L2TPv3 session-level parameters that can be used to configure the transport Layer 2 traffic over an Xconnect attachment circuit.
See the sections "Configuring L2TP Control Channel Parameters" and "Configuring the L2TPv3 Pseudowire."
4-port OC-3 POS ISE
8-port OC-3 POS ISE
16-port OC-3 POS ISE
4-port OC-12 POS ISE
1-port OC-48 POS ISE
4-port OC-3 ATM ISE
4-port OC-12 ATM ISE
1-port Channelized OC-12 (DS1) ISEFrame Relay DLCI-to-DLCI tunneling
Frame Relay DLCIs are connected to create an end-to-end Frame Relay PVC. Traffic arriving on a DLCI on one interface is forwarded across an L2TPv3 tunnel to another DLCI on the other interface.
See "DLCI-to-DLCI Switching" in the "Frame Relay" section.
4-port OC-3 POS ISE
8-port OC-3 POS ISE
16-port OC-3 POS ISE
4-port OC-12 POS ISE
1-port OC-48 POS ISE
1-port Channelized OC-12 (DS1) ISEATM single cell and packed cell relay: VC mode
Each VC is mapped to a single L2TPv3 tunnel session. The following ATM cell relay modes are supported:
•
•
See the "ATM" section.
4-port OC-3 ATM ISE
4-port OC-12 ATM ISEATM single cell and packed cell relay: VP mode
ATM cells arriving into a predefined PVP on the ATM interface are transported to a predefined PVP on the egress ATM interface. The following ATM cell relay modes are supported:
•
•
See the "ATM" section.
4-port OC-3 ATM ISE
4-port OC-12 ATM ISEATM single cell relay and packed cell relay: Port mode
ATM cells arriving at an ingress ATM interface are encapsulated into L2TPv3 data packets and transported to the egress ATM interface.The following ATM cell relay modes are supported:
•
•
See the "ATM" section.
4-port OC-3 ATM ISE
4-port OC-12 ATM ISEATM AAL5 PVC tunneling
The ATM AAL5 payload of an AAL5 PVC is mapped to a single L2TPv3 session.
See "ATM AAL5" in the "ATM" section.
4-port OC-3 ATM ISE
4-port OC-12 ATM ISEOAM emulation mode for ATM AAL5
OAM local emulation mode for ATM AAL5 payloads is supported. Instead of being passed through the pseudowire, OAM cells are terminated and handled locally. On the L2TPv3-based pseudowire, the CE device sends an SLI message across the pseudowire to notify the peer PE node about the defect, rather than tearing down the session.
See "ATM AAL5 over L2TPv3: OAM Local Emulation Mode" in the "ATM" section.
4-port OC-3 ATM ISE
4-port OC-12 ATM ISEOAM transparent mode for ATM AAL5
OAM transparent mode for ATM AAL5 payloads is supported. The PE routers pass OAM cells transparently across the L2TPv3 tunnel.
See "ATM AAL5 over L2TPv3: OAM Transparent Mode" in the "ATM" section.
4-port OC-3 ATM ISE
4-port OC-12 ATM ISEL2TPv3 tunnel marking and traffic policing on the following types of ISE ingress interfaces, when bound to a native L2TPv3 tunnel session:
- ATM
- Frame Relay DLCIsThe following "conform," "exceed," and "violate" values for the action argument are supported for the police command when QoS policies are configured on an ISE ingress interface bound to a native L2TPv3 tunnel.
The set commands can also be used to set (or mark) the IP precedence or DSCP value in the tunnel header of a L2TPv3 tunneled packet on an ingress interface.
conform-action actions:
set-prec-tunnel
set-dscp-tunnel
transmitexceed-action actions:
drop
set-clp (ATM only)
set-dscp-tunnel
set-dscp-tunnel and set-clp (ATM only)
set-dscp-tunnel and set-frde
(Frame Relay only)
set-frde (Frame Relay only)
set-prec-tunnel
set-prec-tunnel and set-clp (ATM only)
set-prec-tunnel and set-frde
(Frame Relay only)
transmitviolate-action actions:
drop
See "QoS: Tunnel Marking for L2TPv3 Tunnels" for information about how to use the L2TPv3 tunnel marking and traffic policing features on on Engine 2 (and earlier engine) interfaces bound to a TSC-based L2TPv3 tunnel session.
4-port OC-3 POS ISE
8-port OC-3 POS ISE
16-port OC-3 POS ISE
4-port OC-12 POS ISE
1-port OC-48 POS ISE
4-port OC-3 ATM ISE
4-port OC-12 ATM ISE
1-port Channelized OC-12 (DS1) ISEDual rate, 3-Color Marker for traffic policing on Frame Relay DLCIs of ISE ingress interfaces, when bound to a native L2TPv3 tunnel session1
The dual rate, 3-Color Marker in color-aware and color-blind modes, as defined in RFC 2698 for traffic policing, is supported on ingress ISE interfaces to classify packets.
See "QoS: Color-Aware Policer" for more information about this feature.
4-port OC-3 POS ISE
8-port OC-3 POS ISE
16-port OC-3 POS ISE
4-port OC-12 POS ISE
1-port OC-48 POS ISE
1-port Channelized OC-12 (DS1) ISETraffic shaping on ATM and Frame Relay ISE egress interfaces
Traffic shaping on ATM and Frame Relay egress interfaces based on class map configuration is supported.
Traffic shaping is supported on ATM egress interfaces for the following service categories:
•
•
•
•
See "Traffic Shaping on ATM Line Cards for the Cisco 12000 Series."
4-port OC-3 POS ISE
8-port OC-3 POS ISE
16-port OC-3 POS ISE
4-port OC-12 POS ISE
1-port OC-48 POS ISE
4-port OC-3 ATM ISE
4-port OC-12 ATM ISE
1-port Channelized OC-12 (DS1) ISE
1 Although the dual-rate, 3-Color Marker policer is not supported on ATM ISE interfaces, the ATM Forum Traffic Management Version 4.1-compliant Generic Cell Rate Algorithm (GCRA) policer is supported. The GCRA policer uses rate, peak rate, delay tolerance, and ATM maximum burst size, and supports the following options:
- set-dscp-tunnel
- set-dscp-tunnel and set-clp-transmit
- set-prec-tunnel
- set-prec-tunnel and set-clp-transmit2 Note that VBR-rt and CBR share the same high priority shaping. ATM traffic shaping restricts traffic to the maximum rate configured on an ATM VC or PVP with due priority among the respective service categories.
You can configure queue limits for an ATM VC or PVP. The queue limits are dual thresholds in which two different thresholds can be configured for CLP=1 cells and CLP0+1 cells. The CLP1 threshold must be lower than the queue limit threshold so that CLP=1 cells are dropped earlier than CLP=0 cells when packets start to fill the queue.
Frame Relay-Specific Restrictions
•
•
•
•
•
•
•
•
•
•
VLAN-Specific Restrictions
•
•
•
ATM VP Mode Single Cell Relay over L2TPv3 Restrictions
•
•
ATM AAL5 SDU over L2TPv3 and Single Cell Relay VC Mode over L2TPv3 Restrictions
•
•
•
•
•
ATM Port Mode Cell Relay over L2TPv3 Restrictions
•
•
•
ATM Cell Packing over L2TPv3 Restrictions
•
•
Protocol Demultiplexing for L2TPv3 Restrictions
•
•
•
•
•
•
•
•
L2TPv3 Control Message Hashing Restrictions
•
•
L2TPv3 Digest Secret Graceful Switchover Restrictions
•
•
Quality of Service Restrictions in L2TPv3 Tunneling
Quality of service (QoS) policies configured with the modular QoS command-line interface (MQC) are supported in L2TPv3 tunnel sessions with the following restrictions:
Frame Relay Interface (Non-ISE)
•
•
–
•
•
•
•
•
•
–
•
–
•
•
•
- With both a low latency (priority) queue and class-default queue configured. (The low latency queue is supported only in combination with the class-default queue, and cannot be configured with normal distributed round robin (DRR) queues.)
- Without a low latency queue configured. (In this case, only six queues are supported, including the class-default queue.)
•
For an example, see Configuring QoS on a Frame Relay Interface in a TSC-Based L2TPv3 Tunnel Session.
IP Services Engine (ISE) Interface
On the Cisco 12000 series, a QoS policy is supported in native L2TPv3 tunnel sessions on ISE interfaces (see Table 2 for a list of supported line cards) with the following restrictions:
•
conform-action actions:
set-prec-tunnel
set-dscp-tunnel
transmitexceed-action actions:
drop
set-clp (ATM only)
set-dscp-tunnel
set-dscp-tunnel and set-clp (ATM only)
set-dscp-tunnel and set-frde (Frame Relay only)
set-frde (Frame Relay only)
set-prec-tunnel
set-prec-tunnel and set-clp (ATM only)
set-prec-tunnel and set-frde (Frame Relay only)
transmitviolate-action actions:
drop•
–
–
–
–
–
•
–
•
Second priority: VBR-nrt (variable bit rate nonreal-time)
Highest priority: VBR-rt (VBR real time)
Highest priority: CBR (constant bit rate)•
•
–
set-dscp-tunnel
set-dscp-tunnel and set-clp-transmit
set-prec-tunnel
set-prec-tunnel and set-clp-transmitFor detailed information about QoS configuration tasks and command syntax, refer to:
•
•
Information About Layer 2 Tunnel Protocol Version 3
To configure the Layer 2 Tunnel Protocol Version 3 feature, you must understand the following concepts:
•
Migration from UTI to L2TPv3
UTI is a Cisco proprietary protocol that offers a simple high-speed transparent Layer 2-to-Layer 2 service over an IP backbone. The UTI protocol lacks the signaling capability and standards support necessary for large-scale commercial service. To begin to answer the need for a standard way to provide large-scale VPN connectivity over an IP core network, limited migration from UTI to L2TPv3 was introduced in Cisco IOS Release 12.0(21)S. The L2TPv3 feature in Cisco IOS Release 12.0(23)S introduced a more robust version of L2TPv3 to replace UTI.
As described in the section "L2TPv3 Header Description," the UTI data header is identical to the L2TPv3 header but with no sequence numbers and an 8-byte cookie. By manually configuring an L2TPv3 session using an 8-byte cookie (see the section "Manually Configuring L2TPv3 Session Parameters") and by setting the IP protocol number of outgoing data packets to 120 (as described in the section "Configuring the L2TPv3 Pseudowire"), you can ensure that a PE running L2TPv3 may interoperate with a peer PE running UTI. However, because UTI does not define a signaling plane, dynamically established L2TPv3 sessions cannot interoperate with UTI.
When a customer upgrades from a pre-L2TPv3 Cisco IOS release to a post-L2TPv3 release, an internal UTI-to-Xconnect command-line interface (CLI) migration utility will automatically convert the UTI commands to Xconnect and pseudowire class configuration commands without the need for any user intervention. After the CLI migration, the UTI commands that were replaced will not be available. The old-style UTI CLI will be hidden from the user.
