VPDN Multihop by DNIS
The Cisco VPDN Multihop by DNIS feature allows dialed number identification service (DNIS)-based multihop capability in a virtual private dial-up network (VPDN), which enables customers that dial in to a network using a standard telephone line to take advantage of the aggregation capability offered by multihop switching.
Feature Specifications for VPDN Multihop by DNIS
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or Cisco Feature Navigator.
Contents
•Prerequisites for VPDN Multihop by DNIS
•Restrictions for VPDN Multihop by DNIS
•Information About VPDN Multihop by DNIS
•How to Configure the VPDN Multihop Tunnel Switch
•Configuration Examples for VPDN Multihop by DNIS
Prerequisites for VPDN Multihop by DNIS
No new configuration commands are introduced by the VPDN Multihop by DNIS feature. The configuration required for the VPDN multihop support of DNIS is already supported by the existing Cisco IOS software commands. For VPDN multihop support of DNIS to take effect, you need a VPDN subsystem. Use the show subsystem name * EXEC command to check that this subsystem is supported on your router.
This document assumes that you are familiar with VPDN technology, and have a VPDN already configured and enabled that has been shown to support basic VPDN dialup between a client and an L2TP access concentrator (LAC). See the documents listed in the section "Additional References" for more information about VPDNs.
The VPDN Multihop by DNIS feature is enabled by adding the configuration for both a LAC and L2TP network server (LNS) on a router configured as a tunnel switch (also called a multihop node). See the configurations in the section "Configuration Examples for VPDN Multihop by DNIS" for examples.
Restrictions for VPDN Multihop by DNIS
The VPDN Multihop by DNIS feature requires that the LAC sends the DNIS string to the tunnel switch. Currently, this functionality is supported only by Layer 2 Forwarding (L2F) and the Layer 2 Tunneling Protocol (L2TP). These two protocols are not required to send the DNIS string but often do during session setup, and Cisco LACs always send the DNIS string during session setup. However, if a LAC does not send the DNIS string, then the multihop node would support only tunnel switching based on domain and multihop host name.
Information About VPDN Multihop by DNIS
To configure the VPDN Multihop by DNIS feature, you need to understand the following concepts:
VPDN Basics
A VPDN carries private data over a public network, and extends remote access to users over a shared infrastructure. VPDNs maintain the same security and management policies as a private network, and provide a cost-effective method of establishing a point-to-point connection between remote users and a central network.
VPDNs allow separate and autonomous protocol domains to share common access infrastructure including modems, access servers, and ISDN routers. VPDNs, therefore, delegate much of the responsibilities associated with network infrastructure. The customer outsources the responsibility for the infrastructure to an Internet service provider (ISP) that maintains the modems that the remote users dial in to (called modem pools), the access servers, and the internetworking expertise. The customer is then responsible only for authenticating its users and maintaining its network.
As an added benefit, instead of connecting directly to the network using the plain old telephone service (POTS), which can be expensive, VPDN users need only use the POTS to connect to an ISP local point of presence (POP). The ISP then uses the Internet to forward users from the POP to the customer network. Forwarding a user call over the Internet provides dramatic cost savings for the customer.
VPDNs use Layer 2 tunneling and forwarding technologies to create a virtual point-to-point connection between users and the customer network. These tunneling technologies provide the same direct connectivity as the expensive POTS, but do so by using the Internet, which means that users anywhere in the world have the same connectivity as they would at the customer headquarters.
Figure 1 shows the PPP link that runs between a client (the user hardware and software) and the tunnel server (LNS).
Figure 1 End-to-End Access VPDN Protocol Flow: L2F or L2TP, PPP, and IP
Using either L2F or L2TP, an ISP or other access service can create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server (NAS) at the ISP POP exchanges PPP messages with the remote users and communicates by L2F or L2TP requests and responses with the customer tunnel server to set up tunnels. L2F and L2TP pass protocol-level packets through the virtual tunnel between endpoints of a point-to-point connection.
Frames from the remote users are accepted by the ISP POP, stripped of any linked framing or transparency bytes, encapsulated in L2F or L2TP, and then forwarded over the appropriate tunnel. The customer tunnel server accepts these frames, strips the Layer 2 encapsulation, and processes the incoming frames for the appropriate interface.
VPDN Multihop
The VPDN multihop feature allows a router configured as a tunnel switch to terminate tunnels from LACs and forward the sessions through multiple (up to four), newly established L2TP tunnels. The tunnels are selected using client-supplied matching criteria.
Figure 2 shows a basic VPDN multihop network configuration.
Figure 2 VPDN Multihop
Versions of Cisco IOS software prior to Cisco IOS Release 12.2(8)B support L2TP tunnel switching using only a user domain name or a remote tunnel name as the matching criteria.
VPDN Multihop by DNIS
The VPDN Multihop by DNIS feature adds a telephone number to the matching criteria for the tunnel switch. The tunnel switch can perform VPDN tunnel authorization based on a DNIS (a called telephone number), a user domain name, or ingress tunnel domain names that are mapped to specified LNSs. (The order in which the client-supplied matching criteria are searched by the Cisco IOS software is determined by the vpdn search-order global configuration command.)
Figure 3 shows an example network topology using the VPDN Multihop by DNIS feature.
Figure 3 Example Network Topology Using the VPDN Multihop by DNIS Tunnel Switching Feature
The VPDN Multihop by DNIS feature expands the aggregation capability offered by multihop switching to dial up users using the POTS to connect to the Internet by supporting telephone numbers (DNIS) as the matching criteria for forwarding the sessions through L2TP tunnels. This feature, therefore, offers service providers expanded connection services and more flexibility in how their network traffic is directed.
How to Configure the VPDN Multihop Tunnel Switch
To configure a tunnel switch (or multihop node) that supports the VPDN Multihop by DNIS feature, you need to configure a tunnel switch that contains both the LNS and LAC portions of the VPDN. Use the following commands:
SUMMARY STEPS
1. enable
2. configure {terminal | memory | network}
3. username {local-name | remote-hostname} password secret
4. vpdn enable
5. vpdn multihop
6. vpdn-group name
7. vpdn-group subcommands (accept-dialin and terminate-from for the incoming portion of the tunnel switch, and request-dialin and initiate-to for the outgoing portion, for example)
8. vpdn search-order {dnis | multihop-hostname | domain} (optional step that should be executed only when it is necessary to change the default search order)
DETAILED STEPS
1. Enable VPDN and VPDN multihop
Command or Action | Purpose
Step 1
enable
Example: Router> enable
Enables higher privilege levels, such as privileged EXEC mode.
Enter your password if prompted.
Step 2
configure {terminal | memory | network}
Example: Router# configure terminal
Enters global configuration mode.
Step 3
username remote-hostname password secret
Example: Router(config)# username LAC-1 password <secret>
Configures the secret (a password). Must match the secret word configured on the LAC.
Step 4
username local-name password secret
Example: Router(config)# username Multi-Hop password <secret>
Configures the secret (password). Must match the secret word configured in Step 3.
Step 5
vpdn enable
Example: Router(config)# vpdn enable
Enables virtual private dialup networking on the router.
Step 6
vpdn multihop
Example: Router(config)# vpdn multihop
Enables VPDN multihop functionality.
2. Configure the Incoming (LNS) Portion of the Tunnel Switch
Command or Action | Purpose
Step 7
vpdn-group number
Example: Router(config)# vpdn-group 1
Selects the VPDN group.
Step 8
accept-dialin
Example: Router(config-vpdn)# accept-dialin
Enables the tunnel switch to accept incoming L2TP tunnel connections and enters VPDN accept-dialin group configuration mode.
Step 9
protocol l2tp/l2f
Example: Router(config-vpdn-acc-in)# protocol l2tp
Specifies L2TP and L2F.
Step 10
virtual-template number
Example: Router(config-vpdn-acc-in)# virtual-template 1
Specifies the virtual template interface to use to clone the new virtual access interface.
Step 11
exit
Example: Router(config-vpdn-acc-in)# exit
Returns to VPDN group configuration mode.
Step 12
terminate-from hostname hostname
Example: Router(config-vpdn)# terminate-from hostname LAC-1
Specifies the host name of the remote LAC that will be required when accepting a VPDN tunnel.
•Must match the remote-hostname configured in Step 3.
Step 13
local name local-name
Example: Router(config-vpdn)# local name Multi-Hop
Specifies the local host name of the tunnel.
•Must match the local-name configured in Step 4.
Step 14
exit
Example: Router(config-vpdn)# exit
Returns to global configuration mode.
3. Configure the Outgoing (LAC) Portion of the Tunnel Switch
Command | Purpose
Step 15
vpdn-group number
Example: Router(config)# vpdn-group 2
Selects the VPDN group.
Step 16
request-dialin
Example: Router(config-vpdn)# request-dialin
Enables the tunnel switch to request L2TP tunnels to the LNS and enters VPDN request-dialin group configuration mode.
Step 17
protocol l2tp/l2f
Example: Router(config-vpdn-req-in)# protocol l2tp/l2f
Specifies L2TP and L2F.
Step 18
dnis telephone-number
Example: Router(config-vpdn-req-in)# dnis 5555555
Initiates a tunnel based on the user DNIS number.
Step 19
exit
Example: Router(config-vpdn-req-in)# exit
Returns to VPDN group configuration mode.
Step 20
initiate-to ip ip-address [limit limit-number] [priority priority-number]
Example: Router(config-vpdn)# initiate-to ip 10.10.1.1
Specifies the LNS.
Optionally specifies the maximum number of sessions per tunnel and the priority of the IP address (1 is highest).
Step 21
local name local-name
Example: Router(config-vpdn)# local name Multi-Hop
Specifies the local host name of the tunnel.
•Must match the local-name configured in Step 4.
Step 22
exit
Example: Router(config-vpdn)# exit
Returns to global configuration mode.
4. Changing the Default Search Order (Optional)
Verify VPDN Multihop by DNIS
To verify that the VPDN Multihop by DNIS feature is working, perform the following optional steps:
SUMMARY STEPS
1. Make a call using the DNIS
2. enable
3. show vpdn
DETAILED STEPS
Troubleshooting Tips
•The configuration commands in the previous sections should be entered on an operational VPDN. See the section "Prerequisites for VPDN Multihop by DNIS" for information about configuring and troubleshooting a VPDN.
•If the call is not successful, enter the debug vpdn l2x-packet EXEC command to display the dialog between the LAC and LNS for tunnel creation. Check for the attribute-value pair (AVP), which will have the DNIS number in it, when using L2TP. When using L2F, check the CLID/DNIS pair for the telephone number.
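To show what that check looks for on the wire, the following added example (not part of the original Cisco document) parses the AVP section of an L2TP control message and reports whether the Called Number AVP is present. It assumes the RFC 2661 AVP layout and attribute numbers and works on raw bytes from a packet capture rather than on debug output; the function names and the sample ICRQ are constructed for illustration.

```python
import struct

# RFC 2661 attribute types (vendor ID 0) used in this example.
MESSAGE_TYPE, ASSIGNED_SESSION_ID, CALL_SERIAL, CALLED_NUMBER = 0, 14, 15, 21
M_BIT, H_BIT, LEN_MASK = 0x8000, 0x4000, 0x03FF

def avp(attr, value, hidden=False):
    """Encode one mandatory IETF AVP: flags+length, vendor ID, type, value."""
    flags = M_BIT | (H_BIT if hidden else 0)
    return struct.pack("!HHH", flags | (6 + len(value)), 0, attr) + value

def parse_avps(payload):
    """Yield (vendor, attr, hidden, value) for each AVP in a control message."""
    off = 0
    while off < len(payload):
        if len(payload) - off < 6:
            raise ValueError("truncated AVP header")
        head, vendor, attr = struct.unpack_from("!HHH", payload, off)
        length = head & LEN_MASK          # length covers the 6-byte header too
        if length < 6 or off + length > len(payload):
            raise ValueError("AVP length field out of range")
        yield vendor, attr, bool(head & H_BIT), payload[off + 6:off + length]
        off += length

def called_number(payload):
    """Return ("clear", dnis), ("hidden", None) or ("absent", None)."""
    for vendor, attr, hidden, value in parse_avps(payload):
        if vendor == 0 and attr == CALLED_NUMBER:
            # A hidden AVP (H bit set) cannot be read without the tunnel secret.
            return ("hidden", None) if hidden else ("clear", value.decode("ascii"))
    return ("absent", None)

# Constructed ICRQ body (AVPs only, after the L2TP control header).
ICRQ = (avp(MESSAGE_TYPE, struct.pack("!H", 10))       # 10 = ICRQ
        + avp(ASSIGNED_SESSION_ID, struct.pack("!H", 28))
        + avp(CALL_SERIAL, struct.pack("!I", 1))
        + avp(CALLED_NUMBER, b"5555555"))
```

An "absent" result corresponds to the restriction described earlier: without the DNIS string, the multihop node can switch only on domain and multihop host name.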
Configuration Examples for VPDN Multihop by DNIS
This section provides the following configuration examples, which match the configuration tasks identified in the previous section:
•VPDN Multihop by DNIS Example
•Verify VPDN Multihop by DNIS Example
VPDN Multihop by DNIS Example
The following example shows how to configure both the LAC and LNS in a tunnel switch, so that the VPDN Multihop by DNIS feature will work:
vpdn multihop
vpdn-group 1
 accept-dialin
  protocol l2tp/l2f
  virtual-template 1
 terminate-from hostname LAC-1
 local name Multi-Hop
vpdn-group 2
 request-dialin
  protocol l2tp/l2f
  dnis 5555555
 initiate-to ip 10.10.1.1
 local name Multi-Hop

The policy for VPDN group search order is determined by the vpdn search-order global configuration command. The default search order is based on DNIS, domain, and then the multihop host name.
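The name-matching rules in Steps 3, 4, 12, 13 and 21, together with the requirement that a tunnel switch carry both the LNS and LAC portions, can be checked mechanically before a configuration is deployed. The following Python script is an added example, not Cisco code; it assumes the configuration is indented the way show running-config prints it, and the names parse, audit and SAMPLE are hypothetical.

```python
import re

# Added example, not Cisco code. Constructed sample: the page's tunnel-switch
# configuration plus the username lines from Steps 3 and 4 (placeholder secrets).
SAMPLE = """\
username LAC-1 password <secret>
username Multi-Hop password <secret>
vpdn enable
vpdn multihop
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC-1
 local name Multi-Hop
vpdn-group 2
 request-dialin
  protocol l2tp
  dnis 5555555
 initiate-to ip 10.10.1.1
 local name Multi-Hop
"""

def parse(config):
    """Split a config into global commands, usernames and vpdn-group bodies."""
    top, users, groups, body = set(), set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():              # assumption: subcommands are indented
            if body is not None:
                body.append(line)
            continue
        body = None
        if line.startswith("vpdn-group "):
            body = groups.setdefault(line.split()[1], [])
        elif line.startswith("username "):
            users.add(line.split()[1])
        else:
            top.add(line)
    return top, users, groups

def audit(config):
    """Return findings for the name-matching and completeness rules."""
    top, users, groups = parse(config)
    out = [f"missing global command: {c}"
           for c in ("vpdn enable", "vpdn multihop") if c not in top]
    roles = set()
    for name, body in groups.items():
        roles.update(r for r in ("accept-dialin", "request-dialin") if r in body)
        for cmd in body:
            m = re.match(r"(terminate-from hostname|local name) (\S+)$", cmd)
            if m and m.group(2) not in users:
                out.append(f"vpdn-group {name}: no username entry for '{cmd}'")
        if "request-dialin" in body and not any(
                c.startswith("initiate-to ip ") for c in body):
            out.append(f"vpdn-group {name}: request-dialin without initiate-to")
    out += [f"no vpdn-group with {r}"
            for r in ("accept-dialin", "request-dialin") if r not in roles]
    return out
```

An empty list from audit(SAMPLE) means every terminate-from hostname and local name has a username entry and both portions of the tunnel switch are present.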
Verify VPDN Multihop by DNIS Example
The following example shows the tunnel and session reports from the show vpdn EXEC command:
Router# show vpdn

L2TP Tunnel and Session Information Total tunnels 2 sessions 2

LocID RemID Remote Name   State  Remote Address  Port  Sessions VPDN Group
785   7059  Router1       est    1.1.1.1         1701  1        2

LocID      RemID      TunID      Intf          Username               State  Last Chg
28         15         785        SSS Circuit   gomer@l2tp.com         est    00:01:31

LocID RemID Remote Name   State  Remote Address  Port  Sessions VPDN Group
7718  57428 Router5       est    1.1.4.5         1701  1        3

LocID      RemID      TunID      Intf          Username               State  Last Chg
29         15         7718       SSS Circuit   27                     est    00:01:31

%No active L2F tunnels
%No active PPTP tunnels
%No active PPPoE tunnels

Additional References
For additional information related to VPDN Multihop by DNIS, refer to the following references:
Related Documents
Related Topic | Document Title
Dial commands
Cisco IOS Dial Technologies Command Reference, Release 12.2
VPDN
Cisco IOS Dial Technologies Configuration Guide, Release 12.2; see the part "Virtual Templates, Profiles, and Networks."
L2TP tunneling
VPDN multihop
"Configuring L2TP Multihop to Perform Several Hops from the NAS to the LNS"
Standards
MIBs
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
Technical Assistance
Command Reference
This section documents a modified command, vpdn multihop. All other commands used with this feature are documented in the Cisco IOS Release 12.2 and 12.2T command reference publications.
vpdn multihop
To enable virtual private dialup network (VPDN) multihop, use the vpdn multihop command in global configuration mode. To disable VPDN multihop capability, use the no form of this command.
vpdn multihop
no vpdn multihop
Syntax Description
This command has no arguments or keywords.
Defaults
Multihop capability is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
The VPDN multihop feature allows a router configured as a tunnel switch to terminate tunnels from Layer 2 access concentrators (LACs) and forward the sessions through up to four newly established Layer 2 Tunneling Protocol (L2TP) tunnels. The tunnels are selected using client-supplied matching criteria. Versions of Cisco IOS software prior to Cisco IOS Release 12.2(8)B support L2TP tunnel switching using only a user domain name or a remote tunnel name as the matching criterion.
The dialed number identification service (DNIS)-based multihop capability added a telephone number to the matching criteria for the tunnel switch. The tunnel switch can perform VPDN tunnel authorization based on a DNIS (a called telephone number), a user domain name, or ingress tunnel domain names that are mapped to specified L2TP network servers (LNSs). The order in which the client-supplied matching criteria are searched by the Cisco IOS software is determined by the vpdn search-order global configuration command.
Before using the vpdn multihop command, refer to the Cisco IOS Dial Technologies Configuration Guide, Release 12.2, to learn more about Multilink PPP and Multichassis Multilink PPP.
Examples
The following example shows how to configure the Cisco Multihop VPDN feature:
!
vpdn enable
vpdn multihop
vpdn search-order domain
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain cisco.com
 initiate-to ip 172.22.53.144 priority 1
 initiate-to ip 172.22.53.145 priority 1
!
l2tp tunnel password 7 secret
!

The following example shows how to configure DNIS-based multihop capability:
!
vpdn enable
vpdn multihop
!
vpdn-group 1
 accept-dialin
  protocol l2tp/l2f
  virtual-template 1
 terminate-from hostname LAC-1
 local name Multi-Hop
vpdn-group 2
 request-dialin
  protocol l2tp/l2f
  dnis 5555555
 initiate-to ip 10.10.1.1
 local name Multi-Hop
!

The following example shows a configuration where a packet traverses a VPDN tunnel over a service provider link, and then a second tunnel by traversing a hop between home gateways on the corporate network. The bundle owner is Home-Gateway1 and the stack group peer, Home-Gateway2, is specified as a peer (1.1.1.2).
vpdn multihop
username stack password hellothere
multilink virtual-template 1
sgbp group stack
sgbp member Home-Gateway2 1.1.1.2
interface virtual-template 1
 ip unnumbered e0
 ppp multilink
 ppp auth chap

Related Commands
Glossary
CLID—calling line ID. Information about the billing telephone number from which a call originated. The CLID value might be the entire phone number, the area code, or the area code plus the local exchange.
DNIS—dialed number identification service (the called party number). Typically, this is a number used by call centers or a central office where different numbers are each assigned to a specific service.
LAC—L2TP access concentrator. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP network server (LNS). The LAC sits between an LNS and a remote system and forwards packets to and from each. Packets sent from the LAC to the LNS require tunneling with the L2TP protocol. The connection from the LAC to the remote system is either local or a PPP link.
LNS—L2TP network server. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP access concentrator (LAC). The LNS is the logical termination point of a PPP session that is being tunneled from the remote system by the LAC.
NAS—network access server. A device providing local network access to users across a remote access network such as the POTS. A NAS can also serve as a LAC, LNS, or both.
VPDN—virtual private dial-up network. Also known as virtual private dial network. A VPDN is a network that permits the physical dialup connection to appear to be connected directly to a home network while actually residing elsewhere on the network. A virtual pipe is connected between the physical dialup connections and the termination point at the home network.
Note Refer to the Internetworking Terms and Acronyms for terms not included in this glossary.