L2TPv3 stateful or stateless

mschneid
Cisco Employee

Hi,

Just a generic question:

Is L2TPv3 stateful or stateless, from an IOS router perspective, e.g. on an IR829?

Thanks and regards,

ms

27 Replies

Philip D'Ath
VIP Alumni

It has a session and tunnel, so I would say it is stateful.

As for the traffic going through the tunnel - that is stateless.

Thanks for your response.

The question, or the use case behind my asking, is the following:

Public WLAN in buses and trams -> AP with FlexConnect, via VLAN to an IR829 router, via L2TPv3 through a 4G uplink, backhauled to a central controller.

The mobile SP must NAT that traffic, and that's the question from Vodafone: is this L2TPv3 tunnel stateless or stateful?

I saw in a config guide

http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/l2tpv30s.html#wp1276974

the statement that if we turn off peer auth and dead peer detection for static L2TPv3, then in my opinion it is kind of stateless.

What do you think?

Thanks and regards,

MS
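What "static L2TPv3 without peer auth and dead peer detection" leaves on the wire, as an added example (not from the thread, the config guide, or Cisco): a toy receiver for the L2TPv3 data plane that holds nothing but a configured session table, the equivalent of what a manual xconnect with `l2tp id` and `l2tp cookie` would configure. It parses both RFC 3931 encapsulations (IP protocol 115 and UDP port 1701), demultiplexes on the session ID and checks the cookie, which is the only anti-spoofing protection a static pseudowire has once no control channel exists. The session ID, cookie, VLAN and sample frames are constructed for the example.

```python
"""Static (manually keyed) L2TPv3 data plane, as a receiver sees it.

Added example, not code from the thread or from Cisco. The receiver's only state is
the configured session table; nothing is negotiated at run time, which is what makes
a static pseudowire "stateless" from the peer's point of view.
"""
import hmac
import struct
from dataclasses import dataclass

L2TPV3_IP_PROTO = 115    # L2TPv3 over IP  (RFC 3931, section 4.1.1)
L2TPV3_UDP_PORT = 1701   # L2TPv3 over UDP (RFC 3931, section 4.1.2)


@dataclass(frozen=True)
class Session:
    cookie: bytes      # 0, 4 or 8 bytes, agreed out of band for a static session
    attach_vlan: int   # where the decapsulated Ethernet frame is delivered


# Constructed session table: local session ID 100 with a 4-byte cookie (assumed values).
SESSIONS = {100: Session(cookie=bytes.fromhex("12345678"), attach_vlan=100)}


def parse_ip_encap(payload: bytes):
    """IP protocol 115 payload: 32-bit Session ID, then cookie and L2 frame."""
    if len(payload) < 4:
        raise ValueError("truncated L2TPv3/IP header")
    (sid,) = struct.unpack_from("!I", payload, 0)
    if sid == 0:
        raise ValueError("session ID 0 is reserved for control messages")
    return sid, payload[4:]


def parse_udp_encap(payload: bytes):
    """UDP/1701 payload: flags/version word (T=0, Ver=3), reserved, Session ID, cookie, L2 frame."""
    if len(payload) < 8:
        raise ValueError("truncated L2TPv3/UDP header")
    flags, sid = struct.unpack_from("!HxxI", payload, 0)
    if flags & 0x8000:
        raise ValueError("T bit set: control message, not data")
    if flags & 0x000F != 3:
        raise ValueError("not L2TPv3 (Ver != 3)")
    return sid, payload[8:]


PARSERS = {"ip": parse_ip_encap, "udp": parse_udp_encap}


def receive(encap: str, payload: bytes):
    """Demultiplex on the session ID, check the cookie, hand the frame to the attachment VLAN."""
    try:
        sid, rest = PARSERS[encap](payload)
    except ValueError as exc:
        return ("drop", str(exc))
    sess = SESSIONS.get(sid)
    if sess is None:
        return ("drop", "unknown session %d" % sid)
    n = len(sess.cookie)
    # The cookie is the only spoofing defence a static pseudowire has; compare it in constant time.
    if len(rest) < n or not hmac.compare_digest(rest[:n], sess.cookie):
        return ("drop", "cookie mismatch")
    return ("deliver", sess.attach_vlan, rest[n:])


# Constructed sample packets (not captured traffic): a broadcast Ethernet frame with a dummy payload.
FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"guest-wifi"
COOKIE = SESSIONS[100].cookie
IP_PKT = struct.pack("!I", 100) + COOKIE + FRAME                  # proto 115 encapsulation
UDP_PKT = struct.pack("!HxxI", 0x0003, 100) + COOKIE + FRAME      # UDP/1701 encapsulation
SPOOFED_PKT = struct.pack("!I", 100) + bytes.fromhex("deadbeef") + FRAME
UNKNOWN_PKT = struct.pack("!I", 7) + COOKIE + FRAME
CONTROL_PKT = struct.pack("!HxxI", 0x8003, 0) + b"\x00" * 12        # T bit set: control channel

if __name__ == "__main__":
    for name, encap, pkt in [("ip", "ip", IP_PKT), ("udp", "udp", UDP_PKT),
                             ("spoofed", "ip", SPOOFED_PKT), ("control", "udp", CONTROL_PKT)]:
        print(name, receive(encap, pkt)[:2])
```

The point for the thread: a dynamic pseudowire adds a control connection (tunnel and session negotiation, hello/DPD, optional authentication) on top of this; the static variant has exactly the table above and nothing else, so a short uplink outage loses no state that would have to be rebuilt.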

Does it have to come back to a central HQ? Could you use Office Extend mode instead, and have the APs tunnel directly back to the controller?

Cisco Meraki APs (cloud managed) might be a better fit, and you just "vent" the Internet via the 4G directly.

Otherwise you might need to consider using DMVPN from the 829 back to HQ, and run the L2TPv3 over that.

Personally, I think I would use the Cisco Meraki MX instead of the IR829 and the Cisco Meraki APs if this is only for providing guest WiFi.

It is a bit more complex.

They will use some telemetry sensors in the buses and trams and send the traffic through DMVPN back to the HQ.

The public WLAN traffic will be sent either in a different VRF back to the HQ WLAN controller (there we need L2TPv3, but no DMVPN/crypto) and then off to the Internet, or, better, if the mobile SP supports multi-PDN, the public WLAN traffic goes directly to the Internet without going via the HQ.

So we need 2 VRFs: one internal with DMVPN and one public without DMVPN, both with L2TPv3.

I am playing around with design options. What do you finally think about stateless/stateful L2TPv3?

Thanks for the discussion.

Best regards, m

I think trying to use a stateless L2TPv3 solution will be hard to maintain.

I can see why you might use L2TPv3 for the public WiFi.  Why do you need L2TPv3 for the other network?

Have you considered using MPLS L3VPN over DMVPN, and no L2TPv3 at all?

http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/13733-mpls-vpn-basic.html

Hello,

I'm the customer who needs the solution.

The problem is, as described above, that we have to deploy the APs in the tram. There we have some special requirements on the hardware that the Meraki hardware does not meet, but the classic Cisco ISR 829 with the integrated AP does.

On the software side, Meraki matches all requirements.

Is there any possibility or hint on the roadmap that the WLC-managed APs will get the same functionality that Meraki already has, which is described in the following link:

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/L2TPv3_Concentration_for_SSIDs

Kind regards,

Stefan

What about using a simple CAPWAP tunnel from the AP back to the WLC?

That's our last hope if we don't find anything else.

Using CAPWAP has some drawbacks for us.

1) All the traffic generated by the guest SSID needs to be tunnelled at layer 2 back to Vodafone. They are responsible for DHCP, default gateway, captive portal, and so on. So with CAPWAP we would route all the traffic from the trams over the Internet to our HQ to the WLC and from there with an EoGRE tunnel back to Vodafone over the Internet.

2) We would like to run the APs in the trams in FlexConnect mode with a tunnel directly from the AP to Vodafone, so that already logged-in users don't get kicked out if the 4G/3G uplink fails for a short time.

What works, but is not supported (because of the NAT), is running the AP in the tram in FlexConnect mode, NATing it to the Internet and letting it directly build an EoGRE tunnel to Vodafone.
But there we have a problem if we want to run a second AP behind one 3G/4G uplink.
The best solution would be getting the NATable L2TPv3 over UDP tunnel working on a FlexConnect AP, as is supported with Meraki or nearly all other WiFi vendors.
But we are open to all other suggestions.

What about using L2TPv3 on the IR829 back to Vodafone? Drop the AP guest traffic into a VLAN (using as many APs as you want), then xconnect that entire VLAN to Vodafone?

What about putting the WLC in Vodafone itself?

As far as I know the IR829 does not support "stateless" L2TPv3 over UDP, and that's required by Vodafone. Cisco has L2TPv3 only implemented with IP protocol 115 (as far as I know). But I hope "mschneid" can verify this, or do you have access to this information?

Yeah, putting the WLC at Vodafone is a new idea; we will think about that and discuss it with the guys over at Vodafone, but then we also have to maintain a CAPWAP tunnel from the AP to the WLC for everything to work.

Do you rate this solution as "stable"? For example, we need the router to periodically take down the 3G/4G uplink for about 20 seconds if the uplink falls from 4G to 3G, to get it back up to 4G.

With a stateless tunnel that only carries the traffic, that will be no problem, but how will it be if we have to maintain a full CAPWAP tunnel?

Yes, EoGRE is supported on the WLC.

But EoGRE is not supported with NAT.

We have to NAT on the IR829 from the internal AP to the 3G/4G uplink mobile network.

We have the solution from your link running, but with only one AP behind one IR829 with one uplink.

The second one, where the AP creates the tunnel directly.

The second AP fails because of the NAT, and I think NATing EoGRE is not supported on Cisco's side.
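Why the second AP behind one uplink fails, and why the UDP encapsulation Vodafone asks for changes that, as an added example (not from the thread or from Cisco, and not a description of how the IR829's NAT is implemented): a toy port-address-translation table that does what a NAT on the 4G uplink has to do for L2TPv3 over UDP/1701 versus L2TPv3 over IP protocol 115. EoGRE (IP protocol 47) has the same shape as protocol 115, so the same collision applies. Refusing the second inside host for a port-less protocol is this model's policy; a real NAT may instead overwrite the first binding or misdeliver replies, but in either case there is no field left to tell the two APs apart without a protocol-aware ALG. All addresses are constructed.

```python
"""Toy NAPT showing why port-less tunnel protocols do not survive NAT for more than one inside host.

Added example, not code from the thread or from Cisco. The drop-the-second-host policy for
port-less protocols is a modelling choice, not a statement about any particular NAT product.
"""
from typing import NamedTuple, Optional

IPPROTO_UDP, IPPROTO_GRE, IPPROTO_L2TPV3 = 17, 47, 115


class Pkt(NamedTuple):
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for protocols that carry no transport ports
    dport: Optional[int] = None


class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}        # (proto, in_ip, in_port, peer_ip, peer_port) -> public port
        self.back = {}       # (proto, public_port, peer_ip, peer_port) -> (in_ip, in_port)
        self.portless = {}   # (proto, peer_ip) -> in_ip: one inside host per protocol and peer

    def outbound(self, p: Pkt) -> Optional[Pkt]:
        """Translate an inside->Internet packet; None means no usable binding can be created."""
        if p.sport is None:
            owner = self.portless.setdefault((p.proto, p.dst), p.src)
            if owner != p.src:
                # Replies will carry only (proto, peer_ip, public_ip): nothing distinguishes
                # a second inside host from the first, so the binding cannot be made.
                return None
            return p._replace(src=self.public_ip)
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(p.proto, self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return p._replace(src=self.public_ip, sport=self.out[key])

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Translate an Internet->inside packet back to the host that opened the binding."""
        if p.dport is None:
            in_ip = self.portless.get((p.proto, p.src))
            return None if in_ip is None else p._replace(dst=in_ip)
        hit = self.back.get((p.proto, p.dport, p.src, p.sport))
        if hit is None:
            return None   # unsolicited inbound packet: dropped, the NAT's implicit firewall
        in_ip, in_port = hit
        return p._replace(dst=in_ip, dport=in_port)


def demo():
    """Two APs behind one uplink talking to one concentrator, with each encapsulation."""
    ap1, ap2, lns = "192.168.1.11", "192.168.1.12", "198.51.100.5"   # constructed addresses
    nat = Napt("203.0.113.77")
    # L2TPv3 over UDP/1701: each AP gets its own public port and replies find their way back.
    u1 = nat.outbound(Pkt(IPPROTO_UDP, ap1, lns, 1701, 1701))
    u2 = nat.outbound(Pkt(IPPROTO_UDP, ap2, lns, 1701, 1701))
    reply_to_ap2 = nat.inbound(Pkt(IPPROTO_UDP, lns, nat.public_ip, 1701, u2.sport))
    # L2TPv3 over IP protocol 115: the first AP works, the second has no field left to translate.
    i1 = nat.outbound(Pkt(IPPROTO_L2TPV3, ap1, lns))
    i2 = nat.outbound(Pkt(IPPROTO_L2TPV3, ap2, lns))
    # EoGRE (IP protocol 47) behaves the same way, which is the failure described in the thread.
    g1 = nat.outbound(Pkt(IPPROTO_GRE, ap1, lns))
    g2 = nat.outbound(Pkt(IPPROTO_GRE, ap2, lns))
    return {
        "udp_public_ports": (u1.sport, u2.sport),
        "udp_reply_delivered_to": reply_to_ap2.dst,
        "ip115_first_ap": i1.src, "ip115_second_ap": i2,
        "gre_first_ap": g1.src, "gre_second_ap": g2,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Read together with the thread: Meraki's "L2TPv3 over UDP" concentration works behind NAT because the UDP ports give the NAT something to rewrite per AP; a protocol-115 or GRE tunnel from each AP needs either one public address per AP, an ALG that understands the tunnel's session IDs, or a single tunnel from the IR829 itself carrying the whole guest VLAN so that only one inside endpoint is ever behind the NAT.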

Can you build a VPN from the IR829 to Vodafone so that you don't have to have NAT in the picture for this part of the network?

That I also have to discuss with Vodafone, but with VPN and encryption I think we will have problems with the throughput.

I think there is no good way to accomplish this with classic Cisco hardware.

I'm just a bit surprised that Cisco Meraki and nearly all other vendors have implemented the standard solution for this use case, and there is no way we can find a simple solution with classic Cisco :-)

I thank you very much for all your effort, and I'm still open to any other suggestions for a scalable, centrally managed solution to the problem. You need to know that we have to manage a few hundred vehicles with this solution.

I think I'll try everything I can to reach out to the BU to see if there are any points on the roadmap that would help us.

I have read over this again. What is the reason you can't use the Meraki APs again?

They seem to tick every box.