Note
L2TPv3 Operation
L2TPv3 provides similar and enhanced services to replace the current UTI implementation, including the following features:
•
•
The initial Cisco IOS Release 12.0(23)S features supported only the following features:
•
•
•
•
The attachment circuit is the physical interface or subinterface attached to the pseudowire.
Figure 1 shows an example of how the L2TPv3 feature is used for setting up VPNs using Layer 2 tunneling over an IP network. All traffic between two customer network sites is encapsulated in IP packets carrying L2TP data messages and sent across an IP network. The backbone routers of the IP network treat the traffic as any other IP traffic and need not know anything about the customer networks.
Figure 1 L2TPv3 Operation
In Figure 1, the PE routers R1 and R2 provide L2TPv3 services. The R1 and R2 routers communicate with each other using a pseudowire over the IP backbone network through a path comprising the interfaces int1 and int2, the IP network, and interfaces int3 and int4.
In this example, the CE routers R3 and R4 communicate through a pair of Xconnect Ethernet or 802.1q VLAN interfaces using an L2TPv3 session. The L2TPv3 session tu1 is a pseudowire configured between interface int1 on R1 and interface int4 on R2. Any packet arriving on interface int1 on R1 is encapsulated and sent via the pseudowire control channel (tu1) to R2. R2 decapsulates the packet and sends it on interface int4 to R4. When R4 needs to send a packet to R3, the packet follows the same path in reverse.
Please note the following features regarding L2TPv3 operation:
•
•
•
Benefits of Using L2TPv3
L2TPv3 Simplifies Deployment of VPNs
L2TPv3 is an industry-standard Layer 2 tunneling protocol that ensures interoperability among vendors, increasing customer flexibility and service availability.
L2TPv3 Does Not Require MPLS
With L2TPv3 service providers need not deploy MPLS in the core IP backbone to set up VPNs using L2TPv3 over the IP backbone, resulting in operational savings and increased revenue.
L2TPv3 Supports Layer 2 Tunneling over IP for Any Payload
L2TPv3 provides enhancements to L2TP to support Layer 2 tunneling of any payload over an IP core network. L2TPv3 defines the base L2TP protocol as being separate from the Layer 2 payload that is tunneled.
L2TPv3 Header Description
The migration from UTI to L2TPv3 also requires the standardization of the UTI header. As a result, the L2TPv3 header has the new format shown in Figure 2.
Figure 2
L2TPv3 Header Format
Each L2TPv3 packet contains an L2TPv3 header that includes a unique session ID representing one session and a variable cookie length. The L2TPv3 session ID and the Tunnel Cookie field length are assigned via the CLI. See the section "How to Configure Layer 2 Tunnel Protocol Version 3" for more information on the CLI commands for L2TPv3.
Session ID
The L2TPv3 session ID is similar to the UTI session ID, and identifies the session context on the decapsulating system. For dynamic sessions, the value of the session ID is selected to optimize the context identification efficiency of the decapsulating system. A decapsulation implementation may therefore elect to support a smaller session ID bit field. In this L2TPv3 implementation, an upper value for the L2TPv3 session ID was set at 023. The L2TPv3 session ID value 0 is reserved for use by the protocol. For static sessions, the session ID is manually configured.
Note
Session Cookie
The L2TPv3 header contains a control channel cookie field that is similar to the UTI control channel key field. The control channel cookie field, however, has a variable length of 0, 4, or 8 bytes according to the cookie length supported by a given platform for packet decapsulation. The control channel cookie length can be manually configured for static sessions, or dynamically determined for dynamic sessions.
The variable cookie length does not present a problem when the same platform is at both ends of an L2TPv3 control channel. However, when different platforms interoperate across an L2TPv3 control channel, both platforms need to encapsulate packets with a 4-byte cookie length.
Pseudowire Control Encapsulation
The L2TPv3 pseudowire control encapsulation consists of 32 bits (4 bytes) and contains information used to sequence L2TP packets (see the section "Sequencing") and to distinguish AAL5 data and OAM cells for AAL5 SDU mode over L2TPv3. For the purposes of sequencing, only the first bit and bits 8 to 31 are relevant.
Bit 1 indicates whether the Sequence Number field, bits 8 to 31, contains a valid sequence number and is to be updated.
L2TPv3 Features
L2TPv3 provides Xconnect support for Ethernet, 802.1q (VLAN), Frame Relay, HDLC, and PPP, using the sessions described in the following sections:
•
•
L2TPv3 also includes support for the features described in the following sections:
•
•
•
•
•
Static L2TPv3 Sessions
Typically, the L2TP control plane is responsible for negotiating session parameters, such as the session ID or the cookie, in order to set up the session. However, some IP networks require sessions to be configured so that no signaling is required for session establishment. You can, therefore, set up static L2TPv3 sessions for a PE router by configuring fixed values for the fields in the L2TP data header. A static L2TPv3 session allows the PE to tunnel Layer 2 traffic as soon as the attachment circuit to which the session is bound comes up.
Note
When you use a static L2TPv3 session, you cannot perform circuit interworking, such as LMI, because there is no facility to exchange control messages. To perform circuit interworking, you must use a dynamic session.
Dynamic L2TPv3 Sessions
A dynamic L2TP session is established through the exchange of control messages containing attribute-value pairs (AVPs). Each AVP contains information about the nature of the Layer 2 link being forwarded: the payload type, virtual circuit (VC) ID, and so on.
Multiple L2TP sessions (one for each forwarded Layer 2 circuit) can exist between a pair of PEs, and can be maintained by a single control channel. Session IDs and cookies are dynamically generated and exchanged as part of a dynamic session setup. Information such as sequencing configuration is also exchanged. Circuit state changes (UP/DOWN) are conveyed using the set link info (SLI) message.
Sequencing
Although the correct sequence of received Layer 2 frames is guaranteed by some Layer 2 technologies (by the nature of the link, such as a serial line) or the protocol itself, forwarded Layer 2 frames may be lost, duplicated, or reordered when they traverse a network as IP packets. If the Layer 2 protocol does not provide an explicit sequencing mechanism, you can configure L2TP to sequence its data packets according to the data channel sequencing mechanism described in the L2TPv3 IETF l2tpext working group draft.
A receiver of L2TP data packets mandates sequencing through the Sequencing Required AVP when the session is being negotiated. A sender that receives this AVP (or that is manually configured to send sequenced packets) uses the Layer 2-specific pseudowire control encapsulation defined in L2TPv3.
Currently, you can configure L2TP only to drop out-of-order packets; you cannot configure L2TP to deliver the packets out-of-order. No reordering mechanism is available.
Cisco IOS Software Release 12.0(28)S introduces support for L2TPv3 distributed sequencing on the Cisco 7500 series routers.
Local Switching
Local switching (from one port to another port in the same router) is supported for both static and dynamic sessions. You must configure separate IP addresses for each Xconnect statement.
See the section "Configuration Examples for Layer 2 Tunnel Protocol Version 3" for an example of how to configure local port switching.
Distributed Switching
Distributed CEF switching is supported for L2TP on the Cisco 7500 series routers.
Note
IP Packet Fragmentation
It is desirable to avoid fragmentation issues in the service provider network because reassembly is computationally expensive. The easiest way to avoid fragmentation issues is to configure the CE routers with an path maximum transmission unit (MTU) value that is smaller than the pseudowire path MTU. However, in scenarios where this is not an option, fragmentation issues must be considered. L2TP initially supported only the following options for packet fragmentation when a packet is determined to exceed the L2TP path MTU:
•
•
•
Cisco IOS Release 12.0(24)S introduced the ability to allow IP traffic from the CE router to be fragmented before the data enters the pseudowire, forcing the computationally expensive reassembly to occur in the CE network rather than in the service provider network. The number of fragments that must be generated is determined based on the discovered pseudowire path MTU. The original Layer 2 header is then copied to each of the generated fragments, the L2TP/IP encapsulation is added, and the frames are then forwarded. This feature will be implicitly enabled whenever the ip pmtu command is enabled in the pseudowire class. It will be applied to any packets received from the CE network that have a Don't Fragment (DF) bit set to 0 and that exceed the L2TP path MTU in size.
Support for the fragmentation of IP packets before the data enters the pseudowire was introduced on the Cisco 7200 series and Cisco 7500 series routers in Cisco IOS Release 12.0(24)S.
L2TPv3 Type of Service Marking
When Layer 2 traffic is tunneled across an IP network, information contained in the ToS bits may be transferred to the L2TP-encapsulated IP packets in one of the following ways:
•
•
See the section "Configuring a Negotiated L2TPv3 Session for Local HDLC Switching: Example" for more information about how to configure ToS information.
Keepalive
The keepalive mechanism for L2TPv3 extends only to the endpoints of the tunneling protocol. L2TP has a reliable control message delivery mechanism that serves as the basis for the keepalive mechanism. The keepalive mechanism consists of an exchange of L2TP hello messages.
If a keepalive mechanism is required, the control plane is used, although it may not be used to bring up sessions. You can manually configure sessions.
In the case of static L2TPv3 sessions, a control channel between the two L2TP peers is negotiated through the exchange of start control channel request (SCCRQ), start control channel replay (SCCRP), and start control channel connected (SCCCN) control messages. The control channel is responsible only for maintaining the keepalive mechanism through the exchange of hello messages.
The interval between hello messages is configurable per control channel. If one peer detects that the other has gone down through the keepalive mechanism, it sends a StopCCN control message and then notifies all of the pseudowires to the peer about the event. This notification results in the teardown of both manually configured and dynamic sessions.
MTU Handling
It is important that you configure an MTU appropriate for a each L2TPv3 tunneled link. The configured MTU size ensures the following:
•
•
L2TPv3 handles the MTU as follows:
•
•
•
–
–
L2TPv3 Control Message Hashing
The L2TPv3 Control Message Hashing feature introduces a new and more secure authentication system that replaces the Challenge Handshake Authentication Protocol (CHAP)-like authentication system inherited from L2TPv2, which uses the Challenge and Challenge Response AVPs in the SCCRQ, SCCRP, and SCCCN messages.
The per-message authentication introduced by the L2TPv3 Control Message Hashing feature is designed to perform a mutual authentication between L2TP nodes, check integrity of all control messages, and guard against control message spoofing and replay attacks that would otherwise be trivial to mount against the network.
The L2TPv3 Control Message Hashing feature incorporates an optional authentication or integrity check for all control messages. The new authentication method uses a computed one-way hash over the header and body of the L2TP control message, a pre-configured shared secret that must be defined on communicating L2TP nodes, and a local and remote random value exchanged via the Nonce AVPs. Received control messages that lack any of the required security elements are dropped.
L2TPv3 control message integrity checking is a unidirectional mechanism that does not require the configuration of a shared secret. If integrity checking is enabled on the local PE router, control messages are sent with the message digest calculated without the shared secret or Nonce AVPs, and are verified by the remote PE router. If verification fails, the remote PE router drops the control message.
L2TPv3 Control Message Rate Limiting
Cisco IOS Release 12.0(29)S introduces the L2TPv3 Control Message Rate Limiting feature to counter the possibility of a denial-of-service attack on a router running L2TPv3. The L2TPv3 Control Message Rate Limiting feature limits the rate at which SCCRQ control packets arriving at the PE that terminates the L2TPv3 tunnel can be processed. SCCRQ control packets initiate the process of bringing up the L2TPv3 tunnel and require a large amount of the control plane resources of the PE router.
