Feedback
Table Of Contents
Configuring NAS-Initiated Dial-In VPDN Tunneling
Prerequisites for Configuring NAS-Initiated Dial-In VPDN Tunneling
Restrictions for Configuring NAS-Initiated Dial-In VPDN Tunneling
Information About NAS-Initiated Dial-In VPDN Tunneling
NAS-Initiated Dial-in VPDN Tunneling
L2TP Calling Station ID Suppression
How to Configure NAS-Initiated Dial-In VPDN Tunneling
Configuring the NAS to Request Dial-In VPDN Tunnels
Configuring the Tunnel Server to Accept Dial-In VPDN Tunnels
Configuring the Virtual Template on the Tunnel Server
Verifying a NAS-Initiated VPDN Configuration
Verifying and Troubleshooting Tunnel Establishment Between the NAS and the Tunnel Server
Verifying the Connection Between the Client and the NAS
Configuring L2TP Calling Station ID Suppression
Prerequisites for Configuring L2TP Calling Station ID Suppression
Configuring Global L2TP Calling Station ID Suppression on the NAS
Configuring L2TP Calling Station ID Suppression for a VPDN Group on the NAS
Configuring L2TP Calling Station ID Suppression on the NAS Remote RADIUS Server
Configuration Examples for NAS-Initiated Dial-In VPDN Tunneling
Example: Configuring the NAS for Dial-In VPDNs
Example: Configuring the Tunnel Server for Dial-in VPDNs
Example: L2TP Calling Station ID Suppression with Local Authorization
Example: L2TP Calling Station ID Suppression with RADIUS Authorization
Feature Information for NAS-Initiated Dial-In VPDN Tunneling
Configuring NAS-Initiated Dial-In VPDN Tunneling
First Published: October 31, 2005Last Updated: November 25, 2009Network access server (NAS)-initiated dial-in tunneling provides secure tunneling of a PPP session from a NAS to a tunnel server without any special knowledge or interaction required from the client.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for NAS-Initiated Dial-In VPDN Tunneling" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Configuring NAS-Initiated Dial-In VPDN Tunneling
•
•
•
•
•
Prerequisites for Configuring NAS-Initiated Dial-In VPDN Tunneling
•
•
Restrictions for Configuring NAS-Initiated Dial-In VPDN Tunneling
•
Information About NAS-Initiated Dial-In VPDN Tunneling
•
•
NAS-Initiated Dial-in VPDN Tunneling
NAS-initiated dial-in VPDN tunneling is also known as compulsory tunneling. In NAS-initiated dial-in VPDN tunneling, the client dials in to the NAS through a medium that supports PPP. If the connection from the client to the Internet service provider (ISP) NAS is over a medium that is considered secure, such as DSL, ISDN, or the PSTN, the client might choose not to provide additional security. The PPP session is securely tunneled from the NAS to the tunnel server without any special knowledge or interaction required from the client. NAS-initiated dial-in VPDN tunnels use the Layer 2 Tunneling Protocol (L2TP).
A NAS-initiated dial-in tunneling scenario is shown in Figure 1.
Figure 1 NAS-Initiated Dial-In VPDN Scenario
L2TP Calling Station ID Suppression
In a NAS-initiated dial-in L2TP tunneling scenario, when the NAS connects to a tunnel server it transfers numerous attribute-value (AV) pairs as part of the session setup process. One of these AV pairs is L2TP AV pair 22, the Calling Number ID. The Calling Number ID AV pair includes the calling station ID of the originator of the session, which can be the phone number of the originator, the Logical Line ID (LLID) used to make the connection on the LAC, or the MAC address of the PC connecting to the network. This information can be considered sensitive in cases where the NAS and tunnel server are being managed by different entities. Depending on the security requirements of the NAS or end users, it might be desirable for the NAS to suppress part or all of the calling station ID.
Parts of the calling station ID can be masked, or the calling station ID can be removed completely. Calling station ID suppression can be configured globally on the NAS, for individual VPDN groups on the NAS, or on the remote RADIUS server if one is configured.
