05-07-2013 01:56 AM - edited 03-04-2019 07:50 PM
Hi,
I have set up a layer 2 tunnel on my 887va router and the traffic transmits across this to my second 887va. Unfortunately, I do not seem able to get the layer 2 traffic from my host PC and down the tunnel.
I believe the problem to be the router settings for the fastethernet and forwarding this data out of the dialer port.
I am now desperate to resolve this as all of my attempts have failed, I believe this is something very simple I am missing. PLEASE HELP.
Here is my config:
Building configuration...
Current configuration : 3973 bytes
!
! Last configuration change at 13:03:15 UTC Thu May 2 2013
! NVRAM config last updated at 13:04:17 UTC Thu May 2 2013
! NVRAM config last updated at 13:04:17 UTC Thu May 2 2013
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
enable secret 4 pozkvcqXiM/f4AVrqz8PjSI9KxXYqhSXdmI.1yi0uD2
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip cef
no ipv6 cef
l2tp-class l2tpclass2
authentication
password xxx
!
l2tp-class l
!
vpdn enable
!
vpdn-group vpdngroup1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname xxxxx
!
license udi pid CISCO887VA-K9 sn FCZ1706908Q
!
controller VDSL 0
!
pseudowire-class pwclass2
encapsulation l2tpv3
sequencing both
ip local interface Dialer0
ip pmtu
ip tos reflect
ip ttl 100
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address xxx.xxx.xxx.xxx
crypto isakmp keepalive 30 5
!
!
crypto ipsec transform-set XXX esp-3des esp-md5-hmac
!
crypto map Cmap 10 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set XXX
match address 101
!
bridge irb
!
interface Loopback1
no ip address
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly in
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
switchport access vlan 2
no ip address
!
interface FastEthernet1
switchport access vlan 200
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template1
ip unnumbered Loopback1
ppp authentication chap
ppp chap hostname xxxxx
!
interface Virtual-PPP2
ip unnumbered Loopback1
ppp authentication chap
ppp chap hostname xxxxx
pseudowire xxx.xxx.xxx.xxx 10 pw-class pwclass2
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly in
shutdown
!
interface Vlan2
no ip address
bridge-group 1
bridge-group 1 input-address-list 700
bridge-group 1 output-address-list 700
!
interface Vlan200
no ip address
!
interface Dialer0
ip address xxx.xxx.xxx.xxx 255.255.255.0
no ip redirects
no ip unreachables
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxxx
ppp chap password 0 xxxx
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map Cmap
!
interface Dialer1
no ip address
!
interface Dialer9
no ip address
shutdown
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 78.105.250.120 255.255.255.255 Dialer0
ip route 192.168.1.0 255.255.255.0 Virtual-PPP2
!
access-list 50 deny any log
access-list 100 deny ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 101 permit tcp 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 101 permit udp 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 101 permit icmp 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 101 deny ip any any
access-list 101 deny tcp any any
access-list 101 deny udp any any
access-list 101 deny icmp any any
access-list 111 deny tcp any any eq telnet
access-list 111 permit ip any any
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
dialer-list 1 protocol ip permit
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line aux 0
line vty 0 4
access-class 50 in
exec-timeout 0 0
no login
transport input none
transport output none
!
end
05-10-2013 02:13 PM
What is the reason why you need layer 2 instead of regular IP?
05-13-2013 12:04 AM
Hi,
I have a Web Ranger which only outputs the data in layer 2 format.
Thanks..
05-13-2013 12:42 PM
I don't know if you are referring to the following.
http://www.data-connect.com/RAD_WEB_RANGER.htm
If yes, that is a regular router, if not, please explain.
05-13-2013 02:48 PM
Hi Danny,
It is hard to say what is wrong with your setup without running debug commands. I have set up a lab with one C887va and one C888E, and am successfully running L2TPv3. The relevant part of the config in C887 is as follows. I am using advipservices: c880data-universalk9-mz.152-1.T.bin.
------------------------
l2tp-class L2_CL
hello 10
password 7 02050D480809 !----->same on both ends
cookie size 8
!
pseudowire-class L2TPv3_PS
encapsulation l2tpv3
interworking ethernet !---->you missed this in your config
protocol l2tpv3 L2_CL
ip local interface Ethernet0.10 !---->source layer3 interface
ip dfbit set
!
interface Vlan1
xconnect A.B.C.D 100 encapsulation l2tpv3 pw-class L2TPv3_PS !----->destination IP address
----------------------------------------
The following commands can be used for checking:
show xconnect all detail
show l2tp session
show l2tp tunnel
Hope this is helpful to you.
05-14-2013 01:11 PM
Hi,
I have made the changes, however, my traffic still will not go down the tunnel.
Are there any debug statements that will show me layer 2/ethernet traffic entering the router and if it is being filtered?
I think the tunnel is working but my traffic is not getting that far.
Please can you advise whether there is a debug statement that shows layer 2 traffic within the router, not the tunnel.
Below is the output from the show L2TP command - I am correct in assuming that this is working, aren't I?
Thanks,
Danny
The debug L2TP gives the following output:
L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocTunID   RemTunID   Remote Name State Remote Address  Sessn L2TP Class/
                                                        Count VPDN Group
2429948526 1313898432 routername  est   xxx.xxx.xxx.xxx 1     l2tp_default_cl

LocID      RemID      TunID      Username, Intf/ State Last Chg Uniq ID
                                 Vcid, Circuit
2707157308 3583248854 2429948526 10, Vp2         est   06:41:26 1
05-14-2013 03:59 PM
Hi Danny,
Can you ping between the source and destination IPs used by the l2tpv3 tunnel?
Try using the following debugs:
debug vpdn l2x-events
debug vpdn l2x-packets
"show l2tp session all" shows the counters that also tell you if the traffic is going through the tunnel.
------------------------------------------------------------------------------------------------------
sh l2tp session all
L2TP Session Information Total tunnels 1 sessions 1
Session id 34342 is up, tunnel id 15973
Remote session id is 2976301299, remote tunnel id 2129208375
Locally initiated session
Call serial number is 2336700001
Remote tunnel name is XXXXX
Internet address is 10.93.2.1
Local tunnel name is XXXXX
Internet address is 10.248.119.26
IP protocol 115
Session is L2TP signaled
Session state is established, time since change 7w3d
151216258 Packets sent, 36833387 received
775473738 Bytes sent, 3111073773 received
Last clearing of counters never
Counters, ignoring last clear:
151216258 Packets sent, 36833387 received
775473738 Bytes sent, 3111073773 received
Receive packets dropped:
out-of-order: 0
total: 0
Send packets dropped:
exceeded session MTU: 0
total: 0
DF bit on, ToS reflect disabled, ToS value 0, TTL value 255
Sending UDP checksums are disabled
Receiving UDP checksums are verified
Session cookie information:
local cookie, size 8 bytes, value 27 34 0A F5 41 17 93 3B
remote cookie, size 8 bytes, value C2 FC D6 C0 B3 CD 77 1F
FS cached header information:
encap size = 32 bytes
45000014 00004000 FF73ED06 0AF8771A
0A5D0201 B166C0F3 C2FCD6C0 B3CD771F
Sequencing is off
Conditional debugging is disabled
SSM switch id is 4097, SSM segment id is 8195
Unique ID is 5
Session Layer 2 circuit, type is Ethernet, name is FastEthernet0/1
Session vcid is 100
Circuit state is UP
Local circuit state is UP
Remote circuit state is UP
------------------------------------------------------------------------------------------------------------------------
regards.
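The counter check suggested in the reply above, as an added example that is not part of any post in this thread: it parses two captures of `show l2tp session all` taken while the host is sending and reports which counters failed to move. The sample text is constructed (trimmed from the shape of the output above), and `parse_session` and `diagnose` are hypothetical helper names.

```python
import re

# Constructed sample, trimmed from the shape of the "show l2tp session all" output above.
SAMPLE = """\
Session id 34342 is up, tunnel id 15973
  Session state is established, time since change 7w3d
    151216258 Packets sent, 36833387 received
  Receive packets dropped:
    out-of-order: 0
    total: 0
  Send packets dropped:
    exceeded session MTU: 0
    total: 0
  Local circuit state is UP
  Remote circuit state is UP
"""

def parse_session(text):
    """Pull session state, packet counters, drop totals and circuit states."""
    s = {"state": None, "sent": 0, "rcvd": 0, "rx_drop": 0, "tx_drop": 0}
    if m := re.search(r"Session state is (\w+)", text):
        s["state"] = m.group(1)
    if m := re.search(r"(\d+) Packets sent, (\d+) received", text):
        s["sent"], s["rcvd"] = int(m.group(1)), int(m.group(2))
    section = None  # which "... packets dropped:" block the loop is inside
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Receive packets dropped"):
            section = "rx_drop"
        elif line.startswith("Send packets dropped"):
            section = "tx_drop"
        elif section and line.startswith("total:"):
            s[section], section = int(line.split(":")[1]), None
    for side in ("Local", "Remote"):
        m = re.search(rf"{side} circuit state is (\w+)", text)
        s[side.lower()] = m.group(1) if m else None
    return s

def diagnose(before, after):
    """Compare two snapshots taken while the host is sending traffic."""
    out = []
    if after["state"] != "established":
        out.append("session is not established")
    out += [f"{k} circuit is {after[k]}" for k in ("local", "remote") if after[k] != "UP"]
    if after["sent"] == before["sent"]:
        out.append("sent counter did not move: host frames are not entering the tunnel")
    if after["rcvd"] == before["rcvd"]:
        out.append("received counter did not move: nothing is arriving from the peer")
    out += [f"{k} total increased" for k in ("rx_drop", "tx_drop") if after[k] > before[k]]
    return out
```

An established session whose sent counter stays flat matches the symptom described in this thread: the tunnel is up, but frames from the LAN side never reach the pseudowire.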