-
Cisco IOS Release 12.0 Dial Solutions Command Reference
-
About This Manual
-
Using Cisco IOS Software
- Part 1: Dial-In Port Setup
- Part 2: Dial-In Terminal Service & Remote Node Config
- Part 3: Dial-on-Demand Routing
- Part 4: Dial Backup
- Part 5: NASI Client Commands
- Part 6: Large-Scale Dial Solutions
- Part 7: Cost-Control Solutions
- Part 8: Virtual Private Dialup Networks
- Part 9: Other Network Traffic on ISDN Channels
- Part 10: Dial-Related Addressing Services
- Part 11: Appendixes
-
Index
-
Table Of Contents
Virtual Private Dialup Network Commands
Virtual Private Dialup Network Commands
This chapter describes the commands required to configure virtual private dialup networks. For information about configuring this feature, see the "Configuring Virtual Private Dialup Networks" chapter of the Dial Solutions Configuration Guide.
clear vpdn history failure
To clear the content of the failure history table, use the clear vpdn history failure EXEC command.
clear vpdn history failure
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3 T.
Example
The following example clears the content of the failure history table:
clear vpdn history failureclear vpdn tunnel
To shut down a specified tunnel and all the MIDs within it, use the clear vpdn tunnel EXEC command.
clear vpdn tunnel network-access-server gateway-name
Syntax Description
Command Mode
EXEC
Usage Guidelines
This command first appeared in Cisco IOS Release 11.2.
This command is used primarily for troubleshooting. You can use the command to force the tunnel to come down without unconfiguring it (the tunnel could be restarted immediately by a user logging in).
Example
The following example clears a tunnel between a network access server called orion and a home gateway called sampson:
clear vpdn tunnel orion sampsonshow vpdn
To display information about active Level 2 Forwarding (L2F) protocol tunnel and Level 2 Forwarding (L2F) message identifiers in a virtual private dialup network, use the show vpdn EXEC command.
show vpdn
Syntax Description
This command has no keywords or arguments.
Command Mode
EXEC
Usage Guidelines
This command first appeared in Cisco IOS Release 11.2.
Sample Display
The following is sample output of the show vpdn command:
Router# show vpdnActive L2F tunnelsNAS Name Gateway Name NAS CLID Gateway CLID Statenas gateway 4 2 openL2F MIDsName NAS Name Interface MID Statephil@cisco.com nas As7 1 opensam@cisco.com nas As8 2 opendescribes the fields in this sample display.
Related Commands
You can use the master indexes or search online to find documentation of related commands.
vpdn enable
vpdn history failureshow vpdn history failure
To show the content of the failure history table, use the show vpdn history failure with the optional username keyword EXEC command.
show vpdn history failure [username]
Syntax Description
username
(Optional) Specifies the username. The specified username helps to display only the entries mapped to that particular user.
Command Mode
EXEC
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3 T.
If a username is specified, only the entries mapped to that username are displayed; when the username is not specified, the whole table is displayed.
Sample Display
The following is a sample output from the show vpdn history failure command, which displays the failure history table for a specific user:
router> show vpdn history failureTable size: 20Number of entries in table: 1User: jcchan@cisco.com, MID = 1NAS: isp, IP address = 172.21.9.25, CLID = 1Gateway: hp-gw, IP address = 172.21.9.15, CLID = 1Log time: 13:08:02, Error repeat count: 1Failure type: The remote server closed this sessionFailure reason: Administrative interventiondescribes the fields shown in the sample output.
Related Commands
You can use the master indexes or search online to find documentation of related commands.
vpdn history failure
vpdn aaa attribute
To enable reporting of network access server (NAS) authentication, authorization, and accounting (AAA) attributes related to a virtual private dialup network (VPDN) to the AAA server, use the vpdn aaa attribute global configuration command. To disable reporting of AAA attributes related to VPDN, use the no form of this command.
vpdn aaa attribute {nas-ip-address vpdn-nas | nas-port vpdn-nas}
no vpdn aaa attribute {nas-ip-address vpdn-nas | nas-port}
Syntax Description
nas-ip-address vpdn-nas
Enable reporting of the VPDN NAS IP address to the AAA server..
nas-port vpdn-nas
Enable reporting of the VPDN NAS port to the AAA server.