On distributed platforms, most control packet filtering will occur at the line card level, and the CPU of the RP will be minimally impacted even in a worst-case denial-of-service attack scenario. This feature will have minimal impact on the shared bus or switching fabric, which are typically the bottleneck of a router.
No configuration is required for the L2TPv3 Control Message Rate Limiting feature. This feature will automatically run in the background of Cisco IOS Release 12.0(29)S and subsequent releases.
L2TPv3 Digest Secret Graceful Switchover
Authentication of L2TPv3 control channel messages occurs using a password that is configured on all participating peer PE routers. In Cisco IOS releases prior to 12.0(30)S, changing this password requires removing the old password from the configuration before adding the new password, causing an interruption in L2TPv3 services.The authentication password must be updated on all peer PE routers, which are often at different physical locations. It is difficult for all peer PE routers be updated with the new password simultaneously to minimize interruptions in L2TPv3 services.
Cisco IOS Release 12.0(30)S introduces the L2TPv3 Digest Secret Graceful Switchover feature. This feature allows the password used to authenticate L2TPv3 control channel messages to be changed without tearing down established L2TPv3 tunnels. This feature works only for authentication passwords configured with the L2TPv3 Control Message Hashing feature. Authentication passwords configured with the older, CHAP-like authentication system cannot be updated without tearing down L2TPv3 tunnels.
The L2TPv3 Digest Secret Graceful Switchover feature allows two control channel passwords to be configured simultaneously, so a new control channel password can be enabled without first removing the old password. Established tunnels are rapidly updated with the new password, but will continue to use the old password until it is removed from the configuration. This allows authentication to continue normally with peer PE routers that have not yet been updated to use the new password. Once all peer PE routers have been configured with the new password, the old password can be removed from the configuration.
Manual Clearing of L2TPv3 Tunnels
Cisco IOS Release 12.0(30)S introduces the ability to clear L2TPv3 tunnels manually. In Cisco IOS releases prior to 12.0(30)S, no provision was made to manually clear a specific L2TPv3 tunnel at will. This functionality provides users more control over an L2TPv3 network.
L2TPv3 and UTI Feature Comparison
Table 3 compares L2TPv3 and UTI feature support for the Cisco 7200 and Cisco 7500 series routers.
Supported L2TPv3 Payloads
L2TPv3 supports the following Layer 2 payloads that can be included in L2TPv3 packets tunneled over the pseudowire:
•
•
•
•
Note
Frame Relay
L2TPv3 supports the Frame Relay functionality described in the following sections:
•
Port-to-Port Trunking
Port-to-port trunking is where two CE Frame Relay interfaces are connected as by a leased line (UTI "raw" mode). All traffic arriving on one interface is forwarded transparently across the pseudowire to the other interface.
For example, in Figure 1, if the two CE routers are connected by a virtual leased line, the PE routers transparently transport all packets between CE R3 and CE R4 over a pseudowire. PE R1 and PE R2 do not examine or change the DLCIs, and do not participate in the LMI protocol. The two CE routers are LMI peers. There is nothing Frame Relay-specific about this service as far as the PE routers are concerned. The CE routers should be able to use any encapsulation based on HDLC framing without needing to change the provider configuration.
DLCI-to-DLCI Switching
Frame Relay DLCI-to-DLCI switching is where individual Frame Relay DLCIs are connected to create an end-to-end Frame Relay PVC. Traffic arriving on a DLCI on one interface is forwarded across the pseudowire to another DLCI on the other interface.
For example, in Figure 1, CE R3 and PE R1 are Frame Relay LMI peers; CE R4 and PE R2 are also LMI peers. You can use a different type of LMI between CE R3 and PE R1 compared to what you use between CE R4 and PE R2.
The CE devices may be a Frame Relay switch or end-user device. Each Frame Relay PVC is composed of multiple segments. The DLCI value is local to each segment and is changed as traffic is switched from segment to segment. Note that, in Figure 1, two Frame Relay PVC segments are connected by a pseudowire. Frame Relay header flags (FECN, BECN, C/R, DE) are preserved across the pseudowire.
PVC Status Signaling
PVC status signaling is propagated toward Frame Relay end users by the LMI protocol. You can configure the LMI to operate in any of the following modes:
•
•
•
L2TPv3 supports all three modes.
The PVC status should be reported as ACTIVE only if the PVC is available from the reporting device to the Frame Relay end-user device. All interfaces, line protocols, and pseudowires must be operational between the reporting device and the Frame Relay end-user device.
Note that any keepalive functions on the session are independent of Frame Relay, but any state changes that are detected are fed into the PVC status reporting. For example, the L2TP control channel uses hello packets as a keepalive function. If the L2TPv3 keepalive fails, all L2TPv3 sessions are torn down. Loss of the session is notified to Frame Relay, which can then report PVCs INACTIVE to the CE devices.
For example, in Figure 1, CE R3 reports ACTIVE to PE R1 only if the PVC is available within CE R3. When CE R3 is a switch, it reports all the way to the user device in the customer network.
PE R1 reports ACTIVE to CE R3 only if the PVC is available within PE R1 and all the way to the end-user device (via PE R2 and CE R3) in the other customer VPN site.
The ACTIVE state is propagated hop-by-hop, independently in each direction, from one end of the Frame Relay network to the other end.
Sequencing
Frame Relay provides an ordered service in which packets sent to the Frame Relay network by one end-user device are delivered in order to the other end-user device. When switching is occurring over the pseudowire, packet ordering must be able to be preserved with a very high probability to closely emulate a traditional Frame Relay service. If the CE router is not using a protocol that can detect misordering itself, configuring sequence number processing may be important. For example, if the Layer 3 protocol is IP and Frame Relay is therefore used only for encapsulation, sequencing is not required. To detect misordering, you can configure sequence number processing separately for transmission or reception. For more information about how to configure sequencing, see the section "Configuring a Negotiated L2TPv3 Session for Local HDLC Switching: Example."
ToS Marking
The ToS bytes in the IP header can be statically configured or reflected from the internal IP header. The Frame Relay discard eligible (DE) bit does not influence the ToS bytes.
CIR Guarantees
In order to provide committed information rate (CIR) guarantees, you can configure a queueing policy that provides bandwidth to each DLCI to the interface facing the customer network on the egress PE.
Note
Binding L2TPv3 Sessions to Multilink Frame Relay Interfaces
The configuration of an L2TPv3 session on a Multilink Frame Relay (MLFR) bundle interface is supported only on Cisco 12000 series Two-Port Channelized OC-3/STM-1 (DS1/E1) and Six-Port Channelized T3 (T1) line cards.
The Multilink Frame Relay feature introduces functionality based on the Frame Relay Forum Multilink Frame Relay UNI/NNI Implementation Agreement (FRF.16). This feature provides a cost-effective way to increase bandwidth for particular applications by enabling multiple serial links to be aggregated into a single bundle of bandwidth.
For an example of how to configure L2TPv3 tunneling on a multilink Frame Relay bundle interface, see Configuring MLFR for L2TPv3 on the Cisco 12000 Series: Example.
For information about how configure and use the MLFR feature, refer to the Multilink Frame Relay (FRF.16) publication.
Ethernet
An Ethernet frame arriving at a PE router is simply encapsulated in its entirety with an L2TP data header. At the other end, a received L2TP data packet is stripped of its L2TP data header. The payload, an Ethernet frame, is then forwarded to the appropriate attachment circuit.
Because the L2TPv3 tunneling protocol serves essentially as a bridge, it need not examine any part of an Ethernet frame. Any Ethernet frame received on an interface is tunneled, and any L2TP-tunneled Ethernet frame is forwarded out the interface.
Note
802.1q (VLAN)
L2TPv3 supports VLAN membership in the following ways:
•
•
In L2TPv3, Ethernet Xconnect supports port-based VLAN membership and the reception of tagged Ethernet frames. A tagged Ethernet frame contains a tag header (defined in 802.1Q), which is 4 bytes long and consists of a 2-byte tag protocol identifier (TPID) field and a 2-byte tag control information (TCI) field. The TPID indicates that a TCI follows. The TCI is further broken down into the following three fields:
•
•
•
For L2TPv3, an Ethernet subinterface configured to support VLAN switching may be bound to an Xconnect service so that all Ethernet traffic, tagged with a VID specified on the subinterface, is tunneled to another PE. The VLAN Ethernet frames are forwarded in their entirety. The receiving PE may rewrite the VID of the tunneled traffic to another value before forwarding the traffic onto an attachment circuit.
To successfully rewrite VLANs, it may be necessary to disable the Spanning Tree Protocol (STP). This can be done on a per-VLAN basis by using the no spanning-tree vlan command.
Note
IEEE 802.1QinQ and QinAny VLAN
The purpose of the IEEE 802.1QinQ and QinAny VLAN tag is to expand the VLAN space by tagging the tagged packets to produce a double-tagged frame. In QinAny tag, the incoming packet is also doubled-tagged, where the user only specifies the outer tag explicitly and inner tag can be any number (i.e. 1-4095).
•
•
The Stacked VLAN Processing feature supports the encapsulation of IEEE 802.1Q VLAN tags within a second layer of 802.1Q tag on provider edge (PE) routers to allow service providers to use a single VLAN to support customers who have multiple VLANs. The core service-provider network carries traffic with double-tagged, stacked VLAN (802.1QinQ) headers of multiple customers while maintaining the VLAN and Layer 2 protocol configurations of each customer and without impacting the traffic of other customers. The Stacked VLAN Processing feature preserves VLAN IDs and keeps traffic in different customer VLANs segregated.
HDLC
L2TPv3 encapsulates an HDLC frame arriving at a PE in its entirety (including the Address, Control, and Protocol fields, but not the Flag fields and the frame check sequence) with an L2TP data header.
PPP
PEs that support L2TPv3 forward PPP traffic using a "transparent pass-through" model, in which the PEs play no role in the negotiation and maintenance of the PPP link. L2TPv3 encapsulates a PPP frame arriving at a PE in its entirety (including the HDLC Address and Control fields) with an L2TP data header.
ATM
L2TPv3 can connect two isolated ATM clouds over a packet-switched network (PSN) while maintaining an end-to-end ATM Service Level Agreement (SLA). The ATM Single Cell Relay features forward one ATM cell per packet. The ATM Cell Packing over L2TPv3 features allows multiple ATM frames to be packed into a single L2TPv3 data packet. All packets are transparently forwarded over the L2TPv3 pseudowire.
Note
Table 4 shows the releases that introduced support for the ATM cell relay features.
ATM VP Mode Single Cell Relay over L2TPv3
The ATM VP Mode Single Cell Relay over L2TPv3 feature allows cells coming into a predefined PVP on the ATM interface to be transported over an L2TPv3 pseudowire to a predefined PVP on the egress ATM interface. A single ATM cell is encapsulated into each L2TPv3 data packet.