L2TP Failover
If a NAS fails to contact its peer during L2TP tunnel establishment, it can fail over to another configured tunnel server and attempt tunnel establishment with that device.
Failover can occur in these scenarios:
•
•
•
In both the StopCCN control message and the CDN control message, a Result Code AV pair is included, which indicates the reason for tunnel or session termination, respectively. This AV pair might also include an optional Error Code, which further describes the nature of the termination. The various Result Code and Error Code values have been standardized in RFC 2661. Failover will occur if the combination of Result Code and Error Code values as defined in Table 1 is received from the peer.
Table 1 Defined Result and Error Codes from RFC 2661
StopCCN, CDN
2: General error, see Error Code.
4: Insufficient resources to handle this operation now.
6: A generic vendor-specific error occurred.1
7: Try another.
9: Try another directed.
CDN
4: Temporary lack of resources.
—
1 For failover, this error code would be accompanied by a vendor-specific error AVP in the error message—in this case containing the Cisco vendor code (SMI_CISCO_ENTERPRISE_CODE) and a Cisco error code (L2TP_VENDOR_ERROR_SLIMIT).
When one of the three scenarios occurs, the router marks the peer IP address as busy for 60 seconds by default. During that time no attempt is made to establish a session or tunnel with the peer. The router selects an alternate peer to contact if one is configured. If a tunnel already exists to the alternate peer, new sessions are brought up in the existing tunnel. Otherwise, the router begins negotiations to establish a tunnel to the alternate peer.
How to Configure NAS-Initiated Dial-In VPDN Tunneling
In a NAS-initiated dial-in VPDN scenario, when a dial-in user requests contact with a remote network, the NAS must request the establishment of a VPDN tunnel to the tunnel server at the remote network. The tunnel server must be configured to accept the VPDN tunnels the NAS requests, and a virtual template interface must be established from which the tunnel server can clone a virtual access interface on demand.
•
•
•
•
•
Configuring the NAS to Request Dial-In VPDN Tunnels
The NAS must be configured to request tunnel establishment with the remote tunnel server. Perform this task on the NAS to configure a VPDN request dial-in subgroup and the IP address of the tunnel server that will be the other endpoint of the VPDN tunnel.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
or
dnis {dnis-number | dnis-group-name}8.
9.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
Router(config)# vpdn-group 1
Creates a VPDN group and enters VPDN group configuration mode.
Step 4
Router(config-vpdn)# description myvpdngroup
(Optional) Adds a description to a VPDN group.
Step 5
request-dialin
Example:Router(config-vpdn)# request-dialinConfigures a NAS to request the establishment of an L2F or L2TP tunnel to a tunnel server, creates a request-dialin VPDN subgroup, and enters VPDN request dial-in subgroup configuration mode.
Step 6
protocol l2tp
Example:Router(config-vpdn-req-in)# protocol l2tp
Specifies the Layer 2 protocol that the VPDN group will use.
Step 7
domain domain-name
or
dnis {dnis-number | dnis-group-name}
Example:Router(config-vpdn-req-in)# domain example.comor
Router(config-vpdn-req-in)# dnis 5687
Requests that PPP calls from a specific domain name be tunneled.
or
Requests that PPP calls from a specific Dialed Number Identification Service (DNIS) number or DNIS group be tunneled.
Step 8
exit
Example:Router(config-vpdn-req-in)# exit
Exits to VPDN group configuration mode.
Step 9
initiate-to ip ip-address [limit limit-number] [priority priority-number]
Example:Router(config-vpdn)# initiate-to ip 10.1.1.1 limit 12Specifies an IP address that will be used for Layer 2 tunneling.
•
•
Note
•
What to Do Next
You must perform the task in the "Configuring the Tunnel Server to Accept Dial-In VPDN Tunnels" section.
