Table Of Contents
l2f ignore-mid-sequence
l2f tunnel busy timeout
l2f tunnel retransmit initial retries
l2f tunnel retransmit retries
l2f tunnel timeout setup
l2tp drop out-of-order
l2tp hidden
l2tp ip udp checksum
l2tp security crypto-profile
l2tp sequencing
l2tp tunnel authentication
l2tp tunnel bearer capabilities
l2tp tunnel busy timeout
l2tp tunnel framing capabilities
l2tp tunnel hello
l2tp tunnel password
l2tp tunnel receive-window
l2tp tunnel retransmit initial retries
l2tp tunnel retransmit initial timeout
l2tp tunnel retransmit retries
l2tp tunnel retransmit timeout
l2tp tunnel timeout no-session
l2tp tunnel timeout setup
l2tp tunnel zlb delay
lcp renegotiation
limit base-size
limit overflow-size
line-power
loadsharing
local name
logging event nfas-status
loopback (controller el)
loopback local (controller)
loopback local (interface)
loopback remote (controller)
l2f ignore-mid-sequence
To configure the router to ignore multiplex ID (MID) sequence numbers for sessions in a Layer 2 Forwarding (L2F) tunnel, use the l2f ignore-mid-sequence command in VPDN group or VPDN template configuration mode. To remove the ability to ignore MID sequencing, use the no form of this command.
l2f ignore-mid-sequence
no l2f ignore-mid-sequence
Syntax Description
This command has no arguments or keywords.
Command Default
MID sequence numbers are not ignored.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
11.3(5)AA
|
This command was introduced.
|
12.0(1)T
|
This command was integrated into Cisco IOS Release 12.0(1)T.
|
Usage Guidelines
This command applies only to L2F initiated tunnels and control packets for initial link control protocol (LCP) tunnel negotiation.
This command is not required when both tunnel endpoints are Cisco equipment, and is required only if MID sequence numbering is not supported by third-party hardware.
Examples
The following example configures the VPDN group named group1 to ignore MID sequencing for L2F sessions between a Cisco router and a non-Cisco hardware device that does not support MID sequencing:
Related Commands
Command
|
Description
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2f tunnel busy timeout
To configure the amount of time that the router will wait before attempting to recontact a Layer 2 Forwarding (L2F) peer that was previously busy, use the l2f tunnel busy timeout command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
l2f tunnel busy timeout seconds
no l2f tunnel busy timeout
Syntax Description
seconds
|
Time, in seconds, to wait before checking for router availability. This value can range from 5 to 6000. The default value is 60.
|
Command Default
The router will wait 60 seconds before attempting to recontact a previously busy peer.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.2(4)T
|
This command was introduced.
|
12.2(11)T
|
This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco 1760, Cisco AS5300, Cisco AS5400, and Cisco AS5800 platforms.
|
Examples
The following example configures the router to leave an L2F peer on the busy list for 90 seconds. This configuration applies only to tunnels associated with the virtual private dialup network (VPDN) group named group 1.
l2f tunnel busy timeout 90
Related Commands
Command
|
Description
|
l2f tunnel retransmit initial retries
|
Configures the number of times that the router will attempt to send the initial control packet for tunnel establishment before considering an L2F peer busy.
|
l2f tunnel retransmit retries
|
Configures the number of times the router will attempt to resend an L2F tunnel control packet before tearing the tunnel down.
|
l2f tunnel timeout setup
|
Configures the amount of time that the router will wait for a confirmation message after sending out the initial L2F control packet before considering a peer busy.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2f tunnel retransmit initial retries
To configure the number of times that the router will attempt to send the initial control packet for tunnel establishment before considering a Layer 2 Forwarding (L2F) peer busy, use the l2f tunnel retransmit initial retries command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
l2f tunnel retransmit initial retries number
no l2f tunnel retransmit initial retries
Syntax Description
number
|
The number of retries that will be attempted, ranging from 1 to 1000. The default value is 2.
|
Command Default
The router will send the initial control packet twice.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.2(4)T
|
This command was introduced.
|
12.2(11)T
|
This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco 1760, Cisco AS5300, Cisco AS5400, and Cisco AS5800 platforms.
|
Usage Guidelines
This command can be used only if load sharing is enabled.