ATM Single Cell Relay VC Mode over L2TPv3
The ATM Single Cell Relay VC mode over L2TPv3 feature maps one VC to a single L2TPv3 session. All ATM cells arriving at an ATM interface with the specified VPI and VCI are encapsulated into a single L2TP packet. Each ATM cell will have a 4-byte ATM cell header without Header Error Control Checksum (HEC) and a 48-byte ATM cell payload.
The ATM Single Cell Relay VC mode feature can be used to carry any type of AAL traffic over the pseudowire. It will not distinguish OAM cells from User data cells. In this mode, Performance and Security OAM cells are also transported over the pseudowire.
ATM Port Mode Cell Relay over L2TPv3
The ATM Port Mode Cell Relay over L2TPv3 feature packs ATM cells arriving at an ingress ATM interface into L2TPv3 data packets and transports them to the egress ATM interface. A single ATM cell is encapsulated into each L2TPv3 data packet.
ATM Cell Packing over L2TPv3
The ATM Cell Packing over L2TPv3 feature enhances throughput and uses bandwidth more efficiently than the ATM cell relay features. Instead of a single ATM cell being packed into each L2TPv3 data packet, multiple ATM cells can be packed into a single L2TPv3 data packet. ATM cell packing is supported for Port mode, VP mode, and VC mode. Cell packing must be configured on the PE devices. No configuration is required on the CE devices.
ATM AAL5 over L2TPv3
The ATM AAL5 over L2TPv3 feature maps the AAL5 payload of an AAL5 PVC to a single L2TPv3 session. This service will transport OAM and RM cells, but does not attempt to maintain the relative order of these cells with respect to the cells that comprise the AAL5 common part convergence sublayer protocol data unit (CPCS-PDU). OAM cells that arrive during the reassembly of a single AAL5 CPCS-PDU are sent immediately over the pseudowire, followed by the AAL5 payload without the AAL5 pad and trailer bytes.
VC Class Provisioning for L2TPv3
Beginning in Cisco IOS Release 12.0(30)S, ATM AAL5 encapsulation over L2TPv3 can be configured in VC class configuration mode in addition to ATM VC configuration mode. The ability to configure ATM encapsulation parameters in VC class configuration mode provides greater control and flexibility for AAL5 encapsulation configurations.
OAM Transparent Mode
In OAM transparent mode, the PEs will pass the following OAM cells transparently across the pseudowire:
•
•
Note
VPI or VPI/VCI rewrite is not supported for any ATM transport mode. Both pairs of PE to CE peer routers must be configured with matching VPI and VCI values except in OAM local emulation mode. For example, if PE1 and CE1 are connected by PVC 10/100, PE2 and CE2 should also be connected by PVC 10/100.
OAM Local Emulation Mode
In OAM Local Emulation mode, OAM cells are not passed through the pseudowire. All F5 OAM cells are terminated and handled locally. On the L2TPv3-based pseudowire, the CE device sends an SLI message across the pseudowire to notify the peer PE node about the defect, rather than tearing down the session. The defect can occur at any point in the link between the local CE and the PE. OAM management can also be enabled on the PE node using existing OAM management configurations.
In OAM local emulation mode only, the VPI/VCI values used for each pair of PE to CE routers need not match. PE1 and CE1 may be configured with one VPI/VCI value, and PE2 and CE2 may be configured with a different VPI/VCI value. For example, if PE1 and CE1 are connected by PVC 10/100, PE2 and CE2 may be connected by PVC 20/200.
IPv6 Protocol Demultiplexing
Upgrading a service provider network to support IPv6 is a long and expensive process. As an interim solution, the Protocol Demultiplexing for L2TPv3 feature introduces the ability to provide native IPv6 support by setting up a specialized IPv6 network and offloading IPv6 traffic from the IPv4 network. IPv6 traffic is transparently tunneled to the IPv6 network using L2TPv3 pseudowires without affecting the configuration of the CE routers. IPv4 traffic is routed as usual within the IPv4 network, maintaining the existing performance and reliability of the IPv4 network.
Figure 3 shows a network deployment that offloads IPv6 traffic from the IPv4 network to a specialized IPv6 network. The PE routers demultiplex the IPv6 traffic from the IPv4 traffic. IPv6 traffic is routed to the IPv6 network over an L2TPv3 pseudowire, while IPv4 traffic is routed normally. The IPv4 PE routers must be configured to demultiplex incoming IPv6 traffic from IPv4 traffic. The PE routers facing the IPv6 network do not require demultiplexing configuration.
Figure 3
Protocol Demultiplexing of IPv6 Traffic from IPv4 Traffic
IPv6 protocol demultiplexing is supported only for Ethernet and Frame Relay traffic in Cisco IOS Release 12.0(29)S. Protocol demultiplexing requires supporting the combination of an IP address and an xconnect command configuration on the IPv4 PE interface. This combination of configurations is not allowed without enabling protocol demultiplexing, with the exception of switched Frame Relay PVCs. If no IP address is configured, the protocol demultiplexing configuration is rejected. If an IP address is configured, the xconnect command configuration is rejected unless protocol demultiplexing is enabled in xconnect configuration mode before exiting that mode. If an IP address is configured with an xconnect command configuration and protocol demultiplexing enabled, the IP address cannot be removed. To change or remove the configured IP address, the xconnect command configuration must first be disabled.
Table 5 shows the valid combinations of configurations.
Table 5 Valid Configuration Scenarios
Routing
Yes
No
—
L2VPN
No
Yes
No
IPv6 Protocol Demultiplexing
Yes
Yes
Yes
How to Configure Layer 2 Tunnel Protocol Version 3
This section contains the following procedures:
•
•
•
•
•
•
•
•
•
•
•
•
Configuring L2TP Control Channel Parameters
The L2TP class configuration procedure creates a template of L2TP control channel parameters that can be inherited by different pseudowire classes. L2TP control channel parameters are used in control channel authentication, keepalive messages, and control channel negotiation. In an L2TPv3 session, the same L2TP class must be specified in the pseudowire configured on the PE router at each end of the control channel. Configuring L2TP control channel parameters is optional. However, the L2TP class must be configured before it is with associated a pseudowire class (see the section "Configuring the L2TPv3 Pseudowire").
The three main groups of L2TP control channel parameters that you can configure in an L2TP class are described in the following sections:
•
•
•
After you enter L2TP class configuration mode, you can configure L2TP control channel parameters in any order. If you have multiple authentication requirements you can configure multiple sets of L2TP class control channel parameters with different L2TP class names. However, only one set of L2TP class control channel parameters can be applied to a connection between any pair of IP addresses.
Configuring L2TP Control Channel Timing Parameters
The following L2TP control channel timing parameters can be configured in L2TP class configuration mode:
•
•
•
This task configures a set of timing control channel parameters in an L2TP class. All of the timing control channel parameter configurations are optional and may be configured in any order. If these parameters are not configured, the default values are applied.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring L2TPv3 Control Channel Authentication Parameters
Two methods of control channel message authentication are available in Cisco IOS Release 12.0(29)S. The L2TPv3 Control Message Hashing feature introduces a more robust authentication method than the older CHAP-style L2TP control channel method of authentication. You may choose to enable both methods of authentication to ensure interoperability with peers that support only one of these methods of authentication, but this configuration will yield control of which authentication method is used to the peer PE router. Enabling both methods of authentication should be considered an interim solution to solve backward-compatibility issues during software upgrades.
The principal difference between the L2TPv3 Control Message Hashing feature and CHAP-style L2TP control channel authentication is that, instead of computing the hash over selected contents of a received control message, the L2TPv3 Control Message Hashing feature uses the entire message in the hash. In addition, instead of including the hash digest in only the SCCRP and SCCCN messages, it includes it in all messages.
Support for the L2TPv3 Control Message Hashing feature is introduced in Cisco IOS Release 12.0(29)S. Support for L2TP control channel authentication is maintained for backward compatibility. Either or both authentication methods can be enabled to allow interoperability with peers supporting only one of the authentication methods.
Table 6 shows a compatibility matrix for the different L2TPv3 authentication methods. PE1 is running Cisco IOS 12.0(29)S, and the different possible authentication configurations for PE1 are shown in the first column. Each remaining column represents PE2 running software with different available authentication options, and the intersections indicate the different compatible configuration options for PE2. If any PE1/PE2 authentication configuration poses ambiguity on which method of authentication will be used, the winning authentication method is indicated in bold. If both the old and new authentication methods are enabled on PE1 and PE2, both types of authentication will occur.
Table 6 Compatibility Matrix for L2TPv3 Authentication Methods
None
None
None
New integrity check
None
New integrity check
Old authentication
Old authentication
—
Old authentication
Old authentication and new authentication
Old authentication and new integrity check
New authentication
—
New authentication
New authentication
Old authentication and new authentication
New integrity check
None
None
New integrity check
None
New integrity check
Old and new authentication
Old authentication
New authentication
Old authentication
New authentication
Old and new authentication
Old authentication and new integrity check
Old authentication and new integrity check
Old authentication
—
Old authentication
Old authentication and new authentication
Old authentication and new integrity check
1 Any PE software that supports only the old CHAP-like authentication system.
2 Any PE software that supports only the new message digest authentication and integrity checking authentication system, but does not understand the old CHAP-like authentication system. This type of software may be implemented by other vendors based on the latest L2TPv3 draft.
3 Any PE software that supports both the old CHAP-like authentication and the new message digest authentication and integrity checking authentication system, such as Cisco IOS 12.0(29)S or later releases.
Perform one or both of the following tasks to configure authentication parameters for the L2TPv3 control channel messages:
•
•
If you choose to configure authentication using the L2TPv3 Control Message Hashing feature, you may perform the following optional task:
•
Configuring Authentication for the L2TP Control Channel
The L2TP control channel method of authentication is the older, CHAP-like authentication system inherited from L2TPv2.
The following L2TP control channel authentication parameters can be configured in L2TP class configuration mode:
•
•
•
This task configures a set of authentication control channel parameters in an L2TP class. All of the authentication control channel parameter configurations are optional and may be configured in any order. If these parameters are not configured, the default values will be applied.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring L2TPv3 Control Message Hashing
The L2TPv3 Control Message Hashing feature introduced in Cisco IOS Release 12.0(29)S is a new authentication system that is more secure than the CHAP-style L2TP control channel method of authentication. L2TPv3 Control Message Hashing incorporates an optional authentication or integrity check for all control messages. This per-message authentication is designed to guard against control message spoofing and replay attacks that would otherwise be trivial to mount against the network.
Enabling the L2TPv3Control Message Hashing feature will impact performance during control channel and session establishment because additional digest calculation of the full message content is required for each sent and received control message. This is an expected trade-off for the additional security afforded by this feature. In addition, network congestion may occur if the receive window size is too small. If the L2TPv3 Control Message Hashing feature is enabled, message digest validation must be enabled. Message digest validation deactivates the data path received sequence number update and restricts the minimum local receive window size to 35.
You may choose to configure control channel authentication or control message integrity checking. Control channel authentication requires participation by both peers, and a shared secret must be configured on both routers. Control message integrity check is unidirectional, and requires configuration on only one of the peers.
