The Layer 2 Tunneling Protocol (L2TP) is a standard protocol for tunneling L2 traffic over an IP network. Its ability to carry almost any L2 data format over IP or other L3 networks makes it particularly useful. But L2TP remains little-known outside of certain niches, perhaps because early versions of the specification were limited to carrying PPP -- a limitation that is now removed.
It is desirable to tunnel L2 traffic over routed L3 networks because L2 networks are generally more transparent, easier to configure and easier to manage than L3 networks. These are desirable properties for a range of applications. In data centers, a flat network is essential for promoting virtual machine (VM) mobility between physical hosts. In companies with multiple premises, the sharing of infrastructure and resources between remote offices can be simplified by L2 tunneling.
The L2TP protocol itself is an open standard defined by the IETF. This article concentrates on the latest Version 3 of the specification, which describes tunneling multiple L2 protocols over various types of packet-switched networks (PSN). The standard discusses tunneling over IP, UDP, Frame Relay and ATM PSNs.
An L2TP connection comprises two components: a tunnel and a session. The tunnel provides a reliable transport between two L2TP Control Connection Endpoints (LCCEs) and carries only control packets. The session is logically contained within the tunnel and carries user data. A single tunnel may contain multiple sessions, with user data kept separate by session identifier numbers in the L2TP data encapsulation headers.
Conspicuously absent from the L2TP specification are any security or authentication mechanisms. It is typical to deploy L2TP alongside other technologies, for example IPSec, to provide these features. This gives L2TP the flexibility to interoperate with various different security mechanisms within a network.
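As an added example (not part of the original article), the following Python demultiplexer shows how an LCCE separates the control and data messages described above by the L2TPv3-over-UDP header (RFC 3931), keys data on the 32-bit session ID, and uses the per-session cookie as the only header-level check against misdirected or blindly injected frames. The session table, IDs and cookie values are constructed for illustration.

```python
import struct

# Constructed example session table: session id -> cookie the peer agreed to send.
# Values are made up; a real LCCE fills this from control-connection negotiation.
SESSIONS = {
    0x0000ABCD: bytes.fromhex("1122334455667788"),  # session with an 8-byte cookie
    0x0000BEEF: b"",                                # session configured without a cookie
}

def build_udp_data_msg(session_id, cookie, payload):
    """Build an L2TPv3-over-UDP data message: T bit clear, Ver=3, reserved 16 bits,
    32-bit session id, optional cookie, then the tunnelled L2 payload."""
    return struct.pack("!HHI", 0x0003, 0, session_id) + cookie + payload

def build_udp_control_msg(tunnel_id, ns, nr, body=b""):
    """Build an L2TPv3-over-UDP control message header: T=1, L=1, S=1, Ver=3,
    16-bit length, 32-bit control connection (tunnel) id, Ns, Nr."""
    return struct.pack("!HHIHH", 0xC803, 12 + len(body), tunnel_id, ns, nr) + body

def demux_udp_msg(pkt):
    """Classify one received L2TPv3-over-UDP message.

    Returns ("control", tunnel_id) for control messages,
    ("data", session_id, payload) for data accepted into a known session,
    or ("drop", reason) for anything that must not be bridged onto the LAN.
    """
    if len(pkt) < 8:
        return ("drop", "short header")
    flags_ver, second, ident = struct.unpack("!HHI", pkt[:8])
    if flags_ver & 0x000F != 3:
        return ("drop", "not L2TPv3")
    if flags_ver & 0x8000:                  # T bit set: control message
        # 'second' is the Length field (L bit is always set in v3 control messages)
        if len(pkt) < 12 or second != len(pkt):
            return ("drop", "control length mismatch")
        return ("control", ident)           # ident is the control connection id
    if ident == 0:
        return ("drop", "session id 0 is reserved")
    if ident not in SESSIONS:
        return ("drop", "unknown session")  # no session set up for this id
    cookie = SESSIONS[ident]
    if pkt[8:8 + len(cookie)] != cookie:
        return ("drop", "cookie mismatch")  # frame was not sent by the session peer
    return ("data", ident, pkt[8 + len(cookie):])
```

The cookie check only detects misdirected or guessed session IDs; it is not authentication or confidentiality, which is why the article pairs L2TP with IPSec.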
The four use cases discussed below illustrate how L2TP works in a variety of scenarios, from simple point-to-point links to large networks. Whether you're running a single-site corporate LAN or a complicated multi-site network, L2TP has the scalability to fit into your architecture.
L2TP/IPSec as a VPN
Today, with diverse mobile devices used throughout businesses, and pervasive availability of broadband in the home, most corporate networks must provide remote access as a basic necessity. Virtual private network (VPN) technologies are an essential part of meeting that need.
Since L2TP doesn't provide any authentication or encryption mechanisms directly, both of which are key features of a VPN, L2TP is usually paired with IPSec to provide encryption of user and control packets within the L2TP tunnel. Figure 1 shows a simplified VPN configuration. Here the corporate network on the right contains an L2TP Network Server (LNS) providing access to the network. Remote workers and mobile devices may join the corporate network via IPSec-secured L2TP tunnels over any intermediate network (most likely the Internet).
Clients attaching to the VPN will often run L2TP and IPSec software directly. It is normally unnecessary to install extra software in client systems to communicate with an L2TP VPN server: L2TP VPN software is provided with Windows, OS X, iOS, Android and Linux systems.
L2TP to extend a LAN
An L2TP-based VPN works well to allow individual clients to make single links with a remote LAN. Our next example takes the VPN concept and runs with it, employing L2TP to merge two or more LANs. Many businesses have the challenge of managing several remote locations, all of which must share data and network infrastructure. By using L2TP to provide tunnels between each individual LAN, we can create one unified network with easy access to resources from any location.
Figure 2 shows a simple deployment using L2TP to join two LANs over the Internet. Rather than running L2TP software on each host in each office, a separate machine is used as an LCCE endpoint at each office location. The LCCE machines bridge Ethernet frames from the LAN with the L2TP interface to the remote site, thereby acting as a gateway between the LANs. Depending on the LAN configuration and the nature of the intermediate network, it may be necessary or desirable to add packet filters at the LCCE to confine certain traffic to the LAN of origin instead of passing it over the tunnel.
Just as in the point-to-point VPN case, security is an important consideration for remote office connections. IPSec is usually deployed to provide traffic encryption between sites.
L2TP as a part of an ISP network
So far we've considered using L2TP as a means of extending a corporate network, but as we scale up outside of the office L2TP continues to prove useful. Our next example (see Figure 3) shows how L2TP is employed as a part of an Internet Service Provider (ISP) network. Here L2TP is used to tunnel data from a customer's premises to the ISP's IP network. The L2TP tunnels and sessions span an intermediate network managed by a wholesale provider, which sells access to the ISP directly.
Individual customers connect to a local LCCE acting as an L2TP Access Concentrator (LAC), which is administered by the wholesale provider. The LAC will dynamically create L2TP tunnels and sessions to the customer's ISP. Information on which ISP to tunnel to might be based on static configuration stored on the LAC, or discovered using a RADIUS lookup when the customer connects.
This configuration allows the ISP to manage client IP allocation and Internet access as they choose, since each client device behaves as though it were connected into their L2 network.
L2TP in a public-access Wi-Fi network
Our final example considers networking an urban area or large corporate campus, using L2TP as an integral part of a public access Wi-Fi network.
In this configuration, shown in Figure 4, local Wi-Fi access points provide client devices with Internet access. Each access point forwards client data over an L2TP session to a centralized network. This network manages IP address allocation and routing to the Internet, typically with network address translation.
Using L2TP in this network allows a single supplier to provide Internet access to a wide variety of customers without needing to manage an Internet connection at each Wi-Fi access point location. Choosing WiMax as an interconnect allows metropolitan area networks to be provided with Wi-Fi access using a single high-bandwidth Internet connection.
Although L2TP has a history of being a rather obscure protocol, L2TPv3 provides immense flexibility for all kinds of uses. In any situation where you need the flat topology and "plug and play" configuration of a Layer 2 network, L2TP is a mature technology that can work well. As with any established and open protocol, L2TP is widely supported on a variety of target platforms, including mobile devices. Even better, with multiple projects supporting L2TP on Linux or BSD platforms, there is no need to make expensive hardware investments to support an L2TP deployment on your network.
Katalix Systems is a software consultancy based in the U.K., with expertise in Linux, networking and embedded systems. Katalix develops both off-the-shelf and bespoke software solutions, and maintains the L2TP subsystem of the Linux kernel. ProL2TP, their enterprise-class L2TP software suite, provides comprehensive L2TPv3 support on generic Linux systems.