Cisco 6400 Feature Guide--Release 12.3
Layer 2 Tunnel Protocol
Table of Contents

Layer 2 Tunnel Protocol
  Restrictions
  Basic LAC Configuration
  Basic LNS Configuration
    Task 1: Configuring the LNS to Initiate and Receive Calls
    Task 2: Configuring the Virtual Template Interface
  Tunnel Service Authorization Enhancements
    Task 1 (Option 1): Configuring a Static Domain Name—PVC Method
    Task 1 (Option 2): Configuring a Static Domain Name—VC Class Method
    Verifying the Static Domain Name
    Task 2: Enabling Domain Preauthorization
    Verifying Domain Preauthorization
    Task 3: Configuring Communication with the RADIUS Server
    Verifying the Communication with the RADIUS Server Configuration
    Task 4: Configuring the RADIUS User Profile for Domain Preauthorization
    Verifying the RADIUS User Profile for Domain Preauthorization
    Task 5: Configuring the RADIUS Service Profile for Tunnel Service Authorization
    Verifying the RADIUS Service Profile for Tunnel Service Authorization
  Sessions per Tunnel Limiting
    Option 1: Configuring Sessions per Tunnel Limiting on the LAC
    Verifying Sessions per Tunnel Limiting on the LAC
    Option 2: Configuring Sessions per Tunnel Limiting in the RADIUS Service Profile
    VPDN IP Addresses
    VPDN IP Address Limits
    Example: Configuring Sessions per Tunnel Limiting in the RADIUS Service Profile
    Verifying Sessions per Tunnel Limiting in the RADIUS Service Profile
  Tunnel Sharing
    Task 1: Configuring Tunnel Sharing on the LAC
    Verifying Tunnel Sharing Configuration on the LAC
    Task 2: Configuring Tunnel Sharing in the RADIUS Service Profile
    Verifying the Tunnel Sharing Configuration in the RADIUS Service Profile
  Tunnel Switching
    Task 1: Enabling VPDN and Multihop Functionality
    Verifying VPDN and Multihop Functionality
    Task 2: Terminating the Tunnel from the LAC
    Verifying Termination of the Tunnel from the LAC
    Task 3: Mapping the Ingress Tunnel Name to an LNS
    Verifying the Ingress Tunnel Name to LNS Map
    Task 4: Performing VPDN Tunnel Authorization Searches by Ingress Tunnel Name
    Verifying VPDN Tunnel Authorization Searches by Ingress Tunnel Name
    Comprehensive Example: L2TP Tunnel Switching Configurations

Layer 2 Tunnel Protocol

This chapter provides tasks and restrictions for Layer 2 Tunnel Protocol (L2TP) features supported by the Cisco 6400 in Cisco IOS Release 12.3. This chapter describes only tasks that are specific to the Cisco 6400 and supplements the general Cisco IOS L2TP documentation, which provides L2TP overview, configuration, verification, monitoring, and troubleshooting information.
This chapter includes the following sections:

- Restrictions
- Basic LAC Configuration
- Basic LNS Configuration
- Tunnel Service Authorization Enhancements
- Sessions per Tunnel Limiting
- Tunnel Sharing
- Tunnel Switching

See the "Supported Features" chapter for additional documentation on L2TP features.

Restrictions

L2TP Tunnel Service Authorization Feature Restriction

Static tunnel service authorization does not support switched virtual circuits (SVCs).

L2TP Tunnel Switching Feature Restriction

When a RADIUS service profile is used for tunnel service authorization, the NRP configured as an L2TP tunnel switch must forward all sessions through L2TP tunnels; it must not terminate any of the sessions itself.

L2TP Multihop Feature Restriction

L2TP multihop by remote tunnel hostname is not supported in Cisco IOS Release 12.2(4)B3. L2TP multihop by domain is supported in Cisco IOS Release 12.2(4)B3, but it requires the lcp renegotiation always command in the vpdn-group configuration on the L2TP network server (LNS).

Basic LAC Configuration

The L2TP access concentrator (LAC) is one endpoint of an L2TP tunnel and a peer of the L2TP network server (LNS). The LAC sits between the LNS and a remote system and forwards packets between them. Packets sent from the LAC to the LNS are encapsulated in L2TP; the connection from the LAC to the remote system is either local or a PPP link.

Configuring the LAC

To enable VPDN on a LAC using L2TP, enter the following commands beginning in global configuration mode:

Basic LNS Configuration

The L2TP network server (LNS) is the termination point of an L2TP tunnel and a peer of the LAC. The LNS is the logical termination point of the PPP session that the LAC tunnels from the remote system. Basic LNS configuration consists of the following tasks:

- Task 1: Configuring the LNS to Initiate and Receive Calls
- Task 2: Configuring the Virtual Template Interface

A virtual template interface holds the configuration parameters you want applied to virtual access interfaces. It is a logical entity configured like a serial interface, is not tied to any physical interface, and is applied dynamically as needed. Virtual access interfaces are cloned from the virtual template interface, used on demand, and freed when no longer needed.

Task 1: Configuring the LNS to Initiate and Receive Calls

To configure the LNS to initiate and receive calls, enter the following commands beginning in global configuration mode:
Task 2: Configuring the Virtual Template Interface

To create and configure a virtual template interface, complete the following steps beginning in global configuration mode:
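The following LAC and LNS pair is an added worked example of the basic configuration described in the two tasks above; it is not reproduced from the original guide. The host names (lac1, lns1), the addresses, the address pool, the local username and the tunnel password are assumed values. The shared tunnel password and the terminate-from hostname line are included so that the LNS accepts a tunnel only from the named LAC after L2TP tunnel authentication, and CHAP is enabled on the virtual template so that the tunneled PPP peer is authenticated before it receives an address.

```cisco
! ---- LAC (NRP acting as L2TP access concentrator) ----
! Added example; names, addresses and secrets are assumed values.
vpdn enable
!
vpdn-group 1
 ! Only sessions for the listed domain are tunneled; anything else
 ! is handled locally on the LAC
 request-dialin
  protocol l2tp
  domain net1.com
 ! LNS address; the tunnel password is shared with the LNS so the
 ! L2TP control connection is challenge/response authenticated
 initiate-to ip 10.1.1.1
 local name lac1
 l2tp tunnel password tunnelsecret
!
! ---- LNS (terminates the tunnel and the tunneled PPP sessions) ----
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 ! Accept tunnels only from a peer that calls itself lac1 and
 ! proves knowledge of the shared tunnel password
 terminate-from hostname lac1
 local name lns1
 l2tp tunnel password tunnelsecret
!
! Task 2: virtual template cloned for every tunneled PPP session
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool lns-pool
 ! CHAP against the local user database (no AAA server in this example)
 ppp authentication chap
!
ip local pool lns-pool 192.168.10.1 192.168.10.254
username alice@net1.com password 0 alicepw
```

Without the terminate-from hostname line the LNS group accepts a tunnel from any LAC that knows the password, and without l2tp tunnel password the control connection is not authenticated at all; both are worth keeping even in a lab configuration.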
Optionally, you can configure other commands for the virtual template interface. For information about configuring virtual template interfaces, see the "Configuring Virtual Template Interfaces" chapter in the "Virtual Templates, Profiles, and Networks" part of the Cisco IOS Dial Technologies Configuration Guide.

Tunnel Service Authorization Enhancements
The tunnel service authorization enhancements enable the LAC to perform static or dynamic tunnel service authorization. A static domain name can be configured on the ATM PVC (directly or through a VC class) to override the domain name supplied by the client, so the tunnel a session is sent to is bound to the PVC rather than to the domain the subscriber puts in its username. If no static domain name is configured, the LAC performs dynamic tunnel service authorization in two steps:

1. Domain preauthorization: the LAC checks the client-supplied domain name against the authorized list configured on the RADIUS server for that PVC. If the check succeeds, the LAC proceeds to tunnel service authorization. If it fails, the LAC attempts PPP authentication and authorization for local termination.

2. Tunnel service authorization: the user profile on the RADIUS server provides the list of domains accessible to the user, which authorizes the tunnel service for the client-supplied domain. If this succeeds, the LAC establishes an L2TP tunnel.

The tunnel service authorization enhancements provide the following benefits:
To configure the tunnel service authorization enhancements, complete the following tasks:
Task 1 (Option 1): Configuring a Static Domain Name—PVC Method

To configure the static domain name directly on the PVC, enter the following commands beginning in global configuration mode:
Example: Configuring a Static Domain Name—PVC Method

The following example shows the static domain names "net1.com" and "net2.com" assigned to PVCs on an ATM interface. All PPP sessions originating from PVC 30/33 are sent to the "net1.com" L2TP tunnel; all PPP sessions originating from PVC 30/34 are sent to the "net2.com" tunnel.

Task 1 (Option 2): Configuring a Static Domain Name—VC Class Method

To configure the static domain name on the VC class, enter the following commands beginning in global configuration mode:
Example: Configuring a Static Domain Name—VC Class Method

In the following example, the static domain name "net.com" is assigned to a VC class, and the VC class is then assigned to the VCs on an ATM subinterface.

Verifying the Static Domain Name

To verify that you successfully configured the static domain name, enter the show running-config EXEC command.

Task 2: Enabling Domain Preauthorization

To enable the LAC to perform domain preauthorization before tunneling, enter the following command in global configuration mode. Dynamic tunnel service authorization requires additional commands for proper communication with the RADIUS server; see the "Task 3: Configuring Communication with the RADIUS Server" section.

Example: Enabling Domain Preauthorization

The following example shows the configuration necessary for the LAC to participate in domain preauthorization:

vpdn authorize domain
Verifying Domain Preauthorization

To check that you successfully enabled domain preauthorization, enter the show running-config EXEC command.

Task 3: Configuring Communication with the RADIUS Server

To enable the LAC to communicate properly with the RADIUS server for tunnel service authorization, complete the following steps beginning in global configuration mode:
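The following LAC configuration is an added example that ties Task 2 and Task 3 together; it is not taken from the original guide. The RADIUS server address and key, the ATM interface and PVC numbers, and the virtual template number are assumed values, and the encapsulation aal5autoppp line on the PVC is an assumed way of binding subscriber PPP sessions to the virtual template on the NRP. The AAA lines are what lets the LAC send the domain preauthorization query (user profile) and the tunnel service query (service profile) to RADIUS; the local keyword on the PPP authentication method list is the fallback used when a session fails preauthorization and is terminated locally.

```cisco
! Added example: LAC side of dynamic tunnel service authorization.
! RADIUS address/key, interface and PVC numbers are assumed values.
vpdn enable
!
! Task 2: check the client-supplied domain against the per-PVC
! authorized list on the RADIUS server before authorizing a tunnel
vpdn authorize domain
!
! Task 3: AAA so the LAC can query RADIUS for the domain
! preauthorization (user profile) and the tunnel service (service profile)
aaa new-model
aaa authentication ppp default group radius local
aaa authorization network default group radius
!
! Use a per-server key and keep it out of any shared/default key
radius-server host 10.9.9.9 auth-port 1645 acct-port 1646
radius-server key radiuskey
!
! Subscriber PVC (assumption: aal5autoppp binds the incoming PPP
! session to Virtual-Template1 on the NRP)
interface ATM0/0/0.33 point-to-point
 pvc 30/33
  encapsulation aal5autoppp Virtual-Template1
!
! Used only for sessions that fail preauthorization and terminate locally
interface Loopback0
 ip address 10.8.8.8 255.255.255.255
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp authentication chap
```

If the RADIUS server is unreachable, aaa authorization network has no local fallback here, so no tunnel is authorized and the session falls through to local PPP authentication; that is the safer failure mode for a LAC that should never tunnel an unauthorized domain.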
Example: Configuring Communication with the RADIUS Server

The following example shows the configuration necessary for the LAC to participate in tunnel service authorization:

Verifying the Communication with the RADIUS Server Configuration

To check that you successfully configured the LAC to communicate properly with the RADIUS server for tunnel service authorization, enter the show running-config EXEC command.

Task 4: Configuring the RADIUS User Profile for Domain Preauthorization

To enable domain preauthorization, enter the following configuration in the user profile on the RADIUS server:
Example: Configuring the RADIUS User Profile for Domain Preauthorization

The following example shows a domain preauthorization RADIUS user profile:

Verifying the RADIUS User Profile for Domain Preauthorization

To verify the RADIUS user profile, refer to the user documentation for your RADIUS server.

Task 5: Configuring the RADIUS Service Profile for Tunnel Service Authorization

To enable tunnel service authorization, use the following configuration in the service profile on the RADIUS server:
Example: Configuring the RADIUS Service Profile for Tunnel Service Authorization

The following example shows a tunnel service authorization RADIUS service profile:

Verifying the RADIUS Service Profile for Tunnel Service Authorization

To verify the RADIUS service profile, refer to the user documentation for your RADIUS server.

Sessions per Tunnel Limiting

This feature enables the initiate-to command to limit the number of sessions per L2TP tunnel. Choose one of the following methods to configure it.

Option 1: Configuring Sessions per Tunnel Limiting on the LAC

To limit the number of sessions per tunnel without using a RADIUS server, complete the following steps on the NRP-LAC beginning in global configuration mode:
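The following VPDN group is an added example of Option 1, not the guide's own configuration. It uses the limit keyword of initiate-to to cap each tunnel at 40 sessions and the priority keyword to express the same two-level LNS selection that the RADIUS vpdn:ip-addresses attribute expresses with a slash: new sessions are spread across the priority 1 LNSs, and the priority 2 LNS is used only when no priority 1 tunnel can be established. The addresses, host name and tunnel password are assumed values.

```cisco
! Added example: per-tunnel session limits configured on the LAC.
! Addresses, names and the password are assumed values.
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain net1.com
 ! Up to three tunnels. Sessions are distributed over the two
 ! priority 1 LNSs; 10.3.3.3 is tried only if neither of them
 ! can be reached. No tunnel carries more than 40 sessions.
 initiate-to ip 10.1.1.1 limit 40 priority 1
 initiate-to ip 10.2.2.2 limit 40 priority 1
 initiate-to ip 10.3.3.3 limit 40 priority 2
 local name lac1
 l2tp tunnel password tunnelsecret
```

After a few sessions have come up, show vpdn tunnel lists each tunnel with its session count; none of them should exceed the configured limit of 40.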
Example: Configuring Sessions per Tunnel Limiting on the LAC

In the following example, the LAC initiates up to three tunnels. Each tunnel is limited to 40 sessions.

Verifying Sessions per Tunnel Limiting on the LAC

Step 1 Enter the show running-config EXEC command to check that you successfully configured the maximum number of sessions per tunnel.

Step 2 Enter the show vpdn tunnel privileged EXEC command to verify that the number of displayed sessions does not exceed your configured limit.

Option 2: Configuring Sessions per Tunnel Limiting in the RADIUS Service Profile

To use a RADIUS server to limit the number of sessions per tunnel, enter the following Cisco-AVpair attributes in the RADIUS service profile.

VPDN IP Addresses

This attribute specifies the IP addresses of the LNSs that receive the L2TP connections.
Syntax Description

The addresses are listed in priority groups: addresses within a group are separated by spaces, and groups are separated by a slash (/). The LAC distributes new PPP sessions in turn across the tunnels to the addresses in the first group and moves to the next group only if it cannot establish a tunnel to any address in the first.

In the following example, the LAC sends the first PPP session through a tunnel to 10.1.1.1, the second to 10.2.2.2, and the third to 10.3.3.3. The fourth PPP session is again sent through the tunnel to 10.1.1.1, and so forth. If the LAC fails to establish a tunnel with any of the IP addresses in the first group, it attempts to connect to those in the second group (10.4.4.4 and 10.5.5.5).

VPDN IP Address Limits

This attribute specifies the maximum number of sessions in each tunnel to the IP addresses listed with the vpdn:ip-addresses attribute.

Syntax Description

The limits are listed in the same order as the addresses in vpdn:ip-addresses and are separated by spaces; the first limit applies to the tunnel to the first address, the second limit to the second address, and so on.
Example: Configuring Sessions per Tunnel Limiting in the RADIUS Service Profile

The following example shows a tunnel service authorization RADIUS service profile with the session limiting entry. IP addresses 10.1.1.1 and 10.2.2.2 are assigned priority 1; IP addresses 10.3.3.3 and 10.4.4.4 are assigned priority 2. Tunnels to 10.1.1.1 are limited to 100 sessions, tunnels to 10.2.2.2 to 200 sessions, tunnels to 10.3.3.3 to 300 sessions, and tunnels to 10.4.4.4 to 400 sessions.

9,1="vpdn:ip-addresses=10.1.1.1 10.2.2.2/10.3.3.3 10.4.4.4"
9,1="vpdn:ip-address-limits=100 200 300 400 "
Verifying Sessions per Tunnel Limiting in the RADIUS Service Profile

To verify the RADIUS service profile, refer to the user documentation for your RADIUS server.

Tunnel Sharing

This feature enables sessions that are authorized with different domains to share the same tunnel. Tunnel sharing reduces the number of tunnels required from the LAC; when used with the L2TP Tunnel Switching feature, it also reduces the number of tunnels to an LNS. Besides simplifying tunnel management, tunnel sharing reduces the number of tunnel establishment messages sent after an interface dropout, which shortens dropout recovery time. Tunnel sharing configuration consists of the following tasks:

Task 1: Configuring Tunnel Sharing on the LAC

To implement the tunnel sharing feature, complete the following steps on the NRP-LAC beginning in global configuration mode:
Example: Configuring Tunnel Sharing on the LAC

In the following example, all sessions that are locally authorized through VPDN group 1 are sent through the same tunnel to 10.1.1.1.

Verifying Tunnel Sharing Configuration on the LAC

Enter the show running-config EXEC command to check that you successfully enabled the tunnel sharing feature.

Task 2: Configuring Tunnel Sharing in the RADIUS Service Profile

To implement the tunnel sharing feature, enter the following Cisco-AVpair attributes in the RADIUS service profile.

VPDN Group

This attribute specifies the group to which the service belongs. All services with matching group names are considered members of the same VPDN group.
Tunnel Share

This attribute indicates that the tunnel sharing feature is enabled for the service.
Syntax Description

This attribute has no arguments or keywords.

Example: Configuring Tunnel Sharing in the RADIUS Service Profile

In the following example, both the net1.com and net2.com services are members of the "group1" VPDN group. With tunnel sharing enabled in both service profiles, the sessions for net1.com and net2.com are combined and sent through the same tunnels.

9,1="vpdn:vpdn-group=group1"
9,1="vpdn:tunnel-share=yes"
9,1="vpdn:vpdn-group=group1"
9,1="vpdn:tunnel-share=yes"
Verifying the Tunnel Sharing Configuration in the RADIUS Service Profile

To verify the RADIUS service profile, refer to the user documentation for your RADIUS server.

Tunnel Switching
The L2TP Tunnel Switching feature enables the NRP to terminate tunnels from LACs and forward the sessions through new L2TP tunnels that are selected independently of the client-supplied domains. The NRP acting as a tunnel switch performs VPDN tunnel authorization based on the ingress tunnel names, which are mapped to specified LNSs. Tunnel switching provides the following benefits:

Figure 2-1 shows an example network topology using the L2TP Tunnel Switching feature.

Figure 2-1 Example Network Topology Using the L2TP Tunnel Switching Feature
To configure the L2TP Tunnel Switching feature, complete the following tasks:
Task 1: Enabling VPDN and Multihop Functionality

To use the L2TP Tunnel Switching feature, you must first enable VPDN and multihop capabilities by entering the following commands in global configuration mode:

Verifying VPDN and Multihop Functionality

To verify that you enabled VPDN and multihop functionality, enter the show running-config EXEC command.

Task 2: Terminating the Tunnel from the LAC

To terminate the tunnel from the LAC, enter the following commands beginning in global configuration mode:
Verifying Termination of the Tunnel from the LAC

To verify that you successfully configured the tunnel switch to terminate tunnels from the LAC, enter the show running-config EXEC command.

Task 3: Mapping the Ingress Tunnel Name to an LNS

To map the ingress tunnel name to an LNS, complete the following steps beginning in global configuration mode:
Verifying the Ingress Tunnel Name to LNS Map

To verify that you successfully mapped the ingress tunnel name to the LNS, enter the show running-config EXEC command.

Task 4: Performing VPDN Tunnel Authorization Searches by Ingress Tunnel Name

To specify how VPDN tunnel authorization searches are performed, enter the following command in global configuration mode:
Verifying VPDN Tunnel Authorization Searches by Ingress Tunnel Name

To verify that you successfully configured the tunnel switch to perform VPDN tunnel authorization searches by ingress tunnel name, enter the show running-config EXEC command.

Comprehensive Example: L2TP Tunnel Switching Configurations

The examples in this section show the configurations necessary for the basic L2TP tunnel switch topology shown in Figure 2-2. In this topology, a tunnel switch terminates tunnels from two LACs and forwards all the sessions through one tunnel to the LNS.

Figure 2-2 Example L2TP Tunnel Switch Topology
This section provides the following configuration examples:

Example: LAC-1 Configuration

In the following example, LAC-1 performs tunnel authorization based on domain name and initiates a tunnel to the L2TP tunnel switch:

Example: LAC-2 Configuration

In the following example, LAC-2 also performs tunnel authorization based on domain name and initiates a tunnel to the L2TP tunnel switch:

Example: L2TP Tunnel Switch Configuration

In the following example, the NRP is configured as an L2TP tunnel switch. VPDN groups 1 and 2 terminate the tunnels from the LACs. VPDN group 11 initiates the tunnel to the LNS and performs tunnel authorization based on the configured ingress tunnel name.

Example: LNS Configuration

In the following example, the LNS terminates the tunnel from the L2TP tunnel switch:
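The following four configurations are an added worked example for the Figure 2-2 topology (two LACs, one tunnel switch, one LNS), written for this section rather than copied from the guide. All host names, addresses and tunnel passwords are assumed values. The multihop hostname line under request-dialin and the multihop-hostname keyword of vpdn search-order are assumed to be the command forms behind Tasks 3 and 4 above. Two different tunnel passwords are used so that the LAC-facing and LNS-facing control connections do not share a secret, and the LNS restricts ingress to the tunnel switch by host name.

```cisco
! ---- LAC-1 (LAC-2 is identical except for local name lac2) ----
! Added example for Figure 2-2; names, addresses and secrets are assumed.
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain net1.com
 ! The tunnel switch, not the LNS, is this LAC's tunnel peer
 initiate-to ip 10.2.2.2
 local name lac1
 l2tp tunnel password lacsecret
!
! ---- L2TP tunnel switch (NRP) ----
vpdn enable
! Task 1: allow a session received in one tunnel to be forwarded into another
vpdn multihop
!
! Task 2: terminate the ingress tunnels, one group per LAC
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname lac1
 local name switch
 l2tp tunnel password lacsecret
!
vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname lac2
 local name switch
 l2tp tunnel password lacsecret
!
! Task 3: every session whose ingress tunnel came from lac1 or lac2 is
! switched into the single tunnel to the LNS, whatever the client domain
vpdn-group 11
 request-dialin
  protocol l2tp
  multihop hostname lac1
  multihop hostname lac2
 initiate-to ip 10.3.3.3
 local name switch
 l2tp tunnel password lnssecret
!
! Task 4: look up tunnel authorization by ingress tunnel name first
vpdn search-order multihop-hostname domain dnis
!
! Clone source required by accept-dialin; kept minimal because the
! switch is not meant to terminate sessions (see the Tunnel Switching restriction)
interface Virtual-Template1
 no ip address
!
! ---- LNS ----
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 ! Accept the tunnel only from the switch, not directly from the LACs
 terminate-from hostname switch
 local name lns
 l2tp tunnel password lnssecret
 ! Required on the LNS by the multihop restriction noted above
 lcp renegotiation always
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.255
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool lns-pool
 ppp authentication chap
!
ip local pool lns-pool 192.168.20.1 192.168.20.254
```

On the switch, show vpdn tunnel should list three tunnels (two inbound from the LACs, one outbound to the LNS) and every session on the inbound tunnels should also appear on the outbound one; a session that shows up only on an inbound tunnel was terminated locally, which the Tunnel Switching restriction forbids when RADIUS service profiles are in use.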