Configuring the Tunnel Server to Accept Dial-In VPDN Tunnels
The tunnel server must be configured to accept tunnel requests from the remote NAS. Perform this task on the tunnel server to create a VPDN accept dial-in subgroup and to configure the tunnel server to accept tunnels from the NAS that will be the other endpoint of the VPDN tunnel. To configure the tunnel server to accept tunnels from multiple NASs, you must perform this task for each NAS.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
What to Do Next
You must perform the task in the "Configuring the Virtual Template on the Tunnel Server" section.
Configuring the Virtual Template on the Tunnel Server
When a request to establish a tunnel is received by the tunnel server, the tunnel server must create a virtual access interface. The virtual access interface is cloned from a virtual template interface, used, and then freed when no longer needed. The virtual template interface is a logical entity that is not tied to any physical interface. Perform this task on the tunnel server to configure a basic virtual template.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPSWhat to Do Next
•
•
Verifying a NAS-Initiated VPDN Configuration
•
•
Verifying and Troubleshooting Tunnel Establishment Between the NAS and the Tunnel Server
Perform this task to verify that a tunnel between the NAS and the tunnel server has been established, and to troubleshoot problems with tunnel establishment.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Step 1
Enter this command to enable privileged EXEC mode. Enter your password if prompted:
Router> enableStep 2
Enter this command to display details about all active VPDN tunnels. This example shows an example of "No active L2TP tunnels":
Router# show vpdn tunnel all% No active L2TP tunnels...If no active tunnels have been established with the NAS, proceed with the following steps to troubleshoot the problem.
Step 3
Enter this command to ping the NAS. The following output shows the result of a successful ping from the tunnel server to the NAS:
Router# ping 172.22.66.25Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 172.30.2.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 128/132/152 msIf the tunnel server is unable to ping the NAS, there might be a problem with the routing path between the devices, or the NAS might not be functional.
Step 4
Enter the debug vpdn event command to display the VPDN events that occur during tunnel establishment. The following output from the tunnel server shows normal VPDN tunnel establishment for an L2TP tunnel:
Router# debug vpdn event20:19:17: L2TP: I SCCRQ from ts1 tnl 820:19:17: L2X: Never heard of ts120:19:17: Tnl 7 L2TP: New tunnel created for remote ts1, address 172.21.9.420:19:17: Tnl 7 L2TP: Got a challenge in SCCRQ, ts120:19:17: Tnl 7 L2TP: Tunnel state change from idle to wait-ctl-reply20:19:17: Tnl 7 L2TP: Got a Challenge Response in SCCCN from ts120:19:17: Tnl 7 L2TP: Tunnel Authentication success20:19:17: Tnl 7 L2TP: Tunnel state change from wait-ctl-reply to established20:19:17: Tnl 7 L2TP: SM State established20:19:17: Tnl/Cl 7/1 L2TP: Session FS enabled20:19:17: Tnl/Cl 7/1 L2TP: Session state change from idle to wait-for-tunnel20:19:17: Tnl/Cl 7/1 L2TP: New session created20:19:17: Tnl/Cl 7/1 L2TP: O ICRP to ts1 8/120:19:17: Tnl/Cl 7/1 L2TP: Session state change from wait-for-tunnel to wait-connect20:19:17: Tnl/Cl 7/1 L2TP: Session state change from wait-connect to established20:19:17: Vi1 VPDN: Virtual interface created for user1@cisco.com20:19:17: Vi1 VPDN: Set to Async interface20:19:17: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking20:19:18: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up20:19:18: Vi1 VPDN: Bind interface direction=220:19:18: Vi1 VPDN: PPP LCP accepting rcv CONFACK20:19:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to upStep 5
Enter this command to display error messages that are generated during tunnel establishment. The following output from the NAS shows an authentication failure during tunnel establishment.
