What is Layer 2 Forwarding (L2F), and how it works?

Ali Qamar Last updated: June 1, 2022

The Layer 2 Forwarding protocol is a media-independent technology developed at Cisco Systems. It came to life at the first Virtual Private Networks development stages. Discover how it works, its advantages and disadvantages, and more.

The Layer 2 Forwarding protocol is a media-independent technology developed at Cisco Systems. It’s a media-independent tunneling protocol that came to life at the first Virtual Private Networks development stages. It allows for VPNs to exist over a public network (such as the Internet) by turning data-link layer packets in web protocols like SLIP (Serial Line Internet Protocol) or PPP (Point-to-Point Protocol).

Servers can take advantage of L2F for things such as user authentication through dynamic address allocation, Remote Authentication Dial-In User Service (RADIUS), and Quality of Service (QoS). Cisco’s Internetwork operating system implements L2F in routers as well.

The tunneling approach to creating private networks is independent of the Internet Protocol (IP). Hence, the same technology can create secure tunnels in other network contexts like ATMs or Frame Relay.

The L2F protocol: How does it work?

Let’s take the PPP protocol. It connects a dial-up client with the NAS (short form of network access server) when it receives the call using Layer 2 Forwarding.

Client-triggered PPP connections get terminated at a PPP service vendor’s NAS (Network Access Server) — this is typically an ISP (Internet Service Provider). L2F enables the client to connect beyond the Network Access Server to a remote node. That mechanism allows the client to act as if it was directly connected to that remote node instead of connecting to the NAS. Within the L2F world, the NAS has one job only: to exchange forward (Point-to-Point Protocol) frames from the client all the way to the distant node. That remote node in Ciscospeak is known as the home gateway.

The critical thing to remember is that Cisco’s L2F protocol can undoubtedly work over the IP protocol, but it doesn’t really need it. It can work along with other protocols as it is. For instance, it often works when used in tandem with VDU (Virtual Dial-Up).

Related read: What is port forwarding.

Authentication types

L2F authenticates remote users using PPP as well as other authentication systems that can include Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS).

  • There are several connections in L2F tunneling channels, which is one of the reasons they’re different from PPTP tunneling channels.
  • The authentication occurs in two stages. The ISP performs the first one before the tunnel appears. The tunnel comes alive in the corporate gateway in the second stage upon the connection getting online.
  • The SP and the specific corporate company gateway use an agreed-upon authentication process before allowing the tunnel between the remote and local networks to exist.
  • The L2 works on the data connection layer (or that’s the word in the OSI reference documentation). It thus enables users like NetBEUI or 1PX instead of IP such as PPTP.

PAP – Password Authentication Protocol

First, the client and the server connect. Then the client sends a package with the user’s credentials (password and username). Then the server will grant or refuse a connection request, depending on its ability to authenticate the request, which can be rejected or verified.

CHAP – Challenge Handshake Authentication Protocol

This protocol takes a different approach to the authentication process. Here, the client keeps sending the server an authentication packet regularly. The client and the server keep exchanging these CHAP packets regularly to verify the user’s credentials at both ends. As long as the authentication remains valid, the connection keeps online.

L2F’s pros

  • It guarantees transmission security, creating an end-to-end secure tunnel for data encapsulation.
  • It can enhance the security of other protocols.
  • It supports user authentication for other protocols such as RADIUS, QoS, and Dynamic Address Allocation.
  • The L2F tunnels support multiple connections.

L2F’s cons

  • Privacy protection in L2F relies on the protocol’s ability to tunnel the information instead of providing encryption. 
  • The protocol lacks data flow control.
  • This protocol doesn’t boast AV (Attribute-value) pair hiding.

Overview of L2F protocol security

The virtual dial-up service initiates. Then the ISP will pursue authentication. The ISP cares about two things only: the user’s identity and the home gateway they want to reach. So it tries to discover both things as the call comes in. Once those two bits of information become apparent, it starts connecting to the desired home gateway, based on the authentication data gathered. The final touch happens at the home gateway, which accepts or rejects the connection.

The home gateway has an additional job to do. It must protect the connection against third parties (snoopers, hackers, governments) to establish tunnels to the home gateway, intercept the current tunnel or hijack it.

The tunnel creation needs an authentication process between the ISP and the home gateway. This is the authentication bit that protects the tunnel against malicious attacks. And this is why the L2F is so valuable. It may not be apparent from this description. Still, the fact is that these authentication processes can become safer if you can take advantage of several protocols concurrently to secure them. And L2F gives us that option, and it can work along with many different protocols. Thus it makes the authentication processes faster and safer. And its integration with them is seamless.

Wrap up

Let us congratulate you on your interest in some of the most arcane aspects of digital technology and privacy. L2F is such a fundamental protocol in the digital world that you will never notice it’s there –until it’s not. That’s how these things go.

When Cisco and Microsoft merged in 1999, L2F became the Layer 2 Tunneling protocol. It’s still around, and you’re probably using it all the time without noticing it.

If you use a VPN service, then L2F is right at the heart of the service. That’s because it’s the thing that creates the end-to-end tunnel of encapsulated data that allows for your traffic to go around the Internet safely away from the prying eyes of those third parties you’re keen to avoid. And it’s so fundamental and so subtle that it’s rarely mentioned explicitly (it’s OpenVPN and similar protocols that get all the limelight). But it’s nevertheless there, making everything possible.

L2F has an inherent limitation that makes it a bit less sexy than others: it lacks encryption. Yes, the tunnel is encapsulated and safe but not encrypted, and that’s a big problem in this day and age. If the tunnel falls to a breach, then the data inside the tunnel is there for anybody to read.

L2F needs to take advantage of another protocol that can provide encryption, thus making the tunnel foolproof. Then, the tunnel offers versatility and data integrity, while the second protocol (GRE, TCP) encrypts the data stream.

So now you know all you need to know about L2F. No, this is not the type of digital technology that you will be fiddling with on your phone or laptop unless you’re a sys-admin at an ISP. Other types of users wouldn’t take the time to read this article and read about protocols. But you know that this kind of information puts you ahead of the pack and will give you the best weapons you can have to protect your privacy. That’s why we started by congratulating you on reading this. After all, having this information and using it to your advantage is what being Privacy Savvy is all about!

Share this article

About the Author

Ali Qamar

Ali Qamar

Ali Qamar is the founder of PrivacySavvy, which he started out of the sheer passion for making every internet user privacy savvy. Ali has always been concerned about security and privacy for the general public and is very libertarian. Even before Edward Snowden appeared, he has been a privacy advocate even before Edward Snowden appeared with his revelations about NSA's mass surveillance. Ali graduated with a computing degree from the leading IT college in Pakistan, so he boasts a background in this area. He has an accountable understanding of the technical sides of encryption, VPNs, and privacy. Ali is regularly quoted in the privacy and security reports by the local press. His contributions have been featured in SecurityAffairs, Ehacking, HackRead, Lifewire, Business.com, Intego, InfosecMagazine, and many more publications online. Ali is naturally attracted to transforming things. Read More


No comments.