Configuring Multihop VPDN

Multihop virtual private dialup networking (VPDN) is a specialized VPDN configuration that allows packets to pass through multiple tunnels. Ordinarily, packets are not allowed to pass through more than one tunnel. In a multihop deployment, the VPDN tunnel is terminated after each hop and a new tunnel is initiated to the next hop destination.

Multihop VPDN deployments can also be used to configure a device as a tunnel switch. A tunnel switch acts as both a network access server (NAS) and a tunnel server, able to receive packets from an incoming VPDN tunnel and send them out over an outgoing VPDN tunnel. Tunnel switch configurations can be used between Internet service providers (ISPs) to provide wholesale VPDN services.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Multihop VPDN

Before you configure multihop VPDN, a VPDN deployment must be configured. For more information about VPDN deployments that are compatible with multihop VPDN scenarios, see the Configuring a Multihop Tunnel Switch.

Restrictions for Multihop VPDN

Only the Layer 2 Tunneling Protocol (L2TP) is supported on the Cisco ASR 1000 Series Aggregation Services Routers.

Information About Multihop VPDN

Tunnel Switching Using Multihop VPDN

Multihop VPDN can be used to configure a device as a tunnel switch. A tunnel switch acts as both a NAS and a tunnel server, receiving packets from an incoming VPDN tunnel and sending them out over an outgoing VPDN tunnel. Tunnel switch configurations can be used between ISPs to provide wholesale VPDN services. A VPDN tunnel switch on the Cisco ASR 1000 Series Aggregation Services Routers can forward L2TP sessions. L2F or Point-to-Point Tunneling Protocol (PPTP) are not supported.

In an L2TP tunnel switching deployment, the tunnel endpoints are considered the originating NAS and the terminating tunnel server. The tunnel switch is not considered a tunnel endpoint.

The figure below shows a network scenario using a basic L2TP tunnel switching deployment.

Figure 1. Tunnel Switching Using Multihop VPDN

The tunnel switch can be configured to terminate incoming VPDN tunnels from multiple devices, and to initiate outgoing VPDN tunnels to one or more tunnel servers.

The Subscriber Service Switch (SSS) framework is supported for VPDN tunnel switching. SSS supports additional Layer 2 protocols, including PPP over Ethernet (PPPoE) and generic routing encapsulation (GRE). Configuring SSS for VPDN tunnel switching is optional. SSS profiles increase the scalability of tunnel switching configurations, particularly in multiprotocol environments.

How to Configure Multihop VPDN

Configuring a Multihop Tunnel Switch

Multihop VPDN can be used to configure a device as a tunnel switch. A tunnel switch acts as both a NAS and a tunnel server, and must be configured with both a NAS VPDN group and a tunnel server VPDN group.

Tunnel switching using the SSS infrastructure is supported. SSS allows L2TP, L2F, PPTP, PPPoE, PPPoA, GRE, and general packet radio service (GPRS) sessions to be switched over virtual links using a tunnel switch. SSS configurations are not required for tunnel switching data over L2TP, L2F, or PPTP tunnels, but SSS increases the scalability of tunnel switching deployments.


Note

On the Cisco ASR 1000 Series Aggregation Services Router, a multihop VPDN tunnel switch can be configured to forward L2TP tunnels only.

Perform these tasks to configure a device as a multihop VPDN tunnel switch:

Prerequisites for Configuring a Multihop Tunnel Switch

  • The tunnel endpoints must be configured for VPDN tunneling as described in the Configuring NAS-Initiated Dial-In VPDN Tunneling module.

  • If you want to perform VPDN tunnel authorization searches based on the multihop hostname, you must configure the search to use the multihop hostname as described in the Configuring AAA for VPDNs module.

Enabling Multihop VPDN on the Tunnel Switch

In tunnel switching deployments, packets must traverse multiple tunnels. Multihop VPDN must be enabled on the tunnel switch for the deployment to function.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. vpdn multihop

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

vpdn multihop

Example:

Router(config)# vpdn multihop

Enables VPDN multihop.