Router# debug vpdn errors%LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to down%LINK-5-CHANGED: Interface Async1, changed state to reset%LINK-3-UPDOWN: Interface Async1, changed state to down%LINK-3-UPDOWN: Interface Async1, changed state to up%LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to upVPDN tunnel management packet failed to authenticateVPDN tunnel management packet failed to authenticateIf an authentication failure occurs, verify that both the NAS and the tunnel server are configured with the same secret password. You can also perform tasks to verify L2TP tunnel establishment, PPP negotiations, and authentication with the remote client as described i the n Configuring AAA for VPDNs module.
Verifying the Connection Between the Client and the NAS
Perform this task to verify the connection between the dial-in client and the NAS.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Step 1
Ensure that the client PC is able to connect to the NAS by establishing a dial-in connection. As the call comes into the NAS, a LINK-3-UPDOWN message automatically appears on the NAS terminal screen. In the following example, the call comes into the NAS on asynchronous interface 14:
*Jan 1 21:22:18.410: %LINK-3-UPDOWN: Interface Async14, changed state to up
Note
If this message is not displayed by the NAS, there is a problem with the dial-in configuration.
Step 2
Enter this command to enable privileged EXEC mode. Enter your password if prompted:
Router> enableStep 3
Enter this command on the tunnel server to verify that the client received an IP address. The following example shows that user3 is using IP address 10.0.0.1.
Router# show caller user user3@cisco.comUser: user3@cisco.com, line Vi2.502, service PPPoVPDNConnected for 1d10hTimeouts: Limit Remaining Timer Type- - -PPP: LCP Open, CHAP (<-), IPCPIP: Local 10.0.0.1, remote 172.16.2.247Counts: 2052 packets input, 32826 bytes2053 packets output, 106742 bytesIf an incorrect IP address or no IP address is displayed, there is a problem with IP addresses assignment. Verify the configuration of the peer default ip address command in the virtual template on the tunnel server.
Step 4
Enter this command to verify that the interface is up, that LCP is open, and that no errors are reported. The following output shows a functional interface:
Router# show interfaces virtual-access 2.502Virtual-Access2.502 is up, line protocol is upHardware is Virtual Access interfaceInterface is unnumbered. Using address of Loopback1001 (60.0.0.1)MTU 1454 bytes, BW 2000000 Kbit, DLY 100000 usec,reliability 255/255, txload 1/255, rxload 5/255Encapsulation PPP, LCP OpenOpen: IPCPPPPoVPDN vaccess, cloned from Virtual-Template1Vaccess status 0x0Protocol l2tp, tunnel id 30485, session id 55909Keepalive set (60 sec)2056 packets input, 32890 bytes2057 packets output, 106950 bytesLast clearing of ''show interface'' counters neverThe virtual access interface is up and the line protocol is up, showing that virtual interface establishment was successful.
Step 5
Enter this command on the tunnel server to verify that there are active VPDN sessions. This example shows output from a tunnel server with several active tunnels.
Router# show vpdn sessionL2TP Session Information Total tunnels 4000 sessions 15960LocID RemID TunID Username, Intf/ State Last Chg Uniq IDVcid, Circuit43202 40336 22 user@ci..., Vi2.9171 est 1d10h 918434090 31996 22 user@ci..., Vi2.1734 est 1d10h 17351217 42591 22 user@ci..., Vi2.9312 est 1d10h 93256737 22325 22 user@ci..., Vi2.1729 est 1d10h 173059420 17035 34 user@ci..., Vi2.9338 est 1d10h 935145069 60982 34 user@ci..., Vi2.1645 est 1d10h 164627825 44751 34 user@ci..., Vi2.1653 est 1d10h 165424600 7627 34 user@ci..., Vi2.9096 est 1d10h 910913018 65037 43 user@ci..., Vi2.8166 est 1d10h 817943090 34448 43 user@ci..., Vi2.8176 est 1d10h 818931798 41505 43 user@c..., Vi2.15752 est 1d10h 1576556832 64322 43 user@c..., Vi2.15655 est 1d10h 1566853944 25409 48 user@c..., Vi2.14115 est 1d10h 1412816215 52915 48 user@c..., Vi2.14134 est 1d10h 1414717332 14000 48 user@ci..., Vi2.6630 est 1d10h 664312466 54817 48 user@ci..., Vi2.6622 est 1d10h 663528290 37822 50 user@ci..., Vi2.5094 est 1d10h 1590544839 30137 50 user@c..., Vi2.15875 est 1d10h 15888If there is no session established for the client, perform the troubleshooting steps in the "Verifying and Troubleshooting Tunnel Establishment Between the NAS and the Tunnel Server" section.
