This feature module describes the L2TP Tunnel Switching feature. It includes information on the benefits of the new feature, supported platforms, related documents, and configuration information.
This document includes the following sections:
The L2TP Tunnel Switching feature enables the Cisco 6400 NRP to terminate tunnels from LACs and forward the sessions through new L2TP tunnels selected independently of the client-supplied domains. The NRP as a tunnel switch performs VPDN tunnel authorization based on the ingress tunnel names that are mapped to specified LNSes.
Figure 1 shows an example network topology using the L2TP tunnel switching feature.
Improved Provisioning Scalability
Aggregating LAC tunnels with an L2TP tunnel switch improves provisioning scalability on both the LAC and wholesaler ends.
Improved Permanent Virtual Circuit Interconnect Scalability
In a B-ISDN network, a multihop node can improve PVC interconnect scalability.
When using a RADIUS service profile for tunnel service authorization, the NRP configured as an L2TP tunnel switch must forward all sessions through L2TP tunnels. The L2TP tunnel switch must not terminate any of the sessions.
The L2TP Tunnel Switching feature is supported on the node route processor (NRP) of the Cisco 6400 UAC.
Standards
None
MIBs
None
RFCs
No new or modified RFCs are supported by this feature.
See the following sections for configuration tasks for the L2TP Tunnel Switching feature. All of the listed tasks are required to configure the L2TP tunnel switch.
Note: The NRP as a tunnel switch requires at least two VPDN groups: one to handle incoming tunnels from the LAC, and one to create the L2TP tunnels/sessions to the LNS.
To use the L2TP Tunnel Switching feature, you must first enable VPDN and multihop capabilities by entering the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)#vpdn enable | Enables VPDN functionality. |
| Step 2 | Router(config)#vpdn multihop | Enables VPDN multihop functionality. |
To verify that you enabled VPDN and multihop functionality, use the show running-config EXEC command.
To terminate the tunnel from the LAC, enter the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)#username remote-hostname password secret | Configures the secret (password). Must match the secret configured on the LAC. |
| Step 2 | Router(config)#username local-name password secret | Configures the secret (password). Must match the secret in Step 1. |
| Step 3 | Router(config)#vpdn-group number | Selects the VPDN group. |
| Step 4 | Router(config-vpdn)#accept-dialin | Accepts incoming L2TP tunnel connections. Enters VPDN accept-dialin group mode. |
| Step 5 | Router(config-vpdn-acc-in)#protocol l2tp | Specifies the Layer 2 Tunnel Protocol. |
| Step 6 | Router(config-vpdn-acc-in)#virtual-template number | Specifies the virtual template interface used to clone the new virtual access interface. |
| Step 7 | Router(config-vpdn-acc-in)#exit | Returns to VPDN group mode. |
| Step 8 | Router(config-vpdn)#terminate-from hostname remote-hostname | Specifies the host name of the remote LAC that is required when accepting a VPDN tunnel. Must match remote-hostname in Step 1. |
| Step 9 | Router(config-vpdn)#local name local-name | Specifies the local host name of the tunnel. Must match local-name in Step 2. |
To verify that you successfully configured the tunnel switch to terminate tunnels from the LAC, use the show running-config EXEC command.
To map the ingress tunnel name to an LNS, complete the following steps beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)#username username password secret | Configures the secret (password). Username must match the LNS's host name or tunnel ID. Secret must match the secret configured on the LNS. |
| Step 2 | Router(config)#username egress-tunnel-name password secret | Configures the secret (password). Must match the secret in Step 1. |
| Step 3 | Router(config)#vpdn-group number | Selects the VPDN group. |
| Step 4 | Router(config-vpdn)#request-dialin | Enables the tunnel switch to request L2TP tunnels to the LNS. Enters VPDN request-dialin group mode. |
| Step 5 | Router(config-vpdn-req-in)#protocol l2tp | Specifies the Layer 2 Tunnel Protocol. |
| Step 6 | Router(config-vpdn-req-in)#multihop hostname ingress-tunnel-name | Initiates a tunnel based on the LAC's host name or ingress tunnel ID. |
| Step 7 | Router(config-vpdn-req-in)#exit | Returns to VPDN group mode. |
| Step 8 | Router(config-vpdn)#initiate-to ip ip-address [limit limit-number] [priority priority-number] | Specifies the LNS. Optionally specifies the maximum number of sessions per tunnel as well as the priority of the IP address (1 is highest). |
| Step 9 | Router(config-vpdn)#local name egress-tunnel-name | Specifies the local host name of the tunnel. Must match egress-tunnel-name in Step 2. |
To verify that you successfully mapped the ingress tunnel name to the LNS, use the show running-config EXEC command.
To specify how to perform VPDN tunnel authorization searches, enter the following command in global configuration mode:
| Command | Purpose |
|---|---|
| Router(config)#vpdn search-order multihop-hostname [domain] | Specifies a search by the configured ingress tunnel name. Optionally specifies a search by domain or DNIS if the first search type fails. |
To verify that you successfully configured the tunnel switch to perform VPDN tunnel authorization searches by ingress tunnel name, use the show running-config EXEC command.
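As an added example (not Cisco code), the following Python script checks the cross-box matching rules the steps above impose on the switch-to-LNS hop: the LNS's terminate-from hostname must equal the switch's local name, and each box needs username entries for both tunnel names carrying the same shared secret. The configurations embedded in it are constructed to mirror this document's topology and are not taken from the page.

```python
# Added example (not Cisco code): verifies the matching rules between an L2TP tunnel
# initiator (request-dialin) and the peer that accepts it (accept-dialin).
import re

def parse_vpdn(cfg):
    """Return ({username: secret}, [vpdn-group dicts]) from IOS-style config text."""
    users, groups, cur = {}, [], None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"username (\S+) password (\S+)", line):
            users[m[1]] = m[2]
        elif m := re.match(r"vpdn-group (\S+)", line):
            cur = {"id": m[1]}
            groups.append(cur)
        elif cur is not None:  # only the keywords the configuration steps use
            for key, pat in (("mode", r"(accept-dialin|request-dialin)"),
                             ("remote", r"terminate-from hostname (\S+)"), ("local", r"local name (\S+)")):
                if m := re.match(pat, line):
                    cur[key] = m[1]
    return users, groups

def check_tunnel(initiator_cfg, acceptor_cfg):
    """Findings for the initiator's request-dialin group against the acceptor's accept-dialin group."""
    i_users, i_groups = parse_vpdn(initiator_cfg)
    a_users, a_groups = parse_vpdn(acceptor_cfg)
    rg = next(g for g in i_groups if g.get("mode") == "request-dialin")
    ag = next(g for g in a_groups if g.get("mode") == "accept-dialin")
    findings = []
    # terminate-from hostname on the acceptor must equal local name on the initiator
    if ag.get("remote") != rg.get("local"):
        findings.append(f"acceptor expects hostname {ag.get('remote')!r}, initiator sends {rg.get('local')!r}")
    # Tunnel authentication: each box needs a username entry for both tunnel names,
    # and all four entries must carry the same shared secret.
    secrets = set()
    for side, users in (("initiator", i_users), ("acceptor", a_users)):
        for name in (rg.get("local"), ag.get("local")):
            if name not in users:
                findings.append(f"{side} has no username entry for {name!r}")
            secrets.add(users.get(name))
    if len(secrets) != 1:
        findings.append("shared secret differs across the four username entries")
    return findings

# Constructed sample configs (not from the page), shaped like its tunnel switch and LNS.
SWITCH_CFG = "\n".join(["username LNS password Secret3", "username Tunnel-Switch-Out password Secret3",
    "vpdn-group 11", " request-dialin", "  protocol l2tp", "  multihop hostname net.com",
    " initiate-to ip 10.2.2.2", " local name Tunnel-Switch-Out"])
LNS_GOOD = "\n".join(["username LNS password Secret3", "username Tunnel-Switch-Out password Secret3",
    "vpdn-group 1", " accept-dialin", "  protocol l2tp", "  virtual-template 1",
    " terminate-from hostname Tunnel-Switch-Out", " local name LNS"])
LNS_BAD = LNS_GOOD.replace("hostname Tunnel-Switch-Out", "hostname Tunnel-Switch")  # mismatched peer name
```

Run check_tunnel(SWITCH_CFG, LNS_BAD) to see the hostname mismatch reported; the same check applies to each LAC-to-switch hop by passing the LAC config as the initiator.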
The examples in this section show the configurations necessary for the basic L2TP tunnel switch topology shown in Figure 2. In this topology, a tunnel switch terminates tunnels from two LACs and forwards all the sessions through one tunnel to the LNS.
This section provides the following configuration examples:
In the following example, LAC-1 performs tunnel authorization based on domain name and initiates a tunnel to the L2TP tunnel switch:
```
!
vpdn enable
!
username net.com password Secret1
username Tunnel-Switch-In password Secret1
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain service1.net.com
 initiate-to ip 10.1.1.1
 local name net.com
!
```
In the following example, LAC-2 also performs tunnel authorization based on domain name and initiates a tunnel to the L2TP tunnel switch:
```
!
vpdn enable
!
username net.com password Secret2
username Tunnel-Switch-In password Secret2
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain service2.net.com
 initiate-to ip 10.1.1.1
 local name net.com
!
```
In the following example, the NRP is configured as an L2TP tunnel switch. VPDN groups 1 and 2 are used to terminate the tunnels from the LAC. VPDN group 11 is used to initiate the tunnel to the LNS, and it performs tunnel authorization based on the configured ingress tunnel name.
```
!
vpdn enable
vpdn multihop
vpdn search-order multihop-hostname domain
!
username net.com password Secret1
username Tunnel-Switch-In password Secret1
username net.com password Secret2
username Tunnel-Switch-In password Secret2
username LNS password Secret3
username Tunnel-Switch-Out password Secret3
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname net.com
 local name Tunnel-Switch-In
!
vpdn-group 11
 request-dialin
  protocol l2tp
  multihop hostname net.com
 initiate-to ip 10.2.2.2
 local name Tunnel-Switch-Out
!
interface ATM 0/0/0.1001 point-to-point
 ip address 10.1.1.1 255.255.255.0
 pvc 5/10
  encapsulation aal5snap
!
interface Virtual-Template 1
 ip unnumbered FastEthernet 0/0/0
 no ip directed-broadcast
 no keepalive
 no peer default ip address
 ppp authentication chap
!
```
In the following example, the LNS terminates the tunnel from the L2TP tunnel switch:
```
vpdn enable
!
username LNS password Secret3
username Tunnel-Switch-Out password Secret3
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 ! must match the local name the tunnel switch uses in its request-dialin group
 terminate-from hostname Tunnel-Switch-Out
 local name LNS
!
interface Virtual-Template 1
 ip unnumbered FastEthernet 0/0/0
 no ip directed-broadcast
 ip mroute-cache
 no keepalive
 peer default ip address pool pool-1
 ppp authentication chap
!
```
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.
To enable the L2TP tunnel switch to initiate a tunnel based on the LAC host name or ingress tunnel ID, use the multihop hostname VPDN request-dialin group configuration mode command. To disable this option, use the no form of this command.
multihop hostname ingress-tunnel-name
Syntax Description
| Argument | Description |
|---|---|
| ingress-tunnel-name | LAC host name or ingress tunnel ID. |
Defaults
No default behavior or values.
Command Modes
VPDN request-dialin group
Command History
| Release | Modification |
|---|---|
| 12.1(1)DC1 | This command was introduced on the Cisco 6400 NRP. |
Examples
The following example enables the L2TP tunnel switch to forward sessions from LAC-1 through an outgoing tunnel to IP address 10.3.3.3:
```
!
vpdn-group 11
 request-dialin
  protocol l2tp
  multihop hostname LAC-1
 initiate-to ip 10.3.3.3
 local name Tunnel-Switch
!
```
Related Commands
| Command | Description |
|---|---|
| domain domain-name | Selects the VPDN group for tunnel initiation based on domain name. |
| dnis dnis-number | Selects the VPDN group for tunnel initiation based on DNIS. |
To specify how the service provider's NAS is to perform VPDN tunnel authorization searches, use the vpdn search-order global configuration command. To remove a prior specification, use the no form of the command.
vpdn search-order {multihop-hostname [domain] [dnis] | domain [dnis] [multihop-hostname] | dnis [domain] [multihop-hostname]}
Syntax Description
| Keyword | Description |
|---|---|
| multihop-hostname | Specifies a search on the LAC host name or ingress tunnel ID. |
| domain | Specifies a search on the domain name. |
| dnis | Specifies a search on the DNIS information. |
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.3(5)AA | This command was introduced. |
| 12.1(1)DC1 | The multihop-hostname keyword was added for the Cisco 6400 NRP. |
Usage Guidelines
VPDN authorization searches are performed only as specified.
The configuration shows the vpdn search-order command setting only if the command is explicitly configured.
Examples
The following example configures an L2TP tunnel switch to perform each VPDN authorization search by the multihop-hostname and, if unsuccessful, to search by the domain name.
```
vpdn search-order multihop-hostname domain
```
B-ISDN--Broadband ISDN. ITU-T communication standards designed to handle high-bandwidth applications such as video. B-ISDN currently uses ATM technology over SONET-based transmission circuits to provide data rates from 155 to 622 Mbps and beyond.
DNIS--Dialed Number Identification Service. The called party number. Typically, this is a number used by call centers or a central office where different numbers are each assigned to a specific service.
L2TP--Layer 2 Tunnel Protocol. An Internet Engineering Task Force (IETF) standards track protocol defined in RFC 2661 that provides tunneling of PPP. Based upon the best features of L2F and PPTP, L2TP provides an industry-wide interoperable method of implementing VPDN.
LAC--L2TP Access Concentrator. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP network server (LNS). The LAC sits between an LNS and a remote system and forwards packets to and from each. Packets sent from the LAC to the LNS require tunneling with the L2TP protocol as defined in this document. The connection from the LAC to the remote system is either local or a PPP link.
LNS--L2TP network server. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP access concentrator (LAC). The LNS is the logical termination point of a PPP session that is being tunneled from the remote system by the LAC. Analogous to the Layer 2 Forwarding (L2F) home gateway (HGW).
NAS--Network access server. A device providing local network access to users across a remote access network such as the PSTN. A NAS can also serve as a LAC, LNS, or both.
PVC--Permanent virtual circuit or connection. Virtual circuit that is permanently established. PVCs save bandwidth associated with circuit establishment and tear down in situations where certain virtual circuits must exist all the time. In ATM terminology, called a permanent virtual connection.
VPDN--Virtual Private Dialup Networking. A system that permits the physical dialup connection to appear to be connected directly to a home network while actually residing elsewhere on the network. A virtual pipe is connected between the physical dialup connections and the termination point at the home network.
Posted: Fri Aug 4 17:32:39 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.