L2TPv3 VLAN-to-VLAN


A few days ago I had to find a solution for a customer that could provide VLAN-to-VLAN traffic over the Internet between 2 locations. I found a solution which I think was really interesting, so I want to share it here.

Here are the requirements:

  • Host 1 (VPC1) in VLAN X at location A and Host 2 (VPC2) in VLAN X at location B should be able to send multicast traffic to each other as well as unicast traffic
  • Host 3 (VPC3) in VLAN Y at location A and Host 4 (VPC4) in VLAN Y at location B should be able to send multicast traffic to each other as well as unicast traffic
  • Host 2 and Host 4 at location B cannot be configured with a default gateway, so they must be in the same broadcast domain as Host 1 and Host 3 respectively at location A
  • Host 1/2 traffic should be completely isolated from Host 3/4 traffic

First of all I thought of configuring GRE and multicast routing, but then I realized that there would be an issue for unicast traffic, as Host 2/4 cannot be configured with a default gateway. So one of my colleagues told me to use L2TPv3. I hadn't heard about this feature before. I knew EoMPLS but I did not know that it was possible to send L2 traffic over the Internet.

I used GNS3 (my favorite simulation tool) to test it. Here is the setup used (I am using a Cisco 2691 with 12.4(15)T11).

Here is what the L2TPv3 encapsulation looks like when I ping from VPC1 to VPC2. As you can see below, the Cisco implementation of L2TPv3 uses IPv4 encapsulation with an IP protocol ID of 115. Cisco does not support the IPv4/UDP encapsulation form for L2TPv3, which can have the advantage of being friendlier to applications such as NAT. Moreover, IPv4 encapsulation only provides a header checksum, while UDP also provides payload integrity.

Show commands:

show l2tun session -> Shows the state of the tunnel(s). Look for the est state, which means established
show l2tun session all -> Shows more detailed information about the tunnel(s)
show xconnect all -> Shows the state of the tunnel(s). Look for the up state

Debug commands:

debug vpdn l2x-events
debug vpdn l2x-packets

I attach the partial configuration of R1 and R3 in case some people are interested in it: R1-R3-L2TPv3-Config
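For readers without the attachment, here is a minimal VLAN-mode L2TPv3 configuration matching the requirements above. It is an added example, not the author's R1/R3 configuration: the VLAN IDs (10 for VLAN X, 20 for VLAN Y), the interface names, the loopback addresses (documentation ranges) and the pseudowire-class name are all assumptions.

```cisco
! ---- R1 (location A) -- constructed example, addresses are placeholders ----
ip cef
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface FastEthernet0/1
 no ip address
!
! VLAN X (assumed ID 10): Host 1 <-> Host 2, VC ID 10
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 xconnect 198.51.100.1 10 pw-class PW-L2TPV3
!
! VLAN Y (assumed ID 20): Host 3 <-> Host 4, separate VC ID 20
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 xconnect 198.51.100.1 20 pw-class PW-L2TPV3
!
! ---- R3 (location B) -- mirror of R1 with the peer address swapped ----
ip cef
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 xconnect 192.0.2.1 10 pw-class PW-L2TPV3
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 xconnect 192.0.2.1 20 pw-class PW-L2TPV3
```

Each VLAN gets its own xconnect with its own VC ID, which must match on both routers; this is what keeps Host 1/2 frames in a separate session from Host 3/4 frames. L2TPv3 by itself does not encrypt the tunneled frames.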

At first I could not make it work when using VLAN1, then after configuring another VLAN it was working. I am not sure what is going on when using VLAN1, but maybe it is because Cisco routers/switches use VLAN1 for control traffic (VTP, STP, CDP). If anyone has an idea, you are really welcome to write a comment ;-)


  1. July 4, 2012 at 17:17

    Thank you for the lab. I am setting up a scenario like this, but I have to carry the native VLAN1, but without success. Any tips?

    • July 5, 2012 at 09:47

      Hi muricoca,

      Have you tried to tag the native VLAN on your switches: vlan dot1q tag native?


  2. July 6, 2012 at 10:20

    Hi Muriçoca,

    I suggest that you try to configure L2TPv3 in port-mode instead of VLAN-mode, as port-mode should replicate all Ethernet frames received, including all tagged frames. In VLAN-based mode it will only intercept and forward the respective VLAN frames across the pseudowire.

    For configuring port-mode you just configure xconnect under the main interface without using sub-interfaces. Let me know if it works.


  3. MMS
    May 25, 2013 at 17:49

    Great post 🙂
    Is this configuration compatible with Cisco 870 Series ?

  4. July 30, 2013 at 12:10


    Is it possible to configure L2TPv3 tunnels in a way that would allow assigning a default gateway to hosts in the VLAN?
    Since xconnect command cannot be entered under an interface that has an IP address assigned to it, you cannot create a L3 interface in the VLAN that would serve as a default gateway to clients.

    Is there a way to configure the tunnel in a way that would allow creation of a L3 interface for the tunneled VLAN?


  5. Juan123
    October 7, 2015 at 18:22

    I need some help!

    First, 2 previous questions:

    1. *Can I establish a tunnel between 2 Cisco routers with only 2 xconnect´s inside my vlan interfaces, and with a pseudowire linked with my ethernet interface and the vlan interfaces?

    2. * The need of a crypto map is only for encrypting the info? Or it is always necessary to create one?

    I have already established an L2TPv3 tunnel between my 2 Ciscos (Cisco_A and Cisco_B), but now I want to establish a tunnel between my Cisco_A and a third Cisco (Cisco_C) and it is not working!!!

    3. What do I have to take into consideration???