Examples
The following example configures a dial-in VPDN group on a network access server (NAS) to load balance calls between two tunnel servers, and to attempt to send the initial L2F control packet five times:
initiate-to ip 172.16.0.1 priority 1
initiate-to ip 172.16.1.1 priority 2
l2f tunnel retransmit initial retries 5
Related Commands
Command
|
Description
|
l2f tunnel busy timeout
|
Configures the amount of time that the router will wait before attempting to recontact an L2F peer that was previously busy.
|
l2f tunnel retransmit retries
|
Configures the number of times the router will attempt to resend an L2F tunnel control packet before tearing the tunnel down.
|
l2f tunnel timeout setup
|
Configures the amount of time that the router will wait for a confirmation message after sending out the initial L2F control packet before considering a peer busy.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2f tunnel retransmit retries
To configure the number of times the router will attempt to resend a Layer 2 Forwarding (L2F) tunnel control packet before tearing the tunnel down, use the l2f tunnel retransmit retries command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
l2f tunnel retransmit retries number
no l2f tunnel retransmit retries
Syntax Description
number
|
The number of retries that will be attempted, ranging from 5 to 1000. The default value is 6.
|
Command Default
The router will resend control packets six times.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.2(4)T
|
This command was introduced.
|
12.2(11)T
|
This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco 1760, Cisco AS5300, Cisco AS5400, and Cisco AS5800 platforms.
|
Usage Guidelines
This command does not apply to the initial tunnel setup message or session control packets.
Examples
The following example configures the router to resend L2F tunnel control packets ten times before tearing the tunnel down. This configuration applies only to tunnels associated with the virtual private dialup network (VPDN) group named group1.
l2f tunnel retransmit retries 10
Related Commands
Command
|
Description
|
l2f tunnel busy timeout
|
Configures the amount of time that the router will wait before attempting to recontact an L2F peer that was previously busy.
|
l2f tunnel retransmit initial retries
|
Configures the number of times that the router will attempt to send the initial control packet for tunnel establishment before considering an L2F peer busy.
|
l2f tunnel timeout setup
|
Configures the amount of time that the router will wait for a confirmation message after sending out the initial L2F control packet before considering a peer busy.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2f tunnel timeout setup
To configure the amount of time that the router will wait for a confirmation message after sending out the initial Layer 2 Forwarding (L2F) control packet before considering a peer busy, use the l2f tunnel timeout setup command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
l2f tunnel timeout setup seconds
no l2f tunnel timeout setup
Syntax Description
seconds
|
Time, in seconds, that the router will wait for a return message. This value can range from 5 to 6000. The default value is 10.
|
Command Default
The router will wait 10 seconds for a confirmation message.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.2(4)T
|
This command was introduced.
|
12.2(11)T
|
This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco 1760, Cisco AS5300, Cisco AS5400, and Cisco AS5800 platforms.
|
Usage Guidelines
If the router has not received a confirmation message from the peer device before the tunnel timeout setup timer expires, the peer will be placed on the busy list.
Examples
The following example configures a router to wait 25 seconds for confirmation that the initial L2F control packet was received by the peer. This configuration will apply only to tunnels associated with the virtual private dialup network (VPDN) group named group1.
l2f tunnel timeout setup 25
Related Commands
Command
|
Description
|
l2f tunnel busy timeout
|
Configures the amount of time that the router will wait before attempting to recontact an L2F peer that was previously busy.
|
l2f tunnel retransmit initial retries
|
Configures the number of times that the router will attempt to send the initial control packet for tunnel establishment before considering an L2F peer busy.
|
l2f tunnel retransmit retries
|
Configures the number of times the router will attempt to resend an L2F tunnel control packet before tearing the tunnel down.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp drop out-of-order
To instruct a network access server (NAS) or tunnel server using Layer 2 Tunneling Protocol (L2TP) to drop packets that are received out of order, use the l2tp drop out-of-order command in VPDN group or VPDN template configuration mode. To disable dropping of out-of-sequence packets, use the no form of this command.
l2tp drop out-of-order
no l2tp drop out-of-order
Syntax Description
This command has no arguments or keywords.
Command Default
Out of order packets are not dropped.
Command Modes
VPDN group configuration
VPDN template configuraton
Command History
Release
|
Modification
|
11.3(5)AA
|
This command was introduced.
|
12.0(1)T
|
This command was integrated into Cisco IOS Release 12.0(1)T.
|
Usage Guidelines
This command is valid only for tunnels where sequencing is enabled.