Configuring the Multihop Tunnel Switch to Terminate Incoming VPDN Tunnels

A tunnel switch must be configured as a tunnel server, allowing it to terminate incoming VPDN tunnels. You can configure a tunnel switch to terminate tunnels from multiple devices.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. vpdn-group name
  4. description string
  5. accept-dialin
  6. protocol l2tp
  7. virtual-template number
  8. exit
  9. terminate-from hostname host-name

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

vpdn-group name

Example:

Router(config)# vpdn-group 1

Creates a VPDN group and to enters VPDN group configuration mode.

Step 4

description string

Example:

Router(config-vpdn)# description myvpdngroup

(Optional) Adds a description to a VPDN group.

Step 5

accept-dialin

Example:

Router(config-vpdn)# accept-dialin

Configures a tunnel switch to accept requests from a NAS to establish a tunnel, creates an accept-dialin VPDN subgroup, and enters VPDN accept dial-in subgroup configuration mode.

Step 6

protocol l2tp

Example:

Router(config-vpdn-acc-in)# protocol l2tp

Specifies the Layer 2 Tunneling Protocol that the VPDN group will use.

Step 7

virtual-template number

Example:

Router(config-vpdn-acc-in)# virtual-template 1

(Optional) Specifies which virtual template will be used to clone virtual access interfaces.

This step is not required if the virtual access interface is not going to be cloned when a user connects.

Step 8

exit

Example:

Router(config-vpdn-acc-in)# exit

Exits to VPDN group configuration mode.

Step 9

terminate-from hostname host-name

Example:

Router(config-vpdn)# terminate-from hostname NAS12

Specifies the hostname of the remote NAS that will be required when accepting a VPDN tunnel.

What to Do Next

You must perform the task in the Configuring the Multihop Tunnel Switch to Initiate Outgoing VPDN Tunnels section.

Configuring the Multihop Tunnel Switch to Initiate Outgoing VPDN Tunnels

A tunnel switch must be configured as a NAS, allowing it to initiate outgoing VPDN tunnels. You can configure a tunnel switch to initiate tunnels to multiple devices.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. vpdn-group name
  4. description string
  5. request-dialin
  6. protocol l2tp
  7. Do one of the following:
    • domain domain-name
    • dnis {dnis-number | dnis-group-name }
    • multihop-hostname ingress-tunnel-name
  8. exit
  9. initiate-to ip ip-address [limit limit-number ] [priority priority-number ]

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

vpdn-group name

Example:

Router(config)# vpdn-group 1

Creates a VPDN group and enters VPDN group configuration mode.

Step 4

description string

Example:

Router(config-vpdn)# description myvpdngroup

(Optional) Adds a description to a VPDN group.

Step 5

request-dialin

Example:

Router(config-vpdn)# request-dialin

Configures a tunnel switch to request the establishment of a tunnel to a tunnel server, creates a request-dialin VPDN subgroup, and enters VPDN request dial-in subgroup configuration mode.

Step 6

protocol l2tp

Example:

Router(config-vpdn-req-in)# protocol l2tp

Specifies the Layer 2 Tunneling Protocol that the VPDN group will use.

Step 7

Do one of the following:

  • domain domain-name
  • dnis {dnis-number | dnis-group-name }
  • multihop-hostname ingress-tunnel-name
Example:

Router(config-vpdn-req-in)# domain company.com
Example:

Router(config-vpdn-req-in)# dnis 5687
Example:

Router(config-vpdn-req-in)# multihop-hostname nas1

Requests that PPP calls from a specific domain name be tunneled.

or

Requests that PPP calls from a specific DNIS number or DNIS group be tunneled.

or

Enables the tunnel switch to initiate a tunnel based on the NAS host name or the ingress tunnel ID.

Note 

If you use the multihop-hostname command to configure your tunnel switch, you must configure vpdn search-order command with the multihop-hostname keyword. For more information on configuring the VPDN tunnel authorization search order, see the Configuring AAA for VPDNs module.

