Worldwide [change] |Account |Register |About Cisco
Guest

Hierarchical Navigation

Cisco IOS Software Releases 12.1 Special and Early Deployments

L2TP Tunnel Switching

Downloads

Table Of Contents

L2TP Tunnel Switching

Feature Overview

Benefits

Restrictions

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Configuration Tasks

Enabling VPDN and Multihop Functionality

Verifying VPDN and Multihop Functionality

Terminating the Tunnel from the LAC

Verifying Termination of the Tunnel from the LAC

Mapping the Ingress Tunnel Name to an LNS

Verifying the Ingress Tunnel Name to LNS Map

Performing VPDN Tunnel Authorization Searches by Ingress Tunnel Name

Verifying VPDN Tunnel Authorization Searches by Ingress Tunnel Name

Configuration Examples

LAC-1 Configuration

LAC-2 Configuration

L2TP Tunnel Switch Configuration

LNS Configuration

Command Reference

multihop hostname

vpdn search-order

Glossary


L2TP Tunnel Switching

This feature module describes the L2TP Tunnel Switching feature. It includes information on the benefits of the new feature, supported platforms, related documents, and configuration information.

This document includes the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Configuration Tasks

Configuration Examples

Command Reference

Glossary

Feature Overview

The L2TP Tunnel Switching feature enables the Cisco 6400 NRP to terminate tunnels from LACs and forward the sessions through new L2TP tunnels selected independently of the client-supplied domains. The NRP as a tunnel switch performs VPDN tunnel authorization based on the ingress tunnel names that are mapped to specified LNSes.

Figure 1 shows an example network topology using the L2TP tunnel switching feature.

Figure 1 Example Network Topology Using the L2TP Tunnel Switching Feature

Benefits

Improved Provisioning Scalability

Aggregating LAC tunnels with an L2TP tunnel switch improves provisioning scalability on both the LAC and wholesaler ends.

Improved Permanent Virtual Circuit Interconnect Scalability

In a B-ISDN network, a multihop node can improve PVC interconnect scalability.

Restrictions

When using a RADIUS service profile for tunnel service authorization, the NRP configured as an L2TP tunnel switch must forward all sessions through L2TP tunnels. The L2TP tunnel switch must not terminate any of the sessions.

Related Documents

Layer 2 Tunnel Protocol feature module

VPDN Group Reorganization feature module

Cisco 6400 UAC Software Configuration Guide

Supported Platforms

The L2TP Tunnel Switching feature is supported on the node route processor (NRP) of the Cisco 6400 UAC.

Supported Standards, MIBs, and RFCs

Standards

None

MIBs

None

RFCs

No new or modified RFCs are supported by this feature.

Configuration Tasks

See the following sections for configuration tasks for the L2TP Tunnel Switching feature. All of the listed tasks are required to configure the L2TP tunnel switch.

Enabling VPDN and Multihop Functionality

Terminating the Tunnel from the LAC

Mapping the Ingress Tunnel Name to an LNS

Performing VPDN Tunnel Authorization Searches by Ingress Tunnel Name

Note The NRP as a tunnel switch requires at least two VPDN groups: one to handle incoming tunnels from the LAC, and one to create the L2TP tunnels/sessions to the LNS.

Enabling VPDN and Multihop Functionality

To use the L2TP Tunnel Switching feature, you must first enable VPDN and multihop capabilities by entering the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# vpdn enable

Enables VPDN functionality.

Step 2 

Router(config)# vpdn multihop

Enables VPDN multihop functionality.

Verifying VPDN and Multihop Functionality

To verify that you enabled VPDN and multihop functionality, use the show running-config EXEC command.

Terminating the Tunnel from the LAC

To terminate the tunnel from the LAC, enter the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# username remote-hostname password secret

Configures the secret (password). Must match the secret configured on the LAC.

Step 2 

Router(config)# username local-name password secret

Configures the secret (password). Must match secret in Step 1.

Step 3 

Router(config)# vpdn-group number

Selects the VPDN group.

Step 4 

Router(config-vpdn)# accept-dialin

Accepts incoming L2TP tunnel connections. Enters VPDN accept-dialin group mode.

Step 5 

Router(config-vpdn-acc-in)# protocol l2tp

Specifies the Layer 2 Tunnel Protocol.

Step 6 

Router(config-vpdn-acc-in)# virtual-template number

Specifies the virtual template interface to use to clone the new virtual access interface.

Step 7 

Router(config-vpdn-acc-in)# exit

Returns to VPDN group mode.

Step 8 

Router(config-vpdn)# terminate-from hostname remote-hostname

Specifies the host name of the remote LAC that will be required when accepting a VPDN tunnel. Must match remote-hostname in Step 1.

Step 9 

Router(config-vpdn)# local name local-name

Specifies the local host name of the tunnel. Must match local-name in Step 2.

