[c-nsp] Cisco DSL Config Question - Multiple Domains

Paul Stewart pstewart at nexicomgroup.net
Wed Sep 6 13:10:28 EDT 2006


Hmm.. Now that's interesting...

Since terminate-from will be the same on the two examples below, does
that not create a problem??  Sorry, not doubting you.. Just wondering as
I know DSL terminates in many many different flavors..;)  Unfortunately
I have to do this cutover during daytime hours so trying to play this
very safe...

All the best,

Paul Stewart
Network Administrator
Nexicom Inc.
http://www.nexicom.net/  

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Freedman
Sent: Wednesday, September 06, 2006 1:06 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco DSL Config Question - Multiple Domains

I'm guessing if you want multiple tunnels? (between multiple loopbacks)

If so you might want to split this into distinct vpdn groups.

Something like the following:

vpdn-group 1
 description Inbound Tunnels from Telco Loopback A
 accept-dialin
  protocol l2tp
  virtual-template 1
 source-ip <IP Of int Loopback1>
 terminate-from <telco specific>
 local name whatever
 lcp renegotiation always
 l2tp tunnel password 7 XXXXXXXXXXXXXXX

vpdn-group 2
 description Inbound Tunnels from Telco Loopback B
 accept-dialin
  protocol l2tp
  virtual-template 2
 source-ip <IP Of int Loopback2>
 terminate-from <telco specific>
 local name whatever
 lcp renegotiation always
 l2tp tunnel password 7 XXXXXXXXXXXXXXX


Dave.


Paul Stewart wrote:
> I'm hoping someone can help me here..;)  We have a Cisco 7206VXR that 
> we use for DSL termination from a telco via l2tp tunnels.  Below are 
> some snippets of the config.  Today, everything works fine but our 
> goal is to split up three domains coming in **without** using 
> proxy-radius and/or changing radius at all (don't go there). ;)
> 
> Our telco provider who is sending us the l2tp tunnels runs Juniper and
> can route each domain to a separate loopback on our side.  This all 
> made sense until I started looking at vpdn-group configuration etc...
> 
> If they terminate each domain onto a separate loopback interface, how 
> can I bind that to a separate virtual-template where I can also define
> separate radius servers and IP pools for each domain?  Is there a way 
> to do this?  I had this figured out I thought until I found the 
> "virtual-template 1" statement on the vpdn-group.. Is there a way to 
> remove this and do it from the loopback instead?
> 
> Config:
> 
> aaa group server radius ABC
>  server-private xxx.xxx.xxx.28 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXX
>  server-private xxx.xxx.xxx.13 auth-port 1645 acct-port 0 key 7 XXXXXXXXXXXXXXX
>  ip radius source-interface Loopback0
> !
> aaa group server radius XYZ
>  server-private xxx.xxx.xxx.28 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXX
>  server-private xxx.xxx.xxx.13 auth-port 1645 acct-port 0 key 7 XXXXXXXXXXXXXX
>  ip radius source-interface Loopback0
> 
> aaa authentication ppp ABC group ABC
> aaa authentication ppp XYZ group XYZ
> aaa authorization network ABC group ABC
> aaa authorization network XYZ group XYZ
> aaa accounting delay-start
> aaa accounting network ABC start-stop group ABC
> aaa accounting network XYZ start-stop group XYZ
> 
> virtual-profile if-needed
> vpdn enable
> vpdn multihop
> vpdn authen-before-forward
> vpdn authorize directed-request
> 
> vpdn-group TSW1-KITCHENER06
>  accept-dialin
>   protocol l2tp
>   virtual-template 1
>  terminate-from hostname nexxia1013
>  local name whatever
>  lcp renegotiation always
>  l2tp tunnel password 7 XXXXXXXXXXXXXXX
> 
> bba-group pppoe global
>  virtual-template 1
> 
> interface Loopback1
>  description ABC
>  ip address XXX.XXX.XXX.178 255.255.255.255
> !
> interface Loopback2
>  description XYZ
>  ip address XXX.XXX.XXX.179 255.255.255.255
> 
> interface ATM1/0.13 point-to-point
>  description TSW1-KITCHENER06/nexxia1013
>  ip address 10.70.82.50 255.255.255.252
>  no snmp trap link-status
>  atm route-bridged ip
>  pvc 1/46
> 
> interface Virtual-Template1
>  description ABC
>  ip unnumbered Loopback1
>  ip mtu 1492
>  ip mroute-cache
>  no logging event link-status
>  no snmp trap link-status
>  peer default ip address pool ABC
>  ppp authentication pap ABC
>  ppp authorization ABC
>  ppp accounting ABC
>  no clns route-cache
> 
> interface Virtual-Template2
>  description XYZ
>  ip unnumbered Loopback2
>  ip mtu 1492
>  ip mroute-cache
>  no logging event link-status
>  no snmp trap link-status
>  peer default ip address pool XYZ
>  ppp authentication pap XYZ
>  ppp authorization XYZ
>  ppp accounting XYZ
>  no clns route-cache
> 
> ip local pool ABC XXX.XXX.XXX.1 XXX.XXX.XXX.254
> ip local pool XYZ YYY.YYY.YYY.1 YYY.YYY.YYY.254
> 
> radius-server attribute 44 include-in-access-req
> radius-server attribute 32 include-in-access-req
> radius-server attribute 32 include-in-accounting-req
> radius-server attribute 55 include-in-acct-req
> radius-server attribute nas-port format d
> radius-server directed-request
> radius-server domain-stripping
> radius-server vsa send accounting
> radius-server vsa send authentication
> 
> Paul Stewart
> Network Administrator
> Nexicom Inc.
> http://www.nexicom.net/
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
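
A pre-cutover check for the split discussed in this thread, as an added example that is not from either poster: it parses a candidate config and reports vpdn-groups that share a terminate-from value without differing in source-ip, and groups that reference a Virtual-Template that is not defined. The sample config is constructed (192.0.2.x placeholder addresses), and treating source-ip as the field that tells the groups apart is an assumption taken from the suggested config.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the two groups suggested above; addresses are placeholders.
SAMPLE = """\
vpdn-group 1
 accept-dialin
  virtual-template 1
 source-ip 192.0.2.178
 terminate-from hostname nexxia1013
vpdn-group 2
 accept-dialin
  virtual-template 2
 source-ip 192.0.2.179
 terminate-from hostname nexxia1013
interface Virtual-Template1
 ip unnumbered Loopback1
interface Virtual-Template2
 ip unnumbered Loopback2
"""
KEYS = ("virtual-template", "source-ip", "terminate-from")

def parse(config):
    """Return ({group: {key: value}}, {defined Virtual-Template numbers})."""
    groups, templates, cur = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new block
            m = re.match(r"vpdn-group (\S+)$", line)
            cur = groups.setdefault(m.group(1), {}) if m else None
            templates.update(re.findall(r"^interface Virtual-Template(\d+)$", line))
        elif cur is not None:
            for key in KEYS:
                if line.startswith(key + " "):
                    cur[key] = line[len(key) + 1:]
    return groups, templates

def audit(config):
    """Return a list of findings; an empty list means both checks passed."""
    groups, templates = parse(config)
    findings = [f"{n}: virtual-template {g.get('virtual-template')} not defined"
                for n, g in groups.items() if g.get("virtual-template") not in templates]
    by_peer = defaultdict(list)
    for name, g in groups.items():
        by_peer[g.get("terminate-from")].append(name)
    for peer, names in by_peer.items():
        ips = [groups[n].get("source-ip") for n in names]
        if len(names) > 1 and (None in ips or len(set(ips)) < len(ips)):
            findings.append(f"{', '.join(names)}: same terminate-from ({peer}), source-ip not distinct")
    return findings
```
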
