Table Of Contents
pptp flow-control receive-window
radius-server attribute 87 circuit-id
radius-server attribute 31 remote-id
set variable (control policy-map class)
show interfaces virtual-access
snmp-server enable traps vpdn dead-cache
substitute (control policy-map class)
multihop-hostname
To enable a tunnel switch to initiate a tunnel based on the hostname or tunnel ID associated with an ingress tunnel, use the multihop-hostname command in VPDN request-dialin subgroup configuration mode. To disable this option, use the no form of this command.
multihop-hostname ingress-tunnel-name
no multihop-hostname ingress-tunnel-name
Syntax Description
Command Default
No multihop hostname is configured.
Command Modes
VPDN request-dialin subgroup configuration
Command History
Usage Guidelines
Use the multihop-hostname command only on a device configured as a tunnel switch.
The ingress-tunnel-name argument must specify either the hostname of the device initiating the tunnel that is to be to be switched, or the tunnel ID of the ingress tunnel that is to be switched.
Removing the request-dialin subgroup configuration will remove the multihop-hostname configuration.
Examples
The following example configures a Layer 2 Tunnel Protocol (L2TP) virtual private dialup network (VPDN) group on a tunnel switch to forward ingress sessions from the host named LAC-1 through an outgoing tunnel to IP address 10.3.3.3:
vpdn-group 11request-dialinprotocol l2tpmultihop-hostname LAC-1initiate-to ip 10.3.3.3local name tunnel-switchRelated Commands
pool-member
To assign a request-dialout virtual private dialup network (VPDN) subgroup to a dialer pool, use the pool-member command in VPDN request-dialout configuration mode. To remove the request-dialout VPDN subgroup from a dialer pool, use the no form of this command.
pool-member pool-number
no pool-member [pool-number]
Syntax Description
Defaults
Command is disabled.
Command Modes
VPDN request-dialout configuration
Command History
Usage Guidelines
Before you can enable the pool-member command, you must first enable the protocol l2tp command on the request-dialout VPDN subgroup. Removing the protocol l2tp command will remove the pool-member command from the request-dialout VPDN subgroup.
You can only configure one dialer profile pool (using the pool-member command) or dialer rotary group (using the rotary-group command). If you attempt to configure a second dialer resource, you will replace the first dialer resource in the configuration.
Examples
The following example configures VPDN group 1 to request L2TP dial-out to IP address 172.16.4.6 using dialer profile pool 1 and identifying itself using the local name "user1."
vpdn-group 1request-dialoutprotocol l2tppool-member 1initiate-to ip 172.16.4.6local name user1Related Commands
pptp flow-control receive-window
To specify how many packets the Point-to-Point Tunnel Protocol (PPTP) client can send before it must wait for acknowledgment from the tunnel server, use the pptp flow-control receive-window command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
pptp flow-control receive-window packets
no pptp flow-control receive-window
Syntax Description
packets
Number of packets the client can send before it has to wait for acknowledgment from the tunnel server. Valid values range from 1 to 64 packets. The default value is 16 packets.
Command Default
The PPTP client may send up to 16 packets before it must wait for acknowledgment.
Command Modes
VPDN group configuration
VPDN template configurationCommand History
12.0(5)XE5
This command was introduced
12.1(5)T
This command was integrated into Cisco IOS Release 12.1(5)T.
Examples
The following example shows how to fine-tune PPTP by specifying that a client associated with the virtual private dialup network (VPDN) group named group1 can send 20 packets before it must wait for acknowledgment from the tunnel server:
vpdn-group group1accept-dialinprotocol pptpvirtual-template 1!pptp flow-control receive-window 20Related Commands
pptp flow-control static-rtt
To specify the timeout interval of the Point-to-Point Tunnel Protocol (PPTP) tunnel server between sending a packet to the client and receiving a response, use the pptp flow-control static-rtt command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
pptp flow-control static-rtt seconds
no pptp flow-control static-rtt
Syntax Description
Command Default
The tunnel server will wait 1500 ms for a response before timing out.
Command Modes
VPDN group configuration
VPDN template configurationCommand History
12.0(5)XE5
This command was introduced.
12.1(5)T
This command was integrated into Cisco IOS Release 12.1(5)T.
Usage Guidelines
If the session times out, the tunnel server does not retry or resend the packet. Instead the flow control alarm is set off, and stateful mode is automatically switched to stateless.
Examples
The following example shows how to fine-tune PPTP by increasing the timeout interval for tunnels associated with the virtual private dialup network (VPDN) group named group1 on the tunnel server to 2000 ms:
vpdn-group group1accept-dialinprotocol pptpvirtual-template 1!pptp flow-control static-rtt 2000Related Commands
pptp tunnel echo
To specify the period of idle time on the Point-to-Point Tunnel Protocol (PPTP) tunnel that will trigger an echo message from the tunnel server to the client, use the pptp tunnel echo command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
pptp tunnel echo seconds
no pptp tunnel echo
Syntax Description
seconds
Echo packet interval, in seconds. Valid values range from 0 to 1000. The default value is 60.
Command Default
The tunnel server will send an echo message after a 60-second idle interval.
Command Modes
VPDN group configuration
VPDN template configurationCommand History
12.0(5)XE5
This command was introduced.
12.1(5)T
This command was integrated into Cisco IOS Release 12.1(5)T.
Usage Guidelines
Use the pptp tunnel echo command to set the idle time that the tunnel server will wait before sending an echo message to the client.
If the tunnel server does not receive a reply to the echo message within 20 seconds, it will tear down the tunnel. This 20-second interval is hard coded.
Examples
The following example shows how to fine-tune PPTP on the tunnel server by increasing the idle time interval for the tunnels associated with the virtual private dialup network (VPDN) group named group1 to 90 seconds:
vpdn-group group1accept-dialinprotocol pptpvirtual-template 1!pptp tunnel echo 90Related Commands
protocol (VPDN)
To specify the tunneling protocol that a virtual private dialup network (VPDN) subgroup will use, use the protocol command in the appropriate VPDN subgroup configuration mode. To remove the protocol-specific configurations from a VPDN subgroup, use the no form of this command.
protocol {any |l2f | l2tp | pppoe | pptp}
no protocol {any | l2f | l2tp | pppoe | pptp}
Syntax Description
Command Default
No protocol is specified.
Command Modes
VPDN accept-dialin group configuration (config-vpdn-acc-in)
VPDN accept-dialout group configuration (config-vpdn-acc-out)
VPDN request-dialin group configuration (config-vpdn-acc-in)
VPDN request-dialout group configuration (config-vpdn-req-out)Command History
12.0(5)T
This command was introduced.
12.1(1)T
The pppoe keyword was added.
12.4(11)T
The l2f keyword was removed from Cisco IOS Release 12.4(11)T.
Usage Guidelines
This command is required for any VPDN subgroup configuration.
L2TP is the only protocol that can be used for dialout subgroup configurations.
Removal of l2f Keyword
The l2f keyword was removed from Cisco IOS Release 12.4(11)T. It is available in releases prior to Release 12.4(11)T.
Changing the protocol will remove all the commands from the VPDN subgroup configuration, and any protocol-specific commands from the VPDN group configuration.
Note
Users must first enter the vpdn enable command to configure the PPP over Ethernet discovery daemon.
The show running-config command does not display the configured domain name and virtual template, unless you configure the protocol l2tp command.
When you unconfigure the protocol l2tp command, the configured domain name and virtual template are automatically removed. When you reconfigure the protocol l2tp command, the domain name and virtual template need to be explicitly added again.
