In this blog post I'll walk you through the commands to extend a local LAN over any L3 internet uplink and secure it with IPsec.
All you need is L2TPv3 (aka a pseudowire), which doesn't require any license upgrade on an 89X router (this is the cheap part). Be aware that if you want to use a 29XX or similar you need a DATA license!
In this setup I'm using two ISR 892s, since you need routed ports. I haven't tested it with a VLAN SVI yet.
EDIT: I've tested it with an SVI and it works! Here it's listed as supported since 12.4(20)T.
Let's assume you have Office-A with LAN 10.0.0.0/24 and Office-B with the same LAN 10.0.0.0/24 (the pseudowire makes both sites one L2 broadcast domain, so they share the subnet). To interconnect them over a DSL link or similar you need L2TPv3. Let's say the WAN IP of Office-A is 10.10.10.1 and that of Office-B is 10.10.10.2.
Here's your config for Office-A:
l2tp-class l2class
 authentication
 password l2
!
pseudowire-class LAN2LAN
 encapsulation l2tpv3
 protocol l2tpv3 l2class
 ip local interface GigabitEthernet0
!
interface FastEthernet8
 description LAN
 no ip address
 duplex auto
 speed auto
 xconnect 10.10.10.2 1 encapsulation l2tpv3 pw-class LAN2LAN
!
interface GigabitEthernet0
 ip address 10.10.10.1 255.255.255.0
Be aware that Fa8 (your LAN port) must not have an IP address: it's the interface towards your switch, and the xconnect turns it into a pure L2 attachment circuit that is bridged into the pseudowire.
Now check the status with:

R1#show xconnect all
Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
  UP=Up       DN=Down            AD=Admin Down      IA=Inactive
  SB=Standby  HS=Hot Standby     RV=Recovering      NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac Fa8:3(Ethernet)              UP l2tp 10.10.10.2:1                 UP
You have a running setup, fine! But your LAN traffic now travels encapsulated in L2TPv3 in plaintext over the wire: anyone on the path can read, and inject, Ethernet frames of your LAN. Now we have to encrypt the tunnel with IPsec in transport mode. Transport mode is enough here because the L2TPv3 packets already run between the two WAN addresses, so only their payload needs protecting, and it saves the extra outer IP header of tunnel mode.
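The post doesn't show the IPsec configuration itself, so here is an added example of what it looks like; this is not the author's config but mine. It assumes the 892 runs an IOS 15.x image (needed for `hash sha256` and `esp-sha256-hmac`), IKEv1 with a pre-shared key, and the names `L2TPV3-TS`, `L2TPV3-TRAFFIC` and `L2TPV3-MAP` are my own. The one detail that matters for the crypto ACL: L2TPv3 as configured above rides directly in IP protocol 115 (no UDP), so that is what the access list must match. Office-B's L2TPv3 side, which the post also leaves out, is included as well; it is the Office-A config with the addresses swapped.

```cisco
! ================= Office-A (WAN 10.10.10.1) =================
! IKEv1 phase 1. DH group 14 matches the "DH group: group14" seen later
! in show crypto ipsec sa. Assumption: IOS 15.x (hash sha256 available).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! Placeholder PSK: replace with a long random string, identical on both sides.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 10.10.10.2
!
! Phase 2 transform in TRANSPORT mode (no second IP header).
crypto ipsec transform-set L2TPV3-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! L2TPv3 over IP = IP protocol 115 between the two WAN addresses.
! "ip local interface GigabitEthernet0" in the pw-class guarantees the
! source is 10.10.10.1, so this ACL matches every pseudowire packet.
ip access-list extended L2TPV3-TRAFFIC
 permit 115 host 10.10.10.1 host 10.10.10.2
!
crypto map L2TPV3-MAP 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set L2TPV3-TS
 set pfs group14
 match address L2TPV3-TRAFFIC
!
interface GigabitEthernet0
 crypto map L2TPV3-MAP

! ================= Office-B (WAN 10.10.10.2) =================
! l2tp-class l2class and pseudowire-class LAN2LAN are identical to Office-A.
interface FastEthernet8
 description LAN
 no ip address
 xconnect 10.10.10.1 1 encapsulation l2tpv3 pw-class LAN2LAN
!
interface GigabitEthernet0
 ip address 10.10.10.2 255.255.255.0
 crypto map L2TPV3-MAP
!
! IPsec: same policy/transform-set as Office-A, peer and ACL direction swapped.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 10.10.10.1
crypto ipsec transform-set L2TPV3-TS esp-aes 256 esp-sha256-hmac
 mode transport
ip access-list extended L2TPV3-TRAFFIC
 permit 115 host 10.10.10.2 host 10.10.10.1
crypto map L2TPV3-MAP 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set L2TPV3-TS
 set pfs group14
 match address L2TPV3-TRAFFIC
```

Apply both sides, then send some traffic across the LAN to trigger the SA: `show crypto isakmp sa` should show the peer in QM_IDLE, `show crypto ipsec sa` should list the two WAN addresses as local/remote crypto endpoints with PFS Y and group14 (the excerpt from the post below), and `show xconnect all` should still report UP on both segments. If the xconnect stays UP but the encaps/decaps counters in `show crypto ipsec sa` don't move, the crypto ACL isn't matching the pseudowire packets (wrong protocol number or wrong source address) and the tunnel is still going out in the clear.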
   local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
   plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
   current outbound spi: 0x900B4A7(151041191)
   PFS (Y/N): Y, DH group: group14
Please don't use this setup in large deployments and/or on slow links! It's just a PoC to show you how to extend your LAN the "dirty" but quick way: every broadcast and unknown-unicast frame of the LAN now crosses the uplink, and the L2TPv3 and ESP headers eat into the MTU (note the plaintext MTU of 1458 above, against a 1500-byte path), so full-size Ethernet frames end up fragmented on the WAN.