[c-nsp] L2TP again
Rodney Dunn
rodunn at cisco.com
Wed Jul 25 09:02:29 EDT 2007

On Wed, Jul 25, 2007 at 02:37:17PM +0200, Bernd Ueberbacher wrote:
> Rodney Dunn wrote:
> >On Wed, Jul 25, 2007 at 11:17:09AM +0200, Bernd Ueberbacher wrote:
> >
> >>Hi there!
> >>
> >>My L2TPv3 tunnel is currently running fine, but I have two short but
> >>stupid questions:
> >>
> >>Is it possible to interfere with the L2TP traffic with access-lists?
> >>
> >
> >No. Not on the access side.
> >
> Is there any way to deny some specific traffic on a l2tp link?

AFAIK no. The features applied on ingress are not evaluated on
L3 info. We simply encapsulate the raw L2 frame and ship it over.

I wonder if a service policy with a FPM match would allow you
to match specific networks in the L2 frame payload by offsets. hmmm...
I'll have to ask/test that.

Rodney

>
>
> >>I have to xconnect to the LAN address of the router. On the LAN side I
> >>just have a few /30 networks but nothing else. Should I pick one of the
> >>IPs from those networks to xconnect to or is it allowed to xconnect to
> >>the NETWORK ADDRESS of the /28 network on my LAN side? This seems better
> >>to me than using one of the real /30 IPs, but I don't wanna break the
> >>law/some RFC *G*
> >>
> >
> >You should do your xconnects to loopback addresses that are routed
> >between the two tunnel endpoints.
> >
> That was just a thought. My "Layer 2 VPN Architectures" book also has
> the same opinion and so I guess I should be listening to you ;-)
>
>
>
> Thanks!
> Bernd
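
Added example, not part of the original thread and not Cisco FPM configuration: a Python illustration of the offset-based matching idea raised in the reply above, locating the inner IPv4 destination in a raw Ethernet frame and showing that an 802.1Q tag shifts the byte offset a fixed-offset filter would rely on. The function names, the sample frames and the 10.1.2.0/24 network are constructed for illustration.

```python
import ipaddress
import struct

ETH_HDR_LEN = 14                     # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = (0x8100, 0x88A8)    # 802.1Q and 802.1ad tag identifiers
IPV4_DST_OFFSET = 16                 # destination address inside the IPv4 header


def inner_ipv4_dst(frame: bytes):
    """Return (dst_address, byte_offset_in_frame), or None if not IPv4."""
    if len(frame) < ETH_HDR_LEN:
        return None
    offset = 12                      # EtherType position in an untagged frame
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    # Each VLAN tag inserts 4 bytes, so a fixed offset would read the wrong field.
    while ethertype in ETHERTYPE_VLAN:
        offset += 4
        if len(frame) < offset + 2:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    ip_start = offset + 2
    if ethertype != ETHERTYPE_IPV4 or len(frame) < ip_start + 20:
        return None
    if frame[ip_start] >> 4 != 4:    # version nibble must agree with EtherType
        return None
    dst_off = ip_start + IPV4_DST_OFFSET
    return ipaddress.IPv4Address(frame[dst_off:dst_off + 4]), dst_off


def frame_matches(frame: bytes, network: str) -> bool:
    """True if the frame carries IPv4 with a destination inside `network`."""
    hit = inner_ipv4_dst(frame)
    return hit is not None and hit[0] in ipaddress.ip_network(network)


def build_frame(dst_ip: str, vlan=None, ethertype=ETHERTYPE_IPV4) -> bytes:
    """Constructed sample: zeroed MACs, optional 802.1Q tag, 20-byte IPv4 header."""
    eth = bytes(12)
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("192.0.2.1").packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip
```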