Examples
The following example configures VPDN group 1 to accept dial-in calls using L2F and to request dial-out calls using L2TP:
Router> enableRouter# configure terminalRouter(config)# vpdn enableRouter(config)# vpdn-group 1Router(config-vpdn)# accept-dialinRouter(config-vpdn-acc-in)# protocol l2fRouter(config-vpdn-acc-in)# virtual-template 1Router(config-vpdn-acc-in)# exitRouter(config-vpdn)# request-dialoutRouter(config-vpdn-req-out)# protocol l2tpRouter(config-vpdn-req-out)# pool-member 1Router(config-vpdn-acc-in)# exitRouter(config-vpdn)# local name router1Router(config-vpdn)# terminate-from hostname router2Router(config-vpdn)# initiate-to ip 10.3.2.1Router(config-vpdn)# l2f ignore-mid-sequenceRouter(config-vpdn)# l2tp ip udp checksumIf you then use the no protocol command in VPDN request-dialout group configuration mode, the configuration will be changed to this:
vpdn enable!vpdn-group 1accept-dialinprotocol l2fvirtual-template 1terminate-from hostname router2local name router1l2f ignore-mid-sequenceThe following example shows how to set VPDN group 1 to request dial-in calls using PPTP:Router> enableRouter# configure terminalRouter(config)# vpdn enableRouter(config)# vpdn-group 1Router(config-vpdn)# request-dialinRouter(config-vpdn-req-in)# protocol pptpThe domain name command configures the domain name of the users that will be forwarded to the L2TP tunnel server. The virtual-template command selects the default virtual template from which to clone the virtual access interfaces for the L2TP tunnel. The following example shows how to configure the protocol l2tp, virtual-template, and domain name commands:
Router(config)# vpdn enableRouter(config)# vpdn-group l2tpRouter(config-vpdn)# request-dialinRouter(config-vpdn-req-in)# protocol l2tpRouter(config-vpdn-req-in)# virtual-template 1Router(config-vpdn-req-in)# domain example.comRouter(config-vpdn-req-in)# exitIf you then use the no protocol command in VPDN request-dialout group configuration mode, the configuration will be changed to this:
vpdn enable!vpdn-group l2tpThe following example shows the output from the show running-config command, if you reconfigure the protocol l2tp command:
vpdn enable!vpdn-group l2tprequest-dialinprotocol l2tpRelated Commands
radius-server attribute 87 circuit-id
To override the nas-port-id attribute with Circuit_ID in RADIUS AAA messages, use the radius-server attribute 87 circuit-id command in global configuration mode. To disable the command function (default), use the no form of this command.
radius-server attribute 87 circuit-id
no radius-server attribute 87 circuit-id
Syntax Description
This command has no arguments or keywords.
Command Default
The command function is disabled.
Command Modes
Global configuration
Command History
12.4(15)T
This command was introduced.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Usage Guidelines
Configure the radius-server attribute 87 circuit-id command on the Line Network Server (LNS).
Examples
The following example shows the configuration on the LNS:
Router(config)# radius-server attribute 87 circuit-idRelated Commands
radius-server attribute 31 remote-id
To override the calling-station-id attribute with remote-id in RADIUS AAA messages, use the radius-server attribute 31 remote-id command in global configuration mode. To disable the command function (default), use the no form of this command.
radius-server attribute 31 remote-id
no radius-server attribute 31 remote-id
Syntax Description
This command has no arguments or keywords.
Command Default
Command function is disabled.
Command Modes
Global configuration mode
Command History
12.2(33)SRC
This command was introduced.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Usage Guidelines
Configure the radius-server attribute 31 remote-id command on the LNS.
Examples
The following example shows the configuration on the LNS:
lns#radius-server attribute 31 remote-idRelated Commands
redirect identifier
To configure a virtual private dialup network (VPDN) redirect identifier to use for Layer 2 Tunneling Protocol (L2TP) call redirection on a network access server (NAS), use the redirect identifier command in VPDN group or VPDN template configuration mode. To remove the name of the redirect identifier from the NAS, use the no form of this command.
redirect identifier identifier-name
no redirect identifier identifier-name
Syntax Description
Command Default
No redirect identifier is configured.
Command Modes
VPDN group configuration
VPDN template configurationCommand History
12.2(8)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
The redirect identifier command is used only on the NAS. To configure the name of the redirect identifier on the stack group tunnel server, use the vpdn redirect identifier command in global configuration mode.
The NAS compares the redirect identifier with the one received from the stack group tunnel server to determine authorization information to redirect the call.
Configuring the redirect identifier is not necessary to perform redirects. If the redirect identifier is not configured, the NAS uses the redirect IP address in order to get authorization information to redirect the call. In that case, the IP address of the new redirected tunnel server must be present in the initiate-to command configuration of the VPDN group on the NAS.
The redirect identifier allows new stack group members to be added without the need to update the NAS configuration with their IP addresses. With the redirect identifier configured, a new stack group member can be added and given the same redirect identifier as the rest of the stack group.
If the authorization information for getting to the new redirected tunnel server is different, then you will need to configure the authorization information via RADIUS using tagged attributes:
Cisco:Cisco-Avpair = :0:"vpdn:vpdn-redirect-id=identifier name"The NAS will choose the correct tagged parameters to get authorization information for the new redirected tunnel server by first trying to match the redirect identifier (if present) or else by matching the Tunnel-Server-Endpoint IP address.
Examples
The following example configures the redirect identifier named lns1 on the NAS for the VPDN group named group1:
vpdn-group group1redirect identifier lns1Related Commands
request-dialin
To create a request dial-in virtual private dialup network (VPDN) subgroup that configures a network access server (NAS) to request the establishment of a dial-in tunnel to a tunnel server, and to enter request dial-in VPDN subgroup configuration mode, use the request-dialin command in VPDN group configuration mode. To remove the request dial-in VPDN subgroup configuration from a VPDN group, use the no form of this command.
request-dialin
no request-dialin
Syntax Description
This command has no arguments or keywords.
Defaults
No request dial-in VPDN subgroups are configured.
Command Modes
VPDN group configuration
Command History
Usage Guidelines
Use the request-dialin command on a NAS to configure a VPDN group to request the establishment of dial-in VPDN tunnels to a tunnel server.
For a VPDN group to request dial-in calls, you must also configure the following commands:
•
•
•
The NAS can also be configured to accept requests for Layer 2 Tunnel Protocol (L2TP) dial-out VPDN tunnels from the tunnel server using the accept-dialout command. Dial-in and dial-out calls can use the same L2TP tunnel.
Examples
The following example requests an L2TP dial-in tunnel to a remote peer at IP address 172.17.33.125 for a user in the domain named cisco.com:
Router(config)# vpdn-group 1Router(config-vpdn)# request-dialinRouter(config-vpdn-req-in)# protocol l2tpRouter(config-vpdn-req-in)# domain cisco.com!Router(config-vpdn)# initiate-to ip 172.17.33.125Related Commands
request-dialout
To create a request dial-out virtual private dialup network (VPDN) subgroup that configures a tunnel server to request the establishment of dial-out Layer 2 Tunnel Protocol (L2TP) tunnels to a network access server (NAS), and to enter request dial-out VPDN subgroup configuration mode, use the request-dialout command in VPDN group configuration mode. To remove the request dial-out VPDN subgroup configuration from a VPDN group, use the no form of this command.
request-dialout
no request-dialout
Syntax Description
This command has no arguments or keywords.
Command Default
No request dial-out VPDN subgroups are configured.