Configuring L2TP Calling Station ID Suppression
Calling station ID suppression can be configured globally on the NAS, for individual VPDN groups on the NAS, or on the remote RADIUS server if one is configured.
The order of precedence for L2TP calling station ID suppression configurations is as follows:
•
•
•
Perform one or more of the following tasks to configure L2TP calling station ID suppression:
•
•
•
Prerequisites for Configuring L2TP Calling Station ID Suppression
•
•
•
Configuring Global L2TP Calling Station ID Suppression on the NAS
The calling station ID information included in L2TP AV pair 22 can be removed or masked for every L2TP session established on the router if you configure L2TP calling station ID suppression globally. This configuration is compatible with either local or remote authorization.
Perform this task on the NAS to configure global L2TP calling station ID suppression.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Configuring L2TP Calling Station ID Suppression for a VPDN Group on the NAS
The calling station ID information included in L2TP AV pair 22 can be removed or masked for calls associated with a specific VPDN group. This configuration is compatible with local authorization configurations.
Perform this task on the NAS to configure L2TP calling station ID suppression for calls associated with a particular VPDN group when using local authorization.
Prerequisites
You must configure the NAS and the tunnel server for local authorization as described i the n Configuring AAA for VPDNs module.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring L2TP Calling Station ID Suppression on the NAS Remote RADIUS Server
L2TP calling station ID suppression can be configured directly on the NAS, or in the RADIUS user profile. Configuring L2TP calling station ID suppression in the RADIUS user profile allows the configuration to be propagated to multiple NASs without having to configure each one.
Perform this task on the RADIUS server to configure a user profile that will allow the RADIUS server to instruct NASs to remove or mask the L2TP calling station ID.
Prerequisites
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPSConfiguration Examples for NAS-Initiated Dial-In VPDN Tunneling
•
•
•
•
Example: Configuring the NAS for Dial-In VPDNs
The following example configures a NAS named ISP-NAS to tunnel PPP calls to a tunnel server named ENT-TS using L2TP and local authentication and authorization:
! Enable AAA authentication and authorization with RADIUS as the default methodaaa new-modelaaa authentication ppp default radiusaaa authorization network default radius!! Configure the VPDN tunnel authentication password using the local nameusername ISP-NAS password 7 tunnelmeusername ENT-TS password 7 tunnelme!vpdn enable!! Configure VPN to first search on the client domain name and then on the DNISvpdn search-order domain dnis!! Allow a maximum of 10 simultaneous VPDN sessionsvpdn session-limit 10!! Configure the NAS to initiate VPDN dial-in sessions to the tunnel servervpdn-group 1request-dialinprotocol l2tpdomain cisco.com!initiate-to ip 172.22.66.25local name ISP-NAS!! Specifies the RADIUS server IP address, authorization port, and accounting portradius-server host 172.22.66.16 auth-port 1645 acct-port 1646!! Specifies the authentication key to be used with the RADIUS serverradius-server key cisco!Example: Configuring the Tunnel Server for Dial-in VPDNs
The following example show a tunnel server named ENT-TS configured to accept L2TP tunnels from a NAS named ISP-NAS using local authentication and authorization:
! Configure AAA to first use the local database and then contact the RADIUS server for ! PPP authenticationaaa new-modelaaa authentication ppp default local radius!! Configure AAA network authorization and accounting by using the RADIUS serveraaa authorization network default radiusaaa accounting network default start-stop radius!! Configure the VPDN tunnel authentication password using the local nameusername ISP-NAS password 7 tunnelmeusername ENT-TS password 7 tunnelme!vpdn enable!! Configure the tunnel server to accept dial-in sessions from the NASvpdn-group 1accept-dialinprotocol l2tpvirtual-template 1!terminate-from hostname ISP-NASlocal name ENT-TSforce-local-chap!! Configure the virtual templateinterface Virtual-Template1gigabitethernet0/0/0ppp authentication chappeer default ip address pool defaultencapsulation ppp!! Specifies the RADIUS server IP address, authorization port, and accounting portradius-server host 172.22.66.13 auth-port 1645 acct-port 1646!! Specifies the authentication key to be used with the RADIUS serverradius-server key ciscoExample: L2TP Calling Station ID Suppression with Local Authorization
The following example configures a NAS for PPP over Gigabit Ethernet over virtual LAN (PPPoEoVLAN). The NAS obtains a calling station ID from LLID NAS port preauthorization through RADIUS. The calling station ID will be removed from AV pair 22 for tunnels associated with the VPDN group named L2TP if the string #184 is included in the username.