Verifying Termination of the Tunnel from the LAC

To verify that you successfully configured the tunnel switch to terminate tunnels from the LAC, use the show running-config EXEC command.

Mapping the Ingress Tunnel Name to an LNS

To map the ingress tunnel name to an LNS, complete the following steps beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# username username password secret

Configures the secret (password). Username must match LNS's hostname or tunnel ID. Secret must match the secret configured on the LNS.

Step 2 

Router(config)# username egress-tunnel-name password secret

Configures the secret (password). Must match secret in Step 1.

Step 3 

Router(config)# vpdn-group number

Selects the VPDN group.

Step 4 

Router(config-vpdn)# request-dialin

Enables the tunnel switch to request L2TP tunnels to the LNS. Enters VPDN request-dialin group mode.

Step 5 

Router(config-vpdn-req-in)# protocol l2tp

Specifies the Layer 2 Tunnel Protocol.

Step 6 

Router(config-vpdn-req-in)# multihop hostname
ingress-tunnel-name

Initiates a tunnel based on the LAC's hostname or ingress tunnel ID.

Step 7 

Router(config-vpdn-req-in)# exit

Returns to VPDN group mode.

Step 8 

Router(config-vpdn)# initiate-to ip ip-address
[limit limit-number] [priority priority-number]

Specifies the LNS. Optionally specifies the maximum number of sessions per tunnel as well as the priority of the IP address (1 is highest).

Step 9 

Router(config-vpdn)# local name egress-tunnel-name

Specifies the local host name of the tunnel. Must match egress-tunnel-name in Step 2.

Verifying the Ingress Tunnel Name to LNS Map

To verify that you successfully mapped the ingress tunnel name to the LNS, use the show running-config EXEC command.

Performing VPDN Tunnel Authorization Searches by Ingress Tunnel Name

To specify how to perform VPDN tunnel authorization searches, enter the following command in global configuration mode:

Command
Purpose

Router(config)# vpdn search-order multihop-hostname [domain]

Specifies a search by the configured ingress tunnel name. Optionally specifies to search by domain or DNIS if the first search type fails.


Verifying VPDN Tunnel Authorization Searches by Ingress Tunnel Name

To verify that you successfully configured the tunnel switch to perform VPDN tunnel authorization searches by ingress tunnel name, use the show running-config EXEC command.

Configuration Examples

The examples in this section show the configurations necessary for the basic L2TP tunnel switch topology shown in Figure 2. In this topology, a tunnel switch terminates tunnels from two LACs and forwards all the sessions through one tunnel to the LNS.

Figure 2 Example L2TP Tunnel Switch Topology

This section provides the following configuration examples:

LAC-1 Configuration

LAC-2 Configuration

L2TP Tunnel Switch Configuration

LNS Configuration

LAC-1 Configuration

In the following example, LAC-1 performs tunnel authorization based on domain name and initiates a tunnel to the L2TP tunnel switch: 

!

vpdn enable

!

username net.com password Secret1

username Tunnel-Switch-In password Secret1

!

vpdn-group 1

 request-dialin

  protocol l2tp

  domain service1.net.com

 initiate-to ip 10.1.1.1

 local name net.com

!

LAC-2 Configuration

In the following example, LAC-2 also performs tunnel authorization based on domain name and initiates a tunnel to the L2TP tunnel switch: 

!

vpdn enable

!

username net.com password Secret2

username Tunnel-Switch-In password Secret2

!

vpdn-group 1

 request-dialin

  protocol l2tp

  domain service2.net.com

 initiate-to ip 10.1.1.1

 local name net.com

!

L2TP Tunnel Switch Configuration

In the following example, the NRP is configured as an L2TP tunnel switch. VPDN groups 1 and 2 are used to terminate the tunnels from the LAC. VPDN group 11 is used to initiate the tunnel to the LNS, and it performs tunnel authorization based on the configured ingress tunnel name. 

!

vpdn enable

vpdn multihop

vpdn search-order multihop-hostname domain

!

username net.com password Secret1

username Tunnel-Switch-In password Secret1

username net.com password Secret2

username Tunnel-Switch-In password Secret2

username LNS password Secret3

username Tunnel-Switch-Out password Secret3

!

vpdn-group 1

 accept-dialin

  protocol l2tp

  virtual-template 1

 terminate-from hostname net.com

 local name Tunnel-Switch-In

!

vpdn-group 11

 request-dialin

  protocol l2tp

  multihop hostname net.com

 initiate-to ip 10.2.2.2 

 local name Tunnel-Switch-Out

!

interface ATM 0/0/0.1001 point-to-point

 ip address 10.1.1.1 255.255.255.0

 pvc 5/10

 encapsulation aal5snap

!


interface Virtual-Template 1

 ip unnumbered FastEthernet 0/0/0

 no ip directed-broadcast

 no keepalive

 no peer default ip address

 ppp authentication chap

!