Command Modes
VPDN group configuration
Command History
12.0(5)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use the request-dialout command on a tunnel server to configure a VPDN group to request the establishment of dial-out VPDN tunnels to a NAS. L2TP is the only tunneling protocol that can be used for dial-out VPDN tunnels.
For a VPDN group to request dial-out calls, you must also configure the following commands:
•
•
•
•
If the dialer pool or dialer rotary group that the VPDN group is in contains physical interfaces, the physical interfaces will be used before the VPDN group configuration.
The tunnel server can also be configured to accept requests to establish dial-in VPDN tunnels from a NAS using the accept-dialin command. Dial-in and dial-out calls can use the same L2TP tunnel.
Cisco 10000 Series Router
The Cisco 10000 series router does not support Large-Scale Dial-Out (LSDO). The request-dialout command is not implemented.
Examples
The following example configures VPDN group 1 to request an L2TP tunnel to the peer at IP address 10.3.2.1 for tunneling dial-out calls from dialer pool 1:
Router(config)# vpdn-group 1Router(config-vpdn)# request-dialoutRouter(config-vpdn-req-ou)# protocol l2tpRouter(config-vpdn-req-ou)# pool-member 1Router(config-vpdn-req-ou)# exitRouter(config-vpdn)# initiate-to ip 10.3.2.1Router(config-vpdn)# exitRouter(config)# interface Dialer2Router(config-if)# ip address 172.16.2.3 255.255.128Router(config-if)# encapsulation pppRouter(config-if)# dialer remote-name dialer32Router(config-if)# dialer string 5550100Router(config-if)# dialer vpdnRouter(config-if)# dialer pool 1Router(config-if)# dialer-group 1Router(config-if)# ppp authentication chapRelated Commands
resource-pool profile vpdn
To create a virtual private dialup network (VPDN) profile and to enter VPDN profile configuration mode, use the resource-pool profile vpdn command in global configuration mode. To disable this function, use the no form of this command.
resource-pool profile vpdn name
no resource-pool profile vpdn name
Syntax Description
Defaults
No VPDN profiles are set up.
Command Modes
Global configuration
Command History
12.0(4)XI
This command was introduced.
12.0(5)T
This command was integrated into Cisco IOS Release 12.0(5)T.
Usage Guidelines
Use the resource-pool profile vpdn command to create a VPDN profile and enter VPDN profile configuration mode, or to enter VPDN profile configuration mode for a VPDN profile that already exists.
VPDN groups can be associated with a VPDN profile using the vpdn group command in VPDN profile configuration mode. A VPDN profile will count VPDN sessions across all associated VPDN groups.
VPDN session limits for the VPDN groups associated with a VPDN profile can be configured in VPDN profile configuration mode using the limit base-size command.
Examples
The following example createss the VPDN groups named l2tp and l2f, and associates both VPDN groups with the VPDN profile named profile32:
Router(config)# vpdn-group l2tpRouter(config-vpdn)#!Router(config)# vpdn-group l2fRouter(config-vpdn)#!Router(config)# resource-pool profile vpdn profile32Router(config-vpdn-profile)# vpdn group l2tpRouter(config-vpdn-profile)# vpdn group l2fRelated Commands
service vpdn group
To provide virtual private dialup network (VPDN) service for the Subscriber Service Switch policy, use the service vpdn group command in subscriber profile configuration mode. To remove VPDN service, use the no form of this command.
service vpdn group vpdn-group-name
no service vpdn group vpdn-group-name
Syntax Description
vpdn-group-name
Provides the VPDN service by obtaining the configuration from a predefined VPDN group.
Defaults
This command is disabled by default.
Command Modes
Subscriber profile configuration
Command History
Usage Guidelines
The service vpdn group command provides VPDN service by obtaining the configuration from a predefined VPDN group for the SSS policy defined with the subscriber profile command.
Examples
The following example provides VPDN service to users in the domain cisco.com, and uses VPDN group 1 to obtain VPDN configuration information:
!subscriber profile cisco.comservice vpdn group 1The following example provides VPDN service to dialed number identification service (DNIS) 1234567, and uses VPDN group 1 to obtain VPDN configuration information:
!subscriber profile dnis:1234567service vpdn group 1The following example provides VPDN service using a remote tunnel (used on the multihop node), and uses VPDN group 1 to obtain VPDN configuration information:
!subscriber profile host:lacservice vpdn group 1Related Commands
session-limit (VPDN)
To limit the number of simultaneous virtual private dialup network (VPDN) sessions allowed for a specified VPDN group, use the session-limit command in VPDN group configuration mode. To remove a configured session limit restriction, use the no form of this command.
session-limit number
no session-limit number
Syntax Description
number
The number of sessions allowed through a specified VPDN group. Valid values range from 0 to 32767.
Command Default
No session limit exists for a VPDN group.
Command Modes
VPDN group configuration
Command History
Usage Guidelines
Use this command to limit the number of allowed sessions for the specified VPDN group. If the session-limit command is configured to 0, no sessions are allowed on the VPDN group.
You must configure the VPDN group as either an accept dial-in or request dial-out VPDN subgroup before you can issue the session-limit command.
The maximum number of VPDN sessions can be configured globally using the vpdn session-limit command, at the level of a VPDN group using the session-limit command, or for all VPDN groups associated with a particular VPDN template using the group session-limit command.
The hierarchy for the application of VPDN session limits is as follows:
•
•
•
Examples
The following example configures an accept dial-in VPDN group named group1 and restricts the VPDN group to a maximum of three simulataneous sessions:
Router(config)# vpdn-group group1Router(config-vpdn)# accept-dialinRouter(config-vpdn-acc-in)# protocol l2tpRouter(config-vpdn-acc-in)# virtual-template 5Router(config-vpdn-acc-in)# exitRouter(config-vpdn)# terminate-from hostname host1Router(config-vpdn)# session-limit 3Related Commands
set variable (control policy-map class)
To create a temporary memory to hold the value of identifier types received by the policy manager, use the set variable command in configuration-control-policymap-class configuration mode. To remove a temporary memory to hold the value of identifier types received by the policy manager, use the no form of this command.
action-number set variable identifier type
no action-number set variable identifier type
Syntax Description
Command Default
The control policy is not affected.
Command Modes
Configuration-control-policymap-class configuration
Command History
Usage Guidelines
The set variable command allows you to create a temporary memory to hold the value of identifier types received by the policy manager.
Examples
The following example shows the policy map with the set variable statement shown in bold:
policy-map type control REPLACE_WITH_example.comclass type control always event session-start1 collect identifier unauthenticated-username2 set NEWNAME identifier unauthenticated-username3 substitute NEWNAME "(.*@).*" "\1example.com"4 authenticate variable NEWNAME aaa list EXAMPLE5 service-policy type service name examplepolicy-map type service abcservice vpdn group 1bba-group pppoe globalvirtual-template 1!interface Virtual-Template1service-policy type control REPLACE_WITH_example.comRelated Commands
show interfaces virtual-access
To display status, traffic data, and configuration information about a specified virtual access interface, use the show interfaces virtual-access command in privileged EXEC mode.
show interfaces virtual-access number [configuration]
Syntax Description
number
Number of the virtual access interface.
configuration
(Optional) Restricts output to configuration information.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
To identify the number of the vty on which the virtual access interface was created, enter the show users EXEC command.
The counts of output packet bytes as reported by the L2TP access server (LAC) to the RADIUS server in the accounting record do not match those of a client. The following paragraphs describe how the accounting is done and how you can determine the correct packet byte counts.
