Downloads |
Table Of Contents
L2TP Tunnel Management Enhancements
Supported Standards, MIBs, and RFCs
Configuring Tunnel Sharing—Local Method
Configuring Tunnel Sharing—RADIUS Service Profile
Verifying the RADIUS Service Profile
Limiting the Number of Sessions per Tunnel—Local Method
Verifying Sessions per Tunnel Limiting via the Local Method
Limiting the Number of Sessions per Tunnel—RADIUS Service Profile
Verifying the RADIUS Service Profile
Local Method of Tunnel Sharing
RADIUS Service Profiles with Tunnel Sharing
Local Method of Sessions per Tunnel Limiting
RADIUS Service Profile Including Sessions per Tunnel Limiting
L2TP Tunnel Management Enhancements
This feature module describes enhancements to L2TP tunnel management. It includes information on the benefits of the enhancements, supported platforms, related documents, and configuration.
This document includes the following sections:
•
Supported Standards, MIBs, and RFCs
Feature Overview
The L2TP tunnel management enhancements include the following features:
•
•
Benefits
Tunnel Reduction
Tunnel Sharing reduces the number of tunnels required from the L2TP access concentrator (LAC). When used with the L2TP Tunnel Switching feature, Tunnel Sharing also reduces the number of tunnels to an L2TP network server (LNS). While improving tunnel management, Tunnel Sharing helps to reduce the number of tunnel establishment messages that are sent after interface dropouts, reducing dropout recovery time.
Session Limiting Without Resource Pool Management
Prior to this release, the limit option of the initiate-to command was valid only when resource pool management (RPM) was enabled. The limit option also set the maximum number of sessions from the router to the specified IP address.
Sessions per Tunnel Limiting allows session limiting without RPM, and it limits the number of sessions per L2TP tunnel.
Sessions per PVC Limiting
Sessions per Tunnel Limiting enables you to limit the number of sessions ultimately carried by one ATM PVC.
Predictable Corporate Router Utilization
Because the Sessions per Tunnel Limiting feature enables you to specify the maximum number of VPDN sessions terminating at any L2TP network server (LNS), you can keep corporate router utilization at a more predictable level.
Related Documents
•
•
•
Supported Platforms
The Sessions per Tunnel Limiting feature is supported on the Cisco 6400 UAC.
Supported Standards, MIBs, and RFCs
Standards
None
MIBs
No new or modified MIBs are supported by this feature.
RFCs
No new or modified RFCs are supported by this feature.
Configuration Tasks
The following sections describe two methods of implementing each L2TP tunnel management feature:
•
•
•
•
Configuring Tunnel Sharing—Local Method
To implement the tunnel sharing feature, complete the following steps on the NRP-LAC beginning in global configuration mode:
Step 1
Router(config)# vpdn-group number
Selects the VPDN group.
Step 2
Router(config-vpdn)# request-dialin
Enables the LAC to request L2TP tunnels to the LNS. Enters VPDN request-dialin group mode.
Step 3
Router(config-vpdn-req-in)# protocol l2tp
Specifies the Layer 2 Tunnel Protocol.
Step 4
Router(config-vpdn-req-in)# multihop hostname ingress-tunnel-nameor
Router(config-vpdn-req-in)# domain domain-nameor
Router(config-vpdn-req-in)# dnis dnis-numberInitiates a tunnel based on the LAC's host name or ingress tunnel ID.
Initiates a tunnel based on the client-supplied domain name.
Initiates a tunnel based on the user's DNIS number.
Note
Step 5
Router(config-vpdn-req-in)# exit
Returns to VPDN group mode.
Step 6
Router(config-vpdn)# initiate-to ip ip-address
[priority priority-number]Specifies the LNS IP address. Optionally specifies the priority of the IP address (1 is highest).
Step 7
Router(config-vpdn)# tunnel share
Enables tunnel sharing among the keys entered in Step 4.
Verifying Tunnel Sharing
Enter the show running-config EXEC command to check that you successfully enabled the tunnel sharing feature.
Configuring Tunnel Sharing—RADIUS Service Profile
To implement the tunnel sharing feature, enter the following Cisco-AVpair attributes in the RADIUS service profile.
VPDN Group
This attribute specifies the group to which the service belongs. All services with matching group names are considered members of the same VPDN group.
Cisco-AVpair = "vpdn:vpdn-group=group-name"
Syntax Description
Example (RADIUS Freeware Format)
Cisco-AVpair="vpdn:vpdn-group=group1"Example (CiscoSecure ACS for UNIX)
9,1="vpdn:vpdn-group=group1"Tunnel Share
This attribute indicates that the tunnel sharing feature is enabled for the service.
Cisco-AVpair = "vpdn:tunnel-share=yes"
Syntax Description
This attribute has no arguments or keywords.
