[cisco-bba] Cisco 7301 as LTS With Hundreds of Domains

Tom Storey tom at snnap.net
Tue Apr 8 21:58:24 EDT 2008


The ISP I work for uses "authenticate before forward" for some private VPN
services we offer.

Essentially your LTS/LACs will authenticate the user, and the RADIUS
response contains details about where the session should be forwarded
(rather than what details to terminate the session with), which can be a
list of your LNSs which the LAC can load balance across.

Once the session has been forwarded on, your LNSs will authenticate the
user, and terminate the session.

I believe we are using two RADIUS instances for this, one for the auth
before forward stuff, and the second to actually authenticate the users
for termination on the destination LNS.

> Hi
>
> I suggest to get the domain information via radius server. Also have a
> quick look about the command "tunnel share" which might help you to
> reduce the number of tunnels to your lns.
>
> Regards
> 	Erich
>
>>
>> We currently have 8 x 7301'S running as LTS's to terminate ATM from
>> carrier and switch the tunnel to
>> 3 LNS (2 as primary using priority 1 and backup using priority 2)
>>
>> Copy of config below
>>
>> << From carrier >>
>>
>> vpdn-group IN-FROM-CARRIER
>>  accept-dialin
>>   protocol any
>>   virtual-template 2
>>  terminate-from hostname XX-XX-XX
>>  lcp renegotiation on-mismatch
>>  l2tp tunnel password 0 XXXXXXX
>>
>> << TO LNS FARM >>
>>
>> vpdn-group OUT-TO-LNS
>>  request-dialin
>>   protocol l2tp
>>   domain 1
>>   domain 2
>>   domain 100
>>   domain 300
>>  initiate-to ip 1.1.1.1 priority 1
>>  initiate-to ip 2.2.2.2 priority 1
>>  initiate-to ip 3.3.3.3 priority 2
>>  source-ip 9.9.9.9
>>  local name OUT-TO-LNS
>>  l2tp tunnel password 0 XXXXXXX
>>
>> We now have about 300 domains, so the config is very long with every
>> domain listed in there becomes a nightmare to manage, so my question
>> is there any way to put a wildcard * domain into this tunnel (the box
>> only has 1 request-dialin vpdn group) so that all realms received from
>> carrier and tunnelled to the LNS's
>>
>> Thanks in advance
>>
>> Gareth
>>
>
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba
>
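To make the RADIUS-driven approach from the thread concrete, here is an added example of what the LAC/LTS-side RADIUS server could return; it is not from Tom's, Erich's or Gareth's setup. It is written as FreeRADIUS `users` file entries and assumes the realm module has split `user@domain` so that `Realm` holds the domain, and that the LAC has been configured to ask RADIUS for VPDN tunnel authorization (the exact IOS commands for that are assumed to exist on the platform and are not shown). The IP addresses, domain names, tunnel name and password placeholder are taken from Gareth's quoted config; the attributes are the standard RFC 2868 tunnel attributes.

```text
# FreeRADIUS "users" file (constructed example, not from the thread).
# Each numbered tag (:1, :2, :3) groups one candidate LNS; the LAC picks
# the lowest Tunnel-Preference first and falls back to the next on failure,
# which is the same primary/backup split as "priority 1" / "priority 2".
#
# Specific domain first: domain 100 is pinned to LNS 1.1.1.1 with 3.3.3.3
# as backup. The file is first-match, so specific entries go above the
# catch-all.
DEFAULT Realm == "100", Auth-Type := Accept
        Tunnel-Type:1 = L2TP,
        Tunnel-Medium-Type:1 = IP,
        Tunnel-Server-Endpoint:1 = "1.1.1.1",
        Tunnel-Preference:1 = 1,
        Tunnel-Client-Auth-ID:1 = "OUT-TO-LNS",
        Tunnel-Password:1 = "XXXXXXX",
        Tunnel-Type:2 = L2TP,
        Tunnel-Medium-Type:2 = IP,
        Tunnel-Server-Endpoint:2 = "3.3.3.3",
        Tunnel-Preference:2 = 2,
        Tunnel-Client-Auth-ID:2 = "OUT-TO-LNS",
        Tunnel-Password:2 = "XXXXXXX"

# Catch-all: any realm not matched above is forwarded to the shared LNS
# farm. This is the "wildcard" that the request-dialin vpdn-group cannot
# express; adding a 301st domain needs no change on the LAC at all.
# Tunnel-Assignment-ID is the RFC 2868 attribute used to let several
# domains share one tunnel to a given LNS (Erich's tunnel-sharing point);
# whether the LAC honours it depends on the IOS release and is an
# assumption here.
DEFAULT Auth-Type := Accept
        Tunnel-Type:1 = L2TP,
        Tunnel-Medium-Type:1 = IP,
        Tunnel-Server-Endpoint:1 = "1.1.1.1",
        Tunnel-Preference:1 = 1,
        Tunnel-Assignment-ID:1 = "lns-farm",
        Tunnel-Client-Auth-ID:1 = "OUT-TO-LNS",
        Tunnel-Password:1 = "XXXXXXX",
        Tunnel-Type:2 = L2TP,
        Tunnel-Medium-Type:2 = IP,
        Tunnel-Server-Endpoint:2 = "2.2.2.2",
        Tunnel-Preference:2 = 1,
        Tunnel-Assignment-ID:2 = "lns-farm",
        Tunnel-Client-Auth-ID:2 = "OUT-TO-LNS",
        Tunnel-Password:2 = "XXXXXXX",
        Tunnel-Type:3 = L2TP,
        Tunnel-Medium-Type:3 = IP,
        Tunnel-Server-Endpoint:3 = "3.3.3.3",
        Tunnel-Preference:3 = 2,
        Tunnel-Assignment-ID:3 = "lns-farm",
        Tunnel-Client-Auth-ID:3 = "OUT-TO-LNS",
        Tunnel-Password:3 = "XXXXXXX"
```

Two points worth checking before using something like this. `Auth-Type := Accept` skips password checking, which is fine when the LAC only asks "where does this domain go" (the per-user password is then checked on the LNS, as in the two-RADIUS split Tom describes); if the LAC is meant to authenticate the user before forwarding, replace it with a real credential check for that realm. `Tunnel-Password` is the same shared secret as `l2tp tunnel password` on the box, so the `users` file must be readable only by the RADIUS daemon, and the RADIUS shared secret between LAC and server protects it in transit only as well as RADIUS's own attribute hiding does, so keep that path on a management network.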