Examples
The following example enables sequencing and configures the router to drop any out-of-order packets that are received on a tunnel associated with the VPDN group named tunnelme:
Related Commands
Command
|
Description
|
l2tp sequencing
|
Enables sequencing for packets sent over an L2TP tunnel.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp hidden
To enable Layer 2 Tunneling Protocol (L2TP) attribute-value (AV) pair hiding, which encrypts the value of sensitive AV pairs, use the l2tp hidden command in VPDN group or VPDN template configuration mode. To disable L2TP AV pair value hiding, use the no form of this command.
l2tp hidden
no l2tp hidden
Syntax Description
This command has no arguments or keywords.
Command Default
L2TP AV pair hiding is disabled.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
11.3(5)AA
|
This command was introduced.
|
12.0(1)T
|
This command was integrated into Cisco IOS Release 12.0(1)T.
|
Usage Guidelines
This command is not required if one-time Password Authentication Protocol (PAP) password authentication is used. This command is useful for additional security if PPP is using PAP or proxy authentication between the L2TP access concentrator (LAC) and Layer 2 Tunneling Protocol Network Server (LNS). When AV pair hiding is enabled, the L2TP hiding algorithm is executed, and sensitive passwords that are used between the L2TP AV pairs are encrypted during PAP or proxy authentication.
In Figure 1, the client initiates a PPP session with the LAC, and tunnel authentication begins. The LAC in turn exchanges authentication requests with the LNS. Upon successful authentication between the LAC and LNS, a tunnel is created. Proxy authentication is done by the LAC using either PAP or Challenge Handshake Authentication Protocol (CHAP). Because PAP username and password information is exchanged between devices in clear-text, it is beneficial to use the l2tp hidden command where L2TP AV pair values are encrypted.
Figure 1 LAC-LNS Proxy Authentication
Examples
The following example encrypts the AV pair value exchanged between the endpoints of tunnels associated with the VPDN group named group1:
Related Commands
Command
|
Description
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp ip udp checksum
To enable IP User Data Protocol (UDP) checksums on Layer 2 Tunneling Protocol (L2TP) data packets, use the l2tp ip udp checksum command in VPDN group or VPDN template configuration mode. To disable IP UDP checksums, use the no form of this command.
l2tp ip udp checksum
no l2tp ip udp checksum
Syntax Description
This command has no arguments or keywords.
Command Default
UDP checksums are not used on L2TP data packets.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
11.3(5)AA
|
This command was introduced.
|
12.0(1)T
|
This command was integrated into Cisco IOS release 12.0(1)T.
|
Usage Guidelines
Enabling IP UDP checksums on data packets causes the switching path to revert to process-level switching, which results in slower performance. The drop in performance may be acceptable if the connection between the network access server (NAS) and the tunnel server is poor. Enabling IP UDP checksums will minimize delays that occur when the ultimate error correction is done end-to-end rather than at the tunnel endpoints.
Examples
The following example enables IP UDP checksums on L2TP data packets for tunnels associated with the virtual private dialup network (VPDN) group named group1:
Related Commands
Command
|
Description
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp security crypto-profile
To configure IP Security (IPSec) protection of Layer 2 Tunnel Protocol (L2TP) sessions associated with a virtual private dialup network (VPDN) group, use the l2tp security crypto-profile command in VPDN group or VPDN template configuration mode. To disable IPSec protection for a VPDN group, use the no form of this command.
l2tp security crypto-profile profile-name [keep-sa]
no l2tp security crypto-profile
Syntax Description
profile-name
|
The name of the crypto profile to be used for IPSec protection of tunneled PPP sessions. The profile-name argument must match the name of a profile configured using the crypto map command.
|
keep-sa
|
(Optional) Controls the destruction of IPSec security associations (SAs) upon tunnel teardown. By default, any IPSec phase 2 SAs and Internet Key Exchange (IKE) phase 1 SAs are destroyed when the L2TP tunnel is torn down. Issuing the keep-sa keyword prevents the destruction of IKE phase 1 SAs.
|
Command Default
IPSec security is disabled.
IKE phase 1 SAs are destroyed on tunnel teardown.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.2(4)T
|
This command was introduced.
|
12.2(11)T
|
This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco 1760, Cisco AS5300, Cisco AS5400, and Cisco AS5800 platforms.
|
Usage Guidelines
A crypto profile must be configured using the crypto map (global IPSec) command before it can be associated with a VPDN group using the l2tp security crypto-profile command. Enabling this command for a VPDN group ensures that no L2TP packets will be processed unless they have IPSec protection.
