Cisco IOS Dial Technologies Command Reference, Release 12.3
Dial Technologies Commands: shutdown through X

Table Of Contents

shutdown (port)

shutdown (spe)

signaling-class cas

snapshot client

snapshot server

source-ip (VPDN)

source template

source vpdn-template

spe

spe call-record modem

spe country

spe download maintenance

spe log-size

spe recovery

start-character

start-chat

stop-character

subscriber access

subscriber authorization enable

tdm clock priority

tdm-group

template

terminate-from

test modem back-to-back

test port modem back-to-back

timeout absolute

timer

trunk group (global)

tunnel

virtual-profile if-needed

virtual-profile virtual-template

virtual-template

vpdn aaa attribute

vpdn aaa override-server

vpdn aaa untagged

vpdn authen-before-forward

vpdn authorize directed-request

vpdn authorize domain

vpdn domain-delimiter

vpdn enable

vpdn group

vpdn history failure

vpdn incoming

vpdn ip udp ignore checksum

vpdn logging

vpdn multihop

vpdn outgoing

vpdn pmtu

vpdn profile

vpdn redirect identifier

vpdn redirect attempts

vpdn redirect identifier

vpdn redirect source

vpdn search-order

vpdn session-limit

vpdn softshut

vpdn source-ip

vpdn-group

vpdn-template

vpn

vty-async

vty-async dynamic-routing

vty-async header-compression

vty-async ipx ppp-client loopback

vty-async keepalive

vty-async mtu

vty-async ppp authentication

vty-async ppp use-tacacs

vty-async virtual-template

x25 aodi

x25 map ppp


shutdown (port)

To disable a port, use the shutdown command in port configuration mode. To change the administrative state of a port from out-of-service to in-service, use the no form of this command.

shutdown

no shutdown

Syntax Description

This command has no arguments or keywords.

Defaults

Port is enabled.

Command Modes

Port configuration

Command History

Release        Modification
12.1(1)XD      This command was introduced on the Cisco AS5400.
12.1(3)T       This command was implemented on the Cisco AS5800.
12.1(5)XM1     This command was implemented on the Cisco AS5350.
12.2(11)T      This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco AS5350.


Usage Guidelines

The shutdown command disables a port.


Note: The shutdown command is similar to the modem shutdown MICA technologies modem command.


Examples

The following example disables ports 1 to 18 and then reenables them:

router(config)# port 1/1 1/18
router(config-port)# shutdown
router(config-port)# no shutdown

Related Commands

Command           Description
busyout (port)    Disables a port by causing the system to wait for the active services on the port to terminate.
clear port        Resets the NextPort port and clears any active call.
clear spe         Reboots all specified SPEs.
modem shutdown    Abruptly shuts down an active or idle modem installed in an access server or router.
show spe          Displays history statistics of all SPEs, a specified SPE, or the specified range of SPEs.


shutdown (spe)

To take a service processing element (SPE) out of service, use the shutdown command in SPE configuration mode. To change the administrative state of this SPE from down to up, use the no form of this command.

shutdown

no shutdown

Syntax Description

This command has no arguments or keywords.

Defaults

SPE is in service.

Command Modes

SPE configuration

Command History

Release        Modification
12.1(1)XD      This command was introduced on the Cisco AS5400.
12.1(3)T       This command was implemented on the Cisco AS5800.
12.1(5)XM1     This command was implemented on the Cisco AS5350.
12.2(11)T      This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco AS5350.


Examples

The following example disables SPE ports 1 to 18 and then reenables them:

Router(config)# spe 1/1 1/18
Router(config-spe)# shutdown
Router(config-spe)# no shutdown

Related Commands

Command           Description
busyout (port)    Disables a port by causing the system to wait for the active services on the port to terminate.
clear spe         Reboots all specified SPEs.
show spe          Displays history statistics of all SPEs, a specified SPE, or the specified range of SPEs.


signaling-class cas

To define a signaling class with a template formed by directives guiding the Call Service Module (CSM) to process the digit sequence, use the signaling-class cas command in global configuration mode. To remove the signaling class assignment, use the no form of this command.

signaling-class cas name

no signaling-class cas name

Syntax Description

name

The signaling class name, which specifies the template that processes the ANI/DNIS delimiter.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release        Modification
12.1(1)T       This command was introduced.


Usage Guidelines

The signaling class is referred to by the name argument.

Examples

The following example enables the signaling-class cas command:

signaling-class cas test
 profile incoming S<*a<*d<*n
controller T1 1/0/1
 cas-custom 1
 class test

Related Commands

Command               Description
class (controller)    Activates the signaling-class cas command.
profile incoming      Defines a template formed by directives guiding the CSM to process the digit sequence for a signaling class.


snapshot client

To configure a client router for snapshot routing, use the snapshot client command in interface configuration mode. To disable a client router, use the no form of this command.

snapshot client active-time quiet-time [suppress-statechange-updates] [dialer]

no snapshot client active-time quiet-time [suppress-statechange-updates] [dialer]

Syntax Description

active-time

Amount of time, in minutes, that routing updates are regularly exchanged between the client and server routers. This can be an integer ranging from 5 to 100. There is no default value. A typical value is 5 minutes.

quiet-time

Amount of time, in minutes, that routing entries are frozen and remain unchanged between active periods. Routes are not aged during the quiet period, so they remain in the routing table as if they were static entries. This argument can be an integer ranging from 8 to 100000. There is no default value. The minimum quiet time is generally the active time plus 3.

suppress-statechange-updates

(Optional) Disables the exchange of routing updates each time the line protocol goes from "down" to "up" or from "dialer spoofing" to "fully up."

dialer

(Optional) Specifies that the client router dials up the remote router in the absence of regular traffic.


Defaults

Snapshot routing is disabled.

The active-time and quiet-time arguments have no default values.

Command Modes

Interface configuration

Command History

Release        Modification
10.3           This command was introduced.


Usage Guidelines

The value of the active-time argument must be the same for the client and server routers.

To specify that the remote server routers be called by this client router during each active period, use the dialer map snapshot command.

Examples

The following example configures a client router for snapshot routing:

interface dialer 1
 snapshot client 5 600 suppress-statechange-updates dialer

Related Commands

Command                Description
clear resource-pool    Ends the quiet period on a client router within 2 minutes.
dialer map snapshot    Defines a dialer map for the Cisco snapshot routing protocol on a client router connected to a DDR interface.
show snapshot          Displays snapshot routing parameters associated with an interface.
snapshot client        Configures a client router for snapshot routing.
snapshot server        Configures a server router for snapshot routing.


snapshot server

To configure a server router for snapshot routing, use the snapshot server command in interface configuration mode. To disable a server router, use the no form of this command.

snapshot server active-time [dialer]

no snapshot server active-time [dialer]

Syntax Description

active-time

Amount of time, in minutes, that routing updates are regularly exchanged between the client and server routers. This can be an integer ranging from 5 to 100. There is no default value. A typical value is 5 minutes.

dialer

(Optional) Specifies that the client router dials up the remote router in the absence of regular traffic.


Defaults

Snapshot routing is disabled.

The active-time argument has no default value.

Command Modes

Interface configuration

Command History

Release        Modification
10.3           This command was introduced.


Usage Guidelines

The value of the active-time argument must be the same for the client and server routers.

Examples

The following example configures a server router for snapshot routing:

interface dialer 1
 snapshot server 5 

Related Commands

Command            Description
show snapshot      Displays snapshot routing parameters associated with an interface.
snapshot client    Configures a client router for snapshot routing.


source-ip (VPDN)

To specify an IP address that is different from the physical IP address used to open a virtual private dialup network (VPDN) tunnel for the tunnels associated with a VPDN group, use the source-ip command in VPDN group configuration mode. To remove the alternate IP address, use the no form of this command.

source-ip ip-address

no source-ip

Syntax Description

ip-address

Alternate IP address.


Command Default

No alternate IP address is specified.

Command Modes

VPDN group configuration

Command History

Release        Modification
12.0(5)T       This command was introduced.


Usage Guidelines

Use the source-ip command in VPDN group configuration mode to configure an alternate IP address to be used for only those tunnels associated with that VPDN group. Each VPDN group on a router can be configured with a unique source-ip command.

Use the vpdn source-ip command to specify a single alternate IP address to be used for all tunnels on the device. A single source IP address can be configured globally per device.

The VPDN group-level configuration will override the global configuration.

Examples

The following example configures a network access server (NAS) to accept Layer 2 Tunnel Protocol (L2TP) dial-out calls using the alternate IP address 172.23.33.7, which is different from the physical IP address used to open the L2TP tunnel:

vpdn-group 3
 accept-dialout
  protocol l2tp
  dialer 2
 terminate-from hostname router21
 source-ip 172.23.33.7

Related Commands

Command            Description
accept-dialin      Creates an accept dial-in VPDN subgroup that configures a tunnel server to accept requests from a NAS to tunnel dial-in calls, and enters accept dial-in VPDN subgroup configuration mode.
accept-dialout     Creates an accept dial-out VPDN subgroup that configures a NAS to accept requests from a tunnel server to tunnel L2TP dial-out calls, and enters accept dial-out VPDN subgroup configuration mode.
request-dialin     Creates a request dial-in VPDN subgroup that configures a NAS to request the establishment of a dial-in tunnel to a tunnel server, and enters request dial-in VPDN subgroup configuration mode.
request-dialout    Creates a request dial-out VPDN subgroup that configures a tunnel server to request the establishment of dial-out L2TP tunnels to a NAS, and enters request dial-out VPDN subgroup configuration mode.
vpdn source-ip     Globally specifies an IP address that is different from the physical IP address used to open a VPDN tunnel.


source template

To attach a configured customer profile template to a particular customer profile, use the source template command in customer profile configuration mode.

source template name

Syntax Description

name

Customer profile template name.


Defaults

No templates are sourced or attached to a customer profile.

Command Modes

Customer profile configuration

Command History

Release        Modification
12.0(6)T       This command was introduced.


Usage Guidelines

All PPP and peer-default commands are allowed for a particular customer profile template under this grouping.

Examples

The following example shows the creation and configuration of a customer profile template named acme-direct and its subsequent assignment to the customer profile acme1:

template acme-direct
 multilink {max-fragments num | max-links num | min-links num}
 peer match aaa-pools
 peer default ip address pool acme-numbers
 ppp ipcp dns 10.1.1.1 10.2.2.2
 ppp multilink
 exit
resource-pool profile customer acme1
 source template acme-direct

Related Commands

Command     Description
template    Accesses the template configuration mode for configuring a particular customer profile template.


source vpdn-template

To associate a virtual private dialup network (VPDN) group with a VPDN template, use the source vpdn-template command in VPDN group configuration mode. To disassociate a VPDN group from a VPDN template, use the no form of this command.

source vpdn-template [name]

no source vpdn-template [name]

Syntax Description

name

(Optional) The name of the VPDN template to be associated with the VPDN group.


Defaults

Global VPDN template settings are applied to individual VPDN groups if a global VPDN template has been defined. If no global VPDN template has been defined, system default settings are applied to individual VPDN groups.

Command Modes

VPDN group configuration

Command History

Release        Modification
12.2(4)B       This command was introduced on the Cisco 7200 series and Cisco 7401ASR routers.
12.2(8)T       This command was integrated into Cisco IOS Release 12.2(8)T without support for the name argument.
12.2(13)T      Support was added for the name argument in Cisco IOS Release 12.2(13)T.


Usage Guidelines

Use the source vpdn-template command to associate a VPDN group with a VPDN template. By default, VPDN groups are associated with the global VPDN template if one is defined. A VPDN group can be associated with only one VPDN template. Associating a VPDN group with a named VPDN template automatically disassociates it from the global VPDN template.

The hierarchy for the application of VPDN parameters to a VPDN group is as follows:

VPDN parameters configured for the individual VPDN group are always applied to that VPDN group.

VPDN parameters configured in the associated VPDN template are applied for any settings not specified in the individual VPDN group configuration.

System default settings for VPDN parameters are applied for any settings not configured in the individual VPDN group or the associated VPDN template.

Uncoupling a VPDN group from the global VPDN template using the no source vpdn-template command results in the following hierarchy for the application of VPDN parameters to that VPDN group:

VPDN parameters configured for the individual VPDN group are always applied to that VPDN group.

System default settings for VPDN parameters are applied for any settings not configured in the individual VPDN group.

If you uncouple a VPDN group from a named VPDN template, the VPDN group will be associated with the global VPDN template if one is defined.

Examples

The following example configures the VPDN group named group1 to ignore the global VPDN template settings and use the system default settings for all unspecified VPDN parameters:

Router(config)# vpdn-group group1
Router(config-vpdn)# no source vpdn-template

The following example creates a VPDN template named l2tp, enters VPDN template configuration mode, configures two VPDN parameters in the VPDN template, and associates the VPDN group named l2tptunnels with the VPDN template:

Router(config)# vpdn-template l2tp
Router(config-vpdn-templ)# l2tp tunnel busy timeout 65
Router(config-vpdn-templ)# l2tp tunnel password 7 tunnel4me
!
Router(config)# vpdn-group l2tptunnels
Router(config-vpdn)# source vpdn-template l2tp

The following example uncouples the VPDN group named l2tptunnels from the VPDN template named l2tp. The VPDN group will be associated with the global VPDN template if one has been defined.

Router(config)# vpdn-group l2tptunnels
Router(config-vpdn)# no source vpdn-template l2tp
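
The parameter hierarchy from the usage guidelines, worked through as an added example (not Cisco code): a small resolver that reads an indented configuration fragment and reports, for each VPDN group, the effective value of a parameter and the level it came from. The sample configuration is constructed, the function names are hypothetical, and it is an assumption here that a vpdn-template line without a name defines the global template.

```python
import re

# Parameters this example can split into name and value; both come from the
# page's own vpdn-template example. Any other line is keyed on its full text.
KNOWN_PARAMS = ("l2tp tunnel busy timeout", "l2tp tunnel password")
GLOBAL = "<global>"  # label used here for the unnamed global template
SOURCE_RE = re.compile(r"(no\s+)?source vpdn-template(?:\s+(\S+))?")

# Constructed running-config fragment (not from the page). Assumption: a
# "vpdn-template" line without a name defines the global template.
SAMPLE = """\
vpdn-template
 l2tp tunnel busy timeout 120
!
vpdn-template l2tp
 l2tp tunnel busy timeout 65
 l2tp tunnel password 7 tunnel4me
!
vpdn-group l2tptunnels
 source vpdn-template l2tp
!
vpdn-group group1
 no source vpdn-template
!
vpdn-group group2
 l2tp tunnel busy timeout 30
!
vpdn-group group3
"""


def split_param(line):
    """Split a parameter line into (name, value) using the known prefixes."""
    for prefix in KNOWN_PARAMS:
        if line.startswith(prefix + " "):
            return prefix, line[len(prefix):].strip()
    return line, ""


def parse(config):
    """Return (templates, groups, binding) read from indented config text."""
    templates, groups, binding = {}, {}, {}
    block = None  # (kind, name) of the block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # a top-level command opens or closes a block
            words = line.split()
            if words[0] == "vpdn-template" and len(words) <= 2:
                block = ("template", words[1] if len(words) == 2 else GLOBAL)
                templates.setdefault(block[1], {})
            elif words[0] == "vpdn-group" and len(words) == 2:
                block = ("group", words[1])
                groups.setdefault(words[1], {})
            else:
                block = None
            continue
        if block is None:
            continue
        kind, name = block
        m = SOURCE_RE.fullmatch(line)
        if m and kind == "group":
            negated, tmpl = m.groups()
            if negated:
                # Without a name: uncoupled from the global template.
                # With a name: back to the global template, if one is defined.
                binding[name] = GLOBAL if tmpl else None
            else:
                binding[name] = tmpl or GLOBAL
            continue
        key, value = split_param(line)
        (groups if kind == "group" else templates)[name][key] = value
    return templates, groups, binding


def effective(parsed, group, param):
    """Return (value, origin) in the order the page gives: the group's own
    setting, then its associated template, then the system default."""
    templates, groups, binding = parsed
    if param in groups[group]:
        return groups[group][param], "group"
    tmpl = binding.get(group, GLOBAL)  # groups follow the global template by default
    if tmpl is not None and param in templates.get(tmpl, {}):
        return templates[tmpl][param], "template " + tmpl
    return None, "system default"  # the default value itself is not modelled


def unset_everywhere(parsed, param):
    """Groups for which param is configured at no level (audit helper)."""
    return sorted(g for g in parsed[1]
                  if effective(parsed, g, param)[1] == "system default")


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    for group in parsed[1]:
        print(group, effective(parsed, group, "l2tp tunnel busy timeout"))
    print("no tunnel password at any level:",
          unset_everywhere(parsed, "l2tp tunnel password"))
```

A group bound to a named template does not fall back to the global template for parameters the named template omits, which is why an audit of inherited settings has to resolve each group individually.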

Related Commands

Command          Description
vpdn-group       Creates a VPDN group and enters VPDN group configuration mode.
vpdn-template    Creates a VPDN template and enters VPDN template configuration mode.


spe

To enter service processing element (SPE) configuration mode and set the range of SPEs, use the spe command in global configuration mode.

Cisco AS5350 and Cisco AS5400 with the NextPort Dial Feature Card (DFC)

spe {slot | slot/spe}

Cisco AS5800 with the Universal Port Card (UPC)

spe {shelf/slot | shelf/slot/spe}

Syntax Description

slot

All ports on the specified slot. For the Cisco AS5350 slot values range from 1 to 3. For the Cisco AS5400, slot values range from 1 to 7.

slot/spe

All ports on the specified slot and SPE. For the Cisco AS5350 slot values range from 1 to 3. For the Cisco AS5400, slot values range from 1 to 7. SPE values range from 1 to 17. You must include the slash mark.

shelf/slot

All ports on the specified shelf and slot. For the Cisco AS5800, shelf values range from 0 to 1 and UPC slot values range from 2 to 11. You must include the slash mark.

shelf/slot/spe

All ports on the specified SPE. For the Cisco AS5800, shelf values range from 0 to 1, slot values range from 2 to 11, and SPE values range from 0 to 53. You must include the slash marks.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release        Modification
12.0(4)XI1     This command was introduced.
12.0(5)T       This command was implemented on the Cisco AS5200 and Cisco AS5300 platforms.
12.1(1)XD      This command was implemented on the Cisco AS5400.
12.1(3)T       This command was implemented on the Cisco AS5800.
12.1(5)XM1     This command was implemented on the Cisco AS5350.
12.2(11)T      This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco AS5350.


Usage Guidelines

The spe global configuration command enables the SPE configuration mode. Configure your SPE by specifying a slot and an SPE associated with the slot; or, you can configure a range of SPEs by specifying the first and last SPE in the range.

To exit SPE configuration mode, use the exit command.

Examples

The following example shows the spe command being used from global configuration mode to access the SPE configuration mode for the SPE range from 1/2 to 1/4:

router(config)# spe 5/4 5/6
router(config-spe)# ?
SPE Configuration Commands:
  busyout   Busyout SPE
  default   Set a command to its defaults
  exit      Exit from SPE Configuration Mode
  firmware  Firmware used for the SPE
  help      Description of the interactive help system
  no        Negate a command or set its defaults
  shutdown  Take the SPE out of Service

When the universal gateway is booted, the spe global configuration command specifies the location from where the firmware image is downloaded to the SPE. If the spe configuration command is used to download the firmware from Flash memory and then subsequently the no version of the exact command is entered, then the spe command downloads the embedded firmware.


Note: Use this command when traffic is low because the spe download does not begin until the modems have no active calls.



Caution: The spe command is a configuration command. Save it using the write memory command; otherwise, the configuration is not saved. If the configuration is not saved, the downloading of the specified firmware does not occur after the next reboot.

The following example shows the spe command being used from global configuration mode to access the SPE configuration mode for the range of SPEs from 1/2 to 1/4 on the Cisco AS5400:

Router(config)# spe 1/2 1/4

The following example specifies the range for use of the shutdown command:

Router(config)# spe 1/1 1/18
Router(config-spe)# shutdown
Router(config-spe)# no shutdown

Related Commands

Command     Description
exit        Exits SPE configuration mode.
show spe    Displays SPE status.


spe call-record modem

To generate a modem call record at the end of each call, use the spe call-record modem command in global configuration mode. To cancel the request to generate the reports, use the no form of the command.

spe call-record modem {max-userid number | quiet}

no spe call-record modem {max-userid number | quiet}

Syntax Description

max-userid number

Maximum length of the user ID for the modem call record report in number of bytes. The range is from 0 to 100.

quiet

Disables logging to console and terminal, but not to syslog.


Defaults

An SPE call record is enabled.

Command Modes

Global configuration

Command History

Release        Modification
12.1(1)XD      This command was introduced on the Cisco AS5400.
12.1(3)T       This command was implemented on the Cisco AS5800.
12.1(5)XM1     This command was implemented on the Cisco AS5350.
12.2(11)T      This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco AS5350.


Usage Guidelines

The spe call-record modem command generates a modem call record at the end of each call.


Note: The spe call-record modem command is similar to the modem call-record command.


Examples

The following example sets the maximum user ID length in SPE call records to 50 bytes and saves the configuration:

Router# configure terminal
Router(config)# spe call-record modem max-userid 50
Router(config)# end
Router#
00:18:30: %SYS-5-CONFIG_I: Configured from console by console
Router# write memory
Building configuration...
[OK]

The following is a partial example of traces generated when a call terminates. The logs from the show port modem log command do not change as a result of using the spe call-record modem command.

.
.
.
%LINK-3-UPDOWN: Interface Async5/105, changed state to down
%MODEMCALLRECORD-6-PM_TERSE_CALL_RECORD: DS0 slot/contr/chan=4/2/15,
shelf/slot/port=5/37, call_id=EE, userid=touraco-e1-4, ip=79.188.24.1,
calling=(n/a), called=35160, std=V.34+, prot=LAP-M, comp=V.42bis,
init-rx/tx b-rate=33600/33600, finl-rx/tx b-rate=33600/33600, rbs=0,
d-pad=None, retr=1, sq=5, snr=10495, rx/tx chars=286/266, bad=0, rx/tx
ec=16/6, bad=0, time=96, finl-state=Steady Retrain,
disc(radius)=(n/a)/(n/a), disc(modem)=1F00 <unknown>/Requested by
host/non-specific host disconnect
%MODEMCALLRECORD-6-PM_TERSE_CALL_RECORD: DS0 slot/contr/chan=4/1/24,
shelf/slot/port=5/38, call_id=FD, userid=touraco-e1-4, ip=79.205.24.1,
calling=(n/a), called=35170, std=V.34+, prot=LAP-M, comp=V.42bis,
init-rx/tx b-rate=33600/33600, finl-rx/tx b-rate=33600/33600, rbs=0,
d-pad=None, retr=1, sq=5, snr=10495, rx/tx chars=289/267, bad=0, rx/tx
ec=17/7, bad=0, time=93, finl-state=Steady Retrain,
disc(radius)=(n/a)/(n/a), disc(modem)=1F00 <unknown>/Requested by
host/non-specific host disconnect
%MODEMCALLRECORD-6-PM_TERSE_CALL_RECORD: DS0 slot/contr/chan=4/3/15,
shelf/slot/port=5/2, call_id=FF, userid=touraco-e1-4, ip=79.200.24.1,
calling=(n/a), called=35170, std=V.34+, prot=LAP-M, comp=V.42bis,
init-rx/tx b-rate=33600/33600, finl-rx/tx b-rate=33600/33600, rbs=0,
d-pad=None, retr=1, sq=5, snr=10495, rx/tx chars=287/270, bad=0, rx/tx
ec=17/7, bad=0, time=92, finl-state=Steady Retrain,
disc(radius)=(n/a)/(n/a), disc(modem)=1F00 <unknown>/Requested by
host/non-specific host disconnect
%MODEMCALLRECORD-6-PM_TERSE_CALL_RECORD: DS0 slot/contr/chan=4/3/10,
shelf/slot/port=5
.
.
.
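
For log review, the wrapped records above have to be rejoined before the fields can be read. The following added example (not Cisco code) parses PM_TERSE_CALL_RECORD messages into fields, handles the repeated bad key and a cut-off record, summarizes calls per user ID, and lists user IDs whose length reaches the configured max-userid value. The sample records are constructed in the layout shown above, the function names are hypothetical, and it is an assumption that longer user IDs are cut to max-userid bytes.

```python
import re
from collections import defaultdict

MSG = re.compile(r"%([A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(.*)")
CALL_RECORD = "MODEMCALLRECORD-6-PM_TERSE_CALL_RECORD"

# Constructed sample in the layout of the page's trace: records wrap across
# lines, a key can wrap too ("rx/tx" / "ec"), "bad" occurs twice, and the last
# record is cut off. User IDs and addresses are made up; fields are shortened.
SAMPLE = """\
%LINK-3-UPDOWN: Interface Async5/105, changed state to down
%MODEMCALLRECORD-6-PM_TERSE_CALL_RECORD: DS0 slot/contr/chan=4/2/15,
shelf/slot/port=5/37, call_id=EE, userid=branch-office-0, ip=192.0.2.10,
calling=(n/a), called=35160, std=V.34+, prot=LAP-M, comp=V.42bis,
rx/tx chars=286/266, bad=0, rx/tx
ec=16/6, bad=0, time=96, finl-state=Steady Retrain,
disc(radius)=(n/a)/(n/a), disc(modem)=1F00 <unknown>/Requested by
host/non-specific host disconnect
%MODEMCALLRECORD-6-PM_TERSE_CALL_RECORD: DS0 slot/contr/chan=4/1/24,
shelf/slot/port=5/38, call_id=FD, userid=branch-office-0, ip=192.0.2.11,
calling=(n/a), called=35170, rx/tx chars=289/267, bad=0, rx/tx
ec=17/7, bad=1, time=93, finl-state=Steady Retrain,
disc(radius)=(n/a)/(n/a), disc(modem)=1F00 <unknown>/Requested by
host/non-specific host disconnect
%MODEMCALLRECORD-6-PM_TERSE_CALL_RECORD: DS0 slot/contr/chan=4/3/10,
shelf/slot/port=5
.
.
"""


def join_records(text):
    """Rejoin wrapped lines into one body string per call record."""
    bodies, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        m = MSG.search(line)
        if m:  # any new syslog message ends the record being collected
            if current is not None:
                bodies.append(current)
            current = m.group(2) if m.group(1) == CALL_RECORD else None
        elif current is not None:
            current += " " + line
    if current is not None:
        bodies.append(current)
    return bodies


def parse_record(body):
    """Split one record body into a dict of fields."""
    fields = {}
    for part in re.split(r",\s*", body):
        key, sep, value = part.partition("=")
        if not sep:
            continue  # fragment without "=", as left by a cut-off record
        key = key.strip()
        name, n = key, 2
        while name in fields:  # the second "bad" becomes "bad#2"
            name, n = f"{key}#{n}", n + 1
        fields[name] = value.strip()
    # disc(modem) is the last field of a full record in the page's trace.
    fields["_complete"] = "disc(modem)" in fields
    return fields


def load(text):
    return [parse_record(body) for body in join_records(text)]


def summarize(records):
    """Per-user totals, taken from complete records only."""
    users = defaultdict(lambda: {"calls": 0, "time": 0, "ips": set(), "called": set()})
    for rec in records:
        if not rec["_complete"] or "userid" not in rec:
            continue
        entry = users[rec["userid"]]
        entry["calls"] += 1
        entry["time"] += int(rec.get("time", 0))  # summed as reported
        entry["ips"].add(rec.get("ip"))
        entry["called"].add(rec.get("called"))
    return dict(users)


def possibly_truncated(records, max_userid):
    """User IDs at least max_userid bytes long. Assumption: longer IDs are cut
    to that length, so distinct users could share one logged ID."""
    if max_userid <= 0:
        return []
    return sorted({r["userid"] for r in records
                   if "userid" in r and len(r["userid"].encode()) >= max_userid})


if __name__ == "__main__":
    recs = load(SAMPLE)
    for user, s in summarize(recs).items():
        print(user, s["calls"], s["time"], sorted(s["ips"]), sorted(s["called"]))
    print("incomplete records:", sum(not r["_complete"] for r in recs))
    print("at max-userid length:", possibly_truncated(recs, 15))
```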

Related Commands

Command              Description
modem call-record    Activates the logging of a summary of modem events upon the termination of a call.


spe country

To specify the country while setting the modem card parameters (including country code and encoding), use the spe country command in global configuration mode. To set the country code to the default value, use the no form of this command.

spe country {country-name | e1-default | t1-default}

no spe country {country-name | e1-default | t1-default}

Syntax Description

country-name

Name of the country. See Table 139 for a list of supported country name keywords.

e1-default

Use this keyword when using the E1 interface.

t1-default

Use this keyword when using the T1 interface.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release        Modification
12.1(1)XD      This command was introduced on the Cisco AS5400.
12.1(3)T       This command was implemented on the Cisco AS5800.
12.1(5)XM1     This command was implemented on the Cisco AS5350.
12.2(11)T      This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco AS5350.


Usage Guidelines

On the Cisco universal gateway, DS0 companding law selection is configured for the entire system rather than on individual voice ports. Set the spe country command to the appropriate country.

If T1 lines are configured, the default is t1-default; if E1 lines are configured, the default is e1-default.

The Cisco universal gateway must be in an Idle state (no calls are active) for the spe country command to function. All sessions on all modules in all slots must be in the Idle state.


Note: The spe country command is similar to the modem country mica and modem country microcom_hdms commands.


Table 139 lists the country names and corresponding companding law.

Table 139 Country Names and Corresponding Companding Law 

Keyword           Country                     Companding Law
australia         Australia                   a-law
austria           Austria                     a-law
belgium           Belgium                     a-law
china             China                       a-law
cyprus            Cyprus                      a-law
czech-republic    Czech/Slovak Republic       a-law
denmark           Denmark                     a-law
e1-default        Default for E1              a-law
finland           Finland                     a-law
france            France                      a-law
germany           Germany                     a-law
hong-kong         Hong Kong                   u-law
india             India                       a-law
ireland           Ireland                     a-law
israel            Israel                      a-law
italy             Italy                       a-law
japan             Japan                       u-law
malaysia          Malaysia                    a-law
netherlands       Netherlands                 a-law
new-zealand       New Zealand                 a-law
norway            Norway                      a-law
poland            Poland                      a-law
portugal          Portugal                    a-law
russia            Russia                      a-law
singapore         Singapore                   a-law
south-africa      South Africa                a-law
spain             Spain                       a-law
sweden            Sweden                      a-law
switzerland       Switzerland                 a-law
t1-default        Default for T1              u-law
taiwan            Taiwan                      u-law
thailand          Thailand                    a-law
turkey            Turkey                      a-law
united-kingdom    United Kingdom              a-law
usa               United States of America    u-law


Examples

The following example configures the setting of the country code to the default for E1:

router(config)# spe country e1-default

The following example configures the setting of the country code to the default for T1:

router(config)# spe country t1-default

Related Commands

Command                        Reference
modem country mica             Configures the modem country code for a bank of MICA technologies modems.
modem country microcom_hdms    Configures the modem country code for a bank of Microcom modems.
show spe                       Displays SPE status.


spe download maintenance

To perform download maintenance on service processing elements (SPEs) that are marked for recovery, use the spe download maintenance command in global configuration mode. To disable download maintenance on SPEs, use the no form of the command.

spe download maintenance {time hh:mm | stop-time hh:mm | max-spes number-of-spes | window time-period | expired-window {drop-call | reschedule}}

no spe download maintenance {time hh:mm | stop-time hh:mm | max-spes number-of-spes | window time-period | expired-window {drop-call | reschedule}}

Syntax Description

time hh:mm

Time of the day to start the download maintenance activity. Enter the value in the format of the variable as shown in hours and minutes. Default is 03:00 a.m.

stop-time hh:mm

Time of the day to stop the download maintenance activity. Enter the value in the format of the variable as shown in hours and minutes.

max-spes number-of-spes

Maximum number of SPEs that can simultaneously be in maintenance. The value ranges from 1 to 10,000. Default is equal to 20 percent of the maximum number of SPEs in each NextPort Dial Feature Card (DFC).

window time-period

Time window to perform the maintenance activity. The value ranges from 0 to 360 minutes. Default is 60 minutes.

expired-window

Action to take if SPE maintenance is not completed within the specified window. Default is reschedule.

drop-call

Expired window choice that forces download by dropping active calls.

reschedule

Expired window choice that defers recovery to the next maintenance time (default for the expired-window keyword).


Defaults

Enabled

Command Modes

Global configuration

Command History

Release        Modification
12.1(1)XD      This command was introduced on the Cisco AS5400.
12.1(3)T       This command was implemented on the Cisco AS5800.
12.1(5)XM1     This command was implemented on the Cisco AS5350.
12.2(11)T      This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco AS5350.


Usage Guidelines

The SPE download maintenance activity takes place when SPEs are marked for recovery. The settings are enabled by default. When you want to change the default settings to a desired setting, use the spe download maintenance command parameters to perform SPE download maintenance activity with the specific changes.

Enter the time hh:mm keyword to set a time to start the SPE download maintenance activity. Then enter the stop-time hh:mm keyword to set a time to stop the download maintenance. Next enter the max-spes number-of-spes keyword to set the number of SPEs for the download maintenance. Then enter the window time-period keyword to set a time period to perform the download maintenance. Finally, enter the expired-window keyword to set actions in the event the SPE download maintenance is not completed in the set window time-period.

The download maintenance activity starts at the set start time and steps through all the SPEs that need recovery and the SPEs that need a firmware upgrade and starts maintenance on the maximum number of set SPEs for maintenance. The system waits for the window delay time for all the ports on the SPE to become inactive before moving the SPE to the Idle state. Immediately after the SPE moves to the Idle state, the system starts to download firmware. If the ports are still in use by the end of window delay time, depending upon the expired-window setting, connections on the SPE ports are shut down and the firmware is downloaded by choosing the drop-call option, or the firmware download is rescheduled to the next download maintenance time by choosing the reschedule option. This process continues until the number of SPEs under maintenance is below the max-spes value, or until the stop-time value (if set), or until all SPEs marked for recovery or upgrade have had their firmware reloaded.

Examples

The following example displays the SPE download maintenance with the different keyword parameters:

Router(config)# spe download maintenance time 03:00

Router(config)# spe download maintenance stop-time 04:00

Router(config)# spe download maintenance max-spes 50

Router(config)# spe download maintenance window 30

Router(config)# spe download maintenance expired-window reschedule

Related Commands

Command              Description
firmware location    Downloads firmware into Cisco integrated modems.
firmware upgrade     Specifies the method in which the SPE will be downloaded.
show spe version     Displays the firmware version on an SPE.
spe recovery         Sets an SPE port for recovery.


spe log-size

To set the size of the port event log, use the spe log-size command in global configuration mode. To restore the default size, use the no version of this command.

spe log-size number

no spe log-size

Syntax Description

number

The number of recorded events. Valid values for the number argument range from 0 to 100. The default value is 50 events.


Command Default

The port event log records 50 events.

Command Modes

Global configuration

Command History

Release        Modification
12.1(1)XD      This command was introduced on the Cisco AS5400.
12.1(3)T       This command was integrated into Cisco IOS Release 12.1(3)T on the Cisco AS5400 and Cisco AS5800.
12.1(5)XM1     This command was implemented on the Cisco AS5350.
12.2(11)T      This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco AS5350.


Examples

The following example sets the size of the event log to 70 events:

Router(config)# spe log-size 70

Related Commands

Command
Description

show port digital log

Displays the digital data event log with the oldest event first.

show port modem log

Displays the modem port history event log or modem test log.


spe recovery

To set a service processing element (SPE) port for recovery, use the spe recovery command in global configuration mode. To disable SPE recovery or to restore the default port-threshold value, use the no form of this command.

spe recovery {port-action {disable | recover} | port-threshold number-failures}

no spe recovery {port-action | port-threshold}

Syntax Description

port-action

Action to apply to the port for recovery when the configured port-threshold value has been exceeded.

disable

Sets the port to the bad state.

recover

Sets the port for recovery.

port-threshold number-failures

Number of consecutive failed attempts made on the port before the port-action keyword is applied. The range is from 1 to 10000. The default value is 30.


Defaults

There is no default port-action value. SPE recovery is disabled.
The default port-threshold value is 30 failed attempts.

Command Modes

Global configuration

Command History

Release
Modification

12.1(1)XD

This command was introduced on the Cisco AS5400.

12.1(2.3)T1

This command was implemented on the Cisco AS5800.

12.1(5)XM1

This command was implemented on the Cisco AS5350.

12.2(11)T

This command was integrated into Cisco IOS Release 12.2(11)T and implemented on the Cisco AS5350.


Usage Guidelines

Failure of an SPE port to connect after repeated tries indicates that a problem exists in the SPE or firmware. An SPE port in this state is recovered by downloading firmware.

When an SPE port fails to connect consecutively for a number of times, as specified by the port-threshold number-failures keyword and argument, the SPE is moved to a state based on the port-action configuration.

If the spe recovery port-action recover command has been configured, when the port-threshold number-failures value is exceeded, the port is temporarily marked as disabled ("d" state) to avoid further incoming calls, and it is then marked for recovery ("r" state). Any SPE that has a port marked for recovery will download firmware when the SPE is idle (when none of the ports on the SPE have active calls).

If the spe recovery port-action disable command has been configured, when the port-threshold number-failures value is exceeded, the port is marked as bad ("BAD" state). An SPE with a port that is marked as bad must be explicitly cleared in order for that port to be used again.

If no port-action is configured, the port will be marked as not in use ("_" state). An SPE with a port marked as not in use will remain unusable until it is explicitly cleared, and the SPE will not accept incoming calls on any of the ports.

SPE recovery can be disabled by issuing the no spe recovery port-action command. If SPE recovery is disabled, the SPE will behave as if no port-action has been configured.


Note Beginning with Cisco IOS Release 12.1(2.3)T1, the modem recovery action for MICA technologies modems on the Cisco AS5800 platforms is done using the spe recovery command rather than the modem recovery command.


Examples

The following example configures the SPE to recover ports that exceed the call failure threshold:

Router(config)# spe recovery port-action recover

The following example sets a value of 50 for the number of consecutive failed attempts on the port before the port-action keyword is applied:

Router(config)# spe recovery port-threshold 50

Related Commands

Command
Description

clear port

Resets the NextPort port and clears any active call.

clear spe

Reboots all specified SPEs.

firmware upgrade

Specifies an SPE firmware upgrade method.

show spe

Displays history statistics of all SPEs, a specified SPE, or the specified range of SPEs.

show spe version

Displays the firmware version on an SPE and displays the version to firmware file mappings.

spe download maintenance

Performs download maintenance on SPEs that are marked for recovery.


start-character

To set the flow control start character, use the start-character command in line configuration mode. To remove the character, use the no form of this command.

start-character ascii-number

no start-character

Syntax Description

ascii-number

Decimal representation of the start character.


Defaults

Decimal 17

Command Modes

Line configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

This command defines the character that signals the start of data transmission when software flow control is in effect. Refer to the "ASCII Character Set" appendix in the Cisco IOS Configuration Fundamentals Command Reference for a list of ASCII characters.

Examples

The following example changes the start character to Ctrl-B, which is decimal 2:

line 2
 start-character 2

Related Commands

Command
Description

flowcontrol

Sets the method of data flow control between the terminal or other serial device and the router.

stop-character

Sets the flow control stop character.

terminal start-character

Changes the flow control start character for the current session.


start-chat

To specify that a chat script start on a specified line at any point, use the start-chat command in privileged EXEC mode. To stop the chat script, use the no form of this command.

start-chat regexp [line-number [dialer-string]]

no start-chat

Syntax Description

regexp

Name of a regular expression or modem script to be executed. If there is more than one script with a name that matches the argument regexp, the first script found will be used.

line-number

(Optional) Line number on which to execute the chat script. If you do not specify a line number, the current line number is chosen. If the specified line is busy, the script is not executed and an error message appears. If the dialer-string argument is specified, line-number must be entered; it is not optional if you specify a dialer string. This command functions only on physical terminal (TTY) lines. It does not function on virtual terminal (VTY) lines.

dialer-string

(Optional) String of characters (often a telephone number) to be sent to a DCE. If you enter a dialer string, you must also specify line-number, or the chat script regexp will not start.


Command Modes

Privileged EXEC

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

This command provides modem dialing commands for a chat script that you want to apply immediately to a line. If you do not specify a line, the script runs on the current line. If the specified line is already in use, the script is not activated and an error message appears.

The argument regexp is used to specify the name of the modem script that is to be executed. The first script that matches the argument in this command and the dialer map command will be used. For more information about regular expressions, refer to the "Regular Expressions" appendix in this publication.

This command functions only on physical terminal (TTY) lines. It does not function on virtual terminal lines.

Examples

The following example forces a dialout on line 8 using the script named "telebit":

start-chat telebit line 8

Related Commands

Command
Description

chat-script

Places calls over a modem and logs in to remote systems.

dialer map

Configures a serial interface or ISDN interface to call one or multiple sites or to receive calls from multiple sites.

script activation

Specifies that a chat script start on a physical terminal line when the line is activated.

script connection

Specifies that a chat script start on a physical terminal line when a remote network connection is made to a line.

script dialer

Specifies a default modem chat script.

script reset

Specifies that a chat script start on a physical terminal line when the specified line is reset.

script startup

Specifies that a chat script start on a physical terminal line when the router is powered up.


stop-character

To set the flow control stop character, use the stop-character command in line configuration mode. To remove the character, use the no form of this command.

stop-character ascii-number

no stop-character

Syntax Description

ascii-number

Decimal representation of the stop character.


Defaults

Decimal 19

Command Modes

Line configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

This command defines the character that signals the end of data transmission when software flow control is in effect. Refer to the "ASCII Character Set" appendix in the Cisco IOS Configuration Fundamentals Command Reference for a list of ASCII characters.

Examples

The following example changes the stop character to Ctrl-E, which is decimal 5:

line 3
 stop-character 5

Related Commands

Command
Description

flowcontrol

Sets the method of data flow control between the terminal or other serial device and the router.

start-character

Sets the flow control start character.

stop-character

Sets the flow control stop character.


subscriber access

To enable Subscriber Service Switch to preauthorize the NAS-Port-ID (network access server port identifier) string before authorizing the domain name, use the subscriber access command in global configuration mode. To disable Subscriber Service Switch preauthorization, use the no form of this command.

subscriber access {pppoe | pppoa} pre-authorize nas-port-id [aaa-method-list]

no subscriber access {pppoe | pppoa} pre-authorize nas-port-id [aaa-method-list]

Syntax Description

pppoe

Specifies PPP over Ethernet (PPPoE).

pppoa

Specifies PPP over ATM (PPPoA).

pre-authorize nas-port-id

Signals Subscriber Service Switch to preauthorize the NAS-Port-ID string before authorizing the domain name.

aaa-method-list

(Optional) Authentication, authorization, and accounting (AAA) method list name.


Defaults

Authorization is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)B

This command was introduced on the Cisco 6400 series, the Cisco 7200 series, and the Cisco 7401 ASR.

12.2(13)T

This feature was integrated into Cisco IOS Release 12.2(13)T with a choice of pppoe and pppoa keywords.


Usage Guidelines

The NAS-Port-ID string is used to locate the first service record, which may contain one of three attributes, as follows:

1. A restricted set of values for the domain substring of the unauthenticated PPP name.

This filtered service key then locates the final service. See the vpdn authen-before-forward command and the example of the domain preauthorization RADIUS user profile showing use of the vpdn:domain-list= RADIUS attribute for more details.

2. Session limit.

3. The logical line ID (LLID).

Once NAS port authorization takes place, normal authorization, which is usually the domain authorization, continues.


Note The LLID is an alphanumeric string from 1 to 253 characters in length that serves as the logical identification of a subscriber line. LLID is maintained in a RADIUS server customer profile database and enables users to track their customers on the basis of the physical lines in which customer calls originate. Downloading the LLID is also referred to as preauthorization because it occurs before normal virtual private dialup network (VPDN) authorization downloads Layer 2 Tunneling Protocol (L2TP) tunnel information.


This command enables LLID and Subscriber Service Switch querying only for PPP over Ethernet over ATM (PPPoEoATM) and PPP over Ethernet over VLAN (PPPoEoVLAN or Dot1Q) calls; all other calls, such as ISDN, are not supported.
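The preauthorization sequence described above, modeled in Python as an added example (not Cisco code and not a RADIUS implementation). The NAS-Port-ID strings, LLID values, the "@" delimiter and the fail-closed handling of an unknown port are assumptions of this model; the domain water.com and the tunnel endpoint 30.1.1.1 are taken from this command's configuration example.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Page: the LLID is an alphanumeric string from 1 to 253 characters.
LLID_RE = re.compile(r"[A-Za-z0-9]{1,253}")


@dataclass(frozen=True)
class ServiceRecord:
    """First service record, located by NAS-Port-ID (any attribute may be absent)."""
    domain_list: Optional[FrozenSet[str]] = None  # restricted set of domain substrings
    session_limit: Optional[int] = None
    llid: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    service: Optional[str] = None
    llid: Optional[str] = None


def domain_of(ppp_name: str, delimiter: str = "@") -> Optional[str]:
    """Domain substring of the unauthenticated PPP name, or None if it has none."""
    _user, sep, domain = ppp_name.rpartition(delimiter)
    return domain.lower() if sep and domain else None


def preauthorize(nas_port_id: str, ppp_name: str,
                 port_records: Dict[str, ServiceRecord],
                 domain_services: Dict[str, str],
                 active_sessions: Dict[str, int]) -> Decision:
    """NAS-Port-ID preauthorization first, then normal domain authorization."""
    record = port_records.get(nas_port_id)
    if record is None:
        # Assumption of this model: a port with no service record fails closed.
        return Decision(False, "no service record for NAS-Port-ID")
    if record.llid is not None and not LLID_RE.fullmatch(record.llid):
        return Decision(False, "malformed LLID in service record")
    if (record.session_limit is not None
            and active_sessions.get(nas_port_id, 0) >= record.session_limit):
        return Decision(False, "session limit reached", llid=record.llid)
    domain = domain_of(ppp_name)
    if record.domain_list is not None and domain not in record.domain_list:
        # The port restricts which domains the unauthenticated name may claim.
        return Decision(False, "domain not permitted on this port", llid=record.llid)
    # Preauthorization passed: normal (domain) authorization continues.
    service = domain_services.get(domain) if domain else None
    if service is None:
        return Decision(False, "domain authorization failed", llid=record.llid)
    return Decision(True, "authorized", service=service, llid=record.llid)


# Constructed sample data: two subscriber lines and two tunnelled domains.
PORT_RECORDS = {
    "atm4/0.1:1.100": ServiceRecord(frozenset({"water.com"}), 2, "LINE00042"),
    "atm4/0.1:1.101": ServiceRecord(llid="LINE00043"),
}
DOMAIN_SERVICES = {
    "water.com": "l2tp tunnel to 30.1.1.1",
    "example.net": "l2tp tunnel to 192.0.2.10",
}

if __name__ == "__main__":
    for port, name in [("atm4/0.1:1.100", "alice@water.com"),
                       ("atm4/0.1:1.100", "alice@example.net"),
                       ("atm4/0.1:1.101", "bob@example.net"),
                       ("atm9/0.1:1.1", "carol@water.com")]:
        print(port, name, preauthorize(port, name, PORT_RECORDS, DOMAIN_SERVICES, {}))
```

The second call is the case preauthorization exists for: the domain is valid on the network, but the line it arrives on is not allowed to claim it.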

Examples

The following example signals Subscriber Service Switch to preauthorize the NAS-Port-ID string before authorizing the domain name. This policy applies only to sessions with a PPPoE access type.

aaa new-model
aaa group server radius sg_llid
 server 172.20.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg_water
 server 172.20.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius
aaa authorization config-commands
aaa authorization network default group sg_water
aaa authorization network mlist_llid group sg_llid
aaa session-id common
!
username s7200_2 password 0 lab
username s5300 password 0 lab
username sg_water password 0 lab
vpdn enable
!
vpdn-group 2
 request-dialin
  protocol l2tp
  domain water.com
 initiate-to ip 30.1.1.1
 local name s7200_2
!
vpdn-group 3
 accept-dialin
  protocol pppoe
  virtual-template 1
!
! Signals Subscriber Service Switch to preauthorize the NAS-Port-ID string before
! authorizing the domain name.
subscriber access pppoe pre-authorize nas-port-id mlist_llid
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.0
!
interface Loopback1
 ip address 10.1.1.6 255.255.255.0
!
interface Ethernet1/0
 ip address 10.1.1.8 255.255.255.0 secondary
 ip address 10.0.58.111 255.255.255.0 
 no cdp enable
!
interface ATM4/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM4/0.1 point-to-point
 pvc 1/100
  encapsulation aal5snap
  protocol pppoe
!
interface virtual-template1
 no ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap
!
radius-server host 172.20.164.120 auth-port 1645 acct-port 1646 key rad123
radius-server host 172.20.164.106 auth-port 1645 acct-port 1646 key rad123
ip radius source-interface Loopback1

Related Commands

Command
Description

subscriber authorization enable

Enables Subscriber Service Switch type authorization.


subscriber authorization enable

To enable Subscriber Service Switch type authorization, use the subscriber authorization enable command in global configuration mode. To disable the Subscriber Service Switch authorization, use the no form of this command.

subscriber authorization enable

no subscriber authorization enable

Syntax Description

This command has no arguments or keywords.

Defaults

Authorization is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(13)T

This feature was introduced.


Usage Guidelines

The subscriber authorization enable command triggers Subscriber Service Switch type authorization for local termination, even if virtual private dialup network (VPDN) and Stack Group Bidding Protocol (SGBP) are disabled.

Examples

The following example enables Subscriber Service Switch type authorization:

subscriber authorization enable

Related Commands

Command
Description

subscriber access

Enables Subscriber Service Switch preauthorization.

vpdn authorize domain

Enables domain preauthorization on a NAS.


tdm clock priority

To configure the clock source and priority of the clock source used by the time-division multiplexing (TDM) bus on the Cisco AS5350, AS5400, and AS5800 access servers, use the tdm clock priority command in global configuration mode. To return the clock source and priority to the default values, use the no form of this command.

tdm clock priority priority-number {slot/ds1-port | slot/ds3-port:ds1-port | external | freerun}

no tdm clock priority priority-number {slot/ds1-port | slot/ds3-port:ds1-port | external | freerun}

Syntax Description

priority-number

Priority of the clock source. The priority range is from 1 to 99. A clock set to priority 100 will not drive the TDM bus.

slot/ds1-port

Trunk-card slot is a value from 1 to 7. DS1 port number controller is a value between 0 and 7. Specify with a slash separating the numbers; for example, 1/1.

slot/ds3-port:ds1-port

Trunk-card slot is a value from 1 to 7. DS3 port specifies the T3 port. DS1 port number controller is a value from 1 to 28. Specify with a slash separating the slot and port numbers, and a colon separating the DS1 port number. An example is 1/0:19.

external

Synchronizes the TDM bus with an external clock source that can be used as an additional network reference.

freerun

Selects the free-running clock from the local oscillator when there is no good clocking source from a trunk card or an external clock source.


Defaults

If no clocks are configured, the system uses a default, primary clock. An external clock is never selected by default; it must be explicitly configured.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

The TDM bus can receive an input clock from one of three sources on the gateway:

CT1, CE1, and CT3 trunk cards

An external T1/E1 clock source feed directly through the Building Integrated Timing Supply (BITS) interface port on the motherboard

Free-running clock providing clock from an oscillator


Note BITS is a single building master timing supply. BITS generally supplies DS1- and DS0-level timing throughout an office. BITS is the clock that provides and distributes timing to the lower levels of a wireline network.


Trunk-Card Ports

The TDM bus can be synchronized with any trunk cards. On the CT1/CE1 trunk card, each port receives the clock from the T1/E1 line. The CT3 trunk card uses an M13 multiplexer to receive the DS1 clock. Each port on each trunk-card slot has a default clock priority. Also, clock priority is configurable through the tdm clock priority command.

External Clock

The TDM bus can be synchronized with an external clock source that can be used as an additional network reference. If no clocks are configured, the system uses a primary clock through a software-controlled default algorithm. If you want the external T1/E1 clock (from the BITS interface) as the primary clock source, you must configure it using the external keyword with the tdm clock priority command; the external clock is never selected by default.

The BITS interface requires a T1 line composite clock reference set at 1.544 MHz and an E1 line composite clock reference set at 2.048 MHz.

Free-Running Clock

If there is no good clocking source from a trunk card or an external clock source, then select the free-running clock from the internal oscillator using the freerun keyword with the tdm clock priority command.

Examples

In the following example, BITS clock is set at priority 1:

AS5400(config)# tdm clock priority priority 1 external

In the following example, a trunk clock from a CT1 trunk card is set at priority 2 and uses slot 4 and DS1 port (controller) 6:

AS5400(config)# tdm clock priority priority 2 4/6

In the following example, a trunk clock from a CT3 trunk card is set at priority 2 and uses slot 1, DS3 port 0, and DS1 port 19:

AS5400(config)# tdm clock priority priority 2 1/0:19

In the following example, free-running clock is set at priority 3:

AS5400(config)# tdm clock priority priority 3 freerun

Related Commands

Command
Description

dial-tdm-clock

Configures the clock source and priority of the clock source used by the TDM bus on the dial shelf of the Cisco AS5800.

show tdm clocks

Displays default system clocks and clock history.


tdm-group

To configure a list of timeslots for creating clear channel groups (pass-through) for Time Division Multiplexing (TDM) cross-connect, use the tdm-group command in controller configuration mode. To delete a clear channel group, use the no form of this command.

tdm-group tdm-group-no timeslots timeslot-list [type {e&m | fxs [loop-start | ground-start] | fxo [loop-start | ground-start] | fxs-melcas | fxo-melcas | e&m-melcas} ]

no tdm-group tdm-group-no

Syntax Description

tdm-group-no

TDM group number. The valid range is 0 to 31.

Note For any of the timeslots within the timeslot range provided for the TDM group, use timeslot -1 as the TDM group number.

timeslot-list

Timeslots (DS0s) to include in this TDM group. The valid timeslots are: 1 to 24 for T1; 1 to 15 and 17 to 31 for E1.

type

(Valid only when the mode cas command is enabled.) Specifies the voice signaling type of the voice port. If configuring a TDM group for data traffic only, do not specify the type option.

Choose from one of the following options:

 

e&m—for E&M signaling

fxo—for Foreign Exchange Office signaling (optionally, you can also specify loop-start or ground-start)

fxs—for Foreign Exchange Station signaling (optionally, you can also specify loop-start or ground-start)

e&m-melcas—for E&M Mercury Exchange Limited (MEL) Channel Associated Signaling

fxs-melcas—for Foreign Exchange Station Mercury Exchange Limited (MEL) Channel Associated Signaling

fxo-melcas—for Foreign Exchange Office Mercury Exchange Limited (MEL) Channel Associated Signaling

The melcas options apply only to E1 lines and are used primarily in the United Kingdom.


Defaults

No TDM group is configured.

Command Modes

Controller configuration

Command History

Release
Modification

11.3 MA

This command was first introduced.


Usage Guidelines

This command applies to the configuration of Voice over Frame Relay, Voice over ATM, and Voice over HDLC on the Cisco MC3810.

Channel groups, voice groups, and TDM groups all use group numbers. All group numbers configured for channel groups, voice groups and TDM groups must be unique on the local Cisco MC3810 concentrator. For example, you cannot use the same group number for both a channel group and a TDM group.

Examples

The following example configures TDM group number 20, containing DS0s 2, 5, 7, 9-12, and 21, on controller T1 1 to support FXS ground-start signaling:

controller T1 1
 mode cas
 tdm-group 20 timeslots 2,5,7,9-12,21 type fxs ground-start

Related Commands

Command
Description

mode

Sets the mode of the T1/E1 controller and enters specific configuration commands for each mode type.


template

To access the template configuration mode for configuring a particular customer profile template, use the template command in global configuration mode. To delete the template of the specified name, use the no form of this command.

template name [default | exit | multilink | no | peer | ppp]

no template name [default | exit | multilink | no | peer | ppp]

Syntax Description

name

Identifies the template.

default

(Optional) Sets the command to its defaults.

exit

(Optional) Exits from resource-manager configuration mode.

multilink

(Optional) Configures multilink parameters.

no

(Optional) Negates the command or its defaults.

peer

(Optional) Accesses peer parameters for point-to-point interfaces.

ppp

(Optional) Accesses Point-to-Point Protocol.


Defaults

No templates are configured.

Command Modes

Global configuration

Command History

Release
Modification

12.0(6)T

This command was introduced.


Usage Guidelines

All PPP and peer-default commands are enabled for a customer profile template under this grouping.

Examples

The following example shows the creation and configuration of a customer profile template named "acme-direct" and its subsequent assignment to the customer profile "acme1":

template acme-direct
 multilink max-fragments 10
 peer match aaa-pools
 peer default ip address pool acme-numbers
 ppp ipcp dns 10.1.1.1 10.2.2.2
 ppp multilink
 exit
resource-pool profile customer acme1
 source template acme-direct

Related Commands

Command
Description

source template

Attaches a configured customer profile template to a customer profile.


terminate-from

To specify the host name of the remote L2TP access concentrator (LAC) or L2TP network server (LNS) that will be required when accepting a virtual private dialup network (VPDN) tunnel, use the terminate-from command in VPDN group configuration mode. To remove the host name from the VPDN group, use the no form of this command.

terminate-from hostname host-name

no terminate-from [hostname host-name]

Syntax Description

hostname host-name

Host name from which this VPDN group will accept connections.


Defaults

Disabled

Command Modes

VPDN group configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

Before you can use this command, you must have already enabled one of the two accept VPDN subgroups by using either the accept-dialin or accept-dialout command.

Each VPDN group can only terminate from a single host name. If you enter a second terminate-from command on a VPDN group, it will replace the first terminate-from command.

Examples

The following example configures a VPDN group to accept L2TP tunnels for dialout calls from the LNS cerise by using dialer 2 as its dialing resource:

vpdn-group 1
 accept-dialout
  protocol l2tp
  dialer 2
 terminate-from hostname cerise
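A check that can be run over a configuration file or template before it is pushed, written here as an added example (not Cisco code): it flags VPDN groups that use terminate-from without an accept subgroup, L2TP accept groups that name no required peer host, and groups where a later terminate-from replaces an earlier one. The sample configuration is constructed, and skipping groups whose protocol is pppoe is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: group 1 is the page's example, groups 2-5 are variants.
SAMPLE_CONFIG = """
vpdn enable
!
vpdn-group 1
 accept-dialout
  protocol l2tp
  dialer 2
 terminate-from hostname cerise
!
vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 1
!
vpdn-group 3
 accept-dialin
  protocol pppoe
  virtual-template 1
!
vpdn-group 4
 terminate-from hostname azure
!
vpdn-group 5
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname alpha
 terminate-from hostname beta
"""


@dataclass
class VpdnGroup:
    name: str
    accepts: List[str] = field(default_factory=list)  # accept-dialin / accept-dialout
    protocol: Optional[str] = None
    peers: List[str] = field(default_factory=list)    # every terminate-from, in order

    @property
    def effective_peer(self) -> Optional[str]:
        # Page: a second terminate-from replaces the first, so the last one wins.
        return self.peers[-1] if self.peers else None


def parse_vpdn_groups(config: str) -> Dict[str, VpdnGroup]:
    """Collect the vpdn-group blocks of an IOS configuration (indented = in block)."""
    groups: Dict[str, VpdnGroup] = {}
    current: Optional[VpdnGroup] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # a top-level line opens or closes a block
            m = re.fullmatch(r"vpdn-group\s+(\S+)", line)
            current = groups.setdefault(m.group(1), VpdnGroup(m.group(1))) if m else None
            continue
        if current is None:
            continue
        words = line.split()
        if words[:2] == ["no", "terminate-from"]:
            current.peers.clear()  # the no form removes the host name
        elif words[0] in ("accept-dialin", "accept-dialout"):
            current.accepts.append(words[0])
        elif words[0] == "protocol" and len(words) > 1:
            current.protocol = words[1].lower()
        elif words[:2] == ["terminate-from", "hostname"] and len(words) == 3:
            current.peers.append(words[2])
    return groups


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (group name, finding) pairs for groups that need review."""
    findings: List[Tuple[str, str]] = []
    for g in parse_vpdn_groups(config).values():
        if g.accepts and g.protocol == "l2tp" and not g.peers:
            findings.append((g.name, "accepts-l2tp-without-terminate-from"))
        if g.peers and not g.accepts:
            findings.append((g.name, "terminate-from-without-accept"))
        if len(g.peers) > 1:
            findings.append((g.name, "terminate-from-overridden"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"vpdn-group {name}: {finding}")
```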

Related Commands

Command
Description

accept-dialin

Specifies the LNS to use for authenticating, and the virtual template to use for cloning, new virtual access interfaces when an incoming L2TP tunnel connection is requested from a specific peer.

accept-dialout

Accepts requests to tunnel L2TP dial-out calls and creates an accept-dialout VPDN subgroup.


test modem back-to-back

To diagnose an integrated modem that may not be functioning properly, use the test modem back-to-back command in EXEC mode.

test modem back-to-back first-slot/port second-slot/port

Syntax Description

first-slot/port

Slot and modem number of the first test modem. You must include the slash mark.

second-slot/port

Slot and modem number of the second test modem. You must include the slash mark.


Command Modes

EXEC

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

Use this command to perform back-to-back testing of two modems. You might need to enable this command on several different combinations of modems to determine which one is not functioning properly.

Examples

The following example performs a back-to-back modem test between modem 2/0 and modem 2/1 and removes modem 2/1 (which is associated with TTY line 26) from all dial-in and dial-out services:

Router# test modem back-to-back 2/0 2/1

back2back 2/0 2/1
Repetitions (of 10-byte packets) [1]: 

Router#

%MODEM-5-B2BCONNECT: Modems (2/0) and (2/1) connected in back-to-back test: CONNECT9600/REL-MNPM
%MODEM-5-B2BMODEMS: Modems (2/0) and (2/1) completed back-to-back test: success/packets = 2/2

Related Commands

Command
Description

modem bad

Removes an integrated modem from service and indicates it as suspected or proven to be inoperable.

test port modem back-to-back

Tests two specified ports back-to-back and transfers a specified amount of data between the ports.


test port modem back-to-back

To test two specified ports back-to-back and transfer a specified amount of data between the ports, use the test port modem back-to-back command in EXEC mode.

Cisco AS5350 and Cisco AS5400 with the NextPort Dial Feature Card (DFC)

test port modem back-to-back {slot/port}

Cisco AS5800 with the Universal Port Card (UPC)

test port modem back-to-back {shelf/slot/port}

Syntax Description

slot/port

All ports on the specified slot and SPE. For the Cisco AS5350 slot values range from 1 to 3. For the Cisco AS5400, slot values range from 1 to 7. Port values range from 0 to one less than the number of ports supported by the card. You must include the slash mark.

shelf/slot/port

All ports on the specified SPE. For the Cisco AS5800, shelf values range from 0 to 1, slot values range from 2 to 11, and port values range from 0 to 323. You must include the slash marks.


Defaults

No default behavior or values.

Command Modes

EXEC

Command History

Release
Modification

11.3

The test modem back-to-back form of this command was introduced.

12.1(1)XD

This command was implemented on the Cisco AS5400.

12.1(3)T

This command was implemented on the Cisco AS5800.

12.1(5)XM1

This command was implemented on the Cisco AS5350.

12.2(11)T

This command was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco AS5350.


Usage Guidelines

Run the test port modem back-to-back command on different combinations of ports to determine which port is good.


Note The test port modem back-to-back command is similar to the test modem back-to-back MICA technologies modem command.


Examples

The following example displays a back-to-back test:

Router# test port modem back-to-back 1/1/1

Repetitions (of 10-byte packets) [1]:
*Mar  02 12:13:51.743:%PM_MODEM_MAINT-5-B2BCONNECT:Modems (2/10) and (3/20) connected in back-to-back test:CONNECT33600/V34/LAP
*Mar  02 12:13:52.783:%PM_MODEM_MAINT-5-B2BMODEMS:Modems (3/20) and (2/10) completed back-to-back test:success/packets = 2/2

Related Commands

Command
Description

port modem autotest

Automatically and periodically performs a modem diagnostic test for modems inside the universal gateway or router.

port modem startup test

Performs diagnostic testing for all modems.

show port modem test

Displays the modem port history event log or modem test log.

test modem back-to-back

Diagnoses an integrated modem that may not be functioning properly.


timeout absolute

To specify a timeout period that controls how long a session can be connected before it is terminated, use the timeout absolute command in interface configuration mode. To remove the session timeout period, use the no form of this command.

timeout absolute minutes [seconds]

no timeout absolute

Syntax Description

minutes

Session lifetime in minutes, in the range from 0 to 71582787 minutes.

seconds

(Optional) Session lifetime in seconds, in the range from 0 to 59 seconds.


Defaults

No default behavior or values.

Command Modes

Interface configuration

Command History

Release
Modification

11.3

This command was introduced.


Examples

The following partial example shows how to impose a 15-minute (900-second) idle timeout and a 12-hour (720-minute) absolute timeout for session connections:

interface Serial0:23
 dialer idle-timeout 900
 timeout absolute 720
!
interface Serial1:23
 dialer idle-timeout 900
 timeout absolute 720
.
.
.

Related Commands

Command
Description

ppp idle timeout

Sets PPP idle timeout parameters.

dialer idle-timeout

Specifies the idle time before the line is disconnected.


timer

To set the Redundant Link Manager (RLM) timer, use the timer command in RLM configuration mode. The associated options can overwrite the default setting of timeout values. To disable this function, use the no form of this command.

timer {force-down | keepalive | minimum-up | open-wait | recovery | retransmit | switch-link} seconds

no timer {force-down | keepalive | minimum-up | open-wait | recovery | retransmit | switch-link} seconds

Syntax Description

force-down

After RLM enters the down state, RLM will stay in the down state for a certain amount of time to make sure that the remote end will also enter the down state. After this occurs, both can be forced to be in sync again. This timer can also prevent RLM links from going up and down rapidly in an unstable network environment.

keepalive

A keepalive packet will be sent out from Network Access Server (NAS) to CSC periodically.

minimum-up

After a link is recovered from the failure state and RLM is in the up state, RLM will wait for a minimum time to make sure the new recovered link is stabilized before doing any operation.

open-wait

To overcome the latency while opening several links at the same time, RLM will use this timer to wait before opening the new links, and then choose the link with the highest weighting to become the active signaling link.

recovery

When the network access server (NAS) loses the active connection to CSC, it will try to reestablish the connection within the interval specified by this command. If it fails to reestablish the connection, RLM will declare that the RLM signaling link is down.

retransmit

Because RLM is operating under UDP, it needs to retransmit the control packet if the packet is not acknowledged within this retransmit interval.

switch-link

The maximum transition period allows RLM to switch from a lower preference link to a higher preference link. If the switching link does not complete successfully before this timer expires, RLM will go into the recovery state.

seconds

Time, in seconds, before executing the designated function.


Defaults

Disabled

Command Modes

RLM configuration

Command History

Release
Modification

11.3(7)

This command was introduced.


Related Commands

Command
Description

clear interface virtual-access

Resets the hardware logic on an interface.

clear rlm group

Clears all RLM group time stamps to zero.

interface

Defines the IP addresses of the server, configures an interface type, and enters interface configuration mode.

link (RLM)

Specifies the link preference.

protocol rlm port

Reconfigures the port number for the basic RLM connection for the whole rlm-group.

retry keepalive

Allows consecutive keepalive failures a certain amount of time before the link is declared down.

server (RLM)

Defines the IP addresses of the server.

show rlm group statistics

Displays the network latency of the RLM group.

show rlm group status

Displays the status of the RLM group.

show rlm group timer

Displays the current RLM group timer values.

shutdown (RLM)

Shuts down all of the links under the RLM group.


trunk group (global)

To define a trunk group, use the trunk group command in global configuration mode. To disable the specified trunk group, use the no form of this command.

trunk group group-number [max-calls {any | voice | data} number] | [direction in | out] [max-retries retries]

no trunk group group-number

Syntax Description

group-number

Identifier for this trunk group, ranging from 1 to 1000.

max-calls [any | voice | data] number

(Optional) Specifies the maximum number of voice or data calls allowed on this trunk group or the maximum number of any type of calls allowed on this trunk group, ranging from 1 to 1000.

direction in | out

(Optional) Specifies whether the trunk group is restricted to incoming or outgoing calls.

max-retries retries

(Optional) Specifies the maximum number of outgoing call attempts when a glare situation is encountered, ranging from 1 to 5. The default value is the number of interfaces that belong to the trunk group.


Defaults

No trunk group is defined.

If the max-calls any keyword is not specified, the trunk group allows all calls, both incoming and outgoing.

The default maximum number of retries is 1.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)T

This command was introduced.


Usage Guidelines

Use this command to define the trunk group. Then if you decide to configure an interface for the Network Side ISDN PRI feature, use a trunk-group interface configuration command to assign the interface to a defined trunk group.

However, a trunk group need not be defined globally before being configured on an interface. If it has not been defined, it will be created.

The max-calls keyword set can be repeated to allow you to specify the maximum number of voice calls, the maximum number of data calls, and the maximum number of any calls.

Examples

The following example defines trunk group 101 but does not specify a maximum number of calls:

trunk group 101

The following example specifies multiple maximums. In the first version of the example, the maximums are shown on separate lines for readability, but in reality they are part of a single command:

trunk group 101 
  max-calls any 100
  max-calls voice 30
  max-calls data 60 direction in

In the second version of the example, the same command is shown in a single run-on line:

trunk group 101 max-calls any 100 max-calls voice 30 max-calls data 60 direction in

Related Commands

Command
Description

trunk-group (interface)

Assigns a PRI interface to a defined trunk group.


tunnel

To set up a network layer connection to a router, use the tunnel command in EXEC mode.

tunnel host

Syntax Description

host

Name or IP address of a specific host on a network that can be reached by the router.


Command Modes

EXEC

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

If you are a mobile user, it is often impractical to dial in to your "home" router from a remote site. The asynchronous mobility feature allows you to dial in to different routers elsewhere on the internetwork while experiencing the same server environment that you would if you were connecting directly to your home router.

This asynchronous host mobility is accomplished by packet tunneling, a technique by which raw data from the dial-in user is encapsulated and transported directly to the host site where your home router performs the actual protocol processing.

You enable asynchronous mobility by entering the tunnel command to set up a network layer connection to a specified host. From a router other than a Cisco router, however, you need to use the Telnet protocol.

After a connection is established, you receive an authentication dialog or prompt from your home router and can proceed as if you are connected directly to it. When communications are complete, the network connection can be closed and terminated from either end of the connection.

Examples

The following example establishes a network layer connection with an IBM host named mktg:

Router> tunnel mktg

virtual-profile if-needed

To specify that a virtual profile be used to create a virtual access interface only if the inbound connection requires a virtual access interface, use the virtual-profile if-needed command in global configuration mode. To create virtual access interfaces for every inbound connection, use the no form of this command.

virtual-profile if-needed

no virtual-profile if-needed

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

This command is intended to prevent the creation of virtual-access interfaces for inbound calls on physical interfaces that do not require virtual-access interfaces.

This command is compatible with local, RADIUS, and TACACS+ AAA.

Examples

The following example enables selective virtual-access interface creation:

virtual-profile if-needed

Related Commands

Command
Description

interface virtual-template

Creates a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces.

virtual-profile virtual-template

Enables virtual profiles by virtual interface template.


virtual-profile virtual-template

To enable virtual profiles by virtual interface template, use the virtual-profile virtual-template command in global configuration mode. To disable this function, use the no form of this command.

virtual-profile virtual-template number

no virtual-profile virtual-template number

Syntax Description

number

Number of the virtual template to apply, ranging from 1 to 30.


Defaults

Disabled. No virtual template is defined, and no default virtual template number is used.

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

When virtual profiles are configured by virtual templates only, any interface-specific configuration information that is downloaded from the AAA server is ignored in configuring the virtual access interface for a user.

The interface virtual-template command defines a virtual template to be used for virtual profiles. Because several virtual templates might be defined for different purposes on the router (such as MLP, PPP over ATM, and virtual profiles), it is important to be clear about the virtual template number to use in each case.

Examples

The following example configures virtual profiles by virtual templates only. The number 2 was chosen because virtual template 1 was previously defined for use by Multilink PPP.

virtual-profile virtual-template 2 

Related Commands

Command
Description

interface virtual-template

Creates a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces.


virtual-template

To specify which virtual template will be used to clone virtual access interfaces, use the virtual-template command in VPDN group configuration mode. To remove the virtual template from a virtual private dial-up network (VPDN) group, use the no form of this command.

virtual-template template-number

no virtual-template

Syntax Description

template-number

Number of the virtual template that will be used to clone virtual access interfaces.


Defaults

No virtual template is enabled.

Command Modes

VPDN group configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.1(1)T

This command was enhanced to enable PPPoE on ATM to accept dial-in PPP over Ethernet (PPPoE) sessions.

12.2(15)T

This command was enhanced to allow IP per-user attributes to be applied to a Layer 2 Tunneling Protocol (L2TP) dial-out session.


Usage Guidelines

You must first enable a tunneling protocol on the VPDN group using the protocol (VPDN) command before you can enable the virtual-template command. Removing or modifying the protocol command will remove the virtual-template command from the VPDN group.

Each VPDN group can clone only virtual access interfaces using one virtual template. If you enter a second virtual-template command on a VPDN group, it will replace the first virtual-template command.

Table 140 lists the VPDN group commands under which the virtual-template command can be entered. Entering the VPDN group command starts VPDN group configuration mode. The table includes the command-line prompt for the VPDN group configuration mode and the type of service configured.

Table 140 VPDN Subgroups

VPDN Group Command
Command Mode Prompt
Type of Service

accept-dialin

router(config-vpdn-acc-in)#

Tunnel server

request-dialout

router(config-vpdn-req-ou)#

L2TP network server (LNS)


When the virtual-template command is entered under a request-dialout VPDN subgroup, IP and other per-user attributes can be applied to an L2TP dial-out session from an LNS. Before this command was enhanced, IP per-user configurations from authentication, authorization, and accounting (AAA) servers were not supported; the IP configuration would come from the dialer interface defined on the router.

The enhanced virtual-template command works in a way similar to configuring virtual profiles and L2TP dial-in. The L2TP virtual access interface is first cloned from the virtual template, which means that configurations from the virtual template interface will be applied to the L2TP virtual access interface. After authentication, the AAA per-user configuration is applied to the virtual access interface. Because AAA per-user attributes are applied only after the user has been authenticated, the LNS must be configured to authenticate the dial-out user (configuration authentication is needed for this command).

With the enhanced virtual-template command, all software components can now use the configuration present on the virtual access interface rather than what is present on the dialer interface. For example, IP Control Protocol (IPCP) address negotiation uses the local address of the virtual access interface as the router address while negotiating with the peer.

Examples

The following example enables the LNS to accept an L2TP tunnel from an L2TP access concentrator (LAC) named LAC2. A virtual access interface will be cloned from virtual template 1.

vpdn-group 1
 accept-dialin 
  protocol l2tp 
  virtual-template 1 
 terminate-from hostname LAC2

The following example enables PPPoE on ATM to accept dial-in PPPoE sessions. A virtual access interface for the PPP session is cloned from virtual template 1.

vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1

The following partial example shows how to configure an LNS to support IP per-user configurations from a AAA server:

!
vpdn enable
vpdn search-order domain
!
vpdn-group 1
.
.
.
 request-dialout
  protocol l2tp
  rotary-group 1
  virtual-template 1
 initiate-to ip 10.0.1.194.2
 local name lns
 l2tp tunnel password 7094F3$!5^3
 source-ip 10.0.194.53
!

The previous configuration requires a AAA profile such as the following example to specify the per-user attributes:

5300-Router1-out  Password = "cisco"
     Service-Type = Outbound
     cisco-avpair = "outbound:dial-number=5553021"
7200-Router1-1  Password = "cisco"
     Service-Type = Outbound
     cisco-avpair = "ip:route=10.17.17.1 255.255.255.255 Dialer1 100 name 5300-Router1"
5300-Router1 Password = "cisco"
     Service-Type = Framed
     Framed-Protocol = PPP
     cisco-avpair = "lcp:interface-config=ip unnumbered loopback 0"
     cisco-avpair = "ip:outacl#1=deny ip host 10.5.5.5 any log"
     cisco-avpair = "ip:outacl#2=permit ip any any"
     cisco-avpair = "ip:inacl#1=deny ip host 10.5.5.5 any log"
     cisco-avpair = "ip:inacl#2=permit ip any any"
     cisco-avpair = "multilink:min-links=2"
     Framed-Route = "10.5.5.6/32 Ethernet4/0"
     Framed-Route = "10.5.5.5/32 Ethernet4/0"
     Idle-Timeout = 100

Related Commands

Command
Description

accept-dialin

Configures an LNS to accept tunneled PPP connections from a LAC and to create an accept-dialin VPDN subgroup.

protocol (VPDN)

Specifies the Layer 2 Tunneling Protocol that the VPDN subgroup will use.

request-dialout

Enables an LNS to request VPDN dial-out calls by using L2TP and to create a request-dialout VPDN subgroup.

vpdn-group

Defines a local, unique group number identifier.


vpdn aaa attribute

To enable reporting of network access server (NAS) authentication, authorization, and accounting (AAA) attributes related to a virtual private dialup network (VPDN) to the AAA server, use the vpdn aaa attribute command in global configuration mode. To disable reporting of AAA attributes related to VPDN, use the no form of this command.

vpdn aaa attribute {nas-ip-address vpdn-nas | nas-port {vpdn-nas | physical-channel-id}}

no vpdn aaa attribute {nas-ip-address vpdn-nas | nas-port}

Syntax Description

nas-ip-address vpdn-nas

Enables reporting of the VPDN NAS IP address to the AAA server.

nas-port vpdn-nas

Enables reporting of the VPDN NAS port to the AAA server.

nas-port physical-channel-id

Enables reporting of the VPDN NAS port physical channel identifier to the AAA server.


Command Default

AAA attributes are not reported to the AAA server.

Command Modes

Global configuration

Command History

Release
Modification

11.3 NA

This command was introduced.

11.3(8.1)T

This command was integrated into Cisco IOS Release 11.3(8.1)T.

12.1(5)T

This command was modified to support the PPP extended NAS-Port format.

12.2(13)T

Support was added for the physical-channel-id keyword.


Usage Guidelines

This command can be used with RADIUS or TACACS+, and is applicable only on the VPDN tunnel server.

The PPP extended NAS-Port format enables the NAS-Port and NAS-Port-Type attributes to provide port details to a RADIUS server when one of the following protocols is configured:

PPP over ATM

PPP over Ethernet (PPPoE) over ATM

PPPoE over 802.1Q VLANs

Before PPP extended NAS-Port format attributes can be reported to the RADIUS server, the radius-server attribute nas-port format command with the d keyword must be configured on both the tunnel server and the NAS, and the tunnel server and the NAS must both be Cisco routers.

Examples

The following example configures VPDN on a tunnel server and enables reporting of VPDN AAA attributes to the AAA server:

vpdn enable
vpdn-group 1
 accept-dialin
  protocol any
  virtual-template 1
!
 terminate-from hostname nas1
 local name ts1
!
vpdn aaa attribute nas-ip-address vpdn-nas
vpdn aaa attribute nas-port vpdn-nas
vpdn aaa attribute nas-port physical-channel-id

The following example configures the tunnel server for VPDN, enables AAA, configures a RADIUS AAA server, and enables reporting of PPP extended NAS-Port format values to the RADIUS server. PPP extended NAS-Port format must also be configured on the NAS for this configuration to be effective.

vpdn enable
vpdn-group L2TP-tunnel
 accept-dialin
  protocol l2tp
  virtual-template 1
!
 terminate-from hostname nas1
 local name ts1
!
aaa new-model
aaa authentication ppp default local group radius
aaa authorization network default local group radius
aaa accounting network default start-stop group radius
!
radius-server host 171.79.79.76 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server attribute nas-port format d
radius-server key ts123
!
vpdn aaa attribute nas-port vpdn-nas

Related Commands

Command
Description

radius-server attribute nas-port format

Selects the NAS-Port format used for RADIUS accounting features.


vpdn aaa override-server

To specify an authentication, authorization, and accounting (AAA) server to be used for virtual private dialup network (VPDN) tunnel authorization other than the default AAA server, use the vpdn aaa override-server global configuration command. To return to the default setting, use the no form of this command.

vpdn aaa override-server {aaa-server-ip-address | aaa-server-name}

no vpdn aaa override-server {aaa-server-ip-address | aaa-server-name}

Syntax Description

aaa-server-ip-address

The IP address of the AAA server to be used for tunnel authorization.

aaa-server-name

The name of the AAA server to be used for tunnel authorization.


Defaults

If the AAA server is not specified, the default AAA server configured for network authorization is used.

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

This command can be used with RADIUS or TACACS+, and is applicable only on the VPDN network access server (NAS). Configuring this command restricts tunnel authorization to the specified AAA servers only. This command can be used to specify multiple AAA servers.

For TACACS+ configuration, the tacacs-server directed-request command must be configured using the restricted keyword, or authorization will continue with all configured TACACS+ servers.

Examples

The following example enables AAA attributes and specifies the AAA server to be used for VPDN tunnel authorization:

aaa new-model
aaa authorization network default group radius
vpdn aaa override-server 10.1.1.1
vpdn enable
radius-server host 10.1.1.2 auth-port 1645 acct-port 1646
radius-server key Secret

Related Commands

Command
Description

aaa new-model

Enables the AAA access control model.

tacacs-server directed-request

Sends only a username to a specified server when a direct request is issued.

vpdn enable

Enables VPDN on the router and directs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is present.


vpdn aaa untagged

To apply untagged attribute values obtained from the authentication, authorization, and accounting (AAA) RADIUS server to all attribute sets for virtual private dialup network (VPDN) tunnels, use the vpdn aaa untagged command in global configuration mode. To disable this function, use the no form of this command.

vpdn aaa untagged

no vpdn aaa untagged

Syntax Description

This command has no arguments or keywords.

Defaults

Untagged attribute values are applied to all attribute sets.

Command Modes

Global configuration

Command History

Release
Modification

12.2(1)T

This command was introduced.


Usage Guidelines

Untagged attribute values obtained from the AAA RADIUS server will be applied to all attribute sets by default, unless a value for that attribute is already specified in the tagged attribute set. To prevent untagged attribute values from being applied to tagged attribute sets, use the no form of this command.

Examples

The following example disables the application of untagged attribute values to attribute sets:

no vpdn aaa untagged

vpdn authen-before-forward

To configure a network access server (NAS) to request authentication of a complete username before making a forwarding decision for all dial-in Layer 2 Tunnel Protocol (L2TP) or Layer 2 Forwarding (L2F) tunnels, use the vpdn authen-before-forward command in global configuration mode. To disable this configuration, use the no form of this command.

vpdn authen-before-forward

no vpdn authen-before-forward

Syntax Description

This command has no arguments or keywords.

Command Default

L2TP or L2F tunnels are forwarded to the tunnel server without first requesting authentication of the complete username.

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.


Usage Guidelines

To configure the NAS to perform authentication of all dial-in L2TP or L2F sessions before the sessions are forwarded to the tunnel server, configure the vpdn authen-before-forward command in global configuration mode.

To configure the NAS to perform authentication of dial-in L2TP or L2F sessions belonging to a specific VPDN group before the sessions are forwarded to the tunnel server, use the authen-before-forward command in VPDN group configuration mode.

Enabling the vpdn authen-before-forward command instructs the NAS to authenticate the complete username before making a forwarding decision based on the domain portion of the username. A user may be forwarded or terminated locally depending on the information contained in the user's RADIUS profile. Users with forwarding information in their RADIUS profile are forwarded based on that information. Users without forwarding information in their RADIUS profile are either forwarded or terminated locally based on the Service-Type in their RADIUS profile. The relationship between forwarding decisions and the information contained in the user's RADIUS profile is summarized in Table 141.

Table 141 Forwarding Decisions Based on RADIUS Profile Attributes

Forwarding Information Is
Service-Type Is Outbound
Service-Type Is Not Outbound

Present in RADIUS profile

Forward User

Forward User

Absent from RADIUS profile

Check Domain

Terminate Locally


Examples

The following example configures the NAS to request authentication of all dial-in L2TP or L2F sessions before the sessions are forwarded to the tunnel server:

vpdn authen-before-forward

Related Commands

Command
Description

authen-before-forward

Configures a NAS to request authentication of a complete username before making a forwarding decision for dial-in L2TP or L2F tunnels belonging to a VPDN group.


vpdn authorize directed-request

To enable virtual private dialup network (VPDN) authorization for directed-request users, use the vpdn authorize directed-request command in global configuration mode. To disable VPDN authorization for directed request users, use the no form of this command.

vpdn authorize directed-request

no vpdn authorize directed-request

Syntax Description

This command has no keywords or arguments.

Defaults

VPDN authorization for directed-request users is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.1

This command was introduced.


Usage Guidelines

When a username includes both a username and a domain portion, such as user@site.com, directed request configuration allows the authorization request to be sent to a specific RADIUS or TACACS+ server based on the domain name portion of the username (site.com). The vpdn authorize directed-request command must be enabled to allow VPDN authorization of any directed request user.

Directed request for RADIUS users is enabled by issuing the radius-server directed-request command. Directed request for TACACS+ users is enabled by default, and may be disabled using the no tacacs-server directed-request command. The ip host command must be configured to enable directed requests to RADIUS or TACACS+ servers.

The vpdn authorize directed-request command is usually configured on the L2TP network server (LNS). When directed requests are used on an L2TP access concentrator (LAC) in conjunction with per-user VPDN configuration, the authen before-forward command must be enabled.

Examples

The following example enables VPDN authorization and RADIUS directed requests on an LNS:

ip host site.com 10.1.1.1
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646
radius-server directed-request
vpdn authorize directed-request

The following example enables VPDN authorization and TACACS+ directed requests on an LNS:

ip host site.com 10.1.1.1 
tacacs-server host 10.1.1.1 
tacacs-server directed-request
vpdn authorize directed-request

The following example enables per-user VPDN and enables VPDN authorization for directed request users on a LAC:

vpdn-group 1
 request-dialin
  protocol l2f
  domain site.com
 !
 initiate-to ip 10.1.1.1
 local name local1
 authen before-forward
!
ip host site.com 10.1.1.1
vpdn authorize directed-request
!
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646
radius-server directed-request
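The prerequisites stated in this reference for directed requests and for vpdn aaa override-server with TACACS+ can be checked mechanically against a saved configuration. The following Python sketch is an added example, not Cisco code: the rule IDs, the function names, and the 192.0.2.x sample values are made up here, and treating a request-dialin subgroup as the marker of a per-user LAC group (or the global vpdn authen-before-forward command as satisfying the requirement) is an assumption.

```python
"""Added example: checks directed-request prerequisites stated in this reference."""

def _lines(config):
    """Command lines with blanks and '!' separators removed, whitespace stripped."""
    return [ln.strip() for ln in config.splitlines() if ln.strip() not in ("", "!")]

def _has(lines, command):
    """True if some line is exactly `command` or `command` followed by arguments."""
    return any(ln == command or ln.startswith(command + " ") for ln in lines)

def vpdn_groups(config):
    """Map each vpdn-group name to the stripped commands nested under it."""
    groups, current = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue                      # separators do not end a group
        if raw.startswith("vpdn-group "):
            current = raw.split(None, 1)[1].strip()
            groups[current] = []
        elif raw[0].isspace() and current is not None:
            groups[current].append(raw.strip())
        else:
            current = None                # the next global command closes the group
    return groups

def audit(config):
    """Return (rule_id, message) findings; the rule ids are labels invented for this example."""
    lines = _lines(config)
    radius = _has(lines, "radius-server host")
    tacacs = _has(lines, "tacacs-server host")
    authorize = _has(lines, "vpdn authorize directed-request")
    uses_vpdn = any(ln.startswith("vpdn") for ln in lines)
    findings = []

    if uses_vpdn and _has(lines, "radius-server directed-request") and not authorize:
        findings.append(("DR1", "directed requests enabled without 'vpdn authorize directed-request'"))
    if authorize:
        if not _has(lines, "ip host"):
            findings.append(("DR2", "no 'ip host' mapping for the directed-request domain"))
        if radius and not _has(lines, "radius-server directed-request"):
            findings.append(("DR3", "RADIUS server present but 'radius-server directed-request' missing"))
        if tacacs and _has(lines, "no tacacs-server directed-request"):
            findings.append(("DR4", "TACACS+ directed request has been disabled"))
        if not _has(lines, "vpdn authen-before-forward"):      # assumption: global form also counts
            for name, body in vpdn_groups(config).items():
                if "request-dialin" in body and "authen before-forward" not in body:
                    findings.append(("DR5", f"vpdn-group {name}: 'authen before-forward' missing"))
    if (_has(lines, "vpdn aaa override-server") and tacacs
            and not _has(lines, "tacacs-server directed-request restricted")):
        findings.append(("OS1", "override-server without 'tacacs-server directed-request restricted': "
                                "authorization continues with all configured TACACS+ servers"))
    return findings

# The LAC example from this page.
PAGE_LAC = """
vpdn-group 1
 request-dialin
  protocol l2f
  domain site.com
 !
 initiate-to ip 10.1.1.1
 local name local1
 authen before-forward
!
ip host site.com 10.1.1.1
vpdn authorize directed-request
!
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646
radius-server directed-request
"""

# Constructed sample that violates several prerequisites.
CONSTRUCTED_BAD = """
vpdn enable
vpdn-group 7
 request-dialin
  protocol l2tp
  domain example.net
 !
 initiate-to ip 192.0.2.10
 local name lac7
!
vpdn authorize directed-request
vpdn aaa override-server 192.0.2.20
!
radius-server host 192.0.2.20 auth-port 1645 acct-port 1646
tacacs-server host 192.0.2.30
"""

if __name__ == "__main__":
    for rule, message in audit(CONSTRUCTED_BAD):
        print(rule, message)
```
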

Related Commands

Command
Description

authen before-forward

Specifies that the VPDN sends the entire structured username to the AAA server the first time the router contacts the AAA server.

ip host

Defines a static host name-to-address mapping in the host cache.

radius-server directed-request

Allows users logging into a Cisco NAS to select a RADIUS server for authentication.

tacacs-server directed-request

Sends only a username to a specified server when a direct request is issued.


vpdn authorize domain

To enable domain preauthorization on a network access server (NAS), use the vpdn authorize domain command in global configuration mode. To disable domain preauthorization, use the no form of this command.

vpdn authorize domain

no vpdn authorize domain

Syntax Description

This command has no arguments or keywords.

Defaults

Domain preauthorization is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.1(1)DC1

This command was introduced on the Cisco 6400 NRP.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

A RADIUS domain preauthorization user profile must also be created. See the "Examples" section and refer to the latest edition of the Cisco IOS Security Configuration Guide, for information on how to create these profiles.

Examples

Domain Preauthorization Configuration on the LAC Example

The following example shows the configuration necessary for an L2TP access concentrator (LAC) to participate in domain preauthorization:

!
aaa new-model
aaa authorization network default local group radius
!
vpdn authorize domain
!
radius-server host 10.9.9.9 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d
radius-server key MyKey
radius-server vsa send authentication
!

Domain Preauthorization RADIUS User Profile Example

The following example shows a domain preauthorization RADIUS user profile:

user = nas-port:10.9.9.9:0/0/0/30.33{
 profile_id = 826
 profile_cycle = 1
 radius=Cisco {
 check_items= {
 2=cisco
 }
 reply_attributes= {
 9,1="vpdn:vpn-domain-list=net1.com,net2.com"
 6=5
 }
 }
}

vpdn domain-delimiter

To specify the characters to be used to delimit the domain prefix or domain suffix, use the vpdn domain-delimiter command in global configuration mode. To disable this function, use the no form of this command.

vpdn domain-delimiter characters [suffix | prefix]

no vpdn domain-delimiter characters [suffix | prefix]

Syntax Description

characters

One or more specific characters to be used as suffix or prefix delimiters. Available characters are %, -, @, \, #, and /.

If a backslash (\) is the last delimiter in the command line, enter it as a double backslash (\\).

suffix | prefix

(Optional) Usage of the specified characters.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.


Usage Guidelines

You can enter one vpdn domain-delimiter command to list the suffix delimiters and another vpdn domain-delimiter command to list the prefix delimiters. However, no character can be both a suffix delimiter and a prefix delimiter.

This command allows the network access server to parse a list of home gateway DNS domain names and addresses sent by an AAA server. The AAA server can store domain names or IP addresses in the following AV pair:

cisco-avpair = "lcp:interface-config=ip address 10.1.1.1 255.255.255.255.0",

cisco-avpair = "lcp:interface-config=ip address bigrouter@excellentinc.com",

Examples

The following example lists three suffix delimiters and three prefix delimiters:

vpdn domain-delimiter %-@ suffix
vpdn domain-delimiter #/\\ prefix

This example allows the following host and domain names:

cisco.com#houstonddr
houstonddr@cisco.com
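The delimiter rules above and the forwarding decision in Table 141 (vpdn authen-before-forward) can be exercised together. The following Python sketch is an added example, not IOS code: the function names are made up here, and the scan order (suffix delimiters first, split at the last occurrence, then prefix delimiters at the first occurrence), the requirement that the suffix or prefix keyword be given, and the use of these delimiters for the "Check Domain" step are assumptions, because this reference does not specify them.

```python
"""Added example: username splitting by configured delimiters, then the Table 141 decision."""

ALLOWED = set("%-@\\#/")   # characters this reference lists as available delimiters

def parse_delimiter_config(config):
    """Build suffix/prefix delimiter sets from 'vpdn domain-delimiter' lines."""
    delims = {"suffix": set(), "prefix": set()}
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] != ["vpdn", "domain-delimiter"]:
            continue
        if len(parts) != 4 or parts[3] not in delims:
            # No default usage is stated on the page, so this example requires the keyword.
            raise ValueError(f"expected '<characters> suffix|prefix': {line!r}")
        chars = set(parts[2].replace("\\\\", "\\"))   # a doubled backslash stands for one
        if not chars <= ALLOWED:
            raise ValueError(f"unsupported delimiter(s): {sorted(chars - ALLOWED)}")
        delims[parts[3]] |= chars
    both = delims["suffix"] & delims["prefix"]
    if both:   # the page's rule: no character can be both a suffix and a prefix delimiter
        raise ValueError(f"delimiter(s) used as both suffix and prefix: {sorted(both)}")
    return delims

def split_username(username, delims):
    """Return (user, domain); domain is None when no delimiter is present."""
    cut = max((username.rfind(c) for c in delims["suffix"]), default=-1)
    if cut >= 0:                                   # user<delim>domain
        return username[:cut], username[cut + 1:]
    hits = [username.find(c) for c in delims["prefix"] if c in username]
    if hits:                                       # domain<delim>user
        cut = min(hits)
        return username[cut + 1:], username[:cut]
    return username, None

def is_ambiguous(username, delims):
    """True when more than one delimiter character occurs, so the split depends on scan order."""
    every = delims["suffix"] | delims["prefix"]
    return sum(ch in every for ch in username) > 1

def forwarding_decision(has_forwarding_info, service_type, username, delims):
    """Table 141: return (decision, domain to check or None)."""
    if has_forwarding_info:
        return "forward", None
    if service_type == "Outbound":
        return "check-domain", split_username(username, delims)[1]
    return "terminate-locally", None

# The two configuration lines from the example on this page.
PAGE_CONFIG = r"""
vpdn domain-delimiter %-@ suffix
vpdn domain-delimiter #/\\ prefix
"""

if __name__ == "__main__":
    d = parse_delimiter_config(PAGE_CONFIG)
    for name in ("cisco.com#houstonddr", "houstonddr@cisco.com", "user@my-corp.example"):
        print(name, split_username(name, d), "ambiguous" if is_ambiguous(name, d) else "")
```

The last constructed name shows why a hyphen in the suffix set deserves review: a hyphenated domain contains a second delimiter, and the resulting split depends on a scan order this reference does not define.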

Related Commands

Command
Description

vpdn enable

Enables VPDN on the router and directs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is present.

vpdn-group

Sets the failure history table depth beyond the default value of 20 entries.

vpdn history failure

Enables logging of VPDN failures to the history failure table or sets the failure history table size.

vpdn profile

Specifies how the network access server for the service provider is to perform VPDN tunnel authorization searches.


vpdn enable

To enable virtual private dialup networking on the router and inform the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is present, use the vpdn enable command in global configuration mode. To disable, use the no form of this command.

vpdn enable

no vpdn enable

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

To disable a VPN tunnel, use the command clear vpdn tunnel in EXEC mode. The command no vpdn enable does not automatically disable a VPN tunnel.

Examples

The following example enables virtual private dialup networking on the router:

vpdn enable

Related Commands

Command
Description

clear vpdn tunnel

Shuts down a specified tunnel and all sessions within the tunnel.

vpdn-group

Sets the failure history table depth beyond the default value of 20 entries.

vpdn history failure

Enables logging of VPDN failures to the history failure table or sets the failure history table size.


vpdn group

To associate a virtual private dialup network (VPDN) group with a customer or VPDN profile, use the vpdn group command in customer profile or VPDN profile configuration mode. To disassociate a VPDN group from a customer or VPDN profile, use the no form of this command.

vpdn group name

no vpdn group name

Syntax Description

name

Name of the VPDN group.

Note: This name should match the name defined for the VPDN group configured with the vpdn-group command.


Defaults

No default behavior or values.

Command Modes

Customer profile configuration
VPDN profile configuration

Command History

Release
Modification

12.0(4)XI

This command was introduced.

12.0(5)T

This command was integrated into Cisco IOS Release 12.0(5)T.


Usage Guidelines

Use the vpdn group command in customer profile configuration mode or VPDN profile configuration mode to associate a VPDN group with a customer profile or a VPDN profile, respectively.

VPDN groups are created using the vpdn-group command in global configuration mode.

Examples

The following example creates the VPDN groups named l2tp and l2f, and associates both VPDN groups with the VPDN profile named profile32:

Router(config)# vpdn-group l2tp
Router(config-vpdn)#
!
Router(config)# vpdn-group l2f
Router(config-vpdn)#
!
Router(config)# resource-pool profile vpdn profile32
Router(config-vpdn-profile)# vpdn group l2tp
Router(config-vpdn-profile)# vpdn group l2f

The following example creates two VPDN groups and configures them under a customer profile named company2:

Router(config)# vpdn-group mygroup
Router(config-vpdn)#
!
Router(config)# vpdn-group yourgroup
Router(config-vpdn)#
!
Router(config)# resource-pool profile vpdn company2
Router(config-vpdn-profile)# vpdn group mygroup
Router(config-vpdn-profile)# vpdn group yourgroup

Related Commands

Command
Description

resource-pool profile customer

Creates a customer profile and enters customer profile configuration mode.

resource-pool profile vpdn

Creates a VPDN profile and enters VPDN profile configuration mode.

vpdn-group

Creates a VPDN group and enters VPDN group configuration mode.

vpdn profile

Associates a VPDN profile with a customer profile.


vpdn history failure

To enable logging of virtual private dialup network (VPDN) failures to the history failure table or to set the failure history table size, use the vpdn history failure command in global configuration mode. To disable logging of VPDN history failures or to restore the default table size, use the no form of this command.

vpdn history failure [table-size entries]

no vpdn history failure [table-size]

Syntax Description

table-size entries

(Optional) Sets the number of entries in the history failure table. Valid entries range from 20 to 50.


Defaults

VPDN failures are logged by default.
Table size: 20 entries

Command Modes

Global configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Logging of VPDN failure events is enabled by default. You can disable the logging of VPDN failure events by issuing the no vpdn history failure command.

The logging of a failure event to the history table is triggered by event logging by the syslog facility. The syslog facility creates a failure history table entry, which keeps records of failure events. The table starts with 20 entries, and the size of the table can be expanded to a maximum of 50 entries using the vpdn history failure table-size entries command. You may configure the vpdn history failure table-size entries command only if VPDN failure event logging is enabled.

All failure entries for the user are kept chronologically in the history table. Each entry records the relevant information of a failure event. Only the most recent failure event per user, unique to its name and tunnel client ID (CLID), is kept.

When the total number of entries in the table reaches the configured table size, the oldest record is deleted and a new entry is added.

Examples

The following example disables logging of VPDN failures to the history failure table:

no vpdn history failure

The following example enables logging of VPDN failures to the history table and sets the history failure table size to 40 entries:

vpdn history failure
vpdn history failure table-size 40
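
The retention rules in the Usage Guidelines above, modelled as an added example (not Cisco code and not part of the original reference). It shows how quickly an early failure record rolls out of the table at different table-size settings. The CLID values, reason strings and example.com user names are constructed, and the placement of a replaced record at the newest position is an assumption.

```python
from collections import OrderedDict

MIN_TABLE_SIZE, MAX_TABLE_SIZE = 20, 50   # valid table-size range on the page


class FailureHistoryTable:
    """Behavioural model of the VPDN failure history table (not Cisco's code)."""

    def __init__(self, table_size=MIN_TABLE_SIZE):
        if not MIN_TABLE_SIZE <= table_size <= MAX_TABLE_SIZE:
            raise ValueError("table-size must be between 20 and 50 entries")
        self.table_size = table_size
        self._entries = OrderedDict()   # (user, clid) -> record, oldest first
        self.evicted = []               # records deleted to make room

    def log_failure(self, user, clid, time, reason):
        key = (user, clid)
        if key in self._entries:
            # Only the most recent failure per user name and CLID is kept.
            # Assumption: the replacement takes the newest position.
            del self._entries[key]
        elif len(self._entries) >= self.table_size:
            # Table full: the oldest record is deleted before the new one is added.
            _, oldest = self._entries.popitem(last=False)
            self.evicted.append(oldest)
        self._entries[key] = {"user": user, "clid": clid, "time": time, "reason": reason}

    def records(self):
        """Records in chronological order, oldest first."""
        return list(self._entries.values())

    def has_record(self, user, clid):
        return (user, clid) in self._entries


def replay(table_size, events):
    """Feed (user, clid, time, reason) tuples into a fresh table and return it."""
    table = FailureHistoryTable(table_size)
    for user, clid, time, reason in events:
        table.log_failure(user, clid, time, reason)
    return table


# Constructed events: one early failure of interest followed by a burst of
# failures from other users, as seen when many dial-in sessions are refused.
EARLY = [("wilson@soam.com", 7, 0, "session-limit exceeded")]
BURST = [(f"user{i}@example.com", 100 + i, 1 + i, "authentication failed")
         for i in range(40)]

if __name__ == "__main__":
    for size in (20, 40, 50):
        table = replay(size, EARLY + BURST)
        kept = table.has_record("wilson@soam.com", 7)
        print(f"table-size {size}: early record kept={kept}, "
              f"evicted={len(table.evicted)}")
```

Because the table never holds more than 50 records, failures that must be retained for later review need to be captured elsewhere, for example through the vpdn logging command.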

Related Commands

Command
Description

show vpdn history failure

Displays the content of the failure history table.


vpdn incoming

The vpdn incoming command is replaced by the accept-dialin command. See the description of the accept-dialin command for more information.

vpdn ip udp ignore checksum

To allow the router to ignore User Datagram Protocol (UDP) checksums for Layer 2 Forwarding (L2F) and Layer 2 Tunnel Protocol (L2TP) virtual private dialup network (VPDN) traffic, use the vpdn ip udp ignore checksum command in global configuration mode. To disable the ignoring of UDP checksums, use the no form of this command.

vpdn ip udp ignore checksum

no vpdn ip udp ignore checksum

Syntax Description

This command has no arguments or keywords.

Defaults

Releases Prior to Cisco IOS Release 12.3(13)

UDP checksums are not ignored by default.

Cisco IOS Release 12.3(13) and Later Releases

UDP checksums are ignored by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.

12.3(13)

This command was modified to be enabled by default.


Usage Guidelines

Ignoring UDP checksums is beneficial when the remote tunnel endpoint uses UDP checksums and you want to use fast switching or Cisco Express Forwarding (CEF). If the remote tunnel endpoint uses UDP checksums and the vpdn ip udp ignore checksum command has been disabled, all tunnel traffic will be process-switched.

In Cisco IOS Release 12.3(13) and Cisco IOS Release 12.3(14)T this command was modified to be enabled by default.

Examples

The following example configures the router to ignore UDP checksums, allowing fast switching or CEF:

vpdn ip udp ignore checksum

The following example disables the ignoring of UDP checksums on the router:

no vpdn ip udp ignore checksum

vpdn logging

To enable the logging of virtual private dialup network (VPDN) events, use the vpdn logging command in global configuration mode. To disable the logging of VPDN events, use the no form of this command.

vpdn logging [accounting | local | remote | tunnel-drop | user]

no vpdn logging [accounting | local | remote | tunnel-drop | user]

Syntax Description

accounting

(Optional) Enables the transmission of VPDN event log messages within an authentication, authorization, and accounting (AAA) accounting record.

local

(Optional) Enables logging of VPDN events to the syslog locally.

remote

(Optional) Enables logging of VPDN events to the syslog of the remote tunnel endpoint.

tunnel-drop

(Optional) Enables logging of VPDN tunnel-drop events to the syslog.

user

(Optional) Enables logging of VPDN user events to the syslog.


Defaults

All VPDN event logging is disabled.

Command Modes

Global configuration

Command History

Release
Modification

11.3T

This command was introduced.

12.1

The user keyword was introduced in Cisco IOS Release 12.1.

12.2(15)T

The accounting keyword was introduced.

12.3

The tunnel-drop keyword was introduced in Cisco IOS Release 12.3.


Usage Guidelines

This command controls the logging of VPDN events. By default, all VPDN event logging is disabled.

To enable the logging of VPDN events to the system message logging (syslog) of the local or remote tunnel endpoint router, issue the vpdn logging command with the local or remote keyword.

To log VPDN user events or VPDN tunnel-drop events to the syslog, you must configure the vpdn logging command with the user or tunnel-drop keyword.

Configuring the vpdn logging command with the accounting keyword causes VPDN event log messages to be sent to a remote AAA server in a AAA vendor-specific attribute (VSA), allowing the correlation of VPDN call success rates with accounting records.


Note: VPDN event logging to the syslog need not be enabled to allow the reporting of VPDN event log messages to a AAA server.


You may configure as many types of VPDN event logging as you want.

Examples

The following example enables VPDN logging locally:

vpdn logging local

The following example disables VPDN event logging locally, enables VPDN event logging at the remote tunnel endpoint, and enables the logging of both VPDN user and VPDN tunnel-drop events to the syslog of the remote router:

no vpdn logging local
vpdn logging remote
vpdn logging user
vpdn logging tunnel-drop

The following example disables the logging of VPDN events to the syslog both locally and at the remote tunnel endpoint, and enables the reporting of VPDN event log messages to the AAA server:

no vpdn logging local
no vpdn logging remote
vpdn logging accounting

Related Commands

Command
Description

vpdn history failure

Enables logging of VPDN failures to the history failure table or sets the failure history table size.


vpdn multihop

To enable virtual private dialup network (VPDN) multihop, use the vpdn multihop command in global configuration mode. To disable VPDN multihop capability, use the no form of this command.

vpdn multihop

no vpdn multihop

Syntax Description

This command has no arguments or keywords.

Defaults

Multihop capability is not enabled.

Command Modes

Global configuration

Command History

Release
Modification

11.3(5)T

This command was introduced.

12.2(8)B

Support was added for dialed number identification service (DNIS)-based multihop capability.

12.2(13)T

The DNIS-based multihop capability was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

The VPDN multihop feature allows a router configured as a tunnel switch to terminate tunnels from Layer 2 access concentrators (LACs) and forward the sessions through up to four newly established Layer 2 Tunneling Protocol (L2TP) tunnels. The tunnels are selected using client-supplied matching criteria. Versions of Cisco IOS software prior to Cisco IOS Release 12.2(8)B support L2TP tunnel switching using only a user domain name or a remote tunnel name as the matching criterion.

The dialed number identification service (DNIS)-based multihop capability added a telephone number to the matching criteria for the tunnel switch. The tunnel switch can perform VPDN tunnel authorization based on a DNIS (a called telephone number), a user domain name, or ingress tunnel domain names that are mapped to specified L2TP network servers (LNSs). The order in which the client-supplied matching criteria are searched by the Cisco IOS software is determined by the vpdn search-order global configuration command.

Before using the vpdn multihop command, refer to the latest edition of the Cisco IOS Dial Technologies Configuration Guide to learn more about Multilink PPP and Multichassis Multilink PPP.

Examples

The following example shows how to configure the Cisco Multihop VPDN feature:

!
vpdn enable
vpdn multihop
vpdn search-order domain
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain cisco.com
 initiate-to ip 172.22.53.144 priority 1
 initiate-to ip 172.22.53.145 priority 1
!
l2tp tunnel password 7 secret
!

The following example shows how to configure DNIS-based multihop capability:

!
vpdn enable
vpdn multihop
!
vpdn-group 1
 accept-dialin
  protocol l2tp/l2f
  virtual-template 1
 terminate-from hostname LAC-1
 local name Multi-Hop
vpdn-group 2
 request-dialin
  protocol l2tp/l2f
  dnis 5555555
 initiate-to ip 10.10.1.1
 local name Multi-Hop
!

The following example shows a configuration where a packet traverses a VPDN tunnel over a service provider link, and then a second tunnel by traversing a hop between home gateways on the corporate network. The bundle owner is Home-Gateway1 and the stack group peer, Home-Gateway2, is specified as a peer (1.1.1.2).

vpdn multihop
username stack password hellothere
multilink virtual-template 1

sgbp group stack
sgbp member Home-Gateway2 1.1.1.2

interface virtual-template 1
ip unnumbered e0
ppp multilink
ppp auth chap

Related Commands

Command
Description

vpdn enable

Enables VPDN networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is present.

vpdn-group

Associates a VPDN group to a customer or VPDN profile.

vpdn search-order

Specifies how the service provider's network access server is to perform VPDN tunnel authorization searches.


vpdn outgoing

The vpdn outgoing command is replaced by the request-dialin command. See the description of the request-dialin command for more information.

vpdn pmtu

To manually configure a range of allowed path maximum transmission unit (MTU) sizes for a Layer 2 Tunnel Protocol (L2TP) virtual private dialup network (VPDN), use the vpdn pmtu command in global configuration mode. To restore the default value, use the no form of this command.

vpdn pmtu {maximum bytes | minimum bytes}

no vpdn pmtu

Syntax Description

maximum bytes

Sets the maximum allowed size, in bytes, for the path MTU. Valid values for the bytes argument range from 68 to 65535 bytes.

minimum bytes

Sets the minimum allowed size, in bytes, for the path MTU. Valid values for the bytes argument range from 68 to 65535 bytes.


Command Default

No maximum or minimum path MTU size is defined.

Command Modes

Global configuration

Command History

Release
Modification

12.3(25)

This command was introduced.

12.3(14)T

This command was integrated into Cisco IOS Release 12.3(14)T.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(27)SB.


Usage Guidelines

Use the vpdn pmtu command to prevent Denial of Service (DoS) attacks against L2TP VPDN deployments that are performing path MTU discovery (PMTUD). PMTUD for an L2TP VPDN is disabled by default. To enable PMTUD, use the ip pmtu command.

When PMTUD is enabled, VPDN deployments are vulnerable to DoS attacks that use crafted Internet Control Message Protocol (ICMP) "fragmentation needed and Don't Fragment (DF) bit set" (code 4) messages, also known as PMTUD attacks.

When an Internet host is performing PMTUD, crafted code 4 ICMP messages can be used to set the path MTU to an impractically low value. This will cause higher layer protocols to time out because of a very low throughput, even though the connection is still in the established state. This type of attack is classified as a throughput-reduction attack.

Use the vpdn pmtu command to configure a range of acceptable values for the path MTU when PMTUD is enabled. If the device receives a code 4 ICMP message that advertises a next-hop path MTU outside the configured size range, the device will ignore the ICMP message and display the following log message:

%VPDN-5-IGNOREICMPMTU Ignoring received ICMP Type 3 Code 4, due to pmtu min or max setting

For information on detecting a PMTUD attack on an L2TP VPDN deployment, see the Cisco Security Advisory Crafted ICMP Messages Can Cause Denial of Service.

Cisco IOS Releases that support the ip pmtu command but do not support the vpdn pmtu command are vulnerable to PMTUD attacks. To protect a device running a vulnerable version of Cisco IOS software, issue the no ip pmtu command to disable PMTUD.

For a complete list of Cisco IOS software rebuild releases that support the vpdn pmtu command, refer to the Cisco Security Advisory Crafted ICMP Messages Can Cause Denial of Service.

Examples

The following example enables PMTUD for the VPDN group named mygroup and configures the device to accept path MTU values ranging from 576 to 1460 bytes. The device will ignore code 4 ICMP messages that specify a path MTU outside of this range.

Router(config)# vpdn-group mygroup
Router(config-vpdn)# ip pmtu
!
Router(config)# vpdn pmtu maximum 1460
Router(config)# vpdn pmtu minimum 576
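
A configuration audit for the condition described above, as an added example (not Cisco code and not part of the original reference): it flags a saved configuration in which ip pmtu is enabled under a VPDN group while no vpdn pmtu bounds are set, and models which advertised next-hop MTU values the device would honour. The configuration fragments are constructed, the one-space indentation of sub-mode commands is an assumption about how the configuration is stored, and treating the configured bounds as inclusive is an assumption.

```python
import re

PMTU_VALID = range(68, 65536)   # valid bytes values per the Syntax Description

# Constructed running-config fragments (not captured from a device).
WEAK_CONFIG = """\
vpdn enable
!
vpdn-group mygroup
 request-dialin
  protocol l2tp
 ip pmtu
!
"""

HARDENED_CONFIG = WEAK_CONFIG + """\
vpdn pmtu maximum 1460
vpdn pmtu minimum 576
"""


def audit_vpdn_pmtu(config_text):
    """Report VPDN groups with PMTUD enabled and the global vpdn pmtu bounds."""
    pmtud_groups, limits, findings = [], {}, []
    group = None
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # A top-level command (or "!") ends any VPDN group sub-mode.
            group = None
            m = re.fullmatch(r"vpdn-group (\S+)", line.strip())
            if m:
                group = m.group(1)
                continue
            m = re.fullmatch(r"vpdn pmtu (maximum|minimum) (\d+)", line.strip())
            if m:
                limits[m.group(1)] = int(m.group(2))
        elif group and line.strip() == "ip pmtu":
            pmtud_groups.append(group)

    for bound, value in limits.items():
        if value not in PMTU_VALID:
            findings.append(f"vpdn pmtu {bound} {value} is outside 68-65535")
    if len(limits) == 2 and limits["minimum"] > limits["maximum"]:
        findings.append("vpdn pmtu minimum is larger than maximum")
    if pmtud_groups:
        for bound in ("minimum", "maximum"):
            if bound not in limits:
                findings.append(
                    f"PMTUD enabled in {', '.join(pmtud_groups)} "
                    f"but no vpdn pmtu {bound} is set")
    return {"pmtud_groups": pmtud_groups, "limits": limits, "findings": findings}


def accepts_icmp_mtu(next_hop_mtu, limits):
    """True if a code 4 ICMP message advertising next_hop_mtu is honoured.

    Values outside the configured range are ignored by the device; with no
    bound configured, nothing is filtered (the command default).
    """
    low, high = limits.get("minimum"), limits.get("maximum")
    if low is not None and next_hop_mtu < low:
        return False
    if high is not None and next_hop_mtu > high:
        return False
    return True


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit_vpdn_pmtu(cfg)
        print(name, report["findings"] or "no findings")
        for mtu in (68, 576, 1400, 1500):
            print(f"  next-hop MTU {mtu}: honoured="
                  f"{accepts_icmp_mtu(mtu, report['limits'])}")
```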

Related Commands

Command
Description

ip pmtu

Enables the discovery of the path MTU for Layer 2 traffic.


vpdn profile

To associate a virtual private dialup network (VPDN) profile with a customer profile, use the vpdn profile command in customer profile configuration mode. To remove a VPDN profile from a customer profile, use the no form of this command.

vpdn profile name

no vpdn profile name

Syntax Description

name

VPDN profile name.


Defaults

No default behavior or values.

Command Modes

Customer profile configuration

Command History

Release
Modification

12.0(4)XI

This command was introduced.

12.0(5)T

Support for this command was integrated into Cisco IOS Release 12.0(5)T.


Usage Guidelines

Use the vpdn profile command to associate a VPDN profile with a customer profile.

VPDN profiles can be used to combine session counting over multiple VPDN groups. This ability can be applied to customer profiles by configuring multiple VPDN groups under a VPDN profile, then associating the VPDN profile with the customer profile using the vpdn profile command.

Examples

The following example shows how to create two VPDN groups, configure the VPDN groups under a VPDN profile named profile1, then associate the VPDN profile with a customer profile named customer12:

Router(config)# vpdn-group 1
Router(config-vpdn)#
!
Router(config)# vpdn-group 2
Router(config-vpdn)#
!
Router(config)# resource-pool profile vpdn profile1
Router(config-vpdn-profile)# vpdn group 1
Router(config-vpdn-profile)# vpdn group 2
!
Router(config)# resource-pool profile customer customer12
Router(config-vpdn-customer)# vpdn profile profile1

Related Commands

Command
Description

resource-pool profile customer

Creates a customer profile.

resource-pool profile vpdn

Creates a VPDN profile and enters VPDN profile configuration mode.

vpdn group

Associates a VPDN group with a customer or VPDN profile.

vpdn-group

Creates a VPDN group and enters VPDN group configuration mode.


vpdn redirect identifier

To configure a virtual private dialup network (VPDN) redirect identifier to use for Layer 2 Tunneling Protocol (L2TP) call redirection on a stack group tunnel server, use the vpdn redirect identifier command in global configuration mode. To remove the name of the redirect identifier from the tunnel server, use the no form of this command.

vpdn redirect identifier identifier-name

no vpdn redirect identifier identifier-name

Syntax Description

identifier-name

Name of the redirect identifier to use for call redirection.


Command Default

No identifier name is configured.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)B

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

The vpdn redirect identifier command is configured on each of the stack group tunnel servers. To configure the name of the redirect identifier on the NAS, use the redirect identifier command in VPDN group configuration mode.

The NAS compares the configured redirect identifier with the one received from the stack group tunnel server to determine authorization information to redirect the call.

Configuring the redirect identifier is not necessary to perform redirects. If the redirect identifier is not configured, the NAS uses the redirect IP address in order to get authorization information to redirect the call. In that case, the IP address of the new redirected tunnel server must be present in the initiate-to command configuration of the VPDN group on the NAS.

The redirect identifier allows new stack group members to be added without the need to update the NAS configuration with their IP addresses. With the redirect identifier configured, a new stack group member can be added and given the same redirect identifier as the rest of the stack group.

If the authorization information for getting to the new redirected tunnel server is different, then you will need to configure the authorization information via RADIUS using tagged attributes:

Cisco:Cisco-Avpair = :0:"vpdn:vpdn-redirect-id=identifier name"

The NAS will choose the correct tagged parameters to get authorization information for the new redirected tunnel server by first trying to match the redirect identifier (if present) or else by matching the Tunnel-Server-Endpoint IP address.

Examples

The following example configures the redirect identifier named lns1 on a stack group tunnel server:

Router(config)# vpdn redirect identifier lns1

The following attribute-value (AV) pair configures the RADIUS server with the redirect identifier named lns1 for a tunnel server:

Cisco:Cisco-Avpair = :0:"vpdn:vpdn-redirect-id=lns1"

Related Commands

Command
Description

clear vpdn redirect

Clears the L2TP redirect counters shown in the output from the show vpdn redirect command.

redirect identifier

Configures a VPDN redirect identifier to use for L2TP call redirection on a NAS.

show vpdn redirect

Displays statistics for L2TP call redirects and forwards.

vpdn redirect

Enables L2TP redirect functionality.

vpdn redirect attempts

Restricts the number of redirect attempts possible for an L2TP call on the LAC.

vpdn redirect source

Configures the public redirect IP address of an LNS.


vpdn redirect attempts

To restrict the number of redirect attempts possible for a given Layer 2 Tunneling Protocol (L2TP) call on the L2TP access concentrator (LAC), use the vpdn redirect attempts command in global configuration mode. To revert to the default of three redirect attempts, use the no form of this command.

vpdn redirect attempts number-of-attempts

no vpdn redirect attempts number-of-attempts

Syntax Description

number-of-attempts

Number of redirect attempts in a range from 1 to 20.


Defaults

Three redirect attempts

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)B

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

Note that the number of redirect attempts is by default always restricted to three, even if this command is not explicitly configured. The only use of this command is to configure a redirect attempts value other than the default (which is always in effect).

Examples

The following example configures four redirect attempts:

Router(config)# vpdn redirect attempts 4

Related Commands

Command
Description

clear vpdn redirect

Clears the L2TP redirect counters shown in the output from the show vpdn redirect command.

show vpdn redirect

Displays statistics for L2TP call redirects and forwards.

vpdn redirect

Enables L2TP redirect functionality.

vpdn redirect identifier

Indicates the name of the VPDN redirect identifier to use for L2TP call redirection.

vpdn redirect source

Configures the public redirect IP address of an LNS.


vpdn redirect identifier

To indicate the name of the virtual private dialup network (VPDN) redirect identifier to use for Layer 2 Tunneling Protocol (L2TP) call redirection, use the vpdn redirect identifier command in global configuration mode. To remove the name of the redirect identifier from the L2TP network server (LNS) of the stack group, use the no form of this command.

vpdn redirect identifier identifier-name

no vpdn redirect identifier identifier-name

Syntax Description

identifier-name

Name of the redirect identifier to use for call redirection.


Defaults

No identifier name is configured.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)B

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

The vpdn redirect identifier command is configured on the L2TP access concentrator (LAC) and the stack group LNSs. The LAC compares this identifier with the one received from the stack group LNS to determine authorization information to redirect the call.

Note that configuring the redirect identifiers is not necessary in order to do redirects. If redirect identifiers are not configured, the LAC uses the new received redirect IP address to get authorization information to redirect the call. In that case, the IP address of the new redirected LNS must be present in the vpdn-group and initiate-to commands for the LAC configuration.

The redirect identifier allows new stack group members to be added without the need to update the LAC configuration with their IP addresses (which would be needed for redirect authorization). Now, you can add a new stack group member and give it the same redirect identifier as the rest of the stack group. The LAC configuration then need not be updated. Note that if the authorization information for getting to the new redirected LNS is different, then you will need to configure the authorization information via RADIUS using tagged attributes, as follows:

Cisco:Cisco-Avpair = :0:"vpdn:vpdn-redirect-id=<identifier name>"

The LAC will then choose the correct tagged parameters to get authorization information for the new redirected LNS by first trying to match the redirect identifier (if present) or else by matching the Tunnel-Server-Endpoint IP address.

Examples

The following example configures the redirect identifier for LNS1:

Router(config)# vpdn redirect identifier LNS1

The following AV pair configures the RADIUS server with the redirect identifier for LNS1:

Cisco:Cisco-Avpair = :0:"vpdn:vpdn-redirect-id=idforLNS1"

The following example configures the redirect identifier on the LAC:

Router(config)# vpdn-group 1
.
.
.
Router(config-vpdn)# redirect identifier lns1

Related Commands

Command
Description

clear vpdn redirect

Clears the L2TP redirect counters shown in the output from the show vpdn redirect command.

show vpdn redirect

Displays statistics for L2TP call redirects and forwards.

vpdn redirect

Enables L2TP redirect functionality.

vpdn redirect attempts

Restricts the number of redirect attempts possible for an L2TP call on the LAC.

vpdn redirect source

Configures the public redirect IP address of an LNS.


vpdn redirect source

To configure the public redirect IP address of an L2TP network server (LNS), use the vpdn redirect source command in global configuration mode. To remove the public redirect IP address of an LNS, use the no form of this command.

vpdn redirect source redirect-ip-address

no vpdn redirect source redirect-ip-address

Syntax Description

redirect-ip-address

Public redirect IP address for an LNS.


Defaults

If the vpdn redirect source command is not configured, then the IP address used for Stack Group Bidding Protocol (SGBP) bidding itself will be used as the redirect address (the public redirect address is then omitted in the bid response).

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)B

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

On the LAC, this command will have no significance.

Examples

The following example configures a public IP address as a redirect source:

Router(config)# vpdn redirect source 255.255.1.1

Related Commands

Command
Description

clear vpdn redirect

Clears the L2TP redirect counters shown in the output from the show vpdn redirect command.

show vpdn redirect

Displays statistics for L2TP call redirects and forwards.

vpdn redirect

Enables L2TP redirect functionality.

vpdn redirect attempts

Restricts the number of redirect attempts possible for an L2TP call on the LAC.

vpdn redirect identifier

Indicates the name of the VPDN redirect identifier to use for L2TP call redirection.


vpdn search-order

To specify how a network access server (NAS) or tunnel switch is to perform virtual private dialup network (VPDN) tunnel authorization searches, use the vpdn search-order command in global configuration mode. To restore the default search order, use the no form of this command.

vpdn search-order {[dnis] [domain] [multihop-hostname]}

no vpdn search-order

Syntax Description

dnis

Searches on the Dialed Number Information Service (DNIS) information.

domain

Searches on the domain name.

multihop-hostname

Searches on the hostname or tunnel ID of the ingress tunnel for a multihop tunnel switch.


Command Default

When this command is not enabled, the default is to search first on the DNIS information provided on ISDN lines, and then search on the domain name. This is equivalent to issuing the vpdn search-order dnis domain command.

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.

12.2(13)T

Support was added for the multihop-hostname option.


Usage Guidelines

To issue the vpdn search-order command, you must include at least one of the search parameter keywords. You may enter multiple keywords, and they can be entered in any order. The order of the keywords specifies the order of precedence given to the search parameters. If you do not issue a particular keyword, no search will be performed on that parameter.

Issue the multihop-hostname keyword only on a device configured as a multihop tunnel switch.

The configuration shows the vpdn search-order command setting only if the command is explicitly configured.

Examples

The following example configures a NAS to perform tunnel authorization searches based on DNIS information only:

vpdn search-order dnis

The following example configures a tunnel switch to select a tunnel destination based on the multihop hostname first, then on the domain name, and finally on the DNIS number:

vpdn search-order multihop-hostname domain dnis

Related Commands

Command
Description

multihop-hostname

Enables the tunnel switch to initiate a tunnel based on the hostname or tunnel ID of the ingress tunnel.


vpdn session-limit

To limit the number of simultaneous VPN sessions that can be established on a router, use the vpdn session-limit command in global configuration mode. To allow an unlimited number of simultaneous VPN sessions, use the no form of this command.

vpdn session-limit sessions

no vpdn session-limit

Syntax Description

sessions

Maximum number of simultaneous VPN sessions that are allowed on a router.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.0(6)T

This command was introduced.


Usage Guidelines

When this command is enabled, use the show vpdn history failure command to view records of refused attempts to establish new sessions.

Examples

The following example first sets a limit of two simultaneous VPN sessions on the router and then shows a syslog message stating that an attempt to establish a new session was refused:

Router(config)# vpdn session-limit 2
Router(config)# 
00:11:17:%VPDN-6-MAX_SESS_EXCD:L2F HGW great_went exceeded configured local session-limit and rejected user wilson@soam.com
Router(config)# 

Related Commands

Command
Description

show vpdn history failure

Displays the content of the failure history table.

vpdn softshut

Prevents new sessions from being established on a VPN tunnel without disturbing existing sessions.


vpdn softshut

To prevent new sessions from being established on a VPN tunnel without disturbing existing sessions, use the vpdn softshut command in global configuration mode. To return the VPN tunnel to active service, use the no form of this command.

vpdn softshut

no vpdn softshut

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

When this feature is enabled on a network access server (NAS), the potential session will be authorized before it is refused. This authorization ensures that accurate accounting records can be kept.

When this feature is enabled on a home gateway, the reason for the session refusal will be returned to the NAS. This information is recorded in the VPN history failure table.

When this command is enabled, use the show vpdn history failure command to view records of refused attempts to establish new sessions.

Examples

The following example first enables the vpdn softshut command and then shows a syslog message stating that an attempt to establish a new session was refused:

Router(config)# vpdn softshut
Router(config)# 
00:11:17:%VPDN-6-SOFTSHUT:L2F HGW great_went has turned on softshut and rejected user wilson@soam.com
Router(config)# 
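
A syslog triage pass over the three VPDN messages quoted in this reference (MAX_SESS_EXCD under vpdn session-limit, SOFTSHUT above, and IGNOREICMPMTU under vpdn pmtu), as an added example that is not Cisco code and not part of the original reference. The first three sample lines are the messages from this page; the remaining lines, the field layout inferred from those two rejection messages, and the review threshold are assumptions.

```python
import re
from collections import Counter

# Lines 1-3 are the messages quoted in this reference; the rest are constructed.
SAMPLE_LOG = """\
00:11:17:%VPDN-6-MAX_SESS_EXCD:L2F HGW great_went exceeded configured local session-limit and rejected user wilson@soam.com
00:11:17:%VPDN-6-SOFTSHUT:L2F HGW great_went has turned on softshut and rejected user wilson@soam.com
%VPDN-5-IGNOREICMPMTU Ignoring received ICMP Type 3 Code 4, due to pmtu min or max setting
00:12:02:%VPDN-6-MAX_SESS_EXCD:L2F HGW great_went exceeded configured local session-limit and rejected user alice@example.com
00:12:05:%VPDN-5-IGNOREICMPMTU Ignoring received ICMP Type 3 Code 4, due to pmtu min or max setting
00:12:09:%SYS-5-CONFIG_I: Configured from console by console
"""

VPDN_MSG = re.compile(
    r"%VPDN-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+)[:\s]\s*(?P<text>.*)$")
# Layout inferred from the two rejection messages on this page:
# "<protocol> <role> <hostname> ... rejected user <user>"
REJECT = re.compile(
    r"^(?P<proto>\S+) (?P<role>\S+) (?P<host>\S+) .*rejected user (?P<user>\S+)$")

ICMP_REVIEW_THRESHOLD = 2   # hypothetical: ignored-ICMP count that merits review


def triage(log_text, icmp_threshold=ICMP_REVIEW_THRESHOLD):
    """Summarise VPDN refusals and ignored PMTUD messages in a syslog extract."""
    by_mnemonic = Counter()
    rejected = {}          # user -> [(mnemonic, reporting host), ...]
    unparsed = []          # VPDN rejection lines that did not fit the layout
    for line in log_text.splitlines():
        m = VPDN_MSG.search(line)
        if not m:
            continue       # not a VPDN facility message
        mnemonic = m.group("mnemonic")
        by_mnemonic[mnemonic] += 1
        if mnemonic in ("MAX_SESS_EXCD", "SOFTSHUT"):
            r = REJECT.match(m.group("text").strip())
            if r:
                rejected.setdefault(r.group("user"), []).append(
                    (mnemonic, r.group("host")))
            else:
                unparsed.append(line)
    ignored_icmp = by_mnemonic["IGNOREICMPMTU"]
    return {
        "by_mnemonic": dict(by_mnemonic),
        "rejected": rejected,
        "ignored_icmp": ignored_icmp,
        # Repeated out-of-range code 4 messages are worth checking against
        # the advisory referenced under vpdn pmtu.
        "review_pmtud": ignored_icmp >= icmp_threshold,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for user, events in sorted(report["rejected"].items()):
        print(user, events)
    print("ignored ICMP code 4 messages:", report["ignored_icmp"],
          "review:", report["review_pmtud"])
```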

Related Commands

Command
Description

show vpdn history failure

Displays the content of the failure history table.

vpdn session-limit

Limits the number of simultaneous VPN sessions that can be established on a router.


vpdn source-ip

To globally specify an IP address that is different from the physical IP address used to open a virtual private dialup network (VPDN) tunnel, use the vpdn source-ip command in global configuration mode. To disable use of the alternate IP address, use the no form of this command.

vpdn source-ip ip-address

no vpdn source-ip ip-address

Syntax Description

ip-address

Alternate IP address.


Command Default

No alternate IP address is specified.

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.


Usage Guidelines

Use the vpdn source-ip command to specify a single alternate IP address to be used for all tunnels on the device. A single source IP address can be configured globally per device.

Use the source-ip command in VPDN group configuration mode to configure an alternate IP address to be used for only those tunnels associated with that VPDN group.

The VPDN group-level configuration will override the global configuration.

Examples

This example sets a source IP address of 172.24.48.3:

vpdn source-ip 172.24.48.3

Related Commands

Command
Description

source-ip

Specifies an IP address that is different from the physical IP address used to open a VPDN tunnel for the tunnels associated with a VPDN group.

vpdn enable

Enables VPDN on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server, if one is present.


vpdn-group

To create a virtual private dialup network (VPDN) group and to enter VPDN group configuration mode, use the vpdn-group command in global configuration mode. To delete a VPDN group, use the no form of this command.

vpdn-group name

no vpdn-group name

Syntax Description

name

Name of the VPDN group.


Defaults

No VPDN groups are defined.

Command Modes

Global configuration

Command History

Release
Modification

12.0(4)XI

This command was introduced.

12.0(5)T

This command was integrated into Cisco IOS Release 12.0(5)T.


Usage Guidelines

Issuing the vpdn-group command creates a VPDN group with the specified name and enters VPDN group configuration mode. If a VPDN group with the specified name already exists, issuing the vpdn-group command will enter VPDN group configuration mode and allow configuration of that VPDN group.

A VPDN group can be associated with a customer profile or a VPDN profile by issuing the vpdn group command in customer profile configuration mode or VPDN profile configuration mode.

Examples

The following example creates the VPDN group named l2tp and enters VPDN group configuration mode:

Router(config)# vpdn-group l2tp
Router(config-vpdn)#

The following example associates the VPDN group created in the preceding example with the VPDN profile named profile1:

Router(config)# resource-pool profile vpdn profile1
Router(config-vpdn-profile)# vpdn group l2tp

The following example creates a VPDN group named l2f and associates it with the customer profile named customer1:

Router(config)# vpdn-group l2f
!
Router(config)# resource-pool profile customer customer1
Router(config-customer-profile)# vpdn group l2f

Related Commands

Command
Description

resource-pool profile customer

Creates a customer profile and enters customer profile configuration mode.

resource-pool profile vpdn

Creates a VPDN profile and enters VPDN profile configuration mode.

vpdn group

Associates a VPDN group with a customer or VPDN profile.


vpdn-template

To create a virtual private dialup network (VPDN) template and enter VPDN template configuration mode, use the vpdn-template command in global configuration mode. To delete a VPDN template, use the no form of this command.

vpdn-template [name]

no vpdn-template [name]

Syntax Description

name

(Optional) Name of a VPDN template.


Defaults

No VPDN template exists. The system default values are applied to individual VPDN groups for any parameters that are not configured in the individual VPDN group.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)B

This command was introduced on the Cisco 7200 series and Cisco 7401ASR routers.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T without support for the name argument.

12.2(13)T

Support was added for the name argument in Cisco IOS Release 12.2(13)T.


Usage Guidelines

Use this command to configure values for VPDN parameters in a VPDN template. A single unnamed VPDN template may be configured. Multiple named VPDN templates can be configured. A VPDN group can be associated with only one VPDN template.

Values configured in the global (unnamed) VPDN template are applied to all VPDN groups by default. A VPDN group can be uncoupled from the global VPDN template, or associated with a named VPDN template. Associating a VPDN group with a named VPDN template automatically disassociates it from the global VPDN template.

The values configured in a VPDN template are applied to all associated VPDN groups, unless specific values are configured for individual VPDN groups. VPDN parameters that are not specified in the individual VPDN group or in the associated VPDN template are assigned system default values.

The hierarchy for the application of VPDN parameters to a VPDN group is as follows:

VPDN parameters configured for the individual VPDN group are always applied to that VPDN group.

VPDN parameters configured in the associated VPDN template are applied for any settings not specified in the individual VPDN group configuration.

System default settings for VPDN parameters are applied for any settings not configured in the individual VPDN group or the associated VPDN template.

Not all commands that are available for configuring a VPDN group can be used to configure a VPDN template.

Table 142 lists the commands that can be used to configure the VPDN template.

Table 142 Commands Available for VPDN Template Configuration 

Command Name
Description

default (VPDN)

Removes or resets a VPDN group or a VPDN subgroup configuration to its default value.

description

Adds a description for a VPDN group.

group session-limit

Specifies the maximum number of concurrent sessions allowed across all VPDN groups associated with a particular VPDN template.

ip mtu adjust

Enables automatic adjustment of the IP maximum transmission unit (MTU) on a virtual access interface.

ip pmtu

Enables the discovery of the path MTU for Layer 2 traffic.

ip precedence (VPDN)

Sets the precedence value in the VPDN Layer 2 encapsulation header.

ip tos (VPDN)

Sets the type of service (ToS) bits in the VPDN Layer 2 encapsulation header.

l2f ignore-mid-sequence

Configures the router to ignore message identifier (MID) sequence numbers for sessions in a Layer 2 Forwarding (L2F) tunnel.

l2f tunnel busy timeout

Configures the amount of time that the router will wait before attempting to recontact an L2F peer that was previously busy.

l2f tunnel retransmit initial retries

Configures the number of times that the router will attempt to send the initial control packet for tunnel establishment before considering an L2F peer busy.

l2f tunnel retransmit retries

Configures the number of times the router will attempt to resend an L2F tunnel control packet before tearing the tunnel down.

l2f tunnel timeout setup

Configures the amount of time that the router will wait for a confirmation message after sending out the initial L2F control packet before considering a peer busy.

l2tp drop out-of-order

Instructs a NAS or tunnel server using L2TP to drop packets that are received out of order.

l2tp hidden

Enables L2TP attribute-value (AV) pair hiding, which encrypts the value of sensitive AV pairs.

l2tp ip udp checksum

Enables IP User Datagram Protocol (UDP) checksums on L2TP payload packets.

l2tp security crypto-profile

Configures IP Security (IPSec) protection of L2TP sessions associated with a VPDN group.

l2tp sequencing

Enables sequencing for packets sent over an L2TP tunnel.

l2tp tunnel authentication

Enables L2TP tunnel authentication.

l2tp tunnel bearer capabilities

Sets the bearer-capability value used by the Cisco router.

l2tp tunnel busy timeout

Configures the amount of time that the router will wait before attempting to recontact an L2TP peer that was previously busy.

l2tp tunnel framing capabilities

Sets the framing-capability value used by the Cisco router.

l2tp tunnel hello

Sets the number of seconds between sending hello keepalive packets for an L2TP tunnel.

l2tp tunnel password

Sets the password the router will use to authenticate the tunnel.

l2tp tunnel receive-window

Configures the number of packets allowed in the local receive window for an L2TP control channel.

l2tp tunnel retransmit initial retries

Configures the number of times that the router will attempt to send out the initial L2TP control packet for tunnel establishment before considering a peer busy.

l2tp tunnel retransmit initial timeout

Configures the amount of time that the router will wait before resending an initial L2TP control packet out to establish a tunnel.

l2tp tunnel retransmit retries

Configures the number of retransmission attempts made for an L2TP control packet.

l2tp tunnel retransmit timeout

Configures the amount of time that the router will wait before resending an L2TP control packet.

l2tp tunnel timeout no-session

Configures the time a router waits after an L2TP tunnel becomes empty before tearing down the tunnel.

l2tp tunnel timeout setup

Configures the amount of time that the router will wait for a confirmation message after sending out the initial L2TP control packet before considering a peer busy.

l2tp tunnel zlb delay

Configures the delay time before a zero length bit (ZLB) control message must be acknowledged.

local name

Specifies a local hostname that the tunnel will use to identify itself.

pptp flow-control receive-window

Specifies how many packets the Point-to-Point Tunnel Protocol (PPTP) client can send before it must wait for the acknowledgment from the tunnel server.

pptp flow-control static-rtt

Specifies the timeout interval of the PPTP tunnel server between sending a packet to the client and receiving a response.

pptp tunnel echo

Specifies the period of idle time on the PPTP tunnel that will trigger an echo message from the tunnel server to the client.

redirect identifier

Configures a VPDN redirect identifier to use for L2TP call redirection on a NAS.

vpn

Specifies that the source and destination IP addresses of a given VPDN group belong to a specified VPN routing and forwarding instance (VRF).


Examples

The following example enters VPDN template configuration mode and configures two VPDN parameters in the global VPDN template:

Router(config)# vpdn-template
Router(config-vpdn-templ)# local name myrouter
Router(config-vpdn-templ)# ip mtu adjust

The following example creates a VPDN template named l2tp, enters VPDN template configuration mode, configures two VPDN parameters in the VPDN template, and associates the VPDN group named l2tptunnels with the VPDN template:

Router(config)# vpdn-template l2tp
Router(config-vpdn-templ)# l2tp tunnel busy timeout 65
Router(config-vpdn-templ)# l2tp tunnel password 7 tunnel4me
!
Router(config)# vpdn-group l2tptunnels
Router(config-vpdn)# source vpdn-template l2tp

The following example configures a VPDN template called customer1 and applies a group session limit of 50 to all VPDN groups associated with that VPDN template:

Router(config)# vpdn-template customer1
Router(config-vpdn-templ)# group session-limit 50
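
The parameter hierarchy described under Usage Guidelines can be checked offline against a saved configuration. The following Python sketch is an added example, not Cisco code: for each VPDN group it reports whether a setting comes from the group itself, the associated template, or the system default. It assumes running-config style input, covers only a subset of the Table 142 commands, and assumes that `no source vpdn-template` is how a group appears when uncoupled from the global template; the function names and the sample configuration are constructed for illustration.

```python
import re

# Subset of the Table 142 commands. Longest names first, so the rest of a
# matching line is taken as that command's argument.
TEMPLATE_COMMANDS = sorted(
    ["ip mtu adjust", "ip pmtu", "l2tp hidden", "l2tp security crypto-profile",
     "l2tp tunnel authentication", "l2tp tunnel busy timeout",
     "l2tp tunnel hello", "l2tp tunnel password", "local name", "vpn"],
    key=len, reverse=True)
GLOBAL = ""  # key for the single unnamed (global) VPDN template

# Constructed sample, built from the commands used in the examples above.
SAMPLE_CONFIG = """\
vpdn-template
 local name myrouter
 ip mtu adjust
!
vpdn-template l2tp
 l2tp tunnel busy timeout 65
 l2tp tunnel password 7 tunnel4me
!
vpdn-group l2tptunnels
 source vpdn-template l2tp
 l2tp tunnel busy timeout 30
!
vpdn-group plain
 request-dialin
  protocol l2tp
 !
 initiate-to ip 172.16.1.1
!
vpdn-group standalone
 no source vpdn-template
"""


def split_command(line):
    """Return (command, value) for a known template command, else None."""
    negated = line.startswith("no ")
    body = line[3:] if negated else line
    for cmd in TEMPLATE_COMMANDS:
        if body == cmd or body.startswith(cmd + " "):
            arg = body[len(cmd):].strip()
            return cmd, ("no" if negated else (arg or "enabled"))
    return None


def parse(config):
    """Split the configuration into VPDN template and VPDN group sections."""
    templates, groups, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line starts a new section
            m = re.fullmatch(r"vpdn-(template|group)(?:\s+(\S+))?", line)
            if m and m.group(1) == "template":
                current = templates.setdefault(m.group(2) or GLOBAL, {"params": {}})
            elif m and m.group(2):
                # Groups use the global template unless told otherwise.
                current = groups.setdefault(
                    m.group(2), {"template": GLOBAL, "params": {}})
            else:
                current = None
            continue
        if current is None:
            continue
        m = re.fullmatch(r"(no )?source vpdn-template(?:\s+(\S+))?", line)
        if m and "template" in current:
            # Assumption: the no form leaves the group with no template at all.
            current["template"] = None if m.group(1) else (m.group(2) or GLOBAL)
            continue
        parsed = split_command(line)
        if parsed:
            current["params"][parsed[0]] = parsed[1]
    return templates, groups


def effective_settings(config):
    """Map group -> command -> (value, source) using the documented hierarchy."""
    templates, groups = parse(config)
    result = {}
    for name, group in groups.items():
        tname = group["template"]
        tparams = templates.get(tname, {}).get("params", {})
        label = "global template" if tname == GLOBAL else f"template {tname}"
        effective = {}
        for cmd in TEMPLATE_COMMANDS:
            if cmd in group["params"]:      # 1. the group's own setting
                effective[cmd] = (group["params"][cmd], "group")
            elif cmd in tparams:            # 2. the associated template
                effective[cmd] = (tparams[cmd], label)
            else:                           # 3. nothing configured
                effective[cmd] = (None, "system default")
        result[name] = effective
    return result
```

In the sample, the group l2tptunnels no longer inherits `local name` from the global template, because associating it with the named template l2tp disassociates it from the global one.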

Related Commands

Command
Description

group session-limit

Specifies the maximum number of concurrent sessions allowed across all VPDN groups associated with a particular VPDN template.

source vpdn-template

Associates a VPDN group with a VPDN template.

vpdn-group

Creates a VPDN group and enters VPDN group configuration mode.


vpn

To specify that the source and destination IP addresses of a given virtual private dialup network (VPDN) group belong to a specified VPN routing and forwarding (VRF) instance, use the vpn command in VPDN group or VPDN template configuration mode. To disassociate all IP addresses in a VPDN group from a VRF, use the no form of this command.

vpn {vrf vrf-name | id vpn-id}

no vpn

Syntax Description

vrf vrf-name

Name of the VRF to be associated with the IP addresses of the VPDN group.

id vpn-id

Virtual Private Network (VPN) ID of the VRF to be associated with the IP addresses of the VPDN group.


Command Default

VPDN groups are not associated with a VRF.

Command Modes

VPDN group configuration
VPDN template configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use the vpn command to configure the Cisco IOS software to look up a VPDN source or destination IP address in a specific VPN routing table instead of the global routing table.

Before you can issue the vpn command, a VRF instance must be created using the ip vrf command.

The vpn command can be used with both dial-in and dial-out VPDN scenarios.

Examples

The following example associates the IP addresses configured in the VPDN group named group1 with the VRF named vrf-second:

vpdn-group group1
 request-dialin
  protocol l2tp
 !
 vpn vrf vrf-second
 source-ip 172.16.1.9
 initiate-to ip 172.16.1.1

The following example associates the IP addresses configured in the VPDN group named group2 with the VPN ID 11:2222:

vpdn-group group2
 request-dialin
  protocol l2tp
!
 vpn id 11:2222
 source-ip 172.16.1.9
 initiate-to ip 172.16.1.1

Related Commands

Command
Description

ip vrf

Configures a VRF routing table.

show ip route

Displays all static IP routes, or those installed using the AAA route download function.

show vpdn session

Displays information about active L2TP or L2F sessions in a VPDN.

show vpdn tunnel

Displays information about active L2TP or L2F tunnels in a VPDN.

vpdn-group

Creates a VPDN group and enters VPDN group configuration mode.

vpdn-template

Creates a VPDN template and enters VPDN template configuration mode.


vty-async

To configure all virtual terminal lines on a router to support asynchronous protocol features, use the vty-async command in global configuration mode. To disable asynchronous protocol features on virtual terminal lines, use the no form of this command.

vty-async

no vty-async

Syntax Description

This command has no arguments or keywords.

Defaults

By default, asynchronous protocol features are not enabled on virtual terminal lines.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

The vty-async command extends asynchronous protocol features from physical asynchronous interfaces to virtual terminal lines. Normally, SLIP and PPP can function only on asynchronous interfaces, not on virtual terminal lines. However, extending asynchronous functionality to virtual terminal lines permits you to run SLIP and PPP on these virtual asynchronous interfaces. One practical benefit is the ability to tunnel SLIP and PPP over X.25 PAD, thus extending remote node capability into the X.25 area. You can also tunnel SLIP and PPP over Telnet or LAT on virtual terminal lines. To tunnel SLIP and PPP over X.25, LAT, or Telnet, you use the protocol translation feature in the Cisco IOS software.

To tunnel SLIP or PPP inside X.25, LAT, or Telnet, you can use two-step protocol translation or one-step protocol translation, as follows:

If you are tunneling SLIP or PPP using the two-step method, you need to first enter the vty-async command. Next, you perform two-step translation.

If you are tunneling SLIP or PPP using the one-step method, you do not need to enter the vty-async command. You need to issue only the translate command with the SLIP or PPP keywords, because the translate command automatically enables asynchronous protocol features on virtual terminal lines.

Examples

The following example enables asynchronous protocol features on virtual terminal lines:

vty-async

Related Commands

Command
Description

ppp

Starts an asynchronous connection using PPP.

slip

Starts a serial connection to a remote host using SLIP.

translate

Enables asynchronous protocol features on virtual terminal lines.


vty-async dynamic-routing

To enable dynamic routing on all virtual asynchronous interfaces, use the vty-async dynamic-routing command in global configuration mode. To disable asynchronous protocol features on virtual terminal lines, and therefore disable routing on virtual terminal lines, use the no form of this command.

vty-async dynamic-routing

no vty-async dynamic-routing

Syntax Description

This command has no arguments or keywords.

Defaults

Dynamic routing is not enabled on virtual asynchronous interfaces.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

This feature enables IP routing on virtual asynchronous interfaces. When you issue this command and a user later makes a connection to another host using SLIP or PPP, the user must specify /routing on the SLIP or PPP command line.

If you have not previously entered the vty-async command, the vty-async dynamic-routing command creates virtual asynchronous interfaces, and then enables dynamic routing on them.

Examples

The following example enables dynamic routing on virtual asynchronous interfaces:

vty-async dynamic-routing 

Related Commands

Command
Description

async dynamic routing

Enables manually configured routing on an asynchronous interface.

vty-async

Configures all virtual terminal lines on a router to support asynchronous protocol features.


vty-async header-compression

To compress the headers of all TCP packets on virtual asynchronous interfaces, use the vty-async header-compression command in global configuration mode. To disable virtual asynchronous interfaces and header compression, use the no form of this command.

vty-async header-compression [passive]

no vty-async header-compression

Syntax Description

passive

(Optional) Outgoing packets are compressed only when TCP incoming packets on the same virtual asynchronous interface are compressed. For SLIP, if you do not specify this option, the Cisco IOS software will compress all traffic. The default is no compression. For PPP, the Cisco IOS software always negotiates header compression.


Defaults

Header compression is not enabled on virtual asynchronous interfaces.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

This feature compresses the headers on TCP/IP packets on virtual asynchronous connections to reduce the size of the packets and to increase performance. This feature compresses only the TCP header, so it has no effect on UDP packets or other protocol headers. The TCP header compression technique, described fully in RFC 1144, is supported on virtual asynchronous interfaces using SLIP or PPP encapsulation. You must enable compression on both ends of a connection.

Examples

The following example compresses outgoing TCP packets on virtual asynchronous interfaces only if incoming TCP packets are compressed:

vty-async header-compression passive

Related Commands

Command
Description

async dynamic routing

Enables manually configured routing on an asynchronous interface.


vty-async ipx ppp-client loopback

To enable IPX-PPP on virtual terminal lines, use the vty-async ipx ppp-client loopback command in global configuration mode. To disable IPX-PPP sessions on virtual terminal lines, use the no form of this command.

vty-async ipx ppp-client loopback number

no vty-async ipx ppp-client loopback

Syntax Description

number

Number of the loopback interface configured for IPX to which the virtual terminal lines are assigned.


Defaults

IPX over PPP is not enabled on virtual terminal lines.

Command Modes

Global configuration

Command History

Release
Modification

11.0

This command was introduced.


Usage Guidelines

This command enables users to log into the router from a device running a virtual terminal protocol, then issue the PPP command at the EXEC prompt to connect to a remote device.

A loopback interface must already have been defined and an IPX network number must have been assigned to the loopback interface before the vty-async ipx ppp-client loopback command will permit IPX-PPP on virtual terminal lines.

Examples

The following example enables IPX over PPP on virtual terminal lines:

ipx routing ramana
interface loopback0
 ipx network 12345
vty-async ipx ppp-client loopback0

Related Commands

Command
Description

interface loopback

Creates a loopback interface.

ipx network

Enables IPX routing on a particular interface and optionally selects the type of encapsulation (framing).


vty-async keepalive

To change the frequency of keepalive packets on all virtual asynchronous interfaces, use the vty-async keepalive command in global configuration mode. To disable asynchronous protocol features on virtual terminal lines, use the no vty-async keepalive command. To disable keepalive packets on virtual terminal lines, use the vty-async keepalive 0 command.

vty-async keepalive seconds

no vty-async keepalive

vty-async keepalive 0

Syntax Description

seconds

Frequency, in seconds, with which the Cisco IOS software sends keepalive messages to the other end of a virtual asynchronous interface. To disable keepalive packets, use a value of 0. The active keepalive interval range is 1 to 32767 seconds. Keepalive is disabled by default.


Defaults

Keepalive is disabled.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

Use this command to change the frequency of keepalive updates on virtual asynchronous interfaces, or to disable keepalive updates. To determine if keepalive is enabled on an interface, use the show running-config command. If the router has not received a keepalive packet after three update intervals have passed, the connection is considered down.

Examples

The following example sets the keepalive interval to 30 seconds:

vty-async keepalive 30

The following example sets the keepalive interval to 0 (off):

vty-async keepalive 0

Related Commands

Command
Description

keepalive

Sets the keepalive timer for a specific interface.

show running-config

Displays the contents of the currently running configuration file.


vty-async mtu

To set the maximum transmission unit (MTU) size on virtual asynchronous interfaces, use the vty-async mtu command in global configuration mode. To disable asynchronous protocol features on virtual terminal lines, use the no form of this command.

vty-async mtu bytes

no vty-async

Syntax Description

bytes

MTU size of IP packets that the virtual asynchronous interface can support. The default MTU is 1500 bytes. Valid values for the MTU range from 64 bytes to 1000000 bytes.


Defaults

1500 bytes

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

Use this command to modify the MTU for packets on virtual asynchronous interfaces. You might want to change to a smaller MTU size for IP packets transmitted on a virtual terminal line configured for asynchronous functions for any of the following reasons:

The SLIP or PPP application at the other end only supports packets up to a certain size.

You want to ensure a shorter delay by using smaller packets.

The host echoing takes longer than 0.2 seconds.

Do not change the MTU size unless the SLIP or PPP implementation running on the host at the other end of the virtual asynchronous interface supports reassembly of IP fragments. Because each fragment occupies a spot in the output queue, it might also be necessary to increase the size of the SLIP or PPP hold queue if your MTU size is such that you might have a large number of packet fragments in the output queue.

Examples

The following example sets the MTU for IP packets to 256 bytes:

vty-async mtu 256

Related Commands

Command
Description

mtu

Adjusts the maximum packet size or MTU size.


vty-async ppp authentication

To enable PPP authentication on virtual asynchronous interfaces, use the vty-async ppp authentication command in global configuration mode. To disable PPP authentication, use the no form of this command.

vty-async ppp authentication {chap | pap}

no vty-async ppp authentication {chap | pap}

Syntax Description

chap

Enables CHAP on all virtual asynchronous interfaces.

pap

Enables PAP on all virtual asynchronous interfaces.


Defaults

No CHAP or PAP authentication for PPP.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

This command configures the virtual asynchronous interface to authenticate using either CHAP or PAP while running PPP. After you have enabled CHAP or PAP, the local router requires a password from remote devices. If the remote device does not support CHAP or PAP, no traffic will be passed to that device.

Examples

The following example enables CHAP authentication for PPP sessions on virtual asynchronous interfaces:

vty-async ppp authentication chap

Related Commands

Command
Description

ppp bap call

Sets PPP BACP call parameters.

ppp use-tacacs

Enables TACACS for PPP authentication.

vty-async

Configures all virtual terminal lines on a router to support asynchronous protocol features.

vty-async ppp use-tacacs

Enables TACACS authentication for PPP on virtual asynchronous interfaces.


vty-async ppp use-tacacs

To enable TACACS authentication for PPP on virtual asynchronous interfaces, use the vty-async ppp use-tacacs command in global configuration mode. To disable TACACS authentication on virtual asynchronous interfaces, use the no form of this command.

vty-async ppp use-tacacs

no vty-async ppp use-tacacs

Syntax Description

This command has no arguments or keywords.

Defaults

TACACS for PPP is disabled.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

This command requires the extended TACACS server.

After you have enabled TACACS, the local router requires a password from remote devices.

This feature is useful when integrating TACACS with other authentication systems that require a clear-text version of a user's password. Such systems include one-time password systems and token card systems.

If the username and password are contained in the CHAP password, the CHAP secret is not used by the router. Because most PPP clients require that a secret be specified, you can use any arbitrary string; Cisco IOS software ignores it.

You cannot enable TACACS authentication for SLIP on asynchronous or virtual asynchronous interfaces.

Examples

The following example enables TACACS authentication for PPP sessions:

vty-async ppp use-tacacs

Related Commands

Command
Description

ppp use-tacacs

Enables TACACS for PPP authentication.

vty-async ppp authentication

Enables PPP authentication on virtual asynchronous interfaces.


vty-async virtual-template

To configure virtual terminal lines to support asynchronous protocol functions based on the definition of a virtual interface template, use the vty-async virtual-template command in global configuration mode. To disable virtual interface templates for asynchronous functions on virtual terminal lines, use the no form of this command.

vty-async virtual-template number

no vty-async virtual-template

Syntax Description

number

Virtual interface number.


Defaults

Asynchronous protocol features are not enabled by default on virtual terminal lines.

Command Modes

Global configuration

Command History

Release
Modification

10.3

The vty-async command was introduced.

11.3

The vty-async virtual-template command was introduced.


Usage Guidelines

The vty-async virtual-template command enables you to support tunneling of SLIP or PPP across X.25, TCP, or LAT networks by using two-step protocol translation.

Before issuing the vty-async virtual-template command, create and configure a virtual interface template by using the interface virtual-template command. Configure this virtual interface as a regular asynchronous serial interface. That is, assign the virtual interface template the IP address of the Ethernet interface, and configure addressing, just as on an asynchronous interface. You can also enter commands in interface configuration mode that compress TCP headers or configure CHAP authentication for PPP.

After creating a virtual interface template, apply it by issuing the vty-async virtual-template command. When a user dials in through a virtual terminal line, the router creates a virtual access interface, which is a temporary interface that supports the asynchronous protocol configuration specified in the virtual interface template. This virtual access interface is created dynamically, and is freed up as soon as the connection drops.

Before virtual templates were implemented, you could use the vty-async command to extend asynchronous protocol functions from physical asynchronous interfaces to virtual terminal lines. However, in doing so, you created a virtual asynchronous interface, rather than the virtual access interface. The difference is that the virtual asynchronous interfaces are allocated permanently, whereas the virtual access interfaces are created dynamically when a user calls in and closed down when the connection drops.

You can have up to 25 virtual template interfaces, but you can apply only one template to vty-async interfaces on a router. There can be up to 300 virtual access interfaces on a router.

Examples

The following example enables asynchronous protocol features on virtual terminal lines:

vty-async
vty-async virtual-template 1
vty-async dynamic-routing
vty-async header-compression
!
interface virtual-template1
 ip unnumbered Ethernet0
 encapsulation ppp
 no peer default ip address
 ppp authentication chap 
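
Because PPP authentication is off by default on virtual asynchronous interfaces (see vty-async ppp authentication), a saved configuration can be checked for vty-async being enabled without it. The following Python sketch is an added example, not Cisco code. It assumes that any vty-async global command enables asynchronous protocol features on the virtual terminal lines, and that authentication configured either globally or in the applied virtual interface template is sufficient. The function name, the finding codes, and the two weak sample configurations are constructed for illustration; PAP is flagged because it sends the password in clear text.

```python
import re

# The vty-async virtual-template example from this page (CHAP in the template).
PAGE_EXAMPLE = """\
vty-async
vty-async virtual-template 1
vty-async dynamic-routing
vty-async header-compression
!
interface virtual-template1
 ip unnumbered Ethernet0
 encapsulation ppp
 no peer default ip address
 ppp authentication chap
"""

# Constructed weak configurations for comparison.
NO_AUTH = """\
vty-async
vty-async dynamic-routing
"""
PAP_UNDEFINED_TEMPLATE = """\
vty-async virtual-template 2
vty-async ppp authentication pap
"""


def audit_vty_async(config):
    """Return finding codes for PPP authentication on vty-async lines."""
    vty_cmds, templates, block = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():
            # Indented line: keep it only if we are inside a virtual template.
            if block is not None:
                block.append(line)
            continue
        block = None
        m = re.fullmatch(r"interface\s+virtual-template\s*(\d+)", line, re.I)
        if m:
            block = templates.setdefault(int(m.group(1)), [])
        elif line.startswith("vty-async"):
            vty_cmds.append(line)

    if not vty_cmds:
        return []  # asynchronous protocol features are not enabled on the VTYs

    methods, findings = set(), []
    for cmd in vty_cmds:
        m = re.fullmatch(r"vty-async ppp authentication (chap|pap)", cmd)
        if m:
            methods.add(m.group(1))
        elif cmd == "vty-async ppp use-tacacs":
            methods.add("tacacs")
        m = re.fullmatch(r"vty-async virtual-template (\d+)", cmd)
        if m:
            number = int(m.group(1))
            if number not in templates:
                # The template must be created before it is applied.
                findings.append(f"TEMPLATE_UNDEFINED:{number}")
            for sub in templates.get(number, []):
                if sub.startswith("ppp authentication "):
                    methods.update(
                        t for t in sub.split()[2:] if t in ("chap", "pap"))

    if not methods:
        findings.append("NO_PPP_AUTH")   # default: no CHAP or PAP for PPP
    if "pap" in methods:
        findings.append("PAP_ENABLED")   # password crosses the link in clear text
    return findings
```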

Related Commands

Command
Description

interface virtual-template

Creates a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces.

ppp

Starts an asynchronous connection using PPP.

slip

Starts a serial connection to a remote host using SLIP.

translate lat

Translates a LAT connection request automatically to another outgoing protocol connection.

translate tcp

Translates a TCP connection request automatically to another outgoing protocol connection.

translate x25

Translates an X.25 connection request automatically to another outgoing protocol connection.

vty-async

Configures all virtual terminal lines on a router to support asynchronous protocol features.


x25 aodi

To enable the Always On/Dynamic ISDN (AO/DI) client on an interface, use the x25 aodi command in interface configuration mode. To remove AO/DI client functionality, use the no form of this command.

x25 aodi

no x25 aodi

Syntax Description

This command has no arguments or keywords.

Defaults

AO/DI client is not enabled.

Command Modes

Interface configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to enable the AO/DI client on an interface.

Examples

The following example enables the AO/DI client on the interface running X.25, using the x25 aodi command:

interface bri0
 isdn x25 dchannel
 isdn x25 static-tei 8
interface bri0:0
 x25 aodi
 x25 address 12135551234
 x25 htc 4
 x25 win 3
 x25 wout 3
 x25 map ppp 12135556789 interface dialer 1

Note Configuring the BRI interface with the isdn x25 dchannel command creates a configurable interface (bri 0:0) for other necessary X.25 commands. Refer to the description for this command earlier in this publication for additional information about this command.


Related Commands

Command
Description

isdn x25 dchannel

Creates a configurable interface for X.25 traffic over the ISDN D channel.


x25 map ppp

To enable a PPP session over the X.25 protocol, use the x25 map ppp command in interface configuration mode. To remove a prior mapping, use the no form of this command.

x25 map ppp x121-address interface cloning-interface [no-outgoing]

no x25 map ppp x121-address interface cloning-interface [no-outgoing]

Syntax Description

x121-address

X.121 address as follows:

Client side—The calling number.

Server side—The called number.

interface cloning-interface

Interface to be used for cloning the configuration.

no-outgoing

(Optional) Ensures that the X.25 map does not originate calls.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use the x25 map ppp command to allow a PPP session to run over X.25.

The interface keyword refers to the interface that will be used to clone the configuration.


Note For the x25 map command used in standard X.25 implementations, refer to the Cisco IOS Wide-Area Networking Command Reference publication.


Examples

Client Examples

The following example enables the AO/DI client on the interface and configures the D channel (BRI interface 0:0) with the x25 map statement in order to allow PPP sessions over X.25 encapsulation with the configured AO/DI server:

interface BRI0:0
 x25 address 16193368208 
 x25 aodi 
 x25 htc 4 
 x25 win 3 
 x25 wout 3 
 x25 map ppp 16193368209 interface dialer 1

Server Examples

The following example enables the AO/DI server to receive calls from the AO/DI client and configures the D channel (BRI0:0) with the x25 map statement, which allows PPP sessions over X.25 encapsulation with the configured AO/DI client. The no-outgoing option is used with the x25 map command because the AO/DI server receives calls rather than initiating them.

interface BRI0:0 
 x25 address 16193368209
 x25 htc 4 
 x25 win 3 
 x25 wout 3 
 x25 map ppp 16193368208 interface dialer 1 no-outgoing

Note Configuring the BRI interface with the isdn x25 dchannel command creates a configurable interface (bri 0:0).


Related Commands

Command
Description

isdn x25 dchannel

Creates a configurable interface for X.25 traffic over the ISDN D channel.