Can Cumulus do L2TP Tunneling between Cisco Router?

L2TP Tunneling between S4048 to Cisco ASR 1006 router.

11 replies

Userlevel 2
No official support for L2TPv2 or L2TPv3.

It does look like there are some packages out there that enable L2TPv3 tunnels in Linux.

Even if the L2TP tunnel is established between two CPUs,
the question is what will Cumulus do after that? Will traffic forward fine?

if not, just explain the difficulties and don't confuse the community.

Userlevel 2
Eric Dong wrote:

Even if the L2TP tunnel is established between two CPUs,
the question is what will Cumulus do after that? ...

The answer is there is no official support.
Thank you Kevin and Eric for replying. Can you provide an answer? Also, can I use GRE tunneling? For example, using "modprobe ip_gre".
Userlevel 3
In general, "no official support" means Cumulus has not tested the package, typically because it is out of the scope of our product. Therefore, Cumulus GSS cannot support these packages or the unsupported configurations. Furthermore, if GSS help is requested, and the additional packages prove to be related to problems with the supported features, the first step to resolve the support issue will be to remove the package and/or configuration.

Now back to the question about tunneling... Creating any IP-based tunnel to the Cumulus Linux kernel is simple enough. So if Debian Jessie supports the tunneling protocol, it will work the same as a host. I think the key point here is the tunnel will be terminated by the CPU, and NOT in the forwarding ASIC. There is currently no hardware acceleration enabled for these tunneling protocols, so the data rates of the traffic over L2TP and GRE will be poor. I would recommend not installing them without hardware acceleration, because they will put a load on the CPU and cause unforeseen side effects.
Thanks Jason. What switch does the hardware acceleration? Any recommendation?
Userlevel 3
Hi Mihir, L2TPv3 is typically associated with DSL and some other VPN technologies. I am not entirely sure of your use case, but I believe this is considered a legacy tunneling protocol, so I am not sure where to point you. Why not use VXLAN to tunnel into the Cumulus switches? This can be hardware accelerated on many of the host NICs as well, providing a more modern solution for tunneling traffic at line rate.
Thanks for the solution. The reason for using L2TP is to access iLO ports from our data center. As we can't route internal traffic out, think of creating a tunnel from data center to center location.
We are using SSH tunneling to access the iLO ports on the server, but the performance is really laggy; plus, when opening multiple sessions using the SSH tunnel, iLO web browsing is lacking, with very slow performance. I'm open to the idea. 🙂

Userlevel 3
Is this a CLI/terminal iLO connection? It sounds like it is an HTTP/HTTPS connection to the iLO. Regardless, if the server iLO ports are connected to a Cumulus switch, it would be easy enough to create a VXLAN tunnel from a central location (your office, I assume) to the datacenter switches. Then the iLO subnets will remain private, and the iLO sessions over the VXLAN tunnel *should* provide the best possible performance.

On the central side of the tunnel, you would need to initiate the VXLAN from your host, or perhaps use a Cumulus switch there as well. However, without RIOT (routing in/out tunnels), you will need to enter the switches via layer 2 to encapsulate into the VXLAN tunnel. There is also a technique using a physical loopback cable to route packets back into the switch, satisfying the Trident2 restriction. How's that sound?
Sounds promising. Does the VXLAN discover dynamically? Because I have to provide so many server MAC addresses.
Userlevel 3
Depends on what version you are running. I think you would probably want to do LNV, or if running 3.2, could try EVPN.