[gorkish]

I appreciate that you are trying to give examples of "L2 things" but none of this is really good advice.

For QoS, what do you think double-encapsulating all of the QoS bits inside of two tunnels is going to do for you? If you pay your carrier to respect QoS, you have to actually give them the bits! QoS goes on the OUTSIDE of the onion.

DHCP for VLANs should be handled by snooping for it on the switch and forwarding over L3 (ip helper-address), not by running vxlan over a VPN tunnel. And really it shouldn't ever be done over a potentially unreliable WAN link either; you should have a local agent for DDI at each site.

The only story here is that L2-over-L3 VPN have their very specific niches, and VXLAN+Wireguard is an alternative to L2TP+IPSec that is (IMO) both easier to configure and more reliable when such a thing is needed.

[SoftTalker]

> VXLAN+Wireguard is an alternative to L2TP+IPSec that is (IMO) both easier to configure and more reliable

I'm sorry to ask but which alternative do you find easier and more reliable? I seem to be able to parse that either way, maybe it's just me.

[gorkish]

Sorry for the dangling preposition. "That" refers to VXLAN+Wireguard being easier and more reliable. It has the drawback though of having very high overhead at 130 bytes/packet, and it can be very tricky to use over the public Internet without paying lots of special attention to tuning the MTU of all devices on the bridged segment. I'm glad to know that there are geeks who have not been exposed to the horrors of IPSec, though. And yeah, you should pretty much never do L2VPN. It is perilous in the extreme.

[justsomehnguy]

>maybe it's just me.

Nope, here with the same problem and I don't treat L2TP/IPSec as an easier to configure and reliable.