Configuring Multihop VPDN
Multihop virtual private dialup networking (VPDN) is a specialized VPDN configuration that allows packets to pass through multiple tunnels. Ordinarily, packets are not allowed to pass through more than one tunnel. In a multihop deployment, the VPDN tunnel is terminated after each hop and a new tunnel is initiated to the next hop destination.
Multihop VPDN deployments are required when the remote private network uses Multichassis Multilink PPP (MMP) with multiple tunnel servers in a stack group.
Multihop VPDN deployments can also be used to configure a device as a tunnel switch. A tunnel switch acts as both a network access server (NAS) and a tunnel server, able to receive packets from an incoming VPDN tunnel and send them out over an outgoing VPDN tunnel. Tunnel switch configurations can be used between Internet service providers (ISPs) to provide wholesale VPDN services.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Multihop VPDN
Before you configure multihop VPDN, a VPDN deployment must be configured. For more information about VPDN deployments that are compatible with multihop VPDN scenarios, see the Configuring an MMP Stack Group for Multihop VPDN section or the Configuring a Multihop Tunnel Switch section.
Information About Multihop VPDN
Using Multihop VPDN with an MMP Stack Group
Multihop VPDN is required when a VPDN tunnel delivers Multilink PPP (MLP) data to a private network that uses an MMP stack group.
MLP provides the capability of splitting and recombining packets to a single end system across a logical pipe (also called a bundle) formed by multiple links.
MMP deployments link multiple tunnel servers in a stack group. Different members of a stack group can terminate MLP links from the same source. Stack group tunnel servers must establish Layer 2 tunnels between each other so that MLP packets from a single host can be properly recombined. If the incoming MLP data is delivered to the stack group over a VPDN tunnel, multihop VPDN is required for the stack group to function.
MMP using multihop VPDN can use only the Layer 2 Tunnel Protocol (L2TP) or Layer 2 Forwarding (L2F) protocol on the NAS and the stack group members.
The figure below shows a network scenario using a multihop VPDN with an MMP deployment.
![](/c/dam/en/us/td/i/100001-200000/120001-130000/127001-128000/127086.ps/_jcr_content/renditions/127086.jpg)
Data from the client is tunneled from the NAS to a stack group member using either L2TP or L2F. If the client is using MLP, multiple data links can terminate on different stack members. Stack group bidding protocol (SGBP) is used to determine which stack member is the MLP bundle owner. Tunnel servers that receive calls belonging to a bundle owned by a different stack group member will forward those calls to the owner using an L2TP or L2F tunnel. Because the data must traverse two VPDN tunnels in this scenario, multihop VPDN must be enabled.
L2TP Redirect for MMP Multihop Deployments
In a traditional MMP deployment, the stack group tunnel servers use L2TP or L2F tunnels to deliver MLP links to the bundle owner. This architecture does not easily scale beyond a few routers per tunnel server stack, and inherently adds hops and latency variations between links in a bundle.
Enabling L2TP redirect allows a stack group member to send a redirect message to the NAS if it receives a link that is owned by another stack group member. L2TP redirect increases the scalability of MMP deployments, load balances sessions across the stack group tunnel servers, and smooths traffic as all links in a multilink bundle experience the same delay and latency.
The figure below shows a network scenario using L2TP redirect for an MMP deployment.
![](/c/dam/en/us/td/i/100001-200000/130001-140000/135001-136000/135473.ps/_jcr_content/renditions/135473.jpg)
When tunnel server 1 answers the initial call, SGBP bidding is performed by all stack group members to determine which device owns the call. If the call is owned by a different tunnel server, such as tunnel server 2, the call must be passed from tunnel server 1 to the owner.
In a traditional multihop SGBP deployment, tunnel server 1 would establish an L2F or L2TP tunnel to tunnel server 2 and forward the call over that tunnel.
With L2TP redirect enabled, instead of establishing a new tunnel to tunnel server 2, tunnel server 1 sends a redirect message to the NAS informing it that tunnel server 2 actually owns the call. The NAS then tears down the initial connection to tunnel server 1 and establishes a new L2TP tunnel directly to tunnel server 2.
How L2TP Redirect Works
In a traditional SGBP multihop VPDN deployment, if a stack group member receives a call that belongs to a different stack group member, it forwards the call to the bundle owner over an L2TP or L2F tunnel. When L2TP redirect is configured, instead of forwarding the call to the bundle owner, the stack group member sends a redirect message to the NAS. The redirect message includes the IP address or redirect identifier of the bundle owner. The NAS terminates the initial connection and initiates a new connection directly to the bundle owner.
For L2TP redirect to function, it must be enabled on both the NAS and the stack group tunnel servers. If the NAS is not configured for L2TP redirect, the tunnel server will forward the call to the bundle owner using traditional multihop technology. This maintains interoperability with non-Cisco devices and Cisco devices running older versions of Cisco IOS software.
In order to redirect the call, the NAS must perform redirect authorization for the bundle owner. If a redirect identifier has been configured on the bundle owner, the NAS uses that identifier to get redirect authorization information. Otherwise, the IP address of the bundle owner must be configured on the NAS.
Number of Redirect Attempts on the NAS
In some cases, a stack group member other than the device that answers the first call from a particular MLP bundle might win the SGBP bid for that call. The call will be redirected to the winning device, but because the call is again the first call from that MLP bundle, another SGBP bid will be triggered. In some rare instances this behavior might result in the initial call being passed from one stack group member to another as different devices win the bid each time.
By default, the NAS will redirect a particular call only three times, preventing excessive redirects. The number of redirect attempts the NAS will make can be configured to meet the needs of a particular network deployment. Once the NAS has redirected a call the configured number of times, it will refuse further redirection requests, and traditional multihop forwarding will occur on the stack group.
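The redirect behavior described in the two sections above, as a small behavioral model (an added example, not Cisco code): it walks one call through successive SGBP bids and applies the NAS redirect authorization rule, the redirect attempt limit, and the fallback to multihop forwarding. All class and function names and the sample stack are constructed for illustration; treating a failed redirect authorization like a refused redirect is an assumption, since the text does not say what happens in that case.

```python
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional, Set

DEFAULT_REDIRECT_ATTEMPTS = 3  # the NAS default stated above


@dataclass(frozen=True)
class TunnelServer:
    name: str
    ip: str                             # address placed in the redirect message
    redirect_id: Optional[str] = None   # "vpdn redirect identifier", if configured


@dataclass
class Nas:
    redirect_enabled: bool = True                        # "vpdn redirect"
    max_attempts: int = DEFAULT_REDIRECT_ATTEMPTS        # "vpdn redirect attempts"
    initiate_to: Set[str] = field(default_factory=set)   # "initiate-to ip" addresses
    redirect_ids: Set[str] = field(default_factory=set)  # "redirect identifier" names

    def authorizes(self, owner: TunnelServer) -> bool:
        """Redirect authorization: identifier if the owner has one, else its IP."""
        if owner.redirect_id is not None:
            return owner.redirect_id in self.redirect_ids
        return owner.ip in self.initiate_to


class Outcome(NamedTuple):
    terminated_on: str    # stack member that ends up owning the link
    via: str              # "direct", "redirect" or "multihop-forward"
    redirects: int        # redirects the NAS actually followed
    log: List[str]


def place_call(nas: Nas, first: TunnelServer, bid_winners: List[TunnelServer]) -> Outcome:
    """Walk one call through successive SGBP bids; bid_winners[i] wins bid i."""
    current, redirects = first, 0
    log = [f"NAS -> {current.name}: open L2TP tunnel"]
    for owner in bid_winners:
        if owner == current:
            break  # the member holding the call won the bid
        if not nas.redirect_enabled:
            reason = "NAS has no L2TP redirect"
        elif redirects >= nas.max_attempts:
            reason = f"NAS refused: {redirects} redirects already made"
        elif not nas.authorizes(owner):
            # Assumption: an unauthorized target is handled like a refused redirect.
            reason = "NAS has no redirect authorization for the owner"
        else:
            redirects += 1
            log.append(f"{current.name} -> NAS: redirect to {owner.redirect_id or owner.ip}")
            log.append(f"NAS: tear down {current.name}, open L2TP tunnel to {owner.name}")
            current = owner
            continue  # the redirected call triggers a new SGBP bid
        log.append(f"{current.name} -> {owner.name}: forward over multihop tunnel ({reason})")
        return Outcome(owner.name, "multihop-forward", redirects, log)
    log.append(f"{current.name}: terminates the link as bundle owner")
    return Outcome(current.name, "redirect" if redirects else "direct", redirects, log)


# Constructed sample stack: three members sharing one redirect identifier.
TS1 = TunnelServer("ts1", "10.1.1.1", "stack1")
TS2 = TunnelServer("ts2", "10.1.1.2", "stack1")
TS3 = TunnelServer("ts3", "10.1.1.3", "stack1")

if __name__ == "__main__":
    nas = Nas(redirect_ids={"stack1"})
    # Rare case from the text: a different member wins every bid.
    result = place_call(nas, TS1, [TS2, TS3, TS1, TS2])
    print("\n".join(result.log))
    print(result.terminated_on, result.via, result.redirects)
```

In the sample run the NAS follows three redirects and refuses the fourth, so the last hop is carried over a traditional multihop tunnel between stack members.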
Load Balancing Calls Using L2TP Redirect
Enabling L2TP redirect allows load balancing of calls to be performed by the stack group rather than the NAS. The stack group tunnel servers bid for each link that comes in, and those tunnel servers with the lightest load will win the bid and become the bundle owner. The managing of bids in this manner results in an even load distribution of sessions among a stack of tunnel servers.
L2TP redirect can also be used to load balance all L2TP PPP calls (not just MLP calls) across a stack group. All the NASs for a particular domain can point to a primary contact tunnel server. This primary tunnel server must have SGBP and the sgbp ppp-forward command configured to force it to issue a mastership query to the stack group for every PPP link. As when performing MLP load balancing, the stack group tunnel servers bid for each link that comes in, and those tunnel servers with the lightest load will win the bids. The primary tunnel server might not actually terminate any sessions; it might simply issue the mastership query, collect the bids, choose the highest one, and redirect the originating NAS to that tunnel server.
Redirect Identifier
The redirect identifier is an optional configuration that simplifies the task of configuring NASs to perform L2TP redirects. If the redirect identifier is not configured, the IP address of every tunnel server in the stack group must be configured with the initiate-to command on each NAS.
The redirect identifier allows new stack group members to be added without the need to update the NAS configuration with their IP addresses. With the redirect identifier configured, a new stack group member can be added and given the same redirect identifier as the rest of the stack group. If stack group members have different authorization information, unique redirect identifiers must be configured.
The redirect identifier can also be configured on a remote RADIUS server, rather than directly on the NAS. The RADIUS server can update multiple NASs with the redirect identifier information, avoiding the requirement to configure the redirect identifier on each NAS.
Redirect Source
The redirect source is an optional configuration that allows a stack group member to advertise a public IP address for L2TP redirection, rather than the IP address used for SGBP bidding. Often a stack group will use private IP addresses for stack group bidding, and these IP addresses will not be reachable by the NAS. Configuring a public IP address as the redirect source allows a stack group member to inform the NAS of the reachable IP address of another stack group member in the redirect request.
Tunnel Switching Using Multihop VPDN
Multihop VPDN can be used to configure a device as a tunnel switch. A tunnel switch acts as both a NAS and a tunnel server, receiving packets from an incoming VPDN tunnel and sending them out over an outgoing VPDN tunnel. Tunnel switch configurations can be used between ISPs to provide wholesale VPDN services. A VPDN tunnel switch can forward L2TP, L2F, or Point-to-Point Tunneling Protocol (PPTP) sessions.
In an L2TP or L2F tunnel switching deployment, the tunnel endpoints are considered the originating NAS and the terminating tunnel server. The tunnel switch is not considered a tunnel endpoint.
In a PPTP tunnel switching deployment, the tunnel endpoints are considered the originating client device and the terminating tunnel server. The tunnel switch is not considered a tunnel endpoint.
The figure below shows a network scenario using a basic L2TP tunnel switching deployment.
![](/c/dam/en/us/td/i/100001-200000/120001-130000/127001-128000/127085.ps/_jcr_content/renditions/127085.jpg)
The tunnel switch can be configured to terminate incoming VPDN tunnels from multiple devices, and to initiate outgoing VPDN tunnels to one or more tunnel servers.
The Subscriber Service Switch (SSS) framework is supported for VPDN tunnel switching. SSS supports additional Layer 2 protocols, including PPP over Ethernet (PPPoE), PPP over ATM (PPPoA), and generic routing encapsulation (GRE). Configuring SSS for VPDN tunnel switching is optional. SSS profiles increase the scalability of tunnel switching configurations, particularly in multiprotocol environments.
How to Configure Multihop VPDN
Configuring an MMP Stack Group for Multihop VPDN
Multihop VPDN is required when a VPDN tunnel delivers MLP data to a private network that uses an MMP stack group.
Perform this task on each of the stack group tunnel servers to enable multihop VPDN.
MMP must be enabled, and a stack group must be configured.
The NAS must be configured to initiate L2TP or L2F VPDN tunnels. For information on configuring the NAS to initiate L2TP or L2F VPDN tunnels, see the Configuring NAS-Initiated Dial-In Tunneling module.
The stack group tunnel servers must be configured to accept incoming L2TP or L2F VPDN tunnels. For information on configuring the stack group tunnel servers to accept incoming L2TP or L2F VPDN tunnels, see the Configuring NAS-Initiated Dial-In Tunneling module.
1. enable
2. configure terminal
3. vpdn multihop
Configuring L2TP Redirect for MMP VPDNs
Enabling L2TP redirect allows a tunnel server in a stack group to send a redirect message to the NAS if it receives a link that belongs to another tunnel server in the stack group. L2TP redirect increases the scalability of MMP deployments. Because all links in a multilink bundle travel directly to the bundle master after redirection, they experience the same delays and latency, resulting in smoother traffic.
L2TP redirect can be used to load balance both MLP and PPP calls across a stack group.
Perform these tasks to configure L2TP redirect:
- Prerequisites for Configuring L2TP Redirect
- Restrictions for Configuring L2TP Redirect
- Enabling L2TP Redirect
- Enabling Multihop VPDN on the NAS
- Configuring the Redirect Identifier on the NAS
- Configuring the Redirect Identifier on the RADIUS Server
- Configuring the Redirect Identifier on the Stack Group Tunnel Servers
- Configuring the Redirect Source on the Stack Group Tunnel Servers
- Monitoring L2TP Redirect Configurations
Prerequisites for Configuring L2TP Redirect
The NAS and tunnel servers must be Cisco equipment.
MMP must be enabled, and a stack group must be configured.
The NAS and the stack group tunnel servers must be configured for L2TP VPDN tunneling. For configuration information, see the Configuring NAS-Initiated Dial-In VPDN Tunneling module.
Multihop VPDN must be enabled on the stack group members. To enable multihop VPDN on the stack group, perform the task in the Configuring an MMP Stack Group for Multihop VPDN section.
Restrictions for Configuring L2TP Redirect
Only the L2TP tunneling protocol is supported.
L2TP redirect capability is supported only for stack group deployments.
Enabling L2TP Redirect
For the redirection of calls to occur, L2TP redirect must be enabled on the NAS and on each participating tunnel server.
Perform this task to enable L2TP redirect on all participating devices and to optionally set the number of allowed redirect attempts on the NAS.
1. enable
2. configure terminal
3. vpdn redirect
4. vpdn redirect attempts number-of-attempts
What to Do Next
You must perform the task in the Enabling Multihop VPDN on the NAS section.
Enabling Multihop VPDN on the NAS
Because redirected packets will pass through multiple VPDN tunnels, multihop must be enabled on the NAS for L2TP redirect to function.
1. enable
2. configure terminal
3. vpdn multihop
Configuring the Redirect Identifier on the NAS
The L2TP redirect identifier is an optional configuration that simplifies the task of configuring the NAS for L2TP redirect. The redirect identifier can be configured directly on the NAS, or on the remote RADIUS server. Configuring the redirect identifier on the remote RADIUS server allows it to be propagated to multiple NASs without having to configure each NAS directly.
Perform this task to configure the redirect identifier directly on the NAS.
To configure the redirect identifier on the RADIUS server, perform the task in the Configuring the Redirect Identifier on the RADIUS Server section instead.
1. enable
2. configure terminal
3. vpdn-group name
4. redirect identifier identifier-name

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | enable | Router> enable | Enables privileged EXEC mode. |
| Step 2 | configure terminal | Router# configure terminal | Enters global configuration mode. |
| Step 3 | vpdn-group name | Router(config)# vpdn-group 1 | Creates a VPDN group and enters VPDN group configuration mode. |
| Step 4 | redirect identifier identifier-name | Router(config-vpdn)# redirect identifier stack1 | Configures a VPDN redirect identifier to use for L2TP call redirection on a NAS. |

What to Do Next
You must perform the task in the Configuring the Redirect Identifier on the Stack Group Tunnel Servers section.
Configuring the Redirect Identifier on the RADIUS Server
The L2TP redirect identifier is an optional configuration that simplifies the task of configuring the NAS for L2TP redirect. The redirect identifier can be configured directly on the NAS, or on the remote RADIUS server. Configuring the redirect identifier on the remote RADIUS server allows it to be propagated to multiple NASs without having to configure each one.
Perform this task to configure the redirect identifier in the RADIUS server profile.
To configure the redirect identifier directly on a NAS, perform the task in the Configuring the Redirect Identifier on the NAS section instead.
1. :0:"vpdn:vpdn-redirect-id = identifier-name"

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | :0:"vpdn:vpdn-redirect-id = identifier-name" | :0:"vpdn:vpdn-redirect-id = stack1" | Configures the redirect identifier in the RADIUS profile. |

What to Do Next
You must perform the task in the Configuring the Redirect Identifier on the Stack Group Tunnel Servers section.
Configuring the Redirect Identifier on the Stack Group Tunnel Servers
The redirect identifier is an optional configuration that simplifies the task of configuring the NAS for L2TP redirect. The redirect identifier must be configured on each member of the stack group.
Perform this task on each stack group tunnel server to configure the redirect identifier.
1. enable
2. configure terminal
3. vpdn redirect identifier identifier-name

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | enable | Router> enable | Enables privileged EXEC mode. |
| Step 2 | configure terminal | Router# configure terminal | Enters global configuration mode. |
| Step 3 | vpdn redirect identifier identifier-name | Router(config)# vpdn redirect identifier stack1 | Configures a VPDN redirect identifier to use for L2TP call redirection on a stack group tunnel server. |

Configuring the Redirect Source on the Stack Group Tunnel Servers
The redirect source is an optional configuration that allows a stack group member to advertise a public IP address for L2TP redirect, rather than the default IP address. The default IP address is that used for SGBP bidding. If your stack group uses private IP addresses for SGBP bidding, you must configure the redirect source for each tunnel server in the stack. Otherwise the NAS will be redirected to the default IP address, which will be unreachable.
Perform this task on each stack group tunnel server to configure the redirect source.
1. enable
2. configure terminal
3. vpdn redirect source redirect-ip-address

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | enable | Router> enable | Enables privileged EXEC mode. |
| Step 2 | configure terminal | Router# configure terminal | Enters global configuration mode. |
| Step 3 | vpdn redirect source redirect-ip-address | Router(config)# vpdn redirect source 10.1.1.1 | Configures the public redirect IP address of a tunnel server. |

Monitoring L2TP Redirect Configurations
The number of L2TP sessions that were redirected or forwarded using traditional multihop technology can be monitored. Statistics are maintained on both the NAS and the tunnel servers.
Perform this task on the NAS or a tunnel server to examine L2TP redirect statistics.
1. enable
2. show vpdn redirect
3. clear vpdn redirect

DETAILED STEPS

Step 1: enable

Enter this command to enable privileged EXEC mode. Enter your password if prompted:

```
Router> enable
```

Step 2: show vpdn redirect

Enter this command to display statistics for all L2TP call redirects and forwards. The display shown in this example is from a tunnel server that redirected four calls using L2TP redirect, and forwarded two calls using traditional multihop VPDN.

```
Router# show vpdn redirect
vpdn redirection enabled
sessions redirected as access concentrator: 4
sessions redirected as network server: 0
sessions forwarded: 2
```

Step 3: clear vpdn redirect

Enter this command to clear the counters for the show vpdn redirect command.

```
Router# clear vpdn redirect
```

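The requirements stated across the L2TP redirect tasks above, gathered into one offline consistency check over device configurations (an added example, not Cisco code or a Cisco tool). The function names `parse` and `audit`, the sample configurations, and the operator-supplied `nas_reachable` networks are constructed for illustration; the check assumes stack member names match the names in their peers' `sgbp member` lines, and comparing the advertised address against the NAS `initiate-to` list is this example's reading of the redirect authorization rule.

```python
import ipaddress
import re


def parse(cfg):
    """Pull out only the statements this module discusses from one device config."""
    lines = [l.strip() for l in cfg.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]

    def args(pattern):
        return [m.groups() for l in lines if (m := re.fullmatch(pattern, l))]

    return {
        "multihop": "vpdn multihop" in lines,
        "redirect": "vpdn redirect" in lines,
        "ts_ident": [g[0] for g in args(r"vpdn redirect identifier (\S+)")],
        "nas_ident": [g[0] for g in args(r"redirect identifier (\S+)")],
        "source": [g[0] for g in args(r"vpdn redirect source (\S+)")],
        "initiate_to": [g[0] for g in args(r"initiate-to ip (\S+)(?: .*)?")],
        "sgbp_members": dict(args(r"sgbp member (\S+) (\S+)")),
    }


def audit(nas_cfg, servers, nas_reachable):
    """Return findings for one NAS and a dict of stack member name -> config."""
    nas = parse(nas_cfg)
    stack = {name.lower(): parse(cfg) for name, cfg in servers.items()}
    nets = [ipaddress.ip_network(n) for n in nas_reachable]
    sgbp_addr = {}  # bidding address of each member, learned from its peers
    for member in stack.values():
        sgbp_addr.update(member["sgbp_members"])
    findings = []
    for name, dev in [("nas", nas)] + sorted(stack.items()):
        if not dev["redirect"]:
            findings.append(f"{name}: 'vpdn redirect' missing, calls will be forwarded instead")
        if not dev["multihop"]:
            findings.append(f"{name}: 'vpdn multihop' missing")
    for name, dev in sorted(stack.items()):
        # Address the NAS is redirected to: redirect source, else the SGBP address.
        advertised = dev["source"][0] if dev["source"] else sgbp_addr.get(name)
        if advertised is None:
            findings.append(f"{name}: no redirect source and no known SGBP address")
            continue
        if not any(ipaddress.ip_address(advertised) in net for net in nets):
            findings.append(f"{name}: NAS cannot reach {advertised}, set 'vpdn redirect source'")
        # Redirect authorization on the NAS: identifier if set, otherwise the IP.
        # A NAS that receives its identifier from RADIUS needs that added here.
        if dev["ts_ident"]:
            if dev["ts_ident"][0] not in nas["nas_ident"]:
                findings.append(f"{name}: identifier {dev['ts_ident'][0]} not on the NAS")
        elif advertised not in nas["initiate_to"]:
            findings.append(f"{name}: no identifier and {advertised} not in NAS initiate-to")
    return findings


# Constructed sample configs, modeled on the statements used in this module.
NAS_CFG = """
vpdn multihop
vpdn redirect
vpdn-group group1
 request-dialin
  protocol l2tp
  domain example.com
 initiate-to ip 10.1.1.1
 redirect identifier stack1
"""
SERVERS = {
    "tsa": """
vpdn multihop
vpdn redirect
vpdn redirect identifier stack1
vpdn redirect source 10.1.1.1
sgbp member tsb 192.168.0.2
sgbp member tsc 192.168.0.3
""",
    "tsb": """
vpdn multihop
vpdn redirect
vpdn redirect identifier stack1
sgbp member tsa 192.168.0.1
sgbp member tsc 192.168.0.3
""",
    "tsc": """
vpdn redirect
vpdn redirect source 10.1.1.3
sgbp member tsa 192.168.0.1
sgbp member tsb 192.168.0.2
""",
}

if __name__ == "__main__":
    for finding in audit(NAS_CFG, SERVERS, ["10.1.1.0/24"]):
        print(finding)
```

On the sample stack the check reports the member that would advertise its private SGBP address, the member without `vpdn multihop`, and the member the NAS has no authorization information for.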
Configuring a Multihop Tunnel Switch
Multihop VPDN can be used to configure a device as a tunnel switch. A tunnel switch acts as both a NAS and a tunnel server, and must be configured with both a NAS VPDN group and a tunnel server VPDN group.
Tunnel switching using the SSS infrastructure is supported. SSS allows L2TP, L2F, PPTP, PPPoE, PPPoA, GRE, and general packet radio service (GPRS) sessions to be switched over virtual links using a tunnel switch. SSS configurations are not required for tunnel switching data over L2TP, L2F, or PPTP tunnels, but SSS increases the scalability of tunnel switching deployments.
A multihop VPDN tunnel switch can be configured to forward L2TP, L2F, or PPTP tunnels.
Perform these tasks to configure a device as a multihop VPDN tunnel switch:
- Prerequisites for Configuring a Multihop Tunnel Switch
- Restrictions for Configuring a Multihop Tunnel Switch
- Enabling Multihop VPDN on the Tunnel Switch
- Configuring the Multihop Tunnel Switch to Terminate Incoming VPDN Tunnels
- Configuring the Multihop Tunnel Switch to Initiate Outgoing VPDN Tunnels
Prerequisites for Configuring a Multihop Tunnel Switch
The tunnel endpoints must be configured for VPDN tunneling as described in the Configuring Client-Initiated Dial-In VPDN Tunneling module or in the Configuring NAS-Initiated Dial-In VPDN Tunneling module.
If you want to perform VPDN tunnel authorization searches based on the multihop hostname, you must configure the search to use the multihop hostname as described in the Configuring the VPDN Tunnel Authorization Search Order section of the Configuring AAA for VPDNs module.
Restrictions for Configuring a Multihop Tunnel Switch
Tunnel switching based on dialed number identification service (DNIS) numbers or multihop hostnames is supported only in Cisco IOS Release 12.2(13)T and later releases.
Enabling Multihop VPDN on the Tunnel Switch
In tunnel switching deployments, packets must traverse multiple tunnels. Multihop VPDN must be enabled on the tunnel switch for the deployment to function.
1. enable
2. configure terminal
3. vpdn multihop
What to Do Next
You must perform the task in the Configuring the Multihop Tunnel Switch to Terminate Incoming VPDN Tunnels section.
Configuring the Multihop Tunnel Switch to Terminate Incoming VPDN Tunnels
A tunnel switch must be configured as a tunnel server, allowing it to terminate incoming VPDN tunnels. You can configure a tunnel switch to terminate tunnels from multiple devices.
1. enable
2. configure terminal
3. vpdn-group name
4. description string
5. accept-dialin
6. protocol {any | l2f | l2tp | pptp}
7. virtual-template number
8. exit
9. terminate-from hostname host-name

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | enable | Router> enable | Enables privileged EXEC mode. |
| Step 2 | configure terminal | Router# configure terminal | Enters global configuration mode. |
| Step 3 | vpdn-group name | Router(config)# vpdn-group 1 | Creates a VPDN group and enters VPDN group configuration mode. |
| Step 4 | description string | Router(config-vpdn)# description myvpdngroup | (Optional) Adds a description to a VPDN group. |
| Step 5 | accept-dialin | Router(config-vpdn)# accept-dialin | Configures a tunnel switch to accept requests from a NAS to establish a tunnel, creates an accept-dialin VPDN subgroup, and enters VPDN accept dial-in subgroup configuration mode. |
| Step 6 | protocol {any \| l2f \| l2tp \| pptp} | Router(config-vpdn-acc-in)# protocol l2tp | Specifies the Layer 2 protocol that the VPDN group will use. |
| Step 7 | virtual-template number | Router(config-vpdn-acc-in)# virtual-template 1 | (Optional) Specifies which virtual template will be used to clone virtual access interfaces. This step is not required if the virtual access interface is not going to be cloned when a user connects. |
| Step 8 | exit | Router(config-vpdn-acc-in)# exit | Exits to VPDN group configuration mode. |
| Step 9 | terminate-from hostname host-name | Router(config-vpdn)# terminate-from hostname NAS12 | Specifies the hostname of the remote NAS that will be required when accepting a VPDN tunnel. |

What to Do Next
You must perform the task in the Configuring the Multihop Tunnel Switch to Initiate Outgoing VPDN Tunnels section.
Configuring the Multihop Tunnel Switch to Initiate Outgoing VPDN Tunnels
A tunnel switch must be configured as a NAS, allowing it to initiate outgoing VPDN tunnels. You can configure a tunnel switch to initiate tunnels to multiple devices.
1. enable
2. configure terminal
3. vpdn-group name
4. description string
5. request-dialin
6. protocol {any | l2f | l2tp | pptp}
7. Do one of the following (see Step 7 under DETAILED STEPS).
8. exit
9. initiate-to ip ip-address [limit limit-number] [priority priority-number]

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | enable | Router> enable | Enables privileged EXEC mode. |
| Step 2 | configure terminal | Router# configure terminal | Enters global configuration mode. |
| Step 3 | vpdn-group name | Router(config)# vpdn-group 1 | Creates a VPDN group and enters VPDN group configuration mode. |
| Step 4 | description string | Router(config-vpdn)# description myvpdngroup | (Optional) Adds a description to a VPDN group. |
| Step 5 | request-dialin | Router(config-vpdn)# request-dialin | Configures a tunnel switch to request the establishment of a tunnel to a tunnel server, creates a request-dialin VPDN subgroup, and enters VPDN request dial-in subgroup configuration mode. |
| Step 6 | protocol {any \| l2f \| l2tp \| pptp} | Router(config-vpdn-req-in)# protocol l2tp | Specifies the Layer 2 protocol that the VPDN group will use. |
| Step 7 | Do one of the following: | Router(config-vpdn-req-in)# domain company.com, or Router(config-vpdn-req-in)# dnis 5687, or Router(config-vpdn-req-in)# multihop-hostname nas1 | Requests that PPP calls from a specific domain name be tunneled, or requests that PPP calls from a specific DNIS number or DNIS group be tunneled, or enables the tunnel switch to initiate a tunnel based on the NAS host name or the ingress tunnel ID. |
| Step 8 | exit | Router(config-vpdn-req-in)# exit | Exits to VPDN group configuration mode. |
| Step 9 | initiate-to ip ip-address [limit limit-number] [priority priority-number] | Router(config-vpdn)# initiate-to ip 10.1.1.1 limit 12 | Specifies an IP address that will be used for Layer 2 tunneling. |

Configuration Examples for Multihop VPDN
Example Configuring Multihop VPDN on an MMP Stack Group
The following example configures a stack group and a NAS for dial-in L2F VPDN tunneling with multihop VPDN enabled:
Tunnel Server A Configuration
```
!Enable VPDN
vpdn enable
!
!Enable multihop VPDN
vpdn multihop
!
!Configure the tunnel server to accept L2F tunnels from the NAS
vpdn-group group1
 accept-dialin
  protocol l2f
  virtual-template 1
  exit
 terminate-from 172.18.32.139
!
!Configure the tunnel server as a stack group member
username user1 password mypassword
sgbp group mystack
sgbp member tunnelserverb 10.1.1.2
sgbp member tunnelserverc 10.1.1.3
```
Tunnel Server B Configuration
```
!Enable VPDN
vpdn enable
!
!Enable multihop VPDN
vpdn multihop
!
!Configure the tunnel server to accept L2F tunnels from the NAS
vpdn-group group1
 accept-dialin
  protocol l2f
  virtual-template 1
  exit
 terminate-from 172.18.32.139
!
!Configure the tunnel server as a stack group member
username user1 password mypassword
sgbp group mystack
sgbp member tunnelservera 10.1.1.1
sgbp member tunnelserverc 10.1.1.3
```
Tunnel Server C Configuration
```
!Enable VPDN
vpdn enable
!
!Enable multihop VPDN
vpdn multihop
!
!Configure the tunnel server to accept L2F tunnels from the NAS
vpdn-group group1
 accept-dialin
  protocol l2f
  virtual-template 1
  exit
 terminate-from 172.18.32.139
!
!Configure the tunnel server as a stack group member
username user1 password mypassword
sgbp group mystack
sgbp member tunnelservera 10.1.1.1
sgbp member tunnelserverb 10.1.1.2
```
NAS Configuration
```
!Enable VPDN
vpdn enable
!
!Configure the NAS to initiate L2F tunnels
vpdn-group group1
 request-dialin
  protocol l2f
  domain cisco.com
!
!Configure the NAS with the IP address of each tunnel server in the stack group
 initiate-to ip 10.1.1.1
 initiate-to ip 10.1.1.2
 initiate-to ip 10.1.1.3
```
Example Configuring L2TP Redirect
The following example configures a stack group and a NAS for dial-in L2TP VPDN tunneling and enables basic L2TP redirect:
Tunnel Server A Configuration
```
!Enable VPDN
vpdn enable
!
!Enable multihop to ensure interoperability with devices that are not capable of
!performing L2TP redirect.
vpdn multihop
!
!Enable L2TP redirect
vpdn redirect
!
!Configure the tunnel server to accept L2TP tunnels from the NAS
vpdn-group group1
 accept-dialin
  protocol l2tp
  virtual-template 1
  exit
 terminate-from 172.18.32.139
!
!Configure the tunnel server as a stack group member
username user1 password mypassword
sgbp group mystack
sgbp member tunnelserverb 10.1.1.2
sgbp member tunnelserverc 10.1.1.3
```
Tunnel Server B Configuration
!Enable VPDN
vpdn enable
!
!Enable multihop to ensure interoperability with devices that are not capable of
!performing L2TP redirect.
vpdn multihop
!
!Enable L2TP redirect
vpdn redirect
!
!Configure the tunnel server to accept L2TP tunnels from the NAS
vpdn-group group1
 accept-dialin
  protocol l2tp
  virtual-template 1
  exit
 terminate-from 172.18.32.139
!
!Configure the tunnel server as a stack group member
username user1 password mypassword
sgbp group mystack
sgbp member tunnelservera 10.1.1.1
sgbp member tunnelserverc 10.1.1.3
Tunnel Server C Configuration
!Enable VPDN
vpdn enable
!
!Enable multihop to ensure interoperability with devices that are not capable of
!performing L2TP redirect.
vpdn multihop
!
!Enable L2TP redirect
vpdn redirect
!
!Configure the tunnel server to accept L2TP tunnels from the NAS
vpdn-group group1
 accept-dialin
  protocol l2tp
  virtual-template 1
  exit
 terminate-from 172.18.32.139
!
!Configure the tunnel server as a stack group member
username user1 password mypassword
sgbp group mystack
sgbp member tunnelservera 10.1.1.1
sgbp member tunnelserverb 10.1.1.2
NAS Configuration
!Enable VPDN
vpdn enable
!
!Enable multihop VPDN
vpdn multihop
!
!Enable L2TP redirect
vpdn redirect
!
!Configure the NAS to initiate L2TP tunnels
vpdn-group group1
 request-dialin
  protocol l2tp
  domain cisco.com
!
!Configure the NAS with the IP address of each tunnel server in the stack group
 initiate-to ip 10.1.1.1
 initiate-to ip 10.1.1.2
 initiate-to ip 10.1.1.3
Example Configuring L2TP Redirect with a Redirect Identifier
The following example configures the NAS and stack group tunnel servers for L2TP redirect using a redirect identifier:
Tunnel Server A Configuration
!Enable VPDN
vpdn enable
!
!Enable multihop to ensure interoperability with devices that are not capable of
!performing L2TP redirect.
vpdn multihop
!
!Enable L2TP redirect
vpdn redirect
!
!Configure the tunnel server to accept L2TP tunnels from the NAS
vpdn-group group1
 accept-dialin
  protocol l2tp
  virtual-template 1
  exit
 terminate-from 172.18.32.139
!
!Configure the tunnel server as a stack group member
username user1 password mypassword
sgbp group mystack
sgbp member tunnelserverb 10.1.1.2
sgbp member tunnelserverc 10.1.1.3
!
!Configure the redirect identifier
vpdn redirect identifier stack1
Tunnel Server B Configuration
!Enable VPDN
vpdn enable
!
!Enable multihop to ensure interoperability with devices that are not capable of
!performing L2TP redirect.
vpdn multihop
!
!Enable L2TP redirect
vpdn redirect
!
!Configure the tunnel server to accept L2TP tunnels from the NAS
vpdn-group group1
 accept-dialin
  protocol l2tp
  virtual-template 1
  exit
 terminate-from 172.18.32.139
!
!Configure the tunnel server as a stack group member
username user1 password mypassword
sgbp group mystack
sgbp member tunnelservera 10.1.1.1
sgbp member tunnelserverc 10.1.1.3
!
!Configure the redirect identifier
vpdn redirect identifier stack1
Tunnel Server C Configuration
!Enable VPDN
vpdn enable
!
!Enable multihop to ensure interoperability with devices that are not capable of
!performing L2TP redirect.
vpdn multihop
!
!Enable L2TP redirect
vpdn redirect
!
!Configure the tunnel server to accept L2TP tunnels from the NAS
vpdn-group group1
 accept-dialin
  protocol l2tp
  virtual-template 1
  exit
 terminate-from 172.18.32.139
!
!Configure the tunnel server as a stack group member
username user1 password mypassword
sgbp group mystack
sgbp member tunnelservera 10.1.1.1
sgbp member tunnelserverb 10.1.1.2
!
!Configure the redirect identifier
vpdn redirect identifier stack1
NAS Configuration
!Enable VPDN
vpdn enable
!
!Enable L2TP redirect
vpdn redirect
!
!Configure the NAS to initiate L2TP tunnels
vpdn-group group1
 request-dialin
  protocol l2tp
  domain cisco.com
!
!Configure the NAS with the redirect identifier
 redirect identifier stack1
Example Configuring Redirect Identifiers on the RADIUS Server
The following example shows the RADIUS server profile configured with three unique redirect identifiers for stack group members with unique authentication requirements. Each stack group member must be configured with the corresponding unique redirect identifier. When the NAS receives a redirect request containing the redirect identifier of the owner of the call, it can look up the proper authentication information in the RADIUS profile associated with that redirect identifier.
cisco.com Password = "cisco"
    Tunnel-Type = :0:L2TP,
    Tunnel-Medium-Type = :0:IP,
    Tunnel-Server-Endpoint = :0:"10.1.1.1",
    Cisco:Cisco-Avpair = :0:"vpdn:vpdn-redirect-id=ts1",
    Tunnel-Type = :1:L2TP,
    Tunnel-Medium-Type = :1:IP,
    Tunnel-Server-Endpoint = :1:"10.1.1.2",
    Cisco:Cisco-Avpair = :1:"vpdn:vpdn-redirect-id=ts2",
    Tunnel-Type = :2:L2TP,
    Tunnel-Medium-Type = :2:IP,
    Tunnel-Server-Endpoint = :2:"10.1.1.3",
    Cisco:Cisco-Avpair = :2:"vpdn:vpdn-redirect-id=ts3"
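The NAS can only match a redirect identifier to the right tunnel server if the tag on each attribute groups it with the correct endpoint. The following Python check is an added example, not part of the Cisco documentation: it groups tagged attributes by tag and reports duplicated or incomplete tunnel groups. The function names, the one-attribute-per-line layout, and the rule that every tag carries all four attributes are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the tagged-attribute style of the profile above.
# The second tunnel group is mis-tagged: three of its attributes carry tag 0.
SAMPLE_PROFILE = '''
Tunnel-Type = :0:L2TP,
Tunnel-Medium-Type = :0:IP,
Tunnel-Server-Endpoint = :0:"10.1.1.1",
Cisco:Cisco-Avpair = :0:"vpdn:vpdn-redirect-id=ts1",
Tunnel-Type = :1:L2TP,
Tunnel-Medium-Type = :0:IP,
Tunnel-Server-Endpoint = :0:"10.1.1.2",
Cisco:Cisco-Avpair = :0:"vpdn:vpdn-redirect-id=ts2"
'''

ATTR_RE = re.compile(r'^\s*([\w:-]+)\s*=\s*:(\d+):"?([^",]*)"?,?\s*$')
REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Server-Endpoint", "redirect-id")

def parse_profile(text):
    """Group tagged attributes by tag; return (groups, duplicate findings)."""
    groups, findings = defaultdict(dict), []
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue  # user/password line, blank line, or untagged attribute
        name, tag, value = m.group(1), int(m.group(2)), m.group(3)
        if name.endswith("Cisco-Avpair"):
            if not value.startswith("vpdn:vpdn-redirect-id="):
                continue  # some other AV pair, not relevant to redirect
            name, value = "redirect-id", value.split("=", 1)[1]
        if name in groups[tag]:
            findings.append(f"tag {tag}: duplicate {name} ({groups[tag][name]} and {value})")
        groups[tag][name] = value
    return groups, findings

def audit_profile(text):
    """Return findings for duplicated, incomplete, or non-unique tunnel groups."""
    groups, findings = parse_profile(text)
    for tag in sorted(groups):
        missing = [a for a in REQUIRED if a not in groups[tag]]
        if missing:
            findings.append(f"tag {tag}: missing {', '.join(missing)}")
    ids = [g["redirect-id"] for g in groups.values() if "redirect-id" in g]
    if len(ids) != len(set(ids)):
        findings.append("redirect identifiers are not unique across tunnel groups")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE_PROFILE)))
```

A profile that produces no findings has one complete attribute set per tag and a distinct redirect identifier per tunnel server endpoint.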
Example Configuring the Redirect Source on a Stack Group Tunnel Server
The following example configures one member of a stack group to accept dial-in L2TP VPDN tunnels and enables L2TP redirect using a redirect source IP address:
!Enable VPDN
vpdn enable
!
!Enable multihop to ensure interoperability with devices that are not capable of
!performing L2TP redirect.
vpdn multihop
!
!Enable L2TP redirect
vpdn redirect
!
!Configure the tunnel server to accept L2TP tunnels
vpdn-group group1
 accept-dialin
  protocol l2tp
  virtual-template 1
  exit
 terminate-from 172.18.32.139
!
!Configure the tunnel server as a stack group member
username user1 password mypassword
sgbp group stack1
sgbp member tunnelserverb 10.1.1.2
sgbp member tunnelserverc 10.1.1.3
!
!Configure the redirect source
vpdn redirect source 172.23.1.1
Example Configuring Multihop VPDN Tunnel Switching
The following example configures a NAS, tunnel switch, and tunnel server to establish a multihop VPDN tunnel using L2TP:
NAS Configuration
! Configure the NAS to initiate VPDN dial-in sessions to the tunnel switch
vpdn-group 1
 request-dialin
  protocol l2tp
  domain cisco.com
 !
 initiate-to ip 172.22.66.25
 local name ISP-NAS
Tunnel Switch Configuration
!Enable VPDN
vpdn enable
!
!Enable multihop
vpdn multihop
!
! Configure the tunnel switch to use the multihop hostname in the authentication search.
vpdn search-order multihop-hostname domain dnis
!
! Configure the tunnel switch to accept dial-in sessions from the NAS
vpdn-group tunnelin
 accept-dialin
  protocol l2tp
  virtual-template 1
 !
 terminate-from hostname ISP-NAS
 local name ISP-Sw
!
! Configure the tunnel switch to initiate VPDN dial-in sessions to the tunnel server
vpdn-group tunnelout
 request-dialin
  protocol l2tp
  multihop-hostname ISP-NAS
 !
 initiate-to ip 10.2.2.2
 local name ISP-Sw
Tunnel Server Configuration
! Configure the tunnel server to accept dial-in sessions from the NAS
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 !
 terminate-from hostname ISP-Sw
 local name ENT-TS
Where to Go Next
You can perform any of the relevant optional tasks in the Configuring Additional VPDN Features and in the VPDN Tunnel Management modules.
Additional References
Related Documents
Related Topic | Document Title |
---|---|
Cisco IOS commands | |
VPDN commands | Cisco IOS VPDN Command Reference |
VPDN technology overview | VPDN Technology Overview module |
Information about Multichassis Multilink PPP | Implementing Multichassis Multilink PPP module |
Information about virtual templates | Configuring Virtual Template Interfaces module |
Dial Technologies commands | Cisco IOS Dial Technologies Command Reference |
Information about SSS | Configuring a Cisco Subscriber Service Switch Policy module |
Broadband access aggregation and DSL command: complete command syntax, command mode, defaults, usage guidelines, and examples | Cisco IOS Broadband Access Aggregation and DSL Command Reference |
Standards
Standard | Title |
---|---|
None | -- |
MIBs
MIB | MIBs Link |
---|---|
None | To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFC | Title |
---|---|
RFC 2341 | Cisco Layer Two Forwarding (Protocol) L2F |
RFC 2661 | Layer Two Tunneling Protocol L2TP |
Technical Assistance
Description | Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | |
Feature Information for Multihop VPDN
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to . An account on Cisco.com is not required.
Feature Name | Software Releases | Feature Configuration Information |
---|---|---|
L2TP Redirect | 12.2(13)T | This feature allows a tunnel server participating in SGBP to send a redirect message to the NAS if another stack group member wins the SGBP bid. The NAS will then reinitiate the call to the newly redirected tunnel server. The following commands were introduced by this feature: clear vpdn redirect, show vpdn redirect, vpdn redirect, vpdn redirect attempts, vpdn redirect identifier, vpdn redirect source. |
Subscriber Service Switch | 12.2(13)T | This feature provides flexibility on where and how many subscribers are connected to available services and how those services are defined. The primary focus of SSS is to direct PPP from one point to another using a Layer 2 subscriber policy. The policy will manage tunneling of PPP in a policy-based bridging fashion. The following VPDN commands were introduced or modified by this feature: multihop-hostname, vpdn search-order. |
VPDN Multihop by DNIS | 12.2(13)T | This feature allows DNIS-based multihop capability for VPDNs. The following commands were introduced or modified by this feature: vpdn multihop, vpdn search-order. |