Table Of Contents
Client-Initiated Dial-In VPDN Tunneling
NAS-Initiated Dial-In VPDN Tunneling
VPDN Group Configuration Modes
Feature Information for VPDN Technology Overview
VPDN Technology Overview
First Published: September 26, 2005Last Updated: November 25, 2009Virtual private dialup networks (VPDNs) securely carry private data over a public network, allowing remote users to access a private network over a shared infrastructure such as the Internet. VPDNs maintain the same security and management policies as a private network, while providing a cost-effective method for point-to-point connections between remote users and a central network.
Finding Feature Information
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for VPDN Technology Overview" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Feature Information for VPDN Technology Overview
Information About VPDNs
To implement a VPDN deployment, you should understand the following concepts:
•
Overview of VPDN Technology
VPDNs extend private network dial-in services to remote users. VPDNs use Layer 2 tunneling technologies to create virtual point-to-point connections between remote clients and a private network. VPDNs maintain the same security and management policies as a private network, while providing a cost-effective method for point-to-point connections between remote users and a central network.
Instead of connecting directly to the remote private network, VPDN users connect to a nearby access server, which is often located at an Internet service provider (ISP) local point of presence (POP). Data is securely forwarded from the access server to the private network over the Internet, providing a cost-effective method of communication between remote clients and the private network.
A benefit of VPDNs is the way they delegate responsibilities for the network. The customer can outsource responsibility for the information technology (IT) infrastructure to an ISP that maintains the modems that the remote users dial in to, the access servers, and the internetworking expertise. The customer is then responsible only for authenticating users and maintaining the private network.
Figure 1 shows a basic VPDN network deployment.
Figure 1 Basic VPDN Network Deployment
A PPP client dials in to an ISP access server, called the Network Access Server (NAS). The NAS determines that it should forward that PPP session on to the router or access server that serves as the point of contact for the private network, the tunnel server. The tunnel server authenticates the user and initiates PPP negotiations. Once PPP setup is complete, all frames that are sent between the client and the tunnel server pass through the NAS.
VPDNs on the Cisco ASR 1000 Series Aggregation Services Routers can use only the Layer 2 Tunneling Protocol (L2TP) to tunnel link-level frames. Using L2TP, a tunnel is established between the NAS or client and the tunnel server, providing secure data transport over a shared infrastructure such as the Internet.
VPDN Terminology
This section defines the terminology used to describe the following VPDN components:
VPDN Hardware Devices
Generally three devices are involved in VPDN tunneling. Two of these devices function as tunnel endpoints—one device initiates the VPDN tunnel, and the other device terminates the VPDN tunnel. Depending on the tunneling architecture, different types of devices may act as the local tunnel endpoint.
As new tunneling protocols have been developed for VPDNs, protocol-specific terminology has been created to describe some of the devices that participate in VPDN tunneling. However, these devices perform the same basic functions no matter what tunneling protocol is being used. For the sake of clarity we will use the following generic terminology to refer to VPDN devices throughout this documentation:
•
•
Note
Depending on the tunneling architecture, the NAS will function as follows:
–
–
•
•
Although technically a tunnel switch is a tunnel endpoint for both the incoming tunnel and the outgoing tunnel, for the sake of simplicity the tunnel endpoints in a multihop deployment are considered to be the device that initiates the first tunnel and the device that terminates the final tunnel of the multihop path.
Table 1 lists the generic terms and the corresponding technology-specific terms that are sometimes used to describe the NAS and the tunnel server.
Note
VPDN Tunnels
A VPDN tunnel exists between the two tunnel endpoints. The tunnel consists of a control connection and zero or more Layer 2 sessions. The tunnel carries encapsulated PPP datagrams and control messages between the tunnel endpoints. Multiple VPDN sessions can use the same VPDN tunnel.
VPDN Sessions
A VPDN session is created between the tunnel endpoints when an end-to-end PPP connection is established between a client and the tunnel server. Datagrams related to the PPP connection are sent over the tunnel. There is a one-to-one relationship between an established session and the associated call. Multiple VPDN sessions can use the same VPDN tunnel.
