[cisco-bba] Help with VPDN Group config
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Tue Apr 7 03:55:55 EDT 2009
Actually, 12.4(20)T (and, I think, some future 12.2S*) will use the
source-ip as an additional criterion to select the vpdn-group. You can use
the command "show vpdn group-select { summary | keys ...}" to find out
which vpdn-group will be matched.
oli
Tony <> wrote on Tuesday, April 07, 2009 07:17:
> Unfortunately, I think the answer is not what you are hoping for.
>
> From:
> http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/vpdngrp.htm
>
> =====
> Typically, you need one VPDN group for each LAC. For an LNS that
> services many LACs, the configuration can become cumbersome; however,
> you can use the default VPDN group configuration if all the LACs will
> share the same tunnel attributes.
> =====
> Each VPDN group can only terminate from a single host name. If you
> enter a second terminate-from command on a VPDN group, it will
> replace the first terminate-from command.
> =====
>
>
>
> regards,
> Tony.
>
>
> --- On Tue, 7/4/09, Andy Saykao <andy.saykao at staff.netspace.net.au> wrote:
>
>> From: Andy Saykao <andy.saykao at staff.netspace.net.au>
>> Subject: [cisco-bba] Help with VPDN Group config
>> To: cisco-bba at puck.nether.net
>> Date: Tuesday, 7 April, 2009, 1:30 PM
>>
>> Hi All,
>>
>> We've recently changed the way we configure our VPDN groups on the
>> LNS. In the past we used to configure a VPDN group on our LNS for every
>> LAC on the Provider's end, but we have found out that we can use one
>> VPDN group to terminate all incoming LAC requests.
>>
>> Old Way - VPDN groups configured to terminate each individual LAC.
>>
>> vpdn-group PROVIDER1-NAB1    <-- Terminate a LAC in StateX
>>  accept-dialin
>>   protocol l2tp
>>   virtual-template 2
>>  terminate-from hostname provider1-nab1
>>  lcp renegotiation on-mismatch
>>  l2tp tunnel password AAABBBCCCDDD
>>  l2tp tunnel receive-window 100
>>  l2tp tunnel retransmit timeout min 2
>> !
>> vpdn-group PROVIDER1-ABC1    <--- Terminate a LAC in StateY
>>  accept-dialin
>>   protocol l2tp
>>   virtual-template 3
>>  terminate-from hostname provider1-abc1
>>  lcp renegotiation on-mismatch
>>  l2tp tunnel password AAABBBCCCDDD
>>  l2tp tunnel receive-window 100
>>  l2tp tunnel retransmit timeout min 2
>>
>>
>> New Way - One VPDN group configured to terminate all LACs.
>>
>> vpdn-group PROVIDER1-VPDN-1    <-- Terminate LACs in StateX
>> ! Default L2TP VPDN group
>>  accept-dialin
>>   protocol l2tp
>>   virtual-template 2
>>  source-ip 203.17.101.x
>>  lcp renegotiation on-mismatch
>>  l2tp tunnel password AAABBBCCCDDD
>>  l2tp tunnel receive-window 100
>>  l2tp tunnel retransmit timeout min 2
>> !
>> vpdn-group PROVIDER1-VPDN-2    <--- Terminate LACs in StateY
>>  accept-dialin
>>   protocol l2tp
>>   virtual-template 3
>>  source-ip 203.17.101.y
>>  lcp renegotiation on-mismatch
>>  l2tp tunnel password AAABBBCCCDDD
>>  l2tp tunnel receive-window 100
>>  l2tp tunnel retransmit timeout min 2
>>
>> Our LNSs actually terminate LAC requests from two different states
>> (but from the same Provider). We're using Loopback0 as the VPDN
>> source-ip for StateX and Loopback1 for the VPDN source-ip for StateY as
>> shown above. The LNS is physically located in StateX.
>>
>> What we're finding out while doing it this way is that the LNS
>> automatically adds a comment "! Default L2TP VPDN group" to our config,
>> making one of the VPDN groups the default VPDN group. In my example
>> above, it has made vpdn-group PROVIDER1-VPDN-1, which terminates LACs in
>> StateX, the default VPDN group. Therefore, LAC requests from StateY were
>> not being terminated using the proper vpdn-group PROVIDER1-VPDN-2 even
>> though we had the correct VPDN source-ip set. This caused our call
>> centre to skyrocket with calls from customers in StateY who were unable
>> to establish a PPPoX connection.
>>
>> We're not sure why the config is behaving this way. I would expect
>> that, given we've specified a VPDN source-ip for each VPDN group, the
>> LAC would source its termination point from the VPDN group with the
>> correct source-ip that it's supposed to initiate an L2TP tunnel with -
>> but we're finding that it's trying to establish an L2TP tunnel with
>> whatever VPDN group has been set as the "Default L2TP VPDN group".
>>
>> Is there a way to fix this so that LAC requests from StateX will use
>> its corresponding VPDN group and likewise LAC requests from StateY
>> will use its corresponding VPDN group?
>>
>> Thanks.
>>
>> Andy
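
An added example, not part of the original thread and not Cisco tooling: a Python check that parses vpdn-group stanzas from an LNS config and reports when more than one accept-dialin group has no terminate-from hostname, the layout described in the post above where one group ended up acting as the default. It assumes a group without terminate-from is a default-group candidate; the sample config, addresses and password are constructed placeholders.

```python
import re

# Constructed sample modelled on the "New Way" layout in the thread;
# addresses and password are placeholders, not values from the post.
SAMPLE_CONFIG = """\
vpdn-group PROVIDER1-VPDN-1
 accept-dialin
  virtual-template 2
 source-ip 192.0.2.1
 l2tp tunnel password PLACEHOLDER
!
vpdn-group PROVIDER1-VPDN-2
 accept-dialin
  virtual-template 3
 source-ip 192.0.2.2
 l2tp tunnel password PLACEHOLDER
!
vpdn-group PROVIDER1-NAB1
 accept-dialin
  virtual-template 2
 terminate-from hostname provider1-nab1
!
"""

def parse_vpdn_groups(config):
    """Return {group name: {"dialin", "hostname", "source_ip"}} per stanza."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("vpdn-group "):
            current = groups.setdefault(line.split(None, 1)[1],
                {"dialin": False, "hostname": None, "source_ip": None})
        elif not raw.startswith(" "):
            current = None  # "!" or any other top-level line ends the stanza
        elif current is not None:
            if line == "accept-dialin":
                current["dialin"] = True
            elif m := re.fullmatch(r"terminate-from hostname (\S+)", line):
                current["hostname"] = m.group(1)
            elif m := re.fullmatch(r"source-ip (\S+)", line):
                current["source_ip"] = m.group(1)
    return groups

def default_group_candidates(groups):
    """Assumption: an accept-dialin group with no terminate-from can become the default."""
    return [n for n, g in groups.items() if g["dialin"] and g["hostname"] is None]

def audit(config):
    """Return a finding when more than one group competes to be the default."""
    names = default_group_candidates(parse_vpdn_groups(config))
    return f"ambiguous default vpdn-group: {', '.join(names)}" if len(names) > 1 else None
```

Calling `audit(SAMPLE_CONFIG)` returns a finding naming both source-ip groups; a config where every group but one has terminate-from hostname returns `None`.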