For more information about configuring PPPoE and its options, see the PPPoE part of the Cisco IOS XE Broadband Access Aggregation and DSL Configuration Guide.
hostname LAC!enable secret 5 $1$8qtb$MHcYeW2kn8VNYgz932eXl.enable password lab!aaa new-model!aaa group server radius LLID-Radiusserver 192.168.1.5 auth-port 1645 acct-port 1646!aaa group server radius LAC-Radiusserver 192.168.1.6 auth-port 1645 acct-port 1646!aaa authentication ppp default localaaa authorization network default localaaa authorization network LLID group LLID-Radiusaaa accounting network default start-stop group LAC-Radiusaaa nas port extendedaaa session-id common!ip subnet-zeroip cefno ip domain lookup!vpdn enablevpdn search-order domain!vpdn-group L2TPrequest-dialinprotocol l2tpdomain cisco.comdomain cisco.com#184!initiate-to ip 192.168.1.4local name testl2tp tunnel password 0 ciscol2tp attribute clid mask-method remove match #184!bba-group ppoe 2virtual-template 1nas-port format d 2/2/4!subscriber access pppoe pre-authorize nas-port-id LLID send username!interface Loopback0no ip address!interface Loopback1ip address 10.1.1.1 255.255.255.0!interface gigabitethernet0/0/0ip address 192.168.1.3 255.255.255.0no cdp enable!interface gigabitethernet0/0/0.20encapsulation dot1Q 1024no snmp trap link-statusppoe enable group 2pppoe max-sessions 200no cdp enable!interface gigabitethernet1/0/0ip address 10.1.1.10 255.255.255.0no cdp enable!interface Serial2/0/0no ip addressshutdownserial restart-delay 0!interface Serial3/0/0no ip addressshutdownserial restart-delay 0!interface Virtual-Template1ip unnumbered gigabitethernet1/0/0ip mroute-cacheno peer default ip addressppp authentication pap!ip classlessip route 0.0.0.0 0.0.0.0 gigabitethernet0/0/0ip route 10.0.0.0 255.0.0.0 gigabitethernet1/0/0!no ip http server!radius-server attribute 69 clearradius-server host 192.168.1.5 auth-port 1645 acct-port 1646radius-server host 192.168.1.6 auth-port 1645 acct-port 1646radius-server domain-stripping delimiter #radius-server key ciscoradius-server vsa send accountingradius-server vsa send authentication!control-plane!line con 0exec-timeout 0 0line aux 0line vty 0 4password labExample: L2TP Calling Station ID Suppression with RADIUS Authorization
The following example configures a NAS for PPPoEoVLAN. The NAS obtains a calling station ID from LLID NAS port preauthorization through RADIUS. The RADIUS user profile specifies that the calling station ID should be masked by replacing the rightmost six characters with the character X.
For more information about configuring PPPoE and its options, see the PPPoE part of the Cisco IOS XE Broadband Access Aggregation and DSL Configuration Guide.