VPDN Architectures
This section contains information on the following VPDN tunneling architectures:
•
•
•
Client-Initiated Dial-In VPDN Tunneling
Client-initiated dial-in VPDN tunneling is also known as voluntary tunneling. In a client-initiated dial-in VPDN tunneling scenario, the client device initiates a Layer 2 tunnel to the tunnel server, and the NAS does not participate in tunnel negotiation or establishment. In this scenario the NAS is not a tunnel endpoint, it simply provides Internet connectivity. The client device must be configured to initiate the tunnel.
The main advantage of client-initiated VPDN tunneling is that it secures the connection between the client and the ISP NAS. However, client-initiated VPDNs are not as scalable and are more complex than NAS-initiated VPDNs.
Client-initiated VPDN tunneling can use the L2TP protocol if the client device is a Cisco ASR 1000 Series Router. If the client device is a PC, only the PPTP protocol is supported.
Figure 2 shows a client-initiated VPDN tunneling scenario.
Figure 2 Client-Initiated Dial-In VPDN Scenario
Before configuring a client-initiated dial-in VPDN tunneling deployment, you must complete the required tasks in Configuring AAA for VPDNs.
NAS-Initiated Dial-In VPDN Tunneling
NAS-initiated dial-in VPDN tunneling is also known as compulsory tunneling. In a NAS-initiated dial-in VPDN tunneling scenario, the client dials in to the NAS through a medium that supports PPP. If the connection from the client to the ISP NAS is over a medium that is considered secure, such as digital subscriber line (DSL), ISDN, or the public switched telephone network (PSTN), the client may choose not to provide additional security. The PPP session is securely tunneled from the NAS to the tunnel server without any special knowledge or interaction required from the client.
NAS-initiated VPDN tunneling can be configured with the L2TP protocol.
Figure 3 shows a NAS-initiated dial-in tunneling scenario.
Figure 3 NAS-Initiated Dial-In VPDN Scenario
For further information about NAS-initiated tunneling deployments, see Configuring NAS-Initiated Dial-In VPDN Tunneling.
Before configuring a NAS-initiated dial-in VPDN tunneling deployment, you must complete the required tasks in Configuring AAA for VPDNs.
Multihop VPDN Tunneling
Multihop VPDN is a specialized VPDN configuration that allows packets to pass through multiple tunnels. Ordinarily, packets are not allowed to pass through more than one tunnel. In a multihop tunneling deployment, the VPDN tunnel is terminated after each hop and a new tunnel is initiated to the next hop destination. A maximum of four hops is supported on the Cisco ASR 1000 Series Routers.
Multihop VPDN is required for the scenarios described in the following sections:
•
VPDN Tunneling to an MMP Stack Group
Multihop VPDN is required when the private network uses Multichassis Multilink PPP (MMP) with multiple tunnel servers in a stack group. Stack group configurations require the ability to establish Layer 2 tunnels between participating hardware devices. If the incoming data is delivered to the stack group over a VPDN tunnel, multihop VPDN is required for the stack group to function.
Multihop VPDN tunneling with MMP can be configured using the L2TP protocol.
Figure 4 shows a network scenario using a multihop VPDN with a MMP deployment.
Figure 4 MMP Using Multihop VPDN
For further information about configuring multihop VPDN for MMP deployments, see Configuring Multihop VPDN.
Before configuring a multihop VPDN for MMP deployment, you must configure MMP and you must complete the required tasks in Configuring AAA for VPDNs.
Tunnel Switching VPDNs
Multihop VPDN can be used to configure a router as a tunnel switch. A tunnel switch is a device that is configured as both a NAS and a tunnel server. A tunnel switch is able to receive packets from an incoming VPDN tunnel and send them out over an outgoing VPDN tunnel. Tunnel switch configurations can be used between ISPs to provide wholesale VPDN services.
Multihop tunnel switching can be configured using the L2TP protocol.
Figure 5 shows a network scenario using a tunnel switching deployment.
Figure 5 Tunnel Switching Using Multihop VPDN
For further information about multihop tunnel switching deployments, see Configuring Multihop VPDN.
Before configuring a multihop tunnel switching deployment, you must complete the required tasks in Configuring AAA for VPDNs.
VPDN Tunneling Protocols
VPDNs use Layer 2 protocols to tunnel the link layer of high-level protocols (for example, PPP frames or asynchronous High-Level Data Link Control (HDLC)). ISPs configure their NAS to receive calls from users and to forward the calls to the customer tunnel server.
