Cisco IOS Software Releases 12.2 Special and Early Deployments

VPDN Multihop by DNIS


The Cisco VPDN Multihop by DNIS feature allows dialed number identification service (DNIS)-based multihop capability in a virtual private dial-up network (VPDN), which enables customers that dial in to a network using a standard telephone line to take advantage of the aggregation capability offered by multihop switching.

Feature Specifications for VPDN Multihop by DNIS

Feature History

Release      Modification
12.2(8)B     This feature was introduced.
12.2(13)T    This feature was migrated to Cisco IOS Release 12.2(13)T.

Supported Platforms

The VPDN Multihop by DNIS feature is platform independent. Use Feature Navigator to determine the feature set needed to obtain this feature.


Determining Platform Support Through Cisco Feature Navigator

Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.

Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.

To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:

http://www.cisco.com/go/fn

Availability of Cisco IOS Software Images

Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or Cisco Feature Navigator.

Contents

Prerequisites for VPDN Multihop by DNIS

Restrictions for VPDN Multihop by DNIS

Information About VPDN Multihop by DNIS

How to Configure the VPDN Multihop Tunnel Switch

Configuration Examples for VPDN Multihop by DNIS

Additional References

Command Reference

Glossary

Prerequisites for VPDN Multihop by DNIS

No new configuration commands are introduced by the VPDN Multihop by DNIS feature. The configuration required for the VPDN multihop support of DNIS is already supported by the existing Cisco IOS software commands. For VPDN multihop support of DNIS to take effect, you need a VPDN subsystem. Use the show subsystem name * EXEC command to check that this subsystem is supported on your router.

This document assumes that you are familiar with VPDN technology, and have a VPDN already configured and enabled that has been shown to support basic VPDN dialup between a client and an L2TP access concentrator (LAC). See the documents listed in the section "Additional References" for more information about VPDNs.

The VPDN Multihop by DNIS feature is enabled by adding the configuration for both a LAC and L2TP network server (LNS) on a router configured as a tunnel switch (also called a multihop node). See the configurations in the section "Configuration Examples for VPDN Multihop by DNIS" for examples.

Restrictions for VPDN Multihop by DNIS

The VPDN Multihop by DNIS feature requires that the LAC send the DNIS string to the tunnel switch. Currently, this functionality is supported only by Layer 2 Forwarding (L2F) and the Layer 2 Tunneling Protocol (L2TP). These two protocols are not required to send the DNIS string but often do during session setup, and Cisco LACs always send the DNIS string during session setup. However, if a LAC does not send the DNIS string, the multihop node supports only tunnel switching based on domain and multihop host name.

Information About VPDN Multihop by DNIS

To configure the VPDN Multihop by DNIS feature, you need to understand the following concepts:

VPDN Basics

VPDN Multihop

VPDN Multihop by DNIS

VPDN Basics

A VPDN carries private data over a public network, and extends remote access to users over a shared infrastructure. VPDNs maintain the same security and management policies as a private network, and provide a cost-effective method of establishing a point-to-point connection between remote users and a central network.

VPDNs allow separate and autonomous protocol domains to share common access infrastructure including modems, access servers, and ISDN routers. VPDNs, therefore, delegate much of the responsibility associated with network infrastructure. The customer outsources the responsibility for the infrastructure to an Internet service provider (ISP) that maintains the modems that the remote users dial in to (called modem pools), the access servers, and the internetworking expertise. The customer is then responsible only for authenticating its users and maintaining its network.

As an added benefit, instead of connecting directly to the network using the plain old telephone service (POTS), which can be expensive, VPDN users need only use the POTS to connect to an ISP local point of presence (POP). The ISP then uses the Internet to forward users from the POP to the customer network. Forwarding a user call over the Internet provides dramatic cost savings for the customer.

VPDNs use Layer 2 tunneling and forwarding technologies to create a virtual point-to-point connection between users and the customer network. These tunneling technologies provide the same direct connectivity as the expensive POTS, but do so by using the Internet, which means that users anywhere in the world have the same connectivity as they would at the customer headquarters.

Figure 1 shows the PPP link that runs between a client (the user hardware and software) and the tunnel server (LNS).

Figure 1 End-to-End Access VPDN Protocol Flow: L2F or L2TP, PPP, and IP

Using either L2F or L2TP, an ISP or other access service can create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server (NAS) at the ISP POP exchanges PPP messages with the remote users and communicates by L2F or L2TP requests and responses with the customer tunnel server to set up tunnels. L2F and L2TP pass protocol-level packets through the virtual tunnel between endpoints of a point-to-point connection.

Frames from the remote users are accepted by the ISP POP, stripped of any linked framing or transparency bytes, encapsulated in L2F or L2TP, and then forwarded over the appropriate tunnel. The customer tunnel server accepts these frames, strips the Layer 2 encapsulation, and processes the incoming frames for the appropriate interface.

VPDN Multihop

The VPDN multihop feature allows a router configured as a tunnel switch to terminate tunnels from LACs and forward the sessions through multiple (up to four), newly established L2TP tunnels. The tunnels are selected using client-supplied matching criteria.

Figure 2 shows a basic VPDN multihop network configuration.

Figure 2 VPDN Multihop

Versions of Cisco IOS software prior to Cisco IOS Release 12.2(8)B support L2TP tunnel switching using only a user domain name or a remote tunnel name as the matching criteria.

VPDN Multihop by DNIS

The VPDN Multihop by DNIS feature adds a telephone number to the matching criteria for the tunnel switch. The tunnel switch can perform VPDN tunnel authorization based on a DNIS (a called telephone number), a user domain name, or ingress tunnel domain names that are mapped to specified LNSs. (The order in which the client-supplied matching criteria are searched by the Cisco IOS software is determined by the vpdn search-order global configuration command.)

Figure 3 shows an example network topology using the VPDN Multihop by DNIS feature.

Figure 3 Example Network Topology Using the VPDN Multihop by DNIS Tunnel Switching Feature

The VPDN Multihop by DNIS feature extends the aggregation capability of multihop switching to dialup users who connect to the Internet over the POTS, by supporting telephone numbers (DNIS) as a matching criterion for forwarding sessions through L2TP tunnels. This feature, therefore, offers service providers expanded connection services and more flexibility in how their network traffic is directed.

How to Configure the VPDN Multihop Tunnel Switch

To configure a tunnel switch (or multihop node) that supports the VPDN Multihop by DNIS feature, you need to configure a tunnel switch that contains both the LNS and LAC portions of the VPDN. Use the following commands:

SUMMARY STEPS

1. enable

2. configure {terminal | memory | network}

3. username {local-name | remote-hostname} password secret

4. vpdn enable

5. vpdn multihop

6. vpdn-group name

7. vpdn-group subcommands (accept-dialin and terminate-from for the incoming portion of the tunnel switch, and request-dialin and initiate-to for the outgoing portion, for example)

8. vpdn search-order {dnis | multihop-hostname | domain} (optional step that should be executed only when it is necessary to change the default search order)

DETAILED STEPS

1. Enable VPDN and VPDN multihop

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables higher privilege levels, such as privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure {terminal | memory | network}

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

username remote-hostname password secret

Example:

Router(config)# username LAC-1 password <secret>

Configures the secret (a password). Must match the secret word configured on the LAC.

Step 4 

username local-name password secret

Example:

Router(config)# username Multi-Hop password <secret>

Configures the secret (password). Must match the secret word configured in Step 3.

Step 5 

vpdn enable

Example:

Router(config)# vpdn enable

Enables virtual private dialup networking on the router.

Step 6 

vpdn multihop

Example:

Router(config)# vpdn multihop

Enables VPDN multihop functionality.


2. Configure the Incoming (LNS) Portion of the Tunnel Switch

 
Command or Action
Purpose

Step 7 

vpdn-group number

Example:

Router(config)# vpdn-group 1

Selects the VPDN group.

Step 8 

accept-dialin

Example:

Router(config-vpdn)# accept-dialin

Enables the tunnel switch to accept incoming L2TP tunnel connections and enters VPDN accept-dialin group configuration mode.

Step 9 

protocol l2tp/l2f

Example:

Router(config-vpdn-acc-in)# protocol l2tp

Specifies L2TP and L2F.

Step 10 

virtual-template number

Example:

Router(config-vpdn-acc-in)# virtual-template 1

Specifies the virtual template interface to use to clone the new virtual access interface.

Step 11 

exit

Example:

Router(config-vpdn-acc-in)# exit

Returns to VPDN group configuration mode.

Step 12 

terminate-from hostname hostname

Example:

Router(config-vpdn)# terminate-from hostname LAC-1

Specifies the host name of the remote LAC that will be required when accepting a VPDN tunnel.

Must match the remote-hostname configured in Step 3.

Step 13 

local name local-name

Example:

Router(config-vpdn)# local name Multi-Hop

Specifies the local host name of the tunnel.

Must match the local-name configured in Step 4.

Step 14 

exit

Example:

Router(config-vpdn)# exit

Returns to global configuration mode.


3. Configure the Outgoing (LAC) Portion of the Tunnel Switch

 
Command
Purpose

Step 15 

vpdn-group number

Example:

Router(config)# vpdn-group 2

Selects the VPDN group.

Step 16 

request-dialin

Example:

Router(config-vpdn)# request-dialin

Enables the tunnel switch to request L2TP tunnels to the LNS and enters VPDN request-dialin group configuration mode.

Step 17 

protocol l2tp/l2f

Example:

Router(config-vpdn-req-in)# protocol l2tp/l2f

Specifies L2TP and L2F.

Step 18 

dnis telephone-number

Example:

Router(config-vpdn-req-in)# dnis 5555555

Initiates a tunnel based on the user DNIS number.

Step 19 

exit

Example:

Router(config-vpdn-req-in)# exit

Returns to VPDN group configuration mode.

Step 20 

initiate-to ip ip-address [limit limit-number]
[priority priority-number]

Example:

Router(config-vpdn)# initiate-to ip 10.10.1.1

Specifies the LNS.

Optionally specifies the maximum number of sessions per tunnel and the priority of the IP address (1 is highest).

Step 21 

local name local-name

Example:

Router(config-vpdn)# local name Multi-Hop

Specifies the local host name of the tunnel.

Must match the local-name configured in Step 4.

Step 22 

exit

Example:

Router(config-vpdn)# exit

Returns to global configuration mode.

4. Changing the Default Search Order (Optional)

 
Command
Purpose

Step 23 

vpdn search-order {dnis | domain | multihop-hostname}

Example:

Router(config)# vpdn search-order dnis multihop-hostname domain

(Optional) Specifies the policy for the VPDN group search order. By default, the search is first by DNIS, then domain name, and finally the ingress tunnel domain name mapped to a specified LNS.

Step 24 

exit

Example:

Router(config)# exit

Exits global configuration mode.


Verify VPDN Multihop by DNIS

To verify that the VPDN Multihop by DNIS feature is working, perform the following optional steps:

SUMMARY STEPS

1. Make a call using the DNIS

2. enable

3. show vpdn

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables higher privilege levels, such as privileged EXEC mode.

Enter your password if prompted.

Step 2 

show vpdn

Example:

Router# show vpdn

(Optional) Displays information about active L2F tunnels and message identifiers in a VPDN.

Troubleshooting Tips

The configuration commands in the previous sections should be entered on an operational VPDN. See the section "Prerequisites for VPDN Multihop by DNIS" for information about configuring and troubleshooting a VPDN.

If the call is not successful, enter the debug vpdn l2x-packet EXEC command to display the dialog between the LAC and LNS for tunnel creation. Check for the attribute-value pair (AVP), which will have the DNIS number in it, when using L2TP. When using L2F, check the CLID/DNIS pair for the telephone number.

Configuration Examples for VPDN Multihop by DNIS

This section provides the following configuration examples to match the configuration tasks identified in the previous section.

VPDN Multihop by DNIS Example

Verify VPDN Multihop by DNIS Example

VPDN Multihop by DNIS Example

The following example shows how to configure both the LAC and LNS in a tunnel switch, so that the VPDN Multihop by DNIS feature will work:

vpdn multihop

vpdn-group 1
 accept-dialin
  protocol l2tp/l2f
  virtual-template 1
 terminate-from hostname LAC-1
 local name Multi-Hop

vpdn-group 2
 request-dialin
  protocol l2tp/l2f
  dnis 5555555
 initiate-to ip 10.10.1.1
 local name Multi-Hop

The policy for VPDN group search order is determined by the vpdn search-order global configuration command. The default search order is based on DNIS, domain, and then the multihop host name.
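The detailed steps tie several names together: the terminate-from hostname must match the username from Step 3, and each local name must match the username from Step 4. The following Python check is an added example, not Cisco code; it audits a tunnel-switch configuration for those cross-references and for the two global commands. The sample configuration is the page's example with the username and vpdn enable lines from the steps added, and the secret is a placeholder.

```python
# Constructed input: the page's tunnel-switch example plus the username lines
# from Steps 3-4 and "vpdn enable" from Step 5. The secret is a placeholder.
GOOD_CONFIG = """\
username LAC-1 password EXAMPLE-SECRET
username Multi-Hop password EXAMPLE-SECRET
vpdn enable
vpdn multihop
!
vpdn-group 1
 accept-dialin
  protocol l2tp/l2f
  virtual-template 1
 terminate-from hostname LAC-1
 local name Multi-Hop
vpdn-group 2
 request-dialin
  protocol l2tp/l2f
  dnis 5555555
 initiate-to ip 10.10.1.1
 local name Multi-Hop
"""
# The same configuration with three constructed mistakes.
BAD_CONFIG = (GOOD_CONFIG.replace("vpdn multihop\n", "")
              .replace("hostname LAC-1", "hostname LAC-2")
              .replace(" initiate-to ip 10.10.1.1\n", ""))

# vpdn-group subcommands whose third word is a name or address we track.
REFS = ("initiate-to ip", "terminate-from hostname", "local name")


def parse(config):
    """Collect usernames, global VPDN commands and per-group settings."""
    usernames, global_cmds, groups, group = set(), set(), {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        line = " ".join(words)
        if raw[0].isspace() and group is not None:    # vpdn-group subcommand
            if line in ("accept-dialin", "request-dialin"):
                group["role"] = line
            elif words[0] in ("dnis", "domain") and len(words) > 1:
                group["match"].append(line)
            elif " ".join(words[:2]) in REFS and len(words) > 2:
                group[" ".join(words[:2])].append(words[2])
            continue
        group = None                                  # back at global level
        if words[0] == "username" and words[2:3] == ["password"]:
            usernames.add(words[1])
        elif line in ("vpdn enable", "vpdn multihop"):
            global_cmds.add(line)
        elif words[0] == "vpdn-group" and len(words) == 2:
            group = groups.setdefault(words[1], {
                "role": None, "match": [], **{k: [] for k in REFS}})
    return usernames, global_cmds, groups


def audit(config):
    """Return findings for the cross-references the steps call out."""
    usernames, global_cmds, groups = parse(config)
    out = [f"missing global command: {c}"
           for c in ("vpdn enable", "vpdn multihop") if c not in global_cmds]
    roles = {g["role"] for g in groups.values()}
    for role, part in (("accept-dialin", "LNS"), ("request-dialin", "LAC")):
        if role not in roles:
            out.append(f"no vpdn-group with {role} ({part} portion)")
    for name, g in groups.items():
        # Steps 12, 13 and 21: these names must match a username entry.
        for key in ("terminate-from hostname", "local name"):
            out += [f"vpdn-group {name}: no username entry for {key} {h}"
                    for h in g[key] if h not in usernames]
        if g["role"] == "request-dialin" and not (g["match"] and g["initiate-to ip"]):
            out.append(f"vpdn-group {name}: needs a dnis/domain match and an initiate-to")
    return out
```

Calling audit(GOOD_CONFIG) returns an empty list; audit(BAD_CONFIG) returns one finding for each of the three constructed mistakes.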

Verify VPDN Multihop by DNIS Example

The following example shows the tunnel and session reports from the show vpdn EXEC command:

Router# show vpdn

L2TP Tunnel and Session Information Total tunnels 2 sessions 2

LocID RemID Remote Name   State  Remote Address  Port  Sessions VPDN Group
785   7059  Router1      est    1.1.1.1         1701  1        2              

LocID RemID TunID Intf          Username               State  Last Chg
28    15    785   SSS Circuit   gomer@l2tp.com         est    00:01:31

LocID RemID Remote Name   State  Remote Address  Port  Sessions VPDN Group
7718  57428 Router5      est    1.1.4.5         1701  1        3              

LocID RemID TunID Intf          Username               State  Last Chg
29    15    7718  SSS Circuit   27                     est    00:01:31

%No active L2F tunnels

%No active PPTP tunnels

%No active PPPoE tunnels
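The report above can be checked mechanically when verifying a tunnel switch. The following Python parser is an added example, not Cisco code; it reads the L2TP part of the show vpdn output shown on this page, nests each session under its tunnel, and flags anything that is not established. It assumes both legs of the switched call are L2TP, as in the sample, so two tunnels are expected.

```python
import re

# Output copied from the "Verify VPDN Multihop by DNIS Example" on this page.
SHOW_VPDN = """\
L2TP Tunnel and Session Information Total tunnels 2 sessions 2

LocID RemID Remote Name   State  Remote Address  Port  Sessions VPDN Group
785   7059  Router1      est    1.1.1.1         1701  1        2

LocID RemID TunID Intf          Username               State  Last Chg
28    15    785   SSS Circuit   gomer@l2tp.com         est    00:01:31

LocID RemID Remote Name   State  Remote Address  Port  Sessions VPDN Group
7718  57428 Router5      est    1.1.4.5         1701  1        3

LocID RemID TunID Intf          Username               State  Last Chg
29    15    7718  SSS Circuit   27                     est    00:01:31

%No active L2F tunnels
"""


def parse_show_vpdn(text):
    """Return (declared_totals, tunnels); sessions are nested per tunnel."""
    totals, tunnels, mode = None, {}, None
    for line in text.splitlines():
        words = line.split()
        m = re.search(r"Total tunnels (\d+) sessions (\d+)", line)
        if m:
            totals = (int(m.group(1)), int(m.group(2)))
        elif line.startswith("LocID RemID Remote Name"):
            mode = "tunnel"
        elif line.startswith("LocID RemID TunID"):
            mode = "session"
        elif not words or line.startswith("%"):
            continue
        elif mode == "tunnel" and len(words) == 8:
            loc, _rem, name, state, addr, _port, nsess, group = words
            tunnels[loc] = {"remote": name, "state": state, "address": addr,
                            "sessions_declared": int(nsess),
                            "vpdn_group": group, "sessions": []}
        elif mode == "session" and len(words) >= 7:
            # The Intf column may contain spaces ("SSS Circuit"), so take the
            # first three and last three fields and join what is in between.
            tun_id, (user, state, _age) = words[2], words[-3:]
            if tun_id in tunnels:
                tunnels[tun_id]["sessions"].append(
                    {"intf": " ".join(words[3:-3]), "user": user, "state": state})
    return totals, tunnels


def problems(text):
    """Findings that suggest the switched call is not fully established."""
    totals, tunnels = parse_show_vpdn(text)
    parsed = (len(tunnels), sum(len(t["sessions"]) for t in tunnels.values()))
    found = []
    if totals != parsed:
        found.append(f"header reports {totals}, rows show {parsed}")
    if len(tunnels) < 2:   # assumption: ingress and egress legs are both L2TP
        found.append("fewer than two L2TP tunnels listed")
    for loc, t in tunnels.items():
        states = [t["state"]] + [s["state"] for s in t["sessions"]]
        if any(s != "est" for s in states):
            found.append(f"tunnel {loc}: not everything is est: {states}")
        if len(t["sessions"]) != t["sessions_declared"]:
            found.append(f"tunnel {loc}: session count mismatch")
    return found
```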

Additional References

For additional information related to VPDN Multihop by DNIS, refer to the following references:

Related Documents

Related Topic     Document Title
Dial commands     Cisco IOS Dial Technologies Command Reference, Release 12.2
VPDN              Cisco IOS Dial Technologies Configuration Guide, Release 12.2; see the part "Virtual Templates, Profiles, and Networks."
L2TP tunneling    "Layer 2 Tunnel Protocol"
VPDN multihop     "Multihop VPDN"
                  "Configuring L2TP Multihop to Perform Several Hops from the NAS to the LNS"


Standards

Standards
Title

None


MIBs

MIBs
MIBs Link

None

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

RFCs

RFCs
Title

None


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, tools, and lots more. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents a modified command, vpdn multihop. All other commands used with this feature are documented in the Cisco IOS Release 12.2 and 12.2T command reference publications.

vpdn multihop

To enable virtual private dialup network (VPDN) multihop, use the vpdn multihop command in global configuration mode. To disable VPDN multihop capability, use the no form of this command.

vpdn multihop

no vpdn multihop

Syntax Description

This command has no arguments or keywords.

Defaults

Multihop capability is not enabled.

Command Modes

Global configuration

Command History

Release      Modification
11.3(5)T     This command was introduced.
12.2(8)B     Support was added for dialed number identification service (DNIS)-based multihop capability.
12.2(13)T    The DNIS-based multihop capability was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

The VPDN multihop feature allows a router configured as a tunnel switch to terminate tunnels from Layer 2 access concentrators (LACs) and forward the sessions through up to four newly established Layer 2 Tunneling Protocol (L2TP) tunnels. The tunnels are selected using client-supplied matching criteria. Versions of Cisco IOS software prior to Cisco IOS Release 12.2(8)B support L2TP tunnel switching using only a user domain name or a remote tunnel name as the matching criterion.

The dialed number identification service (DNIS)-based multihop capability added a telephone number to the matching criteria for the tunnel switch. The tunnel switch can perform VPDN tunnel authorization based on a DNIS (a called telephone number), a user domain name, or ingress tunnel domain names that are mapped to specified L2TP network servers (LNSs). The order in which the client-supplied matching criteria are searched by the Cisco IOS software is determined by the vpdn search-order global configuration command.

Before using the vpdn multihop command, refer to the Cisco IOS Dial Technologies Configuration Guide, Release 12.2, to learn more about Multilink PPP and Multichassis Multilink PPP.

Examples

The following example shows how to configure the Cisco Multihop VPDN feature:

!
vpdn enable
vpdn multihop
vpdn search-order domain
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain cisco.com
 initiate-to ip 172.22.53.144 priority 1
 initiate-to ip 172.22.53.145 priority 1
!
l2tp tunnel password 7 secret
!

The following example shows how to configure DNIS-based multihop capability:

!
vpdn enable
vpdn multihop
!
vpdn-group 1
 accept-dialin
  protocol l2tp/l2f
  virtual-template 1
 terminate-from hostname LAC-1
 local name Multi-Hop
 
vpdn-group 2
 request-dialin
  protocol l2tp/l2f
  dnis 5555555
 initiate-to ip 10.10.1.1
 local name Multi-Hop
!
 

The following example shows a configuration where a packet traverses a VPDN tunnel over a service provider link, and then a second tunnel by traversing a hop between home gateways on the corporate network. The bundle owner is Home-Gateway1 and the stack group peer, Home-Gateway2, is specified as a peer (1.1.1.2).

vpdn multihop
username stack password hellothere
multilink virtual-template 1

sgbp group stack
sgbp member Home-Gateway2 1.1.1.2

interface virtual-template 1
 ip unnumbered e0
 ppp multilink
 ppp auth chap

Related Commands

Command              Description
vpdn enable          Enables VPDN networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is present.
vpdn-group           Associates a VPDN group to a customer or VPDN profile.
vpdn search-order    Specifies how the service provider's network access server is to perform VPDN tunnel authorization searches.


Glossary

CLID—calling line ID. Information about the billing telephone number from which a call originated. The CLID value might be the entire phone number, the area code, or the area code plus the local exchange.

DNIS—dialed number identification service (the called party number). Typically, this is a number used by call centers or a central office where different numbers are each assigned to a specific service.

LAC—L2TP access concentrator. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP network server (LNS). The LAC sits between an LNS and a remote system and forwards packets to and from each. Packets sent from the LAC to the LNS require tunneling with the L2TP protocol. The connection from the LAC to the remote system is either local or a PPP link.

LNS—L2TP network server. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP access concentrator (LAC). The LNS is the logical termination point of a PPP session that is being tunneled from the remote system by the LAC.

NAS—network access server. A device providing local network access to users across a remote access network such as the POTS. A NAS can also serve as a LAC, LNS, or both.

VPDN—virtual private dial-up network. Also known as virtual private dial network. A VPDN is a network that permits the physical dialup connection to appear to be connected directly to a home network while actually residing elsewhere on the network. A virtual pipe is connected between the physical dialup connections and the termination point at the home network.


Note: Refer to Internetworking Terms and Acronyms for terms not included in this glossary.