Welcome to the Network Engineering Domain
Pape O. Fall's Blog

Layer 2 Bridging over GRE – L2TPv3

This use case consist of a company wanting to temporarily extend the users broadcast domain from one site to another. The issue here is that the sites are geophysically disjointed and each remote site only has a DIA circuit. In order to resolve the problem, we need a solution capable of encapsulating L2 traffic through an IP network. One comes to mind right off the bat and you can read about it here is MPLS L2VPN.

Considering that VPLS deployment can be a bit expensive and rather complex, the fastest and inexpensive way to provide ethernet-based session over IP is L2TPv3. It is an IETF standard protocol (IP Protocol 115) which allows us to extend multiple broadcast domains between 2 IP nodes.

This is the use case diagram we will be working with today.

 

Here, we have 2 remote sites HQ and REMOTE OFFICE each equipped with hosts that are on the same broadcast domain (192.168.1.0/24). The idea here is to be able to reach the far side host from the local host. Note that we’re mimicking a real life scenario here where we’re going through an ISP and there’s a firewall at each site proxying our traffic. Each router sits behind the firewall while the ASA peers with the ISP via eBGP. Here are the steps we will focus on in order to extend the 192.168.1.0/24 range across:

  1. NAT the source of the GRE tunnel to a public IP on the firewall in order to route to the Internet
  2. Build the GRE tunnel
  3. Encrypt the tunnels with IPSec
  4. Configure L2TPv3 on each router
  5. Bind the Pseudowire and map it to the tunnel interface
  6. Verify our configuration
  7. Test end to end connectivity

Let’s dive into the CLI now. Let me first show you the interface configuration which I’m sourcing the tunnels from.

HQ-RTR1#sh ip int br | exc una
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                172.16.100.1    YES NVRAM  up                    up
OFF-RTR#sh ip int br | exc una
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                172.16.200.1    YES NVRAM  up                    up

Ethernet0/0 on each router is going to be the source of our GRE tunnel. Let me show you the public IP we will map them to on the ASAs.

HQ-ASA# sh run object
object network GRE-IN
 host 172.16.100.1
object network GRE-OUT
 host 1.1.1.100
HQ-ASA#      
HQ-ASA# sh run nat
nat (INSIDE,OUTSIDE) source static GRE-IN GRE-OUT
OFF-ASA# sh run object
object network GRE-IN
 host 172.16.200.1
object network GRE-OUT
 host 2.2.2.100
OFF-ASA# 
OFF-ASA# sh run nat
nat (INSIDE,OUTSIDE) source static GRE-IN GRE-OUT

Simple enough, I’m mapping 172.16.100.1 to 1.1.1.100 at the HeadQuarter and I’m also mapping 172.16.200.1 to 2.2.2.100 at the Remote Office. Note here that I have a default route from the routers to the ASAs and I already have eBGP sessions between the ASAs and the ISP. I’m receiving a quad zero from the provider which is then announced by the ASAs and installed at the router level. Let me show you what it looks like.

HQ-ASA# sh ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
GigabitEthernet0/0.100   OUTSIDE                1.1.1.254       255.255.255.0   CONFIG
GigabitEthernet0/0.200   INSIDE                 172.16.100.254  255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
GigabitEthernet0/0.100   OUTSIDE                1.1.1.254       255.255.255.0   CONFIG
GigabitEthernet0/0.200   INSIDE                 172.16.100.254  255.255.255.0   CONFIG
HQ-ASA# 
HQ-ASA# sh bgp sum | b Neighbor
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4        65100 57      47             2    0    0 00:48:53  1       
172.16.100.1    4        65101 57      48             2    0    0 00:48:53  0       

HQ-ASA# 
HQ-ASA# sh bgp        

BGP table version is 2, local router ID is 172.16.100.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*> 0.0.0.0          1.1.1.1                            0  65100 i
HQ-ASA# 
HQ-ASA# sh run router       
router bgp 65101
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 1.1.1.1 remote-as 65100
  neighbor 1.1.1.1 activate
  neighbor 172.16.100.1 remote-as 65101
  neighbor 172.16.100.1 activate
  neighbor 172.16.100.1 next-hop-self
  no auto-summary
  no synchronization
 exit-address-family

Here, the HQ ASA is peering with the ISP (1.1.1.1) and receives a default route from it. It is also peering with the HQ router (172.16.100.1). Let me show you what the configuration on the router looks like.

HQ-RTR1#sh run | s bgp
router bgp 65101
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 172.16.100.254 remote-as 65101
 !
 address-family ipv4
  neighbor 172.16.100.254 activate
 exit-address-family
HQ-RTR1#
HQ-RTR1#sh ip bgp | b RPKI
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 0.0.0.0          172.16.100.254           0    100      0 65100 i

Here is what the far side looks like.

