The Layer 2 Forwarding (L2F) protocol is a media-independent tunneling protocol developed at Cisco Systems in the earliest days of Virtual Private Networks. It lets a VPN run over a public network (such as the Internet) by tunneling data-link layer frames, such as SLIP (Serial Line Internet Protocol) or PPP (Point-to-Point Protocol) frames, across that network.
Servers can combine L2F with user authentication (for example through Remote Authentication Dial-In User Service, RADIUS), dynamic address allocation, and Quality of Service (QoS). Cisco’s Internetwork Operating System (IOS) implements L2F in routers as well.
The tunneling approach to creating private networks is independent of the Internet Protocol (IP). Hence, the same technology can create tunnels over other network types such as ATM or Frame Relay.
The L2F protocol: How does it work?
Take PPP. A dial-up client establishes a PPP connection with the NAS (network access server) that answers its call.
Normally that PPP connection terminates at the NAS, which usually belongs to an ISP (Internet Service Provider). L2F lets the connection extend beyond the NAS to a remote node, so the client behaves as though it had dialed directly into that remote node rather than into the NAS. In the L2F model the NAS has one job only: to forward the client’s PPP frames, unchanged, to the remote node. In Cisco’s terminology that remote node is the home gateway.
The critical thing to remember is that L2F can run over IP, but it doesn’t require it; the tunnel can just as well run over another transport. What L2F delivers is the service Cisco calls virtual dial-up (VDU): the user dials the ISP, but the PPP session actually ends at the corporate home gateway.
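To make the forwarding model concrete, here is an added example (not code from the article or from Cisco) that builds the L2F encapsulation a NAS would put around a PPP frame and parses it again at the home gateway. The field layout, flag bits, protocol numbers and UDP port follow RFC 2341; the PPP frame, Multiplex/Client IDs and tunnel key in `demo()` are constructed for illustration. The parser does the checks a receiver actually needs: version and reserved bits, every optional field bounded by the datagram, a Length field that cannot overrun or underrun the buffer, and a Key field compared against the key agreed at tunnel setup.

```python
"""Build and parse the L2F packet header of RFC 2341.

Added example, not code from the article or from Cisco. Field layout,
flag bits, protocol numbers and the UDP port follow RFC 2341; the PPP
frame and tunnel key used in demo() are constructed here.
"""
import struct

L2F_UDP_PORT = 1701        # L2F is carried in UDP datagrams on port 1701

# Protocol field: what the payload is
PROTO_L2F_MGMT = 0x01      # L2F management (tunnel setup / teardown)
PROTO_PPP = 0x02           # tunnelled PPP frame
PROTO_SLIP = 0x03          # tunnelled SLIP frame

# First 16-bit word: F K P S <8 reserved bits> C <3-bit version>
FLAG_F = 0x8000            # Offset field present
FLAG_K = 0x4000            # Key field present
FLAG_P = 0x2000            # priority traffic
FLAG_S = 0x1000            # Sequence field present
RESERVED = 0x0FF0          # must be zero
FLAG_C = 0x0008            # 16-bit checksum follows the payload
VER_MASK = 0x0007
L2F_VERSION = 1


def build_l2f(protocol, mid, cid, payload, seq=None, pad=0, key=None):
    """Encapsulate a data-link frame in an L2F header (no checksum).

    mid is the Multiplex ID (one per client connection inside the tunnel),
    cid the Client ID (one per tunnel peer). pad > 0 emits an Offset field
    and that many zero bytes before the payload. Length counts header,
    padding and payload.
    """
    flags = L2F_VERSION
    fields = bytearray(struct.pack("!B", protocol))
    if seq is not None:
        flags |= FLAG_S
        fields += struct.pack("!B", seq)
    fields += struct.pack("!HH", mid, cid)
    tail = bytearray()
    if pad:
        flags |= FLAG_F
        tail += struct.pack("!H", pad)
    if key is not None:
        flags |= FLAG_K
        tail += struct.pack("!I", key)
    length = 2 + len(fields) + 2 + len(tail) + pad + len(payload)
    return (struct.pack("!H", flags) + bytes(fields) + struct.pack("!H", length)
            + bytes(tail) + b"\x00" * pad + bytes(payload))


def parse_l2f(pkt, expected_key=None):
    """Parse an L2F packet; raise ValueError on anything malformed.

    expected_key is the 32-bit key agreed with this peer at tunnel setup;
    a packet whose Key field does not match is discarded, which is L2F's
    defence against frames spoofed into the tunnel by a third party.
    """
    def need(n):                      # every read is bounded by the datagram
        if len(pkt) < pos + n:
            raise ValueError("truncated L2F header")

    pos = 0
    need(2)
    flags, = struct.unpack_from("!H", pkt, pos)
    pos += 2
    if flags & VER_MASK != L2F_VERSION:
        raise ValueError("unsupported L2F version")
    if flags & RESERVED:
        raise ValueError("reserved flag bits set")
    need(1)
    protocol = pkt[pos]
    pos += 1
    seq = None
    if flags & FLAG_S:
        need(1)
        seq = pkt[pos]
        pos += 1
    need(6)
    mid, cid, length = struct.unpack_from("!HHH", pkt, pos)
    pos += 6
    offset = 0
    if flags & FLAG_F:
        need(2)
        offset, = struct.unpack_from("!H", pkt, pos)
        pos += 2
    key = None
    if flags & FLAG_K:
        need(4)
        key, = struct.unpack_from("!I", pkt, pos)
        pos += 4
    # Length must cover header plus padding and must not overrun the datagram.
    if length < pos + offset or length > len(pkt):
        raise ValueError("Length field inconsistent with packet size")
    checksum = None
    if flags & FLAG_C:
        if len(pkt) < length + 2:
            raise ValueError("C flag set but checksum missing")
        checksum, = struct.unpack_from("!H", pkt, length)
    if expected_key is not None and key != expected_key:
        raise ValueError("tunnel key mismatch; dropping packet")
    return {"protocol": protocol, "seq": seq, "mid": mid, "cid": cid,
            "key": key, "checksum": checksum,
            "payload": bytes(pkt[pos + offset:length])}


def rejects(pkt, expected_key=None):
    """True if parse_l2f refuses the packet (exercises the checks above)."""
    try:
        parse_l2f(pkt, expected_key)
    except ValueError:
        return True
    return False


# Constructed sample: a PPP LCP Configure-Request (identifier 1, no options),
# exactly the frame the NAS would forward untouched to the home gateway.
PPP_LCP_CONF_REQ = b"\xff\x03\xc0\x21\x01\x01\x00\x04"
TUNNEL_KEY = 0x1A2B3C4D   # constructed; in practice established at tunnel setup


def demo():
    """Encapsulate the sample PPP frame and parse it back at the home gateway."""
    pkt = build_l2f(PROTO_PPP, mid=1, cid=0x1234, payload=PPP_LCP_CONF_REQ,
                    seq=7, key=TUNNEL_KEY)
    return parse_l2f(pkt, expected_key=TUNNEL_KEY)


if __name__ == "__main__":
    print(demo())
```

Note what the gateway gets back: the PPP frame, byte for byte, which is the whole point of L2F. Nothing in the header encrypts or integrity-protects that payload; the Key field only lets the receiver drop packets that do not carry the tunnel's key.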
Authentication types
L2F authenticates remote users with PPP’s own authentication methods, and the NAS or home gateway can in turn check those credentials against a back-end authentication service such as Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS).
- One L2F tunnel can carry several connections at once, which is one of the ways L2F tunnels differ from PPTP tunnels.
- Authentication happens in two stages. The ISP performs the first at its NAS, before any tunnel exists. The second happens at the corporate home gateway once the tunnel is up and the connection is brought online.
- The ISP and the corporate home gateway authenticate each other with an agreed-upon process based on a shared secret before allowing a tunnel between the remote and local networks to exist.
- L2F works at the data link layer (layer 2 of the OSI reference model), so the PPP frames it forwards can carry non-IP protocols such as NetBEUI or IPX as well as IP; unlike PPTP, the tunnel itself does not have to run over IP.
PAP – Password Authentication Protocol
First, the client and the server establish the link. The client then sends an Authenticate-Request packet containing the user’s credentials (username and password) in clear text, and the server either accepts or rejects the connection request depending on whether it can verify them. Because the password crosses the link unprotected, anyone who can capture the PPP frames, on the dial-up link or inside the L2F tunnel, can read it.
CHAP – Challenge Handshake Authentication Protocol
CHAP takes a different approach. The server (the authenticator) sends the client a Challenge packet containing a random value. The client replies with a Response packet whose value is a one-way hash (MD5, per RFC 1994) of the packet identifier, the shared secret and the challenge; the secret itself never crosses the link. The server computes the same hash from its own copy of the secret and compares the two. Because every challenge is fresh, a captured response cannot simply be replayed. The server may re-challenge at intervals for as long as the link is up, so the connection stays online only while the client keeps answering correctly.
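The two exchanges side by side, as an added example that is not code from the article or from Cisco: both the client and the server side of PAP and of CHAP, run against a credential store constructed for the demo. Packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP with MD5); the user name, secret and challenge bytes are assumptions. `demo()` reports what an eavesdropper on the link would see in each case and whether a captured CHAP response survives a replay against the next session's challenge.

```python
"""PAP versus CHAP over PPP, as a NAS or home gateway would run them.

Added example, not code from the article or from Cisco. Packet layouts
follow RFC 1334 (PAP) and RFC 1994 (CHAP, MD5); the credential store and
the challenge values used below are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

# Constructed credential store: the secret each peer shares with the gateway.
USER_DB = {"alice": b"correct horse battery staple"}

# ---- PAP (RFC 1334): the Authenticate-Request carries the password in clear ----
PAP_AUTH_REQ = 1


def pap_request(identifier, user, password):
    """Client side: Code, Identifier, Length, then peer-id and password."""
    body = bytes([len(user)]) + user.encode() + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQ, identifier, 4 + len(body)) + body


def pap_check(pkt):
    """Server side: accept only if the clear-text password matches the store."""
    code, _ident, length = struct.unpack_from("!BBH", pkt)
    if code != PAP_AUTH_REQ or length != len(pkt) or length < 6:
        return False
    ulen = pkt[4]
    user = pkt[5:5 + ulen].decode(errors="replace")
    plen = pkt[5 + ulen]
    if 6 + ulen + plen != length:
        return False
    password = pkt[6 + ulen:6 + ulen + plen]
    return hmac.compare_digest(password, USER_DB.get(user, b""))


# ---- CHAP (RFC 1994): challenge / hashed response, secret stays off the wire ----
CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2


def _chap_packet(code, identifier, value, name):
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def chap_parse(pkt):
    """Split a Challenge or Response into (code, identifier, value, name)."""
    code, identifier, length = struct.unpack_from("!BBH", pkt)
    if length != len(pkt) or length < 5:
        raise ValueError("malformed CHAP packet")
    vsize = pkt[4]
    if 5 + vsize > length:
        raise ValueError("CHAP value overruns packet")
    return code, identifier, pkt[5:5 + vsize], pkt[5 + vsize:length]


def chap_challenge(identifier, value=None, name=b"home-gateway"):
    """Server side: a fresh random challenge (value may be fixed for tests)."""
    value = os.urandom(16) if value is None else value
    return _chap_packet(CHAP_CHALLENGE, identifier, value, name)


def chap_response(challenge_pkt, user, secret):
    """Client side: MD5(identifier || secret || challenge), never the secret."""
    code, identifier, challenge, _server_name = chap_parse(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    digest = hashlib.md5(bytes([identifier]) + secret + challenge).digest()
    return _chap_packet(CHAP_RESPONSE, identifier, digest, user.encode())


def chap_verify(response_pkt, challenge_pkt):
    """Server side: recompute with the stored secret and the challenge it issued."""
    code, identifier, value, name = chap_parse(response_pkt)
    _c, c_ident, challenge, _n = chap_parse(challenge_pkt)
    secret = USER_DB.get(name.decode(errors="replace"))
    if code != CHAP_RESPONSE or identifier != c_ident or secret is None:
        return False
    expected = hashlib.md5(bytes([identifier]) + secret + challenge).digest()
    return hmac.compare_digest(value, expected)


def demo():
    """Run both exchanges once and report what an eavesdropper would gain."""
    secret = USER_DB["alice"]
    pap = pap_request(1, "alice", secret)
    chal = chap_challenge(7)
    resp = chap_response(chal, "alice", secret)
    next_chal = chap_challenge(8)          # next session: new identifier, new random value
    return {
        "pap_accepted": pap_check(pap),
        "pap_password_on_wire": secret in pap,
        "chap_accepted": chap_verify(resp, chal),
        "chap_secret_on_wire": secret in resp,
        "chap_replay_accepted": chap_verify(resp, next_chal),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical notes. Neither method protects the data that follows authentication; that is what the earlier point about L2F not encrypting is about. And CHAP's defence is only as good as its challenge: a gateway that reuses challenge values, or lets a client pick the identifier, hands the attacker exactly the replay the random value was meant to prevent.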
L2F’s pros
- It creates an end-to-end tunnel that encapsulates the user’s data-link frames. Note, however, that L2F itself does not encrypt the payload; confidentiality needs a separate mechanism, such as encryption within the tunneled session or running the tunnel over IPsec.
- It lets the security mechanisms of the encapsulated protocol, such as PPP authentication, extend past the NAS to the home gateway.
- It supports user authentication through services such as RADIUS, alongside dynamic address allocation and QoS.
- The L2F tunnels support multiple connections.