Example (RADIUS Freeware Format)
Cisco-AVpair="vpdn:tunnel-share=yes"Example (CiscoSecure ACS for UNIX)
9,1="vpdn:tunnel-share=yes"Verifying the RADIUS Service Profile
To verify the RADIUS service profile, refer to the user documentation for your RADIUS server.
Limiting the Number of Sessions per Tunnel—Local Method
To limit the number of sessions per tunnel without using a RADIUS server, complete the following steps on the NRP-LAC beginning in global configuration mode:
Verifying Sessions per Tunnel Limiting via the Local Method
Step 1
Step 2
Router# show vpdn tunnelL2TP Tunnel Information (Total tunnels 50 sessions 2000)LocID RemID Remote Name State Remote Address Port Sessions41234 7811 LNS1 est 10.1.1.1 1701 4020022 2323 LNS1 est 10.1.1.1 1701 4041234 7811 LNS2 est 10.1.2.2 1701 4059765 3477 LNS2 est 10.1.3.3 1701 40...
Limiting the Number of Sessions per Tunnel—RADIUS Service Profile
To use a RADIUS server to limit the number of sessions per tunnel, enter the following Cisco-AVpair attributes in the RADIUS service profile.
VPDN IP Addresses
This attribute specifies the IP addresses of the LNSes to receive the L2TP connections.
Cisco-AVpair = "vpdn:ip-addresses=address1[<delimiter>address2][<delimiter>address3]..."
Syntax Description
In the following example, the LAC will send the first PPP session through a tunnel to 10.1.1.1, the second PPP session to 10.2.2.2, the third to 10.3.3.3. The fourth PPP session will be sent through the tunnel to 10.1.1.1, and so forth. If the LAC fails to establish a tunnel with any of the IP addresses in the first group, then the LAC will attempt to connect to those in the second group (10.4.4.4 and 10.5.5.5).
Example (RADIUS Freeware Format)
Cisco-AVpair="vpdn:ip-addresses=10.1.1.1,10.2.2.2,10.3.3.3/10.4.4.4,10.5.5.5"Example (CiscoSecure ACS for UNIX)
9,1="vpdn:ip-addresses=10.1.1.1,10.2.2.2,10.3.3.3/10.4.4.4,10.5.5.5"VPDN IP Address Limits
This attribute specifies the maximum number of sessions in each tunnel to the IP addresses listed with the vpdn:ip-addresses attribute.
Cisco-AVpair = "vpdn:ip-address-limits=limit1 [limit2] [limit3]... "
Syntax Description
Example (RADIUS Freeware Format)
Cisco-AVpair="vpdn:ip-address-limits=10 20 30 40 50 "Example (CiscoSecure ACS for UNIX)
9,1="vpdn:ip-address-limits=10 20 30 40 50 "
Note
Verifying the RADIUS Service Profile
To verify the RADIUS service profile, refer to the user documentation for your RADIUS server.
Configuration Examples
This section provides the following configuration examples:
•
•
•
•
Local Method of Tunnel Sharing
In the following example, all sessions that are locally authorized through VPDN group 1 are sent through the same tunnel to 10.1.1.1.
!vpdn-group 1request-dialinprotocol l2tpdomain net1.comdomain net2.cominitiate-to ip 10.1.1.1tunnel share!RADIUS Service Profiles with Tunnel Sharing
In the following example, both the net1.com and net2.com services are members of the "group1" VPDN group. With tunnel sharing enabled in both service profiles, the sessions for net1.com and net2.com will be combined and sent through the same tunnels.
user = net1.com{profile_id = 45profile_cycle = 18member = meradius=Cisco {check_items= {2=cisco}reply_attributes= {9,1="vpdn:tunnel-id=LAC-1"9,1="vpdn:l2tp-tunnel_password=MySecret"9,1="vpdn:tunnel-type=l2tp"9,1="vpdn:ip-addresses=10.10.10.10"9,1="vpdn:vpdn-group=group1"
user = net2.com{profile_id = 45profile_cycle = 18member = meradius=Cisco {check_items= {2=cisco}reply_attributes= {9,1="vpdn:tunnel-id=LAC-1"9,1="vpdn:l2tp-tunnel_password=MySecret"9,1="vpdn:tunnel-type=l2tp"9,1="vpdn:ip-addresses=10.10.10.10"Local Method of Sessions per Tunnel Limiting
In the following example, the LAC initiates up to three tunnels. Each tunnel is limited to 40 sessions.