Packet counts for client packets in the input path are as follows:
•
•
PPPoE payload length + PPP address&control bytes = = PPPoE payload length + 2
•
IP len + PPP encapbytes (4) = = PPPoE payload length + 2
Packet counts for client packets in the output path are as follows:
•
Size = PPPoE payload + PPPoE hdr (6) + Eth hdr (14) + SNAP hdr (10) + media hdr (4 for ATM)
•
PPP payload size + 4 bytes of PPP hdr
•
Accounting is done for PPPoE, PPPoA PTA and L2X as follows:
•
•
•
•
Examples
The following is sample output from the show interfaces virtual-access command:
Router# show interfaces virtual-access 3Virtual-Access3 is up, line protocol is upHardware is Virtual Access interfaceMTU 1500 bytes, BW 149760 Kbit, DLY 100000 usec,reliability 255/255, txload 1/255, rxload 1/255Encapsulation PPP, LCP Open, multilink OpenLink is a member of Multilink bundle Virtual-Access4PPPoATM vaccess, cloned from Virtual-Template1Vaccess status 0x44Bound to ATM4/0.10000 VCD:16, VPI:15, VCI:200, loopback not setDTR is pulsed for 5 seconds on resetLast input never, output never, output hang neverLast clearing of "show interface" counters 00:57:37Input queue:0/75/0/0 (size/max/drops/flushes); Total output drops:0Queueing strategy:fifoOutput queue:0/40 (size/max)5 minute input rate 0 bits/sec, 0 packets/sec5 minute output rate 0 bits/sec, 0 packets/sec676 packets input, 12168 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants, 0 throttles0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort676 packets output, 10140 bytes, 0 underruns0 output errors, 0 collisions, 0 interface resets0 output buffer failures, 0 output buffers swapped out0 carrier transitionsTable 12 describes the significant fields shown in the display.
Related Commands
interface virtual-template
Creates a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces.
show ppp mppe
To display Microsoft Point-to-Point Encryption (MPPE) information for an interface, use the show ppp mppe command in privileged EXEC mode.
show ppp mppe {serial | virtual-access} [number]
Syntax Description
Command Modes
Privileged EXEC
Command History
12.0(5)XE5
This command was introduced.
12.1(5)T
This command was integrated into Cisco IOS Release 12.1(5)T.
Usage Guidelines
None of the fields in the output from the show ppp mppe command are fatal errors. Excessive packet drops, misses, out of orders, or CCP-Resets indicate that packets are getting lost. If you see such activity and have stateful MPPE configured, you may want to consider switching to stateless mode.
Examples
The following example displays MPPE information for virtual-access interface 3:
Router# show ppp mppe virtual-access 3Interface Virtual-Access3 (current connection)Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless modepackets encrypted = 0 packets decrypted = 1sent CCP resets = 0 receive CCP resets = 0next tx coherency = 0 next rx coherency = 0tx key changes = 0 rx key changes = 0rx pkt dropped = 0 rx out of order pkt= 0rx missed packets = 0To update the key change information, reissue the show ppp mppe virtual-access 3 command:
Router# show ppp mppe virtual-access 3Interface Virtual-Access3 (current connection)Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless modepackets encrypted = 0 packets decrypted = 1sent CCP resets = 0 receive CCP resets = 0next tx coherency = 0 next rx coherency = 0tx key changes = 0 rx key changes = 1rx pkt dropped = 0 rx out of order pkt= 0rx missed packets = 0Table 13 describes the significant fields shown in the displays.
Related Commands
show resource-pool vpdn
To display information about a specific virtual private dialup network (VPDN) group or specific VPDN profile, use the show resource-pool vpdn command in EXEC mode.
show resource-pool vpdn {group | profile} [name]
Syntax Description
group
All the VPDN groups configured on the router.
profile
All the VPDN profiles configured on the router.
name
(Optional) Specific VPDN group or profile.
Command Modes
EXEC
Command History
Examples
Use the show resource-pool vpdn group command to display information about a specific VPDN group.
Example 1
This example displays specific information about the VPDN group named vpdng2:
Router# show resource-pool vpdn group vpdng2VPDN Group vpdng2 found under Customer Profiles: customer2Tunnel (L2TP)--------dnis:customer2-calledgcisco.comEndpoint Session Limit Priority Active Sessions Status Reserved Sessions-------- ------------- -------- --------------- ------ -----------------172.21.9.97 * 1 0 OK------------- --------------- -----------------Total * 0 0Example 2
The following example displays information about all the VPDN groups configured on the router:
Router# show resource-pool vpdn groupList of VPDN Groups under Customer ProfilesCustomer Profile customer1: vpdng1Customer Profile customer2: vpdng2List of VPDN Groups under VPDN ProfilesVPDN Profile profile1: vpdng1VPDN Profile profile2: vpdng2Table 14 describes the significant fields shown in the displays.
Example 3
The following example displays a list of all VPDN profiles configured on the router:
Router# show resource-pool vpdn profile% List of VPDN Profiles:profile1profile2profile3Example 4
The following example displays details about a specific VPDN profile named vpdnp1:
Router# show resource-pool vpdn profile vpdnp10 active connections0 max number of simultaneous connections0 calls rejected due to profile limits0 calls rejected due to resource unavailable0 overflow connections0 overflow states entered0 overflow connections rejected3003 minutes since last clear commandTable 15 describes the significant fields shown in the displays.
Related Commands
show vpdn
To display basic information about all active virtual private dialup network (VPDN) tunnels, use the show vpdn command in user EXEC mode.
show vpdn
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC
Command History
Usage Guidelines
Use the show vpdn command to display information about all active tunnels using Layer 2 Tunnel Protocol (L2TP), Layer 2 Forwarding (L2F), and Point-to-Point Tunnel Protocol (PPTP).
Note
The output of the show vpdn session command also displays PPPoE session information. PPPoE is supported on ATM permanent virtual connections (PVCs) compliant with RFC 1483 only. PPPoE is not supported on Frame Relay and any other LAN interfaces such as FDDI and Token Ring.
Examples
The following is sample output from the show vpdn command on a device with active L2F and L2TP tunnels:
Router> show vpdnActive L2F tunnelsNAS Name Gateway Name NAS CLID Gateway CLID Statenas gateway 4 2 openL2F MIDsName NAS Name Interface MID Staterouter1@cisco.com nas As7 1 openrouter2@cisco.com nas As8 2 open%No active PPTP tunnelsThe following is sample output from the show vpdn command on a device with an active PPPoE tunnels:
Router> show vpdn%No active L2TP tunnels%No active L2F tunnelsPPPoE Tunnel and Session Information Total tunnels 1 sessions 1PPPoE Tunnel InformationSession count:1PPPoE Session InformationSID RemMAC LocMAC Intf VASt OIntf VC1 0010.7b01.2cd9 0090.ab13.bca8 Vi4 UP AT6/0 0/104The following is sample output from the show vpdn command on a device with an active PPPoE session on an actual Ethernet interface:
Router> show vpdn%No active L2TP tunnels%No active L2F tunnelsPPPoE Tunnel and Session Information Total tunnels 1 sessions 1PPPoE Tunnel InformationSession count:1PPPoE Session InformationSID RemMAC LocMAC Intf VASt OIntf1 0090.bf06.c870 00e0.1459.2521 Vi1 UP Eth1Table 16 describes the significant fields shown in the displays.
Related Commands
show vpdn dead-cache
To display a list of dead-cache (DOWN) state Local Network Servers (LNSs), use the show vpdn dead-cache command in user or privileged EXEC mode.
show vpdn dead-cache {group <group-name> | all}
Syntax Description
group <group-name>
Displays all entries in the dead-cache for the specified VPDN group.
all
Displays all entries in the dead-cache for all VPDN groups.
