
We have two Cisco 871 routers: one is in the datacenter with a fixed IP address, the other is at our office with a changing IP address (DSL with PPPoE).

How do I build an L2 VPN for this scenario?

I have checked L2TPv3, and it seems it cannot handle a changing IP. We also cannot afford VPLS because we don't have an MPLS backbone network.

Any suggestion is appreciated.

haohaolee
  • Get a static IP at your office and use L2TPv3. – Chris S Oct 19 '14 at 14:43
  • @ChrisS Static IP is expensive. It would be our last resort. Thanks – haohaolee Oct 19 '14 at 14:45
  • It's probably going to be your only option if you want to use L2TP. You can do an IPsec site-to-site with the connection initiated from the dynamic side and the peer IP set to 0.0.0.0 at the static side. – Rex Oct 19 '14 at 14:56
  • @Rex We don't limit ourselves to L2TP, but we don't know other options either. For the IPsec way, can you please elaborate on it? – haohaolee Oct 19 '14 at 15:03
  • L2TP and IPsec are the same for the purposes of this discussion. L2TP is the connection and routing protocol, IPsec is the encryption and authentication; they work together to provide a whole VPN solution in this case. – Chris S Oct 19 '14 at 19:20
  • Like @ChrisS states, you need to use L2TPv3. If you want to severely impact your MTU you can move the encryption to a different device and set up an L3 tunnel (that supports dynamic IP) there, then use internal addressing to form your L2TP connection. Otherwise, if it's a business requirement, just pay for the static IP. – cpt_fink Oct 20 '14 at 03:48
  • @cpt_fink Thank you. I totally got what you meant; actually I had the idea of setting up a DMVPN (mGRE) tunnel and then setting up an L2VPN on top of that, which I thought had too much overhead too. – haohaolee Oct 20 '14 at 04:38
  • @cpt_fink I have another question: if I choose to deploy L2TPv3, how can I get the loopback interfaces routable? Because L2TPv3 needs the source to be a loopback, and loopback interfaces are normally set up with a private IP address like 10.x.x.x. – haohaolee Oct 20 '14 at 04:43
  • No problem. The one thing to be concerned about with L2 tunneling is you have no way to fragment the packet or send a 'packet too big' error message, so all hosts (including gateway) on the L2 segment must be configured with the smaller MTU. – cpt_fink Oct 20 '14 at 04:45
  • Don't use a loopback as your tunnel source unless using the separate encryption device? The outside IP would work as a tunnel endpoint, since the site will be down if you lose the circuit a loopback doesn't gain you anything. – cpt_fink Oct 20 '14 at 04:47
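As an added illustration of the IPsec approach Rex describes (a dynamic crypto map on the static datacenter side, tunnel initiated by the office), not configuration from the thread or from either poster: the crypto ACL protects only loopback-to-loopback traffic, and reverse-route injection on the datacenter side installs the route to the office loopback once the SA comes up, which is how the private loopbacks become reachable for the L2TPv3 pseudowire. All addresses, interface names, the VC ID and the key are assumed placeholders, and whether the 871's IOS image supports L2TPv3 xconnect on its LAN ports is not confirmed by the thread.

```cisco
! ---- Datacenter router (static public IP 203.0.113.1, assumed) ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! Wildcard peer address because the office IP is not known in advance;
! anyone holding this key can start phase 1, so use a long random key.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
! Reverse-route injection adds a /32 route to the office loopback when the SA comes up.
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
crypto map CM 10 ipsec-isakmp dynamic DYN
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface FastEthernet4
 ip address 203.0.113.1 255.255.255.248
 crypto map CM
!
! ---- Office router (PPPoE, dynamic public IP) ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
! Only loopback-to-loopback traffic (the L2TPv3 control and data packets) is protected.
access-list 101 permit ip host 10.255.0.2 host 10.255.0.1
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 101
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
interface Dialer1
 crypto map CM
! Send the datacenter loopback out the DSL uplink, where the crypto map encrypts it.
ip route 10.255.0.1 255.255.255.255 Dialer1
!
! ---- Both routers: L2TPv3 pseudowire sourced from Loopback0 (platform support assumed) ----
pseudowire-class L2VPN
 encapsulation l2tpv3
 ip local interface Loopback0
! LAN port carried over the pseudowire; the peer is the far-side loopback
! (10.255.0.2 on the datacenter router). Hosts on both LANs need a reduced MTU,
! since the tunnel cannot fragment or return "packet too big" for bridged frames.
interface FastEthernet0
 xconnect 10.255.0.1 100 pw-class L2VPN
```

Because the datacenter side accepts any source address, tunnel setup attempts and phase 1 failures there are worth logging and alerting on; a per-site key or certificate authentication narrows what a leaked key exposes.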