The keep-sa keyword can be used to prevent the destruction of IKE phase 1 SAs when the L2TP tunnel between the network access server (NAS) and tunnel server is considered permanent, and the IP addresses of the peer devices rarely change. This option is not useful with short-lived tunnels, such as those generated by client-initiated L2TP tunneling.
Examples
The following example configures VPDN group 1, associates it with the crypto profile named l2tp, and prevents the destruction of IKE phase 1 SAs on tunnel teardown:
l2tp security crypto-profile l2tp keep-sa
Related Commands
Command
|
Description
|
crypto map (global IPSec)
|
Enters crypto map configuration mode and creates or modifies a crypto map entry, creates a crypto profile that provides a template for configuration of dynamically created crypto maps, or configures a client accounting list.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp sequencing
To enable sequencing for packets sent over a Layer 2 Tunnel Protocol (L2TP) tunnel, use the l2tp sequencing command in VPDN group or VPDN template configuration mode. To disable sequencing, use the no form of this command.
l2tp sequencing
no l2tp sequencing
Syntax Description
This command has no arguments or keywords.
Command Default
Sequencing is disabled by default. However, if the peer device requests sequencing, it will be enabled.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.1
|
This command was introduced.
|
Usage Guidelines
Use the l2tp sequencing command to control sequencing for packets sent over an L2TP tunnel.
The l2tp sequencing command configuration may be overridden by a request for sequencing from the peer device. The following sections describe the default behavior and sequencing request interactions of the two tunnel endpoints.
Tunnel Initiator
•
By default, sequence numbers are off.
•
By default, the Sequencing Required attribute-value (AV) pair will not be sent from the tunnel initiator to the tunnel terminator.
•
If the tunnel initiator receives data packets from the tunnel terminator that include sequencing numbers, the tunnel initiator will include sequence numbers on data packets regardless of the l2tp sequencing command configuration.
•
Enabling the l2tp sequencing command will cause the tunnel initiator to send the Sequencing Required AV pair to the tunnel terminator and to include sequencing numbers on data packets.
Tunnel Terminator
•
By default, sequence numbers are off.
•
If the tunnel terminator receives the Sequencing Required AV pair from the tunnel initiator, the tunnel terminator will include sequence numbers on data packets regardless of the l2tp sequencing command configuration.
•
Enabling the l2tp sequencing command will cause the tunnel terminator to include sequence numbers.
Examples
The following example configures sequencing on a network access server (NAS) for dial-in L2TP tunnels associated with the VPDN group named tunnelme. The NAS will send the Sequencing Required AV pair to the tunnel server, and sequencing will be enabled on both devices.
Related Commands
Command
|
Description
|
l2tp drop out-of-order
|
Instructs a NAS or tunnel server using L2TP to drop packets that are received out of order.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp tunnel authentication
To enable Layer 2 Tunneling Protocol (L2TP) tunnel authentication, use the l2tp tunnel authentication command in VPDN group or VPDN template configuration mode. To disable L2TP tunnel authentication, use the no form of this command.
l2tp tunnel authentication
no l2tp tunnel authentication
Syntax Description
This command has no arguments or keywords.
Command Default
L2TP tunnel authentication is enabled.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
11.3(5)AA
|
This command was introduced.
|
12.0(1)T
|
This command was integrated into Cisco IOS Release 12.0(1)T.
|
Examples
The following example disables L2TP tunnel authentication for tunnels associated with the virtual private dialup network (VPDN) group named group1:
no l2tp tunnel authentication
The following example reenables L2TP tunnel authentication for tunnels associated with the VPDN group named group1:
l2tp tunnel authentication
Note
L2TP tunnel authentication is enabled by default, so there is no need to enable this command unless it was previously disabled.
Related Commands
Command
|
Description
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp tunnel bearer capabilities
To set the Layer 2 Tunnel Protocol (L2TP) bearer-capability value used by the Cisco router, use the l2tp tunnel bearer capabilities command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
l2tp tunnel bearer capabilities {none | digital | analog | all}
no l2tp tunnel bearer capabilities
Syntax Description
none
|
Specifies that no access types are supported. This is the default value if the accept-dialout command is not configured..
|
digital
|
Specifies that digital access is supported.
|
analog
|
Specifies that analog access is supported.
|
all
|
Specifies that all access types are supported. This is the default value if the accept-dialout command is configured.
|
Command Default
If the accept-dialout command is not configured, no access types are supported.