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
Use the show vpdn dead-cache command in global configuration mode on the L2TP Access Concentrator (LAC) gateway to display a list of LNS entries in a dead-cache state, including the IP address of the LNS and how long, in seconds, the entry has been in a dead-cache state.
Use the clear vpdn dead-cache command in global configuration mode on the LAC gateway to clear the list of LNS entries in the dead-cache. Once the LNS is cleared, the LNS is active and can establish new sessions.
Use the vpdn logging dead-cache command in global configuration mode on the LAC gateway to trigger either a syslog or SNMP event when an LNS enters or exits a dead-cache state.
To display an SNMP or system message log (syslog) event when an LNS enters or exits a dead-cache state, you must configure the vpdn logging dead-cache command.
Examples
The following example shows how to display the status of the dead-cache for a particular VPDN group:
Router> enableRouter# show vdpn dead-cache group examplevpdn-group ip address down timeexampleA 192.168.2.2 00:01:23exampleB 192.168.2.3 00:01:16The following example shows how to display the status of the dead-cache for all VPDN groups:
Router> enableRouter# show vdpn dead-cache allvpdn-group ip address down timeexampleA 192.168.2.2 00:01:23exampleB 192.168.2.3 00:01:16Table 17 describes the significant fields shown in the displays.
Related Commands
clear vpdn dead-cache
Clears the entries in the dead-cache for VPDN groups.
vpdn logging dead-cache
Enables the logging of VPDN events.
show vpdn domain
To display all virtual private dialup network (VPDN) domains and DNIS groups configured on the network access server, use the show vpdn domain command in privileged EXEC mode.
show vpdn domain
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the show vpdn domain command:
Router# show vpdn domainTunnel VPDN Group------ ----------dnis:cg2 vgdnis (L2F)domain:twu-ultra test (L2F)Table 18 describes the significant fields shown in the display.
Table 18 show vpdn domain Field Descriptions
Tunnel
The assigned name of the tunnel endpoint.
VPDN Group
The assigned name of the VPDN group using the tunnel.
Related Commands
show vpdn group
To display a summary of the relationships among virtual private dialup network (VPDN) groups and customer/VPDN profiles, or to summarize the configuration of a VPDN group including DNIS/domain, load sharing information, and current session information, use the show vpdn group command in Privileged EXEC mode.
show vpdn group [name] [domain | endpoint]
Syntax Description
name
(Optional) VPDN group name summarizes the configuration of the specified group.
domain
(Optional) DNIS/domain information.
endpoint
(Optional) Endpoint session information.
Command Modes
Privileged EXEC
Command History
12.0(4)XI
This command was introduced.
12.2(8)T
The "resource-pool disabled" message was added to the command output.
Usage Guidelines
Use the show vpdn group command in EXEC mode to see a summary of the relationships among VPDN groups and customer/VPDN profiles, or to summarize the configuration of a VPDN group including domain/DNIS, load sharing information, and current session information. To summarize relationships among VPDN groups and customer/VPDN profiles, use the syntax show vpdn group name.
The following usage guidelines apply only to the Cisco AS5300, AS5400, and AS5800 access servers. If the resource manager has been disabled by the resource-pool disable global configuration command, the show vpdn group command only displays a message stating that the resource-pool is disabled. If you enter the show vpdn group name command when the resource-pool disable command is enabled, the router will display the message stating that the resource-pool is disabled followed by a summary of active VPDN sessions.
Examples
The following is sample output from the show vpdn group command summarizing all VPDN group and profile relationships:
Router# show vpdn groupVPDN Group Customer Profile VPDN Profile---------- ---------------- ------------1 - -2 - -3 - -lisun cp1 -outgoing-2 - -test - -*vg1 cpdnis -*vg2 cpdnis -vgdnis +cp1 vp1vgnumber - -vp1 - -* VPDN group not configured+ VPDN profile under Customer profile
Note
Note
The following is sample output from the show vpdn group command for a VPDN group named vgdnis:
Router # show vpdn group vgdnisTunnel (L2TP)------dnis:cg1dnis:cg2dnis:jancisco.comEndpoint Session Limit Priority Active Sessions Status Reserved Sessions-------- ------------- -------- --------------- ------ -----------------172.21.9.67 * 1 0 OK ---------------- ------------- --------------- -----------------Total * 0 0
Note
The session limit endpoint is the sum of the session limits of all endpoints and is marked with "*" if there is no limit (indicated by "*") for any endpoint.
If the endpoint has no session limit, reserved sessions are marked with "-".The following is sample output from the show vpdn group command:
Router# show vpdn groupVPDN Group Customer Profile VPDN Profile---------- ---------------- ------------customer1-vpdng customer1 customer1-profilecustomer2-vpdng customer2 -Router# show vpdn group customer1-vpdngTunnel (L2TP)--------cisco.comcisco1.comdnis:customer1-calledgEndpoint Session Limit Priority Active Sessions Status Reserved Sessions-------- ------------- -------- --------------- ------ -----------------172.21.9.67 * 1 0 OK172.21.9.68 100 1 0 OK172.21.9.69 * 5 0 OK------------- --------------- -----------------Total * 0 0The following is sample output from the show vpdn group command on a Cisco AS5300 access server when the resource-pool disable command is configured:
Router # show vpdn group% Resource-pool disabledThe following is sample output from the show vpdn group vpdnis command on a Cisco AS5300 access server when the resource-pool disable command is configured. The summary of tunnel information is only displayed if there is an active VPDN session.
Router # show vpdn group vgdnis% Resource-pool disabledTunnel (L2TP)------dnis:cg1cisco.comEndpoint Session Limit Priority Active Sessions Status Reserved Sessions-------- ------------- -------- --------------- ------ -----------------172.21.9.67 * 1 1 OK ---------------- ------------- --------------- -----------------Table 19 describes the significant fields shown in the displays.
Related Commands
show vpdn group-select
To display a summary of the relationships among virtual private dialup network (VPDN) groups and customer or VPDN profiles, or to summarize the configuration of the default VPDN group including DNIS or domain, load sharing information, and current session information, use the show vpdn group-select command in user EXEC or privileged EXEC mode.
show vpdn group-select {summary | default}
Syntax Description
Command Modes
EXEC
Privileged EXECCommand History
Usage Guidelines
Use the show vpdn group-select command in user or privileged EXEC mode to see a summary of the relationships among VPDN groups and customer or VPDN profiles, or to summarize the configuration of the default VPDN group including domain or DNIS, load sharing information, and current session information.
Examples
The following is sample output from the show vpdn group-select default command summarizing all VPDN group and profile relationships:
Router> show vpdn group-select defaultDefault VPDN Group Protocolvgdefault l2tpNone pptpThe following is sample output from the show vpdn group-select summary command:
Router> show vpdn group-select summaryVPDN Group Vrf Remote Name Source-IP Protocol Direction vg_ip2 10.1.1.2 l2tp accept-dialin vg_ip3 10.1.1.3 l2tp accept-dialin vg_lts lts 0.0.0.0 l2tp accept-dialin vg_lts1 lts1 0.0.0.0 l2tp accept-dialin vg_lts1_ip2 lts1 10.1.1.2 l2tp accept-dialin vgdefault 0.0.0.0 l2tp accept-dialinTable 20 describes the significant fields shown in the displays.
