VPDN Group Session Limiting
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Before the introduction of the Virtual Private Dial Network (VPDN) Group Session Limiting feature, you could only globally limit the number of VPDN sessions on a router with limits applied equally to all VPDN groups. Using the VPDN Group Session Limiting feature, you can limit the number of VPDN sessions allowed per VPDN group. This feature is implemented with the introduction of the session-limit number command in VPDN configuration mode. VPDN group session limiting is applied after the global VPDN session limiting (which is configured via the vpdn session-limit session command in configuration mode) is enforced.
The VPDN group session limiting feature offers the following benefits:
Limits Number of Sessions VPDN Group Can Terminate
The VPDN Group Session Limiting feature gives more control to network administrators by enabling them to limit how many sessions a VPDN group can terminate.
Enables Finer Configuration Granularity
This feature enables service providers to cater to all types of organizations, large or small, by enabling finer configuration granularity.
The following restrictions apply to the VPDN Group Session Limiting feature:
•VPDN group session limiting cannot be configured on an L2TP Access Concentrator (LAC) or L2F Network Access Server (NAS).
•The range of legal values for number is from 0 to 32767.
•VPDN group session limiting applies only to L2F and L2TP sessions.
Related Features and Technologies
•Shell-Based Authentication of VPDN Users
•Accounting of VPDN Disconnect Cause
•Resource Pool Management
•Resource Pool Management
•"Configuring Virtual Private Networks" section of the Cisco IOS Dial Services Configuration Guide: Network Services
•Cisco IOS Dial Services Command Reference
•Cisco 7200 series
•Cisco 7401 ASR router
Supported Standards, MIBs, and RFCs
No new or modified standards are supported by this feature.
No new or modified MIBs are supported by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
No new or modified RFCs are supported by this feature.
A VPDN group must be created before the session-limit command can be configured in VPDN group configuration mode. You must also configure the accept-dialin command or the request-dialout command before VPDN group session limiting can be configured.
See the following section for the configuration task necessary to configure the VPDN Group Session Limiting feature:
•Configuring VPDN Group Session Limiting (required)
Configuring VPDN Group Session Limiting
To configure VPDN group session limiting, follow the steps in the table below, beginning in global configuration mode:
Verifying VPDN Group Session Limiting
Follow the steps below to verify the successful configuration of VPDN group session limiting:
Step 1 Enter the session-limit 1 command in VPDN configuration mode.
Step 2 Establish a VPDN session by dialing in to the network access server (NAS) using an allowed username and password.
Step 3 Attempt to establish another VPDN session by dialing in to the NAS using another allowed username and password.
Step 4 A syslog message similar to the following should appear on the console of the router:
00:11:17: %VPDN-6-MAX_SESS_EXCD:L2F HGW great_went has exceeded configured local session-limit and rejected user firstname.lastname@example.org
Step 5 Enter the show vpdn history failure command on the router. If you see output similar to the following, the group session limit was successful:
User: email@example.com
NAS: cliford_ball, IP address = 172.25.52.8, CLID = 2
Gateway: great_went, IP address = 172.25.52.7, CLID = 13
Log time: 00:04:21, Error repeat count:1
Failure type: Exceeded configured VPDN maximum session limit
Failure reason:
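The rejection message from Step 4 can also be picked out of collected router logs instead of being watched for on the console. The following Python sketch is an added example, not Cisco code: the field layout in the pattern is inferred from the single sample message above, and the log lines, user names, and function names are constructed for illustration.

```python
import re
from collections import Counter

# Pattern inferred from the one sample message in Step 4 (assumption):
# timestamp, protocol, role, local hostname, rejected user.
MAX_SESS_EXCD = re.compile(
    r"^(?P<ts>.*?): %VPDN-6-MAX_SESS_EXCD:\s*"
    r"(?P<proto>L2F|L2TP) (?P<role>\S+) (?P<host>\S+) has exceeded configured "
    r"local session-limit and rejected user (?P<user>\S+)\s*$"
)

# Constructed log excerpt: three rejections and one unrelated message.
SAMPLE_LOG = """\
00:11:17: %VPDN-6-MAX_SESS_EXCD:L2F HGW great_went has exceeded configured local session-limit and rejected user user1@example.org
00:11:40: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
00:12:02: %VPDN-6-MAX_SESS_EXCD:L2F HGW great_went has exceeded configured local session-limit and rejected user user2@example.org
00:12:05: %VPDN-6-MAX_SESS_EXCD:L2F HGW great_went has exceeded configured local session-limit and rejected user user1@example.org
"""

def parse_rejections(log_text):
    """Return one dict per session-limit rejection found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = MAX_SESS_EXCD.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def repeated_rejections(events, threshold=2):
    """Return (host, user) pairs rejected at least `threshold` times.

    Repeats suggest the limit is too low for legitimate demand or that one
    account keeps retrying against a group that is already full.
    """
    counts = Counter((e["host"], e["user"]) for e in events)
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = parse_rejections(SAMPLE_LOG)
    print(len(found), "rejections;", repeated_rejections(found))
```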
Monitoring and Maintaining VPDN Group Session Limiting
Use the following commands to monitor and maintain VPDN group session limiting:
This section provides the following configuration examples:
Configuring VPDN Group Session Limiting:Example
In the example below, VPDN group "abc" is created and restricted to three sessions:
Router# configure terminal
Router(config)# vpdn-group abc
Router(config-vpdn)# accept-dialin
Router(config-vpdn-acc-in)# protocol l2tp
Router(config-vpdn-acc-in)# virtual-template 5
Router(config-vpdn-acc-in)# exit
Router(config-vpdn)# terminate-from hostname host1
Router(config-vpdn)# session-limit 3
Router(config-vpdn)# end
Router# show vpdn-group abc
This section documents the modified command
To limit the number of sessions that are allowed through a specified virtual private dialup network (VPDN) group, use the session-limit command in VPDN group configuration mode. To remove a configured session limit restriction, use the no form of this command.
no session-limit number
Specifies the number of sessions allowed through a specified VPDN group. The number of sessions can range from 0 to 32767.
No default behavior or values.
VPDN group configuration
Use this command to limit the number of allowed sessions for a specified VPDN group. If the session-limit command is configured to 0, no sessions are allowed on the VPDN group.
This command works independently from the vpdn session-limit command used in global configuration mode. Using the vpdn session-limit command in global configuration mode, you can restrict the total number of sessions allowed on all VPDN groups. VPDN group session limiting is configured in VPDN group configuration mode.
Global VPDN session limiting and VPDN group session limiting work independently, but global VPDN session limiting is enforced before individual VPDN group limiting. For example, if you apply the vpdn session-limit 2 command in global configuration mode and the session-limit 3 command in VPDN group configuration mode to the VPDN group named group1, no more than two calls are allowed in the VPDN group group1.
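The interaction between the two limits can be checked offline against a saved configuration. The following Python sketch is an added example, not Cisco code: the configuration fragment, group names, and function name are constructed, and the "ceiling" it reports is the smaller of the global and group limits, which models the statement above that the global limit is enforced first.

```python
import re

# Constructed running-config fragment (not from the page); names are placeholders.
SAMPLE_CONFIG = """\
vpdn session-limit 2
!
vpdn-group group1
 accept-dialin
  protocol l2tp
  virtual-template 5
 terminate-from hostname host1
 session-limit 3
!
vpdn-group group2
 accept-dialin
 terminate-from hostname host2
!
vpdn-group group3
 accept-dialin
 session-limit 0
"""

def audit_session_limits(config_text):
    """Map each vpdn-group to (group limit, effective ceiling, note)."""
    global_limit, groups, current = None, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vpdn session-limit (\d+)", line):
            global_limit = int(m.group(1))
        elif m := re.fullmatch(r"vpdn-group (\S+)", line):
            current = m.group(1)
            groups[current] = None          # no group limit seen yet
        elif not raw.startswith(" "):
            current = None                  # left the vpdn-group block
        elif current and (m := re.fullmatch(r"session-limit (\d+)", line)):
            groups[current] = int(m.group(1))
    report = {}
    for name, limit in groups.items():
        caps = [c for c in (global_limit, limit) if c is not None]
        ceiling = min(caps) if caps else None
        if limit is None:
            note = "no group limit; only the global limit applies"
        elif global_limit is not None and limit > global_limit:
            note = "group limit exceeds global limit, which is enforced first"
        else:
            note = "no sessions allowed" if limit == 0 else "group limit applies"
        report[name] = (limit, ceiling, note)
    return report
```

Because the global limit is shared by all groups, the ceiling reported for a group is an upper bound, not a guaranteed allocation.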
The following example creates a VPDN group named group1, creates virtual template 5, and restricts the VPDN group group1 to three sessions:
Router(config)# vpdn-group group1
Router(config-vpdn)# accept-dialin
Router(config-vpdn-acc-in)# protocol l2tp
Router(config-vpdn-acc-in)# virtual-template 5
Router(config-vpdn-acc-in)# exit
Router(config-vpdn)# terminate-from hostname host1
Router(config-vpdn)# session-limit 3
Copyright © 2005 Cisco Systems, Inc. All rights reserved.