If the accept-dialout command is configured, all access types are supported.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.2(11)T
|
This command was introduced.
|
Usage Guidelines
By default, Cisco routers use a bearer-capability value of none. If the accept-dialout command is configured, Cisco routers use a bearer-capability value of all. To ensure compatibility with some non-Cisco routers, you may be required to override the default bearer-capability value by configuring the l2tp tunnel bearer capabilities command.
Examples
The following example configures the bearer-capability value to support only digital access for tunnels associated with the virtual private dialup network (VPDN) group named group1:
l2tp tunnel bearer capabilities digital
Related Commands
Command
|
Description
|
accept-dialout
|
Accepts requests to tunnel L2TP dial-out calls and creates an accept-dialout VPDN subgroup.
|
l2tp tunnel framing capabilities
|
Sets the framing-capability value used by the Cisco router.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp tunnel busy timeout
To configure the amount of time that the router will wait before attempting to recontact a Layer 2 Transport Protocol (L2TP) peer that was previously busy, use the l2tp tunnel busy timeout command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
l2tp tunnel busy timeout seconds
no l2tp tunnel busy timeout
Syntax Description
seconds
|
Time, in seconds, to wait before checking for router availability. This value can range from 5 to 6000. The default value is 60.
|
Command Default
The router will wait 60 seconds before attempting to recontact a previously busy peer.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.2(4)T
|
This command was introduced.
|
12.2(11)T
|
This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco 1760, Cisco AS5300, Cisco AS5400, and Cisco AS5800 platforms.
|
Examples
The following example configures tunnels associated with the virtual private dialup network (VPDN) group named group1 to leave an L2TP destination router on the busy list for 90 seconds:
l2tp tunnel busy timeout 90
Related Commands
Command
|
Description
|
l2tp tunnel retransmit initial retries
|
Sets the number of times that the router will attempt to send out the initial control packet for tunnel establishment before considering a router busy.
|
l2tp tunnel retransmit initial timeout
|
Sets the amount of time that the router will wait before resending an initial packet out to establish a tunnel.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp tunnel framing capabilities
To set the Layer 2 Tunnel Protocol (L2TP) framing-capability value used by the Cisco router, use the l2tp tunnel framing capabilities command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
l2tp tunnel framing capabilities {none | synchronous | asynchronous | all}
no l2tp tunnel framing capabilities
Syntax Description
none
|
Specifies that no framing types are supported. This is the default value if the accept-dialout command is not configured.
|
synchronous
|
Specifies that synchronous framing is supported.
|
asynchronous
|
Specifies that asynchronous framing is supported.
|
all
|
Specifies that all framing types are supported. This is the default value if the accept-dialout command is configured.
|
Command Default
If the accept-dialout command is not configured, no framing types are supported.
If the accept-dialout command is configured, all framing types are supported.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.2(11)T
|
This command was introduced.
|
Usage Guidelines
By default, Cisco routers use a framing-capability value of none. If the accept-dialout command is configured, Cisco routers use a framing-capability value of all. To ensure compatibility with some non-Cisco routers, you may be required to override the default framing-capability value by configuring the l2tp tunnel framing capabilities command.
Examples
The following example configures the framing-capability value to support only asynchronous framing for tunnels associated with the virtual private dialup network (VPDN) group named group1:
l2tp tunnel framing capabilities asynchronous
Related Commands
Command
|
Description
|
accept-dialout
|
Accepts requests to tunnel L2TP dial-out calls and creates an accept-dialout VPDN subgroup.
|
l2tp tunnel bearer capabilities
|
Sets the bearer-capability value used by the Cisco router.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp tunnel hello
To set the number of seconds between sending hello keepalive packets for a Layer 2 Tunneling Protocol (L2TP) tunnel, use the l2tp tunnel hello command in VPDN group or VPDN template configuration mode. To disable the sending of hello keepalive packets, use the no form of this command.
l2tp tunnel hello seconds
no l2tp tunnel hello
Syntax Description
seconds
|
The interval, in seconds, that the network access server (NAS) and tunnel server wait before sending the next L2TP tunnel keepalive packet. Valid values range from 0 to 1000. The default value is 60.
|
Command Default
Hello keepalive packets are sent every 60 seconds.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
11.3(5)AA
|
This command was introduced.
|
12.0(1)T
|
This command was integrated into Cisco IOS Release 12.0(1)T.
|
Usage Guidelines
To change the tunnel hello value, reenter the command with the new value.