This task configures L2TPv3 Control Message Hashing feature for an L2TP class.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
l2tp-class [l2tp-class-name]
Example:Router(config)# l2tp-class class1
Specifies the L2TP class name and enters L2TP class configuration mode.
•
Step 4
digest [secret [0 | 7] password] [hash {md5 | sha}]
Example:Router(config-l2tp-class)# digest secret cisco hash sha
(Optional) Enables L2TPv3 control channel authentication or integrity checking.
•
Note
•
–
–
•
•
–
–
The default hash function is md5.
Step 5
digest check
Example:Router(config-l2tp-class)# digest check
(Optional) Enables the validation of the message digest in received control messages.
•
Note
Step 6
hidden
Example:Router(config-l2tp-class)# hidden
(Optional) Enables AVP hiding when sending control messages to an L2TPv3 peer.
•
•
•
Note
Configuring L2TPv3 Digest Secret Graceful Switchover
L2TPv3 control channel authentication occurs using a password that is configured on all participating peer PE routers. The L2TPv3 Digest Secret Graceful Switchover feature allows a transition from an old control channel authentication password to a new control channel authentication password without disrupting established L2TPv3 tunnels. This feature was introduced in Cisco IOS Release 12.0(30)S.
During the period when both a new and an old password are configured, authentication will occur only with the new password if the attempt to authenticate using the old password fails.
Perform this task to make the transition from an old L2TPv3 control channel authentication password to a new L2TPv3 control channel authentication password without disrupting established L2TPv3 tunnels.
Prerequisites
Before performing this task, you must enable control channel authentication as documented in the task "Configuring L2TPv3 Control Message Hashing."
Restrictions
This task is not compatible with authentication passwords configured with the older, CHAP-like control channel authentication system.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
l2tp-class [l2tp-class-name]
Example:Router(config)# l2tp-class class1
Specifies the L2TP class name and enters L2TP class configuration mode.
•
Step 4
digest [secret [0 | 7] password] [hash {md5 | sha}]
Example:Router(config-l2tp-class)# digest secret cisco2 hash sha
Configures a new password to be used in L2TPv3 control channel authentication.
•
Note
Step 5
end
Example:Router(config-l2tp-class)# end
Ends your configuration session by exiting to privileged EXEC mode.
Step 6
show l2tun tunnel all
Example:Router# show l2tun tunnel all
(Optional) Displays the current state of L2TPv3 tunnels and displays information about currently configured tunnels, including local and remote L2TP hostnames, aggregate packet counts, and L2TP control channels.
•
Note
Step 7
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 8
l2tp-class [l2tp-class-name]
Example:Router(config)# l2tp-class class1
Specifies the L2TP class name and enters L2TP class configuration mode.
•
Step 9
no digest [secret [0 | 7] password] [hash {md5 | sha}]
Example:Router(config-l2tp-class)# no digest secret cisco hash sha
Removes the old password used in L2TPv3 control channel authentication.
Note
Step 10
end
Example:Router(config-l2tp-class)# end
Ends your configuration session by exiting to privileged EXEC mode.
Step 11
show l2tun tunnel all
Example:Router# show l2tun tunnel all
(Optional) Displays the current state of L2TPv3 tunnels and displays information about currently configured tunnels, including local and remote L2TP hostnames, aggregate packet counts, and L2TP control channels.
•
Note
Configuring L2TP Control Channel Maintenance Parameters
The L2TP hello packet keepalive interval control channel maintenance parameter can be configured in L2TP class configuration mode.
This task configures the interval used for hello messages in an L2TP class. This control channel parameter configuration is optional. If this parameter is not configured, the default value will be applied.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring the L2TPv3 Pseudowire
The pseudowire class configuration procedure creates a configuration template for the pseudowire. You use this template, or class, to configure session-level parameters for L2TPv3 sessions that will be used to transport attachment circuit traffic over the pseudowire.
The pseudowire configuration specifies the characteristics of the L2TPv3 signaling mechanism, including the data encapsulation type, the control protocol, sequencing, fragmentation, payload-specific options, and IP properties. The setting that determines if signaling is used to set up the pseudowire is also included.
For simple L2TPv3 signaling configurations on most platforms, pseudowire class configuration is optional. However, specifying a source IP address to configure a loopback interface is highly recommended. If you do not configure a loopback interface, the router will choose the best available local address, which could be any IP address configured on a core-facing interface. This configuration could prevent a control channel from being established. On the Cisco 12000 series Internet routers, specifying a source IP address is mandatory, and you should configure a loopback interface that is dedicated for the use of L2TPv3 sessions exclusively. If you do not configure other pseudowire class configuration commands, the default values are used.
Once you specify the encapsulation l2tpv3 command, you cannot remove it using the no encapsulation l2tpv3 command. Nor can you change the command's setting using the encapsulation mpls command. Those methods result in the following error message:
Encapsulation changes are not allowed on an existing pw-class.To remove the command, you must delete the pseudowire with the no pseudowire-class command. To change the type of encapsulation, remove the pseudowire with the no pseudowire-class command and re-establish the pseudowire and specify the new encapsulation type.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
pseudowire-class [pw-class-name]
Example:Router(config)# pseudowire-class etherpw
Enters pseudowire class configuration mode and optionally specifies the name of the L2TP pseudowire class.
Step 4
encapsulation l2tpv3
Example:Router(config-pw)# encapsulation l2tpv3
Specifies that L2TPv3 is used as the data encapsulation method to tunnel IP traffic.
Step 5
protocol {l2tpv3 | none}[l2tp-class-name]
Example:Router(config-pw)# protocol l2tpv3 class1
(Optional) Specifies the L2TPv3 signaling protocol to be used to manage the pseudowires created with the control channel parameters in the specified L2TP class (see the section "Configuring L2TP Control Channel Parameters").
•
•
Step 6
ip local interface interface-name
Example:Router(config-pw)# ip local interface e0/0
Specifies the PE router interface whose IP address is to be used as the source IP address for sending tunneled packets.
•
Note
Step 7
ip pmtu
Example:Router(config-pw)# ip pmtu
(Optional) Enables the discovery of the path MTU for tunneled traffic.
•
Note
•
Note
Step 8
ip tos {value value | reflect}
Example:Router(config-pw)# ip tos reflect
(Optional) Configures the value of the ToS byte in IP headers of tunneled packets, or reflects the ToS byte value from the inner IP header.
•
Step 9
ip dfbit set
Example:Router(config-pw)# ip dfbit set
(Optional) Configures the value of the DF bit in the outer headers of tunneled packets.
•
Step 10
ip ttl value
Example:Router(config-pw)# ip ttl 100
(Optional) Configures the value of the time to live (TTL) byte in the IP headers of tunneled packets.
•
Step 11
ip protocol {l2tp | uti | protocol-number}
Example:Router(config-pw)# ip protocol uti
(Optional) Configures the IP protocol to be used for tunneling packets.
•
Step 12
sequencing {transmit | receive | both}
Example:Router(config-pw)# sequencing both
(Optional) Specifies the direction in which sequencing of data packets in a pseudowire is enabled:
•
•
•
Configuring the Xconnect Attachment Circuit
This configuration procedure binds an Ethernet, 802.1q VLAN, or Frame Relay attachment circuit to an L2TPv3 pseudowire for Xconnect service. The virtual circuit identifier that you configure creates the binding between a pseudowire configured on a PE router and an attachment circuit in a CE device. The virtual circuit identifier configured on the PE router at one end of the L2TPv3 control channel must also be configured on the peer PE router at the other end.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
interface type slot/port
Example:Router(config)# interface ethernet 0/0
Specifies the interface by type (for example, Ethernet) and slot and port number, and enters interface configuration mode.
Step 4
xconnect peer-ip-address vcid pseudowire-parameters [sequencing {transmit | receive | both}]
Example:Router(config-if)# xconnect 10.0.3.201 123 pw-class vlan-xconnect
Specifies the IP address of the peer PE router and the 32-bit virtual circuit identifier shared between the PE at each end of the control channel.
•
•
–
•
•
•
–
•
•
Note
Note
•
Manually Configuring L2TPv3 Session Parameters
When you bind an attachment circuit to an L2TPv3 pseudowire for Xconnect service using the xconnect l2tpv3 manual command (see the section "Configuring the Xconnect Attachment Circuit") because you do not want signaling, you must then configure L2TP-specific parameters to complete the L2TPv3 control channel configuration.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
interface type slot/port
Example:Router(config)# interface ethernet 0/0
Specifies the interface by type (for example, Ethernet) and slot and port number, and enters interface configuration mode.
Step 4
xconnect peer-ip-address vc-id encapsulation l2tpv3 manual pw-class pw-class-name
Example:Router(config-if)# xconnect 10.0.3.201 123 encapsulation l2tpv3 manual pw-class vlan-xconnect
Specifies the IP address of the peer PE router and the 32-bit virtual circuit identifier shared between the PE at each end of the control channel.
•
•
•
Step 5
l2tp id local-session-id remote-session-id
Example:Router(config-if-xconn)# l2tp id 222 111
Configures the identifiers for the local L2TPv3 session and for the remote L2TPv3 session on the peer PE router.
•
Step 6
l2tp cookie local size low-value [high-value]
Example:Router(config-if-xconn)# l2tp cookie local 4 54321
(Optional) Specifies the value that the peer PE must include in the cookie field of incoming (received) L2TP packets.
•
•
Step 7
l2tp cookie remote size low-value [high-value]
Example:Router(config-if-xconn)# l2tp cookie remote 4 12345
(Optional) Specifies the value that the router includes in the cookie field of outgoing (sent) L2TP packets.
•
•
Step 8
l2tp hello l2tp-class-name
Example:Router(config-if-xconn)# l2tp hello l2tp-defaults
(Optional) Specifies the L2TP class name to use (see the section "Configuring L2TP Control Channel Parameters") for control channel configuration parameters, including the interval to use between hello keepalive messages.
Note
Configuring the Xconnect Attachment Circuit for ATM VP Mode Single Cell Relay over L2TPv3
The ATM VP Mode Single Cell Relay over L2TPv3 feature allows cells coming into a predefined PVP on the ATM interface to be transported over an L2TPv3 pseudowire to a predefined PVP on the egress ATM interface. This task binds a PVP to an L2TPv3 pseudowire for Xconnect service.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring the Xconnect Attachment Circuit for ATM Single Cell Relay VC Mode over L2TPv3
The ATM Single Cell Relay VC Mode over L2TPv3 feature maps one VCC to a single L2TPv3 session. All ATM cells arriving at an ATM interface with the specified VPI and VCI are encapsulated into a single L2TP packet.
The ATM Single Cell Relay VC mode feature can be used to carry any type of AAL traffic over the pseudowire. It will not distinguish OAM cells from User data cells. In this mode, PM and Security OAM cells are also transported over the pseudowire.
Perform this task to enable the ATM Single Cell Relay VC Mode over L2TPv3 feature.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
interface type slot/port
Example:Router(config)# interface ATM 4/1
Specifies the interface by type, slot, and port number, and enters interface configuration mode.