Step 8

exit

Example:

Router(config-vpdn-req-in)# exit

Exits to VPDN group configuration mode.

Step 9

initiate-to ip ip-address [limit limit-number ] [priority priority-number ]

Example:

Router(config-vpdn)# initiate-to ip 10.1.1.1 limit 12

Specifies an IP address that will be used for Layer 2 tunneling.

  • limit --Maximum number of connections that can be made to this IP address.

  • priority --Priority for this IP address.

Note 

The priority keyword is typically not configured on a tunnel switch. Information used for load balancing and failover is configured on a remote authentication, authorization, and accounting (AAA) server instead. For more information about configuring load balancing and failover priorities using a remote AAA server, see the Configuring AAA for VPDNs module.

  • Multiple tunnel servers can be configured on the tunnel switch by configuring multiple initiate-to commands.

Configuration Examples for Multihop VPDN

Example Configuring Multihop VPDN Tunnel Switching

The following example configures a NAS, tunnel switch, and tunnel server to establish a multihop VPDN tunnel using L2TP:

NAS Configuration


! Configure the NAS to initiate VPDN dial-in sessions to the tunnel switch
vpdn-group 1
 request-dialin
  protocol l2tp
  domain cisco.com
!
 initiate-to ip 172.22.66.25 
 local name ISP-NAS

Tunnel Switch Configuration


!Enable VPDN
vpdn enable
!
!Enable multihop
vpdn multihop

!

! Configure the tunnel switch to use the multihop hostname in the authentication search.

 vpdn search-order multihop-hostname domain dnis

!

! Configure the tunnel switch to accept dial-in sessions from the NAS
vpdn-group tunnelin
 accept-dialin
  protocol l2tp
  virtual-template 1 
!
 terminate-from hostname ISP-NAS
 local name ISP-Sw
!
! Configure the tunnel switch to initiate VPDN dial-in sessions to the tunnel server
vpdn-group tunnelout
 request-dialin
  protocol l2tp
  multihop-hostname ISP-NAS
!
 initiate-to ip 10.2.2.2
 local name ISP-Sw

Tunnel Server Configuration


! Configure the tunnel server to accept dial-in sessions from the NAS
vpdn-group 1
 accept-dialin 
  protocol l2tp
  virtual-template 1 
! 
 terminate-from hostname ISP-Sw
 local name ENT-TS

Where to Go Next

You can perform any of the relevant optional tasks in the Configuring Additional VPDN Features and in the VPDN Tunnel Management modules.

Additional References

Related Documents

Related Topic

Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

VPDN commands

Cisco IOS VPDN Command Reference

VPDN technology overview

VPDN Technology Overview

Broadband access aggregation and DSL commands

Cisco IOS Broadband Access Aggregation and DSL Command Reference

Standards

Standard

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

--

MIBs

MIB

MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

RFC 2661

Layer Two Tunneling Protocol (L2TP)

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Multihop VPDN

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for Multihop VPDN

Feature Name

Software Releases

Feature Configuration Information

Multihop VPDN

Cisco IOS XE Release 2.2

This feature was introduced on Cisco ASR 1000 Series Routers.

Multihop VPDN is a specialized VPDN configuration that allows packets to pass through multiple tunnels. Ordinarily, packets are not allowed to pass through more than one tunnel. In a multihop deployment, the VPDN tunnel is terminated after each hop and a new tunnel is initiated to the next hop destination.

No commands were introduced or modified by this feature.

Subscriber Service Switch

Cisco IOS XE Release 2.2.1

This feature provides flexibility on where and how many subscribers are connected to available services and how those services are defined. The primary focus of SSS is to direct PPP from one point to another using a Layer 2 subscriber policy. The policy will manage tunneling of PPP in a policy-based bridging fashion.

The following VPDN commands were introduced or modified by this feature:

multihop-hostname and vpdn search-order .