The L2TP tunnel keepalive timers need not use the same value on both sides of the tunnel. For example, a NAS can use a keepalive value of 30 seconds, and a tunnel server can use the default value of 60 seconds.
Examples
The following example sets the L2TP tunnel hello value to 90 seconds for tunnels associated with the virtual private dialup network (VPDN) group named group1:
Related Commands
Command
|
Description
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp tunnel password
To set the password that the router will use to authenticate Layer 2 Tunnel Protocol (L2TP) tunnels, use the l2tp tunnel password command in VPDN group or VPDN template configuration mode. To remove a previously configured password, use the no form of this command.
l2tp tunnel password password
no l2tp tunnel password
Syntax Description
password
|
String that the router uses for tunnel authentication.
|
Command Default
The password associated with the local name of the router is used to authenticate the tunnel.
If no local name password is configured, the password associated with the hostname of the router is used to authenticate the tunnel.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
11.3(5)AA
|
This command was introduced.
|
12.0(1)T
|
This command was integrated into Cisco IOS Release 12.0(1)T.
|
Usage Guidelines
The password defined with the l2tp tunnel password command is also used for attribute-value (AV) pair hiding.
The password hierarchy sequence that is used for tunnel identification, and subsequently tunnel authentication, is as follows:
•
An L2TP tunnel password is used if one is configured.
•
If no L2TP tunnel password exists, the password associated with the local name of the router is used.
•
If a local name password does not exist, the password associated with the hostname of the router is used.
The username command is used to define the passwords associated with the local name and the hostname.
Examples
The following example configures the L2TP tunnel password, secret, which will be used to authenticate tunnels associated with the virtual private dialup network (VPDN) group named group1:
l2tp tunnel password secret
Related Commands
Command
|
Description
|
hostname
|
Specifies or modifies the hostname for the network server.
|
local name
|
Specifies a local hostname that the tunnel will use to identify itself.
|
l2tp hidden
|
Enables L2TP AV pair hiding, which encrypts the value of sensitive AV pairs.
|
username
|
Establishes a username-based authentication system.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp tunnel receive-window
To configure the number of packets allowed in the local receive window for a Layer 2 Tunnel Protocol (L2TP) control channel, use the l2tp tunnel receive-window command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
l2tp tunnel receive-window packets
no l2tp tunnel receive-window packets
Syntax Description
packets
|
Number of packets allowed in the receive window. Valid values range from 1 to 5000. The default value varies by platform.
|
Command Default
The default size of the control channel receive window is platform-dependent.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.0(7) DC
|
This command was introduced on the Cisco 6400 node route processor (NRP).
|
12.1(1)
|
This command was integrated into Cisco IOS Release 12.1(1).
|
Usage Guidelines
Use the l2tp tunnel receive-window command to set the size of the advertised control channel receive window. The receive window size controls the number of L2TP control packets that can be queued by the system for processing. Increasing the size of the control channel receive window allows the system to open PPP sessions more quickly; a smaller size is desirable on networks that cannot handle large bursts of traffic.
Examples
The following example configures the receive window to hold up to 500 packets for tunnels associated with the virtual private dialup network (VPDN) group named group1:
l2tp tunnel receive-window 500
Related Commands
Command
|
Description
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp tunnel retransmit initial retries
To configure the number of times that the router will attempt to send out the initial Layer 2 Tunnel Protocol (L2TP) control packet for tunnel establishment before considering a peer busy, use the l2tp tunnel retransmit initial retries command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
l2tp tunnel retransmit initial retries number
no l2tp tunnel retransmit initial retries
Syntax Description
number
|
Number of retransmission attempts. Valid values range from 1 to 1000. The default value is 2.
|
Command Default
The router will resend the initial L2TP control packet 2 times.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.2(4)T
|
This command was introduced.
|
12.2(11)T
|
This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco 1760, Cisco AS5300, Cisco AS5400, and Cisco AS5800 platforms.
|
Usage Guidelines
Use the l2tp tunnel retransmist initial retries command to configure the number of times a device will attempt to resend the initial control packet used to establish an L2TP tunnel.
