Session Limit per VPDN Template
The Session Limit per VPDN Template feature allows you to apply session limits on all VPDN groups associated with a common virtual private dialup network (VPDN) template. You can limit the number of VPDN sessions that terminate in a single VRF.
Feature Specifications for the Session Limit per VPDN Template Feature
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Contents
•Prerequisites for Session Limit per VPDN Template
•Restrictions for Session Limit per VPDN Template
•Information About Session Limit per VPDN Template
•How to Configure Session Limit per VPDN Template
•Configuration Examples for Session Limit per VPDN Template
Prerequisites for Session Limit per VPDN Template
To enable the Session Limit per VPDN Template feature, you must have a VPDN enabled on the router and at least one VPDN group configured. The router must make a Layer 2 Forwarding (L2F) or Layer 2 Tunneling Protocol (L2TP) connection before VPDN configurations can be established.
Restrictions for Session Limit per VPDN Template
Nesting of VPDN templates is not supported. A single VPDN group can be associated only with one template at a time.
Information About Session Limit per VPDN Template
To configure the Session Limit per VPDN Template feature, you should understand the following concepts:
•Benefits of Session Limit per VPDN Template
•How Session Limit per VPDN Template Works
Benefits of Session Limit per VPDN Template
The Session Limit per VPDN Template feature controls the resources consumed by a single customer account by limiting the number of concurrent sessions terminating in a single VPN Routing and Forwarding (VRF).
How Session Limit per VPDN Template Works
Before the implementation of the Session Limit per VPDN Template feature, a single default template carrying the configuration values of a subset of VPDN group commands was associated with all VPDN groups configured on the router. The Session Limit per VPDN Template feature allows you to limit the number of VPDN sessions terminated on a single VRF by allowing for session limits to be applied on all VPDN groups associated with a common virtual private dialup network (VPDN) template.
The Session Limit per VPDN Template feature enables you to create, define, and name multiple VPDN templates. You can then associate a specific template that matches VRF requirements with a VPDN group. A session limit can be configured at the VPDN template level to specify a combined session limit for all VPDN groups associated with the configured VPDN template.
How to Configure Session Limit per VPDN Template
This section contains the following procedures:
•Configuring Session Limit per VPDN Template (required)
•Monitoring and Maintaining Session Limit per VPDN Template (optional)
Configuring Session Limit per VPDN Template
Perform this task to configure the Session Limit per VPDN Template.
SUMMARY STEPS
1. vpdn enable
2. vpdn-template name
3. group session-limit number
4. Repeat Steps 2 and 3 to configure additional named VPDN templates.
5. exit
6. vpdn-group tag
7. accept-dialin
or
request-dialout
8. protocol protocol
9. exit
10. source vpdn-template name
11. Repeat Steps 6 through 10 to configure session limiting on additional VPDN groups.
DETAILED STEPS
Output Examples
This section shows you how to verify your configuration of the Session Limit per VPDN Template feature:
•Sample Output for the show running-config command
Sample Output for the show running-config command
Enter the show running-config command to verify the configuration of the Session Limit per VRF feature:
Router# show running-config
Building configuration...
Current configuration :2655 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname lns
!
logging buffered 64000 debugging
no logging console
aaa new-model
!
!
aaa group server radius vpdn-group
 server 172.16.0.0 auth-port 1645 acct-port 1646
!
aaa authentication ppp default local
aaa authorization network default local
aaa accounting send stop-record authentication failure
aaa accounting network default start-stop group radius
aaa session-id common
!
username client@cisco.com password 0 cisco
username lac password 0 cisco
username lns password 0 cisco
ip subnet-zero
!
!
no ip domain-lookup
!
ip cef
!
sgbp group cp6512
vpdn enable
vpdn multihop
vpdn tunnel authorization password 7 040B521005255F58031D161D141D03003925223E3C31311D0818
vpdn tunnel authorization virtual-template 200
vpdn tunnel authorization network jkads
!
vpdn-template primary <! This output confirms the configuration of a VPDN template group "primary">
 group session-limit 3
!
vpdn-group dialout
 accept-dialout
 protocol l2tp
 dialer 1
 terminate-from hostname lac
!
vpdn-group special
! Default L2TP VPDN group
! Default PPTP VPDN group
 accept-dialin
 protocol any
 source vpdn-template primary
!
Enter the show vpdn session command to display the status of all active tunnels:
Router# show vpdn session
%No active L2TP tunnels
L2F Session Information Total tunnels 1 sessions 2
CLID MID Username Intf State
1 4 username@cisco.com Vi2 open
1 3 username@cisco.com Vi1 open
%No active PPTP tunnels
%No active PPPoE tunnels
Monitoring and Maintaining Session Limit per VPDN Template
You may, optionally, verify or troubleshoot performance by performing any of the following steps, in any order.
SUMMARY STEPS
1. show vpdn group name
2. show vpdn
3. show vpdn history failure
4. show vpdn session [all [interface | tunnel | username] | packets | sequence | state | timers | window]
DETAILED STEPS
Troubleshooting Tips
•If you attempt to associate a VPDN group with a named VPDN template that has not been configured, the VPDN group uses the system defaults.
•You can associate a VPDN group with only one named VPDN template at a time. If you associate a VPDN group with a named VPDN template, and then with a second VPDN template, the VPDN group is unbound from the first VPDN template and associated with the second.
•If you configure the session-limit command, it takes precedence over the group session-limit command.
•If you configure the group session-limit command to allow fewer sessions than are currently active on the router, existing sessions are not brought down and new sessions cannot start.
•If you configure the vpdn session-limit command in global configuration mode, these parameters are applied for any settings not configured in the individual VPDN group or VPDN template.
•If you remove a named VPDN template that has VPDN groups associated with it, those VPDN groups are unbound from that VPDN template and are associated with the default VPDN template.
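The limits described in this document can be checked against a configuration before it is deployed. The following Python script is an added example, not Cisco code: it reads typed VPDN commands and reports how many more sessions each VPDN group can accept, and which groups are not bounded by any limit. It assumes that every configured limit (VPDN group, VPDN template, global) acts as an independent cap, as the configuration examples in this document describe; the function names and the DEFAULT label are choices made for this example.

```python
import re

DEFAULT = "(default)"  # label used here for the unnamed (default) VPDN template
# Sample input: the small-group / medium-group / large-group example from this document.
EXAMPLE = """\
vpdn-template
group session-limit 10
exit
vpdn-group medium-group
accept-dialin
protocol any
exit
session-limit 20
exit
vpdn-group small-group
accept-dialin
protocol any
exit
session-limit 5
vpdn-group large-group
accept-dialin
protocol any
exit
no source vpdn-template
"""

def parse_vpdn(text):
    """Collect the session-limit settings from typed IOS configuration lines."""
    cfg = {"global": None, "templates": {}, "groups": {}}
    ctx = None  # ("template" | "group", name) of the block being read
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"vpdn session-limit (\d+)", line):
            cfg["global"] = int(m[1])
        elif m := re.fullmatch(r"vpdn-template(?: (\S+))?", line):
            ctx = ("template", m[1] or DEFAULT)
            cfg["templates"].setdefault(ctx[1], None)
        elif m := re.fullmatch(r"vpdn-group (\S+)", line):
            ctx = ("group", m[1])
            cfg["groups"].setdefault(m[1], {"limit": None, "template": DEFAULT})
        elif ctx and ctx[0] == "template":
            if m := re.fullmatch(r"group session-limit (\d+)", line):
                cfg["templates"][ctx[1]] = int(m[1])
        elif ctx and ctx[0] == "group":
            group = cfg["groups"][ctx[1]]
            if m := re.fullmatch(r"session-limit (\d+)", line):
                group["limit"] = int(m[1])
            elif m := re.fullmatch(r"source vpdn-template(?: (\S+))?", line):
                group["template"] = m[1] or DEFAULT
            elif line == "no source vpdn-template":
                group["template"] = None  # detached: system defaults only
    return cfg

def headroom(cfg, active, group):
    """Sessions `group` can still accept given `active` counts; None if unbounded."""
    g = cfg["groups"][group]
    caps = [g["limit"] - active.get(group, 0)] if g["limit"] is not None else []
    tmpl_limit = cfg["templates"].get(g["template"])  # unconfigured template: no limit
    if tmpl_limit is not None:
        used = sum(n for name, n in active.items()
                   if cfg["groups"].get(name, {}).get("template") == g["template"])
        caps.append(tmpl_limit - used)
    if cfg["global"] is not None:
        caps.append(cfg["global"] - sum(active.values()))
    return max(0, min(caps)) if caps else None  # over-limit groups admit nothing

def unbounded_groups(cfg):
    """Groups that no group, template, or global limit constrains."""
    return sorted(g for g in cfg["groups"] if headroom(cfg, {}, g) is None)
```

For the sample input, unbounded_groups reports large-group, the VPDN group that the example detaches from the default VPDN template without giving it a session limit of its own.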
Configuration Examples for Session Limit per VPDN Template
This section provides the following configuration examples:
•Configuring Session Limit per VPDN Template Examples
Configuring Session Limit per VPDN Template Examples
In the following example, three VPDN groups are created called small-group, medium-group, and large-group. The small-group and medium-group VPDN groups are attached to the default VPDN template. Together, VPDN small-group and medium-group can have no more than ten concurrent sessions. If the small-group has three sessions, the medium-group can have only seven.
VPDN group small-group is configured to have no more than five sessions via the session-limit 5 command, which leaves at least five sessions available for the medium-group. Because it is part of the VPDN default template group, which has a session limit of ten, the medium-group is still limited to ten sessions (when the small-group has no active sessions), even though the session-limit 20 command has been configured.
The third VPDN group in this example, large-group, has no session limit configured. It has been detached from the default VPDN template by the no source vpdn-template command.
vpdn-template
group session-limit 10
exit
vpdn-group medium-group
accept-dialin
protocol any
exit
session-limit 20
exit
vpdn-group small-group
accept-dialin
protocol any
exit
session-limit 5
vpdn-group large-group
accept-dialin
protocol any
exit
no source vpdn-template
In the following example the VPDN group called group-c is attached to the default VPDN template. It can have no more than ten concurrent sessions because the group session-limit 10 command has been configured for the default VPDN template. VPDN group group-c also inherits a local name of local-name from the default VPDN template.
The VPDN groups called group-a and group-b are attached to the VPDN template called template-a. Together, group-a and group-b are limited to 50 concurrent sessions. In addition, group-a and group-b are individually limited to 30 sessions.
Both group-a and group-b VPDN groups use the host name as their local name (host1). Because both group-a and group-b are associated with the VPDN template, template-a, they do not use any configuration from the default VPDN template.
hostname host1
vpdn-template
group session-limit 10
local name local-name
exit
vpdn-template template-a
group session-limit 50
exit
vpdn-group group-a
accept-dialin
protocol any
exit
source vpdn-template template-a
session-limit 30
exit
vpdn-group group-b
accept-dialin
protocol any
exit
source vpdn-template template-a
session-limit 30
exit
vpdn-group group-c
accept-dialin
protocol any
In the following example, two VPDN groups are configured, called group-a and group-b. In this example, group-a can have no more than 5 concurrent sessions, even though it has a VPDN group session limit of 20. The configuration of the global VPDN session limit at five sessions takes effect before the larger limit specific to group-a can take effect. Group-b can have no more than two concurrent sessions, even though the global VPDN session-limit is configured for five sessions. The configuration of the VPDN group session limit at two sessions takes effect before the global VPDN session limit can take effect.
vpdn session-limit 5
vpdn-template
group session-limit 10
vpdn-group group-a
accept-dialin
protocol any
exit
session-limit 20
exit
vpdn-group group-b
accept-dialin
protocol any
exit
session-limit 2
Additional References
For additional information related to the Session Limit per VPDN Template feature, refer to the following references:
•MIBs
•RFCs
Related Documents
Related Topic | Document Title
Configuring your Cisco router or access server to support voice, video, and fax applications
•Cisco IOS Voice, Video, and Fax Command Reference, Release 12.2
•Cisco IOS Voice, Video, and Fax Configuration Guide, Release 12.2
VPDN group default template
VPDN group session limiting
Standards
MIBs
MIBs 1 | MIBs Link
None
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
1 Not all supported MIBs are listed.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
Technical Assistance
Command Reference
This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
group session-limit
To specify the maximum concurrent sessions allowed across all virtual private dialup network (VPDN) groups associated with a particular VPDN template, use the group session-limit command in VPDN template configuration mode. To disable session limiting for a VPDN template, use the no form of this command.
group session-limit number
no group session-limit number
Syntax Description
number
Maximum number of concurrent sessions allowed across all VPDN groups associated with a particular VPDN template. Valid values are from 1 to 32767.
Defaults
No session limit is configured at the VPDN template level.
Command Modes
VPDN template configuration
Command History
Release | Modification
12.2(4)B | This command was introduced.
12.2(13)T | This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to specify the maximum concurrent sessions across all VPDN groups associated with a VPDN template. If you configure a group session limit for the default VPDN template, that session limit is the session limit for all VPDN groups not associated with a named VPDN template. The group session limit configured by this command does not terminate active sessions. If you configure a group session limit that is lower than the number of current active sessions, no sessions are terminated and no new sessions can start.
Session limits configured at the VPDN group level by the session-limit (VPDN) command take precedence over session limits configured at the VPDN template level when the VPDN group level session limit has a smaller configured value than the VPDN template level.
Examples
The following example shows how to configure 100 as the maximum number of concurrent sessions across all VPDN groups attached to the VPDN template called template1:
vpdn session-limit 100
vpdn-template template1
group session-limit 50
Related Commands
source vpdn-template
To configure an individual virtual private dialup network (VPDN) group to use VPDN template settings for all unspecified parameters, use the source vpdn-template command in VPDN group configuration mode. To configure an individual VPDN group to use system default settings rather than the VPDN template settings for all unspecified parameters, use the no form of this command.
source vpdn-template [name]
no source vpdn-template [name]
Syntax Description
Defaults
VPDN template settings are applied to individual VPDN groups.
Command Modes
VPDN group configuration
Command History
Release | Modification
12.2(4)B | This command was introduced.
12.2(13)T | This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to couple or uncouple individual VPDN groups from the VPDN template.
The default hierarchy for the application of VPDN parameters to a VPDN group is as follows:
•VPDN parameters configured for the individual VPDN group are always applied to that VPDN group.
•VPDN parameters configured in the VPDN template are applied for any settings not specified in the individual VPDN group configuration.
•System default settings for VPDN parameters are applied for any settings not configured in the individual VPDN group or VPDN template.
Uncoupling an individual VPDN group from the VPDN template using the no source vpdn-template command results in the following hierarchy for the application of VPDN parameters to that individual VPDN group:
•VPDN parameters configured for the individual VPDN group are always applied to that VPDN group.
•System default settings for VPDN parameters are applied for any settings not configured in the individual VPDN group or VPDN template.
Use the optional name attribute to associate and name a VPDN template with a VPDN group. You can associate a VPDN group with one VPDN template at a time.
Examples
The following example shows how to configure VPDN group 1 to ignore the VPDN template settings and use the system default settings for all unspecified VPDN parameters:
vpdn-group 1
no source vpdn-template
Related Commands
vpdn-template
To enter VPDN group configuration mode to configure a virtual private dialup network (VPDN) template, use the vpdn-template command in global configuration mode. To inactivate the use of a VPDN template, use the no form of this command.
vpdn-template [name]
no vpdn-template [name]
Syntax Description
Defaults
No VPDN template exists. The system default values are applied to individual VPDN groups for any parameters that are not configured in the individual VPDN group.
Command Modes
Global configuration
Command History
Release | Modification
12.2(4)B | This command was introduced.
12.2(13)T | This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to configure global default values for VPDN parameters in a VPDN template. These global default values are applied to all VPDN groups, unless specific values are configured for individual VPDN groups. VPDN parameters that are not specified in the individual VPDN group or in the VPDN template are assigned system default values.
The default hierarchy for the application of VPDN parameters to a VPDN group follows:
•VPDN parameters configured for the individual VPDN group are always applied to that VPDN group.
•VPDN parameters configured in the VPDN template are applied for any settings not specified in the individual VPDN group configuration.
•System default settings for VPDN parameters are applied for any settings not configured in the individual VPDN group or VPDN template.
Not all commands that are available for configuring a VPDN group can be used to configure a VPDN template. Table 1 lists the commands that can be used to configure the VPDN template.
Examples
The following example shows how to enter VPDN template configuration mode and configure two VPDN parameters in the VPDN template:
vpdn-template
l2tp tunnel busy timeout 65
l2tp tunnel password 7 tunnel4me
The following example shows how to configure a VPDN template called customer1 and apply a group session limit of 50 to all VPDN groups attached to that VPDN template:
vpdn-template customer1
group session-limit 50
Related Commands
Glossary
HGW—home gateway, also known as LNS in L2TP contexts.
L2F—Layer 2 Forwarding Protocol. Protocol that supports the creation of secure virtual private dialup networks over the Internet.
L2TP—Layer 2 Tunneling Protocol. An Internet Engineering Task Force (IETF) standards track protocol defined in RFC 2661 that provides tunneling of PPP. Based upon the best features of L2F and PPTP, L2TP provides an industry-wide interoperable method of implementing VPDN.
LAC—L2TP access concentrator. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP network server (LNS). The LAC is located between an LNS and a remote system and forwards packets to and from each. Packets sent from the LAC to the LNS require tunneling with the L2TP Protocol. The connection from the LAC to the remote system is either local or a PPP link.
LNS—L2TP network server. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP access concentrator (LAC). The LNS is the logical termination point of a PPP session that is being tunneled from the remote system by the LAC. Analogous to the Layer 2 Forwarding (L2F) home gateway (HGW).
NAS—network access server, also known as LAC in L2TP context. Cisco platform (or collection of platforms, such as an AccessPath system) that interfaces between the packet world (for example, the Internet) and the circuit world (for example, the PSTN).
PPPoE—Point-to-Point Protocol over Ethernet.
PPTP—Point-to-Point Tunneling Protocol. RFC 2637 describes the PPTP protocol.
VPDN—virtual private dialup network. Also known as virtual private dial network. A VPDN is a network that extends remote access to a private network using a shared infrastructure. VPDNs use Layer 2 tunnel technologies (L2F, L2TP, and PPTP) to extend the Layer 2 and higher parts of the network connection from a remote user across an ISP network to a private network. VPDNs are a cost-effective method of establishing a long distance, point-to-point connection between remote dial users and a private network.
VRF—VPN routing and forwarding. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a provider edge (PE) router.
Note Refer to Internetworking Terms and Acronyms for terms not included in this glossary.