Table Of Contents
VPDN Group Session Limiting
This document describes the VPDN Group Session Limiting feature in Cisco IOS Release 12.2(1)DX. It includes the following sections:
Before the introduction of the Virtual Private Dial Network (VPDN) Group Session Limiting feature, you could only globally limit the number of VPDN sessions on a router with limits applied equally to all VPDN groups. Using the VPDN Group Session Limiting feature, you can limit the number of VPDN sessions allowed per VPDN group. This feature is implemented with the introduction of the session-limit number command in VPDN configuration mode. VPDN group session limiting is applied after the global VPDN session limiting (which is configured via the vpdn session-limit session command in configuration mode) is enforced.
The VPDN Group Session Limiting feature gives more control to network administrators by enabling them to limit how many sessions a VPDN group can terminate. This feature enables service providers to cater to all types of organizations, large or small, by enabling finer configuration granularity.
•VPDN Group Session Limiting cannot be configured on an L2TP Access Concentrator (LAC) or L2F Network Access Server (NAS).
•The range of legal values for number is from 0 to 32767.
•VPDN Group Session Limiting applies only to L2F and L2TP sessions.
Related Features and Technologies
•Shell-Based Authentication of VPDN Users
•Accounting of VPDN Disconnect Cause
•Resource Pool Management
•Resource Pool Management
•"Configuring Virtual Private Networks" section of the Cisco IOS Dial Services Configuration Guide: Network Services
•Cisco IOS Dial Services Command Reference
•Cisco 7200 series
•Cisco 7401ASR router
Platform Support Through Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Feature Navigator. Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image.
To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to email@example.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.
Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. As of May 2001, Feature Navigator supports M, T, E, S, and ST releases. You can access Feature Navigator at the following URL:
Supported Standards, MIBs, and RFCs
No new or modified standards are supported by this feature.
No new or modified MIBs are supported by this feature
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
No new or modified RFCs are supported by this feature
A VPDN session group must be created before the session-limit VPDN configuration group can be configured. You must configure the accept-dialin command or request-dialout command before VPDN session group limiting can be configured.
See the following section for the configuration task necessary to configure the VPDN group session limiting feature:
•Configuring VPDN Group Session Limiting (required)
Configuring VPDN Group Session Limiting
To configure VPDN group session limiting, follow the steps in the table below:
Verifying VPDN Group Session Limiting
Follow the steps below to verify the successful configuration of VPDN Group Session Limiting:
Step 1 Enter the session-limit 1 command in VPDN configuration mode.
Step 2 Establish a VPDN session by dialing in to the network access server (NAS) using an allowed username and password.
Step 3 Attempt to establish another VPDN session by dialing in to the NAS using another allowed username and password.
Step 4 A Syslog message similar to the following should appear on the console of the router:00:11:17: %VPDN-6-MAZ_sESS_EXCD:L2F HGW great_went has exceeded configured local session-limit and rejected user firstname.lastname@example.org
Step 5 Enter the show vpdn history failure command on the router. If you see output similar to the following, the group session limit was successful:User: email@example.comNAS: cliford_ball, IP address = 172.25.52.8, CLID = 2Gateway: great_went, IP address = 172.25.52.7, CLID = 13Log time: 00:04:21, Error repeat count:1Failure type: Exceeded configured VPDN mazimum session limitFailure reason:
Monitoring and Maintaining VPDN Group Session Limiting
Use the following commands to monitor and maintain VPDN group session limiting:
This section provides the following configuration examples:
Configuring VPDN Group Session Limiting
In the example below, VPDN group "abc" is created and restricted to three sessions:Router# configure terminalRouter(config)# vpdn-group abcRouter(config-vpdn)# accept dialinRouter(config-vpdn-acc-in)# protocol l2tpRouter(config-vpdn-acc-in)# virtual-template 5Router(config-vpdn-acc-in)# exitRouter(config-vpdn)# terminate hostname host1Router(config-vpdn)# session-limit 3Router(config-vpdn)# endRouter# show vpdn-group abc
This section documents the new command that configures the VPDN Group Session Limiting feature.
To limit the number of sessions that are allowed through a specified VPDN group, use the session-limit command in VPDN configuration mode. To remove a configured session-limit restriction, use the no form of this command.
no session-limit number
No default behavior or values.
Use this command to limit the number of allowed sessions for a specified VPDN group.
This command works independently from the global VPDN session-limit command. Using the global VPDN session-limit command, you can restrict the total number of sessions allowed on all VPDN groups. Global session limiting is configured in configuration mode. VPDN group session limiting is configured in VPDN configuration mode.
Global VPDN session limiting and per VPDN group session limiting work independently, but global VPDN session limiting is enforced before individual VPDN group limiting. For example, if you configure vpdn session-limit 2 at the global configuration mode and session-limit 3 under the VPDN group "abc," no more than two calls are allowed in VPDN group "abc."
The following example creates VPDN group "abc," virtual template 5, and restricts VPDN group "abc" to three sessions:Router(config)# vpdn-group abcRouter(config-vpdn)# accept dialinRouter(config-vpdn-acc-in)# protocol l2tpRouter(config-vpdn-acc-in)# virtual-template 5Router(config-vpdn-acc-in)# exitRouter(config-vpdn)# terminate hostname host1Router(config-vpdn)# session-limit 3