Default
AAA attributes are not reported to the AAA server.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3NA.
This command can be used with RADIUS or TACACS+, and is applicable only on the VPDN tunnel server.
Examples
The following example configures VPDN on a tunnel server and enables reporting of VPDN AAA attributes to the AAA server:
vpdn enablevpdn-group 1accept-dialinprotocol anyvirtual-template 1!terminate-from hostname nas1local name ts1!vpdn aaa attribute nas-ip-address vpdn-nasvpdn aaa attribute nas-port vpdn-nasRelated Commands
You can use the master indexes or search online to find documentation of related commands.
aaa new-model
vpdn enablevpdn aaa override-server
To specify an authentication, authorization, and accounting (AAA) server to be used for virtual private dialup network (VPDN) tunnel authorization other than the default AAA server, use the vpdn aaa override-server global configuration command. To return to the default setting, use the no form of this command.
vpdn aaa override-server {aaa-server-ip-address | aaa-server-name}
no vpdn aaa override-server {aaa-server-ip-address | aaa-server-name}
Syntax Description
aaa-server-ip-address
The IP address of the AAA server to be used for tunnel authorization.
aaa-server-name
The name of the AAA server to be used for tunnel authorization.
Default
If the AAA server is not specified, the default AAA server configured for network authorization is used.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.2F.
This command can be used with RADIUS or TACACS+, and is applicable only on the VPDN network access server (NAS). Configuring this command restricts tunnel authorization to the specified AAA servers only. This command can be used to specify multiple AAA servers.
For TACACS+ configuration, the tacacs-server directed-request command must be configured using the restricted keyword, or authorization will continue with all configured TACACS+ servers.
Examples
The following example enables AAA attributes and specifies the AAA server to be used for VPDN tunnel authorization:
aaa new-modelaaa authorization network default group radiusvpdn aaa override-server 10.1.1.1vpdn enableradius-server host 10.1.1.2 auth-port 1645 acct-port 1646radius-server key SecretRelated Commands
You can use the master indexes or search online to find documentation of related commands.
aaa new-model
tacacs-server directed-request
vpdn enablevpdn domain-delimiter
To specify the characters to be use to delimit the domain prefix or domain suffix, use the vpdn domain-delimiter global configuration command.
vpdn domain-delimiter characters [suffix | prefix]
Syntax Description
Default
This command is disabled.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3.
You can enter one vpdn domain-delimiter command to list the suffix delimiters and another vpdn domain-delimiter command to list the prefix delimiters. However, no character can be both a suffix delimiter and a prefix delimiter.
This command allows the network access server to parse a list of home gateway DNS domain names and addresses sent by an AAA server. The AAA server can store domain names or IP addresses in the following AV pair:
cisco-avpair = "lcp:interface-config=ip address 1.1.1.1 255.255.255.255.0",
cisco-avpair = "lcp:interface-config=ip address bigrouter@excellentinc.com,
Examples
The following example lists three suffix delimiters and three prefix delimiters:
vpdn domain-delimiter %-@ suffixvpdn domain-delimiter #/\\ prefixThis example allows the following host and domain names:
cisco.com#houstonddrhoustonddr@cisco.comRelated Commands
You can use the master indexes or search online to find documentation of related commands.
vpdn enable
vpdn history failure
vpdn search-ordervpdn enable
To enable virtual private dialup networking on the router and inform the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is present, use the vpdn enable global configuration command.
vpdn enable
Syntax Description
This command has no keywords or arguments.
Default
Disabled
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.2.
Note
To disable a VPN tunnel, use the command clear vpn tunnel in EXEC mode. The command no vdpn enable does not automatically disable a VPN tunnel.
Example
The following example enables virtual private dialup networking on the router:
vpdn enableRelated Commands
You can use the master indexes or search online to find documentation of related commands.
vpdn force-local-chap
To cause the home gateway to issue its own CHAP challenge even if one has already been issued from the network access server, use the vpdn force-local-chap global configuration command. To disable the home gateway's issuing its own CHAP challenge, use the no form of this command.
vpdn force-local-chap
no vpdn force-local-chapSyntax Description
This command has no arguments or keywords.
