[cisco-bba] Help with VPDN Group config

Tony td_miles at yahoo.com
Tue Apr 7 05:48:04 EDT 2009 

Thanks for clearing that up Oli.

I reserve the right to be both correct and incorrect, depending on IOS version in use :)


regards,
Tony.

--- On Tue, 7/4/09, Andy Saykao <andy.saykao at staff.netspace.net.au> wrote:

> From: Andy Saykao <andy.saykao at staff.netspace.net.au>
> Subject: RE: [cisco-bba] Help with VPDN Group config
> To: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>, "Tony" <td_miles at yahoo.com>, cisco-bba at puck.nether.net
> Date: Tuesday, 7 April, 2009, 6:32 PM
> Thanks for the reply Oli.
> 
> We are currently using 12.2(31)SB14 on this LNS and the
> command  "show
> vpdn group-select" is not supported.
> 
> If the source-ip command is used as an additional criteria
> then this
> might explain why it's working in another State where we've
> got three
> different vpdn-groups set up (all of them not having the
> "terminate-from
> hostname" in their vpdn-group config). These LNS's are
> ASR's running
> 122-33.XNB3 and they are properly terminating sessions
> correctly.
> 
> 
> -----Original Message-----
> From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
> 
> Sent: Tuesday, 7 April 2009 5:56 PM
> To: Tony; cisco-bba at puck.nether.net;
> Andy Saykao
> Subject: RE: [cisco-bba] Help with VPDN Group config
> 
> Actually, 12.4(20)T (and, I think, some future 12.2S*) will
> use the
> source-ip as an addtl. criteria to select the vpdn-group.
> You can use
> the command "show vpdn group-select { summary | keys ...}"
> to find out
> which vpdn-group will be matched..
> 
>     oli
> 
> Tony <> wrote on Tuesday, April 07, 2009 07:17:
> 
> > Unfortunately, I think the answer is not what you are
> hoping for.
> > 
> > From:
> >
> http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/vpdngrp.h
> tm
> > 
> > =====
> > Typically, you need one VPDN group for each LAC. For
> an LNS that 
> > services many LACs, the configuration can become
> cumbersome; however, 
> > you can use the default VPDN group configuration if
> all the LACs will 
> > share the same tunnel attributes. ===== Each VPDN
> group can only 
> > terminate from a single host name. If you enter a
> second 
> > terminate-from command on a VPDN group, it will
> replace the first 
> > terminate-from command. =====
> > 
> > 
> > 
> > regards,
> > Tony.
> > 
> > 
> > --- On Tue, 7/4/09, Andy Saykao <andy.saykao at staff.netspace.net.au>
> > wrote: 
> > 
> >> From: Andy Saykao <andy.saykao at staff.netspace.net.au>
> >> Subject: [cisco-bba] Help with VPDN Group config
> >> To: cisco-bba at puck.nether.net
> >> Date: Tuesday, 7 April, 2009, 1:30 PM
> >> 
> >> 
> >> 
> >> 
> >> 
> >> Hi
> >> All,
> >> 
> >> We've recently
> >> changed the way we configure our VPDN groups on
> the LNS. In the past 
> >> we use to configure a VPDN group on our LNS for
> every LAC on the 
> >> Provider's end, but we have found out that we can
> use one VPDN group 
> >> to terminate all incoming LAC requests.
> >> 
> >> Old Way
> >> - VPDN groups configured to terminate each
> individual LAC.
> >> 
> >> 
> >> vpdn-group
> >> PROVIDER1-NAB1 <-- Terminate a LAC in
> StateX  accept-dialin
> >> 
> >> protocol l2tp
> >>   virtual-template 2
> >>  terminate-from hostname
> >> provider1-nab1
> >>  lcp renegotiation on-mismatch
> >>  l2tp tunnel
> >> password AAABBBCCCDDD
> >>  l2tp tunnel
> >> receive-window 100
> >>  l2tp tunnel retransmit timeout min
> >> 2
> >> !
> >> vpdn-group
> >> PROVIDER1-ABC1 <--- Terminate a LAC in
> StateY  accept-dialin
> >>   protocol l2tp
> >>   virtual-template
> >> 3
> >>  terminate-from hostname provider1-abc1 
> lcp renegotiation 