Examples
The following example configures the router to attempt to send the initial L2TP control packet five times for tunnels associated with the virtual private dialup network (VPDN) group named group1:
l2tp tunnel retransmit initial retries 5
Related Commands
Command
|
Description
|
l2tp tunnel busy timeout
|
Configures the amount of time that the router will wait before attempting to recontact a router that was previously busy.
|
l2tp tunnel retransmit initial timeout
|
Configures the amount of time that the router will wait before resending an initial L2TP control packet out to establish a tunnel.
|
l2tp tunnel retransmit retries
|
Configures the number of retransmission attempts made for a L2TP control packet.
|
l2tp tunnel retransmit timeout
|
Configures the amount of time that the router will wait before resending an L2TP control packet.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp tunnel retransmit initial timeout
To configure the amount of time that the router will wait before resending an initial Layer 2 Tunnel Protocol (L2TP) control packet out to establish a tunnel, use the l2tp tunnel retransmit initial timeout command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
l2tp tunnel retransmit initial timeout {min | max} seconds
no l2tp tunnel retransmit initial timeout {min | max}
Syntax Description
min
|
Specifies the minimum time that the router will wait before resending an initial packet.
|
max
|
Specifies the maximum time that the router will wait before resending an initial packet.
|
seconds
|
Timeout length, in seconds, the router will wait before resending an initial packet. Valid values range from 1 to 8. The default minimum value is 1. The default maximum value is 8.
|
Command Default
The router will use the default timeout values specified in the "Syntax Description" section.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.2(4)T
|
This command was introduced.
|
12.2(11)T
|
This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco 1760, Cisco AS5300, Cisco AS5400, and Cisco AS5800 platforms.
|
Usage Guidelines
This command will take effect only when load balancing is enabled.
Control channel retransmissions follow an exponential backoff, starting at the minimum retransmit timeout length specified by the min seconds keyword and argument combination. After each packet that is not acknowledged, the timeout exponentially increases until it reaches the value specified by the max seconds keyword and argument combination. For example, if the minimum timeout length is set to 1 second, the next retransmission attempt occurs 2 seconds later. The following attempt occurs 4 seconds later, and all additional attempts occur in 8-second intervals.
Examples
The following example configures a network access server (NAS) virtual private dialup network (VPDN) group to establish L2TP tunnels that are load balanced across two tunnel servers. The NAS is configured to attempt to recontact a peer with an initial control packet 5 times before considering it busy. The timers are set so that the first attempt to recontact the peer will occur 2 seconds after the initial failure, and the final attempt will occur 7 seconds after the previous failure.
initiate-to ip 172.16.0.1 priority 1
initiate-to ip 172.16.1.1 priority 2
l2tp tunnel retransmit initial retries 5
l2tp tunnel retransmit initial timeout min 2
l2tp tunnel retransmit initial timeout max 7
Related Commands
Command
|
Description
|
l2tp tunnel busy timeout
|
Configures the amount of time that the router will wait before attempting to recontact a router that was previously busy.
|
l2tp tunnel retransmit initial retries
|
Configures the number of times that the router will attempt to send out the initial L2TP control packet for tunnel establishment before considering a peer busy.
|
l2tp tunnel retransmit retries
|
Configures the number of retransmission attempts made for an L2TP control packet.
|
l2tp tunnel retransmit timeout
|
Configures the amount of time that the router will wait before resending an L2TP control packet.
|
vpdn-group
|
Creates a VPDN group and enters VPDN group configuration mode.
|
vpdn-template
|
Creates a VPDN template and enters VPDN template configuration mode.
|
l2tp tunnel retransmit retries
To configure the number of retransmission attempts made for a Layer 2 Tunnel Protocol (L2TP) control packet, use the l2tp tunnel retransmit retries command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
l2tp tunnel retransmit retries number
no l2tp tunnel retransmit retries number
Syntax Description
number
|
Number of retransmission attempts. Valid values range from 5 to 1000 retries. The default value is 10.
|
Command Default
The router will resend control packets ten times.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release
|
Modification
|
12.0(7) DC
|
This command was introduced on the Cisco 6400 node route processor (NRP).
|
12.1(1)
|
This command was integrated into Cisco IOS Release 12.1(1).
|
Usage Guidelines
Use the l2tp tunnel retransmist retries command to configure the number of times a device will attempt to resend an L2TP control packet.
Examples
The following example tunnels associated with the virtual private dialup network (VPDN) group named group1 to make eight retransmission attempts:
l2tp tunnel retransmit retries 8
Related Commands