Layer 2 VPN Confessions of a Reluctant Teleworker

In an earlier blog, Confessions of a Reluctant Teleworker, I mentioned that I find myself grounded at home in Atlanta, GA, because of the Coronavirus (COVID-19) pandemic. During this extended period, I am on the job as a teleworker as the situation gradually improves. I also discussed the enterprise-grade teleworker solution I have been using at my house in Atlanta, GA. I have been using an ExtremeRouting XR600P™ branch router and an ExtremeWireless AP305C™­­ with a Layer 3 IPsec VPN connection back to Extreme Headquarters.

Essentially, I have what you could describe as a power-user solution for a remote teleworker. However, I have been reminded by numerous people that a power-user solution might not be the best for everyone. The bulk of remote workers need a fast and straightforward way to access the same resources as corporate users. Therefore, Extreme Networks also offers a simple and cost-effective solution for remote users to access corporate resources through a Layer 2 IPsec VPN securely.

I spend time every year in Mexico, and I need a fast and simple solution for remote access at my temporary residence. All I need is a single AP that can connect back to our corporate office. In my opinion, the most important aspect of this type of solution is the auto-provisioning capability of the solution. In other words, when I go to Mexico, I should be able to plug in the AP to any home Internet gateway device, and the VPN tunnel should automatically establish back to corporate. The good news is that I can do this with an access point managed via ExtremeCloud™ IQ. As shown in Figure 1, a predefined network policy with L2 VPN services is simple to configure.

_{Figure 1}

The policy specifies the external IP address of an active VPN server as well as a pool of IP addresses that the AP endpoints use inside the L2 IPsec VPN tunnel. When I plug in an AP for the first time, it connects to the cloud, downloads this policy, and automatically establishes the VPN tunnel back to corporate headquarters. Within a matter of minutes, I am connecting to the same Corporate SSID that I use at the Extreme offices. The best example is to use the Atom AP30. As shown in Figure 2, the Atom AP30 is a pluggable enterprise access point. I plug this little guy into an AC power socket and connect an Ethernet cable to the home gateway, and I am up and running.

_{Figure 2}

The beauty of a L2 VPN is that any access point managed in ExtremeCloud™ IQ can be auto-provisioned. All you need is a means to power the AP and a home gateway device to provide an IP address for the AP’s management interface. Another popular choice for L2 VPN deployments is the enterprise-class wallplate access point, the AP150W.

As shown in the diagram in Figure 3, the benefit of L2 VPN is that any AP is a secure extension of the corporate network.

_{Figure 3}

The same networks that exist at headquarters extend to your home. For example, an employee might still connect to the corporate SSID using 802.1X with a company-issued laptop. BYOD devices might connect to a different SSID with more restrictive access policies. Some of the easy to deploy advantages of a L2 VPN include:

• No complicated subnet definitions at the edge
• No DHCP Scope definitions at the edge
• No DNS definition at the edge
• No complicated split-tunnel decisions
• No complicated policy requirements

At the end of the day, I have a fast-and-easy L2 VPN teleworker solution at my residence in Mexico. And I still maintain my power-user L3 VPN remote access solution from my home in Atlanta. Of course, both of my teleworker solutions are managed via ExtremeCloud™ IQ. From the cloud, a network administrator can easily configure, provision, and monitor equipment for thousands of teleworkers. You can learn more about the wide variety of Extreme’s remote networking solutions at: https://www.extremenetworks.com/remote/.

Do you want to see how easy it is to provision any AP in ExtremeCloud™ IQ? Take a moment to watch this video as Erika Bagby takes you through a quick demo of a L2 IPsec VPN remote connection.

[wistia src="https://extremenetworks.wistia.com/medias/um873ze5ox"]