> >> on-mismatch  l2tp tunnel password
> AAABBBCCCDDD  l2tp tunnel 
> >> receive-window 100  l2tp tunnel retransmit
> timeout min
> >> 2
> >> 
> >> 
> >> New Way -
> >> One VPDN group configured to terminate all LACs.
> >> 
> >> vpdn-group
> >> PROVIDER1-VPDN-1 <-- Terminate LACs in StateX !
> Default L2TP VPDN 
> >> group  accept-dialin
> >>   protocol l2tp
> >> 
> >> virtual-template 2
> >>  source-ip 203.17.101.x
> >>  lcp
> >> renegotiation on-mismatch
> >>  l2tp tunnel
> >> password AAABBBCCCDDD
> >>  l2tp tunnel
> >> receive-window 100
> >>  l2tp tunnel retransmit timeout min
> >> 2
> >> !
> >> vpdn-group
> >> PROVIDER1-VPDN-2 <--- Terminate LACs in
> StateY  accept-dialin
> >>   protocol l2tp
> >> 
> >> virtual-template 3
> >>  source-ip 203.17.101.y
> >>  lcp
> >> renegotiation on-mismatch
> >>  l2tp tunnel
> >> password AAABBBCCCDDD
> >>  l2tp tunnel
> >> receive-window 100
> >>  l2tp tunnel retransmit timeout min
> >> 2
> >> 
> >> Our LNS's actually
> >> terminate LAC request from
> >> two different states (but from the same Provider).
> We're using 
> >> Loopback0 as the VPDN source-ip for StateX and
> Loopback1 for the VPDN
> 
> >> source-ip for StateY as shown above. The LNS is
> physically located in
> 
> >> StateX.
> >> 
> >> What we're finding
> >> out while doing it this way is that the LNS
> automatically adds a 
> >> comment "!
> >> Default L2TP VPDN group" to our config making one
> of the VPDN groups 
> >> the default VPDN group. In my example above, it
> has made vpdn-group
> >> PROVIDER1-VPDN-1 which terminates LACs in StateX
> the default VPDN 
> >> group. Therefore, LAC requests from StateY were
> not being terminated 
> >> using the proper vpdn-group
> >> PROVIDER1-VPDN-2 eventhough we had the correct
> VPDN source-ip set. 
> >> This caused our call centre to sky rocket with
> calls from customers 
> >> in StateY who were unable to establish a PPPoX
> connection.
> >> 
> >> 
> >> We're not sure why the
> >> config is behaving this way. I
> >> would expect that given we've specified a VPDN
> source-ip for each 
> >> VPDN group that the LAC would source it's
> terminatation point from 
> >> the VPDN group with the correct source-ip that
> it's suppose to 
> >> initiate a L2TP tunnel with - but we're finding
> that it's trying to 
> >> establish a L2TP tunnel with whatever VPDN group
> has been set as the 
> >> "Default L2TP VPDN group".
> >> 
> >> Is there a way to fix this so
> >> that LAC requests from
> >> StateX will use it''s corresponding VPDN group and
> likewise LAC 
> >> requests from StateY will use it's corresponding
> VPDN group???
> >> 
> >> Thanks.
> >> 
> >> Andy
> >> 
> >> 
> >> 
> >> 
> > 
> > 
> > 
> > 
> > _______________________________________________
> > cisco-bba mailing list
> > cisco-bba at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-bba
> 
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email
> Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________
> 
> This email and any files transmitted with it are
> confidential and intended
>  solely for the use of the individual or entity to whom
> they are addressed. 
> Please notify the sender immediately by email if you have
> received this 
> email by mistake and delete this email from your system.
> Please note that
>  any views or opinions presented in this email are solely
> those of the
>  author and do not necessarily represent those of the
> organisation. 
> Finally, the recipient should check this email and any
> attachments for 
> the presence of viruses. The organisation accepts no
> liability for any 
> damage caused by any virus transmitted by this email.
> 
>

More information about the cisco-bba mailing list