L2TPv3

L2TPv3 interfaces let you establish L2TPv3 tunnels to transport Layer 2 traffic over IP networks.

The L2TPv3 protocol (defined in RFC 3931) wraps Layer 2 frames (e.g., Ethernet, Frame Relay, HDLC) within IP packets, allowing them to traverse the underlying IP infrastructure.

Unlike L2TPv2, which strictly requires UDP encapsulation, the L2TPv3 protocol is more flexible and supports two encapsulation types:

  • Direct IP: Tunnel data is encapsulated directly inside IP packets using IP protocol number 115. Only the 4-byte L2TPv3 session header sits between the outer IP header and the tunnelled frame, so this is the lower-overhead option.

  • UDP: Tunnel data is encapsulated inside a UDP datagram, which adds the 8-byte UDP header plus a 4-byte L2TPv3 flags/version word. Most NAT devices translate UDP but not protocol 115, so this is the encapsulation to use when the tunnel must traverse NAT.

L2TPv3 tunnels connect geographically separated sites, serving as a simpler alternative to MPLS by operating over basic IP connectivity rather than requiring a full MPLS infrastructure.

L2TPv3 tunnels can be established over both IPv4 and IPv6 underlying networks.

L2TPv3 itself neither encrypts nor authenticates the tunnelled frames; RFC 3931 defers both to IPsec. When the underlying network is not trusted, run the tunnel inside an IPsec association, or at least restrict which sources may reach the tunnel endpoint with the firewall.

Configuration

Common interface configuration

set interfaces l2tpv3 <interface> address <address>

Configure one or more interface IP addresses.

<address> supports IPv4 and IPv6 in CIDR notation. For example, use 192.0.2.1/24 for IPv4 or 2001:db8::1/64 for IPv6.

Example:

set interfaces l2tpv3 l2tpeth0 address 192.0.2.1/24
set interfaces l2tpv3 l2tpeth0 address 2001:db8::1/64
set interfaces l2tpv3 <interface> description <description>

Configure a clear, descriptive alias for the interface.

This alias appears in the show interfaces command and SNMP-based monitoring tools.

Example:

set interfaces l2tpv3 l2tpeth0 description 'This is an interface running on VyOS.'
set interfaces l2tpv3 <interface> disable

Disable the interface.

The interface will be set to the administratively down (A/D) state.

Example:

set interfaces l2tpv3 l2tpeth0 disable
set interfaces l2tpv3 <interface> disable-flow-control

Disable Ethernet flow control (IEEE 802.3x pause frames) on the interface.

Ethernet flow control, defined by the IEEE 802.3x standard, temporarily pauses transmission to prevent packet loss during congestion, for example when a sender transmits data faster than the receiver can process it.

Disabling Ethernet flow control means the interface will not signal the connected device to pause transmission and will drop packets if overwhelmed.

Example:

set interfaces l2tpv3 l2tpeth0 disable-flow-control
set interfaces l2tpv3 <interface> disable-link-detect

Disable physical link-state change detection on the interface, such as when a cable is unplugged.

By default, the interface detects physical link-state changes.

Example:

set interfaces l2tpv3 l2tpeth0 disable-link-detect
set interfaces l2tpv3 <interface> mac <xx:xx:xx:xx:xx:xx>

Configure a custom MAC address on the interface.

Example:

set interfaces l2tpv3 l2tpeth0 mac '00:53:01:02:03:04'
set interfaces l2tpv3 <interface> mtu <mtu>

Configure the MTU on the interface.

This value defines the largest packet size, in bytes, that the interface transmits without fragmentation.

Example:

set interfaces l2tpv3 l2tpeth0 mtu 1600
set interfaces l2tpv3 <interface> ip adjust-mss <mss | clamp-mss-to-pmtu>

Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.

By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues that occur when Path MTU Discovery (PMTUD) fails.

The following options are available:

  • mss: Sets the MSS to a specific value, in bytes. Use this option if you need to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.

  • clamp-mss-to-pmtu: The router automatically calculates the MSS to be the interface’s MTU minus 40 bytes for IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.

set interfaces l2tpv3 <interface> ip arp-cache-timeout <timeout>

Configure how long, in seconds, an ARP entry remains valid after learning an IP-to-MAC address mapping on this interface.

The default is 30 seconds.

An entry that receives positive reachability feedback from higher-layer protocols (for example, a TCP acknowledgement from the neighbor) stays valid without being re-verified.

Example:

set interfaces l2tpv3 l2tpeth0 ip arp-cache-timeout 180
set interfaces l2tpv3 <interface> ip disable-arp-filter

Disable ARP filtering on this interface.

Default behavior: The kernel responds to ARP requests on this interface only if the traffic would be routed back to the ARP sender through that specific interface.

If configured: The kernel responds to ARP requests on this interface for any IP address configured on the local host, regardless of which specific interface that IP address is assigned to, and regardless of the routing table. This reflects the Linux concept that IP addresses belong to the host, not individual interfaces.

Example:

set interfaces l2tpv3 l2tpeth0 ip disable-arp-filter
set interfaces l2tpv3 <interface> ip disable-forwarding

Configure the interface for host or router behavior.

If configured, the interface switches to host mode, and IPv4 forwarding is disabled on it.

Example:

set interfaces l2tpv3 l2tpeth0 ip disable-forwarding
set interfaces l2tpv3 <interface> ip enable-directed-broadcast

Configure whether to forward IP-directed broadcast packets received on this interface.

Default behavior: IP-directed broadcast packets are dropped, the default mandated by RFC 2644.

If configured: IP-directed broadcast packets are forwarded to all hosts on the destination subnet, as defined in RFC 1812. A router that does this can be used as an amplifier in smurf-style reflection attacks, which is why RFC 2644 changed the default to off; enable it only on interfaces where a protocol on the destination subnet actually requires it.

Example:

set interfaces l2tpv3 l2tpeth0 ip enable-directed-broadcast
set interfaces l2tpv3 <interface> ip enable-arp-accept

Configure how to process gratuitous ARPs on this interface.

If configured, an IP-to-MAC address mapping is added to the ARP table based on gratuitous ARP requests or replies.

Note

If the ARP table already contains the IP address from a gratuitous ARP, its entry is updated regardless of whether this setting is configured.

Example:

set interfaces l2tpv3 l2tpeth0 ip enable-arp-accept
set interfaces l2tpv3 <interface> ip enable-arp-announce

Configure the source IP selection for ARP requests on this interface.

Default behavior: The kernel can use any IP address the host owns as the source IP address in ARP requests on this interface.

If configured: The kernel first attempts to select a source IP address configured on the interface that shares a common subnet with the target IP address. If there is no such subnet, the kernel selects the IP address it would normally use (based on the routing table to reach the target destination).

Example:

set interfaces l2tpv3 l2tpeth0 ip enable-arp-announce
set interfaces l2tpv3 <interface> ip enable-arp-ignore

Configure which ARP requests will be ignored on this interface.

Default behavior: The kernel responds to ARP requests for any local IP addresses, regardless of which interface they are assigned to.

If configured: The kernel responds to ARP requests only if the target IP address is assigned to this specific interface.

Example:

set interfaces l2tpv3 l2tpeth0 ip enable-arp-ignore
set interfaces l2tpv3 <interface> ip enable-proxy-arp

Configure proxy ARP on this interface.

If configured, the router (kernel) intercepts ARP requests for non-local IP addresses and replies with the MAC address of the interface that received the request. Subsequent packets destined to these IP addresses are forwarded to their actual destinations on remote subnets.

Example:

set interfaces l2tpv3 l2tpeth0 ip enable-proxy-arp
set interfaces l2tpv3 <interface> ip proxy-arp-pvlan

Configure local proxy ARP on the interface.

If configured, the router (kernel) responds to ARP requests on this interface even if the target IP address resides on the same subnet and interface.

This is used to support network isolation requirements (RFC 3069) for private VLANs (PVLANs). In PVLAN configurations, hosts on isolated ports are NOT allowed to communicate directly with each other at Layer 2, but they can communicate with the upstream router.

By replying to inter-host ARP requests with its own MAC address, the router (kernel) directs inter-host traffic through itself instead of directly between hosts.

Note

This command works independently and does not require enabling the standard proxy ARP on the interface.

Local proxy ARP is also known as:

  • VLAN aggregation (RFC 3069).

  • Private VLAN (Cisco, Allied Telesyn).

  • Source-port filtering or port isolation (Hewlett-Packard).

  • MAC-Forced Forwarding (Ericsson).

set interfaces l2tpv3 <interface> ip source-validation <strict | loose | disable>

Configure source IP address validation using reverse path forwarding (RPF) on this interface, as specified in RFC 3704.

The following options are available:

  • strict: Each incoming packet’s source IP address is checked against the Forwarding Information Base (FIB). If the interface is not the best route back to that source, validation fails, and the packet is dropped.

  • loose: Each incoming packet’s source IP address is checked against the FIB. If the source IP address is unreachable through any interface, validation fails, and the packet is dropped. If a default route is present, every source matches it, so loose mode then rejects almost nothing.

  • disable: No source IP address validation is performed. All incoming packets are accepted.

RFC 3704 recommends strict mode wherever routing is symmetric, because it defeats source address spoofing (for example in DDoS traffic). Where routing is asymmetric, as is common when the tunnel is one of several paths between sites, strict mode drops legitimate traffic, so use loose mode there.
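The strict and loose checks above, written out in Python as an added illustration (not VyOS code; the FIB, prefixes, interface names and sample packets below are constructed for the example):

```python
"""Unicast RPF source validation (RFC 3704) in strict and loose mode over a constructed FIB."""
import ipaddress

# Constructed FIB: (prefix, egress interface). Deliberately without a default route,
# so that an unroutable source can be shown failing even in loose mode.
FIB = [
    ("192.0.2.0/24", "eth0"),
    ("192.168.37.0/27", "l2tpeth10"),
    ("10.0.0.0/8", "eth1"),
    ("2001:db8:beef::/64", "l2tpeth10"),
]


def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface, or None if unroutable."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        # 'in' is False across IP versions, so v4 and v6 prefixes can share one table
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def source_validation(fib, src, ingress, mode):
    """True if a packet from `src` arriving on `ingress` passes the configured check."""
    if mode == "disable":
        return True
    egress = lookup(fib, src)
    if egress is None:
        return False                # unreachable source fails both loose and strict
    if mode == "loose":
        return True                 # reachable through any interface is enough
    if mode == "strict":
        return egress == ingress    # must be reachable back through the ingress interface
    raise ValueError("mode must be strict, loose or disable")


def filter_packets(fib, packets, mode):
    """Apply the check to (src, ingress) pairs; returns the sources that would be dropped."""
    return [src for src, ingress in packets if not source_validation(fib, src, ingress, mode)]


# Constructed sample traffic arriving over the tunnel interface.
PACKETS = [
    ("192.168.37.5", "l2tpeth10"),   # legitimate: best route back is the tunnel
    ("10.1.2.3", "l2tpeth10"),       # asymmetric: FIB points at eth1, packet arrived via tunnel
    ("203.0.113.9", "l2tpeth10"),    # no route at all: spoofed or misrouted
]

if __name__ == "__main__":
    for mode in ("strict", "loose", "disable"):
        print(mode, "drops", filter_packets(FIB, PACKETS, mode))
```

The asymmetric case is the one the text warns about: strict mode drops 10.1.2.3 even though the host is real, loose mode keeps it and still drops the unroutable 203.0.113.9. Appending a default route to FIB makes loose mode pass every source, which is the caveat noted under the loose option.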

set interfaces l2tpv3 <interface> ipv6 address autoconf

Configure the interface to automatically obtain an IPv6 address using SLAAC, as specified in RFC 4862.

IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters. The router responds with a router advertisement packet containing Internet Layer configuration parameters.

Note

This method automatically disables IPv6 traffic forwarding on the interface.

Example:

set interfaces l2tpv3 l2tpeth0 ipv6 address autoconf
set interfaces l2tpv3 <interface> ipv6 address eui64 <prefix>

Configure the interface to assign itself an IPv6 address using the EUI-64 method, as specified in RFC 4291.

Example:

set interfaces l2tpv3 l2tpeth0 ipv6 address eui64 2001:db8:beef::/64
set interfaces l2tpv3 <interface> ipv6 address no-default-link-local

Disable the automatic assignment of a link-local IPv6 address to this interface.

Example:

set interfaces l2tpv3 l2tpeth0 ipv6 address no-default-link-local
set interfaces l2tpv3 <interface> ipv6 disable-forwarding

Configure the interface for host or router behavior.

If configured, the interface switches to host mode, and IPv6 forwarding is disabled on it.

Example:

set interfaces l2tpv3 l2tpeth0 ipv6 disable-forwarding
set interfaces l2tpv3 <interface> ipv6 adjust-mss <mss | clamp-mss-to-pmtu>

Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.

By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues when Path MTU Discovery (PMTUD) fails.

The following options are available:

  • mss: Set the MSS to a specific value, in bytes. Use this option to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.

  • clamp-mss-to-pmtu: The router calculates the MSS to be the interface’s MTU minus 60 bytes for IPv6 traffic (40 bytes for the IPv6 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.

set interfaces l2tpv3 <interface> ipv6 accept-dad <0 | 1 | 2>

Configure IPv6 DAD on the interface.

The following options are available:

  • 0: Disables DAD. No duplicate address detection is performed.

  • 1: Enables DAD (default). Duplicate addresses are detected. The interface’s IPv6 operation continues for valid IPv6 addresses.

  • 2: Enables DAD and, if a MAC-based duplicate link-local address is found, disables IPv6 operation on this interface.

Example:

set interfaces l2tpv3 l2tpeth0 ipv6 accept-dad 2
set interfaces l2tpv3 <interface> ipv6 dup-addr-detect-transmits <n>

Configure the number of DAD messages that the router (kernel) sends during IPv6 address assignment on this interface.

The default value is 1.

Example:

set interfaces l2tpv3 l2tpeth0 ipv6 dup-addr-detect-transmits 5
set interfaces l2tpv3 <interface> vrf <vrf>

Assign the interface to a specific VRF instance.

See also

For information on configuring a VRF, refer to the VRF section.

Example:

set interfaces l2tpv3 l2tpeth0 vrf red

L2TPv3 options

Use the following commands to configure the L2TPv3 tunnel’s specific parameters.

set interfaces l2tpv3 <interface> encapsulation <udp | ip>

Configure the encapsulation type for the L2TPv3 tunnel.

Valid values are udp and ip.

The default encapsulation type is udp.

With udp encapsulation, the local and remote UDP ports are set with source-port and destination-port (see the UDP example at the end of this page); ip encapsulation uses IP protocol 115 and has no ports.

Note

The encapsulation type must match on both the local and remote peers for the tunnel to establish. The tunnels on this page are configured statically on both ends, with all identifiers assigned by hand rather than negotiated over an L2TPv3 control channel, so a mismatch in encapsulation, ports or IDs is not reported as an error: the interface comes up but carries no traffic.

set interfaces l2tpv3 <interface> source-address <address>

Configure the L2TPv3 tunnel source IP address.

The specified address must be a local interface IP address and can be either IPv4 or IPv6.

set interfaces l2tpv3 <interface> remote <address>

Configure the L2TPv3 tunnel destination IP address.

The specified address must be a remote peer’s interface IP address and can be either IPv4 or IPv6.

set interfaces l2tpv3 <interface> session-id <id>

Configure the local session ID within the L2TPv3 tunnel.

The session-id is a non-zero 32-bit value that identifies an incoming tunnel session on the local peer; it is the value the local peer looks for in the header of received data packets. Session ID 0 is reserved by RFC 3931 for control messages and must not be used.

The peer-session-id that identifies this session on the remote peer must be set to the same value.

set interfaces l2tpv3 <interface> peer-session-id <id>

Configure the peer session ID within the L2TPv3 tunnel.

The peer-session-id is a 32-bit value that identifies an outgoing tunnel session from the local peer.

The peer-session-id must match the session-id configured for this session on the remote peer.

set interfaces l2tpv3 <interface> tunnel-id <id>

Configure the local identifier for the L2TPv3 tunnel.

The tunnel-id is a 32-bit value that identifies the L2TPv3 tunnel on the local peer.

The peer-tunnel-id that identifies this tunnel on the remote peer must be set to the same value.

set interfaces l2tpv3 <interface> peer-tunnel-id <id>

Configure the peer identifier for the L2TPv3 tunnel.

The peer-tunnel-id is a 32-bit value that identifies the L2TPv3 tunnel on the remote peer. It must match the tunnel-id configured for this tunnel on the remote peer.

Example

L2TPv3 tunnel with IP encapsulation

The following example shows the configuration of an L2TPv3 tunnel using direct IP encapsulation:

# show interfaces l2tpv3
l2tpv3 l2tpeth10 {
    address 192.168.37.1/27
    encapsulation ip
    source-address 192.0.2.1
    peer-session-id 100
    peer-tunnel-id 200
    remote 203.0.113.24
    session-id 100
    tunnel-id 200
}

The mirror-image configuration must be applied to the remote peer: swap source-address and remote, tunnel-id and peer-tunnel-id, and session-id and peer-session-id, and give the remote l2tpeth interface its own address in 192.168.37.0/27. In this example the local and peer IDs are identical (200/200 and 100/100), so only the two IP addresses change.

L2TPv3 tunnel with UDP encapsulation

The following example shows the configuration of an L2TPv3 tunnel using UDP encapsulation.

This setup is recommended when the tunnel traverses NAT devices.

Configuration notes:

  • Use the router’s own LAN IP address (the private address that the NAT device translates) as the source-address.

  • On the upstream NAT device, configure a forwarding rule that delivers inbound UDP traffic for this router’s source-port (9000 below) to the router; the remote peer sends to that port as its destination-port.

  • Use a distinct UDP port pair for each individual tunnel.

  • On the remote peer, swap source-port and destination-port, and set remote to the public address of the NAT device in front of this router, not to the private source-address.

# show interfaces l2tpv3
l2tpv3 l2tpeth10 {
    address 192.168.37.1/27
    destination-port 9001
    encapsulation udp
    source-address 192.0.2.1
    peer-session-id 100
    peer-tunnel-id 200
    remote 203.0.113.24
    session-id 100
    source-port 9000
    tunnel-id 200
}
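Added helper, not part of VyOS or its documentation: the Python below takes the local side of a tunnel as a dictionary, checks it against the constraints stated on this page (non-zero 32-bit IDs, matching address families, UDP ports only with udp encapsulation), and emits the mirror-image set commands for the remote peer, swapping source-address/remote, tunnel-id/peer-tunnel-id, session-id/peer-session-id and source-port/destination-port. It covers both the IP and the UDP example above. The remote interface address and, behind NAT, the public address the remote peer must use as remote cannot be derived, so they are passed in; 192.168.37.2/27 and 198.51.100.7 are constructed values.

```python
"""Derive the mirror-image L2TPv3 configuration for the remote peer from the local side."""
import ipaddress

# Parameters whose roles swap between the two ends of one tunnel.
MIRRORED = (
    ("source-address", "remote"),
    ("tunnel-id", "peer-tunnel-id"),
    ("session-id", "peer-session-id"),
    ("source-port", "destination-port"),
)

# The UDP example from this page, used as constructed input.
LOCAL = {
    "address": "192.168.37.1/27",
    "encapsulation": "udp",
    "source-address": "192.0.2.1",
    "remote": "203.0.113.24",
    "source-port": 9000,
    "destination-port": 9001,
    "tunnel-id": 200,
    "peer-tunnel-id": 200,
    "session-id": 100,
    "peer-session-id": 100,
}


def validate(cfg):
    """Constraints stated on this page and in RFC 3931; raises ValueError on violation."""
    for key in ("tunnel-id", "peer-tunnel-id", "session-id", "peer-session-id"):
        val = cfg.get(key)
        if not isinstance(val, int) or not 0 < val <= 0xFFFFFFFF:
            raise ValueError(f"{key} must be a non-zero 32-bit integer")
    encap = cfg.get("encapsulation", "udp")          # udp is the documented default
    if encap not in ("udp", "ip"):
        raise ValueError("encapsulation must be udp or ip")
    ports = [k for k in ("source-port", "destination-port") if k in cfg]
    if encap == "udp" and len(ports) != 2:
        raise ValueError("udp encapsulation needs both source-port and destination-port")
    if encap == "ip" and ports:
        raise ValueError("ip encapsulation (protocol 115) has no UDP ports")
    for key in ports:
        if not 0 < cfg[key] <= 65535:
            raise ValueError(f"{key} out of range")
    src = ipaddress.ip_address(cfg["source-address"])  # also rejects malformed addresses
    dst = ipaddress.ip_address(cfg["remote"])
    if src.version != dst.version:
        raise ValueError("source-address and remote must be the same IP version")
    ipaddress.ip_interface(cfg["address"])             # interface address with prefix


def peer_config(local, peer_address, peer_remote=None):
    """Return the configuration the remote peer needs.

    peer_address: address for the remote l2tpeth interface (cannot be derived).
    peer_remote:  what the remote peer must configure as remote. Defaults to our
                  source-address; when this router sits behind NAT, pass the NAT
                  device's public address instead."""
    validate(local)
    peer = dict(local)                                 # leave the input untouched
    for a, b in MIRRORED:
        if a in local and b in local:
            peer[a], peer[b] = local[b], local[a]
    peer["address"] = peer_address
    if peer_remote is not None:
        peer["remote"] = peer_remote
    validate(peer)
    return peer


def render(interface, cfg):
    """VyOS set commands, one per parameter, in a stable order."""
    return [f"set interfaces l2tpv3 {interface} {key} {cfg[key]}" for key in sorted(cfg)]


if __name__ == "__main__":
    for line in render("l2tpeth10", peer_config(LOCAL, "192.168.37.2/27")):
        print(line)
```

For the UDP example this yields a peer with source-address 203.0.113.24, remote 192.0.2.1, source-port 9001 and destination-port 9000; with this router behind NAT, call peer_config with peer_remote set to the NAT device's public address so the far side does not target the private 192.0.2.1.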