OFF-ASA#  sh ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
GigabitEthernet0/0.100   OUTSIDE                2.2.2.254       255.255.255.0   CONFIG
GigabitEthernet0/0.200   INSIDE                 172.16.200.254  255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
GigabitEthernet0/0.100   OUTSIDE                2.2.2.254       255.255.255.0   CONFIG
GigabitEthernet0/0.200   INSIDE                 172.16.200.254  255.255.255.0   CONFIG
OFF-ASA# 
OFF-ASA# sh bgp sum | b Neighbor
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.1         4        65100 60      49             2    0    0 00:51:58  1       
172.16.200.1    4        65102 60      51             2    0    0 00:51:58  0       

OFF-ASA# 
OFF-ASA# sh bgp       

BGP table version is 2, local router ID is 172.16.200.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*> 0.0.0.0          2.2.2.1                            0  65100 i
OFF-ASA# 
OFF-ASA# sh run router   
router bgp 65102
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 2.2.2.1 remote-as 65100
  neighbor 2.2.2.1 activate
  neighbor 172.16.200.1 remote-as 65102
  neighbor 172.16.200.1 activate
  neighbor 172.16.200.1 next-hop-self
  no auto-summary
  no synchronization
 exit-address-family
OFF-RTR#sh run | s bgp
router bgp 65102
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 172.16.200.254 remote-as 65102
 !
 address-family ipv4
  neighbor 172.16.200.254 activate
 exit-address-family
OFF-RTR#
OFF-RTR#sh ip bgp | b RPKI
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 0.0.0.0          172.16.200.254           0    100      0 65100 i

Great ! Let’s now build a basic GRE tunnel between the sites.

HQ-RTR1#sh run int tu100
Building configuration...

Current configuration : 121 bytes
!
interface Tunnel100
 ip address 10.1.1.1 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 2.2.2.100
end

HQ-RTR1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
OFF-RTR#sh run int tu100
Building configuration...

Current configuration : 121 bytes
!
interface Tunnel100
 ip address 10.1.1.2 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 1.1.1.100
end

OFF-RTR#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/6 ms

We’re in good shape so far ! Encryption is next.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 19
 lifetime 3600
crypto isakmp key RouteL3@k address 0.0.0.0        
!
!
crypto ipsec transform-set RTLEAK_TS esp-aes esp-sha512-hmac 
 mode tunnel
!
crypto ipsec profile RTLEAK_PROF
 set transform-set RTLEAK_TS 
!         
!         
!         
!         
!         
!         
!         
interface Tunnel100
 ip address 10.1.1.1 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 2.2.2.100
 tunnel protection ipsec profile RTLEAK_PROF
!         
          
HQ-RTR1#
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 19
 lifetime 3600
crypto isakmp key RouteL3@k address 0.0.0.0        
!
!
crypto ipsec transform-set RTLEAK_TS esp-aes esp-sha512-hmac 
 mode tunnel
!
crypto ipsec profile RTLEAK_PROF
 set transform-set RTLEAK_TS 
!         
!         
!         
!         
!         
!         
!         
interface Tunnel100
 ip address 10.1.1.2 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 1.1.1.100
 tunnel protection ipsec profile RTLEAK_PROF
!         
          
OFF-RTR#

Great ! Let’s quickly confirm that our encryption actually works.

OFF-RTR#sh crypto ipsec sa

interface: Tunnel100
    Crypto map tag: Tunnel100-head-0, local addr 172.16.200.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.200.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.100/255.255.255.255/47/0)
   current_peer 1.1.1.100 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.200.1, remote crypto endpt.: 1.1.1.100
     plaintext mtu 1426, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
HQ-RTR1#ping 10.1.1.2 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 10/10/10 ms
OFF-RTR#sh crypto ipsec sa

interface: Tunnel100
    Crypto map tag: Tunnel100-head-0, local addr 172.16.200.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.200.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.100/255.255.255.255/47/0)
   current_peer 1.1.1.100 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.200.1, remote crypto endpt.: 1.1.1.100
     plaintext mtu 1426, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0xE2781AF5(3799522037)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xCE2DA59B(3459098011)

We’re in good shape here so far. Let’s now focus on extending the 192.168.1.0/24 subnet across. This is a 2 step configuration process which are as follow:

  1. Configure a Pseudowire class and select a source interface (Tunnel100)
  2. Bind the profile to the LAN interface facing the hosts. This is going to be the interface which we want to bridge the L2 traffic from (Ethernet0/1)

Let’s do that.

pseudowire-class HQ-RO
 encapsulation l2tpv3
 ip local interface Tunnel100
!         
          
HQ-RTR1#
pseudowire-class HQ-RO
 encapsulation l2tpv3
 ip local interface Tunnel100
!         
          
OFF-RTR#

Here, we created a Pseudowire class and configured an encapsulation type which is L2TPv3. Since we want to encapsulate L2 traffic through our GRE tunnel, we called on the tunnel interface as the local interface of the L2 session. Let’s now bind the Pseudowire class to the router interface facing our hosts which is Ethernet0/1 on both sides.

