L2TPv3 Explained, Configuration Example and Packet Capture

L2TPv3 Overview

  • L2TPv3 (Layer 2 Tunneling Protocol Version 3) is an IETF-standardized pseudowire protocol defined in RFC 3931 that allows the tunneling of various Layer 2 payloads (Ethernet, Frame Relay, HDLC, PPP, etc.) over an IP network, using either native IP (protocol 115) or UDP (port 1701) for transport.
  • L2TPv3 separates control and data planes: a control plane based on AVP-encoded messages (SCCRQ/SCCRP/SCCCN, etc.) establishes and maintains sessions, while a streamlined data plane forwards raw Layer 2 frames encapsulated in a minimal header carrying a 32-bit Session ID and optional 64-bit Cookie.
  • L2TPv3 relies on external mechanisms such as IPsec for security and supports high-performance, carrier-grade L2VPN services.


Control Plane

  • Control Connection: uses UDP port 1701 (or an arbitrary negotiated port) and exchanges AVP-encoded control messages (SCCRQ, SCCRP, SCCCN for setup; CDN, CDNACK for teardown).
  • AVP (Attribute-Value Pair): Each control message carries AVPs with a 2-bit Mandatory (M) flag, 1-bit Hidden (H) flag, reserved bits, a Length field, Vendor ID, Attribute Type, and Value.
  • Sequence Numbers & Reliability: Control messages use Ns/Nr fields for sequenced, acknowledged delivery, similar to TCP, with retransmissions on timeout to ensure reliable negotiation.
  • Ns indicates the sequence number for this control message, beginning at zero and incrementing by one (modulo 2^16) for each message sent.
  • Nr indicates the sequence number expected in the next control message to be received. Thus, Nr is set to the Ns of the last in-order message received plus one (modulo 2^16).


Control plane L2TPv3 header:

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      (32 bits of zeros)                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|T|L|x|x|S|x|x|x|x|x|x|x|  Ver  |             Length            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Control Connection ID                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Ns              |               Nr              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  • T: 1 for control.
  • L: Length field present.
  • S: Sequence numbers present.
  • Ver: 3.
  • Length: Total length of control message starting at this octet.
  • Control Connection ID (32 bits).
  • Ns/Nr (16 bits each) for reliability.
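
A parser and sanity check for the control header laid out above, as it appears in an IP protocol 115 payload (the form with the 32 bits of zeros). This is an added example, not code from the original article: the function names, the sample bytes, and the 32767-value window used to call an old Ns a duplicate are assumptions.

```python
import struct

HDR = struct.Struct("!IHHIHH")  # zeros, flags+Ver, Length, CCID, Ns, Nr (16 bytes)

class L2TPv3HeaderError(ValueError):
    """The bytes are not a well-formed L2TPv3-over-IP control header."""

def parse_control_header(payload: bytes) -> dict:
    """Validate and parse the control header of an IP protocol 115 payload."""
    if len(payload) < HDR.size:
        raise L2TPv3HeaderError("truncated header")
    zeros, flags_ver, length, ccid, ns, nr = HDR.unpack_from(payload)
    if zeros != 0:
        # A non-zero first word is a Session ID, i.e. a data message.
        raise L2TPv3HeaderError("first 32 bits are not zero: data message")
    t, l, s = (flags_ver >> 15) & 1, (flags_ver >> 14) & 1, (flags_ver >> 11) & 1
    if not (t and l and s):
        raise L2TPv3HeaderError("T, L and S must all be set in a control message")
    if (flags_ver & 0x000F) != 3:
        raise L2TPv3HeaderError("Ver is not 3")
    # Length counts from the T-bit octet, so it excludes the 4 zero bytes.
    if length < HDR.size - 4 or length > len(payload) - 4:
        raise L2TPv3HeaderError("Length field disagrees with captured bytes")
    return {"ccid": ccid, "ns": ns, "nr": nr, "length": length,
            "avps": payload[HDR.size:4 + length]}

def next_nr(last_in_order_ns: int) -> int:
    """Nr = Ns of the last in-order message plus one, modulo 2^16."""
    return (last_in_order_ns + 1) % 2**16

def classify(ns: int, expected: int) -> str:
    """Compare a received Ns with the Nr we expect, allowing for wraparound."""
    if ns == expected:
        return "in-order"
    # Assumption: the 32767 values before `expected` count as already seen.
    return "duplicate" if 0 < (expected - ns) % 2**16 <= 32767 else "out-of-order"

def sample_message(ccid: int, ns: int, nr: int, avps: bytes = b"") -> bytes:
    """Constructed test input: header with T, L, S set and Ver 3 (0xC803)."""
    return HDR.pack(0, 0xC803, 12 + len(avps), ccid, ns, nr) + avps

if __name__ == "__main__":
    hdr = parse_control_header(sample_message(ccid=0x1234, ns=65535, nr=7))
    print(hdr, "-> next Nr to send:", next_nr(hdr["ns"]))
```
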


L2TPv3 Session Establishment

  1. SCCRQ (Start-Control-Connection-Request): Initiator sends SCCRQ with Tunnel Capabilities.
  2. SCCRP (Reply): Responder replies with SCCRP, accepting or rejecting capabilities.
  3. SCCCN (Connect): Initiator confirms with SCCCN, completing the handshake.
  4. Session Creation: Once control is up, Initiator sends ICRQ (Incoming-Call-Request) with a unique 32-bit Session ID; Responder replies with ICRP and ICCN, establishing the session.
  5. ACK: Each control message carries Ns/Nr acknowledgments.


L2TPv3 Configuration Example

Topology


Configuration

R1:

pseudowire-class LD1
 encapsulation l2tpv3
 ip local interface GigabitEthernet1/0

interface FastEthernet0/0
 no ip address
 xconnect 192.168.23.1 13 pw-class LD1
!
interface GigabitEthernet1/0
 ip address 192.168.12.1 255.255.255.252
 ip ospf 10 area 0
!
router ospf 10
 log-adjacency-changes


R3:

pseudowire-class LD1
 encapsulation l2tpv3
 ip local interface GigabitEthernet1/0
!
interface FastEthernet0/0
 no ip address
 xconnect 192.168.12.1 13 pw-class LD1

!
interface GigabitEthernet1/0
 ip address 192.168.23.1 255.255.255.252
 ip ospf 10 area 0
!
router ospf 10
 log-adjacency-changes


L2TPv3 Dataplane and Flow Packet Capture


ARP:

First, let's verify ARP. In the capture, we see the ARP request sent from PC1 to PC2:

  • R1 receives the broadcast ARP frame.
  • Since R1 received the frame on interface f0/0 which is configured with xconnect, R1 encapsulates the Ethernet frame (ARP request) into an L2TPv3 packet, over IP.
  • The encapsulated ARP request is sent over the L2TPv3 tunnel to R3.
  • R3 receives the L2TPv3 packet, decapsulates it to get the original Ethernet frame (the ARP request). It then broadcasts the ARP request on its local LAN f0/0.


ICMP:

In the same way, we can check the ICMP traffic when pinging from PC1 to PC2:

R1 encapsulates the ICMP packet and adds the L2TPv3 header:

Bilel Ameur

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5