On Wed, Jul 25, 2007 at 02:37:17PM +0200, Bernd Ueberbacher wrote:
> Rodney Dunn wrote:
> >On Wed, Jul 25, 2007 at 11:17:09AM +0200, Bernd Ueberbacher wrote:
> >
> >>Hi there!
> >>
> >>My L2TPv3 tunnel is currently running fine, but I have two short but
> >>stupid questions:
> >>
> >>Is it possible to interfere the L2TP traffic with access-lists?
> >>
> >
> >No. Not on the access side.
> >
> Is there any way to deny some specific traffic on a l2tp link?

AFAIK no. The features applied on ingress are not evaluated on
L3 info. We simply encapsulate the raw L2 frame and ship it over.

I wonder if a service policy with a FPM match would allow you
to specific networks in the L2 frame payload by offsets.

hmmm... I'll have to ask/test that.

Rodney

> >
> >>I have to xconnect to the LAN address of the router. On the LAN side I
> >>just have a few /30 networks but nothing else. Should I pick one of the
> >>IPs from those networks to xconnect to or is it allowed to xconnect to
> >>the NETWORK ADDRESS of the /28 network on my LAN side? This seems better
> >>to me than using one of the real /30 IPs, but I don't wanna break the
> >>law/some RFC *G*
> >>
> >
> >You should do your xconnects to loopback addresses that are routed
> >between the two tunnel endpoints.
> >
> That was just a thought. My "Layer 2 VPN Architectures" book also has
> the same opinion and so I guess I should be listening to you ;-)
>
>
>
> Thanks!
> Bernd

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
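An added example, not part of the thread and not Cisco FPM syntax: a Python model of what matching "specific networks in the L2 frame payload by offsets" involves once only the raw Ethernet frame is available, including the 802.1Q case where a fixed offset lands on the wrong field. All function names and the sample frames are constructed for illustration; whether FPM can be attached to an xconnect attachment circuit is left open in the reply above.

```python
import ipaddress
import struct

ETH_HDR_LEN = 14         # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4         # one 802.1Q tag (TPID + TCI)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100


def ipv4_offsets(frame: bytes):
    """Return (src_offset, dst_offset) of the IPv4 addresses inside a raw
    Ethernet frame, or None if the frame does not carry IPv4."""
    if len(frame) < ETH_HDR_LEN:
        return None
    l3_start = ETH_HDR_LEN
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    # Every 802.1Q tag pushes the real EtherType and the L3 header 4 bytes on.
    while ethertype == ETHERTYPE_VLAN:
        if len(frame) < l3_start + VLAN_TAG_LEN:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, l3_start + 2)
        l3_start += VLAN_TAG_LEN
    if ethertype != ETHERTYPE_IPV4 or len(frame) < l3_start + 20:
        return None
    return l3_start + 12, l3_start + 16   # IPv4 header: src at 12, dst at 16


def matches_network(frame: bytes, network: str, field: str = "dst") -> bool:
    """True if the frame's IPv4 src/dst address falls inside `network`."""
    offsets = ipv4_offsets(frame)
    if offsets is None:
        return False              # non-IP frames (ARP, STP, ...) never match
    off = offsets[0] if field == "src" else offsets[1]
    addr = ipaddress.IPv4Address(frame[off:off + 4])
    return addr in ipaddress.ip_network(network)


def build_frame(src_ip: str, dst_ip: str, vlan=None) -> bytes:
    """Constructed sample frame: zeroed MACs, minimal 20-byte IPv4 header."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return bytes(12) + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr


if __name__ == "__main__":
    for vlan in (None, 10):
        frame = build_frame("192.0.2.1", "198.51.100.9", vlan)
        print(vlan, ipv4_offsets(frame),
              matches_network(frame, "198.51.100.0/28"))
```

On an untagged frame the destination address sits at byte 30; with one 802.1Q tag that same offset holds the source address, so an offset-based rule has to be written per encapsulation.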