Usually, the ISP maintains only information about the customer tunnel server. The customer maintains the users' IP addresses, routing, and other user database functions. Administration between the ISP and the tunnel server is reduced to IP connectivity.
This section contains information on L2TP, which is the only protocol that can be used for VPDN tunneling on the Cisco ASR 1000 Series Routers.
L2TP
L2TP is an Internet Engineering Task Force (IETF) standard that combines the best features of the two older tunneling protocols: Cisco L2F and Microsoft PPTP.
L2TP offers the same full-range spectrum of features as L2F, but offers additional functionality. An L2TP-capable tunnel server will work with an existing L2F NAS and will concurrently support upgraded components running L2TP. Tunnel servers do not require reconfiguration each time an individual NAS is upgraded from L2F to L2TP. Table 2 compares L2F and L2TP feature components.
Traditional dialup networking services support only registered IP addresses, which limits the types of applications that are implemented over VPDNs. L2TP supports multiple protocols and unregistered and privately administered IP addresses. This allows the existing access infrastructure—such as the Internet, modems, access servers, and ISDN terminal adapters (TAs)—to be used. It also allows customers to outsource dial-out support, thus reducing overhead for hardware maintenance costs and 800 number fees, and allows them to concentrate corporate gateway resources.
Figure 6 shows the basic L2TP architecture in a typical dial-in environment.
Figure 6 L2TP Architecture
Using L2TP tunneling, an ISP or other access service can create a virtual tunnel to link remote sites or remote users with corporate home networks. The NAS located at the POP of the ISP exchanges PPP messages with remote users and communicates by way of L2TP requests and responses with the private network tunnel server to set up tunnels. L2TP passes protocol-level packets through the virtual tunnel between endpoints of a point-to-point connection. Frames from remote users are accepted by the ISP NAS, stripped of any linked framing or transparency bytes, encapsulated in L2TP, and forwarded over the appropriate tunnel. The private network tunnel server accepts these L2TP frames, strips the L2TP encapsulation, and processes the incoming frames for the appropriate interface.
Figure 7 depicts the events that occur during establishment of a NAS-initiated dial-in L2TP connection.
Figure 7 L2TP Protocol Negotiation Events
The following describes the sequence of events shown in Figure 7 and is keyed to the figure:
1.
2.
3.
4.
5.
6.
7.
VPDN Group Configuration Modes
Many VPDN configuration tasks are performed within a VPDN group. A VPDN group can be configured to function either as a NAS VPDN group or as a tunnel server VPDN group, but not as both. However, an individual router may be configured with both a NAS VPDN group and a tunnel server VPDN group.
You can configure a VPDN group as a specific type of VPDN group by issuing at least one of the commands listed in Table 3:
Many of the commands required to properly configure VPDN tunneling are issued in one of the VPDN subgroup configuration modes shown in Table 3. Removing the VPDN subgroup command configuration will remove all subordinate VPDN subgroup configuration commands as well.
Where to Go Next
Once you have identified the VPDN architecture you want to configure and the tunneling protocol you will use, you should perform the required tasks in Configuring AAA for VPDNs.
Additional References
The following sections provide references related to the VPDN technology overview.
Related Documents
Cisco IOS commands
Technical support documentation for L2TP
Technical support documentation for VPDNs
Additional information about commands used in this document
•
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
Technical Assistance
Feature Information for VPDN Technology Overview
Table 4 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 4 Feature Information for VPDN Technology Overview
L2TP Layer 2 Tunneling Protocol
Cisco IOS XE Release 2.1
This feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers.
VPDNs use Layer 2 protocols to tunnel the link layer of high-level protocols (for example, PPP frames or asynchronous HDLC). L2TP is an IETF standard that combines the best features of the two older tunneling protocols: Cisco L2F and Microsoft PPTP.
The following section provides information about this feature:
•
No commands were introduced or modified by this feature.
Virtual Private Dial-up Network (VPDN)
Cisco IOS XE Release 2.1
This feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers.
VPDNs securely carry private data over a public network, allowing remote users to access a private network over a shared infrastructure such as the Internet. VPDNs maintain the same security and management policies as a private network, while providing a cost-effective method for point-to-point connections between remote users and a central network.
The following section provides information about this feature:
•
No commands were introduced or modified by this feature.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2005-2009 Cisco Systems, Inc. All rights reserved.