Related Commands
show vpdn group-select keys
To display a summary of the relationships among virtual private dialup network (VPDN) groups and customer or VPDN profiles, or to summarize the configuration of a VPDN group including DNIS or domain, load sharing information, and current session information, use the show vpdn group-select keys command in user EXEC or privlieged EXEC mode.
show vpdn group-select keys hostname hostname source-ip ip- address vpn [id vpn-id | vrf vrf-name]
Syntax Description
Command Modes
EXEC
Privileged EXECCommand History
Usage Guidelines
Use the show vpdn group-select keys command in user of privledged EXEC mode to display a summary of the relationships among VPDN groups and customer or VPDN profiles, or to summarize the configuration of a VPDN group including domain or DNIS, load sharing information, and current session information.
Examples
The following is sample output from the show vpdn group-select keys command for a host with the name lts and an IP address of 10.1.1.2:
Router> enableRouter# show vpdn group-select keys hostname lts source-ip 10.1.1.2VPDN group example will be selectedThe following is sample output from the show vpdn group-select keys command for a host with the name lts and an IP address of 10.1.1.2, and vrf number 101:
Router> enableRouter# show vpdn group-select keys hostname lts source-ip 10.1.1.2 vpn vrf vrf101VPDN group example-a will be selectedRelated Commands
show vpdn history failure
To display the content of the failure history table, use the show vpdn history failure command in EXEC mode.
show vpdn history failure [user-name]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
If a username is specified, only the entries mapped to that username are displayed; when the username is not specified, the whole table is displayed.
You can obtain failure results for the output of the show vpdn history failure command by referencing
RFC 2661, Section 4.4.2, L2TP Result and Error Codes.
Examples
The following is sample output from the show vpdn history failure command, which displays the failure history table for a specific user:
Router# show vpdn history failureTable size: 20Number of entries in table: 1User: example@example.com, MID = 1NAS: isp, IP address = 172.21.9.25, CLID = 1Gateway: hp-gw, IP address = 172.21.9.15, CLID = 1Log time: 13:08:02, Error repeat count: 1Failure type: The remote server closed this sessionFailure reason: Administrative interventionTable 21 describes the significant fields shown in the display.
Related Commands
show vpdn multilink
To display the multilink sessions authorized for all virtual private dialup network (VPDN) groups, use the show vpdn multilink command in EXEC mode.
show vpdn multilink
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
Following is sample output comparing the show vpdn tunnel command with the show vpdn multilink command:
Router# show vpdn tunnelL2F Tunnel and Session Information (Total tunnels=1 sessions=1)NAS CLID HGW CLID NAS Name HGW Name State24 10 centi3_nas twu253_hg open172.21.9.46 172.21.9.67CLID MID Username Intf State10 1 twu@twu-ultra.cisco.com Se0:22 openRouter# show vpdn multilinkMultilink Bundle Name VPDN Group Active links Reserved links Bundle/Link Limit--------------------- ---------- ------------ -------------- -----------------twu@twu-ultra.cisco.com vgdnis 1 0 */*Table 22 describes the significant fields shown in the display.
Related Commands
show vpdn redirect
To display statistics for Layer 2 Tunneling Protocol (L2TP) redirects and forwards, use the show vpdn redirect command in privileged EXEC mode.
show vpdn redirect
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Statistics about the number of L2TP forwards and redirects that were done by the router as an L2TP network access server (NAS) or L2TP tunnel server are displayed when you enter the show vpdn redirect command. To clear the redirect counters, use the clear vpdn redirect command.
Examples
The following example displays statistics for redirects and forwards for a router configured as an L2TP NAS:
Router# show vpdn redirectvpdn redirection enabledsessions redirected as access concentrator: 2sessions redirected as network server: 0sessions forwarded: 2Table 23 describes the significant fields shown in the display.
Related Commands
show vpdn session
To display session information about active Layer 2 sessions for a virtual private dialup network (VPDN), use the show vpdn session command in privileged EXEC mode.
show vpdn session [l2f | l2tp | pptp] [all | packets | sequence | state [filter]]
Syntax Description
l2f
(Optional) Displays information about Layer 2 Forwarding (L2F) calls only.
l2tp
(Optional) Displays information about Layer 2 Tunnel Protocol (L2TP) calls only.
pptp
(Optional) Displays information about Point-to-Point Tunnel Protocol (PPTP) calls only.
all
(Optional) Displays extensive reports about active sessions.
packets
(Optional) Displays information about packet and byte counts for sessions.
sequence
(Optional) Displays sequence information for sessions.
state
(Optional) Displays state information for sessions.
filter
(Optional) One of the filter parameters defined in Table 24.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show vpdn session command to display information about all active sessions using L2TP, L2F, and PPTP.
The output of the show vpdn session command displays PPPoE session information as well. PPPoE is supported on ATM permanent virtual connections (PVCs) compliant with RFC 1483 only. PPPoE is not supported on Frame Relay and any other LAN interfaces such as FDDI and Token Ring.
Reports and options for this command depend upon the configuration in which it is used. Use the command-line question mark (?) help function to display options available with the show vpdn session command.
Table 24 defines the filter parameters available to refine the output of the show vpdn session command. You may use any one of the filter parameters in place of the filter argument.
Examples
The show vpdn session command provides reports on call activity for all active sessions. The following output is from a device carrying active L2TP, L2F, and PPPoE sessions:
Router# show vpdn sessionL2TP Session Information Total tunnels 1 sessions 4LocID RemID TunID Intf Username State Last Chg Uniq ID4 691 13695 Se0/0 nobody2@cisco.com est 00:06:00 45 692 13695 SSS Circuit nobody1@cisco.com est 00:01:43 86 693 13695 SSS Circuit nobody1@cisco.com est 00:01:43 93 690 13695 SSS Circuit nobody3@cisco.com est 2d21h 3L2F Session Information Total tunnels 1 sessions 2CLID MID Username Intf State Uniq ID1 2 nobody@cisco.com SSS Circuit open 101 3 nobody@cisco.com SSS Circuit open 11%No active PPTP tunnelsPPPoE Session Information Total tunnels 1 sessions 7PPPoE Session InformationUID SID RemMAC OIntf Intf SessionLocMAC VASt state3 1 0030.949b.b4a0 Fa2/0 N/A CNCT_FWDED0010.7b90.08406 2 0030.949b.b4a0 Fa2/0 Vi1.1 CNCT_PTA0010.7b90.0840 UP7 3 0030.949b.b4a0 Fa2/0 Vi1.2 CNCT_PTA0010.7b90.0840 UP8 4 0030.949b.b4a0 Fa2/0 N/A CNCT_FWDED0010.7b90.08409 5 0030.949b.b4a0 Fa2/0 N/A CNCT_FWDED0010.7b90.084010 6 0030.949b.b4a0 Fa2/0 N/A CNCT_FWDED0010.7b90.084011 7 0030.949b.b4a0 Fa2/0 N/A CNCT_FWDED0010.7b90.0840Table 25 describes the significant fields shown in the show vpdn session display.
The show vpdn session packets command provides reports on call activity for all the currently active sessions. The following output is from a device carrying an active PPPoE session:
Router# show vpdn session packets%No active L2TP tunnels%No active L2F tunnelsPPPoE Session Information Total tunnels 1 sessions 1PPPoE Session InformationSID Pkts-In Pkts-Out Bytes-In Bytes-Out1 202333 202337 2832652 2832716Table 26 describes the significant fields shown in the show vpdn session packets command display.