LNS Configuration

In the following example, the LNS terminates the tunnel from the L2TP tunnel switch: 

vpdn enable

!

username LNS password Secret3

username Tunnel-Switch-Out password Secret3

!

vpdn-group 1

 accept-dialin

  protocol l2tp

  virtual-template 1

 terminate-from hostname Tunnel-Switch

 local name LNS

!

interface Virtual-Template 1

 ip unnumbered FastEthernet 0/0/0

 no ip directed-broadcast

 ip mroute-cache

 no keepalive

 peer default ip address pool pool-1

 ppp authentication chap

!

Command Reference

This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.

multihop hostname

vpdn search-order

multihop hostname

To enable the L2TP tunnel switch to initiate a tunnel based on the LAC host name or ingress tunnel ID, use the multihop hostname VPDN request-dialin group configuration mode command. To disable this option, use the no form of this command.

multihop hostname ingress-tunnel-name

no multihop hostname ingress-tunnel-name

Syntax Description

ingress-tunnel-name

LAC hostname or ingress tunnel ID.


Defaults

No default behavior or values.

Command Modes

VPDN request-dialin group

Command History

Release
Modification

12.1(1) DC1

This command was introduced on the Cisco 6400 NRP.


Examples

The following example enables the L2TP tunnel switch to forward sessions from LAC-1 through an outgoing tunnel to IP address 10.3.3.3: 

!

vpdn-group 11

 request-dialin

  protocol l2tp

  multihop hostname LAC-1

 initiate-to ip 10.3.3.3 

 local name Tunnel-Switch

!

Related Commands

Command
Description

domain domain-name

Selects VPDN group for tunnel initiation based on domain name.

dnis dnis-number

Selects VPDN group for tunnel initiation based on DNIS.


vpdn search-order

To specify how the service provider's NAS is to perform VPDN tunnel authorization searches, use the vpdn search-order global configuration command. To remove a prior specification, use the no form of the command.

vpdn search-order {multihop-hostname [domain] [dnis] | domain [dnis] [multihop-hostname] | dnis [domain] [multihop-hostname]}

no vpdn search-order {multihop-hostname [domain] [dnis] | domain [dnis] [multihop-hostname] | dnis [domain] [multihop-hostname]}

Syntax Description

multihop-hostname

Specifies a search on LAC host name or ingress tunnel ID.

domain

Specifies a search on the domain name.

dnis

Specifies a search on the DNIS information.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

11.3(5)AA

This command was introduced.

12.1(1) DC1

The multihop-hostname keyword was added for the Cisco 6400 NRP.


Usage Guidelines

VPDN authorization searches are performed only as specified.

The configuration shows the vpdn search-order command setting only if the command is explicitly configured.

Examples

The following example configures an L2TP tunnel switch to perform each VPDN authorization search by the multihop-hostname, and if unsuccessful, search by the domain name. 

vpdn search-order multihop-hostname domain

Glossary

B-ISDN—Broadband ISDN. ITU-T communication standards designed to handle high-bandwidth applications such as video. B-ISDN currently uses ATM technology over SONET-based transmission circuits to provide data rates from 155 to 622 Mbps and beyond.

DNIS—Dialed Number Identification Service. The called party number. Typically, this is a number used by call centers or a central office where different numbers are each assigned to a specific service.

L2TP—Layer 2 Tunnel Protocol. An Internet Engineering Task Force (IETF) standards track protocol defined in RFC 2661 that provides tunneling of PPP. Based upon the best features of L2F and PPTP, L2TP provides an industry-wide interoperable method of implementing VPDN.

LAC—L2TP Access Concentrator. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP network server (LNS). The LAC sits between an LNS and a remote system and forwards packets to and from each. Packets sent from the LAC to the LNS requires tunneling with the L2TP protocol as defined in this document. The connection from the LAC to the remote system is either local or a PPP link.

LNS—L2TP network server. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP access concentrator (LAC). The LNS is the logical termination point of a PPP session that is being tunneled from the remote system by the LAC. Analogous to the Layer 2 Forwarding (L2F) home gateway (HGW).

NAS—Network access server. A device providing local network access to users across a remote access network such as the PSTN. A NAS can also serve as a LAC, LNS, or both.

PVC—Permanent virtual circuit or connection. Virtual circuit that is permanently established. PVCs save bandwidth associated with circuit establishment and tear down in situations where certain virtual circuits must exist all the time. In ATM terminology, called a permanent virtual connection.

VPDN—Virtual Private Dialup Networking. A system that permits the physical dialup connection to appear to be connected directly to a home network while actually residing elsewhere on the network. A virtual pipe is connected between the physical dialup connections and the termination point at the home network.