In this blog post I'll guide you through the commands to extend a local LAN over any L3 internet uplink and secure it with IPsec.
All you need is L2TPv3 (aka a pseudowire), which doesn't require any license upgrade on an 89X router (this is the cheap part). Be aware that if you want to use a 29XX or similar, you need the DATA license.
In this setup I'm using two ISR 892s since you need routed ports. I haven't tested it with a VLAN SVI yet.
EDIT: I've tested it with an SVI and it works! Here it's listed as supported since 12.4(20)T.
Let's assume you have Office-A with LAN 10.0.0.0/24 and Office-B with the same LAN 10.0.0.0/24 (once the pseudowire is up, both sides form one broadcast domain, so they share one subnet). To interconnect them over a DSL link or similar you need L2TPv3. Let's say the WAN IP of Office-A is 10.10.10.1 and that of Office-B is 10.10.10.2.
Here's your config for Office-A. Office-B is the mirror image: its xconnect points at 10.10.10.1 with the same VC ID 1 (the VC ID has to match on both ends) and GigabitEthernet0 carries 10.10.10.2.

l2tp-class l2class
 authentication
 password l2
!
pseudowire-class LAN2LAN
 encapsulation l2tpv3
 protocol l2tpv3 l2class
 ip local interface GigabitEthernet0
!
interface FastEthernet8
 description LAN
 no ip address
 duplex auto
 speed auto
 xconnect 10.10.10.2 1 encapsulation l2tpv3 pw-class LAN2LAN
!
interface GigabitEthernet0
 ip address 10.10.10.1 255.255.255.0

Be aware that Fa8 (your LAN side) must not have an IP address: it's the attachment circuit towards your switch, and every frame arriving on it is bridged into the pseudowire.
Now check the status with show xconnect all; both segments (the attachment circuit on Fa8 and the L2TP session towards 10.10.10.2) should be UP:

R1#show xconnect all
Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
  UP=Up       DN=Down            AD=Admin Down      IA=Inactive
  SB=Standby  HS=Hot Standby     RV=Recovering      NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac Fa8:3(Ethernet)              UP l2tp 10.10.10.2:1                 UP
You have a running setup, fine! But your LAN traffic now travels encapsulated in L2TPv3 in plaintext over the wire; the l2tp-class password only authenticates the control channel, it doesn't encrypt anything. So now we have to encrypt the tunnel with IPsec in transport mode, which is enough here because the L2TPv3 packets already carry the two WAN addresses as their outer IP header.
Once the SAs are up, the relevant part of show crypto ipsec sa looks like this (the two WAN addresses as crypto endpoints, PFS with DH group 14):

   local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
   plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
   current outbound spi: 0x900B4A7(151041191)
   PFS (Y/N): Y, DH group: group14
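The crypto configuration itself is not on the original page, so here is an added example (my own, not the author's running config) of the IPsec transport-mode setup for Office-A that produces output like the above: IKEv1 with a pre-shared key (the placeholder PSK and the names L2TP-TS, L2TP-MAP and L2TPV3-TRAFFIC are my assumptions), DH group 14 with PFS as in the show output, and a crypto ACL that matches only IP protocol 115 (L2TPv3 over IP) between the two WAN addresses, so both the L2TPv3 control channel and the tunneled frames get encrypted while nothing else on Gi0 is touched.

```cisco
! IKE phase 1 (ISAKMP) policy: AES-256, SHA-256, DH group 14, PSK authentication.
! If your IOS rejects "hash sha256" / "esp-sha256-hmac", fall back to sha / esp-sha-hmac.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Pre-shared key for the Office-B WAN address (placeholder value, assumption: change it)
crypto isakmp key S3cr3t-L2TP-PSK address 10.10.10.2
!
! Phase 2: ESP with AES-256/SHA-256 in TRANSPORT mode. Transport mode is sufficient
! because the L2TPv3 packets already have 10.10.10.1 <-> 10.10.10.2 as their IP header;
! only the payload (L2TPv3 header + bridged LAN frame) is encrypted.
crypto ipsec transform-set L2TP-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: L2TPv3 over IP is IP protocol 115. Matching only protocol 115 between
! the two WAN addresses catches the L2TPv3 control channel and the data session and
! leaves management traffic (SSH etc.) to and from Gi0 unencrypted and working.
ip access-list extended L2TPV3-TRAFFIC
 permit 115 host 10.10.10.1 host 10.10.10.2
!
crypto map L2TP-MAP 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set L2TP-TS
 set pfs group14
 match address L2TPV3-TRAFFIC
!
! Apply the map on the WAN interface that the pseudowire is sourced from.
interface GigabitEthernet0
 crypto map L2TP-MAP
```

Office-B gets the mirror image: 10.10.10.1 as peer and key address, and the ACL's source and destination swapped. After both sides are configured, check show crypto isakmp sa for a QM_IDLE entry and show crypto ipsec sa for increasing "pkts encaps"/"pkts decaps" counters, then re-run show xconnect all: the pseudowire re-establishes through the SA, so a segment stuck in DN usually means the crypto ACL or the PSK doesn't match on one side. If you prefer IKEv2, keep the transform set, ACL and crypto map and replace the isakmp policy and key with an IKEv2 proposal, keyring and profile referenced from the crypto map via set ikev2-profile.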
Please don't use this setup in large deployments and/or on slow links! It's just a PoC to show you how to extend your LAN the "dirty" but quick way. Keep in mind that every full-size LAN frame gets an extra L2TPv3/IP header (and ESP overhead once encrypted; the plaintext MTU of 1458 shown above is what's left after it), so 1500-byte frames end up fragmented on the WAN, which costs throughput and makes a slow link even slower.