The show vpdn session all command provides extensive reports on call activity for all the currently active sessions. The following output is from a device carrying active L2TP, L2F, and PPPoE sessions:
Router# show vpdn session allL2TP Session Information Total tunnels 1 sessions 4Session id 5 is up, tunnel id 13695Call serial number is 3355500002Remote tunnel name is User03Internet address is 10.0.0.63Session state is established, time since change 00:03:5352 Packets sent, 52 received2080 Bytes sent, 1316 receivedLast clearing of "show vpdn" counters neverSession MTU is 1464 bytesSession username is nobody@cisco.comInterfaceRemote session id is 692, remote tunnel id 58582UDP checksums are disabledSSS switching enabledNo FS cached header information availableSequencing is offUnique ID is 8Session id 6 is up, tunnel id 13695Call serial number is 3355500003Remote tunnel name is User03Internet address is 10.0.0.63Session state is established, time since change 00:04:2252 Packets sent, 52 received2080 Bytes sent, 1316 receivedLast clearing of "show vpdn" counters neverSession MTU is 1464 bytesSession username is nobody@cisco.comInterfaceRemote session id is 693, remote tunnel id 58582UDP checksums are disabledSSS switching enabledNo FS cached header information availableSequencing is offUnique ID is 9Session id 3 is up, tunnel id 13695Call serial number is 3355500000Remote tunnel name is User03Internet address is 10.0.0.63Session state is established, time since change 2d21h48693 Packets sent, 48692 received1947720 Bytes sent, 1314568 receivedLast clearing of "show vpdn" counters neverSession MTU is 1464 bytesSession username is nobody2@cisco.comInterfaceRemote session id is 690, remote tunnel id 58582UDP checksums are disabledSSS switching enabledNo FS cached header information availableSequencing is offUnique ID is 3Session id 4 is up, tunnel id 13695Call serial number is 3355500001Remote tunnel name is User03Internet address is 10.0.0.63Session state is established, time since change 00:08:40109 Packets sent, 3 received1756 Bytes sent, 54 receivedLast clearing of "show vpdn" counters neverSession MTU is 1464 bytesSession username is nobody@cisco.comInterface Se0/0Remote session id is 691, remote tunnel id 58582UDP checksums are disabledIDB switching enabledFS cached header information:encap size = 36 bytes4500001C BDDC0000 FF11E977 0A00003E0A00003F 06A506A5 00080000 0202E4D602B30000Sequencing is offUnique ID is 4L2F Session Information Total tunnels 1 sessions 2MID: 2User: nobody@cisco.comInterface:State: openPackets out: 53Bytes out: 2264Packets in: 51Bytes in: 1274Unique ID: 10Last clearing of "show vpdn" counters neverMID: 3User: nobody@cisco.comInterface:State: openPackets out: 53Bytes out: 2264Packets in: 51Bytes in: 1274Unique ID: 11Last clearing of "show vpdn" counters never%No active PPTP tunnelsPPPoE Session Information Total tunnels 1 sessions 7PPPoE Session InformationSID Pkts-In Pkts-Out Bytes-In Bytes-Out1 48696 48696 681765 13146572 71 73 1019 10433 71 73 1019 10434 61 62 879 15675 61 62 879 15676 55 55 791 13637 55 55 795 1363The significant fields shown in the show vpdn session all command display are similar to those defined in Table 25 and Table 26.
Related Commands
show vpdn tunnel
To display information about active Layer 2 tunnels for a virtual private dialup network (VPDN), use the show vpdn tunnel command in privileged EXEC mode.
show vpdn tunnel [l2f | l2tp | pptp] [all [filter] | packets [filter] | state [filter] | summary [filter] | transport [filter]]
Syntax Description
l2f
(Optional) Specifies that only information about Layer 2 Forwarding (L2F) tunnels will be displayed.
l2tp
(Optional) Specifies that only information about Layer 2 Tunnel Protocol (L2TP) tunnels will be displayed.
pptp
(Optional) Specifies that only information about Point-to-Point Tunnel Protocol (PPTP) tunnels will be displayed.
all
(Optional) Displays summary information about all active tunnels.
filter
(Optional) One of the filter parameters defined in Table 27.
packets
(Optional) Displays packet numbers and packet byte information.
state
(Optional) Displays state information for a tunnel.
summary
(Optional) Displays a summary of tunnel information.
transport
(Optional) Displays tunnel transport information.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show vpdn tunnel command to display detailed information about L2TP, L2F, and PPTP VPDN tunnels.
Table 27 defines the filter parameters available to refine the output of the show vpdn tunnel command. You may use any one of the filter parameters in place of the filter argument.
Examples
The following is sample output from the show vpdn tunnel command for L2F and L2TP sessions:
Router# show vpdn tunnelL2TP Tunnel Information (Total tunnels=1 sessions=1)LocID RemID Remote Name State Remote Address Port Sessions2 10 router1 est 172.21.9.13 1701 1L2F TunnelNAS CLID HGW CLID NAS Name HGW Name State9 1 nas1 HGW1 open172.21.9.4 172.21.9.232%No active PPTP tunnelsTable 28 describes the significant fields shown in the display.
The following example shows L2TP tunnel activity, including information about the L2TP congestion avoidance:
Router# show vpdn tunnel l2tp allL2TP Tunnel Information Total tunnels 1 sessions 1Tunnel id 30597 is up, remote id is 45078, 1 active sessionsTunnel state is established, time since change 00:08:27Tunnel transport is UDP (17)Remote tunnel name is LAC1Internet Address 172.18.184.230, port 1701Local tunnel name is LNS1Internet Address 172.18.184.231, port 1701Tunnel domain unknownVPDN group for tunnel is 1L2TP class for tunnel is4 packets sent, 3 received194 bytes sent, 42 receivedLast clearing of "show vpdn" counters neverControl Ns 2, Nr 4Local RWS 500, Remote RWS 500Control channel Congestion Control is enabledCongestion Window size, Cwnd 3Slow Start threshold, Ssthresh 500Mode of operation is Slow StartTunnel PMTU checking disabledRetransmission time 1, max 2 secondsUnsent queuesize 0, max 0Resend queuesize 0, max 1Total resends 0, ZLB ACKs sent 2Current nosession queue check 0 of 5Retransmit time distribution: 0 0 0 0 0 0 0 0 0Sessions disconnected due to lack of resources 0Control message authentication is disabledTable 29 describes the significant fields shown in the display.
Related Commands
show vtemplate
To display information about all configured virtual templates, use the show vtemplate command in privileged EXEC mode.
show vtemplate
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the show vtemplate command:
Router# show vtemplateVirtual access subinterface creation is globally enabledActive Active Subint Pre-clone Pre-clone InterfaceInterface Subinterface Capable Available Limit Type--------- ------------ ------- --------- --------- ---------Vt1 0 0 Yes -- -- SerialVt2 0 0 Yes -- -- SerialVt4 0 0 Yes -- -- SerialVt21 0 0 No -- -- TunnelVt22 0 0 Yes -- -- EtherVt23 0 0 Yes -- -- SerialVt24 0 0 Yes -- -- SerialUsage SummaryInterface Subinterface--------- ------------Current Serial in use 1 0Current Serial free 0 3Current Ether in use 0 0Current Ether free 0 0Current Tunnel in use 0 0Current Tunnel free 0 0Total 1 3Cumulative created 8 4Cumulative freed 0 4Base virtual access interfaces: 1Total create or clone requests: 0Current request queue size: 0Current free pending: 0Maximum request duration: 0 msecAverage request duration: 0 msecLast request duration: 0 msecMaximum processing duration: 0 msecAverage processing duration: 0 msecLast processing duration: 0 msecLast processing duration:0 msecTable 30 describes the significant fields shown in the example.
