Dual Boxing Programs L2tp
TIP Here are two more uses for VPN. First, when you connect to a Wi-Fi hotspot, you can use a VPN to secure your Internet traffic against snooping. Second, you can use a VPN when you need to make your computer appear to be in a different location than it actually is.
For example, if you subscribe to a U.S.-based media service, you may not be able to access it when you travel abroad. But by connecting to a VPN server within the U.S., you can make your computer appear to be in the country, enabling you to use the service. Leading VPN services include IPVanish, StrongVPN, and CyberGhost VPN.

Setting Up a VPN Connection

To set up a VPN connection on your computer, you’ll need to know the following:
• VPN type. This can be PPTP, L2TP/IPSec, SSTP, or IKEv2.
• Server address. This can be a server name (such as vpnserv.surrealpcs.com) or an IP address (such as 209.14.241.1).
• L2TP secret. This is a text string used for securing some L2TP connections.
• IPSec identifier. This is a text string used for some IPSec connections.
• IPSec preshared key. This is a text string used for some IPSec connections.

Ask the VPN’s administrator for this information.
Ask also for your user name and password for the VPN connection. You don’t need these for setting up the connection, but you’ll need them when you connect.

When you’ve gathered this information, follow these steps to set up the VPN on your computer:
• Choose Start, Settings to open a Settings window.
• Choose Network & Internet to display the Network & Internet screen.
• Choose VPN in the left pane to display the VPN pane.
• Choose Add a VPN Connection to display the Add a VPN Connection pane (shown in with settings chosen).

In the Add a VPN Connection pane, enter the details for the VPN connection and click Save.

• Open the VPN Provider drop-down menu and choose the provider. If you’re not sure what the provider is, choose Windows (Built-In).
• Type a descriptive name for the connection in the Connection Name box. This name is to help you identify the VPN—for example, Work VPN.
• Type the server’s hostname (such as vpn1.surrealpcs.com) or IP address (such as 205.14.152.18) in the Server Name or Address box.
• Open the VPN Type drop-down menu and choose the VPN type, such as Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).
• Open the Type of Sign-In Info drop-down menu and then choose User Name and Password, Smart Card, or One-Time Password, as appropriate.
• For a VPN that uses a user name for signing in, type the user name in the User Name box.

NOTE The User Name box and Password box are marked “optional” because, instead of entering them while setting up the connection, you can enter them each time you use the connection. Entering your credentials each time is more secure but takes more time and effort.

• For a VPN that uses a password for signing in, type the password in the Password box.
• Check the Remember My Sign-In Info check box if you want Windows to store your sign-in information.
• Click Save.

Connecting via the VPN

After you’ve set up a VPN connection, you can connect via the VPN like this:
• Choose Start, Settings to open a Settings window.
• Choose Network & Internet to display the Network & Internet screen.
• Choose VPN in the left pane to display the VPN pane.
• Click the VPN in the VPN list to display control buttons for it (see ).

In the VPN pane in the Settings app, click the VPN to display its control buttons, and then click Connect.

• Click Connect.
Windows establishes the connection, and then displays the Connected readout and the Disconnect button. After connecting, you can work across the VPN connection in much the same way as a local network connection. Normally, the speeds will be much slower across the VPN, so you may need to be patient while transferring data. When you’re ready to stop using the VPN, click the Disconnect button in the VPN pane. If you’ve left the VPN pane open, you can go straight there; if you’ve closed it, click the Network icon in the notification area, click the VPN’s name at the top of the network fly-out, click the VPN’s name in the VPN pane, and then click Disconnect.
Layer 2 Tunnel Protocol Version 3

The Layer 2 Tunnel Protocol Version 3 feature expands on Cisco support of the Layer 2 Tunnel Protocol Version 3 (L2TPv3). L2TPv3 is an Internet Engineering Task Force (IETF) l2tpext working group draft that provides several enhancements to L2TP for the capability to tunnel any Layer 2 payload over L2TP. Specifically, L2TPv3 defines the L2TP protocol for tunneling Layer 2 payloads over an IP core network using Layer 2 virtual private networks (VPNs).

Benefits of this feature include the following:
• L2TPv3 simplifies deployment of VPNs
• L2TPv3 does not require Multiprotocol Label Switching (MPLS)
• L2TPv3 supports Layer 2 tunneling over IP for any payload

Feature Specifications for Layer 2 Tunneling Protocol Version 3

Release and modification:
• 12.0(21)S: Initial data plane support for L2TPv3 was introduced on the Cisco 7200 series, Cisco 7500 series, Cisco 10720, and Cisco 12000 series platforms.
• 12.0(23)S: L2TPv3 control plane support was introduced on the Cisco 7200 series, Cisco 7500 series, Cisco 10720, and Cisco 12000 series platforms.
• 12.0(24)S: L2TPv3 was enhanced to support fragmentation of IP packets before entering the pseudowire on the Cisco 7200 series, Cisco 7500 series, and Cisco 12000 series Internet routers.
• 12.0(25)S: Support was added for the ATM VP Mode Single Cell Relay over L2TPv3 feature on the Cisco 7200 and Cisco 7500 series routers with ATM Deluxe PA-A3 interfaces.
• 12.0(23)S3, 12.0(24)S1, 12.0(25)S: L2TPv3 control plane support was introduced on the Cisco 12000 series One-Port Channelized OC-12(DS3) line card.
• 12.0(27)S: Support for the following features was added to Cisco 12000 series Two-Port Channelized OC-3/STM-1 (DS1/E1) and Six-Port Channelized T3 (T1) line cards:
  – QoS for Frame Relay attachment circuits
  – Binding L2TPv3 sessions to Multilink Frame Relay (MLFR) interfaces

Note: Software images for Cisco 12000 series Internet routers have been deferred to Cisco IOS Release 12.0(27)S1.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Prerequisites for Layer 2 Tunnel Protocol Version 3

• Before you configure an Xconnect attachment circuit for a customer edge (CE) device (see the section '), the CEF feature must be enabled. To enable CEF on an interface, use the ip cef or ip cef distributed command.
• You must configure a loopback interface on the router for originating and terminating the L2TPv3 traffic. The loopback interface must have an IP address that is reachable from the remote PE device at the other end of an L2TPv3 control channel.
• To enable Simple Network Management Protocol (SNMP) notifications of L2TP session up and down events, enter the snmp-server enable traps l2tun session command before configuring L2TPv3.

Note: The UTI keepalive feature will not be migrated. The UTI keepalive feature will no longer be supported in post-L2TPv3 releases. You should convert to using dynamic L2TPv3 sessions in order to preserve the functionality provided by the UTI keepalive.

In, the PE routers R1 and R2 provide L2TPv3 services. The R1 and R2 routers communicate with each other using a pseudowire over the IP backbone network through a path comprising the interfaces int1 and int2, the IP network, and interfaces int3 and int4. In this example, the CE routers R3 and R4 communicate through a pair of Xconnect Ethernet or 802.1q VLAN interfaces using an L2TPv3 session. The L2TPv3 session tu1 is a pseudowire configured between interface int1 on R1 and interface int4 on R2. Any packet arriving on interface int1 on R1 is encapsulated and sent via the pseudowire control channel (tu1) to R2. R2 decapsulates the packet and sends it on interface int4 to R4. When R4 needs to send a packet to R3, the packet follows the same path in reverse.

Please note the following features regarding L2TPv3 operation:
• All packets received on interface int1 will be forwarded to R4. R3 and R4 cannot detect the intervening network.
• For Ethernet interfaces, any packet received from LAN1 by R1 on Ethernet interface e1 will be encapsulated directly in IP and sent via the pseudowire session tu2 to R2 interface e2, where it will be sent on LAN2.
• A VLAN on an Ethernet interface can be mapped to an L2TPv3 session.
• For Cisco 12000 series Internet routers, the other LAN ports on the 8-port Fast Ethernet line card that are not being used for L2TPv3 must have a router connected to them: When content-addressable memory (CAM) assisted MAC filtering is turned OFF to allow L2TPv3 to work, it is turned OFF on all ports.

Benefits of Using L2TPv3

L2TPv3 Simplifies Deployment of VPNs
L2TPv3 is an industry-standard Layer 2 tunneling protocol that ensures interoperability among vendors, increasing customer flexibility and service availability.

L2TPv3 Does Not Require MPLS
With L2TPv3 service providers need not deploy MPLS in the core IP backbone to set up VPNs using L2TPv3 over the IP backbone, resulting in operational savings and increased revenue.

L2TPv3 Supports Layer 2 Tunneling over IP for Any Payload
L2TPv3 provides enhancements to L2TP to support Layer 2 tunneling of any payload over an IP core network. L2TPv3 defines the base L2TP protocol as being separate from the Layer 2 payload that is tunneled.

L2TPv3 Header Description

The migration from UTI to L2TPv3 also requires the standardization of the UTI header. As a result, the L2TPv3 header has the new format shown in.
Each L2TPv3 packet contains an L2TPv3 header that includes a unique session ID representing one session and a variable cookie length. The L2TPv3 session ID and the Tunnel Cookie field length are assigned via the CLI. See the section ' for more information on the CLI commands for L2TPv3.

Figure 2 L2TPv3 Header Format
• IP Delivery Header (20 bytes), Protocol ID: 115
• L2TPv3 Header consisting of:
  – Session ID (4 bytes)
  – Cookie (0, 4, or 8 bytes)
  – Pseudowire Control Encapsulation (4 bytes by default)
• Layer 2 Payload

Session ID

The L2TPv3 session ID is similar to the UTI session ID, and identifies the session context on the decapsulating system. For dynamic sessions, the value of the session ID is selected to optimize the context identification efficiency of the decapsulating system. A decapsulation implementation may therefore elect to support a smaller session ID bit field. In this L2TPv3 implementation, an upper value for the L2TPv3 session ID was set at 023. The L2TPv3 session ID value 0 is reserved for use by the protocol. For static sessions, the session ID is manually configured.

Note: The local session ID must be unique on the decapsulating system and is restricted to the least significant ten bits.

Session Cookie

The L2TPv3 header contains a control channel cookie field that is similar to the UTI control channel key field. The control channel cookie field, however, has a variable length of 0, 4, or 8 bytes according to the cookie length supported by a given platform for packet decapsulation. The control channel cookie length can be manually configured for static sessions, or dynamically determined for dynamic sessions.
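
The header layout of Figure 2, as an added example that is not part of the original Cisco text: a decapsulating endpoint looks up the session ID, checks the configured cookie, and decodes the 4-byte pseudowire control encapsulation. The function names, the sample cookie and the sample frame are constructed for illustration, and the position of the sequence-valid flag (bit 1, mask 0x40000000) is an assumption taken from the default Layer 2-specific sublayer of RFC 3931.

```python
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

IPPROTO_L2TPV3 = 115                   # IP protocol ID shown in Figure 2
MAX_LOCAL_SESSION_ID = (1 << 10) - 1   # page note: least significant ten bits
VALID_COOKIE_LENGTHS = (0, 4, 8)       # cookie is 0, 4, or 8 bytes
S_BIT = 0x40000000                     # assumption: RFC 3931 default sublayer, bit 1
SEQ_MASK = 0x00FFFFFF                  # bits 8 to 31 carry the sequence number

# Constructed sample values, not taken from any real deployment.
SAMPLE_COOKIE = bytes.fromhex("0011223344556677")
SAMPLE_FRAME = bytes.fromhex("ffffffffffff0200000000010800") + b"payload"


class DecapError(ValueError):
    """Raised when a received packet must be dropped."""


@dataclass(frozen=True)
class Session:
    cookie: bytes             # expected cookie for this local session
    l2_sublayer: bool = True  # whether the 4-byte control encapsulation is present


@dataclass(frozen=True)
class DataPacket:
    session_id: int
    sequence: Optional[int]   # None when the sequence-valid flag is clear
    payload: bytes            # the tunneled Layer 2 frame


def add_session(table: Dict[int, Session], session_id: int, cookie: bytes,
                l2_sublayer: bool = True) -> None:
    """Register a static session; 0 is reserved and IDs are limited to ten bits."""
    if not 1 <= session_id <= MAX_LOCAL_SESSION_ID:
        raise ValueError("session ID out of range")
    if len(cookie) not in VALID_COOKIE_LENGTHS:
        raise ValueError("cookie must be 0, 4, or 8 bytes")
    table[session_id] = Session(cookie, l2_sublayer)


def encapsulate(session_id: int, cookie: bytes, frame: bytes,
                sequence: Optional[int] = None, l2_sublayer: bool = True) -> bytes:
    """Build the bytes that follow the IP delivery header."""
    header = struct.pack("!I", session_id) + cookie
    if l2_sublayer:
        word = 0 if sequence is None else S_BIT | (sequence & SEQ_MASK)
        header += struct.pack("!I", word)
    return header + frame


def decapsulate(table: Dict[int, Session], ip_payload: bytes) -> DataPacket:
    """Parse one data packet, dropping it unless session ID and cookie match."""
    if len(ip_payload) < 4:
        raise DecapError("truncated: no session ID")
    (session_id,) = struct.unpack_from("!I", ip_payload, 0)
    if session_id == 0:
        raise DecapError("session ID 0 is reserved")
    session = table.get(session_id)
    if session is None:
        raise DecapError("unknown session ID")
    offset = 4
    cookie_len = len(session.cookie)
    needed = offset + cookie_len + (4 if session.l2_sublayer else 0)
    if len(ip_payload) < needed:
        raise DecapError("truncated header")
    received = ip_payload[offset:offset + cookie_len]
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(received, session.cookie):
        raise DecapError("cookie mismatch")
    offset += cookie_len
    sequence = None
    if session.l2_sublayer:
        (word,) = struct.unpack_from("!I", ip_payload, offset)
        if word & S_BIT:
            sequence = word & SEQ_MASK
        offset += 4
    return DataPacket(session_id, sequence, ip_payload[offset:])


if __name__ == "__main__":
    sessions: Dict[int, Session] = {}
    add_session(sessions, 5, SAMPLE_COOKIE)
    print(decapsulate(sessions, encapsulate(5, SAMPLE_COOKIE, SAMPLE_FRAME, sequence=7)))
```

Because the receiver derives the cookie length from its own session entry, both ends must be configured with the same length; a peer sending a different length fails the cookie or length check and the packet is dropped.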
The variable cookie length does not present a problem when the same platform is at both ends of an L2TPv3 control channel. However, when different platforms interoperate across an L2TPv3 control channel, both platforms need to encapsulate packets with a 4-byte cookie length.

Pseudowire Control Encapsulation

The L2TPv3 pseudowire control encapsulation consists of 32 bits (4 bytes) and contains information used to sequence L2TP packets (see the section '). For the purposes of sequencing, only the first bit and bits 8 to 31 are relevant. Bit 1 indicates whether the Sequence Number field, bits 8 to 31, contains a valid sequence number and is to be updated.

L2TPv3 Features

L2TPv3 provides Xconnect support for Ethernet, 802.1q (VLAN), Frame Relay, HDLC, and PPP, using the sessions described in the following sections:
• Static L2TPv3 Sessions (nonnegotiated, PVC-like forwarded sessions)
• Dynamic L2TPv3 Sessions (negotiated, forwarded sessions using the L2TPv3 control plane for session negotiation)

L2TPv3 also includes support for the features described in the following sections:
• Sequencing
• Local Switching
• Distributed Switching
• IP Packet Fragmentation
• L2TPv3 Type of Service Marking
• Keepalive
• MTU Handling

Static L2TPv3 Sessions

Typically, the L2TP control plane is responsible for negotiating session parameters, such as the session ID or the cookie, in order to set up the session.
However, some IP networks require sessions to be configured so that no signaling is required for session establishment. You can, therefore, set up static L2TPv3 sessions for a PE router by configuring fixed values for the fields in the L2TP data header. A static L2TPv3 session allows the PE to tunnel Layer 2 traffic as soon as the attachment circuit to which the session is bound comes up.

Note: In an L2TPv3 static session, you can still run the L2TP control channel to perform peer authentication and dead-peer detection. If the L2TP control channel cannot be established or is torn down because of a hello failure, the static session is also torn down.

When you use a static L2TPv3 session, you cannot perform circuit interworking, such as LMI, because there is no facility to exchange control messages. To perform circuit interworking, you must use a dynamic session.

Dynamic L2TPv3 Sessions

A dynamic L2TP session is established through the exchange of control messages containing attribute-value pairs (AVPs). Each AVP contains information about the nature of the Layer 2 link being forwarded: the payload type, virtual circuit (VC) ID, and so on. Multiple L2TP sessions (one for each forwarded Layer 2 circuit) can exist between a pair of PEs, and can be maintained by a single control channel. Session IDs and cookies are dynamically generated and exchanged as part of a dynamic session setup. Information such as sequencing configuration is also exchanged. Circuit state changes (UP/DOWN) are conveyed using the SLI message.

Sequencing

Although the correct sequence of received Layer 2 frames is guaranteed by some Layer 2 technologies (by the nature of the link, such as a serial line) or the protocol itself, forwarded Layer 2 frames may be lost, duplicated, or reordered when they traverse a network as IP packets. If the Layer 2 protocol does not provide an explicit sequencing mechanism, you can configure L2TP to sequence its data packets according to the data channel sequencing mechanism described in the L2TPv3 IETF l2tpext working group draft.

A receiver of L2TP data packets mandates sequencing through the Sequencing Required AVP when the session is being negotiated. A sender that receives this AVP (or that is manually configured to send sequenced packets) uses the Layer 2-specific pseudowire control encapsulation defined in L2TPv3.

Currently, you can configure L2TP only to drop out-of-order packets; you cannot configure L2TP to deliver the packets out-of-order. No reordering mechanism is available.

Local Switching

Local switching (from one port to another port in the same router) is supported for both static and dynamic sessions. You must configure separate IP addresses for each Xconnect statement. See the section ' for an example of how to configure local port switching.

Distributed Switching

Distributed Cisco Express Forwarding (dCEF) switching is supported for L2TP on the Cisco 7500 series and Cisco 12000 series Internet routers.

Note: For the Cisco 7500 series, sequencing is supported, but all L2TP packets that require sequence number processing are sent to the RSP. Sequencing is not supported for the Cisco 12000 series Internet routers in Release 12.0(24)S. On the Cisco 12000 series Internet routers, sequencing will be supported in a future release with sequence number processing done by the server card fast path.
IP Packet Fragmentation

It is desirable to avoid fragmentation issues in the service provider network because reassembly is computationally expensive. The easiest way to avoid fragmentation issues is to configure the CE routers with an MTU value that is smaller than the pseudowire path MTU. However, in scenarios where this is not an option, fragmentation issues must be considered.

Previously, L2TP supported only the following options for packet fragmentation when a packet is determined to exceed the L2TP path MTU:
• Unconditionally drop the packet
• Fragment the packet after L2TP/IP encapsulation
• Drop the packet and send an Internet Control Message Protocol (ICMP) unreachable message back to the CE router

Cisco IOS Release 12.0(24)S introduces the ability to allow IP traffic from the CE router to be fragmented before the data enters the pseudowire, forcing the computationally expensive reassembly to occur in the CE network rather than in the service provider network. The number of fragments that must be generated is determined based on the discovered pseudowire path MTU. The original L2 header is then copied to each of the generated fragments, the L2TP/IP encapsulation is added, and the frames are then forwarded.

This feature will be implicitly enabled whenever the ip pmtu command is enabled in the pseudowire class. It will be applied to any packets received from the CE network that have a Don't Fragment (DF) bit set to 0 and that exceed the L2TP path MTU in size.

Fragmentation of IP packets before the data enters the pseudowire is supported on the Cisco 7200 series, Cisco 7500 series, and Cisco 12000 Internet Routers in Cisco IOS Release 12.0(24)S.

L2TPv3 Type of Service Marking

When Layer 2 traffic is tunneled across an IP network, information contained in the ToS bits may be transferred to the L2TP-encapsulated IP packets in one of the following ways:
• If the tunneled Layer 2 frames encapsulate IP packets themselves, it may be desirable to simply copy the ToS bytes of the inner IP packets to the outer IP packet headers. This action is known as 'ToS byte reflection.'
• Static ToS byte configuration. You specify the ToS byte value used by all packets sent across the pseudowire.
• On the Cisco 10720, ToS configuration can be done using MQC. If both static ToS byte configuration and MQC ToS byte configuration are implemented, the MQC configuration will take precedence.

See the section ' for more information about how to configure ToS information.

Keepalive

The keepalive mechanism for L2TPv3 extends only to the endpoints of the tunneling protocol. L2TP has a reliable control message delivery mechanism that serves as the basis for the keepalive mechanism. The keepalive mechanism consists of an exchange of L2TP hello messages. If a keepalive mechanism is required, the control plane is used, although it may not be used to bring up sessions. You can manually configure sessions.
In the case of static L2TPv3 sessions, a control channel between the two L2TP peers is negotiated through the exchange of start control channel request (SCCRQ), start control channel reply (SCCRP), and start control channel connected (SCCCN) control messages. The control channel is responsible only for maintaining the keepalive mechanism through the exchange of hello messages. The interval between hello messages is configurable per control channel. If one peer detects that the other has gone down through the keepalive mechanism, it sends a StopCCN control message and then notifies all of the pseudowires to the peer about the event. This notification results in the teardown of both manually configured and dynamic sessions.

MTU Handling

It is important that you configure an MTU appropriate for each L2TPv3 tunneled link. The configured MTU size ensures the following:
• The lengths of the tunneled Layer 2 frames fall below the MTU of the destination attachment circuit
• The tunneled packets are not fragmented, which forces the receiving PE to reassemble them

L2TPv3 handles the MTU as follows:
• The default behavior is to fragment packets that are larger than the session MTU. The one exception is on Cisco 12000 series Internet routers, where fragmentation of tunneled packets is not allowed.
• If you enable the ip dfbit set command in the pseudowire class, the default MTU behavior changes so that any packets that cannot fit within the tunnel MTU are dropped.
• If you enable the ip pmtu command in the pseudowire class, the L2TPv3 control channel participates in the path MTU discovery. When you enable this feature, the following processing is performed:
  – ICMP unreachable messages sent back to the L2TPv3 router are deciphered and the tunnel MTU is updated accordingly. In order to receive ICMP unreachable messages for fragmentation errors, the DF bit in the tunnel header is set according to the DF bit value received from the CE, or statically if the ip dfbit set option is enabled. The tunnel MTU is periodically reset to the default value based on a periodic timer.
  – ICMP unreachable messages are sent back to the clients on the CE side. ICMP unreachable messages are sent to the CE whenever IP packets arrive on the CE-PE interface and have a packet size greater than the tunnel MTU.
A Layer 2 header calculation is performed before the ICMP unreachable message is sent to the CE.

L2TPv3 and UTI Feature Comparison

The following compares L2TPv3 and UTI support.

Maximum number of sessions
  L2TPv3: Cisco 7200 series: 3000; Cisco 7500 series: 3000; Cisco 10720: 2000; Cisco 12000 series: 2000
  UTI: Cisco 7200 series: 1000; Cisco 7500 series: 1000; Cisco 10720 series: 1000; Cisco 12000 series: 1000

Tunnel cookie length
  L2TPv3: 0-, 4-, or 8-byte cookies are supported for the Cisco 7200 series and the Cisco 7500 series routers. For the Cisco 10720 Internet router and the Cisco 12000 series Internet routers, only 8-byte cookies can be received in Release 12.0(24)S; 0-, 4-, or 8-byte cookies can be sent.
  UTI: 8 bytes

Static sessions
  L2TPv3: Supported in Release 12.0(21)S.
  UTI: Supported

Dynamic sessions
  L2TPv3: Supported in Release 12.0(23)S.
  UTI: Not supported

Static ToS
  L2TPv3: Supported in Release 12.0(23)S.
  UTI: Supported

MQC ToS
  L2TPv3: Supported in Release 12.0(23)S for the Cisco 10720 only.
  UTI: Supported

Inner IP ToS mapping
  L2TPv3: Supported on the Cisco 7200 series routers, Cisco 7500 series routers, and the Cisco 12000 series Internet routers. To be supported in a future release for the Cisco 10720 Internet router.
  UTI: Not supported

802.1p mapping
  L2TPv3: Supported in Release 12.0(23)S for the Cisco 10720 only.
  UTI: Not supported

Keepalive
  L2TPv3: Supported in Release 12.0(23)S.
  UTI: Supported on the Cisco 10720 only.

Path MTU discovery
  L2TPv3: Supported on the Cisco 7200 series, Cisco 7500 series, and the Cisco 12000 series Internet routers. To be supported in a future release for the Cisco 10720 Internet router.
  UTI: Not supported

ICMP unreachable
  L2TPv3: Supported on the Cisco 7200 series, Cisco 7500 series, and Cisco 12000 Internet routers. To be supported in a future release for the Cisco 10720 Internet router.
  UTI: Not supported

VLAN rewrite
  L2TPv3: Supported on the Cisco 7200 series, Cisco 7500 series, and the Cisco 10720 Internet router in Release 12.0(23)S. To be supported in a future release for Cisco 12000 series Internet routers.
  UTI: Supported

VLAN and non-VLAN translation
  L2TPv3: To be supported in a future release.
  UTI: Supported on the Cisco 10720 only.

Port trunking
  L2TPv3: Supported in Release 12.0(23)S.
  UTI: Supported

IS-IS packet fragmentation through an L2TPv3 session
  L2TPv3: Supported on the Cisco 7200 series, Cisco 7500 series, and Cisco 12000 series Internet routers. To be supported in a future release for the Cisco 10720 Internet router.
  UTI: Not supported

IP packet fragmentation through an L2TPv3 session
  L2TPv3: Supported on the Cisco 7200 series, Cisco 7500 series, and Cisco 12000 Internet routers in Release 12.0(24)S. To be supported in a future release for the Cisco 10720 Internet router.
  UTI: Not supported

Payload sequence number checking
  L2TPv3: To be supported in a future release.
  UTI: Not supported

MIB support
  L2TPv3: VPDN MIB for the pseudowire. IfTable MIB for the attachment circuit.
  UTI: IfTable MIB for the session interface.

Supported L2TPv3 Payloads

L2TPv3 supports the following Layer 2 payloads that can be included in L2TPv3 packets tunneled over the pseudowire: • • • • • •.
Note: Each L2TPv3 tunneled packet includes the entire Layer 2 frame of the payloads described in this section. If sequencing is required (see the section '), a Layer 2-specific sublayer (see the section ') is included in the L2TPv3 header to provide the Sequence Number field.

Frame Relay

L2TPv3 supports the Frame Relay functionality described in the following sections:
• Port-to-Port Trunking
• DLCI-to-DLCI Switching
• PVC Status Signaling
• Sequencing
• ToS Marking
• CIR Guarantees
• Binding L2TPv3 Sessions to Multilink Frame Relay Interfaces

Port-to-Port Trunking

Port-to-port trunking is where two CE Frame Relay interfaces are connected as by a leased line (UTI 'raw' mode). All traffic arriving on one interface is forwarded transparently across the pseudowire to the other interface.

For example, in, if the two CE routers are connected by a virtual leased line, the PE routers transparently transport all packets between CE R3 and CE R4 over a pseudowire. PE R1 and PE R2 do not examine or change the DLCIs, and do not participate in the LMI protocol. The two CE routers are LMI peers. There is nothing Frame Relay-specific about this service as far as the PE routers are concerned. The CE routers should be able to use any encapsulation based on HDLC framing without needing to change the provider configuration.

DLCI-to-DLCI Switching

Frame Relay DLCI-to-DLCI switching is where individual Frame Relay DLCIs are connected to create an end-to-end Frame Relay PVC. Traffic arriving on a DLCI on one interface is forwarded across the pseudowire to another DLCI on the other interface.

For example, in, CE R3 and PE R1 are Frame Relay LMI peers; CE R4 and PE R2 are also LMI peers. You can use a different type of LMI between CE R3 and PE R1 compared to what you use between CE R4 and PE R2.

The CE devices may be a Frame Relay switch or end-user device. Each Frame Relay PVC is composed of multiple segments. The DLCI value is local to each segment and is changed as traffic is switched from segment to segment. Note that, in, two Frame Relay PVC segments are connected by a pseudowire. Frame Relay header flags (FECN, BECN, C/R, DE) are preserved across the pseudowire.

PVC Status Signaling

PVC status signaling is propagated toward Frame Relay end users by the LMI protocol. You can configure the LMI to operate in any of the following modes:
• UNI DTE mode—PVC status is not reported, only received.
• UNI DCE mode—PVC status is reported but not received.
• NNI mode—PVC status is reported and received independently.

L2TPv3 supports all three modes.

The PVC status should be reported as ACTIVE only if the PVC is available from the reporting device to the Frame Relay end-user device. All interfaces, line protocols, and pseudowires must be operational between the reporting device and the Frame Relay end-user device.

Note that any keepalive functions on the session are independent of Frame Relay, but any state changes that are detected are fed into the PVC status reporting. For example, the L2TP control channel uses hello packets as a keepalive function. If the L2TPv3 keepalive fails, all L2TPv3 sessions are torn down. Loss of the session is notified to Frame Relay, which can then report PVCs INACTIVE to the CE devices.

For example, in, CE R3 reports ACTIVE to PE R1 only if the PVC is available within CE R3. When CE R3 is a switch, it reports all the way to the user device in the customer network. PE R1 reports ACTIVE to CE R3 only if the PVC is available within PE R1 and all the way to the end-user device (via PE R2 and CE R3) in the other customer VPN site.

The ACTIVE state is propagated hop-by-hop, independently in each direction, from one end of the Frame Relay network to the other end.

Sequencing

Frame Relay provides an ordered service in which packets sent to the Frame Relay network by one end-user device are delivered in order to the other end-user device. When switching is occurring over the pseudowire, packet ordering must be able to be preserved with a very high probability to closely emulate a traditional Frame Relay service. If the CE router is not using a protocol that can detect misordering itself, configuring sequence number processing may be important. For example, if the Layer 3 protocol is IP and Frame Relay is therefore used only for encapsulation, sequencing is not required. To detect misordering, you can configure sequence number processing separately for transmission or reception.
For more information about how to configure sequencing, see the section '.'

ToS Marking

The ToS bytes in the IP header can be statically configured or reflected from the internal IP header. The Frame Relay DE bit does not influence the ToS bytes.

CIR Guarantees

In order to provide committed information rate (CIR) guarantees, you can configure a queueing policy that provides bandwidth to each DLCI to the interface facing the customer network on the egress PE.

Note: In Cisco IOS Release 12.0(24)S, CIR guarantees are supported only on the Cisco 7500 series with dCEF. This support requires that the core has sufficient bandwidth to handle all CE traffic and that the congestion occurs only at the egress PE.

Binding L2TPv3 Sessions to Multilink Frame Relay Interfaces

The configuration of an L2TPv3 session on a Multilink Frame Relay (MLFR) bundle interface is supported only on Cisco 12000 Series Two-Port Channelized OC-3/STM-1 (DS1/E1) and Six-Port Channelized T3 (T1) line cards.

The Multilink Frame Relay feature introduces functionality based on the Frame Relay Forum Multilink Frame Relay UNI/NNI Implementation Agreement (FRF.16). This feature provides a cost-effective way to increase bandwidth for particular applications by enabling multiple serial links to be aggregated into a single bundle of bandwidth.

For an example of how to configure L2TPv3 tunneling on a multilink Frame Relay bundle interface, see. For information about how to configure and use the MLFR feature, refer to the publication.

Ethernet

An Ethernet frame arriving at a PE router is simply encapsulated in its entirety with an L2TP data header. At the other end, a received L2TP data packet is stripped of its L2TP data header. The payload, an Ethernet frame, is then forwarded to the appropriate attachment circuit.
Because the L2TPv3 tunneling protocol serves essentially as a bridge, it need not examine any part of an Ethernet frame. Any Ethernet frame received on an interface is tunneled, and any L2TP-tunneled Ethernet frame is forwarded out the interface.

Note: Due to the way in which L2TPv3 handles Ethernet frames, an Ethernet interface must be configured to promiscuous mode in order to capture all traffic received on the Ethernet segment attached to the router. All frames will be tunneled through the L2TP pseudowire.

802.1q (VLAN)

L2TPv3 supports VLAN membership in the following ways:
• Port-based, in which untagged Ethernet frames are received.
• VLAN-based, in which tagged Ethernet frames are received.

In L2TPv3, Ethernet Xconnect supports port-based VLAN membership and the reception of tagged Ethernet frames. A tagged Ethernet frame contains a tag header (defined in 802.1Q), which is 4 bytes long and consists of a 2-byte tag protocol identifier (TPID) field and a 2-byte tag control information (TCI) field. The TPID indicates that a TCI follows. The TCI is further broken down into the following three fields:
• User priority field
• Canonical format indicator (CFI)
• A 12-bit VLAN ID (VID)

For L2TPv3, an Ethernet subinterface configured to support VLAN switching may be bound to an Xconnect service so that all Ethernet traffic, tagged with a VID specified on the subinterface, is tunneled to another PE.
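The tag layout described above, decoded in Python as an added example (not part of the Cisco documentation): it separates untagged from tagged frames, selects frames by the VID of a subinterface, and rewrites a VID while keeping the priority and CFI bits. The function names and sample frames are constructed for illustration, and the TPID is assumed to be the standard 0x8100.

```python
"""802.1Q tag handling on an Ethernet frame (added example, constructed data)."""
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100  # assumption: standard 802.1Q TPID; other TPIDs count as untagged


class Tag(NamedTuple):
    priority: int  # 3-bit user priority
    cfi: int       # 1-bit canonical format indicator
    vid: int       # 12-bit VLAN ID


def parse_tag(frame: bytes) -> Optional[Tag]:
    """Return the 802.1Q tag, or None for an untagged (port-based) frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)  # follows the two MAC addresses
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return Tag(priority=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)


def selected_for_tunnel(frame: bytes, subif_vid: int) -> bool:
    """True when the frame carries the VID configured on the subinterface."""
    tag = parse_tag(frame)
    return tag is not None and tag.vid == subif_vid


def rewrite_vid(frame: bytes, new_vid: int) -> bytes:
    """Replace only the 12 VID bits; priority, CFI and payload are untouched."""
    if not 0 <= new_vid <= 0x0FFF:
        raise ValueError("VID must fit in 12 bits")
    tag = parse_tag(frame)
    if tag is None:
        raise ValueError("untagged frame has no VID to rewrite")
    tci = (tag.priority << 13) | (tag.cfi << 12) | new_vid
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


# Constructed sample frames: destination MAC, source MAC, then type/tag fields.
MACS = bytes.fromhex("02000000000a" "020000000001")
# TCI 0xA005 = priority 5, CFI 0, VID 5
TAGGED = MACS + struct.pack("!HHH", TPID_8021Q, 0xA005, 0x0800) + b"payload"
UNTAGGED = MACS + struct.pack("!H", 0x0800) + b"payload"

if __name__ == "__main__":
    print(parse_tag(TAGGED))
    print(parse_tag(UNTAGGED))
    print(selected_for_tunnel(TAGGED, 5))
    print(parse_tag(rewrite_vid(TAGGED, 100)))
```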
The VLAN Ethernet frames are forwarded in their entirety. The receiving PE may rewrite the VID of the tunneled traffic to another value before forwarding the traffic onto an attachment circuit. To successfully rewrite VLANs, it may be necessary to disable the Spanning Tree Protocol (STP). This can be done on a per-VLAN basis by using the no spanning-tree vlan command.

Example: Router(config-l2tp-class)# timeout setup 400
(Optional) Configures the amount of time, in seconds, allowed to set up a control channel.
• Valid values for the seconds argument range from 60 to 6000. The default value is 300.

Configuring L2TP Control Channel Authentication Parameters

The following L2TP control channel authentication parameters can be configured in L2TP class configuration mode:
• Authentication for the L2TP control channel
• Local host name used for authenticating the control channel
• Hiding the AVPs in outgoing control messages
• Password used for control channel authentication and AVP hiding

This task configures a set of authentication control channel parameters in an L2TP class. All of the authentication control channel parameter configurations are optional and may be configured in any order. If these parameters are not configured, the default values will be applied.

SUMMARY STEPS
1. configure terminal
3. l2tp-class [ l2tp-class-name ]
4. authentication
5. hostname name
6. password [ encryption-type ] password

DETAILED STEPS

Example: Router(config-l2tp-class)# password tunnel2
(Optional) Configures the password used for control channel authentication.
• The valid values for the optional encryption type range from 0 to 7. If you do not use this command to specify a password, the password associated with the remote peer PE is taken from the value entered with the username password value global configuration command.

Configuring L2TP Control Channel Maintenance Parameters

The L2TP hello packet keepalive interval control channel maintenance parameter can be configured in L2TP class configuration mode. This task configures the interval used for hello messages in an L2TP class.
This control channel parameter configuration is optional. If this parameter is not configured, the default value will be applied.

SUMMARY STEPS
1. configure terminal
3. l2tp-class [ l2tp-class-name ]
4. hello interval

DETAILED STEPS

Example: Router(config-l2tp-class)# hello 100
(Optional) Specifies the exchange interval (in seconds) used between L2TP hello packets.
• Valid values for the interval argument range from 0 to 1000. The default value is 60.
Configuring the L2TPv3 Pseudowire

The pseudowire class configuration procedure creates a configuration template for the pseudowire. You use this template, or class, to configure session-level parameters for L2TPv3 sessions that will be used to transport attachment circuit traffic over the pseudowire. The pseudowire configuration specifies the characteristics of the L2TPv3 signaling mechanism, including the data encapsulation type, the control protocol, sequencing, fragmentation, payload-specific options, and IP properties. The setting that determines if signaling is used to set up the pseudowire is also included.

For simple L2TPv3 signaling configurations on most platforms, pseudowire class configuration is optional. However, specifying a source IP address to configure a loopback interface is highly recommended. If you do not configure a loopback interface, the router will choose the best available local address, which could be any IP address configured on a core-facing interface. This configuration could prevent a control channel from being established. On the Cisco 12000 series Internet routers, specifying a source IP address is mandatory, and you should configure a loopback interface that is dedicated for the use of L2TPv3 sessions exclusively. If you do not configure other pseudowire class configuration commands, the default values are used.

Once you specify the encapsulation l2tpv3 command, you cannot remove it using the no encapsulation l2tpv3 command. Nor can you change the command's setting using the encapsulation mpls command. Those methods result in the following error message.

Example: Router(config-pw)# protocol l2tpv3 class1
(Optional) Specifies the L2TPv3 signaling protocol to be used to manage the pseudowires created with the control channel parameters in the specified L2TP class (see the section ').
• If the l2tp-class-name argument is not specified, the default values for L2TP control channel parameters will be used. The default protocol option is l2tpv3.
• If you do not want to use signaling in the L2TPv3 sessions created with this pseudowire class, enter protocol none. (The protocol none configuration is necessary when configuring interoperability with a remote peer that runs UTI.)

Step 6 ip local interface interface-name.

Note: If you select L2TPv3 as your data encapsulation method, you must specify the pw-class keyword.
• The optional sequencing parameter specifies whether sequencing is required for packets that are received, sent, or both received and sent.

Manually Configuring L2TPv3 Session Parameters

When you bind an attachment circuit to an L2TPv3 pseudowire for Xconnect service using the xconnect l2tpv3 manual command (see the section ') because you do not want signaling, you must then configure L2TP-specific parameters to complete the L2TPv3 control channel configuration.

SUMMARY STEPS
1. configure terminal
3. interface type slot/port
4. xconnect peer-ip-address vc-id encapsulation l2tpv3 manual pw-class pw-class-name
5. l2tp id local-session-id remote-session-id
6. l2tp cookie local size low-value [ high-value ]
7. l2tp cookie remote size low-value [ high-value ]
8. l2tp hello l2tp-class-name

DETAILED STEPS

Example: Router(config-if)# xconnect 10.0.3.201 123 encapsulation l2tpv3 manual pw-class vlan-xconnect
Specifies the IP address of the peer PE router and the 32-bit virtual circuit identifier shared between the PE at each end of the control channel.
• The peer router ID (IP address) and virtual circuit ID must be a unique combination on the router.
• The encapsulation l2tpv3 manual parameter specifies that L2TPv3 is to be used as the pseudowire tunneling method, and enters xconnect configuration mode.
• The mandatory pw-class pw-class-name keyword and argument combination specifies the pseudowire class configuration from which the data encapsulation type (L2TPv3) will be taken.

Step 5 l2tp id local-session-id remote-session-id.

Note: This command assumes that there is no control plane to negotiate control channel parameters and that a control channel is to be used to provide keepalive support through an exchange of L2TP hello messages.
By default, no hello messages are sent.

Configuring the Xconnect Attachment Circuit for ATM VP Mode Single Cell Relay over L2TPv3

The ATM VP Mode Single Cell Relay over L2TPv3 feature allows cells coming into a predefined permanent virtual path (PVP) on the ATM interface to be transported over an L2TPv3 pseudowire to a predefined PVP on the egress ATM interface. This task binds a permanent virtual path (PVP) to an L2TPv3 pseudowire for Xconnect service.

SUMMARY STEPS
1. configure terminal
3. interface type slot/port
4. atm pvp vpi [ l2transport ]
5. xconnect peer-ip-address vcid pw-class pw-class-name

DETAILED STEPS

Example: Router(config-if)# xconnect 10.0.3.201 888 pw-class atm-xconnect
Specifies the IP address of the peer PE router and the 32-bit virtual circuit identifier shared between the PE at each end of the control channel.
• The peer router ID (IP address) and virtual circuit ID must be a unique combination on the router.
• pw-class pw-class-name: The pseudowire class configuration from which the data encapsulation type (L2TPv3) will be taken. The pw-class parameter binds the Xconnect statement to a specific pseudowire class. The pseudowire class then serves as the template configuration for all attachment circuits bound to it.

Configuration Examples for Layer 2 Tunnel Protocol Version 3

This section provides the following configuration examples.

Configuring Frame Relay DLCI-to-DLCI Switching Example

The following is a sample configuration for switching a Frame Relay DLCI over a pseudowire.

xconnect 10.0.3.201 666 pw-class fr-xconnect

Configuring Frame Relay Trunking Example

The following is a sample configuration for setting up a trunk connection for an entire serial interface over a pseudowire. All incoming packets are switched to the pseudowire regardless of content. Note that when you configure trunking for a serial interface, the trunk connection does not require an encapsulation method. You do not, therefore, need to enter the encapsulation frame-relay command. Reconfiguring the default encapsulation removes all Xconnect configuration settings from the interface.

xconnect 10.0.3.201 666 encapsulation l2tpv3 pw-class mqc

Configuring QoS for L2TPv3 on the Cisco 12000 Series Example

To apply a QoS policy for L2TPv3 to a Frame Relay interface on a Cisco 12000 Series 2-port Ch OC-3/STM-1 (DS1/E1) or 6-port Ch T3 line card, you must:
• Use the map-class frame-relay class-name command in global configuration mode to apply a QoS policy to a Frame Relay class of traffic.
• Use the frame-relay interface-dlci dlci-number switched command (in interface configuration mode) to enter Frame Relay DLCI interface configuration mode and then the class command to configure a QoS policy for a Frame Relay class of traffic on the specified DLCI.

You must enter a separate series of these configuration commands to configure QoS for each Frame Relay DLCI on the interface.

As shown in the following example, when you configure QoS for L2TPv3 on the ingress side of a Cisco 12000 Series Frame Relay interface, you must also configure the value of the ToS byte used in IP headers of tunneled packets when you configure the L2TPv3 pseudowire (see ). The following example shows the MQC commands and ToS byte configuration used on a Cisco 12000 Series router to apply a QoS policy for DLCI 100 on the ingress side of a Frame Relay interface configured for L2TPv3 tunneling.

To apply a QoS policy for L2TPv3 to the egress side of a Frame Relay interface on a Cisco 12000 Series 2-port Ch OC-3/STM-1 (DS1/E1) or 6-port Ch T3 line card, you must:
• Use the match ip precedence command in class-map configuration mode to configure the IP precedence value used to determine the egress queue for each L2TPv3 packet with a Frame Relay payload.
• Use the random-detect command in policy-map class configuration mode to enable a weighted random early detection (WRED) drop policy for a Frame Relay traffic class that has a bandwidth guarantee. Use the random-detect precedence command to configure the WRED and modified deficit round robin (MDRR) parameters for particular IP Precedence values.

The next example shows the MQC commands used on a Cisco 12000 Series Internet Router to apply a QoS policy with WRED/MDRR settings for specified IP Precedence values to DLCI 100 on the egress side of a Frame Relay interface configured for L2TPv3.

xconnect 10.10.10.10 3 pw-class mfr

Configuring a Static L2TPv3 Session for an Xconnect Ethernet Interface Example

L2TPv3 is the only encapsulation method that supports a manually provisioned session setup. This example shows how to configure a static session configuration in which all control channel parameters are set up in advance. There is no control plane used and no negotiation phase to set up the control channel. The PE router starts sending tunneled traffic as soon as the Ethernet interface (int e0/0) comes up. The virtual circuit identifier, 123, is not used. The PE sends L2TP data packets with session ID 111 and cookie 12345. In turn, the PE expects to receive L2TP data packets with session ID 222 and cookie 54321.
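The receive-side check that the static session above relies on, written in Python as an added example (not Cisco's code): with no control plane, the session ID and cookie in each data packet are the only things that tie it to the configured session, so anything that does not match is dropped. Assumptions: L2TPv3 carried directly over IP with no Layer 2-specific sublayer, the high-value word of an 8-byte cookie sent first, and hypothetical class and function names.

```python
"""Static L2TPv3-over-IP data header check (added example, constructed data)."""
import hmac
import struct
from dataclasses import dataclass
from typing import Optional


class Drop(Exception):
    """A received packet does not belong to the configured session."""


def cookie(size: int, low: int, high: Optional[int] = None) -> bytes:
    """Build a cookie from the 'size low-value [high-value]' arguments."""
    if size == 4 and high is None:
        return struct.pack("!I", low)
    if size == 8 and high is not None:
        # Assumption: high-value precedes low-value on the wire.
        return struct.pack("!II", high, low)
    raise ValueError("cookie is 4 bytes (low) or 8 bytes (low and high)")


@dataclass(frozen=True)
class StaticSession:
    local_id: int         # session ID the peer must use towards this PE
    remote_id: int        # session ID this PE uses towards the peer
    local_cookie: bytes   # cookie this PE expects to receive
    remote_cookie: bytes  # cookie this PE sends

    def encapsulate(self, frame: bytes) -> bytes:
        """Prefix the whole Ethernet frame with session ID and cookie."""
        return struct.pack("!I", self.remote_id) + self.remote_cookie + frame

    def decapsulate(self, packet: bytes) -> bytes:
        """Return the tunneled frame, or raise Drop if the header does not match."""
        need = 4 + len(self.local_cookie)
        if len(packet) < need:
            raise Drop("truncated header")
        (session_id,) = struct.unpack_from("!I", packet)
        if session_id != self.local_id:
            raise Drop("unknown session ID %d" % session_id)
        # Constant-time comparison so the check leaks nothing about the cookie.
        if not hmac.compare_digest(packet[4:need], self.local_cookie):
            raise Drop("cookie mismatch")
        return packet[need:]


def classify(session: StaticSession, packet: bytes) -> str:
    """Summarise what the receiving PE does with a packet."""
    try:
        session.decapsulate(packet)
        return "accept"
    except Drop as exc:
        return "drop: %s" % exc


# The PE in the example: sends ID 111 / cookie 12345, expects ID 222 / cookie 54321.
PE_A = StaticSession(222, 111, cookie(4, 54321), cookie(4, 12345))
# Its peer is assumed to be configured as the mirror image.
PE_B = StaticSession(111, 222, cookie(4, 12345), cookie(4, 54321))

# Constructed Ethernet frame: two MAC addresses, EtherType, payload.
FRAME = bytes.fromhex("02000000000b02000000000a0800") + b"constructed payload"

if __name__ == "__main__":
    wire = PE_A.encapsulate(FRAME)
    print(wire[:8].hex())
    print(classify(PE_B, wire))
    print(classify(PE_B, wire[:4] + cookie(4, 1) + wire[8:]))
    print(classify(PE_A, wire))
```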
l2tp hello l2tp-defaults

Configuring a Negotiated L2TPv3 Session for an Xconnect VLAN Subinterface Example

The following is a sample configuration of a dynamic L2TPv3 session for a VLAN Xconnect interface. In this example, only VLAN traffic with a VLAN ID of 5 is tunneled. In the other direction, the L2TPv3 session identified by a virtual circuit identifier of 123 receives forwarded frames whose VLAN ID fields are rewritten to contain the value 5. L2TPv3 is used as both the control plane protocol and the data encapsulation.

Command Reference

This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.
atm pvp

To create a permanent virtual path (PVP) used to multiplex (or bundle) one or more virtual circuits (VCs), use the atm pvp command in interface configuration mode. To remove a PVP, use the no form of this command.

atm pvp vpi [ peak-rate ] [ l2transport ]
no atm pvp vpi

Syntax Description

vpi: ATM network virtual path identifier (VPI) of the VC to multiplex on the permanent virtual path. The range is from 0 to 255. The VPI is an 8-bit field in the header of the ATM cell. The VPI value is unique only on a single link, not throughout the ATM network because it has local significance only. The VPI value must match that of the switch. The number specified for the vpi argument must not already exist. If the number specified for the vpi argument is already being used by an existing VC, this command is rejected.
peak-rate: (Optional) Maximum rate in kbps at which the PVP can send data. The range is 84 kbps to line rate. The default is the line rate.
l2transport: (Optional) Specifies that the PVP is for the Any Transport over MPLS (AToM) ATM cell relay feature or the ATM Cell Relay over L2TPv3 feature.

Defaults

PVP is not configured. The default peak rate is the line rate.

Command Modes

Interface configuration

Command History

Release: Modification
11.1: This command was introduced.
12.0(25)S: This command was updated to include the l2transport keyword.

Usage Guidelines

This command is commonly used to create a PVP that is used in multiplex circuit emulation service (CES) and data VCs. The ATM-CES port adapter supports multiplexing of one or more VCs over a virtual path that is shaped at a constant bandwidth. For example, you can buy a virtual path service from an ATM service provider and multiplex both the CES and data traffic over the virtual path.

All subsequently created VCs with a vpi argument matching the vpi value specified with the atm pvp command are multiplexed onto this PVP. This PVP connection is an ATM connection where switching is performed on the VPI field of the cell only. A PVP is created and left up indefinitely. All VCs that are multiplexed over a PVP share and are controlled by the traffic parameters associated with the PVP. Changing the peak-rate argument causes the ATM-CES port adapter to go down and then back up.

When you create a PVP, two VCs are created (VCI 3 and 4) by default. These VCs are created for VP end-to-end loopback and segment loopback operation, administration, and maintenance (OAM) support.

When you use the l2transport keyword with the atm pvp command, the command mode becomes the l2transport PVP submode. You must issue the l2transport keyword to configure the ATM cell relay over MPLS feature in port mode or to configure the ATM cell relay over L2TPv3 feature.

To verify the configuration of a PVP, use the show atm vp command in EXEC mode.

Examples

The following example creates a permanent virtual path with a peak rate of 2000 kbps. The subsequent VCs created are multiplexed onto this virtual path.
Command: Description
show atm vp: Displays the statistics for all VPs on an interface or for a specific VP.

authentication

To enable Layer 2 Tunnel Protocol Version 3 (L2TPv3) authentication, use the authentication command in L2TP class configuration mode. To disable L2TPv3 authentication, use the no form of this command.

authentication
no authentication

Syntax Description

This command has no arguments or keywords.

Defaults

L2TPv3 authentication is disabled.

Command Modes

L2TP class configuration

Command History

error: Displays errors that occur in protocol-independent conditions.
event: Displays events resulting from protocol-independent conditions.
l2x-errors: Displays errors that occur in protocol-specific conditions.
l2x-events: Displays events resulting from protocol-specific conditions.
l2x-packets: Displays detailed information about control packets in protocol-specific conditions.
packet: Displays information about high-level Layer 2 control packets.
packet detail: Displays detailed packet information, including packet dumps.
packet errors: Displays errors that occur in packet processing.

Command Modes

Privileged EXEC

Command History

Command: Description
debug acircuit: Displays events and failures related to attachment circuits.
debug vpdn: Displays errors and events relating to L2TP configuration and the surrounding Layer 2 tunneling infrastructure.

encapsulation l2tpv3

To specify that Layer 2 Tunnel Protocol Version 3 (L2TPv3) is used as the data encapsulation method for tunneling IP traffic over the pseudowire, use the encapsulation l2tpv3 command in pseudowire class or VC class configuration mode. To remove L2TPv3 as the encapsulation method, use the no pseudowire-class command (see the Usage Guidelines for more information).

encapsulation l2tpv3
no pseudowire-class

Syntax Description

This command has no arguments or keywords.

Command Default

No encapsulation method is specified.

Command Modes

Pseudowire class configuration
VC class configuration

Command History

Release: Modification
12.0(23)S: This command was introduced.
12.3(2)T: This command was integrated into Cisco IOS Release 12.3(2)T.
12.2(25)S: This command was integrated into Cisco IOS Release 12.2(25)S.
12.2(27)SBC: Support for this command was integrated into Cisco IOS Release 12.2(27)SBC.

Usage Guidelines

This command must be configured if the pseudowire class will be referenced from an Xconnect configured to forward L2TPv3 traffic. Once you specify the encapsulation l2tpv3 command, you cannot remove it using the no encapsulation l2tpv3 command. Nor can you change the command's setting using the encapsulation mpls command. Those methods result in the following error message.

Command: Description
encapsulation mpls: Configures MPLS as the data encapsulation method over AToM-enabled IP/MPLS networks.
pseudowire-class: Specifies the name of an L2TP pseudowire class and enters pseudowire class configuration mode.

hello

To configure the interval used to exchange hello keepalive packets in a Layer 2 Tunnel Protocol Version 3 (L2TPv3) control channel, use the hello command in L2TP class configuration mode. To disable the sending of hello keepalive packets, use the no form of this command.
hello interval
no hello interval

Syntax Description

Command: Description
l2tp-class: Creates a template of L2TP control plane configuration settings that can be inherited by different pseudowire classes and enters L2TP class configuration mode.

hidden

To hide the attribute-value pair (AVP) values in Layer 2 Tunneling Protocol (L2TP) control messages, use the hidden command in L2TP class configuration mode. To unhide AVPs, use the no form of this command.

hidden
no hidden

Syntax Description

This command has no arguments or keywords.

Defaults

L2TP AVP hiding is disabled.

Command Modes

L2TP class configuration

Command History

Release: Modification
12.0(23)S: This command was introduced.

Usage Guidelines

Use the hidden command to provide additional security for the exchange of control messages between provider edge routers in a Layer 2 Tunnel Protocol Version 3 (L2TPv3) control channel. Because username and password information is exchanged between devices in clear text, it is useful to encrypt L2TP AVP values with the hidden command.

Examples

The following example enables AVP hiding and encrypts AVPs in control messages in L2TPv3 pseudowires configured using the L2TP class configuration named l2tp class1.
Command: Description
ip local interface: Configures the IP address of the PE router interface to be used as the source IP address for sending tunneled packets.
l2tp-class: Creates a template of L2TP control plane configuration settings that can be inherited by different pseudowire classes and enters L2TP class configuration mode.

ip dfbit set

To enable the Don't Fragment (DF) bit in the outer Layer 2 Tunnel Protocol Version 3 (L2TPv3) header, use the ip dfbit set command in pseudowire class configuration mode. To disable the DF bit setting, use the no form of this command.

ip dfbit set
no ip dfbit set

Syntax Description

This command has no arguments or keywords.

Defaults

The default value is DF bit off, except for Cisco 12000 series Internet routers, which have this command enabled by default.

Command Modes

Pseudowire class configuration

Command History

Release: Modification
12.0(23)S: This command was introduced.

Usage Guidelines

Use the same local interface name for all pseudowire classes configured between a pair of PE routers. It is highly recommended that a loopback interface is configured with this command. If you do not configure a loopback interface, the router will choose the 'best available local address,' which could be any IP address configured on a core-facing interface. This configuration could prevent a control channel from being established. The ip local interface command must be configured for pseudowire class configurations using L2TPv3 as the data encapsulation method.

Note: On Cisco 12000 series Internet routers, the interface configured with the ip local interface command must be a loopback interface. On the Cisco 10720 Internet Router, it is highly recommended that you configure a loopback interface as the IP local interface. A LAN interface is also supported as the IP local interface. Multiple L2TPv3 tunnel sessions can exist between Cisco 10720 Internet routers on different IP LANs.

Examples

The following example shows how to configure the IP address of the local Ethernet interface named e0/0 as the source IP address for sending Ethernet packets through an L2TPv3 session.

Command: Description
pseudowire-class: Specifies the name of an L2TP pseudowire class and enters pseudowire class configuration mode.

ip pmtu

To enable the discovery of a path maximum transmission unit (PMTU) for Layer 2 Tunnel Protocol Version 3 (L2TPv3) traffic, use the ip pmtu command in pseudowire class configuration mode.
To disable PMTU discovery, use the no form of this command.

ip pmtu
no ip pmtu

Syntax Description

This command has no arguments or keywords.

Defaults

Path MTU discovery is disabled.

Command Modes

Pseudowire class configuration

Command History

Release: Modification
12.0(23)S: This command was introduced.

Usage Guidelines

The ip pmtu command enables the processing of Internet Control Message Protocol (ICMP) unreachable messages that indicate fragmentation errors in the IP backbone network carrying the tunneled traffic. The MTU of the L2TPv3 session is updated according to the MTU information contained in the ICMP unreachable message.

The ip pmtu command also enables MTU checking for IP packets that are sent into an L2TPv3 session with the Don't Fragment (DF) bit set. If an IP packet is larger than the MTU of the tunnel, the packet is dropped and an ICMP unreachable message is sent. If an IP packet is smaller than the MTU of the tunnel, the DF bit in the packet header is reflected from the inner IP header to the tunnel header.

Examples

The following example shows how to enable the discovery of the path MTU for pseudowires created from the pseudowire class named ether-pw.
Note: IP ToS byte reflection functions only if traffic in an L2TPv3 session carries IP packets as its payload.

In addition, you can configure both IP ToS reflection and a ToS priority level (from 0 to 255) for a pseudowire class. In this case, the ToS value in the tunnel header defaults to the value you specify with the ip tos value value command. IP packets received on the Layer 2 interface and encapsulated into the L2TPv3 session have their ToS byte reflected into the outer IP session, overriding the default value configured with the ip tos value value command.

Examples

The following example shows how to configure the ToS byte in the headers of tunneled packets in L2TPv3 tunnels created from the pseudowire class named ether-pw to be reflected from the ToS value in the header of each encapsulated IP packet.

Release: Modification
12.0(23)S: This command was introduced.

Usage Guidelines

The l2tp-class l2tp-class-name command allows you to configure an L2TP class template that consists of configuration settings used by different pseudowire classes. An L2TP class includes the following configuration settings:
• Host name of local router used during L2TPv3 authentication
• Authentication enabled
• Time interval used to exchange hello packets
• Password used for control channel authentication
• Packet size of receive window
• Retransmission settings for control packets
• Time allowed to set up a control channel

The l2tp-class command enters L2TP class configuration mode, where L2TP control plane parameters are configured. You must use the same L2TP class in the pseudowire configuration at both ends of an L2TPv3 control channel.

Examples

The following example shows how to enter L2TP class configuration mode to create an L2TP class configuration template for the class named ether-pw.

Command: Description
protocol l2tpv3: Specifies that L2TPv3 is the signaling protocol to be used to manage the pseudowires created from a pseudowire class for a dynamic L2TPv3 session, and that control plane configuration settings are to be taken from the specified L2TP class.
pseudowire-class: Specifies the name of an L2TP pseudowire class and enters pseudowire class configuration mode.
xconnect: Binds an attachment circuit to an L2TPv3 pseudowire for Xconnect service and enters xconnect configuration mode.

l2tp cookie local

To configure the size of the cookie field used in the Layer 2 Tunnel Protocol Version 3 (L2TPv3) headers of incoming packets received from the remote provider edge (PE) peer router, use the l2tp cookie local command in xconnect configuration mode. To remove the configured cookie field parameters, use the no form of this command.
l2tp cookie local size low-value [ high-value ]
no l2tp cookie local size low-value [ high-value ]

Syntax Description

Release: Modification
12.0(23)S: This command was introduced.

Usage Guidelines

The l2tp cookie local command specifies the values that the peer PE router includes in the cookie field in L2TPv3 headers of the packets it sends to the local PE router through an L2TPv3 session. These values are required in a static L2TPv3 session. The cookie field is an optional part of an L2TPv3 header with a length of either 4 or 8 bytes. If you specify an 8-byte length, you must also enter a value for the high-value argument.

Release: Modification
12.0(23)S: This command was introduced.

Usage Guidelines

The l2tp cookie local command specifies the values that the local PE router includes in the cookie field in L2TPv3 headers of the packets it sends to the remote PE router through an L2TPv3 session. These values are required in a static L2TPv3 session. The cookie field is an optional part of an L2TPv3 header with a length of either 4 or 8 bytes. If you specify an 8-byte length, you must also enter a value for the high-value argument.

Examples

The following example shows how to configure the cookie field of 4 bytes starting at 12345 for the L2TPv3 headers in outgoing tunneled packets sent to the remote PE peer.

Command: Description
l2tp cookie local: Configures the size of the cookie field used in the L2TPv3 headers of incoming (received) packets from the remote PE peer router.
l2tp hello: Configures the interval used between sending hello keepalive messages.
l2tp id: Configures the IDs used by the local and remote PE routers at each end of an L2TPv3 session.
xconnect: Binds an attachment circuit to an L2TPv3 pseudowire for Xconnect service and enters xconnect configuration mode.

l2tp hello

To specify the use of a hello keepalive setting contained in a specified Layer 2 Tunneling Protocol class configuration for a static Layer 2 Tunnel Protocol Version 3 (L2TPv3) session, use the l2tp hello command in xconnect configuration mode. To disable the sending of hello keepalive messages, use the no form of this command.

l2tp hello l2tp-class-name
no l2tp hello l2tp-class-name

Syntax Description

Release: Modification
12.0(23)S: This command was introduced.

Usage Guidelines

Because a static L2TPv3 session does not use a control plane to dynamically negotiate control channel parameters, you must use the l2tp hello command to specify an L2TP class configuration that contains the interval for sending hello keepalive messages.

The following example shows how to configure the time interval for hello keepalive messages stored in the L2TP class configuration named l2tp-defaults for an Ethernet interface using the configuration settings stored in the pseudowire class named ether-pw.

Command: Description
l2tp cookie local: Configures the size of the cookie field used in the L2TPv3 headers of incoming (received) packets from the remote PE peer router.
l2tp cookie remote: Configures the size of the cookie field used in the L2TPv3 headers of outgoing (transmitted) packets from the remote PE peer router.
l2tp id: Configures the IDs used by the local and remote PE routers at each end of an L2TPv3 session.
xconnect: Binds an attachment circuit to an L2TPv3 pseudowire for Xconnect service and enters xconnect configuration mode.

l2tp id

To configure the identifiers used by the local and remote provider edge routers at each end of a Layer 2 Tunnel Protocol Version 3 (L2TPv3) session, use the l2tp id command in Xconnect configuration mode. To remove the configured identifiers for local and remote sessions, use the no form of this command.

l2tp id local-session-ID remote-session-ID
no l2tp id local-session-ID remote-session-ID

Syntax Description

Release: Modification
12.0(23)S: This command was introduced.

Usage Guidelines

The Xconnect configuration that binds an attachment circuit to an L2TPv3 pseudowire is not complete without configured values for the local-session-ID and remote-session-ID arguments.

Examples

The following example shows how to configure the identifiers named 222 for the local PE router and 111 for the remote peer in an L2TPv3 session bound to an Ethernet circuit using the L2TPv3 configuration settings stored in the pseudowire class named ether-pw.

Command: Description
l2tp cookie local: Configures the size of the cookie field used in the L2TPv3 headers of incoming (received) packets from the remote PE peer router.
l2tp cookie remote: Configures the size of the cookie field used in the L2TPv3 headers of outgoing (transmitted) packets from the remote PE peer router.
l2tp hello: Configures the interval used between sending hello keepalive messages.
xconnect: Binds an attachment circuit to an L2TPv3 pseudowire for Xconnect service and enters xconnect configuration mode.

password

To configure the password used by a provider edge (PE) router for Layer 2 Tunnel Protocol Version 3 (L2TPv3) authentication, use the password command in L2TP class configuration mode. To disable a configured password, use the no form of this command.

password [ encryption-type ] password
no password [ encryption-type ] password

Syntax Description.
encryption-type: (Optional) Specifies the type of encryption to use. The valid values are from 0 to 7. Currently defined encryption types are 0 (no encryption) and 7 (text is encrypted using an algorithm defined by Cisco).
password: Specifies the password used for L2TPv3 authentication.

Defaults
If a password is not configured for the L2TP class with the password command, the password configured with the username password command in global configuration mode is used.

Command Modes
L2TP class configuration

Command History.
Modification 12.0(23)S This command was introduced.

Usage Guidelines
The password that you define with the password command is also used for attribute-value pair (AVP) hiding. The password hierarchy sequence used for a local and remote peer PE for L2TPv3 authentication is as follows:
• The L2TPv3 password (configured with the password command) is used first.
• If no L2TPv3 password exists, the globally configured password (configured with the username password command) for the router is used.

Examples
The following example sets the password named tunnel2 to be used to authenticate an L2TPv3 session between the local and remote peers in L2TPv3 pseudowires configured with the L2TP class configuration named l2tp class1.

l2tpv3: Specifies that L2TPv3 signaling protocol will be used in L2TPv3 sessions.
none: Specifies that no signaling protocol will be used in L2TPv3 sessions.
l2tp-class-name: (Optional) The name of the L2TP class whose control plane configuration is to be used for pseudowires in dynamic L2TPv3 sessions set up from a specified pseudowire class.

Defaults
The default protocol option is l2tpv3. If you do not enter a value for the l2tp-class-name argument, the default control plane configuration settings in the L2TP signaling protocol are used.

Command Modes
Pseudowire class configuration

Command History.
Modification 12.0(23)S This command was introduced.

Usage Guidelines
Use the protocol l2tpv3 command to configure L2TPv3 as the signaling protocol to use in dynamic L2TPv3 sessions created from the specified pseudowire class. In addition, you can use this command to specify the L2TP class (see the section ') from which the control plane configuration settings are to be taken for use in a dynamic L2TPv3 session.

Use the protocol none command to specify that no signaling will be used in L2TPv3 sessions created from the specified pseudowire class. This configuration is required for interoperability with a remote peer running the Universal Tunnel Interface (UTI). Do not use the command if you want to configure a pseudowire class used to create manual L2TPv3 sessions (see the section ').

Examples
The following example shows how to enter pseudowire configuration mode, and how to configure L2TPv3 as the signaling protocol. The control plane configuration used in the L2TP class named class1 will be used to create dynamic L2TPv3 sessions for a VLAN Xconnect interface.

Modification 12.0(23)S This command was introduced.

Usage Guidelines
The pseudowire-class command allows you to configure a pseudowire class template that consists of configuration settings used by all attachment circuits bound to the class. A pseudowire class includes the following configuration settings:
• Data encapsulation type
• Control protocol
• Sequencing
• IP address of the local L2TPv3 interface
• Type of Service (ToS) value in IP headers
After you enter the pseudowire-class command, you switch to pseudowire class configuration mode, where pseudowire settings may be configured.

Examples
The following example shows how to enter pseudowire class configuration mode to configure a pseudowire configuration template named ether-pw.

Description
l2tp-class: Creates a template of L2TP control plane configuration settings that can be inherited by different pseudowire classes and enters L2TP class configuration mode.
xconnect: Binds an attachment circuit to an L2TPv3 pseudowire for Xconnect service and enters xconnect configuration mode.

receive-window

To configure the packet size of the receive window on the remote provider edge router at the other end of a Layer 2 Tunnel Protocol Version 3 (L2TPv3) control channel, use the receive-window command in L2TP class configuration mode. To disable the configured value, use the no form of this command.

receive-window size
no receive-window size

Syntax Description.

Modification 12.0(23)S This command was introduced.

Usage Guidelines
When you enable sequencing using any of the available options, L2TPv3 automatically enables the sending of sequence numbers and requests the remote provider edge (PE) peer to send sequence numbers. Out-of-order packets received on the pseudowire are dropped only if you use the sequencing receive or sequencing both command.

In Cisco IOS Release 12.0(23)S, sequencing is not supported on the Cisco 10720 Internet router and the Cisco 12000 series Internet routers. If the L2TPv3 peer router requests sequence numbers for an L2TPv3 session configured on a Cisco 10720 Internet router or Cisco 12000 series Internet router, the request to establish the session is denied. If sequencing is enabled for L2TPv3 pseudowires on the Cisco 7500 series, all traffic on the pseudowires is switched through the Route Switch Processor (RSP) regardless of the setting configured with the ip cef distributed command.

Examples
The following example shows how to enable sequencing in data packets in L2TPv3 pseudowires created from the pseudowire class named ether-pw so that the Sequence Number field is updated in tunneled packet headers for data packets both sent and received over the pseudowire.

Description
pseudowire-class: Specifies the name of an L2TP pseudowire class and enters pseudowire class configuration mode.

show l2tun session

To display the current state of a Layer 2 session and display protocol information about a Layer 2 Tunnel Protocol Version 3 (L2TPv3) control channel, use the show l2tun session command in EXEC mode.

show l2tun session [ all [ ip-addr ip-address [ vcid number ] vcid number ] brief [ ip-addr ip-address [ vcid number ] vcid number ] circuit [ ip-addr ip-address [ vcid number ] vcid number ] l2tp [ ip-addr ip-address [ vcid number ] vcid number ] packets [ ip-addr ip-address [ vcid number ] vcid number ] sequence [ ip-addr ip-address [ vcid number ] vcid number ] state [ ip-addr ip-address [ vcid number ] vcid number ]]

Syntax Description.
all: (Optional) Displays information about all current L2TPv3 sessions on the router.
ip-addr ip-address: (Optional) IP address of interface of the peer provider edge (PE) router on which one or more L2TPv3 sessions have been configured. Specifies the IP address of the peer PE router and the 32-bit virtual circuit identifier shared between the PE at each end of the control channel. The peer router ID (IP address) and virtual circuit identifier must be a unique combination on the router.
vcid number: (Optional) 32-bit virtual circuit identifier shared between the peer PE and the local router at each end of the control channel.
brief: (Optional) Displays information about all current L2TPv3 sessions, including peer ID address and circuit status of the L2TPv3 sessions.
circuit: (Optional) Displays information about all current L2TPv3 sessions, including circuit status (up or down).
l2tp: (Optional) Displays information about L2TP for all current L2TPv3 sessions.
packets: (Optional) Displays information about the packet counters (in and out) associated with current L2TPv3 sessions.
sequence: (Optional) Displays sequencing information about each L2TPv3 session, including number of out-of-order and returned packets.
state: (Optional) Displays information about all current L2TPv3 sessions and their protocol state, including remote virtual circuit identifiers.

Command Modes
EXEC

Command History.
Modification 12.0(23)S This command was introduced.

Usage Guidelines
When you use the show l2tun session command to display information about current L2TPv3 sessions on the router, you can filter the output as follows:
• To filter the output to include only L2TPv3 sessions set up for a specific IP address, enter ip-addr ip-address in the command.
• To filter the output to include only the L2TPv3 session that matches the specified remote IP address and virtual circuit identifier, enter ip-addr ip-address vcid number in the command.
• To filter the output to include only L2TPv3 sessions set up for a specific IP address, enter vcid number in the command.

Examples
The following example shows how to display detailed information about all current L2TPv3 sessions.

Description
show l2tun tunnel: Displays the current state of an L2TPv3 session and displays information about currently configured sessions, including local and remote L2TP host names, aggregate packet counts, and L2TP control channels.

show l2tun tunnel

To display the current state of a Layer 2 Tunnel Protocol Version 3 (L2TPv3) session and display information about currently configured sessions, including local and remote L2TP host names, aggregate packet counts, and L2TP control channels, use the show l2tun tunnel command in EXEC mode.
show l2tun tunnel [all [id identifier local-name local-name remote-name remote-name remote-name local-name ] packets [id identifier local-name local-name remote-name remote-name remote-name local-name ] state [id identifier local-name local-name remote-name remote-name remote-name local-name ] summary [id identifier local-name local-name remote-name remote-name remote-name local-name ] transport [id identifier local-name local-name remote-name remote-name remote-name local-name ]]

Syntax Description.
all: (Optional) Displays information about all current L2TP sessions configured on the router.
id identifier: (Optional) Specifies the local tunnel ID number.
local-name local-name remote-name: (Optional) Specifies the local and remote names used in the L2TPv3 session.
remote-name remote-name local-name: (Optional) Specifies the remote and local names used in the L2TPv3 session.
packets: (Optional) Displays aggregate packet counts for all negotiated L2TPv3 sessions.
state: (Optional) Displays information about the current state of L2TPv3 sessions, including the local and remote host names for each control channel.
summary: (Optional) Displays a summary of L2TP sessions on the router and their current state, including the number of virtual private dialup network (VPDN) sessions associated with each control channel.
transport: (Optional) Displays information about the L2TP control channels used in each session and the local and remote IP addresses at each end of the control channel.

Command Modes
EXEC

Command History.
Modification 12.0(23)S This command was introduced.

Usage Guidelines
When you use the show l2tun tunnel command to display information about configured L2TP sessions on the router, you can filter the output as follows:
• To filter the output to include only L2TP sessions set up using the local tunnel ID, enter id identifier in the command.
• To filter the output to include only the L2TP session that matches the specified local IP name and remote name, enter either local-name local-name remote-name or remote-name remote-name local-name in the command.

Examples
The following example shows how to display detailed information about all currently configured L2TP sessions.

Description
show l2tun session: Displays the current state of a Layer 2 session and displays protocol information about an L2TPv3 control channel.

snmp-server enable traps l2tun session

To enable Simple Network Management Protocol (SNMP) notifications (traps or inform requests) for Layer 2 Tunnel Protocol Version 3 (L2TPv3) sessions, use the snmp-server enable traps l2tun session command in global configuration mode. To disable SNMP notifications, use the no form of this command.

snmp-server enable traps l2tun session
no snmp-server enable traps l2tun session

Syntax Description
This command has no arguments or keywords.

Defaults
This command is disabled by default.
Command Modes
Global configuration

Command History.
Modification 12.0(23)S This command was introduced.

Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests for L2TP sessions. To specify whether the notifications should be sent as traps or informs, use the snmp-server host [traps | informs] command.

If you do not enter the snmp-server enable traps l2tun session command, no notifications are sent. The snmp-server enable traps l2tun session command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications.

Examples
The following example enables the router to send L2TP session traps to the host specified by the name myhost.cisco.com, using the community string defined as public.

Description
snmp-server host: Specifies whether you want the SNMP notifications sent as traps or informs, the version of SNMP to use, the security level of the notifications (for SNMPv3), and the recipient (host) of the notifications.

timeout setup

To configure the amount of time allowed to set up a control channel with a remote provider edge (PE) router at the other end of a Layer 2 Tunnel Protocol Version 3 (L2TPv3) pseudowire, use the timeout setup command in L2TP class configuration mode. To disable the configured value, use the no form of this command.

timeout setup seconds
no timeout setup seconds

Syntax Description.

Note If the remote router is a Cisco 12000 series Internet router, the peer-ip-address argument must specify a loopback address on that router.

The same vcid value that identifies the attachment circuit must be configured using the xconnect command on the local and remote PE router at each end of an L2TPv3 session.
The virtual circuit identifier creates the binding between a pseudowire and an attachment circuit.

To manually configure the L2TP settings used in the attachment circuit, enter encapsulation l2tpv3 manual in the xconnect command. This configuration is called a static L2TPv3 session. The router is placed in xconnect configuration mode and you can then configure the following options:
• Local and remote session identifiers (using the l2tp id command) for local and remote PE routers at each end of the session.
• Size of the cookie field used in the L2TPv3 headers of incoming (sent) packets from the remote PE peer router (using the l2tp cookie local command).
• Size of the cookie field used in the L2TPv3 headers of outgoing (received) L2TP data packets (using the l2tp cookie remote command).
• Interval used between sending hello keepalive messages (using the l2tp hello command).
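The password encryption types and the static-session options described above can be checked mechanically when reviewing a router configuration. The following Python code is an added example, not part of the original command reference: it flags L2TP class passwords stored as type 0 or type 7 and static sessions that lack l2tp id or either cookie. It assumes show running-config style indentation (one more space per sub-mode); the sample configuration is constructed, and the function names are hypothetical.

```python
# Constructed sample (not from the page); address, VC ID, cookie and type 7 string are placeholders.
SAMPLE_CONFIG = """\
l2tp-class class1
 password 0 tunnel2
l2tp-class l2tp-defaults
 password 7 PLACEHOLDER
interface Ethernet0/0
 xconnect 192.0.2.1 123 encapsulation l2tpv3 manual pw-class ether-pw
  l2tp id 222 111
  l2tp cookie local 4 54321
  l2tp hello l2tp-defaults
"""

# Sub-commands expected under a static session (cookie reasons follow RFC 3931, not the page).
STATIC_REQUIRED = [
    ("l2tp id", "session is incomplete without local and remote IDs"),
    ("l2tp cookie local", "received packets are matched on session ID alone"),
    ("l2tp cookie remote", "sent packets carry no cookie for the peer to check"),
]

def blocks(config):
    """Yield (header, [(indent, text), ...]) for each top-level block."""
    header, body = None, []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if not raw[0].isspace():
            if header is not None:
                yield header, body
            header, body = text, []
        else:
            body.append((len(raw) - len(raw.lstrip()), text))
    if header is not None:
        yield header, body

def audit_l2tp_class(header, body):
    name = (header.split() + ["(unnamed)"])[1]
    out = []
    for words in (t.split() for _, t in body if t.startswith("password ")):
        # Syntax on the page: password [encryption-type] password
        enc = int(words[1]) if len(words) > 2 and words[1].isdigit() else 0
        if enc == 0:
            out.append(f"l2tp-class {name}: type 0 password (no encryption)")
        elif enc == 7:  # reversible encoding (general IOS knowledge, not from the page)
            out.append(f"l2tp-class {name}: type 7 password is reversible")
    return out

def audit_static_sessions(header, body):
    out = []
    for i, (indent, text) in enumerate(body):
        if not text.startswith("xconnect ") or "l2tpv3 manual" not in text:
            continue
        sub = []  # sub-commands are the deeper-indented lines that follow
        for sub_indent, sub_text in body[i + 1:]:
            if sub_indent <= indent:
                break
            sub.append(sub_text)
        for needed, why in STATIC_REQUIRED:
            if not any(s.startswith(needed) for s in sub):
                out.append(f"{header}: static session lacks '{needed}': {why}")
    return out

def audit(config):
    findings = []
    for header, body in blocks(config):
        if header.startswith("l2tp-class"):
            findings += audit_l2tp_class(header, body)
        elif header.startswith("interface "):
            findings += audit_static_sessions(header, body)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

A password line with no encryption-type argument is treated as type 0, matching the optional syntax shown in the password command description.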
For more information about configuring static L2TPv3 sessions, see the section '.'

If you do not enter encapsulation l2tpv3 manual in the xconnect command, the data encapsulation type for the L2TPv3 session is taken from the encapsulation type configured for the pseudowire class specified with the pw-class pw-class-name command (see the section ' '). The pw-class pw-class-name value binds the Xconnect configuration of an attachment circuit to a specific pseudowire class. In this way, the pseudowire class configuration serves as a template that contains settings used by all attachment circuits bound to it with the xconnect command.

Description
l2tp-class: Configures a template of L2TP control plane configuration settings that can be inherited by different pseudowire classes.
l2tp cookie local: Configures the size of the cookie field used in the L2TPv3 headers of incoming packets received from the remote PE peer router.
l2tp cookie remote: Configures the size of the cookie field used in the L2TPv3 headers of outgoing packets sent from the local PE peer router.
l2tp hello: Specifies the use of a hello keepalive setting contained in a specified L2TP class configuration for a static L2TPv3 session.
l2tp id: Configures the identifiers used by the local and remote provider edge routers at each end of an L2TPv3 session.
pseudowire-class: Configures a template of pseudowire configuration settings used by the attachment circuits transported over a pseudowire.

Glossary

AVPs—attribute-value pairs.
BECN—backward explicit congestion notification. Bit set by a Frame Relay network in frames traveling in the opposite direction of frames encountering a congested path. DTE receiving frames with the BECN bit set can request that higher-level protocols take flow control action as appropriate.
CE—customer edge (Frame Relay switch or user device).
CIR—committed information rate. Rate at which a Frame Relay network agrees to transfer information under normal conditions, averaged over a minimum increment of time. CIR, measured in bits per second, is one of the key negotiated tariff metrics.
Data-link control layer—Layer 2 in the SNA architectural model. Responsible for the transmission of data over a particular physical link. Corresponds approximately to the data link layer of the OSI model.
DCE—data circuit-terminating equipment (ITU-T expansion). Devices and connections of a communications network that comprise the network end of the user-to-network interface.
DCEF—distributed Cisco Express Forwarding.
DLCI—data-link connection identifier. A unique number assigned to a PVC endpoint in a Frame Relay network. Identifies a particular PVC endpoint within an access channel in a Frame Relay network and has local significance only to that channel.
DTE—data terminal equipment. Device at the user end of a user-network interface that serves as a data source, destination, or both.
FECN—forward explicit congestion notification. Bit set by a Frame Relay network to inform DTE receiving the frame that congestion was experienced in the path from source to destination. DTE receiving frames with the FECN bit set can request that higher-level protocols take flow-control action as appropriate.
HDLC—High-Level Data Link Control. A generic link-level communications protocol developed by the International Organization for Standardization (ISO). HDLC manages synchronous, code-transparent, serial information transfer over a link connection.
ICMP—Internet Control Message Protocol. A network protocol that handles network errors and error messages.
IDB—interface descriptor block.
IS-IS—Intermediate System-to-Intermediate System. OSI link-state hierarchical routing protocol based on DECnet Phase V routing, whereby ISs (routers) exchange routing information based on a single metric to determine network topology.
L2TP—An extension to PPP merging features of two tunneling protocols: Layer 2 Forwarding (L2F) from Cisco Systems and Point-to-Point Tunneling (PPTP) from Microsoft. L2TP is an Internet Engineering Task Force (IETF) standard endorsed by Cisco Systems and other networking industry leaders.
L2TPv3—Draft version of L2TP that enhances functionality in RFC 2661 (L2TP).
LMI—Local Management Interface.
MPLS—Multiprotocol Label Switching. Switching method that forwards IP traffic using a label. This label instructs the routers and the switches in the network where to forward the packets based on preestablished IP routing information.
MQC—modular quality of service command-line interface.
MTU—maximum transmission unit. Maximum packet size, in bytes, that a particular interface can handle.
NNI—Network-to-Network Interface. ATM Forum standard that defines the interface between two ATM switches that are both located in a private network or are both located in a public network. The UNI standard defines the interface between a public switch and a private one. Also, the standard interface between two Frame Relay switches meeting the same criteria.
PE—Provider edge router providing Frame Relay over L2TPv3 functionality.
PPP—Point-to-Point Protocol. A link-layer encapsulation method for dialup or dedicated circuits. A successor to Serial Line IP (SLIP), PPP provides router-to-router and host-to-network connections over synchronous and asynchronous circuits.
PVC—permanent virtual circuit. A virtual circuit that is permanently established. A Frame Relay logical link, whose endpoints and class of service are defined by network management. Analogous to an X.25 permanent virtual circuit, a PVC consists of the originating Frame Relay network element address, originating data-link control identifier, terminating Frame Relay network element address, and termination data-link control identifier. Originating refers to the access interface from which the PVC is initiated. Terminating refers to the access interface at which the PVC stops. Many data network customers require a PVC between two points. PVCs save bandwidth associated with circuit establishment and tear down in situations where certain virtual circuits must exist all the time. Data terminating equipment with a need for continuous communication uses PVCs.
SNMP—Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP networks. SNMP provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.
Tunneling—Architecture that is designed to provide the services necessary to implement any standard point-to-point encapsulation scheme.
UNI—User-Network Interface.
UTI—Universal Transport Interface.
VPDN—virtual private dialup network. A network that allows separate and autonomous protocol domains to share common access infrastructure, including modems, access servers, and ISDN routers. A VPDN enables users to configure secure networks that take advantage of ISPs that tunnel remote access traffic through the ISP cloud.
WAN—wide-area network. Data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers. Frame Relay, SMDS, and X.25 are examples of WANs.