Step 4
pvc [name] vpi/vci l2transport
Example:Router(config-if)# pvc 5/500 l2transport
Creates or assigns a name to an ATM PVC, specifies the encapsulation type on an ATM PVC, and enters ATM VC configuration mode.
•
Step 5
encapsulation aal0
Example:Router(config-atm-vc)# encapsulation aal0
Specifies ATM AAL0 encapsulation for the PVC.
Step 6
xconnect peer-ip-address vcid pw-class pw-class-name
Example:Router(config-atm-vc)# xconnect 10.0.3.201 888 pw-class atm-xconnect
Specifies the IP address of the peer PE router and the 32-bit VCI shared between the PE at each end of the control channel.
•
•
Note
Configuring the Xconnect Attachment Circuit for ATM Port Mode Cell Relay over L2TPv3
The ATM Port Mode Cell Relay feature packs ATM cells arriving at an ingress ATM interface into L2TPv3 data packets and transports them to the egress ATM interface. A single ATM cell is encapsulated into each L2TPv3 data packet.
Perform this task to enable the ATM Port Mode Cell Relay over L2TPv3 feature.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
interface type slot/port
Example:Router(config)# interface ATM 4/1
Specifies the interface by type, slot, and port number, and enters interface configuration mode.
Step 4
xconnect peer-ip-address vcid pw-class pw-class-name
Example:Router(config-if)# xconnect 10.0.3.201 888 pw-class atm-xconnect
Specifies the IP address of the peer PE router and the 32-bit VCI shared between the PE at each end of the control channel.
•
•
Note
Configuring the Xconnect Attachment Circuit for ATM Cell Packing over L2TPv3
The ATM Cell Packing over L2TPv3 feature allows multiple ATM frames to be packed into a single L2TPv3 data packet. ATM cell packing can be configured for Port mode, VP mode, and VC mode. Perform one of the following tasks to configure the ATM Cell Packing over L2TPv3 feature:
•
•
•
Configuring Port Mode ATM Cell Packing over L2TPv3
Perform this task to configure port mode ATM cell packing over L2TPv3.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring VP Mode ATM Cell Packing over L2TPv3
Perform this task to configure VP mode ATM cell packing over L2TPv3.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Configuring VC Mode ATM Cell Packing over L2TPv3
Perform this task to configure VC mode ATM cell packing over L2TPv3.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Configuring the Xconnect Attachment Circuit for ATM AAL5 SDU Mode over L2TPv3
The ATM AAL5 SDU Mode feature maps the AAL5 payload of an AAL5 PVC to a single L2TPv3 session. This service will transport OAM and RM cells, but does not attempt to maintain the relative order of these cells with respect to the cells that comprise the AAL5 CPCS-PDU. OAM cells that arrive during the reassembly of a single AAL5 CPCS-PDU are sent immediately over the pseudowire, followed by the AAL5 SDU payload.
Beginning in Cisco IOS Release 12.0(30)S, you may choose to configure the ATM AAL5 SDU Mode feature in ATM VC configuration mode or in VC class configuration mode.
To enable the ATM AAL5 SDU Mode feature, perform one of the following tasks:
•
•
Configuring ATM AAL5 SDU Mode over L2TPv3 in ATM VC Configuration Mode
Perform this task to bind a PVC to an L2TPv3 pseudowire for ATM AAL5 SDU Mode Xconnect service.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
interface type slot/port
Example:Router(config)# interface ATM 4/1
Specifies the interface by type, slot, and port number, and enters interface configuration mode.
Step 4
pvc [name] vpi/vci [l2transport]
Example:Router(config-if)# pvc 5/500 l2transport
Creates or assigns a name to an ATM permanent virtual circuit (PVC), specifies the encapsulation type on an ATM PVC, and enters ATM VC configuration mode.
•
Step 5
encapsulation aal5
Example:Router(config-atm-vc)# encapsulation aal5
Specifies ATM AAL5 encapsulation for the PVC.
Step 6
xconnect peer-ip-address vcid pw-class pw-class-name
Example:Router(config-atm-vc)# xconnect 10.0.3.201 888 pw-class atm-xconnect
Specifies the IP address of the peer PE router and the 32-bit VCI shared between the PE at each end of the control channel.
•
•
Note
Configuring ATM AAL5 SDU Mode over L2TPv3 in VC Class Configuration Mode
You can create a VC class that specifies AAL5 encapsulation and then attach the VC class to an interface, subinterface, or PVC. Perform this task to create a VC class configured for AAL5 encapsulation and attach the VC class to an interface.
Restrictions
This task requires Cisco IOS Release 12.0(30)S or a later release.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Configuring OAM Local Emulation for ATM AAL5 over L2TPv3
If a PE router does not support the transport of OAM cells across an L2TPv3 session, you can use OAM cell emulation to locally terminate or loopback the OAM cells. You configure OAM cell emulation on both PE routers. You use the oam-ac emulation-enable command on both PE routers to enable OAM cell emulation.
After you enable OAM cell emulation on a router, you can configure and manage the ATM VC in the same manner as you would a terminated VC. A VC that has been configured with OAM cell emulation can send loopback cells at configured intervals toward the local CE router. The endpoint can be either of the following:
•
•
The OAM cells have the following information cells:
•
•
These cells identify and report defects along a VC. When a physical link or interface failure occurs, intermediate nodes insert OAM AIS cells into all the downstream devices affected by the failure. When a router receives an AIS cell, it marks the ATM VC as down and sends an RDI cell to let the remote end know about the failure.
Beginning in Cisco IOS Release 12.0(30)S, you may choose to configure the OAM Local Emulation for ATM AAL5 over L2TPv3 feature in ATM VC configuration mode or in VC class configuration mode.
To enable the OAM Local Emulation for ATM AAL5 over L2TPv3 feature, perform one of the following tasks:
•
•
Configuring OAM Local Emulation for ATM AAL5 over L2TPv3 in ATM VC Configuration Mode
Perform this task to enable the OAM Local Emulation for ATM AAL5 over L2TPv3 feature in ATM VC configuration mode.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
interface type slot/port
Example:Router(config)# interface ATM 4/1
Specifies the interface by type, slot, and port number, and enters interface configuration mode.
Step 4
pvc [name] vpi/vci [l2transport]
Example:Router(config-if)# pvc 5/500 l2transport
Creates or assigns a name to an ATM PVC, specifies the encapsulation type on an ATM PVC, and enters ATM VC configuration mode.
•
Step 5
encapsulation aal5
Example:Router(config-atm-vc)# encapsulation aal5
Specifies ATM AAL5 encapsulation for the PVC.
Step 6
xconnect peer-ip-address vcid pw-class pw-class-name
Example:Router(config-atm-vc)# xconnect 10.0.3.201 888 pw-class atm-xconnect
Specifies the IP address of the peer PE router and the 32-bit VCI shared between the PE at each end of the control channel.
•
•
Note
Step 7
oam-ac emulation-enable [ais-rate]
Example:Router(config-atm-vc)# oam-ac emulation-enable 30
Enables OAM cell emulation on AAL5 over L2TPv3.
•
Step 8
oam-pvc manage [frequency]
Example:Router(config-atm-vc)# oam-pvc manage
(Optional) Enables the PVC to generate end-to-end OAM loopback cells that verify connectivity on the virtual circuit.
•
Note
Configuring OAM Local Emulation for ATM AAL5 over L2TPv3 in VC Class Configuration Mode
This task configures OAM Cell Emulation as part of a VC class. Once a VC class is configured, you can apply the VC class to an interface, a subinterface, or a VC.
When you apply a VC class to an interface, the settings in the VC class apply to all the VCs on that interface unless you specify otherwise at a lower level, such as the subinterface or VC level. For example, if you create a VC class that specifies OAM cell emulation and sets the AIS cell rate to 30 seconds and apply that VC class to an interface, every VC on that interface will use the AIS cell rate of 30 seconds. If you then enable OAM cell emulation on a single PVC and set the AIS cell rate to 15 seconds, the 15 second AIS cell rate configured at the PVC level will take precedence over the 30 second AIS cell rate configured at the interface level.
Perform this task to create a VC class configured for OAM emulation and to attach the VC class to an interface.
Restrictions
This task requires Cisco IOS Release 12.0(30)S or a later release.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Configuring Protocol Demultiplexing for L2TPv3
The Protocol Demultiplexing feature introduces the ability to provide native IPv6 support by utilizing a specialized IPv6 network to offload IPv6 traffic from the IPv4 network. IPv6 traffic is transparently tunneled to the IPv6 network using L2TPv3 pseudowires without affecting the configuration of the CE routers. IPv4 traffic is routed as usual within the IPv4 network, maintaining the existing performance and reliability of the IPv4 network.
The IPv4 PE routers must be configured to demultiplex incoming IPv6 traffic from IPv4 traffic. The PE routers facing the IPv6 network do not require demultiplexing configuration. The configuration of the IPv6 network is beyond the scope of this document. For more information on configuring an IPv6 network, refer to the Cisco IOS IPv6 Configuration Library.
Perform one of the following tasks on the customer-facing IPv4 PE routers to enable IPv6 protocol demultiplexing:
•
•
Configuring Protocol Demultiplexing for Ethernet Interfaces
Perform this task to configure the Protocol Demultiplexing feature on an Ethernet interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
interface type slot/port
Example:Router(config)# interface ethernet 0/1
Specifies the interface by type, slot, and port number, and enters interface configuration mode.
Step 4
ip address ip-address mask [secondary]
Example:Router(config-if)# ip address 172.16.128.4
Sets a primary or secondary IP address for an interface.
Step 5
xconnect peer-ip-address vcid pw-class pw-class-name
Example:Router(config-if)# xconnect 10.0.3.201 888 pw-class demux
Specifies the IP address of the peer PE router and the 32-bit VCI shared between the PE at each end of the control channel and enters Xconnect configuration mode.
•
•
Note
Step 6
match protocol ipv6
Example:Router(config-if-xconn)# match protocol ipv6
Enables protocol demultiplexing of IPv6 traffic.
Configuring Protocol Demultiplexing for Frame Relay Interfaces
Perform this task to configure the Protocol Demultiplexing feature on a Frame Relay interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
interface type slot/port-adapter.subinterface- number [multipoint | point-to-point]
Example:Router(config)# interface serial 1/1.2 multipoint
Specifies the interface by type, slot, and port number, and enters interface configuration mode.
Step 4
ip address ip-address mask [secondary]
Example:Router(config-if)# ip address 172.16.128.4
Sets a primary or secondary IP address for an interface.
Step 5
frame-relay interface-dlci dlci [ietf | cisco] [voice-cir cir] [ppp virtual-template-name]
Example:Router(config-if)# frame-relay interface-dlci 100
Assigns a DLCI to a specified Frame Relay subinterface on the router or access server, assigns a specific PVC to a DLCI, or applies a virtual template configuration for a PPP session and enters Frame Relay DLCI interface configuration mode.
Step 6
xconnect peer-ip-address vcid pw-class pw-class-name
Example:Router(config-fr-dlci)# xconnect 10.0.3.201 888 pw-class atm-xconnect
Specifies the IP address of the peer PE router and the 32-bit VCI shared between the PE at each end of the control channel and enters Xconnect configuration mode.