Related Commands
snmp-server enable traps vpdn dead-cache
To enable the sending of a Simple Network Management Protocol (SNMP) message notification when an L2TP Network Server (LNS) enters or exits a dead-cache (DOWN) state, use the snmp-server enable traps vpdn dead-cache command in global configuration mode. To disable the SNMP notifications, use the no form of this command.
snmp-server enable traps vpdn dead-cache
no snmp-server enable traps vpdn dead-cache
Syntax Description
This command has no arguments or keywords.
Command Default
SNMP notification is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables SNMP trap events.
This command controls (enables or disables) an SNMP message notification when an LNS exits or enters the dead-cache state. SNMP are status notification messages that are generated by the routing device during operation. These messages are typically logged to a destination (such as the terminal screen, to a system buffer, or to a remote host).
You can use the show vpdn dead-cache command to view an LNS entry in the dead-cache state.
You can use the clear vpdn dead-cache command to clear an LNS entry in the dead-cache state.
Examples
The following example enables the router to send an SNMP message when an LNS enters or exits a dead-cache state:
Router(config)# snmp-server enable traps vpdn dead-cacheRelated Commands
clear vpdn dead-cache
Clears an LNS entry in a dead-cache state.
show vpdn dead-cache
Displays LNS entries in a dead-cache state.
source vpdn-template
To associate a virtual private dialup network (VPDN) group with a VPDN template, use the source vpdn-template command in VPDN group configuration mode. To disassociate a VPDN group from a VPDN template, use the no form of this command.
source vpdn-template [name]
no source vpdn-template [name]
Syntax Description
Command Default
Global VPDN template settings are applied to individual VPDN groups if a global VPDN template has been defined. If no global VPDN template has been defined, system default settings are applied to individual VPDN groups.
Command Modes
VPDN group configuration
Command History
Usage Guidelines
Use the source vpdn-template command to associate a VPDN group with a VPDN template. By default, VPDN groups are associated with the global VPDN template if one is defined. A VPDN group can be associated with only one VPDN template. Associating a VPDN group with a named VPDN template automatically disassociates it from the global VPDN template.
The hierarchy for the application of VPDN parameters to a VPDN group is as follows:
•
•
•
Disassociating a VPDN group from the global VPDN template using the no source vpdn-template command results in the following hierarchy for the application of VPDN parameters to that VPDN group:
•
•
If you disassociate a VPDN group from a named VPDN template, the VPDN group will be associated with the global VPDN template if one is defined.
Examples
The following example configures the VPDN group named group1 to ignore the global VPDN template settings and use the system default settings for all unspecified VPDN parameters:
Router(config)# vpdn-group group1Router(config-vpdn)# no source vpdn-templateThe following example creates a VPDN template named l2tp, enters VPDN template configuration mode, configures two VPDN parameters in the VPDN template, and associates the VPDN group named l2tptunnels with the VPDN template:
Router(config)# vpdn-template l2tpRouter(config-vpdn-templ)# l2tp tunnel busy timeout 65Router(config-vpdn-templ)# l2tp tunnel password 7 tunnel4me!Router(config)# vpdn-group l2tptunnelsRouter(config-vpdn)# source vpdn-template l2tpThe following example disassociates the VPDN group named l2tptunnels from the VPDN template named l2tp. The VPDN group will be associated with the global VPDN template if one has been defined.
Router(config)# vpdn-group l2tptunnelsRouter(config-vpdn)# no source vpdn-template l2tpRelated Commands
vpdn-group
Creates a VPDN group and enters VPDN group configuration mode.
vpdn-template
Creates a VPDN template and enters VPDN template configuration mode.
source-ip
To specify an IP address that is different from the physical IP address used to open a virtual private dialup network (VPDN) tunnel for the tunnels associated with a VPDN group, use the source-ip command in VPDN group configuration mode. To remove the alternate IP address, use the no form of this command.
source-ip ip-address
no source-ip
Syntax Description
Command Default
No alternate IP address is specified.
Command Modes
VPDN group configuration
Command History
12.0(5)T
This command was introduced.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Usage Guidelines
Use the source-ip command in VPDN group configuration mode to configure an alternate IP address to be used for only those tunnels associated with that VPDN group. Each VPDN group on a router can be configured with a unique source-ip command.
Use the vpdn source-ip command to specify a single alternate IP address to be used for all tunnels on the device. A single source IP address can be configured globally per device.
The VPDN group-level configuration will override the global configuration.
Examples
The following example configures a network access server (NAS) to accept Layer 2 Tunnel Protocol (L2TP) dial-out calls using the alternate IP address 172.23.33.7, which is different from the physical IP address used to open the L2TP tunnel:
vpdn-group 3accept-dialoutprotocol l2tpdialer 2terminate-from hostname router21source-ip 172.23.33.7Related Commands
substitute (control policy-map class)
To match the contents, stored in temporary memory of identifier types received by the policy manager, against a specified matching-pattern and perform the substitution defined in a rewrite-pattern, use the substitite command in configuration-control-policymap-class configuration mode. To disable the substitution of regular expressions, use the no form of this command.
action-number substitute variable matching-pattern rewrite-pattern
no action-number substitute variable matching-pattern rewrite-pattern
Syntax Description
action-number
Number of the action. Actions are executed sequentially within the policy rule.
substitute
Uses the contents in the storage designated by a variable (created by a preceding set command) for substitution and stores the results of the substitution in the same storage.
variable
Uses the contents in the temporary memory storage designated by a variable (created by a set command) for substitution and stores the results of the substitution in the same temporary memory.
matching-pattern
A regular expression. Rejected if the matching-pattern value violates any regular expression syntax rules. For more information on regular expression, see "Regular Expressions".
rewrit-pattern
A string containing back-referenced characters \0 through \9 that is replaced by strings that match by the whole of, or the 1st to 9th parenthetical part of matching-pattern. The pattern matching method is the longest matching first.
Command Default
The control policy will not initiate substitution.
Command Modes
Configuration-control-policymap-class configuration
Command History
Usage Guidelines
The substitute command allows you to match the contents of a variable using a matching-pattern value and perform the substitution defined in a rewrite-pattern. This command is rejected if variable value is not present in a preceding set action in the same control-policy class map, or if the matching-pattern value violates any regular expression syntax rules.
Examples
The following example shows the policy map with the substitute statement shown in bold:
policy-map type control REPLACE_WITH_example.comclass type control always event session-start1 collect identifier unauthenticated-username2 set NEWNAME identifier unauthenticated-username3 substitute NEWNAME "(.*@).*" "\1example.com"4 authenticate variable NEWNAME aaa list EXAMPLE5 service-policy type service name examplepolicy-map type service abcservice vpdn group 1bba-group pppoe globalvirtual-template 1!interface Virtual-Template1service-policy type control REPLACE_WITH_example.comRelated Commands
terminate-from
To specify the hostname of the remote L2TP access concentrator (LAC) or L2TP network server (LNS) that will be required when accepting a virtual private dialup network (VPDN) tunnel, use the terminate-from command in VPDN group configuration mode. To remove the hostname from the VPDN group, use the no form of this command.
terminate-from hostname host-name
no terminate-from [hostname host-name]
Syntax Description
Defaults
Disabled
Command Modes
VPDN group configuration
Command History
Usage Guidelines
Before you can use this command, you must have already enabled one of the two accept VPDN subgroups by using either the accept-dialin or accept-dialout command.
Each VPDN group can only terminate from a single hostname. If you enter a second terminate-from command on a VPDN group, it will replace the first terminate-from command.
Examples
The following example configures a VPDN group to accept L2TP tunnels for dial-out calls from the LNS cerise by using dialer 2 as its dialing resource:
vpdn-group 1accept-dialoutprotocol l2tpdialer 2terminate-from hostname host1Related Commands
