Layer 2 VPN Confessions of a Reluctant Teleworker

In an earlier blog, Confessions of a Reluctant Teleworker, I mentioned that I find myself grounded at home in Atlanta, GA, because of the Coronavirus (COVID-19) pandemic. During this extended period, I am on the job as a teleworker as the situation gradually improves. I also discussed the enterprise-grade teleworker solution I have been using at my house in Atlanta, GA. I have been using an ExtremeRouting XR600P branch router and an ExtremeWireless AP305C with a Layer 3 IPsec VPN connection back to Extreme Headquarters.

Essentially, I have what you could describe as a power-user solution for a remote teleworker. However, I have been reminded by numerous people that a power-user solution might not be the best for everyone. The bulk of remote workers need a fast and straightforward way to access the same resources as corporate users. Therefore, Extreme Networks also offers a simple and cost-effective solution for remote users to securely access corporate resources through a Layer 2 IPsec VPN.

I spend time every year in Mexico, and I need a fast and simple solution for remote access at my temporary residence. All I need is a single AP that can connect back to our corporate office. In my opinion, the most important aspect of this type of solution is the auto-provisioning capability of the solution. In other words, when I go to Mexico, I should be able to plug in the AP to any home Internet gateway device, and the VPN tunnel should automatically establish back to corporate. The good news is that I can do this with an access point managed via ExtremeCloud™ IQ. As shown in Figure 1, a predefined network policy with L2 VPN services is simple to configure.

Figure 1

The policy specifies the external IP address of an active VPN server as well as a pool of IP addresses that the AP endpoints use inside the L2 IPsec VPN tunnel. When I plug in an AP for the first time, it connects to the cloud, downloads this policy, and automatically establishes the VPN tunnel back to corporate headquarters. Within a matter of minutes, I am connecting to the same Corporate SSID that I use at the Extreme offices. The best example is to use the Atom AP30. As shown in Figure 2, the Atom AP30 is a pluggable enterprise access point. I plug this little guy into an AC power socket and connect an Ethernet cable to the home gateway, and I am up and running.

Figure 2

The beauty of an L2 VPN is that any access point managed in ExtremeCloud™ IQ can be auto-provisioned. All you need is a means to power the AP and a home gateway device to provide an IP address for the AP’s management interface. Another popular choice for L2 VPN deployments is the enterprise-class wallplate access point, the AP150W.

As shown in the diagram in Figure 3, the benefit of L2 VPN is that any AP is a secure extension of the corporate network.

Figure 3

The same networks that exist at headquarters extend to your home. For example, an employee might still connect to the corporate SSID using 802.1X with a company-issued laptop. BYOD devices might connect to a different SSID with more restrictive access policies. Some of the easy-to-deploy advantages of an L2 VPN include:

  • No complicated subnet definitions at the edge
  • No DHCP Scope definitions at the edge
  • No DNS definition at the edge
  • No complicated split-tunnel decisions
  • No complicated policy requirements

At the end of the day, I have a fast-and-easy L2 VPN teleworker solution at my residence in Mexico. And I still maintain my power-user L3 VPN remote access solution from my home in Atlanta. Of course, both of my teleworker solutions are managed via ExtremeCloud™ IQ. From the cloud, a network administrator can easily configure, provision, and monitor equipment for thousands of teleworkers. You can learn more about the wide variety of Extreme’s remote networking solutions at:

Do you want to see how easy it is to provision any AP in ExtremeCloud™ IQ? Take a moment to watch this video as Erika Bagby takes you through a quick demo of an L2 IPsec VPN remote connection.


About the Author
Kendra Luciano
Managing Editor, Content Marketing

Kendra is the Managing Editor of the Extreme Networks blog and resource center. She was previously a Vertical Solutions Marketing Co-Op while pursuing her degree in Communications with a minor in Business Administration from the University of New Hampshire.