•
•
Note
Step 7
match protocol ipv6
Example:Router(config-if-xconn)# match protocol ipv6
Enables protocol demultiplexing of IPv6 traffic.
Manually Clearing L2TPv3 Tunnels
Perform this task to manually clear a specific L2TPv3 tunnel and all the sessions in that tunnel.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuration Examples for Layer 2 Tunnel Protocol Version 3
This section provides the following configuration examples:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Configuring a Static L2TPv3 Session for an Xconnect Ethernet Interface: Example
L2TPv3 is the only encapsulation method that supports a manually provisioned session setup. This example shows how to configure a static session configuration in which all control channel parameters are set up in advance. There is no control plane used and no negotiation phase to set up the control channel. The PE router starts sending tunneled traffic as soon as the Ethernet interface (int e0/0) comes up. The virtual circuit identifier, 123, is not used. The PE sends L2TP data packets with session ID 111 and cookie 12345. In turn, the PE expects to receive L2TP data packets with session ID 222 and cookie 54321.
l2tp-class l2tp-defaultsretransmit initial retries 30cookie-size 8pseudowire-class ether-pwencapsulation l2tpv3protocol noneip local interface Loopback0interface Ethernet 0/0xconnect 10.0.3.201 123 encapsulation l2tpv3 manual pw-class ether-pwl2tp id 222 111l2tp cookie local 4 54321l2tp cookie remote 4 12345l2tp hello l2tp-defaultsConfiguring a Negotiated L2TPv3 Session for an Xconnect VLAN Subinterface: Example
The following is a sample configuration of a dynamic L2TPv3 session for a VLAN Xconnect interface. In this example, only VLAN traffic with a VLAN ID of 5 is tunneled. In the other direction, the L2TPv3 session identified by a virtual circuit identifier of 123 receives forwarded frames whose VLAN ID fields are rewritten to contain the value 5. L2TPv3 is used as both the control plane protocol and the data encapsulation.
l2tp-class class1authenticationpassword secretpseudowire-class vlan-xconnectencapsulation l2tpv3protocol l2tpv3 class1ip local interface Loopback0interface Ethernet0/0.1encapsulation dot1Q 5xconnect 10.0.3.201 123 pw-class vlan-xconnectConfiguring a Negotiated L2TPv3 Session for Local HDLC Switching: Example
The following is a sample configuration of a dynamic L2TPv3 session for local HDLC switching. In this example, note that it is necessary to configure two different IP addresses at the endpoints of the L2TPv3 pseudowire because the virtual circuit identifier must be unique for a given IP address.
interface loopback 1ip address 10.0.0.1 255.255.255.255interface loopback 2ip address 10.0.0.2 255.255.255.255pseudowire-class loopback1encapsulation l2tpv3ip local interface loopback1pseudowire-class loopback2encapsulation l2tpv3ip local interface loopback2interface s0/0encapsulation hdlcxconnect 10.0.0.1 100 pw-class loopback2interface s0/1encapsulation hdlcxconnect 10.0.0.2 100 pw-class loopback1Verifying an L2TPv3 Session: Example
To display detailed information about current L2TPv3 sessions on a router, use the show l2tun session all command:
Router# show l2tunnel session allSession Information Total tunnels 0 sessions 1Session id 111 is up, tunnel id 0Call serial number is 0Remote tunnel name isInternet address is 10.0.0.1Session is manually signalledSession state is established, time since change 00:06:050 Packets sent, 0 received0 Bytes sent, 0 receivedReceive packets dropped:out-of-order: 0total: 0Send packets dropped:exceeded session MTU: 0total: 0Session vcid is 123Session Layer 2 circuit, type is ATM VPC CELL, name is ATM3/0/0:1000007Circuit state is UPRemote session id is 222, remote tunnel id 0DF bit off, ToS reflect disabled, ToS value 0, TTL value 255Session cookie information:local cookie, size 8 bytes, value 00 00 00 00 00 00 00 64remote cookie, size 8 bytes, value 00 00 00 00 00 00 00 C8SSS switching enabledSequencing is offVerifying an L2TP Control Channel: Example
To display detailed information the L2TP control channels that are set up to other L2TP-enabled devices for all L2TP sessions on the router, use the show l2tun tunnel all command. The L2TP control channel is used to negotiate capabilities, monitor the health of the peer PE router, and set up various components of an L2TPv3 session.
Router# show l2tun tunnel allTunnel id 26515 is up, remote id is 41814, 1 active sessionsTunnel state is established, time since change 03:11:50Tunnel transport is IP (115)Remote tunnel name is tun1Internet Address 172.18.184.142, port 0Local tunnel name is RouterInternet Address 172.18.184.116, port 0Tunnel domain isVPDN group for tunnel is0 packets sent, 0 received0 bytes sent, 0 receivedControl Ns 11507, Nr 11506Local RWS 2048 (default), Remote RWS 800Tunnel PMTU checking disabledRetransmission time 1, max 1 secondsUnsent queuesize 0, max 0Resend queuesize 1, max 1Total resends 0, ZLB ACKs sent 11505Current nosession queue check 0 of 5Retransmit time distribution: 0 0 0 0 0 0 0 0 0Sessions disconnected due to lack of resources 0Configuring L2TPv3 Control Channel Authentication: Examples
The following example configures CHAP-style authentication of the L2TPv3 control channel:
l2tp-class class0authenticationpassword ciscoThe following example configures control channel authentication using the L2TPv3 Control Message Hashing feature:
l2tp-class class1digest secret cisco hash shahiddenThe following example configures control channel integrity checking and disables validation of the message digest using the L2TPv3 Control Message Hashing feature:
l2tp-class class2digest hash shano digest checkThe following example disables validation of the message digest using the L2TPv3 Control Message Hashing feature:
l2tp-class class3no digest checkConfiguring L2TPv3 Digest Secret Graceful Switchover: Example
The following example uses the L2TPv3 Digest Secret Graceful Switchover feature to change the L2TP control channel authentication password for the L2TP class named class1. This example assumes that you already have an old password configured for the L2TP class named class1.
Router(config)# l2tp-class class1Router(config-l2tp-class)# digest secret cisco2 hash sha!! Verify that all peer PE routers have been updated to use the new password before ! removing the old password.!Router(config-l2tp-class)# no digest secret cisco hash shaVerifying L2TPv3 Digest Secret Graceful Switchover: Example
The following show l2tun tunnel all command output shows information about the L2TPv3 Digest Secret Graceful Switchover feature:
Router# show l2tun tunnel all! The output below displays control channel password information for a tunnel which has ! been updated with the new control channel authentication password.!Tunnel id 12345 is up, remote id is 54321, 1 active sessionsControl message authentication is on, 2 secrets configuredLast message authenticated with first digest secret!! The output below displays control channel password information for a tunnel which has ! only a single control channel authentication password configured.!Tunnel id 23456 is up, remote id is 65432, 1 active sessions!Control message authentication is on, 1 secrets configuredLast message authenticated with first digest secret!! The output below displays control channel password information for a tunnel which is ! communicating with a peer that has only the new control channel authentication password ! configured.!Tunnel id 56789 is up, remote id is 98765, 1 active sessions!Control message authentication is on, 2 secrets configuredLast message authenticated with second digest secretConfiguring a Pseudowire Class for Fragmentation of IP Packets: Example
The following is a sample configuration of a pseudowire class that will allow IP traffic generated from the CE router to be fragmented before entering the pseudowire:
pseudowire class class1encapsulation l2tpv3ip local interface Loopback0ip pmtuip dfbit setConfiguring ATM VP Mode Single Cell Relay over L2TPv3: Example
The following configuration binds a PVP to an Xconnect attachment circuit to forward ATM cells over an established L2TPv3 pseudowire:
pw-class atm-xconnectencapsulation l2tpv3interface ATM 4/1atm pvp 5 l2transportxconnect 10.0.3.201 888 pw-class atm-xconnectVerifying ATM VP Mode Single Cell Relay over L2TPv3 Configuration: Example
To verify the configuration of a PVP, use the show atm vp command in privileged EXEC mode:
Router# show atm vp 5ATM4/1/0 VPI: 5, Cell-Relay, PeakRate: 155000, CesRate: 0, DataVCs: 0,CesVCs: 0, Status: ACTIVEVCD VCI Type InPkts OutPkts AAL/Encap Status8 3 PVC 0 0 F4 OAM ACTIVE9 4 PVC 0 0 F4 OAM ACTIVETotalInPkts: 0, TotalOutPkts: 0, TotalInFast: 0, TotalOutFast: 0,TotalBroadcasts: 0Configuring ATM Single Cell Relay VC Mode over L2TPv3: Example
The following example shows how to configure the ATM Single Cell Relay VC Mode over L2TPv3 feature:
pw-class atm-xconnectencapsulation l2tpv3interface ATM 4/1pvc 5/500 l2transportencapsulation aal0xconnect 10.0.3.201 888 pw-class atm-xconnectVerifying ATM Single Cell Relay VC Mode over L2TPv3: Example
The following show atm vc command output displays information about VCC cell relay configuration:
Router# show atm vcVCD/ Peak Avg/Min BurstInterface Name VPI VCI Type Encaps Kbps Kbps Cells Sts2/0 4 9 901 PVC AAL0 149760 N/A UPThe following show l2tun session command output displays information about VCC cell relay configuration:
Router# show l2tun session allSession Information Total tunnels 1 sessions 2Session id 41883 is up, tunnel id 18252Call serial number is 3211600003Remote tunnel name is khur-l2tpInternet address is 10.0.0.2Session is L2TP signalledSession state is established, time since change 00:00:388 Packets sent, 8 received416 Bytes sent, 416 receivedReceive packets dropped:out-of-order: 0total: 0Send packets dropped:exceeded session MTU: 0total: 0Session vcid is 124Session Layer 2 circuit, type is ATM VCC CELL, name is ATM2/0:9/901Circuit state is UPRemote session id is 38005, remote tunnel id 52436DF bit off, ToS reflect disabled, ToS value 0, TTL value 255No session cookie information availableFS cached header information:encap size = 24 bytes00000000 00000000 00000000 0000000000000000 00000000Sequencing is offConfiguring ATM Port Mode Cell Relay over L2TPv3: Example
The following example shows how to configure the ATM Port Mode Cell Relay over L2TPv3 feature:
pw-class atm-xconnectencapsulation l2tpv3interface atm 4/1xconnect 10.0.3.201 888 pw-class atm-xconnectConfiguring ATM Cell Packing over L2TPv3: Examples
The following examples show how to configure the ATM Cell Packing over L2TPv3 feature for Port mode, VP mode, and VC mode:
Port Mode
interface atm 4/1atm mcpt-timers 10 100 1000cell-packing 10 mcpt-timer 2xconnect 10.0.3.201 888 encapsulation l2tpv3VP Mode
interface atm 4/1atm mcpt-timers 10 100 1000atm pvp 10 l2transportcell-packing 10 mcpt-timer 2xconnect 10.0.3.201 888 encapsulation l2tpv3VC Mode
interface atm 4/1atm mcpt-timers 10 100 1000pvc 1/32 l2transportencapsulation aal0cell-packing 10 mcpt-timer 2xconnect 10.0.3.201 888 encapsulation l2tpv3Configuring ATM AAL5 SDU Mode over L2TPv3: Examples
Configuring ATM AAL5 SDU Mode over L2TPv3 in ATM VC Configuration Mode
The following configuration binds a PVC to an Xconnect attachment circuit to forward ATM cells over an established L2TPv3 pseudowire:
pw-class atm-xconnectencapsulation l2tpv3interface atm 4/1pvc 5/500 l2transportencapsulation aal5xconnect 10.0.3.201 888 pw-class atm-xconnectConfiguring ATM AAL5 SDU Mode over L2TPv3 in VC-Class Configuration Mode
The following example configures ATM AAL5 over L2TPv3 in VC class configuration mode. The VC class is then applied to an interface.