Default
The home gateway does not issue its own CHAP challenge.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.2.
Example
The following example configures a virtual template interface on the home gateway and then enables VPDN and forces the home gateway to issue its own CHAP challenge.
interface virtual-template 1ip unnumbered ethernet 0encapsulation pppppp authentication chap!vpdn enablevpdn incoming world12 troll virtual-template 1vpdn force-local-chapvpdn history failure
To enable logging of virtual private dibalup network (VPDN) failures to the history failure table or to set the failure history table size, use the vpdn history failure command in global configuration mode. To disable logging of VPDN history failures or to restore the default table size, use the no form of this command.
vpdn history failure [table-size entries]
no vpdn history failure [table-size]
Syntax Description
table-size entries
(Optional) Sets the number of entries in the history failure table. Valid entries range from 20 to 50.
Default
VPDN failures are logged by default.
table size: 20 entriesCommand Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3 T.
Logging of VPDN failure events is enabled by default. You can disable the logging of VPDN failure events by issuing the no vpdn history failure command.
The logging of a failure event to the history table is triggered by event logging by the syslog facility. The syslog facility creates a failure history table entry, which keeps records of failure events. The table starts with 20 entries, and the size of the table can be expanded to a maximum of 50 entries using the vpdn history failure table-size entries command. You may configure the vpdn history failure table-size entries command only if VPDN failure event logging is enabled.
All failure entries for the user are kept chronologically in the history table. Each entry records the relevant information of a failure event. Only the most recent failure event per user, unique to its name and tunnel client ID (CLID), is kept.
When the total number of entries in the table reaches the configured table size, the oldest record is deleted and a new entry is added.
Example
The following example disables logging of VPDN failures to the history failure table:
no vpdn history failureThe following example enables logging of VPDN failures to the history table and sets the history failure table size to 40 entries:
vpdn history failurevpdn history failure table-size 40Related Commands
You can use the master indexes or search online to find documentation of related commands.
show vpdn history failure
vpdn incoming
To specify the local name to use for authenticating and the virtual template to use for building interfaces for incoming connections when a Level 2 Forwarding (tunnel) connection is requested from a certain remote host, use the vpdn incoming global configuration command.
vpdn incoming remote-name local-name virtual-template number
Syntax Description
Default
Disabled. No host name, IP address, or local name for authentication are provided.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.2.
The remote-name and local-name arguments are case sensitive.
This command is usually used on a home gateway, not on the network access server in the ISP or public data network.
Example
The following partial example specifies use of local host go_blue and virtual template interface 6 for connections with remote host dallas_wan:
vpdn incoming dallas_wan go_blue virtual-template 6vpdn logging
To enable the logging of VPDN events, use the vpdn logging global configuration command. To disable the logging of VPDN events, use the no form of this command.
vpdn logging [local | remote]
no vpdn logging [local | remote]Syntax Description
local
(Optional) Log VPDN events locally.
remote
(Optional) Log VPDN events to a remote tunnel endpoint.
Default
Enabled
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3 T.
This command logs VPDN events. By default, VPDN logging is enabled; therefore, if you wish to disable VPDN event logging, you must explicitly configure the router using the no form of the command.
Example
The default behavior is to log VPDN events; however, if you wish to reenable the feature after removal, the following example shows how to reenable VPDN logging locally:
vpdn logging localRelated Commands
You can use the master indexes or search online for documentation of related commands.
vpdn history failure
vpdn multihop
To enable virtual private dialup network (VPDN) multihop, use the vpdn multihop global configuration command. To disable VPDN multihop capability, use the no form of this command.
vpdn multihop
no vpdn multihop
Syntax Description
This command has no arguments or keywords.
Default
Multihop is not enabled.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3(5)T.
The Cisco Multihop VPDN feature allows you to perform Multichassis Multilink Point-to-Point Protocol (MMP) on a home gateway (HGW) or Layer 2 Tunneling Protocol (L2TP) network server (LNS) in a VPDN scenario. This feature allows sharing tunnel resources between the HGW and LNS routers, and the possibility to offload by default to another router in the network.
