
Chapter 3. TCP/IP Over ATM

L2TP Tunneling

Layer 2 Tunneling Protocol (L2TP) is an emerging IETF standard that combines the best features of two existing tunneling protocols: Cisco's L2F and Microsoft's Point-to-Point Tunneling Protocol (PPTP). L2TP supports multiple protocols, as well as private IP addresses, over the Internet. This section describes the components of an L2TP tunnel, identifies the encapsulations supported over an L2TP tunnel, and describes L2TP connectivity.

Using L2TP, an ISP or other access service can create a virtual tunnel to link the customer's remote sites or remote users with corporate home networks. Think of a field employee who must dial in from different remote sites and who needs direct access to her company's intranet. This employee's corporate notebook computer or other device can be configured to open a secure, transparent virtual tunnel with a minimum of login requirements. This quick, secure connection is called a virtual private network (VPN).


A VPN is a way to use a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A VPN can be contrasted with an expensive system of owned or leased lines that can be used by only one organization. A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as L2TP. By encrypting data at the sending end and decrypting it at the receiving end, the protocols in effect send the data through a tunnel that cannot be entered by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.

Virtual Private Dialup Networking (VPDN) is very similar to VPN. It uses the same technology used in VPNs to let remote users connect to a corporate office at a significantly reduced cost. Typically, a remote user uses a phone line to connect to a corporate office. Long distance charges accrue if the required phone call is not a local one. This expense can be avoided through the use of a VPDN. The user makes a local call to an ISP. The user's data is then encrypted and tunneled to the VPDN router at the corporate office. Special software and/or hardware is used to make this happen on the user's computer.

Traditional dialup networking services are not standardized for field employees and present their own headaches. Moreover, dialup services support only registered IP addresses, which limits the types of applications that are implemented over VPNs. L2TP supports unregistered and privately administered IP addresses over the Internet, as well as multiple routed protocols. This enables the use of the existing access infrastructure, such as modems, access servers, and ISDN terminal adapters. It also allows enterprise customers to outsource dialout support, thus reducing overhead for hardware maintenance costs and 800-number fees. It also allows them to concentrate corporate gateway resources.

VPNs provide the appearance, functionality, and usefulness of a dedicated private network within the public infrastructure. VPNs are cost-effective because users can connect to the Internet locally and tunnel back to connect to corporate resources.

As you will read elsewhere in this book, the VPN feature for MPLS allows a Cisco IOS network to deploy scalable Layer 3 VPN backbone service with private addressing, controlled access, and service-level guarantees between sites.

The ATU-R can be configured for bridging (PPPoE) or routing (PPPoA). The hosts must be configured with the tunnel destination IP address and may be configured with L2TP client software drivers, such as Microsoft's L2TP product.

L2TP Elements

L2TP is made up of the following components, which are also shown in Figure 3-11:

  • L2TP access concentrator (LAC)— The user PC or the ATU-R connects to the LAC, which resides between the home (corporate) network and the remote user. The LAC's job is to tunnel PPP frames through the Internet to the local L2TP network server (LNS). This includes any protocol carried within PPP. From the last-mile (DSL network) viewpoint, the LAC initiates incoming calls (from the remote Internet service) and receives outgoing calls (from the DSL CPE to the remote Internet service). The LAC and its counterpart, the LNS, may be the same type of device, such as a Cisco 6400 or another capable router.

  • L2TP network server (LNS)— The LNS is the termination point for the L2TP tunnel where the home LAN is located. From the point of view of the DSL CPE, the LNS is the LAN access point where PPP frames are processed and passed to higher-layer protocols. An LNS can operate on any platform capable of PPP termination. The LNS handles the server side of the L2TP protocol, although it can initiate the outgoing call to create a tunnel. The LNS and its counterpart, the LAC, may be the same type of device, such as a Cisco 6400 or another capable router.

  • Tunnel— A virtual pipe between the LAC and the LNS that carries multiple PPP sessions. It consists of user traffic and header information necessary to support the tunnel. The tunnel profile can be in the local router configuration or on a remote RADIUS server.

  • Session— A single, tunneled PPP session. Also referred to as a call.

  • AAA— The authentication, authorization, and accounting server used to store domain and user information. These industry-standard functions verify the user's account, validate the user's permissions, and track the actions taken and selections made, such as extended services, for each user. At the LAC, the AAA server stores domain information necessary to identify and establish the tunnel to the remote LNS. The LAC may authenticate the tunnel using either a RADIUS server or a locally defined database of usernames and passwords. At the LNS, the AAA server stores user information needed to authenticate the user to the remote LAC. In the case of PPPoE, the user logs in as For PPPoA, the ATU-R is preconfigured with this username.

Figure 3-11. L2TP Components

L2TP Protocol Stack and Encapsulation

The L2TP protocol stack, shown in Figure 3-12, is an extension to PPP, which is an important component of VPNs. L2TP can support either PPPoA or PPPoE encapsulation on the PVC coming from the CPE. The LAC accepts this PPP session and establishes the L2TP tunnel to the LNS. After LCP has been negotiated, the LAC partially authenticates the end user with CHAP or PAP but does not process PPP packets. User authentication is done on the LNS, where the call terminates. At the provider's site, such as the corporate home, information necessary to identify the remote LNS can be stored in the AAA server or can be entered directly into the LNS configuration.

Figure 3-12. L2TP Protocol Stack

L2TP uses the User Datagram Protocol (UDP) as the transport layer protocol.

L2TP Connectivity

The tunnel endpoints, the LAC and the LNS, authenticate each other before any sessions are attempted within a tunnel (see Figure 3-13). Alternatively, the LNS can accept tunnel creation without any tunnel authentication by the LAC. As soon as the tunnel exists, an L2TP session is created for the end user.

Figure 3-13. L2TP Connections

The PPP session can be terminated on a Cisco 6400 or tunneled to another L2TP network server. If the L2TP session is terminated on the Cisco 6400, you can use another form of tunnel to transport traffic to the service provider. (MPLS, which is described later, is an important form of tunnel.)

L2TP uses two types of messages—control and data. Control messages are used to establish, maintain, and clear a tunnel and to set up and clear sessions. Data messages are used to encapsulate PPP frames being carried over the tunnel.

L2TP guarantees the delivery of control messages through a control channel. Messages in the control channel have sequence numbers used to detect loss or out-of-order delivery. Lost control messages are retransmitted. Data messages may also use sequence numbers to reorder packets and detect lost packets.
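The two message types and the control-channel sequence numbers described above, as an added example that is not from the book: it follows the RFC 2661 L2TPv2 header layout (flag bits, optional Length, tunnel and session IDs, optional Ns/Nr), which the chapter does not print, and every datagram here is constructed rather than captured. The receiver rejects headers that break the RFC rules for control messages and uses Ns to tell in-order, lost and retransmitted control messages apart.

```python
import struct

def parse_l2tp(datagram: bytes) -> dict:
    """Parse an RFC 2661 L2TPv2 header; raise ValueError if it is malformed."""
    try:
        flags = struct.unpack_from("!H", datagram, 0)[0]
        if (flags & 0x000F) != 2:
            raise ValueError("not an L2TPv2 header")
        t, l_bit = bool(flags & 0x8000), bool(flags & 0x4000)  # T: control msg, L: Length present
        s, o = bool(flags & 0x0800), bool(flags & 0x0200)      # S: Ns/Nr present, O: offset present
        if t and (not l_bit or not s or o):
            raise ValueError("control messages must set L and S and clear O")
        pos, end = 2, len(datagram)
        if l_bit:
            end = struct.unpack_from("!H", datagram, 2)[0]
            pos = 4
            if end > len(datagram):
                raise ValueError("Length field exceeds the datagram")
        tunnel_id, session_id = struct.unpack_from("!HH", datagram, pos)
        pos += 4
        ns = nr = None
        if s:
            ns, nr = struct.unpack_from("!HH", datagram, pos)
            pos += 4
        if o:  # data messages may carry padding before the PPP frame
            pos += 2 + struct.unpack_from("!H", datagram, pos)[0]
    except struct.error as exc:
        raise ValueError("truncated L2TP header") from exc
    return {"control": t, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": datagram[pos:end]}

class ControlReceiver:
    """Receive side of the reliable control channel; nr is the next Ns we expect."""
    def __init__(self):
        self.nr = 0

    def receive(self, datagram: bytes) -> str:
        hdr = parse_l2tp(datagram)
        if not hdr["control"]:
            return "data"       # PPP payload: sequencing optional, never retransmitted
        if hdr["ns"] == self.nr:
            self.nr = (self.nr + 1) & 0xFFFF   # 16-bit sequence space wraps
            return "in-order"
        if ((hdr["ns"] - self.nr) & 0xFFFF) < 0x8000:
            return "gap"        # Ns is ahead: an earlier control message was lost
        return "duplicate"      # Ns is behind: peer retransmission, already processed

def ctrl(ns: int, nr: int, tunnel: int = 7) -> bytes:
    """Constructed control message (not captured traffic); 0xC802 = T, L, S bits + version 2."""
    return struct.pack("!HHHHHH", 0xC802, 12, tunnel, 0, ns, nr)
```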

Suppose that the scenario requires a VPDN, meaning that the tunnel is established through the public switched telephone network (PSTN). The VPDN connection between a remote user and the LNS using L2TP is accomplished as follows:

Step 1.
The remote user initiates a PPP connection to the ISP over the analog telephone system (for example, a field employee who dials the local modem bank) or over ISDN.

Step 2.
The ISP network LAC accepts the connection at the service provider's Point Of Presence (POP), and the PPP link is established.

Step 3.
After the subscriber-end host and the LNS negotiate LCP, the LAC partially authenticates the end user with CHAP or PAP. In DSL's implementation of VPDN, the username or domain name is used to determine whether the user is a VPDN client.

Step 4.
The LAC propagates the LCP-negotiated options and the partially authenticated CHAP/PAP information to the virtual template interface on the LNS. If the options configured on the virtual template interface do not match the negotiated options with the LAC, the connection fails, and a disconnect is sent to the LAC.

Step 5.
If everything is configured properly, the username@domain name is used to verify that the user is a VPDN client and to provide a mapping to a specific endpoint LNS. The tunnel endpoints (LAC and LNS) authenticate each other, and the tunnel opens.

L2TP tunnels are described by identifiers that have only local significance at each end of the tunnel. The LAC and LNS ends of the tunnel have different tunnel IDs. The tunnel ID sent in each message is that of the recipient's end of the tunnel, not the sender. Tunnel IDs are selected and exchanged during the tunnel setup process. The LAC uses the tunnel ID declared by the LNS, and the LNS uses the ID declared by the LAC.

As soon as the tunnel exists, an L2TP session is created for the end user. L2TP defines that multiple PPP connections can share the same tunnel using independent sessions. L2TP sessions exist within the tunnel and also have session identifiers defined during the session setup process. Like the tunnel IDs, these session IDs also have only local significance. The session ID sent in a message is that of the recipient's side, not that of the sender's side.

The end result is that the exchange process appears to be between the dialup client and the remote LNS exclusively, as if no intermediary device (the LAC) were involved. PPP frames from remote users are accepted by the ISP's POP, encapsulated in L2TP, and forwarded over the appropriate tunnel. The customer's home gateway accepts these L2TP frames, strips the L2TP encapsulation, and processes the incoming frames.
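Step 5 of the procedure above and the tunnel ID paragraphs, as an added example that is not from the book: a simulation of the SCCRQ/SCCRP/SCCCN exchange in which each end picks its own tunnel ID, addresses the peer by the peer's ID, and verifies the other end with the RFC 2661 tunnel challenge/response (MD5 over the message type octet, the shared secret and the challenge). The Endpoint class, the message dicts and the secrets are my own constructions, not the book's or Cisco's code.

```python
import hashlib, hmac, os, secrets

SCCRQ, SCCRP, SCCCN = 1, 2, 3  # RFC 2661 control message types used to open a tunnel

def chap_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 tunnel authentication: MD5(message-type octet || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()

class Endpoint:
    """One tunnel end (LAC or LNS). Tunnel IDs are chosen locally and mean nothing to the peer."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret
        self.local_id = secrets.randbelow(0xFFFF) + 1  # non-zero ID the peer must send to us
        self.peer_id = 0              # unknown until the peer's Assigned Tunnel ID arrives
        self.challenge = os.urandom(16)
        self.established = False

    def _check_addressed_to_me(self, msg: dict) -> None:
        # Every message carries the *recipient's* ID; only an SCCRQ may use 0 (ID not yet known).
        if msg["tunnel_id"] != (0 if msg["type"] == SCCRQ else self.local_id):
            raise ValueError(f"{self.name}: tunnel ID {msg['tunnel_id']} is not mine")

    def sccrq(self) -> dict:  # LAC: declare my ID and challenge the LNS
        return {"type": SCCRQ, "tunnel_id": 0, "assigned_id": self.local_id, "challenge": self.challenge}

    def on_sccrq(self, msg: dict) -> dict:  # LNS: adopt the LAC's ID, answer, issue own challenge
        self._check_addressed_to_me(msg)
        self.peer_id = msg["assigned_id"]
        return {"type": SCCRP, "tunnel_id": self.peer_id, "assigned_id": self.local_id,
                "challenge": self.challenge, "response": chap_response(SCCRP, self.secret, msg["challenge"])}

    def on_sccrp(self, msg: dict) -> dict:  # LAC: verify the LNS, adopt its ID, answer its challenge
        self._check_addressed_to_me(msg)
        if not hmac.compare_digest(msg["response"], chap_response(SCCRP, self.secret, self.challenge)):
            raise PermissionError(f"{self.name}: LNS failed tunnel authentication")
        self.peer_id, self.established = msg["assigned_id"], True
        return {"type": SCCCN, "tunnel_id": self.peer_id,
                "response": chap_response(SCCCN, self.secret, msg["challenge"])}

    def on_scccn(self, msg: dict) -> None:  # LNS: verify the LAC; the tunnel is open both ways
        self._check_addressed_to_me(msg)
        if not hmac.compare_digest(msg["response"], chap_response(SCCCN, self.secret, self.challenge)):
            raise PermissionError(f"{self.name}: LAC failed tunnel authentication")
        self.established = True

def open_tunnel(lac: Endpoint, lns: Endpoint) -> bool:
    """Run SCCRQ -> SCCRP -> SCCCN; False if either side rejects the other's response."""
    try:
        lns.on_scccn(lac.on_sccrp(lns.on_sccrq(lac.sccrq())))
    except PermissionError:
        return False
    return lac.established and lns.established
```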

L2TP IP Addressing

A Network Control Protocol (NCP) negotiates which Layer 3 protocol the PPP link carries. For IP, the NCP is IPCP. During IPCP negotiation, the Cisco 6400 or a similar device can dynamically assign IP addresses over PPP.

IPCP, a function of PPP, is a means by which a remote host (computer) gains an IP address when connected to the IP-based Internet. This address is used to route data to that host while the host is communicating across the Internet.

PPP/IPCP and DHCP are different methods of assigning addresses. The former method is valid only for PPPoA and PPPoE, and the latter address assignment method is valid for all DSL network architectures, including bridging. For the DHCP method, the gateway router or RADIUS server allocates the IP address to the xTU-R. The xTU-R acts as a DHCP server for the PC connected to the LAN interface.

For the host PPP session, you can use local pools, RADIUS, or Proxy RADIUS. If you are using L2TP multihop, the host gets a new IP address from the service provider during L2TP tunnel negotiations. These addresses are not routable within the service provider core.

Advantages and Disadvantages of L2TP

Advantages and disadvantages of L2TP include the following:

  • L2TP is a good solution for roaming customers and combinations of remote sites. It can also be used with simple, legacy DSL CPE.

  • L2TP requires one tunnel (or more) per service provider per POP. Each router, such as each node route processor on the Cisco 6400, establishes one tunnel with the service provider's LNS. This might demand more hardware. The available number of tunnels and sessions per tunnel might limit very large deployments.

  • L2TP requires an IP path between the hosts and the aggregator, which adds some complexity to the initial configuration.

L2TP Summary

Tunneling provides the security and standardization of a private network, transparent to the user within the public network. The components of L2TP tunneling are the L2TP access concentrator and the L2TP network server. A tunnel is a virtual pipe between the LAC and the LNS. The tunnel and the interim sessions have identification numbers of local significance only. An AAA server can be used to store both tunnel and user attributes. L2TP can support either PPPoA or PPPoE encapsulation on the PVC coming from the CPE.
