Layer 2 Tunneling Protocol
A Feature in Cisco IOS Software
A Key Building Block for an Access Virtual Private Network
VPNs enable today's increasingly mobile workforce to connect to their corporate intranets or extranets whenever, wherever, or however they require, improving productivity and flexibility while reducing access costs.
To provide a low-cost, easily accessible pathway to a corporate intranet or extranet, Access VPNs simulate a private network, but over a shared infrastructure such as the Internet. They offer access for mobile users, telecommuters, and small offices through a range of technologies, including dial, ISDN, xDSL, mobile IP, and cable.
A key building block for Access VPNs is L2TP (Layer 2 Tunneling Protocol), an extension to the Point-to-Point Protocol (PPP) and a fundamental building block for VPNs. L2TP merges the best features of two other tunneling protocols: Layer 2 Forwarding (L2F) from Cisco Systems and Point-to-Point Tunneling Protocol (PPTP) from Microsoft. L2TP is an emerging Internet Engineering Task Force (IETF) standard, currently under co-development and endorsed by Cisco Systems, Microsoft, Ascend, 3Com, and other networking industry leaders.
Key L2TP Terms
Network Access Server. This device provides temporary, on-demand network access to users. This access is point-to-point, typically using PSTN or ISDN lines. In the Cisco implementation, a NAS serves as a LAC.
Cisco Access VPN Features at a Glance
Layer 2 Tunneling Protocol (L2TP). The Cisco implementation of L2TP support is based on the latest draft of the L2TP standard. Cisco provides full support of standard L2TP features and most of the optional functions. The Cisco implementation of L2TP offers:
•Support for Multiprotocol Environments—L2TP can transport any routed protocol, including IP, IPX, and AppleTalk.
•Media Independent—The Cisco implementation of L2TP operates on any network capable of delivering IP frames. It supports any WAN backbone technology, including Frame Relay, ATM, X.25, or SONET. It also supports LAN media such as Ethernet, Fast Ethernet, Token Ring, and FDDI.
Security. L2TP is a tunneling protocol that supports tunnel and user authentication. For additional Access VPN security protection, Cisco offers:
•Authentication, Authorization, and Accounting (AAA), including:
•Support for username/password or Dialed Number Identification Service (DNIS) to determine authorization of the Access VPN services.
•User authentication support includes PAP, CHAP, MS-CHAP (MD4-CHAP), and One-Time Password.
•Per-user configuration support, including per-user provisioning of IP address assignment, static routes, and access filters.
•Accounting that can be performed on the LAC and the LNS includes connection, start/stop, and full logging information of failed connection attempts.
•RADIUS and TACACS+ support.
•Support for the CiscoSecure Global Roaming Server (GRS), which provides proxy and translation of Access VPN roaming-user authentication.
•IPSec—IPSec provides data confidentiality, integrity, and authenticity among participating peers in a network. Cisco provides full Encapsulating Security Payload (ESP) and Authentication Header (AH) support. IPSec is available from Cisco on network access servers such as the AS5300 and AS5800; router platforms such as the 1600 through 7500; and the PIX Firewall. IPSec is also available on Windows 95 and Windows NT 4.0 with the RavlinSoft IPSec software.
•IKE—The Internet Key Exchange, formerly known as ISAKMP/Oakley, provides security association management. IKE authenticates each peer in an IPSec transaction, negotiates security policy, and handles the session key exchange. Cisco has been leading the IKE standardization effort.
•Cisco Encryption Technology (CET)—CET is the original network-based encryption solution.
•Certificate Management—Cisco fully supports the use of X.509-V3 certificates for device authentication as required by IKE.
•Cisco IOS Firewall Feature Set—The Cisco IOS Firewall feature set is a value-added option of Cisco IOS software that builds on the strength of existing Cisco IOS security capabilities. It includes context-based access control (CBAC), which secures traffic flow by tracking the state and context of network connections. It also includes Java blocking, which controls downloading of potentially malicious applets; denial-of-service detection and prevention; real-time alerts; and UDP transaction logs that track user access by source/destination address and port pair.
•Quality of Service—Cisco IOS software supports IP precedence, priority queuing, custom queuing, WFQ, WRR, GTS, CAR, fragmentation and interleaving, ABR, WRED, and BGP4 precedence propagation. Leveraging IP precedence, with multiple tunnels to a given LNS, service providers can offer enterprise users differentiated tunnels with varying bandwidth levels.
•Address Allocation and Management—L2TP provides full support of dynamic IP address allocation from an IP address pool maintained by the enterprise, including full support of the private addresses defined in RFC 1918. L2TP also supports dynamic address allocation from the DHCP server. Cisco IOS software supports network address translation (NAT) while preventing internal "inside addresses" from being published to the outside world.
•Reliability—The Cisco L2TP implementation provides a backup capability, allowing multiple LNS peers to be configured with backup LNSs. If the primary LNS is unreachable, the NAS (LAC) establishes a connection with a backup LNS.
•Scalability—The Cisco L2TP implementation supports unlimited sessions on each LAC and can support more than 2000 sessions per LNS on a Cisco router platform. Support for more than 8000 sessions on the Cisco 6400 Universal Access Concentrator (UAC) provides massive scalability for large ISPs, Internet wholesalers, and corporations.
When using the Cisco L2TP implementation load sharing and stackable LNS features, multiple LNSs can perform load-sharing across multiple tunnel connections between one LAC and the LNSs. The statistical load sharing capability across multiple LNSs provides added reliability and scalability. The stackable LNS feature has additional support for multilink PPP sessions. One of the LNSs will take responsibility for assembling segmented packets for each session across the multiple tunnels.
•Management—For enhanced fault management, the Cisco L2TP implementation includes support for the L2TP SNMP MIB prior to the availability of the IETF standard MIB. MIB support provides full failure code and reports reasons for disconnect. L2TP also includes a full suite of messages that can be sent to a syslog server. This set of capabilities provides a full end-to-end troubleshooting solution for Access VPNs built on L2TP.
L2TP Access VPN Architecture
•In a dial environment, an L2TP tunnel can be initiated from a Network Access Server (NAS) as a NAS-initiated tunnel or from client software as a client-initiated tunnel to a router that acts as a tunnel termination point.
•In an xDSL environment, user ATM PVCs extend from the CPE to a centrally located NAS function, which then originates L2TP tunnels to the LNSs. This NAS (such as the Cisco 6400 UAC) may be operated either by the ILEC/PTT offering the ADSL service, or by a CLEC or ISP at the edge of the ILEC.
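The following Python model is an added example, not part of Cisco's datasheet or of Cisco's implementation. It works through the control-connection handshake a LAC uses to bring up a tunnel to an LNS (SCCRQ, SCCRP, SCCCN), including the tunnel authentication mentioned under Security, as the L2TP draft was later published in RFC 2661. The host name, tunnel IDs and shared secrets are constructed values; AVP hiding (the H bit), the data channel and PPP user authentication are outside its scope.

```python
"""L2TP control-connection setup between a LAC and an LNS with tunnel
authentication, modelled on RFC 2661.  Constructed example: builds the
SCCRQ/SCCRP/SCCCN control messages, parses them back, and checks the
CHAP-style challenge responses on each side."""
import hashlib
import hmac
import os
import struct

# Control message types (RFC 2661 section 3.2) and AVP attribute types (section 4.4)
SCCRQ, SCCRP, SCCCN = 1, 2, 3
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_HOST_NAME = 0, 2, 7
AVP_ASSIGNED_TUNNEL_ID, AVP_CHALLENGE, AVP_CHALLENGE_RESPONSE = 9, 11, 13

CONTROL_FLAGS = 0xC802  # T=1 L=1 S=1 O=0 P=0, Ver=2: every control message carries these


def build_avp(attr_type, value, mandatory=True):
    """Encode one AVP: M|H|rsvd|length (10 bits), Vendor ID 0 (IETF), attribute type, value."""
    length = 6 + len(value)
    flags_len = (0x8000 if mandatory else 0) | length
    return struct.pack("!HHH", flags_len, 0, attr_type) + value


def build_control_message(tunnel_id, ns, nr, avps):
    """Wrap AVPs in a control-message header; Tunnel ID is the *receiver's* assigned ID."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", CONTROL_FLAGS, 12 + len(body), tunnel_id, 0, ns, nr) + body


def parse_control_message(data):
    """Parse header and AVPs; return (tunnel_id, ns, nr, {attr_type: value}).
    Rejects anything that is not a well-formed L2TPv2 control message."""
    flags, length, tunnel_id, session_id, ns, nr = struct.unpack("!HHHHHH", data[:12])
    if (flags & 0x8000) == 0 or (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 control message")
    if length != len(data) or session_id != 0:
        raise ValueError("bad length or non-zero session ID on control message")
    avps, pos = {}, 12
    while pos < length:
        flags_len, vendor, attr = struct.unpack("!HHH", data[pos:pos + 6])
        avp_len = flags_len & 0x03FF
        if avp_len < 6 or pos + avp_len > length:
            raise ValueError("malformed AVP length")
        if vendor == 0:
            avps[attr] = data[pos + 6:pos + avp_len]
        elif flags_len & 0x8000:  # unknown mandatory AVP: RFC 2661 says tear the tunnel down
            raise ValueError("unknown mandatory vendor AVP")
        pos += avp_len
    return tunnel_id, ns, nr, avps


def challenge_response(message_type, secret, challenge):
    """RFC 2661 section 5.1.1: MD5(message type as one octet || shared secret || challenge)."""
    return hashlib.md5(bytes([message_type]) + secret + challenge).digest()


def tunnel_setup(lac_secret, lns_secret, lac_challenge=None, lns_challenge=None):
    """Run the three-way handshake; return True only when each side accepts the
    other's challenge response, i.e. both hold the same tunnel secret."""
    lac_challenge = lac_challenge or os.urandom(16)
    lns_challenge = lns_challenge or os.urandom(16)
    # LAC -> LNS: SCCRQ, Tunnel ID 0 (none assigned yet), carrying the LAC's challenge
    sccrq = build_control_message(0, 0, 0, [
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRQ)),
        build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
        build_avp(AVP_HOST_NAME, b"lac.example"),           # constructed host name
        build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 100)),
        build_avp(AVP_CHALLENGE, lac_challenge),
    ])
    _, _, _, rq = parse_control_message(sccrq)
    # LNS -> LAC: SCCRP answers the LAC's challenge and issues the LNS's own
    sccrp = build_control_message(100, 0, 1, [
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRP)),
        build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 200)),
        build_avp(AVP_CHALLENGE_RESPONSE,
                  challenge_response(SCCRP, lns_secret, rq[AVP_CHALLENGE])),
        build_avp(AVP_CHALLENGE, lns_challenge),
    ])
    _, _, _, rp = parse_control_message(sccrp)
    # LAC verifies the LNS before completing the tunnel (constant-time compare)
    if not hmac.compare_digest(rp[AVP_CHALLENGE_RESPONSE],
                               challenge_response(SCCRP, lac_secret, lac_challenge)):
        return False
    # LAC -> LNS: SCCCN answers the LNS's challenge
    scccn = build_control_message(200, 1, 1, [
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCCN)),
        build_avp(AVP_CHALLENGE_RESPONSE,
                  challenge_response(SCCCN, lac_secret, rp[AVP_CHALLENGE])),
    ])
    _, _, _, cn = parse_control_message(scccn)
    return hmac.compare_digest(cn[AVP_CHALLENGE_RESPONSE],
                               challenge_response(SCCCN, lns_secret, lns_challenge))


if __name__ == "__main__":
    print("matching tunnel secrets:", tunnel_setup(b"s3cret", b"s3cret"))
    print("mismatched tunnel secrets:", tunnel_setup(b"s3cret", b"wrong"))
```

Two points the model makes visible: tunnel authentication is mutual and happens before any session is attached, so a LAC never forwards PPP frames to an LNS that cannot prove it holds the tunnel secret; and the response is bound to the message type (2 for SCCRP, 3 for SCCCN), so an SCCRP response cannot be replayed as an SCCCN response. The secret corresponds to the tunnel password configured identically on both devices.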
The Cisco L2TP implementation is a solution that provides a long list of benefits to enterprise users. These benefits include:
•Security and guaranteed priority for their most mission-critical applications
•Improved connectivity, reduced costs, and freedom to refocus resources on core competencies
•Flexible, scalable remote network access environment without compromising corporate security or endangering mission-critical applications
Service providers gain the following benefits from Access VPNs built on a foundation of Cisco IOS software that incorporates L2TP:
•The ability to provision, bill, and manage Access VPNs that provide a competitive advantage, minimize customer turnover, and increase profitability.
•The flexibility to offer a wide range of VPN services across many different architectures, using the Cisco IOS software implementation of L2TP.
•The capability to provide differentiated services for secure, enterprise-wide remote access using Access VPNs over the public Internet or service provider backbones.
Cisco Access VPN Feature and Benefit Summary
L2TP Case Studies
Scenario 1: Cost-Effective Remote Access for an Enterprise Corporation
The company turned to its service provider to create an Access VPN to outsource its remote access links. Cisco IOS software with the L2TP feature provides a standards-based platform for the Access VPN by providing the security, reliability, and scalability the company needs to move sensitive internal traffic over the service provider's public infrastructure. The company's service provider used L2TP to differentiate traffic streams between employees and external users of the extranet. L2TP also ensures quality of service for the company's desktop video and mission-critical customer service applications, which needed high priority to ensure reliable performance.
Scenario 2: Competitive Edge for an Internet Service Provider
The goal of Internet Service Providers (ISPs) is to build and maintain affordable networks of geographically dispersed PoPs. By outsourcing dial and xDSL access from Internet wholesalers, telcos, Regional Bell Operating Companies (RBOCs), carriers, or other service providers that already have the dispersed PoPs, a medium-sized ISP can build revenue while overcoming resource constraints. These outsourcing services, known as "wholesale Internet" or "wholesale access," can use L2TP technology to offload Internet dialup traffic from the service provider's traditional voice network, creating new revenue streams over existing, underutilized links and offering added flexibility to growing ISPs.
Scenario 3: A Telco Alleviates the Strain of Internet Usage on a Voice Infrastructure
As more corporations seek to deploy VPNs over the Internet, connection duration threatens to increase exponentially, as casual e-mail or Web surfing turns into continuous usage for business applications.
L2TP offers a solid solution for RBOC and telecommunication carriers by enabling them to separate data applications from voice switches and offload data to purpose-built data networks.
Availability and Products Supported for Cisco IOS Software with L2TP
Cisco IOS Version 11.3(5)AA
•L2TP feature is in Cisco IOS software version 11.3(5)AA
•Availability: (shipping August 1998)
•Supported products: Cisco AS5200, AS5300, AS5800, and the 7200 series
Cisco IOS Version 12.0(1)T
•Availability: (shipping TBD)
•Supported products: Cisco 1600, 2500, 2600, 3600, 4000, 4500, 7500, and UAC 6400
Cisco IOS Images
•The L2TP feature is supported in the following Cisco IOS images: IP Plus on the AS5800; IP Plus, Desktop Plus, Enterprise, Enterprise Plus, IP Plus 40, IP Plus IPSec 56, Enterprise Plus 40, and Enterprise Plus IPSec 56 on the AS5200 and AS5300; and the Enterprise image on the 7200 router series.