The VPDN multihop feature also allows a router configured as a tunnel switch to terminate tunnels from Layer 2 access concentrators (LACs) and forward the sessions through up to four newly established L2TP tunnels. The tunnels are selected using client-supplied matching criteria configured by the vpdn search-order global configuration command.
Before using the vpdn multihop command, refer to the Dial Solutions Configuration Guide to learn more about Multilink PPP and MMP.
Example
The following example shows a configuration where a packet traverses a VPDN tunnel over a service provider link, and then a second tunnel by traversing a hop between home gateways on the corporate network. The bundle owner is Home-Gateway1 and the stack group peer, Home-Gateway2, is specified as a peer (10.10.1.2).
vpdn multihopusername stack password hellotheremultilink virtual-template 1sgbp group stacksgbp member Home-Gateway2 10.10.1.2interface virtual-template 1ip unnumbered e0ppp multilinkppp auth chapRelated Commands
You can use the master indexes or search online to find documentation of related commands.
vpdn enable
vpdn search-ordervpdn outgoing
To specify use of Dialed Number Information Service (DNIS) or use of a domain name when selecting a tunnel for forwarding traffic to the remote host (the home gateway) on a virtual private dialup network, use the vpdn outgoing global configuration command.
vpdn outgoing word | dnis dialed-number
Syntax Description
word
Case-sensitive name of the gateway domain for forwarding traffic.
dnis dialed-number
Dialed number to be used for selecting a specific tunnel for forwarding traffic to a home gateway.
Default
Disabled. No remote names and local names are defined.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.2
The word argument is case sensitive.
This command is usually used on a network access server, not on a home gateway.
When use of the Dialed Number Information Service is enabled and a dialed number is provided, the network service provider can use the dialed number to select a specific tunnel destination.
The domain name can be used to choose a tunnel destination. For example, if a user dials in as "joe@company-a.com," then matching on "company-a.com," a tunnel destination can be chosen.
If both DNIS information and a CHAP or PAP name map to a valid tunnel, the DNIS information is used.
If TACACS+ is used to get tunnel information, the string "dnis:" is prepended to the phone number before attempting to look up the information in AAA.
Examples
The following example selects a tunnel destination based on the domain name:
vpdn outgoing chicago-main go-blueThe following example selects a tunnel destination based on the use of DNIS and a specific dialed number:
vpdn outgoing dnis 2387765 gocardinalRelated Commands
You can use the master indexes or search online to find documentation of related commands.
vpdn enable
vpdn history failurevpdn search-order
To specify how the service provider's network access server is to perform VPDN tunnel authorization searches, use the vpdn search-order global configuration command. To remove a prior specification, use the no form of the command.
vpdn search-order {dnis domain | domain dnis | domain | dnis}
no vpdn search-orderSyntax Description
Default
When this command is not used, the default is to search first on the Dialed Number Information Service (DNIS) information provided on ISDN lines and then search on the domain name. This is equivalent to using the vpdn search-order dnis domain command.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3.
VPDN authorization searches are performed only as specified.
The configuration shows the vpdn search-order command setting only if the command is explicitly configured.
Example
The following example configures a network access server to select a tunnel destination based on the use of DNIS and a specific dialed number and to perform tunnel authorization searches based on the DNIS information only.
vpdn enablevpdn outgoing dnis 2387765 gocardinal ip 170.16.44.56vpdn search-order dnisRelated Commands
You can use the master indexes or search online to find documentation of related commands.
vpdn outgoing
vpdn source-ip
To set the source IP address of the network access server, use the vpdn source-ip global configuration command.
vpdn source-ip address
Syntax Description
Default
This command is disabled. No default IP address is provided.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 11.3.
One source IP address is configured on the network access server. The source IP address is configured per network access server, not per domain.
Example
This example enables VPDN on the network access server and sets an IP source address of 171.4.48.3.
vpdn enablevpdn source-ip 171.4.48.3Related Commands
You can use the master indexes or search online for documentation of related commands.
vpdn enable
