Implementing Layer 2 Tunnel Protocol Version 3
In the case of static L2TPv3 sessions, a control channel between the two L2TP peers is negotiated through
the exchange of start control channel request (SCCRQ), start control channel reply (SCCRP), and start control
channel connected (SCCCN) control messages. The control channel is responsible only for maintaining the
keepalive mechanism through the exchange of hello messages.
The interval between hello messages is configurable per control channel. If one peer detects that the other has
gone down through the keepalive mechanism, it sends a StopCCN control message and then notifies all of
the pseudowires to the peer about the event. This notification results in the teardown of both manually
configured and dynamic sessions.
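An added example, not from the Cisco guide: a passive decoder for the control messages named above, following the RFC 3931 header and Message Type AVP layout for L2TPv3 carried directly over IP (protocol 115). The function names and the sample packets are constructed for illustration; real SCCRQ, SCCRP, and SCCCN messages carry further AVPs that this sketch ignores.

```python
import struct

# Control message types named on this page, numbered per RFC 3931.
MSG_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO"}
# Setup handshake: current state -> (expected message, next state).
SETUP = {"idle": ("SCCRQ", "wait-sccrp"), "wait-sccrp": ("SCCRP", "wait-scccn"),
         "wait-scccn": ("SCCCN", "established")}

def parse_control(payload: bytes) -> dict:
    """Decode one L2TPv3-over-IP control message (payload of IP protocol 115)."""
    if len(payload) < 16 or payload[:4] != b"\x00" * 4:
        raise ValueError("session ID is not zero: data packet or truncated")
    flags, length, ccid, ns, nr = struct.unpack_from("!HHIHH", payload, 4)
    if (flags & 0xC800) != 0xC800 or (flags & 0x000F) != 3:
        raise ValueError("T/L/S bits or version 3 missing")
    if length != 12 and not (20 <= length <= len(payload) - 4):
        raise ValueError("length field disagrees with payload")
    msg = {"ccid": ccid, "ns": ns, "nr": nr, "type": "ZLB"}  # header-only ack
    if length >= 20:
        # The first AVP must be Message Type: vendor 0, attribute 0, 2-byte value.
        avp, vendor, attr, value = struct.unpack_from("!HHHH", payload, 16)
        if (avp & 0x03FF) != 8 or vendor or attr:
            raise ValueError("first AVP is not Message Type")
        msg["type"] = MSG_TYPES.get(value, f"type-{value}")
    return msg

def track(payloads):
    """Follow SCCRQ -> SCCRP -> SCCCN, then hellos, until StopCCN."""
    state, anomalies = "idle", []
    for raw in payloads:
        kind = parse_control(raw)["type"]
        if kind == "StopCCN":
            state = "closed"  # the channel and its sessions are torn down
        elif state in SETUP and kind == SETUP[state][0]:
            state = SETUP[state][1]
        elif not (kind == "ZLB" or (kind == "HELLO" and state == "established")):
            anomalies.append((state, kind))  # message out of place for this state
    return state, anomalies

def build(msg_type, ccid, ns, nr):
    """Constructed sample: header plus one Message Type AVP (M bit set, length 8)."""
    avp = struct.pack("!HHHH", 0x8008, 0, 0, msg_type)
    header = struct.pack("!HHIHH", 0xC803, 12 + len(avp), ccid, ns, nr)
    return b"\x00" * 4 + header + avp

# Constructed capture: setup handshake, one hello, then teardown.
SAMPLE = [build(1, 0, 0, 0), build(2, 17, 0, 1), build(3, 34, 1, 1),
          build(6, 17, 1, 2), build(4, 34, 2, 2)]
```

`track(SAMPLE)` ends in the `closed` state with no anomalies, while a hello seen before the handshake completes is reported as out of place.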
Maximum Transmission Unit Handling
It is important that you configure a maximum transmission unit (MTU) appropriate for each L2TPv3
tunneled link. The configured MTU size ensures that the lengths of the tunneled L2 frames fall below the
MTU of the destination AC.
L2TPv3 handles the MTU as follows:
• Configure the path MTU on the PE. If the packet size and the L2TP header collectively are larger than
the configured value, packets are dropped.
IP Security Mapping to L2 Tunneling Protocol, Version 3
Note: This feature is supported only on the Cisco IPSec VPN SPA.
L2TPv3 is a protocol used to tunnel a variety of payload types over IP networks. At a service PE router,
IP security (IPSec) provides an additional level of protection beyond relying on access control list (ACL)
filters. L2TPv3 tunnels are also secured by using IPSec, as specified in RFC 3931.
You can secure L2TPv3 tunnels by using IPSec, which provides authentication, privacy protection, integrity
checking, and replay protection. When using IPSec, the tunnel head and the tunnel tail can be treated as the
endpoints of an SA. A single IP address of the tunnel head is used as the source IP address, and a single IP
address of the tunnel tail is used as the destination IP address.
The following scenarios describe how L2TPv3 works with IPSec:
IPSec Mapping to L2TPv3
The CE1 router sends an IPSec packet to the PE1 router. The PE1 router sends the IPSec packet to the Cisco IPSec
VPN SPA by performing a routing lookup for the front door virtual routing and forwarding (FVRF) in the service-ipsec
interface. The Cisco IPSec VPN SPA can decapsulate the IPSec packet to obtain a clear IP packet, and perform
a routing lookup for the inside virtual routing and forwarding (IVRF) in the service-ipsec interface.
IPSec over L2TPv3
If the packet arrives at PE1 outside of a virtual routing and forwarding (VRF) instance, for example, in the global table,
the packet is forwarded to PE2 according to the global FIB in PE1. The packet is switched as normal IP traffic until
it arrives at PE2, with no encapsulation at any point.
Cisco IOS XR Virtual Private Network Configuration Guide for the Cisco CRS Router, Release 6.1.x
L2TPv3 Features