NAS Configuration
hostname LAC!enable secret 5 $1$8qtb$MHcYeW2kn8VNYgz932eXl.enable password lab!aaa new-model!aaa group server radius LLID-Radiusserver 192.168.1.5 auth-port 1645 acct-port 1646!aaa group server radius LAC-Radiusserver 192.168.1.6 auth-port 1645 acct-port 1646!aaa authentication ppp default localaaa authorization network default group LAC-Radiusaaa authorization network LLID group LLID-Radiusaaa accounting network default start-stop group LAC-Radiusaaa nas port extendedaaa session-id common!ip subnet-zeroip cefno ip domain lookup!vpdn enablevpdn search-order domain!bba-group ppoe 2virtual-template 1nas-port format d 2/2/4!subscriber access pppoe pre-authorize nas-port-id LLID send username!interface Loopback0no ip address!interface Loopback1ip address 10.1.1.1 255.255.255.0!interface gigabitethernet0/0/0ip address 192.168.1.3 255.255.255.0no cdp enable!interface gigabitethernet0/0/0.20encapsulation dot1Q 1024no snmp trap link-statuspppoe enable group 2pppoe max-sessions 200no cdp enable!interface gigabitethernet1/0/0ip address 10.1.1.10 255.255.255.0no cdp enable!interface Serial2/0/0no ip addressshutdownserial restart-delay 0!interface Serial3/0/0no ip addressshutdownserial restart-delay 0!interface Virtual-Template1ip unnumbered gigabitethernet1/0/0ip mroute-cacheno peer default ip addressppp authentication pap!ip classlessip route 0.0.0.0 0.0.0.0 gigabitethernet0/0/0ip route 10.0.0.0 255.0.0.0 gigabitethernet1/0/0!no ip http server!radius-server attribute 69 clearradius-server host 192.168.1.5 auth-port 1645 acct-port 1646radius-server host 192.168.1.6 auth-port 1645 acct-port 1646radius-server domain-stripping delimiter #radius-server key ciscoradius-server vsa send accountingradius-server vsa send authentication!control-plane!line con 0exec-timeout 0 0line aux 0line vty 0 4password labRADIUS User Profile Configuration
Cisco-Avpair = vpdn:l2tp-tunnel-password=ciscoCisco-Avpair = vpdn:tunnel-type=l2tpCisco-Avpair = vpdn:tunnel-id=testCisco-Avpair = vpdn:ip-address=192.168.1.4Cisco-Avpair = vpdn:l2tp-clid-mask-method=right:X:6Where to Go Next
You can perform any of the relevant optional tasks in the Configuring Additional VPDN Features and in the VPDN Tunnel Management modules.
Additional References
Related Documents
Cisco IOS commands
VPDN commands
VPDN technology overview
Technical support documentation for L2TP
Technical support documentation for VPDNs
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
Technical Assistance
Feature Information for NAS-Initiated Dial-In VPDN Tunneling
Table 2 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 2 Feature Information for NAS-Initiated Dial-In VPDN Tunneling
L2TP Calling Station ID Suppression
Cisco IOS XE Release 2.1
This feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers.
This feature allows the NAS to suppress part or all of the calling station ID from the NAS in the L2TP AV pair 22, the Calling Number ID. Calling station ID suppression can be configured globally on the router, for individual VPDN groups on the router, or on the remote RADIUS server if one is configured.
The following sections provide information about this feature:
•
•
The following commands were introduced by this feature: l2tp attribute clid mask-method, vpdn l2tp attribute clid mask-method.
L2TP Extended Failover
Cisco IOS XE Release 2.1
This feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers.
This feature extends L2TP failover to occur if, during tunnel establishment, a router receives a StopCCN message from its peer, or during session establishment a router receives a CDN message from its peer. In either case, the router selects an alternate peer to contact.
The following provides information about this feature:
No commands were introduced or modified by this feature.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2005-2010 Cisco Systems, Inc. All rights reserved.
