
Table of Contents

Layer 2 Tunnel Protocol
Restrictions
Basic LAC Configuration
Basic LNS Configuration
Tunnel Service Authorization Enhancements
Sessions per Tunnel Limiting
Tunnel Sharing
Tunnel Switching

Layer 2 Tunnel Protocol


This chapter provides tasks and restrictions for Layer 2 tunnel protocol (L2TP) features supported by the Cisco 6400 in Cisco IOS Release 12.3.

This chapter only describes tasks that are specific to the Cisco 6400 and supplements the following documentation:

Provides general L2TP overview, configuration, verification, monitoring, and troubleshooting information.

This chapter includes the following sections: Restrictions, Basic LAC Configuration, Basic LNS Configuration, Tunnel Service Authorization Enhancements, Sessions per Tunnel Limiting, Tunnel Sharing, and Tunnel Switching.

See the "Supported Features" chapter for additional documentation on L2TP features.

Restrictions

L2TP Tunnel Service Authorization Feature Restriction

Static tunnel service authorization does not support switched virtual channels (SVCs).

L2TP Tunnel Switching Feature Restriction

When using a RADIUS service profile for tunnel service authorization, the NRP configured as an L2TP tunnel switch must forward all sessions through L2TP tunnels. The L2TP tunnel switch must not terminate any of the sessions.

L2TP Multihop Feature Restriction

L2TP Multihop by remote tunnel hostname is not supported in Cisco IOS Release 12.2(4)B3.

L2TP Multihop by domain is supported in Cisco IOS Release 12.2(4)B3 with the following required configuration:

Enter the lcp renegotiation always configuration command on the L2TP network server (LNS) vpdn-group.

Basic LAC Configuration

The L2TP access concentrator (LAC) acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP network server (LNS). The LAC sits between an LNS and a remote system and forwards packets to and from each. Packets sent from the LAC to the LNS require tunneling with the L2TP protocol, and the connection from the LAC to the remote system is either local or a PPP link.

Configuring the LAC

Enter the following commands to enable VPDN on a LAC by using L2TP beginning in global configuration mode:

  Command  Purpose 
Step 1 
Router(config)# vpdn enable

Enables VPDN and informs the router to look for tunnel definitions from an LNS.

Step 2 
Router(config)# vpdn group group-number

Defines a local group number identifier for which other VPDN variables can be assigned. Valid group numbers range between 1 and 3000.

Step 3 
Router(config-vpdn)# request-dialin l2tp ip ip-address
{domain domain-name | dnis dialed-number}

Enables the router to request a dial-in tunnel to an IP address if the dial-in user belongs to a specific domain or the dial-in user dialed a specific DNIS.

Basic LNS Configuration

The L2TP network server (LNS) is the termination point for an L2TP tunnel and is a peer to the LAC. The LNS is the logical termination point of a PPP session that is being tunneled from the remote system by the LAC. Basic LNS configuration consists of two tasks: configuring the LNS to initiate and receive calls (Task 1) and configuring the virtual template interface (Task 2).

You can configure the virtual template interface with configuration parameters you want to apply to virtual access interfaces. A virtual template interface is a logical entity configured for a serial interface, is not tied to any physical interface, and is applied dynamically as needed. Virtual access interfaces are cloned from a virtual template interface, used on demand, and then freed when no longer needed.

Task 1: Configuring the LNS to Initiate and Receive Calls

To configure the LNS to initiate and receive calls, enter the following commands beginning in global configuration mode:

  Command  Purpose 
Step 1 
Router(config)# vpdn enable

Enables VPDN on the LNS.

Step 2 
Router(config)# vpdn group group-number

Defines a local group number identifier for which other VPDN variables can be assigned. Valid group numbers range between 1 and 3000.

Step 3 
Router(config-vpdn)# accept dialin l2tp
virtual-template
virtual-template-number
remote remote-peer-name

Allows the LNS to accept an open tunnel request from the specified remote peer and identify the virtual template to use for cloning virtual access interfaces.

Task 2: Configuring the Virtual Template Interface

To create and configure a virtual template interface, complete the following steps beginning in global configuration mode:

  Command  Purpose 
Step 1 
Router(config)# interface virtual-template number

Creates a virtual template interface and enters interface configuration mode.

Step 2 
Router(config-if)# ip unnumbered ethernet 0

Enables IP without assigning a specific IP address on the LAN.

Step 3 
Router(config-if)# encapsulation ppp

Enables PPP encapsulation on the virtual template interface, which will be applied to virtual access interfaces.

Step 4 
Router(config-if)# ppp authentication {pap | chap}

Enables PAP or CHAP authentication on the virtual template interface, which will be applied to virtual access interfaces.

Optionally, you can configure other commands for the virtual template interface. For information about configuring virtual template interfaces, see the "Configuring Virtual Template Interfaces" chapter in the "Virtual Templates, Profiles, and Networks" part of the Cisco IOS Dial Technologies Configuration Guide.

Tunnel Service Authorization Enhancements


Note   Before configuring this feature, see the "Restrictions" section.

The tunnel service authorization enhancements enable the LAC to conduct static or dynamic tunnel service authorization. A static domain name can be configured on the ATM PVC port (directly or through a VC class) to override the domain name supplied by the client. If a static domain name is not configured, the LAC conducts dynamic tunnel service authorization, which includes two steps.

1. Domain Preauthorization—The LAC checks the client-supplied domain name against an authorized list configured on the RADIUS server for each PVC. If successful, the LAC proceeds to tunnel service authorization. If domain preauthorization fails, the LAC attempts PPP authentication/authorization for local termination.

2. Tunnel Service Authorization—The user profile on the RADIUS server provides a list of domains accessible to the user, enabling tunnel service authorization for the client-supplied domain. If successful, the LAC establishes an L2TP tunnel.
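The decision sequence above, modelled as an added Python example that is not part of the Cisco documentation. The RADIUS data is constructed and keyed the way Tasks 4 and 5 below key the user profile (NAS-port username) and the service profile (domain). Two assumptions are labelled in the code: the client-supplied domain is taken after the last "@" of the PPP username, and a domain with no service profile falls back to local termination (the page states that fallback only for the preauthorization step).

```python
# Added example: a model of the LAC's static / dynamic tunnel service
# authorization decision. All data below is constructed for illustration.

# Per-PVC domain lists, keyed by the NAS-port username form used for domain
# preauthorization (nas-port:<NSP IP>:slot/subslot/port/vpi.vci).
PREAUTH_PROFILES = {
    "nas-port:10.9.9.9:0/0/0/30.33": {"vpn-domain-list": ["net1.com", "net2.com"]},
}

# Service profiles keyed by domain: the tunnel parameters the LAC needs.
SERVICE_PROFILES = {
    "net1.com": {
        "tunnel-id": "LAC-1",
        "tunnel-type": "l2tp",
        "ip-addresses": "10.10.10.10",
        "l2tp-tunnel-password": "MySecret",
    },
}


def client_domain(ppp_username):
    """Domain supplied by the client, taken after the last '@'.
    Assumption: the page does not define how the LAC splits the username."""
    if "@" not in ppp_username:
        return None
    return ppp_username.rpartition("@")[2] or None


def authorize(nas_port_user, ppp_username, static_domain=None):
    """Return ("tunnel", service_profile) when the session is to be tunneled,
    or ("local", reason) when the LAC falls back to local PPP termination.

    static_domain is the 'vpn service' name on the PVC or VC class; when set
    it overrides the client-supplied domain and skips domain preauthorization."""
    if static_domain is not None:
        domain = static_domain
    else:
        domain = client_domain(ppp_username)
        if domain is None:
            return ("local", "no domain supplied by client")
        # Step 1: domain preauthorization against the PVC's authorized list.
        # The client controls this string, so the per-PVC list is the only
        # thing keeping a subscriber from steering sessions to another domain.
        allowed = PREAUTH_PROFILES.get(nas_port_user, {}).get("vpn-domain-list", [])
        if domain not in allowed:
            return ("local", f"domain {domain} not preauthorized on {nas_port_user}")
    # Step 2: tunnel service authorization via the service profile.
    profile = SERVICE_PROFILES.get(domain)
    if profile is None:
        # Assumption: no profile means no tunnel, so terminate locally.
        return ("local", f"no service profile for domain {domain}")
    return ("tunnel", profile)


if __name__ == "__main__":
    pvc = "nas-port:10.9.9.9:0/0/0/30.33"
    print(authorize(pvc, "alice@net1.com"))
    print(authorize(pvc, "alice@evil.example"))
    print(authorize("nas-port:10.9.9.9:0/0/0/30.34", "alice@net2.com",
                    static_domain="net1.com"))
```

The point to take from the model is where the trust boundary sits: the domain string arrives from the subscriber, the per-PVC list on the RADIUS server is what constrains it, and a static vpn service name removes the subscriber's choice altogether.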

To configure the tunnel service authorization enhancements, complete the following tasks: configure a static domain name on the PVC or on a VC class (Task 1, either option, only when you want static authorization), enable domain preauthorization (Task 2), configure communication with the RADIUS server (Task 3), and configure the RADIUS user profile (Task 4) and service profile (Task 5).

Task 1 (Option 1): Configuring a Static Domain Name—PVC Method

To configure the static domain name directly on the PVC, enter the following commands beginning in global configuration mode:

  Command  Purpose 
Step 1 
Router(config)# interface atm 0/0/0[.subinterface-number]
{multipoint | point-to-point | tag-switching}

Specifies the ATM interface and optional subinterface.

Step 2 
Router(config-subif)# no ip directed-broadcast

Disables forwarding of directed broadcasts.

Step 3 
Router(config-subif)# pvc [name] vpi/vci

Configures a PVC on the ATM interface or subinterface.

Step 4 
Router(config-if-atm-vc)# encapsulation aal5mux ppp Virtual-Template number

Sets encapsulation as PPP. Also specifies the virtual template interface to clone for the new virtual access interface.

Step 5 
Router(config-if-atm-vc)# vpn service domain-name

Configures the static domain name on the PVC.

Example: Configuring a Static Domain Name—PVC Method

The following example shows the static domain names "net1.com" and "net2.com" assigned to PVCs on an ATM interface. All PPP sessions originating from PVC 30/33 are sent to the "net1.com" L2TP tunnel; all PPP sessions originating from PVC 30/34 are sent to the "net2.com" tunnel.

!
interface ATM 0/0/0.33 multipoint
  pvc 30/33 
   encapsulation aal5ciscoppp Virtual-Template1
   vpn service net1.com
  !
  pvc 30/34 
   encapsulation aal5ciscoppp Virtual-Template1
   vpn service net2.com
  !

Task 1 (Option 2): Configuring a Static Domain Name—VC Class Method

To configure the static domain name on the VC class, enter the following commands beginning in global configuration mode:

  Command  Purpose 
Step 1 
Router(config)# vc-class atm vc-class-name

Creates and names a map class.

Step 2 
Router(config-vc-class)# encapsulation aal5mux ppp Virtual-Template number

Sets encapsulation as PPP. Also specifies the virtual template interface to clone for the new virtual access interface.

Step 3 
Router(config-vc-class)# vpn service domain-name

Configures the static domain name on the VC class.

Step 4 
Router(config-vc-class)# exit

Returns to global configuration mode.

Step 5 
Router(config)# interface atm 0/0/0[.subinterface-number]
{multipoint | point-to-point | tag-switching}

Specifies the ATM interface and optional subinterface.

Step 6 
Router(config-subif)# class-int vc-class-name

Applies the VC class to all VCs on the ATM interface or subinterface.

Example: Configuring a Static Domain Name—VC Class Method

In the following example, the static domain name "net.com" is assigned to a VC class. The VC class is then assigned to the VCs on an ATM subinterface.

!
vc-class ATM MyClass
  encapsulation aal5ciscoppp Virtual-Template1
  vpn service net.com
  !
interface ATM 0/0/0.99 multipoint
  class-int MyClass
  no ip directed-broadcast
  pvc 20/40
  pvc 30/33 
  !

Verifying the Static Domain Name

To verify that you successfully configured the static domain name, enter the show running-config EXEC command.

Task 2: Enabling Domain Preauthorization

To enable the LAC to perform domain authorization before tunneling, enter the following command in global configuration mode:

Command  Purpose 
Router(config)# vpdn authorize domain

Enables domain preauthorization.

Dynamic tunnel service authorization requires additional commands for proper communication with the RADIUS server. See the "Task 3: Configuring Communication with the RADIUS Server" section.

Example: Enabling Domain Preauthorization

The following example shows the configuration necessary for the LAC to participate in domain preauthorization:

!
aaa new-model
aaa authorization network default local group radius
!
vpdn authorize domain
!
radius-server host 10.9.9.9 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d
radius-server key MyKey
radius-server vsa send authentication
!

Verifying Domain Preauthorization

To check that you successfully enabled domain preauthorization, enter the show running-config EXEC command.

Task 3: Configuring Communication with the RADIUS Server

To enable the LAC to communicate properly with the RADIUS server for tunnel service authorization, complete following steps beginning in global configuration mode:

  Command  Purpose 
Step 1 
Router(config)# radius-server host
{hostname | ip-address} [auth-port port-number]
[acct-port port-number]

Specifies the RADIUS server host.

Step 2 
Router(config)# radius-server attribute nas-port
format d

Selects the ATM VC extended NAS port format for RADIUS accounting features.

Step 3 
Router(config)# radius-server key string

Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.

Step 4 
Router(config)# radius-server vsa send authentication

Configures the LAC to recognize and use vendor-specific attributes.

Example: Configuring Communication with the RADIUS Server

The following example shows the configuration necessary for the LAC to participate in tunnel service authorization:

!
aaa new-model
aaa authorization network default local group radius
!
radius-server host 10.9.9.9 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d
radius-server key MyKey
radius-server vsa send authentication
!

Verifying the Communication with the RADIUS Server Configuration

To check that you successfully configured the LAC to communicate properly with the RADIUS server for tunnel service authorization, enter the show running-config EXEC command.

Task 4: Configuring the RADIUS User Profile for Domain Preauthorization

To enable domain preauthorization, enter the following configuration in the user profile on the RADIUS server:

RADIUS Entry  Purpose 
nas-port:ip-address:slot/subslot/port/vpi.vci

Configures the NAS port username for domain preauthorization. Includes the management IP address of the NSP.

Password = "cisco"

Sets the fixed password. Because this password is a well-known constant, restrict these NAS-port and domain profiles on the RADIUS server to tunnel authorization (the Outbound service type is what marks them) so that they cannot be used as ordinary login credentials.

User-Service-Type = Outbound-User

Configures the service-type as outbound.

Cisco-AVpair = "vpdn:vpn-domain-list=domain1, domain2,..."

Specifies the domains accessible to the user.

Example: Configuring the RADIUS User Profile for Domain Preauthorization

The following example shows a domain preauthorization RADIUS user profile:

user = nas-port:10.9.9.9:0/0/0/30.33{
 profile_id = 826 
 profile_cycle = 1 
 radius=Cisco {
 check_items= {
 2=cisco
 } 
 reply_attributes= {
 9,1="vpdn:vpn-domain-list=net1.com,net2.com"
 6=5
 } 
 } 
 
 }

Verifying the RADIUS User Profile for Domain Preauthorization

To verify the RADIUS user profile, refer to the user documentation for your RADIUS server.

Task 5: Configuring the RADIUS Service Profile for Tunnel Service Authorization

To enable tunnel service authorization, use the following configuration in the service profile on the RADIUS server:

RADIUS Entry  Purpose 
domain Password "cisco"

Sets the fixed password for the client-supplied domain.

User-Service-Type = Outbound-User

Configures the service-type as outbound.

Cisco-AVpair = "vpdn:tunnel-id=name"

Specifies the name of the tunnel that must match the LNS's VPDN terminate-from hostname.

Cisco-AVpair = "vpdn:l2tp-tunnel-password=secret"

Specifies the secret used for L2TP tunnel authentication. RADIUS protects only the User-Password attribute; this secret is returned to the LAC in the Access-Accept as a plaintext Cisco-AVpair, so the path between the LAC and the RADIUS server must be trusted or protected (for example, with IPsec).

Cisco-AVpair = "vpdn:tunnel-type=l2tp"

Specifies the Layer 2 Tunnel Protocol.

Cisco-AVpair = "vpdn:ip-addresses=ip-address"

Specifies the IP address of LNS.

Example: Configuring the RADIUS Service Profile for Tunnel Service Authorization

The following example shows a tunnel service authorization RADIUS service profile:

user = net1.com{
 profile_id = 45 
 profile_cycle = 18 
 member = me 
 radius=Cisco {
 check_items= {
 2=cisco
 } 
 reply_attributes= {
 9,1="vpdn:tunnel-id=LAC-1"
 9,1="vpdn:l2tp-tunnel-password=MySecret"
 9,1="vpdn:tunnel-type=l2tp"
 9,1="vpdn:ip-addresses=10.10.10.10"
 6=5
 } 
 } 
 }

Verifying the RADIUS Service Profile for Tunnel Service Authorization

To verify the RADIUS service profile, refer to the user documentation for your RADIUS server.

Sessions per Tunnel Limiting

This feature uses the initiate-to command (or the equivalent RADIUS attributes) to limit the number of sessions per L2TP tunnel. Choose one of the two methods described below:

Option 1: Configuring Sessions Per Tunnel Limiting on the LAC

To limit the number of sessions per tunnel without using a RADIUS server, complete the following steps on the NRP-LAC beginning in global configuration mode:

  Command  Purpose 
Step 1 
Router(config)# vpdn-group number

Selects the VPDN group.

Step 2 
Router(config-vpdn)# request-dialin

Enables the LAC to request L2TP tunnels to the LNS. Enters VPDN request-dialin group mode.

Step 3 
Router(config-vpdn-req-in)# protocol l2tp

Specifies the Layer 2 Tunnel Protocol.

Step 4 
Router(config-vpdn-req-in)# multihop hostname ingress-tunnel-name

or

Router(config-vpdn-req-in)# domain domain-name

or

Router(config-vpdn-req-in)# dnis dnis-number

Initiates a tunnel based on the LAC's host name or ingress tunnel ID.

Initiates a tunnel based on the client-supplied domain name.

Initiates a tunnel based on the user's DNIS number.

Step 5 
Router(config-vpdn-req-in)# exit

Returns to VPDN group mode.

Step 6 
Router(config-vpdn)# initiate-to ip ip-address
limit limit-number [priority priority-number]

Specifies the LNS IP address and the maximum number of sessions per tunnel. Optionally specifies the priority of the IP address (1 is highest).

Example: Configuring Sessions Per Tunnel Limiting on the LAC

In the following example, the LAC load-shares sessions across tunnels to three LNS addresses. Each tunnel is limited to 40 sessions.

!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain net.com
 initiate-to ip 10.1.1.1 limit 40
 initiate-to ip 10.2.2.2 limit 40
 initiate-to ip 10.3.3.3 limit 40
!

Verifying Sessions per Tunnel Limiting on the LAC


Step 1   Enter the show running-config EXEC command to check that you successfully configured the maximum number of sessions per tunnel.

Step 2   Enter the show vpdn tunnel privileged EXEC command to verify that the number of displayed sessions does not exceed your configured limit.

Router# show vpdn tunnel

L2TP Tunnel Information (Total tunnels 50 sessions 2000)

LocID RemID Remote Name   State  Remote Address  Port Sessions
41234 7811  LNS1          est    10.1.1.1        1701 40 
20022 2323  LNS1          est    10.1.1.1        1701 40 
41234 7811  LNS2          est    10.1.2.2        1701 40 
59765 3477  LNS2          est    10.1.3.3        1701 40 
...



Option 2: Configuring Sessions per Tunnel Limiting in the RADIUS Service Profile

To use a RADIUS server to limit the number of sessions per tunnel, enter the following Cisco-AVpair attributes in the RADIUS service profile:

VPDN IP Addresses

This attribute specifies the IP addresses of the LNSs to receive the L2TP connections.

Cisco-AVpair = "vpdn:ip-addresses=address1[<delimiter>address2][<delimiter>address3]..."
Syntax Description

address

IP address of the LNS.

<delimiter>

, (comma)

Selects load sharing among IP addresses.

  (space)

Selects load sharing among IP addresses.

/ (slash)

Gives the IP addresses on the left of the slash higher priority than those on the right.

In the following example, the LAC sends the first PPP session through a tunnel to 10.1.1.1, the second PPP session to 10.2.2.2, and the third to 10.3.3.3. The fourth PPP session is sent through the tunnel to 10.1.1.1, and so forth. If the LAC fails to establish a tunnel with any of the IP addresses in the first group, then the LAC attempts to connect to those in the second group (10.4.4.4 and 10.5.5.5).

Example (RADIUS Freeware Format)
Cisco-AVpair="vpdn:ip-addresses=10.1.1.1,10.2.2.2,10.3.3.3/10.4.4.4,10.5.5.5"
Example (CiscoSecure ACS for UNIX)
9,1="vpdn:ip-addresses=10.1.1.1,10.2.2.2,10.3.3.3/10.4.4.4,10.5.5.5"

VPDN IP Address Limits

This attribute specifies the maximum number of sessions in each tunnel to the IP addresses listed with the vpdn:ip-addresses attribute.

Cisco-AVpair = "vpdn:ip-address-limits=limit1 [limit2] [limit3]... "
Syntax Description

limit

Maximum number of sessions per tunnel to the corresponding IP address.

Example (RADIUS Freeware Format)
Cisco-AVpair="vpdn:ip-address-limits=10 20 30 40 50 "
Example (CiscoSecure ACS for UNIX)
9,1="vpdn:ip-address-limits=10 20 30 40 50 "

Note   You must enter a space between the final limit entry and the end quotation marks.

Example: Configuring Sessions per Tunnel Limiting in the RADIUS Service Profile

The following example shows a tunnel service authorization RADIUS service profile with the session limiting entry. IP addresses 10.1.1.1 and 10.2.2.2 are assigned priority 1; IP addresses 10.3.3.3 and 10.4.4.4 are assigned priority 2. Tunnels to 10.1.1.1 are limited to 100 sessions, tunnels to 10.2.2.2 are limited to 200 sessions, tunnels to 10.3.3.3 are limited to 300 sessions, and tunnels to 10.4.4.4 are limited to 400 sessions.

user = net.com{
 profile_id = 45 
 profile_cycle = 18 
 member = me 
 radius=Cisco {
 check_items= {
 2=cisco
 } 
 reply_attributes= {
 9,1="vpdn:tunnel-id=LAC-1"
 9,1="vpdn:l2tp-tunnel-password=MySecret"
 9,1="vpdn:tunnel-type=l2tp"
 9,1="vpdn:ip-addresses=10.1.1.1 10.2.2.2/10.3.3.3 10.4.4.4"
 9,1="vpdn:ip-address-limits=100 200 300 400 "
 6=5
 } 
 } 
 }
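The two attributes above and the show vpdn tunnel check in Option 1 share one added Python example; it is not Cisco code. It parses a vpdn:ip-addresses value with the delimiter rules just described, pairs each address with its vpdn:ip-address-limits entry, renders the limits attribute with the trailing space the note requires, and then reads constructed show vpdn tunnel output to flag any tunnel carrying more sessions than the limit for its LNS. The output format assumed is the one shown under "Verifying Sessions per Tunnel Limiting on the LAC".

```python
import re

# Added example (not Cisco code): parse the vpdn:ip-addresses and
# vpdn:ip-address-limits values and check 'show vpdn tunnel' output against them.


def parse_lns_list(ip_addresses, ip_address_limits=None):
    """Return a list of priority groups (highest first), each a list of
    (address, limit) tuples. ',' or ' ' separates load-shared addresses and
    '/' starts the next lower-priority group. limit is None when no
    vpdn:ip-address-limits value was given."""
    limits = [int(x) for x in ip_address_limits.split()] if ip_address_limits else []
    groups, n = [], 0
    for group in ip_addresses.split("/"):
        members = []
        for addr in re.split(r"[ ,]+", group.strip()):
            if not addr:
                continue
            members.append((addr, limits[n] if n < len(limits) else None))
            n += 1
        groups.append(members)
    if limits and n != len(limits):
        raise ValueError(f"{len(limits)} limits given for {n} addresses")
    return groups


def format_limits(limits):
    """Render vpdn:ip-address-limits; the trailing space is required by IOS."""
    return "vpdn:ip-address-limits=" + " ".join(str(lim) for lim in limits) + " "


def limits_by_address(groups):
    """Flatten priority groups into {address: limit} for addresses that have a limit."""
    return {addr: lim for group in groups for addr, lim in group if lim is not None}


# One data line of 'show vpdn tunnel': LocID RemID Name State Address Port Sessions
TUNNEL_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s*$"
)


def over_limit_tunnels(show_output, limits):
    """Return (local_id, address, sessions, limit) for every tunnel whose
    session count exceeds the limit configured for its LNS address."""
    hits = []
    for line in show_output.splitlines():
        m = TUNNEL_LINE.match(line)
        if not m:
            continue  # banner, column header or blank line
        loc_id, _rem_id, _name, _state, addr, _port, sessions = m.groups()
        limit = limits.get(addr)
        if limit is not None and int(sessions) > limit:
            hits.append((int(loc_id), addr, int(sessions), limit))
    return hits


# Constructed sample output in the format of the verification step above.
SAMPLE_SHOW_VPDN_TUNNEL = """\
L2TP Tunnel Information (Total tunnels 3 sessions 390)

LocID RemID Remote Name   State  Remote Address  Port Sessions
41234 7811  LNS1          est    10.1.1.1        1701 100
20022 2323  LNS2          est    10.2.2.2        1701 250
59765 3477  LNS3          est    10.3.3.3        1701 40
"""

if __name__ == "__main__":
    groups = parse_lns_list("10.1.1.1 10.2.2.2/10.3.3.3 10.4.4.4", "100 200 300 400 ")
    print(groups)
    print(format_limits([lim for g in groups for _, lim in g]))
    print(over_limit_tunnels(SAMPLE_SHOW_VPDN_TUNNEL, limits_by_address(groups)))
```

Limits are matched to addresses by position across the whole list, priority groups included, so a limits value with the wrong count is rejected rather than silently applied to the wrong LNS.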

Verifying Sessions per Tunnel Limiting in the RADIUS Service Profile

To verify the RADIUS service profile, refer to the user documentation for your RADIUS server.

Tunnel Sharing

This feature enables sessions that are authorized with different domains to share the same tunnel. Tunnel sharing reduces the number of tunnels required from the LAC. When used with the L2TP Tunnel Switching feature, tunnel sharing also reduces the number of tunnels to an LNS. While improving tunnel management, tunnel sharing helps to reduce the number of tunnel establishment messages that are sent after interface dropouts, reducing dropout recovery time.

Tunnel sharing is enabled either locally on the LAC (Task 1) or in the RADIUS service profile (Task 2):

Task 1: Configuring Tunnel Sharing on the LAC

To implement the tunnel sharing feature, complete the following steps on the NRP-LAC beginning in global configuration mode:

  Command  Purpose 
Step 1 
Router(config)# vpdn-group number

Selects the VPDN group.

Step 2 
Router(config-vpdn)# request-dialin

Enables the LAC to request L2TP tunnels to the LNS. Enters VPDN request-dialin group mode.

Step 3 
Router(config-vpdn-req-in)# protocol l2tp

Specifies the Layer 2 Tunnel Protocol.

Step 4 
Router(config-vpdn-req-in)# multihop hostname ingress-tunnel-name

or


Router(config-vpdn-req-in)# domain domain-name

or


Router(config-vpdn-req-in)# dnis dnis-number

(Repeat this step to enter all keys chosen for tunnel sharing)

Initiates a tunnel based on the LAC's host name or ingress tunnel ID.



Initiates a tunnel based on the client-supplied domain name.



Initiates a tunnel based on the user's DNIS number.

Step 5 
Router(config-vpdn-req-in)# exit

Returns to the VPDN group mode.

Step 6 
Router(config-vpdn)# initiate-to ip ip-address [priority priority-number]

Specifies the LNS IP address. Optionally specifies the priority of the IP address (1 is highest).

Step 7 
Router(config-vpdn)# tunnel share

Enables tunnel sharing among the keys entered in Step 4.

Example: Configuring Tunnel Sharing on the LAC

In the following example, all sessions that are locally authorized through VPDN group 1 are sent through the same tunnel to 10.1.1.1.

!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain net1.com
  domain net2.com
 initiate-to ip 10.1.1.1
 tunnel share
!

Verifying Tunnel Sharing Configuration on the LAC

Enter the show running-config EXEC command to check that you successfully enabled the tunnel sharing feature.

Task 2: Configuring Tunnel Sharing in the RADIUS Service Profile

To implement the tunnel sharing feature, enter the following Cisco-AVpair attributes in the RADIUS service profile:

VPDN Group

This attribute specifies the group to which the service belongs. All services with matching group names are considered members of the same VPDN group.

Cisco-AVpair = "vpdn:vpdn-group=group-name"
Example (RADIUS Freeware Format)
Cisco-AVpair="vpdn:vpdn-group=group1"
Example (CiscoSecure ACS for UNIX)
9,1="vpdn:vpdn-group=group1"

Tunnel Share

This attribute indicates that the tunnel sharing feature is enabled for the service.

Cisco-AVpair = "vpdn:tunnel-share=yes"
Syntax Description

This attribute has no arguments or keywords.

Example (RADIUS Freeware Format)
Cisco-AVpair="vpdn:tunnel-share=yes"
Example (CiscoSecure ACS for UNIX)
9,1="vpdn:tunnel-share=yes"

Example: Configuring Tunnel Sharing in the RADIUS Service Profile

In the following example, both the net1.com and net2.com services are members of the "group1" VPDN group. With tunnel sharing enabled in both service profiles, the sessions for net1.com and net2.com will be combined and sent through the same tunnels.

user = net1.com{
 profile_id = 45 
 profile_cycle = 18 
 member = me 
 radius=Cisco {
 check_items= {
 2=cisco
 } 
 reply_attributes= {
 9,1="vpdn:tunnel-id=LAC-1"
 9,1="vpdn:l2tp-tunnel-password=MySecret"
 9,1="vpdn:tunnel-type=l2tp"
 9,1="vpdn:ip-addresses=10.10.10.10"
 9,1="vpdn:vpdn-group=group1"
 9,1="vpdn:tunnel-share=yes"
 6=5
 } 
 } 
 }

user = net2.com{
 profile_id = 46 
 profile_cycle = 18 
 member = me 
 radius=Cisco {
 check_items= {
 2=cisco
 } 
 reply_attributes= {
 9,1="vpdn:tunnel-id=LAC-1"
 9,1="vpdn:l2tp-tunnel-password=MySecret"
 9,1="vpdn:tunnel-type=l2tp"
 9,1="vpdn:ip-addresses=10.10.10.10"
 9,1="vpdn:vpdn-group=group1"
 9,1="vpdn:tunnel-share=yes"
 6=5
 } 
 } 
 }

Verifying the Tunnel Sharing Configuration in the RADIUS Service Profile

To verify the RADIUS service profile, refer to the user documentation for your RADIUS server.

Tunnel Switching


Note   Before configuring this feature, read the "Restrictions" section.

The L2TP Tunnel Switching feature enables the NRP to terminate tunnels from LACs and forward the sessions through new L2TP tunnels selected independently of the client-supplied domains. The NRP as a tunnel switch performs VPDN tunnel authorization based on the ingress tunnel names that are mapped to specified LNSs.

Tunnel switching provides the following benefits:

  • Improved Provisioning Scalability—Aggregating LAC tunnels with an L2TP tunnel switch improves provisioning scalability on both the LAC and wholesaler ends.
  • Improved Permanent Virtual Circuit Interconnect Scalability—In a B-ISDN network, a multihop node can improve PVC interconnect scalability.

Figure 2-1 shows an example network topology using the L2TP Tunnel Switching feature.


Figure 2-1   Example Network Topology Using the L2TP Tunnel Switching Feature

To configure the L2TP Tunnel Switching feature, complete the following tasks:

Task 1: Enabling VPDN and Multihop Functionality

To use the L2TP Tunnel Switching feature, you must first enable VPDN and multihop capabilities by entering the following commands in global configuration mode:

  Command  Purpose 
Step 1 
Router(config)# vpdn enable

Enables VPDN functionality.

Step 2 
Router(config)# vpdn multihop

Enables VPDN multihop functionality.

Verifying VPDN and Multihop Functionality

To verify that you enabled VPDN and multihop functionality, enter the show running-config EXEC command.

Task 2: Terminating the Tunnel from the LAC

To terminate the tunnel from the LAC, enter the following commands beginning in global configuration mode:

  Command  Purpose 
Step 1 
Router(config)# username remote-hostname password secret

Configures the secret password. Must match the secret password configured on the LAC.

Step 2 
Router(config)# username local-name password secret

Configures the secret password. Must match secret in Step 1.

Step 3 
Router(config)# vpdn-group number

Selects the VPDN group.

Step 4 
Router(config-vpdn)# accept-dialin

Accepts incoming L2TP tunnel connections. Enters VPDN accept-dialin group mode.

Step 5 
Router(config-vpdn-acc-in)# protocol l2tp

Specifies the Layer 2 Tunnel Protocol.

Step 6 
Router(config-vpdn-acc-in)# virtual-template number

Specifies the virtual template interface to clone the new virtual access interface.

Step 7 
Router(config-vpdn-acc-in)# exit

Returns to the VPDN group mode.

Step 8 
Router(config-vpdn)# terminate-from hostname remote-hostname

Specifies the host name of the remote LAC that will be required when accepting a VPDN tunnel. Must match remote-hostname in Step 1.

Step 9 
Router(config-vpdn)# lcp renegotiation always

Allows the LNS to renegotiate the LCP on dial-in calls.

Step 10 
Router(config-vpdn)# local name local-name

Specifies the local host name of the tunnel. Must match local-name in Step 2.

Verifying Termination of the Tunnel from the LAC

To verify that you successfully configured the tunnel switch to terminate tunnels from the LAC, enter the show running-config EXEC command.

Task 3: Mapping the Ingress Tunnel Name to an LNS

To map the ingress tunnel name to an LNS, complete the following steps beginning in global configuration mode:

  Command  Purpose 
Step 1 
Router(config)# username username password secret

Configures the secret password. Username must match LNS's hostname or tunnel ID. Secret password must match the secret configured on the LNS.

Step 2 
Router(config)# username egress-tunnel-name password secret

Configures the secret password. Must match secret in Step 1.

Step 3 
Router(config)# vpdn-group number

Selects the VPDN group.

Step 4 
Router(config-vpdn)# request-dialin

Enables the tunnel switch to request L2TP tunnels to the LNS. Enters VPDN request-dialin group mode.

Step 5 
Router(config-vpdn-req-in)# protocol l2tp

Specifies the Layer 2 Tunnel Protocol.

Step 6 
Router(config-vpdn-req-in)# multihop hostname ingress-tunnel-name

Initiates a tunnel based on the LAC's hostname or ingress tunnel ID.

Step 7 
Router(config-vpdn-req-in)# exit

Returns to the VPDN group mode.

Step 8 
Router(config-vpdn)# initiate-to ip ip-address
[limit limit-number] [priority priority-number]

Specifies the LNS. Optionally specifies the maximum number of sessions per tunnel as well as the priority of the IP address (1 is highest).

Step 9 
Router(config-vpdn)# local name egress-tunnel-name

Specifies the local host name of the tunnel. Must match egress-tunnel-name in Step 2.

Verifying the Ingress Tunnel Name to LNS Map

To verify that you successfully mapped the ingress tunnel name to the LNS, enter the show running-config EXEC command.

Task 4: Performing VPDN Tunnel Authorization Searches by Ingress Tunnel Name

To specify how to perform VPDN tunnel authorization searches, enter the following command in global configuration mode:

Command  Purpose 
Router(config)# vpdn search-order {multihop-hostname dnis domain}

Specifies a search order. You can specify to search by configured ingress tunnel name (multihop-hostname), domain, and/or DNIS. The order you specify in the command controls the order of the resulting search.

Verifying VPDN Tunnel Authorization Searches by Ingress Tunnel Name

To verify that you successfully configured the tunnel switch to perform VPDN tunnel authorization searches by ingress tunnel name, enter the show running-config EXEC command.

Comprehensive Example: L2TP Tunnel Switching Configurations

The examples in this section show the configurations necessary for the basic L2TP tunnel switch topology shown in Figure 2-2. In this topology, a tunnel switch terminates tunnels from two LACs and forwards all the sessions through one tunnel to the LNS.


Figure 2-2   Example L2TP Tunnel Switch Topology

This section provides configuration examples for LAC-1, LAC-2, the L2TP tunnel switch, and the LNS.

Example: LAC-1 Configuration

In the following example, LAC-1 performs tunnel authorization based on domain name and initiates a tunnel to the L2TP tunnel switch:

!
vpdn enable
!
username net.com password Secret1
username Tunnel-Switch-In password Secret1
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain service1.net.com
 initiate-to ip 10.1.1.1
 local name net.com
!

Example: LAC-2 Configuration

In the following example, LAC-2 also performs tunnel authorization based on domain name and initiates a tunnel to the L2TP tunnel switch. Both LACs present the same tunnel name (local name net.com) to the tunnel switch, so they must share the same tunnel secret: the tunnel switch can hold only one password for the username net.com.

!
vpdn enable
!
username net.com password Secret1
username Tunnel-Switch-In password Secret1
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain service2.net.com
 initiate-to ip 10.1.1.1
 local name net.com
!

Example: L2TP Tunnel Switch Configuration

In the following example, the NRP is configured as an L2TP tunnel switch. VPDN group 1 terminates the tunnels from both LACs, which both present the tunnel name net.com. VPDN group 11 initiates the tunnel to the LNS, and it performs tunnel authorization based on the configured ingress tunnel name.

!
vpdn enable
vpdn multihop
vpdn search-order multihop-hostname domain
!
username net.com password Secret1
username Tunnel-Switch-In password Secret1
username LNS password Secret3
username Tunnel-Switch-Out password Secret3
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname net.com
 local name Tunnel-Switch-In
!
vpdn-group 11
 request-dialin
  protocol l2tp
  multihop hostname net.com
 initiate-to ip 10.2.2.2 
 local name Tunnel-Switch-Out
!
interface ATM 0/0/0.1001 point-to-point
 ip address 10.1.1.1 255.255.255.0
 pvc 5/10
  encapsulation aal5snap
!
interface Virtual-Template 1
 ip unnumbered FastEthernet 0/0/0
 no ip directed-broadcast
 no keepalive
 no peer default ip address
 ppp authentication chap
!

Example: LNS Configuration

In the following example, the LNS terminates the tunnel from the L2TP tunnel switch:

vpdn enable
!
username LNS password Secret3
username Tunnel-Switch-Out password Secret3
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname Tunnel-Switch-Out
 local name LNS
!
interface Virtual-Template 1
 ip unnumbered FastEthernet 0/0/0
 no ip directed-broadcast
 ip mroute-cache
 no keepalive
 peer default ip address pool pool-1
 ppp authentication chap
!
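The "must match" rules in Tasks 2 and 3 (the acceptor's terminate-from hostname equals the initiator's local name, and both peers hold the same tunnel secret under both tunnel names) are easy to get wrong across three devices. The following added Python checker is not Cisco's code. It reads minimal constructed LAC, tunnel switch and LNS configurations (illustrative, not the ones above), understands only the username and vpdn-group lines used on this page, and reports mismatches; the constructed LNS deliberately names the switch Tunnel-Switch while the switch's egress local name is Tunnel-Switch-Out.

```python
import re

# Added example (not Cisco code): cross-device check of L2TP tunnel names and
# secrets between a request-dialin side and the accept-dialin side it points at.


def parse_vpdn(config):
    """Extract username/password pairs and vpdn-group tunnel settings.

    Returns (users, groups, problems): users maps name -> password; groups is
    a list of dicts with mode ('request'/'accept'), local, remote and peer;
    problems lists usernames defined twice with different secrets (IOS keeps
    only the last line, which silently breaks the other peer)."""
    users, groups, problems = {}, [], []
    cur = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"username (\S+) password (\S+)$", line)
        if m:
            name, secret = m.groups()
            if name in users and users[name] != secret:
                problems.append(f"username {name} defined twice with different secrets")
            users[name] = secret
            continue
        if re.match(r"vpdn-group \S+$", line):
            cur = {"mode": None, "local": None, "remote": None, "peer": None}
            groups.append(cur)
            continue
        if cur is None:
            continue
        if line == "request-dialin":
            cur["mode"] = "request"
        elif line == "accept-dialin":
            cur["mode"] = "accept"
        elif line.startswith("terminate-from hostname "):
            cur["remote"] = line.split()[-1]
        elif line.startswith("local name "):
            cur["local"] = line.split()[-1]
        elif line.startswith("initiate-to ip "):
            cur["peer"] = line.split()[2]
    return users, groups, problems


def check_pair(initiator_cfg, acceptor_cfg):
    """Check every request-dialin group on the initiator against the
    accept-dialin groups on the acceptor. Returns a list of problem strings;
    an empty list means the tunnel names and secrets line up."""
    i_users, i_groups, problems = parse_vpdn(initiator_cfg)
    a_users, a_groups, a_problems = parse_vpdn(acceptor_cfg)
    problems += a_problems
    accept_by_remote = {g["remote"]: g for g in a_groups if g["mode"] == "accept"}
    for ig in (g for g in i_groups if g["mode"] == "request"):
        ag = accept_by_remote.get(ig["local"])
        if ag is None:
            problems.append(f"acceptor has no accept-dialin group with "
                            f"'terminate-from hostname {ig['local']}'")
            continue
        # Both peers must hold the shared secret under both tunnel names.
        for name in (ig["local"], ag["local"]):
            if name not in i_users or name not in a_users:
                problems.append(f"username {name} missing on one peer")
            elif i_users[name] != a_users[name]:
                problems.append(f"secret for username {name} differs between peers")
    return problems


# Constructed configurations for the check (illustrative values only).
LAC = """
username net.com password Secret1
username Tunnel-Switch-In password Secret1
vpdn-group 1
 request-dialin
  protocol l2tp
  domain service1.net.com
 initiate-to ip 10.1.1.1
 local name net.com
"""

SWITCH = """
username net.com password Secret1
username Tunnel-Switch-In password Secret1
username LNS password Secret3
username Tunnel-Switch-Out password Secret3
vpdn-group 1
 accept-dialin
  protocol l2tp
 terminate-from hostname net.com
 local name Tunnel-Switch-In
vpdn-group 11
 request-dialin
  protocol l2tp
  multihop hostname net.com
 initiate-to ip 10.2.2.2
 local name Tunnel-Switch-Out
"""

# Deliberate fault: the LNS terminates from 'Tunnel-Switch', but the switch's
# egress local name is 'Tunnel-Switch-Out'.
LNS = """
username LNS password Secret3
username Tunnel-Switch-Out password Secret3
vpdn-group 1
 accept-dialin
  protocol l2tp
 terminate-from hostname Tunnel-Switch
 local name LNS
"""

if __name__ == "__main__":
    print("LAC -> switch:", check_pair(LAC, SWITCH) or "ok")
    print("switch -> LNS:", check_pair(SWITCH, LNS) or "ok")
```

Run it against the real running-configs of each hop before bringing a switched topology up; a name or secret mismatch shows up in the field as a tunnel that never leaves the establishing state, which is harder to diagnose than a one-line report.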


Posted: Thu Jan 29 19:27:20 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.