This chapter describes how to provision each of the methods of dial access to MPLS (Multiprotocol Label Switching) VPN (virtual private network) integration. It covers the following subjects:
Note Because many of the configuration tasks for these two methods are the same, they are described in a single section, with differences noted where a task applies to only one of the access methods.
The chapter also includes a section on Sample Configurations.
Descriptive overviews of the dial access methods and related features are covered in "Overview of Dial Access to MPLS VPN Integration".
The procedures provided here are specific to provisioning remote access to an MPLS VPN and are based on two assumptions:
1. That the following setup and configuration tasks have already been carried out:
2. That you have a good understanding of the architecture and features you are using and that you have selected the means you will use for implementing those features (for example, which of several strategies you will use for address management or for user authentication and authorization).
See "Overview of Dial Access to MPLS VPN Integration" for information that will help you understand the dial architectures and decide on your implementation approach.
Table 3-1 lists provisioning tasks for L2TP dial-in and for direct ISDN PE dial-in. Procedures for completing each task are described in the sections that follow. If you are viewing this document online, you can click on highlighted text to get details on the procedure.
Table 3-1 Checklist of Tasks for Dial-in Provisioning
Task | L2TP Dial-In | Direct ISDN PE Dial-In
---|---|---
Before you begin, read the Cisco Remote Access to MPLS VPN Integration 2.0 Release Notes at http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/rampls2/relnote/index.htm
Task 2. Configure the SP AAA RADIUS Server with Client Information.
Task 1. Configure L2TP Information for New Customers (L2TP only).
Task 3. Configure VPDN Information for the Customer Group (L2TP only).
Task 4. Configure Authentication and Authorization. On one of the following, depending on how you are handling authentication and authorization:
Task 5. Configure Accounting Between the VHG/PE or NAS/PE and the Access Registrar.
Task 7. (If You Are Using MLP) Configure LCP Renegotiation and Enable MLP for Users in the Group.
Task 8. (If You Are Using MMP) Configure SGBP on Each Stack Group Member.
For miscellaneous component configuration details, refer to the documentation listed in Table 3-2.
Table 3-2 Miscellaneous component configurations
These tasks are done once and are not specific to a particular customer or VPN.
In L2TP dial-in, configure the VHG/PE routers. In direct ISDN PE dial-in, configure the NAS/PE routers. Perform the following steps:
Step 1 Configure a loopback interface (its address is used as the BGP update source in Step 4):
Router (config)# interface loopback [number]
Step 2 Configure IGP (OSPF or IS-IS).
Note For details on configuring OSPF, refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt2/1cfospf.htm. For details on configuring IS-IS, refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt2/1cfisis.htm
Step 3 On the interface connected to the MPLS core, use the following commands to configure CEF and label switching:
Step 4 Use the following commands to configure a BGP peer from the VHG/PE or the NAS/PE to the loopback address of each remote PE:
a. Router (config)# router bgp [autonomous system number of sp]
b. Router (config-router)# neighbor [ip address of the first remote pe] remote-as [same autonomous system number]
c. Router (config-router)# neighbor [ip address of first remote pe] update-source Loopback0
Step 5 Use the following commands to configure the BGP session to exchange VPN-IPV4 route prefixes for each remote PE:
a. Router (config-router)# address-family vpnv4
b. Router (config-router-af)# neighbor [ip address of first remote pe] activate
c. Router (config-router-af)# neighbor [ip address of first remote pe] send-community extended
Table 3-3 provides links to relevant Cisco router configuration documentation.
Table 3-3 PE Routers and Configuration Documentation
Platform | Documentation Location
---|---
Cisco 7200 | http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Hardware:7200&s=Hardware_Info#Hardware_Installation_%26_Configuration
Cisco 7500 | http://www.cisco.com/univercd/cc/td/doc/product/core/cis7505/cicg7500/cicg75bc.htm
Cisco 6400 NRP | http://www.cisco.com/univercd/cc/td/doc/product/dsl_prod/6400/sw_setup/ss_nrp.htm
You must perform this task if you are using a AAA RADIUS server in your network to provide address management or user authentication, authorization, and accounting.
On the AAA RADIUS server, perform the steps in the following section to configure the Cisco Access Registrar (AR) application with information for either of the following dial-in situations:
--> set ipaddress [ip address]
--> set sharedsecret [sharedsecret]
Step 2 Repeat Step 1 to configure VHG/PE client information.
Use the following commands to configure the NAS/PE client:
Step 2 Change to the client directory:
Step 3 Add the NAS/PE router name to the client directory:
Step 4 Define the IP address and shared key of the NAS/PE:
--> set ipaddress [ip address]
--> set sharedsecret [sharedsecret]
For AR configuration details, refer to http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/index.htm
This task is required if you are using an AAA RADIUS server in your network to provide address management or user authentication, authorization, and accounting.
Perform the following steps on whichever device queries the SP AAA RADIUS server: the NAS/LAC or VHG/PE (in L2TP dial-in) or the NAS/PE (in direct ISDN PE dial-in):
a. Router (config)# aaa new-model
b. Router (config)# aaa authentication ppp default local group radius
c. Router (config)# aaa authorization network default local group radius
Step 2 Use the following command to configure the RADIUS server on the device:
Router (config)# radius-server host [ip address of radius server] key [sharedsecret]
Note The sharedsecret must match the sharedsecret defined in Step 1d of "Task 2. Configure the SP AAA RADIUS Server with Client Information".
To use the cisco VSA route command, enter:
cisco-avpair "ip:route = vrf vrf-name 10.10.100.0 255.255.255.0 [next hop ip address(opt)]"
To use the framed route attribute, enter:
framed-route = 10.10.100.0 255.255.255.0 [next hop ip address(opt)]
To use the framed-route attribute in prefix-length form (same function as the framed route above), enter:
framed-route = 10.10.100.0/24 [next hop ip address(opt)]
Perform the tasks described in the following sections for each new customer group.
To configure L2TP information for new customers, do one of the following. The option you select depends on where the L2TP information is stored, on the NAS/LAC or on the AAA server.
Perform the following steps to configure local L2TP information on the NAS/LAC:
Step 2 Enable the search order to look up L2TP tunnels:
Router (config)# vpdn search-order domain dnis
Step 3 Define a new VPDN group for each user:
a. Router (config)# vpdn-group [number]
b. Router (config-vpdn)# request-dialin
Step 4 Define a local username and password for tunnel authentication:
Router (config)# username [hostname] password [tunnel password]
Note By default, the host name used in the L2TP tunnel authentication is the host name of the router. You can change this by adding the following command to the VPDN group: Router (config-vpdn)# local name [hostname]
Perform the following steps to configure L2TP information on the AAA server:
Step 2 Enable the search order to look up L2TP tunnels:
Router (config)# vpdn search-order domain dnis
Step 3 On the NAS/LAC, enable AAA so that L2TP tunnel information is looked up on the AAA server. For details, see "Task 3. Configure RADIUS AAA on the Querying Device".
Step 4 On the AAA server, configure the AR to receive L2TP information:
--> add /Radius/Services/[service name] [service name description] local "" "" RejectAll "" [userlist name]
--> set /Radius/DefaultAuthenticationService [service name]
--> set /Radius/DefaultAuthorizationService [service name]
Note You can also select the authentication and authorization service with scripting. For Access Registrar (AR) configuration details, refer to http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/index.htm .
--> add /Radius/Userlists/[userlist name]
--> add /Radius/UserLists/[userlist name]/[domain name] [domain name description] cisco TRUE "" [attributes list]
Note All user records inside the AR database containing tunnel information must have cisco entered in the password field.
The command for adding a DNIS user is:
--> add /Radius/UserLists/[userlist name]/dnis:[dnis number] [dnis description] cisco TRUE "" [attributes list]
--> add /Radius/Profiles/[attributes list]
--> cd /Radius/Profiles/[attributes list]/Attributes
--> set tunnel-medium-type_tag1 1
--> set tunnel-password_tag1 [tunnel password]
--> set tunnel-server-endpoint_tag1 [vhg ip address]
Note If you are using AR 1.6 Revision 1 or higher, the syntax for the following commands changes from what is given above:
--> set tunnel-medium-type_tag1 ipv4
--> set tunnel-type_tag1 l2tp
To configure the customer virtual routing/forwarding instance (VRF), which is information associated with a specific VPN, perform the following steps on the VHG/PE or NAS/PE.
Note Before you begin, make sure you have performed the initial BGP configuration in "Task 1. Configure the PE Routers for MPLS".
a. Router (config)# ip vrf [vpn name]
b. Router (config-vrf)# rd [route distinguisher value]
c. Router (config-vrf)# route-target import [route target value]
d. Router (config-vrf)# route-target export [route target value]
Step 2 Configure the loopback interface:
Step 3 Configure the BGP session to transport VRF information:
Note The autonomous system number must match that defined in Step 4a of "Task 1. Configure the PE Routers for MPLS".
b. Router (config-router)# address-family ipv4 vrf [vpn name]
c. Router (config-router-af)# redistribute connected metric 1
To configure VPDN information for the customer group, perform the following steps:
Step 2 Define a new VPDN group for each user:
a. Router (config)# vpdn-group [number]
b. Router (config-vpdn)# accept-dialin
c. Router (config-vpdn-acc-in)# protocol l2tp
d. Router (config-vpdn-acc-in)# virtual-template [virtual template number]
Note The host name must match the host name defined in Step 4 of "Task 1. Configure L2TP Information for New Customers (L2TP only)".
Step 3 Define a local username and password for tunnel authentication:
Router (config)# username [hostname] password [tunnel password]
To configure components where user authentication and authorization take place, use one of the following options. (The choice you make depends on your strategy for authentication and authorization.)
Note Local authentication is not used with direct ISDN PE dial-in.
To configure user authentication and authorization on the VHG/PE, perform the following steps:
Note The virtual template number must match the virtual template number defined in Step 2d of "Task 2. Configure VRF Information for the Customer Group".
Note The vpn name must match the vpn name in Step 1a of "Task 2. Configure VRF Information for the Customer Group".
Note The loopback number must match the loopback number in Step 2a of "Task 2. Configure VRF Information for the Customer Group".
Step 2 For each user in the customer group, use the following command to configure a username and password:
Router (config)# username [username@domain] password [user password]
To configure user authentication and authorization on the SP AAA RADIUS server, perform the following steps:
a. Router (config)# aaa new-model
b. Router (config)# aaa authentication ppp default local group radius
c. Router (config)# aaa authorization network default local group radius
Note The virtual template number must match the virtual template number in Step 2d of "Task 2. Configure VRF Information for the Customer Group".
f. Router (config-if)# ppp authentication chap callin
h. Router (config)# radius-server host [radius server ip address] key [sharedsecret]
Step 2 Configure the AR with VHG/PE or NAS/PE client information:
--> add /Radius/Clients/[vhg name] [vhg description] [vhg ip address] [sharedsecret] NAS "" [script ]
Note The script indicates which service needs to be selected for VPDN user authorization and authentication.
--> add /Radius/Services/[vpdn name] [vpdn description] local "" "" RejectAll "" [vpdn userlist name]
Note The VPDN name is derived from the username that is sent by the VHG within the RADIUS access request packet. This information is provided by the script in Step 2a. For scripting procedures, refer to http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/index.htm .
--> add /Radius/Userlists/[vpdn userlist name]
--> add /Radius/UserLists/[vpdn userlist name]/[vpdn username] [vpdn user description] [vpdn user password] TRUE "" [vpdn user attributes]
--> add /Radius/Profiles/[vpdn user attributes]
--> cd /Radius/Profiles/[vpdn user attributes]/Attributes
--> set cisco-avpair "lcp:interface-config=ip vrf forwarding [vpn name]\\n ip unnumbered Loopback [number]"
Note The vpn name must match the vpn name in Step 1a of "Task 2. Configure VRF Information for the Customer Group".
Note The loopback number must match the loopback number in Step 2a of "Task 2. Configure VRF Information for the Customer Group".
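The attributes in the profile above (and the ip:route / framed-route forms shown under "Task 3. Configure RADIUS AAA on the Querying Device") reach the router inside a RADIUS Access-Accept, and they decide which customer VRF the virtual-access interface and its routes land in. The router's only protection against a forged or altered reply is the Response Authenticator computed over the packet with the radius-server key. The following is an added example, not code from this Cisco page or from Access Registrar: it builds such an Access-Accept carrying a cisco-avpair lcp:interface-config (the \\n typed in the AR command becomes a real newline in the attribute), a cisco-avpair ip:route and a Framed-Route, verifies the authenticator the way a NAS must before acting on any attribute, and decodes the attributes. The shared secret, identifier, Request Authenticator and VRF name V1 are constructed values; attribute numbers are from RFC 2865 and vendor ID 9 is Cisco's.

```python
"""Added example (not from the Cisco page): an Access-Accept with Cisco VSAs,
its Response Authenticator check, and decoding of the VRF-related attributes."""
import hashlib
import hmac
import struct

ATTR_FRAMED_ROUTE = 22       # RFC 2865 Framed-Route (string)
ATTR_VSA = 26                # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # Cisco vendor type 1 = cisco-avpair
CODE_ACCESS_ACCEPT = 2


def string_attr(attr_type, text):
    value = text.encode()
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap one cisco-avpair string in a Vendor-Specific attribute."""
    value = text.encode()
    body = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(value)) + value
    return struct.pack("!BB", ATTR_VSA, 2 + len(body)) + body


def build_response(code, identifier, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attr_bytes = b"".join(attrs)
    head = struct.pack("!BBH", code, identifier, 20 + len(attr_bytes))
    resp_auth = hashlib.md5(head + request_auth + attr_bytes + secret).digest()
    return head + resp_auth + attr_bytes


def verify_response(packet, request_auth, secret):
    """The check a NAS performs before acting on a reply: a wrong secret, or any
    change to the attributes after the server signed them, returns False."""
    if len(packet) < 20:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_attrs(packet):
    """Return (name, value) pairs for Framed-Route and cisco-avpair attributes."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        val = packet[pos + 2:pos + alen]
        if atype == ATTR_FRAMED_ROUTE:
            out.append(("Framed-Route", val.decode()))
        elif atype == ATTR_VSA and len(val) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == len(val) - 4:
                out.append(("cisco-avpair", val[6:].decode()))
        pos += alen
    return out


def parse_ip_route(avpair):
    """Split 'ip:route = [vrf NAME] PREFIX MASK [NEXTHOP]' into its parts."""
    key, _, rest = avpair.partition("=")
    if key.strip() != "ip:route":
        return None
    words = rest.split()
    vrf = None
    if words[:1] == ["vrf"]:
        vrf, words = words[1], words[2:]
    if len(words) not in (2, 3):
        raise ValueError("ip:route needs prefix, mask and an optional next hop")
    return {"vrf": vrf, "prefix": words[0], "mask": words[1],
            "nexthop": words[2] if len(words) == 3 else None}


# Constructed values: the shared secret from 'radius-server host ... key', the
# Request Authenticator the NAS put in its Access-Request, and the AR profile.
SECRET = b"demo-sharedsecret"
REQUEST_AUTH = bytes(range(16))
ATTRS = [
    cisco_avpair("lcp:interface-config=ip vrf forwarding V1\n ip unnumbered Loopback1"),
    cisco_avpair("ip:route = vrf V1 10.10.100.0 255.255.255.0"),
    string_attr(ATTR_FRAMED_ROUTE, "10.10.200.0/24"),
]
ACCEPT = build_response(CODE_ACCESS_ACCEPT, 0x2A, REQUEST_AUTH, ATTRS, SECRET)


def tampered_accept():
    """The same packet with the VRF name changed in flight (V1 -> V2)."""
    i = ACCEPT.index(b"forwarding V1") + len(b"forwarding V")
    return ACCEPT[:i] + b"2" + ACCEPT[i + 1:]


if __name__ == "__main__":
    print("genuine reply verifies:", verify_response(ACCEPT, REQUEST_AUTH, SECRET))
    print("tampered reply verifies:", verify_response(tampered_accept(), REQUEST_AUTH, SECRET))
    for name, value in decode_attrs(ACCEPT):
        print(name, "=", repr(value))
```

The tampered packet fails verification only because the router knows the secret; a secret shared across many NAS clients, or one that can be guessed, lets anyone who can answer on UDP 1645 move a session into another customer's VRF, which is why the page's per-client sharedsecret entries in AR and the matching radius-server key on each device matter.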
To configure proxy AAA, perform the following steps:
a. Router (config)# aaa new-model
b. Router (config)# aaa authentication ppp default local group radius
c. Router (config)# aaa authorization network default local group radius
Note The virtual template number must match the virtual template number defined in Step 2d of "Task 2. Configure VRF Information for the Customer Group".
f. Router (config-if)# ppp authentication chap callin
h. Router (config)# radius-server host [radius server ip address] key [sharedsecret]
Step 2 Configure the SP AAA RADIUS server:
--> add /Radius/Clients/[vhg name] [vhg description] [vhg ip address] [sharedsecret] NAS "" [script ]
Note The script indicates which service needs to be selected for VPDN user authorization and authentication.
--> add /Radius/RemoteServers/[remote server host name] [remote server description] radius [remote server ip address] 1645 300000 [sharedsecret]
Note The remote server IP address cannot be reached from the SP AAA server because the MPLS service provider cloud does not have VPN customer routing information. To provide the SP AAA server with routing information, use route leaking or a management VPN. For information on VPN management refer to http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/mpls/index.htm .
--> add /Radius/Services/[vpdn name] [vpdn description] radius
--> cd /Radius/Services/[vpdn name]/RemoteServers
--> set 1 [remote server host name]
Note The VPDN name is derived from the username that is sent by the VHG/PE in the RADIUS access request packet. This information is provided by the script in Step 2a. For scripting procedures, refer to http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/index.htm .
To configure accounting between the VHG/PE or NAS/PE and the AR, perform the following steps:
Note Make sure you have performed the configuration of the user authentication and authorization on your AAA server, described in "Task 4. Configure Authentication and Authorization".
Step 2 Configure the AR.
--> add /radius/services/[ accounting service name]
--> cd /radius/services/[ accounting service name]
Note The accounting service name is derived from the username that is sent by the VHG/PE in the RADIUS accounting request packet. This information is provided by the script in Step 2a. For scripting procedures, refer to http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/index.htm .
Configure address management using one of the following procedures. The procedure you select depends on the address management strategy you are using.
To configure address management using local overlapping address pools, perform the following steps on the VHG/PE or NAS/PE:
Router (config)# ip local pool [vpn customer address pool] [start ip address] [end ip address]
Step 2 Perform one of the following steps. The step you select depends on how you configured user authentication and authorization in "Task 4. Configure Authentication and Authorization".
Router (config-if)# peer default ip address pool [vpn customer address pool]
--> set cisco-avpair "lcp:interface-config=ip vrf forwarding [vpn name]\\n ip unnumbered Loopback[number]\\n peer default ip address pool [vpn customer address pool]"
To configure address management on the SP AAA RADIUS server, perform the following steps.
Note Make sure you have performed the accounting configuration in "Task 5. Configure Accounting Between the VHG/PE or NAS/PE and the Access Registrar". Accounting is mandatory for address management on a RADIUS server.
a. --> add /Radius/ResourceManagers/[resource manager for vpn customer]
b. --> cd /Radius/ResourceManagers/[resource manager for vpn customer]
Step 2 Define the session manager:
a. --> add /Radius/SessionManagers/[session manager name ]
b. --> cd /Radius/SessionManagers/[session manager name]/ResourceManagers
Note The session manager name is derived from the domain name that is sent by the VHG/PE in the RADIUS access request packet. This information is provided by the script in Step 2a. For scripting procedures, refer to http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/index.htm .
If you are implementing ODAP, perform the following steps on VHG/PE or NAS/PE.
Router(config)# ip dhcp pool address pool name
Step 2 Tie the pool to a particular VPN.
Step 3 Configure the network access server to recognize and use vendor-specific attributes.
a. Router(config)# radius-server host ip address
b. Router(config)# radius-server key string
Step 4 Enable an address pooling mechanism used to supply IP addresses.
Router(config)# ip address-pool dhcp-pool
Step 5 Create a virtual template interface.
Router(config)# interface virtual-template number
Step 6 Specify an address from the DHCP mechanism to be returned to a remote peer connecting to this virtual-template interface.
Router(config-if)# peer default ip address dhcp-pool
Note Since the user name might be the same as the VPDN domain name, either use scripts on the RADIUS AR to differentiate between requests for subnets and VPDN information, or make the VRF name different from the domain name.
To configure the RADIUS AR for ODAP, use a script that accomplishes the following:
Cisco AR 1.7 R1 has been enhanced to make ODAP functionality more accessible and to enable ODAP requests and normal user authentication to occur on the same Cisco AR server. To achieve this functionality, a new Cisco vendor script CiscoWithODAPIncomingScript was written to direct ODAP requests to particular services and session managers. CiscoWithODAPIncomingScript also provides the same functionality as the previous CiscoIncomingScript.
Additionally, Cisco AR 1.7 R1 has a new vendor type, CiscoWithODAP which references CiscoWithODAPIncomingScript as its IncomingScript and references the existing script, CiscoOutgoingScript, as its Outgoing Script.
For Cisco AR configuration details, see http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/1_7/users/odap.htm#xtocid1 .
If you are implementing MLP, perform the following steps on the VHG/PE or NAS/PE:
Note The vpdn-group number is the number defined for this group in "Task 3. Configure VPDN Information for the Customer Group (L2TP only)".
Note Without LCP renegotiation, the NAS/LAC might reject MLP requests during initial LCP negotiation between the dial-in user and the NAS/LAC.
Step 2 Use the following command on the virtual template (in L2TP dial-in) or the physical interface or rotary dialer group (in direct ISDN PE dial-in) to enable MLP for users in the group:
Note Enabling MLP is exactly the same in this context as in a non-MPLS environment. For more information, refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fdial_c/fnsprt9/dcdppp.htm.
Note To use MMP, you must also implement MLP. See Task 7. (If You Are Using MLP) Configure LCP Renegotiation and Enable MLP for Users in the Group.
If you are implementing MMP, perform the following steps to configure SGBP on each stack group member (VHG/PE or NAS/PE). Do not define more than one stack group on the same router. In this example, you are configuring stack group member C.
Router (config)# sgbp group <stack-group-name>
Where <stack-group-name> is the name of the stack group. A stack group name is a unique name used for all members of the group.
Step 2 Define the username and the password for stack group member authentication between members of the group:
Router (config)# username <stack-group-name> password <password>
Note The username and password must be the same for all members of the group.
Step 3 Specify the host name and IP address of each stack group peer of this router. For each peer (but not for the local system), enter the following command:
Router (config)# sgbp member <peer-name> <peer-ip-address>
You provision L2TP dial backup in the same way as L2TP dial-in (see "Dial-In Provisioning Checklist"), with the following differences:
For more information on dial backup technology, refer to "Dial Backup Configuration" in the Cisco IOS Dial Technologies Configuration Guide, Release 12.2 at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fdial_c/fnsprt6/dcdbakdp.htm.
In dial backup, either static or dynamic routing can be used, depending on whether dynamic routing is enabled on the primary link.
If dynamic routing is not enabled on the primary link between the CE and the VHG/PE, you must configure static VRF routes for the backup link on the VHG/PE. When the primary link goes down because of lack of connectivity, the primary static route is withdrawn.
For the backup PPP session, the static route is downloaded from the RADIUS AAA server as part of the virtual profile, and the route is inserted into the appropriate VRF when the backup virtual interface is brought up. When the primary link is restored, the primary static VRF route is also restored, and the CE terminates the backup connection. The PE then deletes the backup static VRF route.
If dynamic routing is enabled on the primary CE-PE link, you should configure dynamic routing for the backup link also.
Where static routing is used for the backup link, the static route is configured on the SP RADIUS AAA server as part of the virtual profile and downloaded to the VHG/PE. The route is inserted into the appropriate VRF when the backup virtual interface is brought up.
To configure static routing, perform the following steps:
--> cisco-avpair "ip:route = [prefix] [netmask] [next hop ip address]" (the next hop IP address is optional)
--> cisco-avpair "ip:route = vrf [vrf-name] [prefix] [netmask] [next hop ip address]"
Defining the next hop IP address configures static routing. When the CE requests an IP address for the PPP link, the next hop will be set to this address. (If the next hop is not defined, routing is dynamic.)
Step 2 Download the above information to the VHG/PE.
Where you have configured dynamic routing on the primary CE-PE link, also configure dynamic routing on the backup VHG/PE.
To configure dynamic routing, perform the following steps on the VHG/PE:
Step 2 Assign an address in a.b.c.d format (an IP address on the VHG/PE) to the loopback interface:
Router (config-if)# ip address [a.b.c.d] 255.255.255.255
Step 3 Configure the IGP instance (such as RIP, in this example) for this VRF:
Step 4 Make network a.b.c.d part of the IGP:
Router (config-router-af)# network a.0.0.0
For example, if the IP address in Step 2 is 10.10.33.241, enter network 10.0.0.0.
Step 5 Use a virtual template to download virtual access interface-specific settings from the SP AAA RADIUS server.
--> add /Radius/Services/[vpdn name] [vpdn description] local "" "" RejectAll "" [vpdn userlist name]
Note The VPDN name is derived from the PPP session username that is sent by the VHG/PE in the RADIUS access request packet. This information is provided by the script in Task 4, Configure Authentication and Authorization, Option 2. Configure Authorization and Authentication on the SP AAA RADIUS Server. For scripting procedures, refer to http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/index.htm .
--> add /Radius/Userlists/[vpdn userlist name]
--> add /Radius/UserLists/[vpdn userlist name]/[vpdn username] [vpdn user description] [vpdn user password] TRUE "" [vpdn user attributes]
--> add /Radius/Profiles/[vpdn user attributes]
--> cd /Radius/Profiles/[vpdn user attributes]/Attributes
--> set cisco-avpair "lcp:interface-config=ip vrf forwarding [vpn name]\\n ip unnumbered Loopback [number]"
Note The vpn name must match the vpn name in Step 1a of "Task 2. Configure VRF Information for the Customer Group". The loopback number must match the loopback number in Step 2a of "Task 2. Configure VRF Information for the Customer Group". The virtual interface should be unnumbered to the loopback interface.
Note If you are using a third-party RADIUS server, use the PPP session username to select the RADIUS record. The RADIUS record should contain the attributes in the set cisco-avpair command above.
Provisioning dial-out access is similar to provisioning dial-in access, with these exceptions:
The procedures provided here are specific to provisioning remote access to an MPLS VPN and are based on two assumptions:
1. That the following setup and configuration tasks have already been carried out:
2. That you have a good understanding of the architecture and features you are using and that you have selected the means you will use for implementing those features (for example, which of several strategies you will use for address management or for user authentication and authorization).
See "Overview of Dial Access to MPLS VPN Integration" for information that will help you understand the dial architectures and decide on your implementation approach.
Table 3-4 lists tasks for dial-out provisioning. Procedures for completing each task are described in the sections that follow. If you are viewing this document online, you can click on highlighted text to get details on the procedure.
Table 3-4 Checklist of Tasks for Dial-out Provisioning
Task | L2TP Dial-Out | Direct ISDN PE Dial-Out
---|---|---
Before you begin, read the Cisco Remote Access to MPLS VPN Integration 2.0 Release Notes at http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/rampls2/relnote/index.htm
For miscellaneous component configuration details, see Table 3-2.
In this task, you configure a dialer profile (on the VHG/PE or NAS/PE) to be part of the customer VRF. In L2TP dial-out, you also configure the dialer profile to use a VPDN group.
Router (config-if)# ip vrf forwarding [vpn name]
Step 2 (L2TP only) On the VHG/PE, include the dialer vpdn command in the dialer profile to configure the dialer profile for L2TP:
Router (config-if)# dialer vpdn
In Example 3-3, the commands listed above are in bold. The dialer profile defined is Dialer50. The vpn name is V1.17.com. The dialer pool number, 4, is referenced in the configuration of the VPDN group in Task 2.
Note The dialer-group command specifies which dialer list to use. In the example, dialer-group 1 is linked to dialer-list 1 protocol ip permit, a global command that, like an access list, tells the router which traffic (in this case, all IP traffic) will trigger the dialer profile and thus the call. Alternatively, you can use an access list to filter out routing updates or allow only HTTP traffic (URL requests) to trigger a call.
For more information on configuring dialer profiles, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fdial_c/fnsprt5/dcdiprof.htm.
This task applies to L2TP dial-out only. In this task, you configure the VPDN group as a pool member of the dialer pool defined in the dialer profile in Task 1.
On the VHG/PE, use the following command to configure the VPDN group as a pool member:
Router (config-vpdn-group)# pool-member [pool number]
In Example 3-4, the pool-member corresponds to the pool number in the dialer profile configured in Task 1.
The l2tp tunnel password command overrides the default password in the local user database. You can also define a username for the local name in the global configuration. To do so, use this command:
Router (config)# username c72d2-2-V1.17 password <password>
In this task, you configure the customer VRF (on the VHG/PE or NAS/PE) with a static route for this dial-out user. This will attract traffic to the appropriate remote CE.
On the VHG/PE, in the customer VRF use this command to configure a static route for this dial-out user:
Router (config)# ip route vrf [vpnname] [CE ip address] 255.255.255.255 Dialer50 permanent
Perform the following steps to configure VPDN for dial-out on the NAS. See Example 3-5 for a configuration example.
Step 2 Configure the VPDN group to accept dial-out (when the VHG/PE requests a tunnel and attempts to trigger a session):
Router (config-vpdn-group-acc-out)# dialer 1
Step 3 Configure the tunnel secret to be used for VPN tunnel authentication for this VPDN group:
Router (config)# l2tp tunnel password [tunnel password]
Note The secret must match that used in the VPDN group on the VHG/PE or the entry in the local user password database.
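The tunnel password set here, like the username [hostname] password [tunnel password] entries in "Task 1. Configure L2TP Information for New Customers" and "Task 3. Configure VPDN Information for the Customer Group", is the secret for L2TP's CHAP-like tunnel authentication: each endpoint looks up the password by the peer's host name and answers the peer's challenge with MD5 over the message type byte, the secret and the challenge (RFC 2661, section 5.1.1). The following is an added example, not code from this Cisco page or from IOS: it models the NAS/LAC and VHG/PE sides of the SCCRQ/SCCRP/SCCCN exchange and shows why a mismatched secret, or a missing username entry for the peer's host name, leaves the tunnel unestablished. Host names nas1 and vhg1, the passwords and the challenges are constructed.

```python
"""Added example (not from the Cisco page): L2TP tunnel authentication between
a NAS/LAC and a VHG/PE (LNS) as provisioned by the username/password entries."""
import hashlib
import hmac
import os

SCCRP = 2   # message type in which the LNS (VHG/PE) answers the LAC's challenge
SCCCN = 3   # message type in which the LAC (NAS) answers the LNS's challenge


def challenge_response(msg_type, secret, challenge):
    """RFC 2661 s5.1.1: MD5(message type byte + tunnel password + challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class TunnelEndpoint:
    """One side of an L2TP control connection with its local username database."""

    def __init__(self, hostname, peer_passwords):
        self.hostname = hostname
        self.peer_passwords = peer_passwords   # peer hostname -> tunnel password
        self.sent_challenge = None

    def make_challenge(self):
        self.sent_challenge = os.urandom(16)
        return self.sent_challenge

    def answer(self, peer_hostname, msg_type, challenge):
        secret = self.peer_passwords.get(peer_hostname)
        if secret is None:            # no 'username <peer>' entry: cannot answer
            return None
        return challenge_response(msg_type, secret, challenge)

    def check(self, peer_hostname, msg_type, response):
        secret = self.peer_passwords.get(peer_hostname)
        if secret is None or response is None or self.sent_challenge is None:
            return False
        expected = challenge_response(msg_type, secret, self.sent_challenge)
        return hmac.compare_digest(expected, response)


def establish_tunnel(lac, lns):
    """SCCRQ -> SCCRP -> SCCCN; True only if each side authenticates the other."""
    c1 = lac.make_challenge()                   # SCCRQ carries hostname + challenge
    r1 = lns.answer(lac.hostname, SCCRP, c1)    # SCCRP: LNS's response + its challenge
    c2 = lns.make_challenge()
    if not lac.check(lns.hostname, SCCRP, r1):
        return False                            # LAC tears the tunnel down
    r2 = lac.answer(lns.hostname, SCCCN, c2)    # SCCCN: LAC's response
    return lns.check(lac.hostname, SCCCN, r2)


def demo():
    """Matching passwords succeed; a mismatch or a missing username entry fails."""
    lac = TunnelEndpoint("nas1", {"vhg1": b"tunnel-pw"})
    good_lns = TunnelEndpoint("vhg1", {"nas1": b"tunnel-pw"})
    wrong_lns = TunnelEndpoint("vhg1", {"nas1": b"other-pw"})
    unknown_lns = TunnelEndpoint("vhg1", {})
    return (establish_tunnel(lac, good_lns),
            establish_tunnel(lac, wrong_lns),
            establish_tunnel(lac, unknown_lns))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Because the lookup is keyed by the peer's host name, one username entry per NAS or VHG host name (rather than one password shared by every peer) limits what a compromised NAS can impersonate. The exchange authenticates only control-connection setup; it does not protect the L2TP data traffic that follows.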
Step 4 On the dialer interface, enable dial-on-demand routing:
Router (config-if)# dialer aaa
Note This enables the dialer to use the AAA server to locate the profiles to use for dialing information. When the VHG/PE sends dialer string attributes, the rotary group will trigger the call.
Step 5 On the physical dialer interface, use this command to reference the rotary group dialer 1:
Router (config)# interface serial [physical dialer interface]
Router (config-if)# dialer rotary-group 1
This section includes sample configurations. The examples are presented as illustrations only; your configuration specifics depend on how you are implementing remote access to MPLS VPN and will vary from what is presented here. The relevant commands for remote access to MPLS VPN are in bold and are described in italicized comments.
On the NAS, you configure the VPDN group that will bring up the L2TP tunnel to the VHG/PE.
Note All MPLS VPN-relevant commands are configured on the VHG/PE, not the NAS.
In this example, the VHG/PE is configured to terminate L2TP sessions received from the NAS and query the RADIUS server for dial options authorized for a given dial-in user.
In this example, the SP AAA server is configured to:
In the example, you are assumed to be logged in to the RADIUS host and to have accessed the Access Registrar application.
Note Be sure that you save and reload after changing the Access Registrar configuration.
Posted: Fri Mar 28 16:09:54 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.