
Table of Contents

Layer Two Tunnel Protocol (L2TP)

Feature Summary

Platforms

Prerequisites

Supported MIBs and RFCs

How L2TP Works

Configuration Tasks

Command Reference

Layer Two Tunnel Protocol (L2TP)

Feature Summary

L2TP is the standard method of building a VPDN, which allows mobile users and telecommuters to simulate a private network that uses a shared infrastructure (the Internet).

Layer Two Tunneling Protocol (L2TP) is an emerging Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco's Layer Two Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). L2TP is an extension to the Point-to-Point Protocol (PPP), which is an important component for VPDNs. VPDNs allow mobile users to connect to their corporate intranets or extranets, thus improving flexibility and reducing costs.

Traditional dial-up networking services supported only registered IP addresses, which limited the types of applications that could be implemented over Virtual Private Networks (VPNs). L2TP supports multiple protocols and unregistered and privately administered IP addresses over the Internet. This allows the existing access infrastructure, such as the Internet, modems, access servers, and ISDN terminal adaptors (TAs), to be used.

L2TP can be initiated wherever PPTP or L2F is currently deployed, and can be operated as a client-initiated tunnel (as with PPTP) or as a network access server (NAS)-initiated tunnel (as with L2F). Figure 1 shows the L2TP architecture in a typical dial-up environment.


Figure 1: L2TP Architecture

L2TP offers the same full range of features as L2F, plus additional functionality. An L2TP-capable home gateway (HGW) works with an existing L2F NAS and concurrently supports upgraded NASs running L2TP. LNSs do not require reconfiguration each time an individual NAS is upgraded from L2F to L2TP. Table 1 offers a quick-reference comparison of L2F and L2TP feature components.

Table 1: L2F and L2TP Feature Comparison

Function                                    L2F    L2TP
Flow control                                No     Yes
AVP hiding                                  No     Yes
Home gateway load sharing                   Yes    Yes
Home gateway stacking                       Yes    Yes
Home gateway primary and secondary backup   Yes    Yes
DNS name support                            Yes    Yes
Domain name flexibility                     Yes    Yes
Idle and absolute timeout                   Yes    Yes
Multilink PPP support                       Yes    Yes
Multichassis Multilink PPP support          Yes    Yes
Multihop support                            Yes    Yes
Security                                    see below

Security, L2F:

  • All security benefits of PPP, including multiple per-user authentication options (CHAP, MS-CHAP, PAP).

  • Tunnel authentication mandatory.

Security, L2TP:

  • All security benefits of PPP, including multiple per-user authentication options (CHAP, MS-CHAP, PAP).

  • Tunnel authentication optional in the protocol (enabled by default in Cisco IOS; see the l2tp tunnel authentication command).

Benefits

L2TP offers the following benefits:

List of Terms

attribute-value pair (AV pair)---A generic pair of values passed from an AAA server to an AAA client. For example, in user = jane, "user" is the attribute and "jane" is the value.

challenge handshake authentication protocol (CHAP)---A PPP cryptographic challenge/response authentication protocol in which the cleartext password is not passed over the line. Each endpoint proves knowledge of a shared secret by returning a hash of the secret and a challenge, so the secret itself is never transmitted.

Client---Instigator of the PPP session. Also referred to as the PPP client, or PPP peer.

control messages---An exchange of messages between the LAC and LNS pairs, operating in-band within the tunnel protocol. Control messages govern the aspects of the tunnel and sessions within the tunnel.

dial user---An end system or router attached to an on-demand PSTN or ISDN, which is either the initiator or recipient of a call. Also referred to as a dial-up or virtual dial-up client.

Layer Two Tunneling protocol (L2TP)---A layer 2 tunneling protocol that is an extension to the PPP protocol used for Virtual Private Networks (VPNs). L2TP merges the best features of two existing tunneling protocols: Microsoft's PPTP and Cisco's L2F. It is the emerging IETF standard, currently being drafted by participants from Ascend, Cisco Systems, Copper Mountain Networks, IBM, Microsoft, and 3Com.

Link Control Protocol (LCP)---A protocol that establishes, configures, and tests data link connections used by PPP.

L2TP access concentrator (LAC)---An L2TP device that the client connects to directly and from which PPP frames are tunneled to the L2TP network server (LNS). The LAC need only implement the media over which L2TP operates in order to pass traffic to one or more LNSs. It may tunnel any protocol carried within PPP. The LAC is the initiator of incoming calls and the receiver of outgoing calls. Analogous to the Layer Two Forwarding (L2F) network access server (NAS).

L2TP network server (LNS)---Termination point for an L2TP tunnel and the point where PPP frames are processed and passed to higher-layer protocols. An LNS operates on any platform capable of PPP termination and handles the server side of the L2TP protocol. Because L2TP relies only on the single medium over which the tunnels arrive, the LNS may have a single LAN or WAN interface yet still terminate calls arriving at any of the LAC's full range of PPP interfaces (asynchronous, synchronous, ISDN, V.120, and so on). The LNS is the initiator of outgoing calls and the receiver of incoming calls. Analogous to the Layer Two Forwarding (L2F) home gateway (HGW).

Multiplex Identifier (MID)---The number associated with a specific user's L2TP/L2F session.

Multilink PPP Protocol (MLP)---A protocol that provides the capability of splitting and recombining packets to a single end system across a logical pipe (also called a bundle) formed by multiple links. Multilink PPP provides bandwidth on demand and reduces transmission latency across WAN links.

Network Access Server (NAS)---A device providing temporary, on-demand network access to users. The access is point-to-point, typically using PSTN or ISDN lines. A NAS may also serve as a LAC, an LNS, or both. In Cisco's implementation of L2TP, the NAS serves as a LAC for incoming calls and as an LNS for outgoing calls. The NAS is synonymous with the LAC.

Network Control protocol (NCP)---PPP protocol for negotiation of OSI layer 3, the network layer, parameters.

Password Authentication Protocol (PAP)---A simple PPP authentication mechanism in which a cleartext username and password are transmitted to prove identity. PAP is not as secure as CHAP due to the passing of the cleartext password.

point-of-presence (POP)---The access point to a service provider's network.

Point-to-Point Protocol (PPP)---A protocol that encapsulates network layer protocol information over point-to-point links. The RFC for PPP is RFC 1661.

Point-to-Point Tunneling Protocol (PPTP)---Microsoft's Point-to-Point Tunneling Protocol. Some of the features in L2TP were derived from it.

session---A single, tunneled PPP session. Also referred to as a call.

tunnel---A virtual pipe between the LAC and LNS which can carry multiple PPP sessions.

tunnel ID---A 2-octet value that denotes a tunnel between a LAC and an LNS.

Virtual Private Dialup Networking (VPDN)---A system that permits dial-in networks to exist remotely to home networks, while giving the appearance of being directly connected. VPDNs use L2TP and L2F to terminate the layer 2 and higher parts of the network connection at the LNS, instead of the LAC.

Restrictions

The following restrictions apply to the L2TP feature:

Platforms

L2TP is supported on the following platforms:

Prerequisites

A Cisco router or access server must be using a Cisco IOS software image that supports VPDN.

Supported MIBs and RFCs

L2TP is an emerging standard and currently supports the L2TP Internet Engineering Task Force (IETF) draft document.

How L2TP Works

Using either L2F or L2TP tunneling, an Internet service provider (ISP) or other access service can create a virtual tunnel to link customers' remote sites or remote users with corporate home networks. With L2TP, the L2TP access concentrator (LAC) located at the ISP's point of presence (POP) exchanges PPP messages with remote users and communicates by way of L2TP requests and responses with the customer's L2TP network server (LNS) to set up tunnels. L2TP passes protocol-level packets through the virtual tunnel between the endpoints of a point-to-point connection. Frames from the remote users are accepted by the ISP's POP, stripped of any link framing or transparency bytes, encapsulated in L2TP, and forwarded over the appropriate tunnel. The customer's home gateway accepts these L2TP frames, strips the L2TP encapsulation, and processes the incoming frames for the appropriate interface.

Cisco routers fast switch L2TP traffic, which provides improved performance.

Configuration Tasks

By default, if your Cisco router or access server is running Cisco IOS Release 11.3(5)AA or 12.0(1)T, L2TP-initiated tunnels are enabled automatically when you enable VPDN. To enable VPDN using L2TP-initiated tunnels, use the following commands, beginning in global configuration mode:

Command Reference

This section documents new commands and existing commands that are modified for L2TP:

accept dialin

To specify the local name to use for authentication and the virtual template to use for cloning new virtual access interfaces when an incoming L2TP tunnel connection is requested from a specific remote peer, use the accept dialin VPDN group configuration command. To disable this function, use the no form of this command.

accept dialin [l2f | l2tp | any] remote remote-peer-name virtual-template virtual-template-number
no accept dialin [l2f | l2tp | any] remote remote-peer-name virtual-template virtual-template-number

Syntax Description

l2f | l2tp | any

Indicates which layer two tunnel protocol should be used for a dialin tunnel.

  • l2f---The layer 2 forwarding protocol will be used

  • l2tp---The layer 2 tunnel protocol will be used

  • any---VPDN will use autodetect to determine which tunnel type to use, either l2f or l2tp

remote-peer-name

Case-sensitive name that the remote peer will use for identification and tunnel authentication.

virtual-template-number

The virtual template interface from which the new virtual access interface is cloned.

Default

Disabled. Accept dialin must explicitly be configured.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

This command is used on the LNS in response to a dialin L2F or L2TP tunnel "open request" from the specified peer. Once the request is accepted, it uses the specified virtual template to clone new virtual access interfaces.


Note The vpdn group command must be configured with the accept dialin or request dialin command to be functional. The requester initiates a dialin tunnel; the acceptor accepts a request for a dialin tunnel.

Example

The following example allows the LNS to accept an L2TP dialin tunnel from the remote peer mugsy; the virtual access interface is cloned from virtual-template 1:

accept dialin l2tp remote mugsy virtual-template 1

Related Commands

vpdn incoming

clear vpdn tunnel

To shut down a specified tunnel and all sessions within the tunnel, use the clear vpdn tunnel EXEC command.

clear vpdn tunnel {l2f nas-name hgw-name | l2tp remote-name [local-name]}

Syntax Description

l2f

Specifies the l2f tunnel protocol.

nas-name

Name of the network access server at the far end of the tunnel.

hgw-name

Host name of the home gateway at the local end of the tunnel.

l2tp

Specifies the l2tp tunnel protocol.

remote-name

Host name of the tunnel peer. At the LNS, this is the name of the LAC; at the LAC, this is the name of the LNS.

local-name

(Optional) Local host name for the tunnel.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.
The l2f and l2tp keywords and their options first appeared in Cisco IOS Release 11.3(5)AA.

Use this command for troubleshooting to force the tunnel to come down without unconfiguring it (the tunnel could be restarted immediately by a user logging in).

If you are using the l2tp keyword, you can clear the tunnel by matching either the remote name or remote name and local name.

Example

The following example clears the L2TP tunnel between the remote peer mugsy and the local peer sophia:

clear vpdn tunnel l2tp mugsy sophia

force-local-chap

To force the LNS to reauthenticate the client, use the force-local-chap VPDN group configuration command. To disable reauthentication, use the no form of this command.

force-local-chap
no force-local-chap

Syntax Description

This command has no arguments or keywords.

Default

CHAP authentication at the LNS is disabled. By default, authentication occurs at the LAC.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

This command is used only if CHAP authentication is enabled for PPP (using the ppp authentication chap command). It enhances security by forcing the LNS to reauthenticate the client in addition to the proxy authentication that occurs at the LAC, rather than relying solely on the challenge and response the LAC forwards. When the force-local-chap command is used, the authentication challenge occurs twice: once from the LAC and a second time from the LNS. Some PPP clients may have problems with double authentication. If this occurs, authentication challenge failures can be seen with debugging enabled, using the debug ppp negotiation command.

Example

The following example enables CHAP authentication to occur at the LNS:

force-local-chap
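
The difference between trusting the LAC's proxy authentication and challenging the client again at the LNS can be shown in a few lines. The following is an added example, not Cisco IOS code: the CHAP response computation is the one RFC 1994 specifies (MD5 over the identifier, the secret and the challenge), while the PPPClient, ReplayingClient and LNS functions, the user database and the threat model (a proxy record captured once and replayed through the LAC) are a simplified model and an assumption for the demonstration.

```python
"""PPP CHAP (RFC 1994) as proxied by a LAC versus re-run locally at the LNS.

Added example, not Cisco IOS code. The CHAP response computation is the one
RFC 1994 specifies: MD5(Identifier || Secret || Challenge). The client/LNS
objects and the user database are a simplified model (assumption) of what the
proxy-authentication AVPs carry; they are not IOS data structures.
"""
import hashlib
import hmac
import os

# Constructed sample user database (assumption: the LNS or its AAA server holds
# each user's CHAP secret in a form it can hash).
USER_SECRETS = {"jane@partner.com": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class PPPClient:
    """A genuine dial user who knows the secret and can answer any challenge."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


class ReplayingClient:
    """An attacker holding a captured LAC proxy record, but not the secret."""

    name = "jane@partner.com"

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return bytes(16)  # cannot compute a valid response to a fresh challenge


def lac_proxy_authenticate(client, rng=os.urandom) -> tuple:
    """Default LAC behaviour: challenge the client itself and forward the
    (name, identifier, challenge, response) tuple to the LNS as proxy
    authentication AVPs."""
    identifier, challenge = 1, rng(16)
    return (client.name, identifier, challenge, client.answer(identifier, challenge))


def lns_accept(proxy_record: tuple, client, force_local_chap: bool, rng=os.urandom) -> bool:
    """LNS decision. Without force-local-chap the LNS only checks the tuple the
    LAC forwarded; with it, the LNS issues its own fresh challenge as well."""
    name, identifier, challenge, response = proxy_record
    secret = USER_SECRETS.get(name)
    if secret is None or not chap_verify(identifier, secret, challenge, response):
        return False
    if not force_local_chap:
        return True
    local_id, local_challenge = (identifier + 1) & 0xFF, rng(16)
    return chap_verify(local_id, secret, local_challenge,
                       client.answer(local_id, local_challenge))


def demo() -> dict:
    jane = PPPClient("jane@partner.com", USER_SECRETS["jane@partner.com"])
    record = lac_proxy_authenticate(jane)        # captured once, replayed later
    attacker = ReplayingClient()
    return {
        "proxy_only_genuine": lns_accept(record, jane, force_local_chap=False),
        "proxy_only_replay": lns_accept(record, attacker, force_local_chap=False),
        "local_chap_genuine": lns_accept(record, jane, force_local_chap=True),
        "local_chap_replay": lns_accept(record, attacker, force_local_chap=True),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} accepted={accepted}")
```

The replayed record passes at an LNS that only checks proxy authentication, because the challenge it verifies was chosen by the LAC, not by the LNS; the second, locally generated challenge is what defeats it, at the cost of the double authentication some older clients cannot handle.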

lcp renegotiation

To allow the LNS to renegotiate the link control protocol (LCP) on dialin calls using L2TP or L2F, use the lcp renegotiation command. To remove LCP renegotiation, use the no form of this command.

lcp renegotiation {always | on-mismatch}
no lcp renegotiation

Syntax Description

always

Always renegotiates PPP LCP at the LNS.

on-mismatch

Renegotiates PPP LCP at the LNS only in the event of an LCP mismatch between the LAC and LNS.

Default

LCP renegotiation is not enabled on the LNS.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

This command is valid only at the LNS. When a PPP session is started at the LAC, LCP parameters are negotiated and a tunnel is initiated; the LNS can then either accept the LCP parameters negotiated by the LAC or request LCP renegotiation. Using the lcp renegotiation always command forces renegotiation to occur at the LNS. If lcp renegotiation on-mismatch is configured, renegotiation occurs only if there is an LCP mismatch between the LNS and LAC.


Note Older PC PPP clients may experience a "lock up" during PPP LCP renegotiation.

Example

The following example configures the LNS to renegotiate PPP LCP only if there is a mismatch in LCP parameters between the LAC and LNS:

lcp renegotiation on-mismatch

local name

To specify a local host name that the tunnel will use to identify itself, use the local name VPDN group configuration command. To remove a local name, use the no form of this command.

local name name
no local name name

Syntax Description

name

Local host name of the tunnel.

Default

Disabled. A local name must be explicitly configured.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

If an L2TP tunnel password is not defined using the l2tp tunnel password command, the router uses the password associated with the name configured by the local name command for L2TP tunnel authentication.

Example

The following example configures the local host name of the tunnel as sophia:

local name sophia

Related Commands

hostname

l2f ignore-mid-sequence

To ignore multiplex ID (MID) sequence numbers for sessions in an L2F tunnel, use the l2f ignore-mid-sequence VPDN group configuration command. To stop ignoring MID sequence numbers, use the no form of this command.

l2f ignore-mid-sequence
no l2f ignore-mid-sequence

Syntax Description

This command has no arguments or keywords.

Default

MID sequence number ignoring is disabled.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release11.3(5)AA and 12.0(1)T.

Example

The following example ignores MID sequencing for L2F sessions:

l2f ignore-mid-sequence

l2tp drop out-of-order

To instruct a LAC or LNS using L2TP to drop packets that are received out of order, use the l2tp drop out-of-order command. To disable dropping of out-of-sequence packets, use the no form of this command.

l2tp drop out-of-order
no l2tp drop out-of-order

Syntax Description

This command has no keywords or arguments.

Default

Disabled.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release11.3(5)AA and 12.0(1)T.

This command is valid only for tunnels where sequencing is enabled.

Example

The following example causes the LAC or LNS to drop any packets that are received out of order:

l2tp drop out-of-order

l2tp flow-control backoff-queuesize

To define the maximum number of packets that can be queued locally for a session when a peer's receive window is full, use the l2tp flow-control backoff-queuesize command. To change the queue size, simply reenter the command with the new value. To remove a manually configured flow-control backoff value, use the no form of this command.

l2tp flow-control backoff-queuesize queuesize
no l2tp flow-control backoff-queuesize queuesize

Syntax Description

queuesize

Sets the queue size limit on a LAC or LNS so that when the remote peer's "receive" window is full, the LAC or LNS will backoff sending additional packets.

Default

L2tp flow control backoff queuing is enabled and uses a default value of 25.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

This command is used for congestion control. It does not appear as a valid option if the l2tp flow-control receive-window command is disabled or its value is set to zero (sequencing only).

Example

The following example sets the l2tp flow-control receive-window option to 8, which in turn enables the l2tp flow-control backoff-queuesize option to be enabled. When the remote peer's receive window is full, the maximum packets that can be queued locally for an L2TP session is set to 35.

l2tp flow-control receive-window 8
l2tp flow-control backoff-queuesize 35

Related Commands

l2tp flow-control maximum-ato
l2tp flow-control receive-window

l2tp flow-control maximum-ato

To define the maximum adaptive time-out for congestion control, use the l2tp flow-control maximum-ato command. To reset the time-out to a new value, simply reenter the command with the new value. To remove a manually configured time-out value, use the no form of this command.

l2tp flow-control maximum-ato milliseconds
no l2tp flow-control maximum-ato milliseconds

Syntax Description

milliseconds

The wait-time period before the LAC or LNS probes its remote peer's receive-window to resume sending packets.

Default

2000 milliseconds.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

This command is used for congestion control between the LAC and LNS. It does not appear as a valid option if the l2tp flow-control receive-window command is disabled or set to zero.

Example

The following example forces the LAC/LNS to wait 4000 milliseconds before attempting to probe the remote peer's receive window again:

l2tp flow-control maximum-ato 4000

Related Commands

l2tp flow-control backoff-queuesize
l2tp flow-control receive-window

l2tp flow-control receive-window

To define the LAC/LNS receive window and whether to send sequence numbers, use the l2tp flow-control receive-window command. Use the no form of this command to disable the receive window and the sending of sequence numbers.

l2tp flow-control receive-window windowsize
no l2tp flow-control receive-window

Syntax Description

windowsize

The number of packets the remote peer may send before receiving an acknowledgment; once that many packets are outstanding, the peer backs off and queues further packets.

Default

Receive window and sequence numbers are disabled.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

If the receive-window value is set to zero, then sequence numbers are not sent and congestion control is not enabled. Data zero length body (ZLB) acknowledgments are not sent when congestion control is disabled. If the receive-window value is greater than zero, then congestion control is enabled and the value that is configured is sent to the L2TP receive window attribute value pair (AVP).

Using the l2tp flow-control receive-window command with a value greater than zero, allows you to configure the following L2TP (optional) commands:

   l2tp flow-control maximum-ato
   l2tp flow-control backoff-queuesize

If the l2tp flow-control receive-window command is not enabled or its value is set to zero, the l2tp flow-control maximum-ato and l2tp flow-control backoff-queuesize commands do not appear as configurable options in the command parser.

Example

The following example configures a receive window value of 10 to be communicated to the remote peer, which in turn enables configuration of the l2tp flow-control maximum-ato and l2tp flow-control backoff-queuesize commands:

l2tp flow-control receive-window 10
l2tp flow-control maximum-ato 15
l2tp flow-control backoff-queuesize 35

Related Commands

l2tp flow-control backoff-queuesize
l2tp flow-control maximum-ato
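
How the receive window, the backoff queue and the out-of-order policy interact is easier to see in a small simulation than in three separate command descriptions. The following is an added example, not Cisco IOS code, serving the l2tp flow-control receive-window, l2tp flow-control backoff-queuesize and l2tp drop out-of-order descriptions: Ns/Nr and the Receive Window Size AVP are RFC 2661 concepts, but the Sender and Receiver classes, their counters and the exact queueing rules are a model of the behaviour those descriptions state (an assumption), not IOS internals, and the frame payloads and arrival order are constructed.

```python
"""L2TP data-channel sequencing with a receive window, backoff queue and the
out-of-order policy, modelled as a simulation.

Added example, not Cisco IOS code. Ns/Nr and the Receive Window Size AVP are
RFC 2661 concepts; the Sender/Receiver classes, their counters and the exact
queueing rules (queue when the peer's window is full, drop once the backoff
queue is full, drop or accept out-of-order packets) are a model of the
behaviour the command descriptions state, not IOS internals (assumption).
"""
from collections import deque


class Sender:
    """One session's sending side. peer_window is the value the peer advertised
    with l2tp flow-control receive-window; backoff_queuesize is ours."""

    def __init__(self, peer_window: int, backoff_queuesize: int = 25):
        self.peer_window = peer_window
        self.backoff_queuesize = backoff_queuesize
        self.ns = 0                 # next Ns to send ("Ss" in show vpdn session all)
        self.inflight = deque()     # sent, not yet acknowledged
        self.backlog = deque()      # waiting because the peer's window is full
        self.dropped = 0            # the backlog was full as well

    def _transmit(self, payload: bytes) -> dict:
        pkt = {"ns": self.ns, "payload": payload}
        self.inflight.append(pkt)
        self.ns += 1
        return pkt

    def send(self, payload: bytes):
        """Return the packet put on the wire now, or None if queued or dropped."""
        if len(self.inflight) < self.peer_window and not self.backlog:
            return self._transmit(payload)
        if len(self.backlog) < self.backoff_queuesize:
            self.backlog.append(payload)
        else:
            self.dropped += 1       # bounded: a stalled peer cannot make us queue forever
        return None

    def ack(self, nr: int) -> list:
        """The peer's Nr acknowledges every Ns below it; slide the window and
        drain the backlog into the space freed. Returns the packets transmitted."""
        while self.inflight and self.inflight[0]["ns"] < nr:
            self.inflight.popleft()
        sent = []
        while self.backlog and len(self.inflight) < self.peer_window:
            sent.append(self._transmit(self.backlog.popleft()))
        return sent


class Receiver:
    """One session's receiving side; drop_out_of_order mirrors l2tp drop out-of-order."""

    def __init__(self, drop_out_of_order: bool = False):
        self.drop_out_of_order = drop_out_of_order
        self.nr = 0                 # next expected Ns ("Sr" in show vpdn session all)
        self.out_of_order = 0       # the "Out of order" counter
        self.delivered = []

    def receive(self, pkt: dict) -> bool:
        """Deliver or drop one packet; True when it was handed up to PPP."""
        ns = pkt["ns"]
        if ns != self.nr:
            self.out_of_order += 1
            if self.drop_out_of_order:
                return False        # strict: only the exact next Ns is accepted
        if ns >= self.nr:
            self.nr = ns + 1        # default: accept and skip ahead (L2TP does not retransmit data)
        self.delivered.append(pkt["payload"])
        return True


def demo() -> dict:
    # The peer advertised a window of 4; we allow a backlog of 2 (constructed values).
    sender = Sender(peer_window=4, backoff_queuesize=2)
    wire = [sender.send(b"frame%d" % i) for i in range(8)]   # 4 sent, 2 queued, 2 dropped
    transmitted = [p for p in wire if p is not None]
    transmitted += sender.ack(3)                               # the peer's Nr=3 frees three slots

    strict, lenient = Receiver(drop_out_of_order=True), Receiver(drop_out_of_order=False)
    # Constructed arrival order: Ns 1 is delayed behind Ns 2.
    arrival = [transmitted[0], transmitted[2], transmitted[1], transmitted[3]]
    for rx in (strict, lenient):
        for pkt in arrival:
            rx.receive(pkt)
    return {
        "transmitted_ns": [p["ns"] for p in transmitted],
        "dropped_at_sender": sender.dropped,
        "strict_delivered": strict.delivered,
        "strict_out_of_order": strict.out_of_order,
        "lenient_delivered": lenient.delivered,
        "lenient_out_of_order": lenient.out_of_order,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth noticing: the backoff queue is what bounds the memory a peer can tie up by never acknowledging, and with l2tp drop out-of-order a single reordered packet costs every later packet until the sequence catches up again, because L2TP data is never retransmitted. Both receivers count the same "Out of order" total; they differ only in what reaches PPP.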

l2tp flow-control static-rtt

To define a static round-trip time for congestion control, use the l2tp flow-control static-rtt VPDN group configuration command. To apply a different value once this command is configured, simply reenter the command with the new value. To disable the static round-trip time, use the no form of this command.

l2tp flow-control static-rtt round-trip-time
no l2tp flow-control static-rtt

Syntax Description

round-trip-time

Sets the static round trip time in milliseconds.

Default

Disabled; adaptive timeouts are used.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

If the LAC/LNS is configured with a static round-trip time, the adaptive time-out (ATO) is calculated from the fixed round-trip time value configured using the l2tp flow-control static-rtt command. If the device is not configured with the l2tp flow-control static-rtt command, the round-trip time used for flow control is measured automatically from packet send and receive times.

Example

The following example sets a static round-trip time of 2500 milliseconds, which in turn disables adaptive round-trip measurement:

l2tp flow-control static-rtt 2500

Note You must have the l2tp flow-control receive-window command enabled with a value greater than zero in order to use the l2tp flow-control maximum-ato command.

Related Commands

l2tp flow-control backoff-queuesize
l2tp flow-control maximum-ato
l2tp flow-control receive-window

l2tp hidden

To enable L2TP AVP hiding, which hides the AVP value, use the l2tp hidden command. To disable L2TP AVP hiding, use the no form of this command.

l2tp hidden
no l2tp hidden

Syntax Description

This command has no keywords or arguments.

Default

L2TP AV pair hiding is disabled.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

This command provides additional security when PPP uses PAP or proxy authentication between the LAC and LNS. When AVP hiding is enabled, the L2TP hiding algorithm is applied and sensitive values (such as passwords) carried in L2TP AVPs are obscured in transit during PAP or proxy authentication, keyed by the tunnel password. This command is not required if one-time PAP passwords are used.

Example

The following example enables AV pair hiding so that the password used between

l2tp hidden
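
What "the L2TP hiding algorithm" actually does, and what it does not protect against, is worth seeing in code. The following is an added example, not Cisco IOS code: hide_avp and unhide_avp implement the hiding algorithm of RFC 2661 section 4.3 (a 2-octet length prefix, random padding to 16-octet chunks, and an MD5 keystream chained from the attribute type, the shared secret and the Random Vector AVP). The sample password, the tunnel password dustie, the fixed Random Vector and the wordlist are constructed for the demonstration; guess_tunnel_secret assumes an attacker who captured the control channel and therefore already knows the attribute type and Random Vector, which travel in the clear.

```python
"""L2TP AVP hiding (RFC 2661 section 4.3), keyed by the tunnel password.

Added example, not Cisco IOS code. hide_avp/unhide_avp implement the RFC's
algorithm: the value is prefixed with its 2-octet length, padded to 16-octet
chunks, and XORed with an MD5 keystream chained from the attribute type, the
shared secret and the Random Vector. The wordlist check and the sample data
are constructed for the demonstration (assumption: the attacker captured the
control channel, so the attribute type and Random Vector are known to them).
"""
import hashlib
import os
import struct

PROXY_AUTHEN_RESPONSE = 33   # RFC 2661 AVP type that carries a proxied PAP password
MD5_BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_avp(attr_type: int, value: bytes, secret: bytes, rv: bytes, rng=os.urandom) -> bytes:
    """Return the hidden Attribute Value (the caller sets the H bit on the AVP)."""
    plain = struct.pack(">H", len(value)) + value
    if len(plain) % MD5_BLOCK:                       # random padding hides the true length
        plain += rng(MD5_BLOCK - len(plain) % MD5_BLOCK)
    hidden = bytearray()
    b = hashlib.md5(struct.pack(">H", attr_type) + secret + rv).digest()   # b(1)
    for i in range(0, len(plain), MD5_BLOCK):
        c = _xor(plain[i:i + MD5_BLOCK], b)          # c(n) = p(n) XOR b(n)
        hidden += c
        b = hashlib.md5(secret + c).digest()         # b(n+1) = MD5(S + c(n))
    return bytes(hidden)


def unhide_avp(attr_type: int, hidden: bytes, secret: bytes, rv: bytes):
    """Inverse of hide_avp; returns None when the recovered length prefix is
    inconsistent, the usual symptom of a wrong secret or Random Vector."""
    plain = bytearray()
    b = hashlib.md5(struct.pack(">H", attr_type) + secret + rv).digest()
    for i in range(0, len(hidden), MD5_BLOCK):
        c = hidden[i:i + MD5_BLOCK]
        plain += _xor(c, b)
        b = hashlib.md5(secret + c).digest()
    if len(plain) < 2:
        return None
    (length,) = struct.unpack(">H", bytes(plain[:2]))
    if length > len(plain) - 2:
        return None
    return bytes(plain[2:2 + length])


def guess_tunnel_secret(attr_type: int, hidden: bytes, rv: bytes, candidates) -> list:
    """Offline check an attacker can run on a captured hidden AVP: every
    candidate secret that yields a consistent length prefix and printable text
    is a hit. Nothing but the tunnel password stands between the capture and
    the proxied user password."""
    hits = []
    for cand in candidates:
        value = unhide_avp(attr_type, hidden, cand, rv)
        if value is not None and value.isascii() and value.decode().isprintable():
            hits.append(cand)
    return hits


def demo() -> dict:
    secret = b"dustie"                 # the l2tp tunnel password (constructed)
    rv = bytes(range(16))              # Random Vector AVP; fresh and random per message in real use
    password = b"jane-pap-password"    # constructed proxied PAP password
    hidden = hide_avp(PROXY_AUTHEN_RESPONSE, password, secret, rv)
    return {
        "hidden_differs": hidden != password and password not in hidden,
        "roundtrip": unhide_avp(PROXY_AUTHEN_RESPONSE, hidden, secret, rv),
        "wrong_secret": unhide_avp(PROXY_AUTHEN_RESPONSE, hidden, b"wrong", rv),
        "wordlist_hits": guess_tunnel_secret(PROXY_AUTHEN_RESPONSE, hidden, rv,
                                             [b"cisco", b"dustie", b"mugsy"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Hiding keeps the password out of a casual capture, but it is a keystream derived from the tunnel password with no integrity protection, so a guessable tunnel password gives up every hidden AVP offline; the wordlist function above finds dustie on the first try. Treat the l2tp tunnel password as a real shared secret, and prefer CHAP over PAP where the clients allow it.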

l2tp ip udp checksum

To enable IP UDP checksums on L2TP payload packets, use the l2tp ip udp checksum command. To disable IP UDP checksums, use the no form of this command.

l2tp ip udp checksum
no l2tp ip udp checksum

Syntax Description

There are no keywords or arguments for this command.

Default

Disabled

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

Enabling UDP checksums causes L2TP traffic to be process switched instead of fast switched, which reduces performance.

Example

The following example enables IP UDP checksums on L2TP payload packets:

l2tp ip udp checksum

l2tp offset

To enable the offset field in L2TP payload packets, use the l2tp offset command. To disable the offset field, use the no form of this command.

l2tp offset
no l2tp offset

Syntax Description

This command has no keywords or arguments.

Default

The offset field in L2TP payload packets is enabled.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

Enabling the offset field forces longword (32-bit) header alignment and may improve performance on some platforms; however, it potentially increases the size of the packets.


Note L2TP offset is enabled by default. Therefore, there is no need to enable this command unless it was previously disabled.

Example

The following example disables the offset field:

no l2tp offset

l2tp tunnel authentication

To enable L2TP tunnel authentication, use the l2tp tunnel authentication command. To disable L2TP tunnel authentication, use the no form of this command.

l2tp tunnel authentication
no l2tp tunnel authentication

Syntax Description

This command has no keywords or arguments.

Default

L2TP tunnel authentication is enabled.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

Example

The following example enables L2TP tunnel authentication:

l2tp tunnel authentication

Note L2TP tunnel authentication is enabled by default. Therefore, there is no need to enable this command unless it was previously disabled.
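
Because tunnel authentication is optional in L2TP (Table 1) and accept dialin matches on a hostname the peer simply asserts, it helps to see what the control-connection handshake checks when authentication is on and what happens when it is turned off. The following is an added example, not Cisco IOS code: the Challenge Response computation is the one RFC 2661 specifies (MD5 over the message type as a single octet, the shared secret and the challenge, with SCCRP = 2 and SCCCN = 3), while the Endpoint class, the message dictionaries, the peer names sophia and mugsy and the password dustie are a simplified model and constructed values.

```python
"""L2TP tunnel authentication (RFC 2661 section 5.1.1) modelled end to end.

Added example, not Cisco IOS code. The Challenge Response computation is the
RFC's: MD5(message type as one octet || shared secret || challenge), with
SCCRP = 2 and SCCCN = 3, so a response cannot be replayed in the other
direction. The Endpoint objects and the message dictionaries are a simplified
model (assumption) of the control-connection exchange.
"""
import hashlib
import hmac
import os

SCCRQ, SCCRP, SCCCN = 1, 2, 3    # control message types, RFC 2661 section 3.2


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def response_ok(msg_type: int, secret: bytes, challenge: bytes, response) -> bool:
    return response is not None and hmac.compare_digest(
        challenge_response(msg_type, secret, challenge), response)


class Endpoint:
    """A LAC or LNS. `authenticate` mirrors [no] l2tp tunnel authentication and
    `secret` the l2tp tunnel password."""

    def __init__(self, name: str, secret: bytes, authenticate: bool = True, rng=os.urandom):
        self.name, self.secret, self.authenticate, self.rng = name, secret, authenticate, rng

    def challenge(self):
        """A Challenge AVP is only sent when this side authenticates its peer."""
        return self.rng(16) if self.authenticate else None


def open_tunnel(lac: Endpoint, lns: Endpoint) -> str:
    """Run SCCRQ -> SCCRP -> SCCCN and report how the control connection ends."""
    sccrq = {"type": SCCRQ, "hostname": lac.name, "challenge": lac.challenge()}

    # The LNS must answer any challenge it received, and issues its own if configured to.
    c1 = sccrq["challenge"]
    sccrp = {"type": SCCRP, "hostname": lns.name, "challenge": lns.challenge(),
             "response": challenge_response(SCCRP, lns.secret, c1) if c1 else None}

    # The LAC verifies the LNS before going any further.
    if c1 and not response_ok(SCCRP, lac.secret, c1, sccrp["response"]):
        return "rejected by LAC: bad Challenge Response in SCCRP"
    c2 = sccrp["challenge"]
    sccccn = {"type": SCCCN,
              "response": challenge_response(SCCCN, lac.secret, c2) if c2 else None}

    # The LNS verifies the LAC; only then is the tunnel established.
    if c2 and not response_ok(SCCCN, lns.secret, c2, sccccn["response"]):
        return "rejected by LNS: bad Challenge Response in SCCCN"
    return "established"


def demo() -> dict:
    secret = b"dustie"    # constructed tunnel password shared by sophia and mugsy
    rogue = Endpoint("sophia", b"guess", authenticate=False)   # spoofs the LAC's hostname
    return {
        "matching_secret": open_tunnel(Endpoint("sophia", secret), Endpoint("mugsy", secret)),
        "mismatched_secret": open_tunnel(Endpoint("sophia", secret), Endpoint("mugsy", b"other")),
        "rogue_lac_lns_authenticates": open_tunnel(rogue, Endpoint("mugsy", secret)),
        "rogue_lac_lns_auth_disabled": open_tunnel(rogue, Endpoint("mugsy", secret, authenticate=False)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} {outcome}")
```

The last case is the one that matters operationally: with no l2tp tunnel authentication on the LNS, any host that can reach it and claims the hostname named in accept dialin gets a tunnel, and with it the ability to inject PPP sessions. The default (enabled) should stay, and the password it relies on is the same one AVP hiding uses.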

l2tp tunnel hello

To set the number of seconds between sending hello keepalive packets for a L2TP tunnel, use the l2tp tunnel hello command. To change the tunnel hello value, simply reenter the command with the new value. To disable the sending of hello keepalive packets, use the no form of this command.

l2tp tunnel hello hello-interval
no l2tp tunnel hello hello-interval

Syntax Description

hello-interval

The interval, in seconds, that the LAC/LNS waits before sending the next L2TP tunnel keepalive packet.

Default

L2TP tunnel hello value is set to 60.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

The L2TP tunnel keepalive timers do not have to be the same value on both sides of the tunnel.

Example

The following example changes the L2TP tunnel hello value from the default value of 60, to a value of 90:

l2tp tunnel hello 90

l2tp tunnel password

To set the password that the router will use to authenticate the tunnel, use the l2tp tunnel password command. To remove a previously configured password, use the no form of this command.

l2tp tunnel password password
no l2tp tunnel password password

Syntax Description

password

Identifies the password that the router will use for tunnel authentication.

Default

Disabled. If the l2tp tunnel password is not configured, the local password is used. If no local password is configured, the hostname is used.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

The password defined with the l2tp tunnel password command is also used for AV pair hiding.

Example

The following example configures the tunnel password, dustie, which will be used to authenticate the tunnel between local and remote peer:

l2tp tunnel password dustie

Related Commands

l2tp hidden

request dialin

To request a dialin L2F or L2TP tunnel to a remote peer when a dialin request is received for a specified domain or Dialed Number Identification Service (DNIS) number, use the request dialin VPDN group configuration command.  To remove this function, use the no form of this command.

request dialin [l2f | l2tp] ip ip-address {domain domain-name | dnis dialed-number}
no request dialin [l2f | l2tp] ip ip-address {domain domain-name | dnis dialed-number}

Syntax Description

dnis dialed-number

Dialed number to be used for selecting a specific tunnel that will forward traffic to the LNS or HGW.

domain domain-name

Case-sensitive name of the domain to tunnel.

ip ip-address

IP address of the remote peer that is the other end of the tunnel.

l2f | l2tp

Specifies whether the L2F or L2TP tunnel protocol is used.

Default

Request dialin must explicitly be configured.

Command Mode

VPDN group mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

This command is used to initiate a tunnel to a remote peer defined by a specific IP address if a dialin tunnel is received for users under a specific domain name or if a specific DNIS is called. The VPDN group command must be configured to use either request dialin or accept dialin; request dialin indicates a dial in tunnel is requested and accept dialin accepts the request for the dial in tunnel.


Note The vpdn group command must be configured with the accept dialin or request dialin command in order to enable VPDN. The requester initiates a dialin tunnel; the acceptor accepts a request for a dialin tunnel.

Example

The following example requests an L2TP dialin tunnel to a remote peer at IP address 172.17.33.125 for users in the domain partner.com:

request dialin l2tp ip 172.17.33.125 domain partner.com

Related Commands

accept dialin
vpdn incoming
vpdn outgoing
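
The commands documented on this page combine into a paired LAC and LNS configuration. The following is an added example assembled from those commands; it is not a configuration from the original document. The hostnames sophia and mugsy, the address 172.17.33.125, the domain partner.com and the tunnel password dustie are the illustrative values used in the examples above; the assumption that VPDN is enabled globally with vpdn enable and that the group is entered with vpdn-group 1 (the page refers to this only as the vpdn group command) is mine, and AAA, addressing and the rest of the virtual template are omitted.

```text
! ---- LAC at the ISP POP, hostname sophia (added example, not from the page) ----
vpdn enable
!
vpdn-group 1
 request dialin l2tp ip 172.17.33.125 domain partner.com
 local name sophia
 l2tp tunnel password dustie
 l2tp hidden
 l2tp tunnel hello 60

! ---- LNS at the customer site, hostname mugsy, 172.17.33.125 ----
vpdn enable
!
vpdn-group 1
 accept dialin l2tp remote sophia virtual-template 1
 local name mugsy
 l2tp tunnel password dustie
 l2tp hidden
 force-local-chap
 lcp renegotiation on-mismatch
 l2tp flow-control receive-window 10
 l2tp drop out-of-order
!
! Virtual template the LNS clones for each session (assumption: addressing and
! other interface settings omitted); CHAP is what force-local-chap requires.
interface Virtual-Template1
 ppp authentication chap

! ---- Weak variant of the LNS group, shown for contrast (do not use) ----
! vpdn-group 1
!  accept dialin l2tp remote sophia virtual-template 1
!  no l2tp tunnel authentication
!  (no l2tp hidden, no force-local-chap)
```

In the weak variant any host that can reach UDP port 1701 on the LNS and claims the hostname sophia can bring up a tunnel, proxied PAP passwords cross the control channel in the clear, and the LNS accepts whatever authentication result the LAC forwards. Tunnel authentication and AVP hiding both key off l2tp tunnel password, so choose it as you would any shared secret; the hello interval is only a liveness check and has no security role.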

show vpdn session

To display information about active Layer 2 Tunneling Protocol (L2TP) or Layer 2 Forwarding (L2F) sessions in a virtual private dialup network, use the show vpdn session EXEC command. If the show vpdn command is used without the session or tunnel keywords, both session and tunnel information is displayed by default.

show vpdn session [all [interface | tunnel | username] | packets | sequence | state | timers | window]

Syntax Description

all

All session information for active sessions, optionally filtered by one of the following keywords:

  • interface---(Optional) Interface associated with a specific session.

  • tunnel---(Optional) Tunnel attribute filter.

  • username---(Optional) Username filter.

packets

(Optional) Packet/byte count.

sequence

(Optional) Sequence numbers.

state

(Optional) State of each session.

timers

(Optional) Timer information.

window

(Optional) Window information.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.
This command was modified for L2TP and L2F session and tunnel variables in Cisco IOS Release 11.3(5)AA and 12.0(1)T.

Sample Displays

This section displays several examples using the show vpdn command and keyword options. Table 2 shows the output values for the show vpdn and show vpdn session commands, which use a summary-style display for active L2F and L2TP sessions.

The following example shows the show vpdn command without any keywords or arguments, which by default, displays all session information:

router#sh vpdn 
L2TP Tunnel and session Information (Total tunnels=1 sessions=1)
LocID RemID Remote Name   State  Remote Address  Port  Sessions
2     10    wander        est    172.21.9.13     1701  1       
LocID RemID TunID Intf    Username      State  Last Chg
1     1     2     As7     bum1@cisco.co est    00:23:01
L2F Tunnel and Session
 NAS CLID HGW CLID NAS Name        HGW Name        State
 10        2        stella          acadia          open   
                    172.21.9.4      172.21.9.232   
 CLID   MID    Username       Intf   State
 2      1      jdo@hp.com     As6    open 

The following example shows the show vpdn session command:

router# show vpdn session
L2TP Session Information (Total tunnels=1 sessions=1)
LocID RemID TunID Intf    Username      State  Last Chg
1     1     2     As7     bum1@cisco.co est    00:29:34
L2F Session
 CLID   MID    Username       Intf   State
 3      1      jdo@hp.com     As6    open   

The following example displays the show vpdn command and the session, all, and username keywords:

stella#sh vpdn session all username bum1@cisco.com
L2TP Session Information (Total tunnels=1 sessions=1)
Call id 1 is up on tunnel id 2
Remote tunnel name is wander
  Internet Address: 172.21.9.13
  Session username is bum1@cisco.com, state is established
    Time since change: 00:34:28, Interface As7
    Remote call id: 1
    212 packets sent, 425 received, 6003 bytes sent, 12008 received
    Sequencing is on
      Ss=211 Sr=213  Remote Ns=212  Remote Nr=0  Out of order=0
      Remote has not requested congestion control
% No active L2F tunnels
stella#sh vpdn session all username jdo@hp.com
% No active L2TP tunnels
L2F Session
MID: 1
User:  jdo@hp.com
Interface:  Async6
State:  open
Packets out: 139
Bytes out: 4518
Packets in: 422
Bytes in: 27013

Table 2 shows the output values for the show vpdn session command.


Table 2: Show VPDN Session Field Descriptions
Field Description
L2TP Session Information

Total Tunnels

Number of active tunnels.

Total Sessions

Number of active sessions.

LocID

A unique number that identifies the local ID for the session.

RemID

A unique number that identifies the remote ID for the session.

TunID

A unique number that identifies the tunnel.

Intf

The interface associated with a specific session.

Username

Username of the session.

State

Indicates status for the individual user in the tunnel. The states are: opening, open, closed, closing, and waiting_for_tunnel.

The waiting_for_tunnel state means that the user connection is waiting until the main tunnel can be brought up before it moves to the opening state.

Last Chg

Last status change.

L2F Session

CLID

MID

The multiplex identifier.

Username

Username of the person from whom a protocol message was forwarded over the tunnel.

Intf

Interface from which the protocol message was sent.

State

Indicates whether the tunnel is open, opening, closing, or closed.

Related Commands

show vpdn
show vpdn tunnel

show vpdn tunnel

To display information about active Layer 2 Tunneling Protocol (L2TP) or Layer 2 Forwarding (L2F) tunnels in a virtual private dialup network, use the show vpdn tunnel EXEC command. If the show vpdn command is used without the session or tunnel keywords, both session and tunnel information is displayed by default.

show vpdn tunnel [all [id | local-name | remote-name] | packets | state | summary | transport]

Syntax Description

all

All information for active tunnels.

id---(Optional) Local tunnel ID.

local-name---(Optional) Name of local end of tunnel.

remote-name---(Optional) Name of remote end of tunnel.

packets

(Optional) Packet/byte count.

state

(Optional) Tunnel state information.

summary

(Optional) Tunnel information summary.

transport

(Optional) Tunnel transport information.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.
This command was modified for L2TP and L2F session and tunnel variables in 11.3(5)AA and 12.0(1)T.

Sample Display

This section displays several examples using the show vpdn command and keyword options. The following example shows the show vpdn command without any keywords or arguments:

router#sh vpdn 
L2TP Tunnel and session Information (Total tunnels=1 sessions=1)
LocID RemID Remote Name   State  Remote Address  Port  Sessions
2     10    wander        est    172.21.9.13     1701  1       
LocID RemID TunID Intf    Username      State  Last Chg
1     1     2     As7     bum1@cisco.co est    00:23:01
L2F Tunnel and Session
 NAS CLID HGW CLID NAS Name        HGW Name        State
 10        2        stella          acadia          open   
                    172.21.9.4      172.21.9.232   
 CLID   MID    Username       Intf   State
 2      1      jdo@hp.com     As6    open 

The following example shows the show vpdn tunnel command:

router#sh vpdn tunnel
L2TP Tunnel Information (Total tunnels=1 sessions=1)
LocID RemID Remote Name   State  Remote Address  Port  Sessions
2     10    wander        est    172.21.9.13     1701  1       
L2F Tunnel
 NAS CLID HGW CLID NAS Name        HGW Name        State
 9         1        stella          acadia          open   
                    172.21.9.4      172.21.9.232 
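The L2TP tunnel table above is what an operator polls to notice tunnels to peers that were never provisioned. The following parser is an added example, not Cisco code: it reads that table from the sample output on this page and flags tunnels whose (remote name, remote address) pair is missing from an expected-peer list, which is an assumption supplied by the caller.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Sample output copied from this page's `show vpdn tunnel` display.
SAMPLE_OUTPUT = """\
L2TP Tunnel Information (Total tunnels=1 sessions=1)
LocID RemID Remote Name   State  Remote Address  Port  Sessions
2     10    wander        est    172.21.9.13     1701  1
L2F Tunnel
 NAS CLID HGW CLID NAS Name        HGW Name        State
 9         1        stella          acadia          open
                    172.21.9.4      172.21.9.232
"""

# One data row of the L2TP tunnel table, in the column order shown above.
L2TP_ROW = re.compile(
    r"^(?P<loc>\d+)\s+(?P<rem>\d+)\s+(?P<name>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<sessions>\d+)\s*$"
)

@dataclass
class L2tpTunnel:
    local_id: int
    remote_id: int
    remote_name: str
    state: str
    remote_address: str
    port: int
    sessions: int

def parse_l2tp_tunnels(text: str) -> List[L2tpTunnel]:
    """Return one record per data row of the L2TP table; the L2F table is skipped."""
    tunnels, in_l2tp = [], False
    for line in text.splitlines():
        if line.startswith("L2TP Tunnel"):
            in_l2tp = True
        elif line.startswith("L2F Tunnel"):
            in_l2tp = False
        elif in_l2tp and (m := L2TP_ROW.match(line)):
            tunnels.append(L2tpTunnel(int(m["loc"]), int(m["rem"]), m["name"],
                                      m["state"], m["addr"], int(m["port"]),
                                      int(m["sessions"])))
    return tunnels

def unexpected_tunnels(tunnels: List[L2tpTunnel],
                       expected_peers: Set[Tuple[str, str]]) -> List[L2tpTunnel]:
    """Tunnels whose (remote name, remote address) pair is not an expected peer."""
    return [t for t in tunnels if (t.remote_name, t.remote_address) not in expected_peers]
```

Checking the pair rather than the name alone matters because the remote name is whatever the peer claims in tunnel setup, while the address is what the router actually exchanged packets with.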

Related Commands

show vpdn
show vpdn session

vpdn domain-delimiter

To specify the characters to be used to delimit the domain prefix or domain suffix, use the vpdn domain-delimiter global configuration command.

vpdn domain-delimiter delimiter-characters [suffix | prefix]

Syntax Description

delimiter-characters

One or more specific characters to be used as suffix or prefix delimiters. Available characters are %, -, @, \, #, and /.

If a backslash (\) is the last delimiter in the command line, enter it as a double backslash (\\).

suffix | prefix

Usage of the specified characters.

Default

This command is disabled.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3.

You can enter one vpdn domain-delimiter command to list the suffix delimiters and another vpdn domain-delimiter command to list the prefix delimiters. However, no character can be both a suffix delimiter and a prefix delimiter.

This command allows the network access server to parse a list of home gateway DNS domain names and addresses sent by an AAA server. The AAA server can store domain names or IP addresses in the following AV pair:

cisco-avpair = "lcp:interface-config=ip address 1.1.1.1 255.255.255.255.0",

cisco-avpair = "lcp:interface-config=ip address bigrouter@excellentinc.com",

Examples

The following example lists three suffix delimiters and three prefix delimiters:

vpdn domain-delimiter %-@ suffix
vpdn domain-delimiter #/\\ prefix

This example allows the following host and domain names:

cisco.com#houstonddr
houstonddr@cisco.com

Related Commands

You can use the master indexes or search online to find documentation of related commands.

vpdn enable
vpdn search-order

vpdn enable

To enable VPDN on the router and inform the router to look for tunnel definitions in a local database and on a remote authorization server (LNS), if one is present, use the vpdn enable global configuration command. To disable VPDN, use the no form of this command.

vpdn enable
no vpdn enable

Syntax Description

This command has no keywords or arguments.

Default

VPDN is not enabled.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Sample Display

The following example enables VPDN on the router:

vpdn enable

vpdn-group

To define a local, unique group number identifier, use the vpdn-group global configuration command. To remove a group number, use the no form of this command.

vpdn-group group-number
no vpdn-group group-number

Syntax Description

group-number

Local group number. Valid group numbers range between 1 and 3000.

Default

VPDN group number assignments are not enabled.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3(5)AA and 12.0(1)T.
The vpdn-group group-number command defines a local, unique identifier for each VPDN group.

Example

The following example establishes local vpdn group number 1 for which other variables, such as force-local chap, can be assigned:

vpdn-group 1

vpdn search-order

To specify how the service provider's network access server is to perform VPDN tunnel authorization searches, use the vpdn search-order global configuration command. To remove a prior specification, use the no form of the command.

vpdn search-order {dnis domain | domain dnis | domain | dnis}
no vpdn search-order

Syntax Description

dnis domain

Search first on the Dialed Number Information Service (DNIS) information provided on ISDN lines and then search on the domain name.

domain dnis

Search first on the domain name and then search on the DNIS information.

domain

Search on the domain name only.

dnis

Search on the DNIS information only.

Default

When this command is not used, the default is to search first on the Dialed Number Information Service (DNIS) information provided on ISDN lines and then search on the domain name. This is equivalent to using the vpdn search-order dnis domain command.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3.

VPDN authorization searches are performed only as specified.

The configuration shows the vpdn search-order command setting only if the command is explicitly configured.

Example

The following example configures a network access server to select a tunnel destination based on DNIS and a specific dialed number, and to perform tunnel authorization searches based on the DNIS information only:

vpdn enable
vpdn outgoing dnis 2387765 gocardinal ip 170.16.44.56
vpdn search-order dnis
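The vpdn domain-delimiter and vpdn search-order commands together decide which tunnel a dial-in user is forwarded into: the delimiters extract the domain from the username, and the search order says whether DNIS or that domain is consulted first. The following is an added example, not Cisco code, modelling both steps in Python with the delimiters and the DNIS entry from this page's examples; the domain table entry and the rule that the leftmost delimiter wins are assumptions.

```python
from typing import Dict, Optional, Tuple

# Delimiters from this page's example: `vpdn domain-delimiter %-@ suffix` and
# `vpdn domain-delimiter #/\\ prefix` (the doubled backslash is one character).
SUFFIX_DELIMITERS = "%-@"
PREFIX_DELIMITERS = "#/\\"
SUPPORTED = set("%-@\\#/")   # the characters the command accepts

def check_delimiters(suffix: str, prefix: str) -> None:
    """Reject unsupported characters and any character listed as both."""
    unsupported = set(suffix + prefix) - SUPPORTED
    if unsupported:
        raise ValueError(f"unsupported delimiter(s): {sorted(unsupported)}")
    both = set(suffix) & set(prefix)
    if both:
        raise ValueError(f"delimiter(s) used as both suffix and prefix: {sorted(both)}")

def split_domain(username: str, suffix: str = SUFFIX_DELIMITERS,
                 prefix: str = PREFIX_DELIMITERS) -> Tuple[str, Optional[str]]:
    """Return (user, domain). Suffix form is user@domain, prefix form is
    domain#user. Assumption: the leftmost delimiter in the string decides."""
    check_delimiters(suffix, prefix)
    for i, ch in enumerate(username):
        if ch in suffix:
            return username[:i], username[i + 1:]
        if ch in prefix:
            return username[i + 1:], username[:i]
    return username, None   # no delimiter: nothing to search on by domain

Tunnel = Tuple[str, str]   # (tunnel name, tunnel endpoint IP)

def select_tunnel(dnis: str, username: str, order: str,
                  dnis_table: Dict[str, Tunnel],
                  domain_table: Dict[str, Tunnel]) -> Optional[Tunnel]:
    """Tunnel authorization lookup in `vpdn search-order` order; `order` is one
    of "dnis domain" (the default), "domain dnis", "domain" or "dnis"."""
    _, domain = split_domain(username)
    for key in order.split():
        if key == "dnis" and dnis in dnis_table:
            return dnis_table[dnis]
        if key == "domain" and domain in domain_table:
            return domain_table[domain]
    return None   # searches are performed only as specified

# DNIS entry from this page's example (vpdn outgoing dnis 2387765 gocardinal
# ip 170.16.44.56); the domain entry is constructed for illustration.
DNIS_TABLE = {"2387765": ("gocardinal", "170.16.44.56")}
DOMAIN_TABLE = {"cisco.com": ("cisco-hgw", "192.0.2.10")}
```

Note the last case in the test: with `vpdn search-order dnis`, a user whose domain is known but whose dialed number is not gets no tunnel at all, which is the behaviour the Usage Guidelines describe.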

vpdn source-ip

To set the source IP address of the network access server, use the vpdn source-ip global configuration command.

vpdn source-ip address

Syntax Description

address

IP address of the network access server.

Default

This command is disabled. No default IP address is provided.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3.

One source IP address is configured on the network access server. The source IP address is configured per network access server, not per domain.

Example

The following example enables VPDN on the network access server and sets an IP source address of 171.4.48.3:

vpdn enable 
vpdn source-ip 171.4.48.3

Related Commands

You can use the master indexes or search online to find documentation of related commands.

vpdn enable


Copyright 1989-1998 © Cisco Systems Inc.