vc-class atm aal5classencapsulation aal5!interface atm 1/0class-int aal5classpvc 1/200 l2transportxconnect 10.13.13.13 100 encapsulation l2tpv3Verifying ATM AAL5 SDU Mode over L2TPv3 Configuration: Examples
Verifying ATM AAL5 over MPLS in ATM VC Configuration Mode
To verify the configuration of a PVC, use the show atm vc command in privileged EXEC mode:
Router# show atm vcVCD/ Peak Avg/Min BurstInterface Name VPI VCI Type Encaps Kbps Kbps Cells Sts2/0 pvc 9 900 PVC AAL5 2400 200 UP2/0 4 9 901 PVC AAL5 149760 N/A UPThe following show l2tun session command output displays information about ATM VC mode configurations:
Router# show l2tun session briefSession Information Total tunnels 1 sessions 2LocID TunID Peer-address State Username, Intf/sess/cir Vcid, Circuit41875 18252 10.0.0.2 est,UP 124, AT2/0:9/901111 0 10.0.0.2 est,UP 123, AT2/0:9/900Verifying ATM AAL5 over MPLS in VC Class Configuration Mode
To verify that ATM AAL5 over L2TPv3 is configured as part of a VC class, issue the show atm class-links command. The command output shows the type of encapsulation and that the VC class was applied to an interface.
Router# show atm class links 1/100Displaying vc-class inheritance for ATM1/0.0, vc 1/100:no broadcast - Not configured - using defaultencapsulation aal5 - VC-class configured on main interface...Configuring OAM Local Emulation for ATM AAL5 over L2TPv3: Examples
Configuring OAM Cell Emulation for ATM AAL5 over L2TPv3 in ATM VC Configuration Mode
The following configuration binds a PVC to an Xconnect attachment circuit to forward ATM AAL5 frames over an established L2TPv3 pseudowire, enables OAM local emulation, and specifies that AIS cells will be sent every 30 seconds:
pw-class atm-xconnectencapsulation l2tpv3interface ATM 4/1pvc 5/500 l2transportencapsulation aal5xconnect 10.0.3.201 888 pw-class atm-xconnectoam-ac emulation-enable 30Configuring OAM Cell Emulation for ATM AAL5 over L2TPv3 in VC Class Configuration Mode
The following example configures OAM cell emulation for ATM AAL5 over L2TPv3 in VC class configuration mode. The VC class is then applied to an interface.
vc-class atm oamclassencapsulation aal5oam-ac emulation-enable 30
oam-pvc manage
!
interface atm1/0class-int oamclasspvc 1/200 l2transportxconnect 10.13.13.13 100 encapsulation l2tpv3The following example configures OAM cell emulation for ATM AAL5 over L2TPv3 in VC class configuration mode. The VC class is then applied to a PVC.
vc-class atm oamclassencapsulation aal5oam-ac emulation-enable 30
oam-pvc manage
!
interface atm1/0pvc 1/200 l2transportclass-vc oamclassxconnect 10.13.13.13 100 encapsulation l2tpv3The following example configures OAM cell emulation for ATM AAL5 over L2TPv3 in VC class configuration mode. The OAM cell emulation AIS rate is set to 30 for the VC class. The VC class is then applied to an interface. One PVC is configured with OAM cell emulation at an AIS rate of 10. That PVC uses the AIS rate of 10 instead of 30.
vc-class atm oamclassencapsulation aal5oam-ac emulation-enable 30
oam-pvc manage
!
interface atm1/0class-int oamclasspvc 1/200 l2transportoam-ac emulation-enable 10xconnect 10.13.13.13 100 encapsulation l2tpv3Verifying OAM Local Emulation for ATM AAL5 over L2TPv3 Configuration: Examples
The following show atm pvc command output shows that OAM cell emulation is enabled and working on the ATM PVC:
Router# show atm pvc 5/500ATM4/1/0.200: VCD: 6, VPI: 5, VCI: 500UBR, PeakRate: 1AAL5-LLC/SNAP, etype:0x0, Flags: 0x34000C20, VCmode: 0x0OAM Cell Emulation: enabled, F5 End2end AIS Xmit frequency: 1 second(s)OAM frequency: 0 second(s), OAM retry frequency: 1 second(s)OAM up retry count: 3, OAM down retry count: 5OAM Loopback status: OAM DisabledOAM VC state: Not ManagedVerifiedILMI VC state: Not ManagedInPkts: 564, OutPkts: 560, InBytes: 19792, OutBytes: 19680InPRoc: 0, OutPRoc: 0InFast: 4, OutFast: 0, InAS: 560, OutAS: 560InPktDrops: 0, OutPktDrops: 0CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0Out CLP=1 Pkts: 0OAM cells received: 26F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 26OAM cells sent: 77F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutAIS: 77, F5 OutRDI: 0OAM cell drops: 0Status: UPConfiguring Protocol Demultiplexing for L2TPv3: Examples
The following examples show how to configure the Protocol Demultiplexing feature on the IPv4 PE routers. The PE routers facing the IPv6 network do not require demultiplexing configuration.
Ethernet Interface
interface ethernet 0/1ip address 172.16.128.4xconnect 10.0.3.201 888 pw-class demuxmatch protocol ipv6Frame Relay Interface
interface serial 1/1.1 multipointip address 172.16.128.4frame-relay interface-dlci 100xconnect 10.0.3.201 888 pw-class atm-xconnectmatch protocol ipv6Manually Clearing an L2TPv3 Tunnel: Example
The following example demonstrates how to manually clear a specific L2TPv3 tunnel using the tunnel ID:
clear l2tun tunid 65432
Configuring Frame Relay DLCI-to-DLCI Switching: Example
The following is a sample configuration for switching a Frame Relay DLCI over a pseudowire:
pseudowire-class fr-xconnectencapsulation l2tpv3protocol l2tpv3ip local interface Loopback0sequencing both!interface Serial0/0encapsulation frame-relayframe-relay intf-type dce!connect one Serial0/0 100 l2transportxconnect 10.0.3.201 555 pw-class fr-xconnect!connect two Serial0/0 200 l2transportxconnect 10.0.3.201 666 pw-class fr-xconnectConfiguring Frame Relay Trunking: Example
The following is a sample configuration for setting up a trunk connection for an entire serial interface over a pseudowire. All incoming packets are switched to the pseudowire regardless of content.
Note that when you configure trunking for a serial interface, the trunk connection does not require an encapsulation method. You do not, therefore, need to enter the encapsulation frame-relay command. Reconfiguring the default encapsulation removes all Xconnect configuration settings from the interface.
interface Serial0/0xconnect 10.0.3.201 555 pw-class serial-xconnectConfiguring QoS for L2TPv3 on the Cisco 7500 Series: Example
The following example shows the MQC commands used on a Cisco 7500 series router to configure a CIR guarantee of 256 kbps on DLCI 100 and 512 kbps for DLCI 200 on the egress side of a Frame Relay interface that is also configured for L2TPv3 tunneling:
ip cef distributedclass-map dlci100match fr-dlci 100class-map dlci200match fr-dlci 200!policy-map dlciclass dlci100bandwidth 256class dlci200bandwidth 512!interface Serial0/0encapsulation frame-relayframe-relay interface-type dceservice-policy output dlci!connect one Serial0/0 100 l2transportxconnect 10.0.3.201 555 encapsulation l2tpv3 pw-class mqc!connect two Serial0/0 200 l2transportxconnect 10.0.3.201 666 encapsulation l2tpv3 pw-class mqcConfiguring QoS for L2TPv3 on the Cisco 12000 Series: Examples
This section contains the following examples for configuring QoS for L2TPv3 on the Cisco 12000 series:
•
•
•
•
Configuring QoS on a Frame Relay Interface in a TSC-Based L2TPv3 Tunnel Session
To apply a QoS policy for L2TPv3 to a Frame Relay interface on a Cisco 12000 series 2-port Channelized OC-3/STM-1 (DS1/E1) or 6-port Channelized T3 line card in a tunnel server card-based L2TPv3 tunnel session, you must:
•
•
As shown in the following example, when you configure QoS for L2TPv3 on the ingress side of a Cisco 12000 series Frame Relay interface, you may also configure the value of the ToS byte used in IP headers of tunneled packets when you configure the L2TPv3 pseudowire (see the section "Configuring the L2TPv3 Pseudowire").
The following example shows the MQC commands and ToS byte configuration used on a Cisco 12000 series router to apply a QoS policy for DLCI 100 on the ingress side of a Frame Relay interface configured for server card-based L2TPv3 tunneling:
policy-map frtp-policyclass class-defaultpolice cir 8000 bc 6000 pir 32000 be 4000 conform-action transmit exceed-action set-frde-transmit violate-action drop!map-class frame-relay fr-mapservice-policy input frtp-policy!interface Serial0/1/1:0encapsulation frame-relayframe-relay interface-dlci 100 switchedclass fr-mapconnect frol2tp1 Serial0/1/1:0 100 l2transportxconnect 10.0.3.201 666 encapsulation l2tpv3 pw-class aaa!pseudowire-class aaaencapsulation l2tpv3ip tos value 96To apply a QoS policy for L2TPv3 to the egress side of a Frame Relay interface on a Cisco 12000 series 2-port Channelized OC-3/STM-1 (DS1/E1) or 6-port Channelized T3 line card, you must:
•
•
The next example shows the MQC commands used on a Cisco 12000 series Internet router to apply a QoS policy with WRED/MDRR settings for specified IP precedence values to DLCI 100 on the egress side of a Frame Relay interface configured for a server card-based L2TPv3 tunnel session:
class-map match-all d2match ip precedence 2class-map match-all d3match ip precedence 3!policy-map oclass d2bandwidth percent 10random-detectrandom-detect precedence 1 200 packets 500 packets 1class d3bandwidth percent 10random-detectrandom-detect precedence 1 1 packets 2 packets 1!map-class frame-relay fr-mapservice-policy output o!interface Serial0/1/1:0encapsulation frame-relayframe-relay interface-dlci 100 switchedclass fr-mapconnect frol2tp1 Serial0/1/1:0 100 l2transportxconnect 10.0.3.201 666 encapsulation l2tpv3 pw-class aaaConfiguring Traffic Policing on an ISE