!vpdn-group 1request-dialinprotocol l2tpdomain net.cominitiate-to ip 10.1.1.1 limit 40initiate-to ip 10.2.2.2 limit 40initiate-to ip 10.2.2.2 limit 40!RADIUS Service Profile Including Sessions per Tunnel Limiting
The following example shows a tunnel service authorization RADIUS service profile, along with the session limiting entry. IP addresses 10.1.1.1 and 10.2.2.2 are assigned priority 1, while IP addresses 10.3.3.3 and 10.4.4.4 are assigned priority 2. Tunnels to 10.1.1.1 are limited to 100 sessions, tunnels to 10.2.2.2 are limited to 200 sessions, tunnels to 10.3.3.3 are limited to 300 sessions, and tunnels to 10.4.4.4 are limited to 400 sessions.
user = net.com{profile_id = 45profile_cycle = 18member = meradius=Cisco {check_items= {2=cisco}reply_attributes= {9,1="vpdn:tunnel-id=LAC-1"9,1="vpdn:l2tp-tunnel_password=MySecret"9,1="vpdn:tunnel-type=l2tp"Command Reference
This section documents the modified command that configures the Sessions per Tunnel Limiting feature.
initiate-to
To specify the IP address that will be tunneled to, use the initiate-to VPDN group command. To remove an IP address from the VPDN group, use the no form of this command.
initiate-to ip ip-address [limit limit-number] [priority priority-number]
no initiate-to [ip ip-address]
Syntax Description
Defaults
Disabled.
Unlimited number of sessions per tunnel.
Command Modes
VPDN Group Mode
Command History
Usage Guidelines
Before you can use this command, you must enable one of the two request VPDN subgroups by using either the request dialin or request dialout command.
A LAC configured to request dial-in can be configured with multiple initiate-to commands to tunnel to more than one IP address.
An LNS configured to request dialout can only be configured with a single initiate-to command. If you enter a second initiate-to command, it will replace the original initiate-to command.
At least one initiate-to command must be configured for the VPDN group initiator services (request-dialin and request-dialout) to function.
Examples
The following example configures VPDN group 1 to request up to three L2TP tunnels to the LNS. This group can tunnel a maximum of 40 sessions per tunnel.
!vpdn-group 1request-dialinprotocol l2tpdomain net.cominitiate-to ip 10.1.1.1 limit 40initiate-to ip 10.2.2.2 limit 40initiate-to ip 10.2.2.2 limit 40!Related Commands
request-dialin
Enables a router to request L2TP tunnels for dial-in.
request-dialout
Enables a router to request L2TP tunnels for dialout calls.
tunnel share
To enable tunnel sharing for a VPDN group, use the tunnel share VPDN group command. To disable tunnel sharing, use the no form of this command.
tunnel share
no tunnel share
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled.
Command Modes
VPDN group
Command History
Examples
In the following example, all sessions that are locally authorized through VPDN group 1 are sent through the same tunnel to 10.1.1.1.
!vpdn-group 1request-dialinprotocol l2tpdomain net1.comdomain net2.cominitiate-to ip 10.1.1.1Related Commands
vpdn-group
Selects the VPDN group.
request-dialin
Enables a router to request L2TP tunnels for dial-in.
initiate-to
Specifies the IP address that calls are tunneled to.
Glossary
B-ISDN—Broadband ISDN. ITU-T communication standards designed to handle high-bandwidth applications such as video. B-ISDN currently uses ATM technology over SONET-based transmission circuits to provide data rates from 155 to 622 Mbps and beyond.
Broadband ISDN—See B-ISDN.
Dialed Number Identification Service—See DNIS.
DNIS—Dialed Number Identification Service. The called party number. Typically, this is a number used by call centers or a central office where different numbers are each assigned to a specific service.
Layer 2 Tunnel Protocol—See L2TP.
L2TP—Layer 2 Tunnel Protocol. An Internet Engineering Task Force (IETF) standards track protocol defined in RFC 2661 that provides tunneling of PPP. Based upon the best features of L2F and PPTP, L2TP provides an industry-wide interoperable method of implementing VPDN.
L2TP Access Concentrator—See LAC.
LAC—L2TP Access Concentrator. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP network server (LNS). The LAC sits between an LNS and a remote system and forwards packets to and from each. Packets sent from the LAC to the LNS requires tunneling with the L2TP protocol as defined in this document. The connection from the LAC to the remote system is either local or a PPP link.
L2TP network server—See LNS.
LNS—L2TP network server. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP access concentrator (LAC). The LNS is the logical termination point of a PPP session that is being tunneled from the remote system by the LAC. Analogous to the Layer 2 Forwarding (L2F) home gateway (HGW).
permanent virtual circuit—See PVC.
permanent virtual connection—See PVC.
PVC—Permanent virtual circuit or connection. Virtual circuit that is permanently established. PVCs save bandwidth associated with circuit establishment and tear down in situations where certain virtual circuits must exist all the time. In ATM terminology, called a permanent virtual connection.
RADIUS—Remote Access Dial-In User Service. Database for authenticating modem and ISDN connections and for tracking connection time.
Remote Access Dial-In User Service—See RADIUS.
tunnel—A virtual pipe between the LAC and LNS that can carry multiple L2TP sessions.
Virtual Private Dialup Networking—See VPDN.
VPDN—Virtual Private Dialup Networking. A system that permits the physical dialup connection to appear to be connected directly to a home network while actually residing elsewhere on the network. A virtual pipe is connected between the physical dialup connections and the termination point at the home network.
