This feature module describes further enhancements to the Node Route Processor---Service Selection Gateway (NRP-SSG) feature. It includes information on the benefits of the enhancements, supported platforms, related documents, and configuration.
This document includes the following sections:
The enhancements described in this document are included in Cisco IOS Release 12.0(7) DC. The NRP-SSG feature was first released in 12.0(3) DC, and initial enhancements were added in 12.0(5) DC.
The NRP-SSG is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using high-speed data circuit equipment (DCE) such as asymmetric digital subscriber line (ADSL) to allow simultaneous access to network services. The NRP-SSG with Web Selection works in conjunction with the Cisco Service Selection Dashboard (SSD), an open source web-based server application that allows users to select from multiple passthrough and proxy services through a standard web browser.
Enable and Disable Control of NRP-SSG
NRP-SSG is now disabled by default. A new command is available to enable and disable NRP-SSG.
Web Selection of L2TP Service Type
NRP-SSG now supports L2TP. When a subscriber selects a service via the Cisco Service Selection Dashboard (SSD), the NRP as an L2TP access concentrator (LAC) will send the PPP session through the service specific L2TP tunnel. If the tunnel does not already exist, the NRP-LAC creates the proper tunnel to the L2TP network server (LNS).
Scalability
Numerous changes were made in the way PPP sessions and L2TP tunnels were handled, providing support for up to 2000 PPPoA or PPPoE sessions and up to 300 tunnels. Consult the Cisco IOS Release Notes for the latest details on session and tunnel scalability.
NRP-SSG does not support simultaneous use of Cisco Express Forwarding (CEF) and Routed Bridge Encapsulation (RBE).
Defined by RFC 2661, L2TP is an emerging Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). For a description, benefits, restrictions, and configuration information for L2TP, see the Cisco IOS Release 12.0(1)T Layer 2 Tunnel Protocol feature module.
The NRP-SSG works in conjunction with the Cisco SSD. The Cisco SSD is a specialized web server, populated by the service provider, that lists all of the potential networks (or services) a particular customer can access. Customers select and deselect services from a menu through a frames-enabled HTML browser.
Node Route Processor-Service Selection Gateway Enhancements II are supported on the Cisco 6400 node route processor (NRP).
Standards
None
MIBs
None
RFCs
No new or modified RFCs are supported by these feature enhancements.
If you want to perform Layer 3 service selection, you must install and configure the Cisco SSD.
To achieve 2000 L2TP sessions, you need at least 128 MB of DRAM on the NRP.
See the following sections to configure the NRP-SSG enhancements. Each task in the list is required.
As of Cisco IOS Release 12.0(7) DC, NRP-SSG is disabled by default. To enable NRP-SSG, use the following command in global configuration mode:
Command | Purpose |
---|---|
Router(config)# ssg enable | Enables NRP-SSG functionality. |
To verify that NRP-SSG is enabled, use the EXEC command show running-config.
To configure the Cisco 6400 NRP as a LAC, use the following command in global configuration mode:
Step | Command | Purpose |
---|---|---|
Step 1 | Router(config)# vpdn enable | Enables L2TP functionality. |
To verify the NRP-LAC configuration, use the EXEC command show running-config.
For general information on configuring RADIUS profiles for NRP-SSG, see the "Configuring RADIUS Profiles" section in the Node Route Processor ---Service Selection Gateway feature module.
The NRP-SSG uses vendor-specific RADIUS attributes. If using the NRP-SSG with Cisco User Control Point (UCP) software, specify settings that allow processing of the NRP-SSG attributes while configuring the CiscoSecure Access Control Server (ACS) component. If using another AAA server, you must customize that server's RADIUS dictionary to incorporate the NRP-SSG vendor-specific attributes.
Table 1 lists vendor-specific attributes used by the NRP-SSG to support L2TP. The vendor ID for all of the Cisco-specific attributes is 9.
AttrID | Vendor ID | SubAttrID | SubAttrName | SubAttrDataType |
---|---|---|---|---|
26 | 9 | 1 | Cisco-AVpair | String |
26 | 9 | 250 | Account-Info | String |
26 | 9 | 251 | Service-Info | String |
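The table above gives the numeric layout of the Cisco VSAs, but not how they sit on the wire. The following added example (not Cisco code, not from this feature module) encodes sub-attributes 1, 250 and 251 as RFC 2865 attribute 26 with vendor ID 9, and decodes them back with length checks, so a server-side dictionary or packet capture can be checked against the profile text in this document. The `SERVICE_PROFILE` values are constructed from the configuration example later on this page.

```python
import struct

# Values from the vendor-specific attribute table on this page.
VSA_TYPE = 26          # RFC 2865 Vendor-Specific attribute
VENDOR_CISCO = 9
SUBATTR = {"Cisco-AVpair": 1, "Account-Info": 250, "Service-Info": 251}
SUBATTR_NAME = {v: k for k, v in SUBATTR.items()}


def encode_vsa(subattr_name, value):
    """Encode one Cisco sub-attribute as attribute 26:
    type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) value."""
    data = value.encode("ascii")
    if len(data) > 247:            # 255-byte attribute limit minus 8 header bytes
        raise ValueError("VSA value too long for one attribute")
    inner = struct.pack("!BB", SUBATTR[subattr_name], 2 + len(data)) + data
    return struct.pack("!BBI", VSA_TYPE, 6 + len(inner), VENDOR_CISCO) + inner


def build_profile(pairs):
    """Concatenate the (sub-attribute name, value) pairs of a RADIUS profile."""
    return b"".join(encode_vsa(name, value) for name, value in pairs)


def decode_vsas(blob):
    """Walk a run of RADIUS attributes and return the Cisco sub-attributes found.
    Other attributes are skipped; truncated or oversized lengths are rejected."""
    found, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length at offset %d" % i)
        if atype == VSA_TYPE and alen >= 8 and \
                struct.unpack("!I", blob[i + 2:i + 6])[0] == VENDOR_CISCO:
            j = i + 6
            while j < i + alen:
                if j + 2 > i + alen:
                    raise ValueError("truncated vendor header at offset %d" % j)
                vtype, vlen = blob[j], blob[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("bad vendor-length at offset %d" % j)
                value = blob[j + 2:j + vlen].decode("ascii")
                found.append((SUBATTR_NAME.get(vtype, "Cisco-sub-%d" % vtype), value))
                j += vlen
        i += alen
    return found


# Constructed sample: the L2TP service profile from the configuration example.
SERVICE_PROFILE = [
    ("Service-Info", "TT"),
    ("Cisco-AVpair", "vpdn:ip-addresses=10.8.8.8"),
    ("Cisco-AVpair", "vpdn:tunnel-id=My-Tunnel"),
    ("Cisco-AVpair", "vpdn:l2tp-tunnel-password=cisco"),
]
```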
These Cisco-AVpair attributes are used in the service profile to configure VPDN.
This attribute specifies the IP addresses of the home gateways (LNSes) to receive the L2TP connections.
Cisco-AVpair = "vpdn:ip-addresses=address1[<delimiter>address2][<delimiter>address3]..."
Syntax Description
address | IP address of the home gateway. | |
<delimiter> | , (comma) | Selects load sharing among IP addresses. |
 | (space) | Selects load sharing among IP addresses. |
 | / (slash) | Groups the IP addresses on the left side at a higher priority than those on the right side. |
In the following example, the LAC will send the first PPP session through a tunnel to 10.1.1.1, the second PPP session to 10.2.2.2, the third to 10.3.3.3. The fourth PPP session will be sent through the tunnel to 10.1.1.1, and so forth. If the LAC fails to establish a tunnel with any of the IP addresses in the first group, then the LAC will attempt to connect to those in the second group (10.4.4.4 and 10.5.5.5).
Example (RADIUS Freeware Format)
Cisco-AVpair="vpdn:ip-addresses=10.1.1.1,10.2.2.2,10.3.3.3/10.4.4.4,10.5.5.5"
Example (CiscoSecure ACS for UNIX)
9,1="vpdn:ip-addresses=10.1.1.1,10.2.2.2,10.3.3.3/10.4.4.4,10.5.5.5"
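The delimiter rules and the session walk-through above are easy to get wrong when writing profiles by hand. The following added example (not Cisco code, not from this feature module) parses a `vpdn:ip-addresses` value into priority groups and replays the LAC's selection for the first sessions, round-robin within a group and falling back to the next group only when no member of the current one accepts the tunnel. `tunnel_up` is an assumed caller-supplied reachability check, not an IOS interface; the input string is the example from this page.

```python
import ipaddress
import re

PREFIX = "vpdn:ip-addresses="


def parse_ip_addresses(avpair):
    """Return the LNS priority groups encoded in a vpdn:ip-addresses AV pair.
    '/' separates priority groups (left = higher priority); ',' or a space
    separates load-shared members inside a group. Malformed input raises."""
    if not avpair.startswith(PREFIX):
        raise ValueError("not a vpdn:ip-addresses AV pair: %r" % avpair)
    groups = []
    for chunk in avpair[len(PREFIX):].split("/"):
        members = [m for m in re.split(r"[ ,]+", chunk.strip()) if m]
        if not members:
            raise ValueError("empty priority group in %r" % avpair)
        # IPv4Address() rejects anything that is not a valid dotted quad.
        groups.append([str(ipaddress.IPv4Address(m)) for m in members])
    return groups


def pick_lns(groups, session_index, tunnel_up):
    """Choose the LNS for the N-th new PPP session (0-based): round-robin inside
    the highest-priority group, trying the group's other members before moving
    to the next group. tunnel_up(ip) -> bool is the caller's reachability check
    (assumed interface, not an IOS API). Returns None if every group fails."""
    for group in groups:
        start = session_index % len(group)
        for k in range(len(group)):
            candidate = group[(start + k) % len(group)]
            if tunnel_up(candidate):
                return candidate
    return None


# Constructed sample: the ip-addresses example from this page.
SAMPLE = "vpdn:ip-addresses=10.1.1.1,10.2.2.2,10.3.3.3/10.4.4.4,10.5.5.5"


def first_four_sessions(avpair, tunnel_up=lambda ip: True):
    """Replay the LNS chosen for the first four sessions of a profile."""
    groups = parse_ip_addresses(avpair)
    return [pick_lns(groups, n, tunnel_up) for n in range(4)]
```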
This attribute specifies the name of the tunnel that must match the tunnel ID specified in the LNS VPDN group, as shown in Step 4 in the "Configuring the LNS" section.
Cisco-AVpair = "vpdn:tunnel-id=name"
Syntax Description
name | Tunnel name. |
Example (RADIUS Freeware Format)
Cisco-AVpair="vpdn:tunnel-id=My-Tunnel"
Example (CiscoSecure ACS for UNIX)
9,1="vpdn:tunnel-id=My-Tunnel"
This attribute is the secret (password) used for L2TP tunnel authentication.
Cisco-AVpair = "vpdn:l2tp-tunnel-password=secret"
Syntax Description
secret | Secret (password) for L2TP tunnel authentication. |
Example (RADIUS Freeware Format)
Cisco-AVpair="vpdn:l2tp-tunnel-password=cisco"
Example (CiscoSecure ACS for UNIX)
9,1="vpdn:l2tp-tunnel-password=cisco"
This Account-Info attribute is used in the user profile to subscribe the user to a VPDN service.
This attribute subscribes the user to the specified service.
Account-Info = "Nname"
Syntax Description
name | Name of the service profile. |
Example (RADIUS Freeware Format)
Account-Info = "Nl2tp_tunnel.com"
Example (CiscoSecure ACS for UNIX)
9,250="Nl2tp_tunnel.com"
Service-Info attributes are used to define a service. The following attribute defines the L2TP service parameter in the service profile.
This attribute indicates that the service is a tunnel type of service.
Service-Info = "Ttype"
Syntax Description
type | T---Tunnel. Indicates that this is a tunneled service. |
Example (RADIUS Freeware Format)
Service-Info = "TT"
Example (CiscoSecure ACS for UNIX)
9,251="TT"
To verify the RADIUS profiles, refer to the user documentation for your RADIUS server.
To configure the LNS, typically a Cisco 7200 or another NRP, use the following commands beginning in global configuration mode.
Step | Command | Purpose |
---|---|---|
Step 1 | Router(config)# username name password secret | Specifies the password to be used for PAP and CHAP. Each subscriber requires a unique username and password. |
Step 2 | Router(config)# vpdn-group number | Selects the VPDN group. Each L2TP tunnel requires a unique VPDN group. |
Step 3 | Router(config-vpdn)# accept-dialin, followed by protocol l2tp and virtual-template number (see the LNS configuration example) | Accepts incoming L2TP tunnel connections. Also specifies the virtual template interface to use to clone the new virtual access interface. |
Step 4 | Router(config-vpdn)# terminate-from hostname hostname | Specifies the tunnel ID that will be required when accepting a VPDN tunnel. This must match the VPDN tunnel ID configured in the RADIUS service profile. |
Step 5 | Router(config-vpdn)# l2tp tunnel password password | Identifies the password that the router will use for tunnel authentication. |
Step 6 | Router(config-vpdn)# exit | Returns to global configuration mode. |
Step 7 | Router(config)# interface Virtual-Template number | Creates a virtual template interface that can clone new virtual access interfaces. |
Step 8 | Router(config-if)# ip unnumbered interface-type interface-number | Configures the interface as unnumbered and provides a local address. |
Step 9 | Router(config-if)# peer default ip address pool pool-name | Specifies the pool from which to retrieve the IP address to assign to a remote peer dialing in to the interface. |
Step 10 | Router(config-if)# ppp authentication {chap | pap | chap pap | pap chap} | Specifies the order in which the CHAP or PAP protocols are requested on the interface. |
The following privileged EXEC commands will help you monitor and maintain the NRP-SSG support of L2TP.
Command | Purpose |
---|---|
show ssg l2x {dialer-config | dialer-list | dialer-status | info | vpdn-group} service-name | Displays NRP-SSG L2TP information, including dialer configuration, dialer-list tables, tunnel information, and vpdn-group information. |
show vpdn tunnel [all | packets | state | summary | transport] | Displays VPDN tunnel information including tunnel protocol, ID, packets sent and received, receive window sizes, retransmission times, and transport status. |
show vpdn session [all [interface | tunnel | username] | packets | state | window] | Displays VPDN session information including interface, tunnel, username, packets, status, and window statistics. |
clear vpdn tunnel l2tp remote-name local-name | Shuts down a specific tunnel and all the sessions within the tunnel. |
This section provides the following configuration examples:
The following example shows a basic NRP-SSG configuration for a LAC:
!
vpdn enable
ssg enable
!
The following example shows a basic RADIUS user profile for NRP-SSG support of L2TP:
user = l2tp_user{
    member = Some-Users
    radius=CSUNIX_RADIUS_DICTIONARY_for_6400-NRP-SSG-v1.0 {
        check_items= {
            2=cisco
        }
        reply_attributes= {
            6=2
            7=1
            9,250="Nl2tp_tunnel.com"
        }
    }
}
The following example shows a basic RADIUS service profile for NRP-SSG support of L2TP:
reply_attributes= {
    9,251="R10.6.6.0;255.255.255.0"
    9,251="ODomain.com"
    9,251="D10.7.7.7;10.7.7.8"
    9,251="ITunnel1"
    9,251="TT"
    9,251="S10.7.7.7;1645;1646;cisco"
    9,1="vpdn:ip-addresses=10.8.8.8"
    9,1="vpdn:tunnel-id=My-Tunnel"
    9,1="vpdn:l2tp-tunnel-password=cisco"
}
The following example shows a basic LNS configuration:
!
username l2tp_user password 0 cisco
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname My-Tunnel
 l2tp tunnel password 7 02050D480809
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip directed-broadcast
 peer default ip address pool pool2
 ppp authentication pap chap
!
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.
To display NRP-SSG L2TP information, use the show ssg l2x EXEC command.
show ssg l2x {dialer-config | dialer-list | dialer-status | info | vpdn-group} service-name
Syntax Description
dialer-config | Displays dialer configuration. |
dialer-list | Displays dialer-list table. |
dialer-status | Displays runtime dialer status. |
info | Displays SSG L2TP tunnel information. |
vpdn-group | Displays vpdn-group information. |
service-name | RADIUS service profile name. |
Defaults
No default behavior or values.
Command Modes
EXEC
Command History
Release | Modification |
---|---|
12.0(7) DC | This command was introduced on the Cisco 6400 node route processor (NRP). |
Examples
The following examples display the output of the show ssg l2x command:
Router# show ssg l2x dialer-config l2tp_tunnel.com
Dialer3
ip address negotiated
ip nat outside
dialer vpdn
dialer-group 0
dialer idle-timeout 2147483
no keepalive
Router# show ssg l2x dialer-list l2tp_tunnel.com
l2tp_tunnel.com 1
Router# show ssg l2x dialer-status l2tp_tunnel.com
Dialer3 is up (spoofing), line protocol is up (spoofing)
Hardware is Unknown
Internet address will be negotiated using IPCP
MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive not set
DTR is pulsed for 1 seconds on reset
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue:0/75/0 (size/max/drops); Total output drops:0
Queueing strategy:weighted fair
Output queue:0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/16 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 packets output, 0 bytes
Router# show ssg l2x info
1 :srv:l2tp_tunnel.com Didb:Dialer1
Conn Statistics:total:1 up:1 pending:0
### Total L2TPObject Count:1
### Total L2TP Connection Count:1
Router# sh ssg l2x vpdn-group My-l2tp
vpdn-group __SSG1
request-dialin
protocol l2tp
rotary-group 1
local name My-Tunnel
initiate-to ip 10.8.8.8 priority 1
l2tp tunnel password 7 060506324F41
To enable NRP-SSG, use the ssg enable global configuration command. To disable NRP-SSG, use the no form of this command.
ssg enable
Syntax Description
This command has no arguments or keywords.
Defaults
NRP-SSG is disabled
Command Modes
Global configuration
Command History
Release | Modification |
---|---|
12.0(7) DC | This command was introduced on the Cisco 6400. |
Examples
The following example enables NRP-SSG:
ssg enable
To bind a service to a particular dialer-list, use the ssg l2x dialer-list global configuration command. To undo the bind, use the no form of this command.
ssg l2x dialer-list {default | service-name} number
Syntax Description
default | Selects the default dialer list for all unspecified service names. |
service-name | Service name, as configured in the RADIUS service profile. |
number | Dialer group number. |
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification |
---|---|
12.0(7) DC | This command was introduced on the Cisco 6400 node route processor (NRP). |
Examples
The following example binds the service "l2tp_tunnel.com" to dialer list 1:
ssg l2x dialer-list l2tp_tunnel.com 1
Related Commands
Command | Description |
---|---|
show ssg l2x dialer-list | Displays NRP-SSG L2TP information. |
To test the NRP-SSG L2TP data path by sending a ping packet, use the test ssg l2x data privileged EXEC command.
test ssg l2x data host-address service-name destination-address
Syntax Description
host-address | IP address of the target host. |
service-name | Service name of the active connection. |
destination-address | IP address of the destination to which the ping packet is sent. |
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.0(7) DC | This command was introduced on the Cisco 6400. |
Examples
The following example tests the active L2TP connection:
Router# test ssg l2x data 10.10.10.10 l2tp_tunnel.com 10.11.11.11
hostip 10.10.10.10, service l2tp_tunnel.com, destip 10.11.11.11
Creating ping packet (src=10.10.10.10, dest=10.11.11.11).
Performing a source address NAT with real IP 10.12.12.12.
Sending ping packet out via vidb Virtual-Access2
Challenge Handshake Authentication Protocol---See CHAP.
CHAP---Challenge Handshake Authentication Protocol. Security feature supported on lines using PPP encapsulation that prevents unauthorized access. CHAP does not itself prevent unauthorized access; it merely identifies the remote end. The router or access server then determines whether that user is allowed access. Compare to PAP.
L2TP---Layer 2 Tunnel Protocol. An Internet Engineering Task Force (IETF) standards track protocol defined in RFC 2661 that provides tunneling of PPP. Based upon the best features of L2F and PPTP, L2TP provides an industry-wide interoperable method of implementing VPDN.
L2TP access concentrator---See LAC.
L2TP network server---See LNS.
L2TP session---Communications transactions between the LAC and LNS that support tunneling of a single PPP connection. There is a one-to-one relationship among the PPP connection, L2TP session, and L2TP call.
LAC---L2TP access concentrator. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP network server (LNS). The LAC sits between an LNS and a remote system and forwards packets to and from each. Packets sent from the LAC to the LNS require tunneling with the L2TP protocol as defined in this document. The connection from the LAC to the remote system is either local or a PPP link.
Layer 2 Tunnel Protocol---See L2TP.
LNS---L2TP network server. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP access concentrator (LAC). The LNS is the logical termination point of a PPP session that is being tunneled from the remote system by the LAC. Analogous to the Layer 2 Forwarding (L2F) home gateway (HGW).
NAS---Network access server. A device providing local network access to users across a remote access network such as the PSTN. A NAS can also serve as a LAC, LNS, or both.
Network access server---See NAS.
PAP---Password Authentication Protocol. Authentication protocol that allows PPP peers to authenticate one another. The remote router attempting to connect to the local router is required to send an authentication request. Unlike CHAP, PAP passes the password and host name or username in the clear (unencrypted). PAP does not itself prevent unauthorized access, but merely identifies the remote end. The router or access server then determines if that user is allowed access. PAP is supported only on PPP lines. Compare with CHAP.
Password Authentication Protocol---See PAP.
ping---Packet internet groper. ICMP echo message and its reply. Often used in IP networks to test the reachability of a network device.
Point-to-Point Protocol---See PPP.
PPP---Point-to-Point Protocol. A protocol that encapsulates network layer protocol information over point-to-point links. PPP is defined in RFC 1661.
RBE---Routed bridge encapsulation. The process by which a stub-bridged segment is terminated on a point-to-point routed interface. Specifically, the router is routing on an IEEE 802.3 or Ethernet header carried over a point-to-point protocol such as PPP, RFC 1483 ATM, or RFC 1490 Frame Relay.
routed bridge encapsulation---See RBE.
tunnel---A virtual pipe between the LAC and LNS that can carry multiple L2TP sessions.
Posted: Sun Mar 26 14:56:36 PST 2000
Copyright 1989-2000 © Cisco Systems Inc.