HQ-RTR1(config)#do sh run int Ethernet0/1 
Building configuration...

Current configuration : 44 bytes
!
interface Ethernet0/1
 no ip address
end

HQ-RTR1(config)#interface Ethernet0/1
HQ-RTR1(config-if)# no ip address
HQ-RTR1(config-if)# xconnect 10.1.1.2 1 encapsulation l2tpv3 pw-class HQ-RO
HQ-RTR1(config-if-xconn)#
OFF-RTR(config)#do sh run int eth0/1
Building configuration...

Current configuration : 44 bytes
!
interface Ethernet0/1
 no ip address
end

OFF-RTR(config)#interface Ethernet0/1
OFF-RTR(config-if)# no ip address
OFF-RTR(config-if)# xconnect 10.1.1.1 1 encapsulation l2tpv3 pw-class HQ-RO
OFF-RTR(config-if-xconn)#

That’s all there is to it. Note that “1” highlighted in blue references a VC ID value and it has to match on both sides. This value differentiates the L2TPv3 sessions. Also notice how once we configure xconnect, we enter a xconnect mode where we have the capability of tuning the protocol such as adding a backup peer for redundancy or configuring delay metrics for the session.

Let’s now verify and confirm that we have end to end reachability here.

HQ-HOST#sh ip int br | exc una
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.1.1     YES NVRAM  up                    up      

HQ-HOST#ping 192.168.1.2      
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/13 ms
REMOTE-HOST#sh ip int br | exc una
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.1.2     YES NVRAM  up                    up      

REMOTE-HOST#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/6 ms

Fantastic ! Here we can ping remote host on the far side going through the Internet and they’re both part of 192.168.1.0/24. Let’s see additional commands we can use to confirm L2TPv3 is up and running.

HQ-RTR1#sh l2tp 

L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocTunID   RemTunID   Remote Name   State  Remote Address  Sessn L2TP Class/
                                                           Count VPDN Group 
2762039292 2395514761 OFF-RTR       est    10.1.1.2        1     l2tp_default_cl

LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID   
                                 Vcid, Circuit                                  
4154590038 2286929823 2762039292 1, Et0/1             est    00:06:30 0

The “Sh l2tp” provides valuable information such as the interface which the L2 traffic is coming from, our Tunnel ID and Virtual Circuit ID.

HQ-RTR1#sh l2tp session all 

L2TP Session Information Total tunnels 1 sessions 1

Session id 4154590038 is up, logical session id 32803, tunnel id 2762039292
  Remote session id is 2286929823, remote tunnel id 2395514761
  Locally initiated session
  Unique ID is 0
Session Layer 2 circuit, type is Ethernet, name is Ethernet0/1
  Session vcid is 1
  Circuit state is UP
    Local circuit state is UP
    Remote circuit state is UP
Call serial number is 1391200002
Remote tunnel name is OFF-RTR
  Internet address is 10.1.1.2
Local tunnel name is HQ-RTR1
  Internet address is 10.1.1.1
IP protocol 115
  Session is L2TP signaled
  Session state is established, time since change 00:07:32
    74 Packets sent, 75 received
    8343 Bytes sent, 8447 received
  Last clearing of counters never
  Counters, ignoring last clear:
    74 Packets sent, 75 received
    8343 Bytes sent, 8447 received
    Receive packets dropped:
      out-of-order:             0
      other:                    0
      total:                    0
    Send packets dropped:
      exceeded session MTU:     0
      other:                    0
      total:                    0
  DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
  Sending UDP checksums are disabled
  Received UDP checksums are verified
  No session cookie information available
  FS cached header information:
    encap size = 24 bytes
    45000014 00000000 ff73a572 0a010101
    0a010102 884fc79f 
  Sequencing is off
  Conditional debugging is disabled
  SSM switch id is 4126, SSM segment id is 8230

This is even more detailed as we can see the number of packet flows, the L2 type, the IP protocol and whether or not the session is up.

HQ-RTR1#sh xconnect all 
Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
  UP=Up       DN=Down            AD=Admin Down      IA=Inactive
  SB=Standby  HS=Hot Standby     RV=Recovering      NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac Et0/1:4(Ethernet)            UP l2tp 10.1.1.2:1                   UP

The “sh xconnect all” provides similar information but gives us a quick overview in terms of the session state.

That’s I wanted to show you today.

Leave a Reply

Your email address will not be published. Required fields are marked *

A Little About Myself

Hello I'm Pape. My friends call me Pop. I'm CCIE #48357. I enjoy my field and love to share it with others. I love to write so I'm sharing my blog with you.

Sign up to receive notifications and updates whenever new topics or videos are uploaded!

RouteLeak Calendar

November 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
252627282930