[cisco-bba] Help with VPDN Group config

Andy Saykao andy.saykao at staff.netspace.net.au
Wed Apr 8 00:48:28 EDT 2009


For those interested, on our ASR running 12.2(33)XNB3, no default
vpdn-group is selected when all the vpdn-groups have a source-ip
configured.

This is my original vpdn-group config on the ASR. Notice how vpdn-group
nsdial has no source-ip set, and has been selected as the default
vpdn-group.

vpdn-group PROVIDER1-VPDN-GROUP-1
 accept-dialin
  protocol l2tp
  virtual-template 2
 source-ip 203.17.101.x
 lcp renegotiation on-mismatch
 l2tp tunnel password AAABBBCCCDDD
 l2tp tunnel receive-window 100
 l2tp tunnel retransmit timeout min 2
!
vpdn-group nsdial
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 3
 lcp renegotiation on-mismatch
 l2tp tunnel password WWWXXXYYYZZZ
 l2tp tunnel receive-window 100
 l2tp tunnel retransmit timeout min 2

When I add a source-ip to vpdn-group nsdial, the IOS no longer elects a
default vpdn-group. See how it's taken off the description "! Default
L2TP VPDN group" from vpdn-group nsdial.

vpdn-group PROVIDER1-VPDN-GROUP-1
 accept-dialin
  protocol l2tp
  virtual-template 2
 source-ip 203.17.101.x
 lcp renegotiation on-mismatch
 l2tp tunnel password AAABBBCCCDDD
 l2tp tunnel receive-window 100
 l2tp tunnel retransmit timeout min 2
!
vpdn-group nsdial
 description Soul Dialup Connections
 accept-dialin
  protocol l2tp
  virtual-template 3
 source-ip 203.17.101.y
 lcp renegotiation on-mismatch
 l2tp tunnel password WWWXXXYYYZZZ
 l2tp tunnel receive-window 100
 l2tp tunnel retransmit timeout min 2

Cheers.

Andy
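As an added illustration (not part of Andy's message or any Cisco tool), the check below parses vpdn-group stanzas out of an IOS config dump and flags the shape described above: a group with neither `terminate-from hostname` nor `source-ip`, which IOS then marks "! Default L2TP VPDN group" and uses as the catch-all, plus any source-ip shared by more than one group. The sample input is Andy's original ASR config from this message with the masked 203.17.101.x address kept as written.

```python
import re

# Sample input: Andy's original ASR config from the message above, trimmed to
# the lines that matter for group selection (address masked as on the list).
SAMPLE_CONFIG = """\
vpdn-group PROVIDER1-VPDN-GROUP-1
 accept-dialin
  protocol l2tp
  virtual-template 2
 source-ip 203.17.101.x
!
vpdn-group nsdial
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 3
"""

def parse_vpdn_groups(config):
    """Map each vpdn-group name to its source-ip and terminate-from hostname (None if absent)."""
    groups, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("!"):             # IOS comment/separator: does not end a block
            continue
        if not raw.startswith(" "):         # any other top-level line ends the open block
            m = re.match(r"^vpdn-group (\S+)\s*$", raw)
            current = m.group(1) if m else None
            if current:
                groups[current] = {"source_ip": None, "terminate_from": None}
        elif current:
            words = raw.split()
            if words[:1] == ["source-ip"] and len(words) == 2:
                groups[current]["source_ip"] = words[1]
            elif words[:2] == ["terminate-from", "hostname"] and len(words) == 3:
                groups[current]["terminate_from"] = words[2]
    return groups

def audit_vpdn_groups(groups):
    """Report groups that would act as the catch-all default, and source-ips used by several groups."""
    findings, by_ip = [], {}
    for name, g in groups.items():
        if g["source_ip"] is None and g["terminate_from"] is None:
            findings.append(f"{name}: no terminate-from and no source-ip, becomes the default group")
        if g["source_ip"]:
            by_ip.setdefault(g["source_ip"], []).append(name)
    for ip, names in by_ip.items():
        if len(names) > 1:
            findings.append(f"source-ip {ip} shared by {', '.join(names)}, selection is ambiguous")
    return findings
```

Run `audit_vpdn_groups(parse_vpdn_groups(SAMPLE_CONFIG))` to see nsdial reported; adding a distinct source-ip to nsdial, as Andy did, clears the finding.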


-----Original Message-----
From: Tony [mailto:td_miles at yahoo.com] 
Sent: Tuesday, 7 April 2009 7:48 PM
To: Oliver Boehmer (oboehmer); cisco-bba at puck.nether.net; Andy Saykao
Subject: RE: [cisco-bba] Help with VPDN Group config


Thanks for clearing that up Oli.

I reserve the right to be both correct and incorrect, depending on IOS
version in use :)


regards,
Tony.

--- On Tue, 7/4/09, Andy Saykao <andy.saykao at staff.netspace.net.au>
wrote:

> From: Andy Saykao <andy.saykao at staff.netspace.net.au>
> Subject: RE: [cisco-bba] Help with VPDN Group config
> To: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>, "Tony" 
> <td_miles at yahoo.com>, cisco-bba at puck.nether.net
> Date: Tuesday, 7 April, 2009, 6:32 PM
> Thanks for the reply Oli.
> 
> We are currently using 12.2(31)SB14 on this LNS and the command "show
> vpdn group-select" is not supported.
> 
> If the source-ip command is used as an additional criterion then this
> might explain why it's working in another State where we've got three
> different vpdn-groups set up (all of them not having the
> "terminate-from hostname" in their vpdn-group config). These LNS's are
> ASR's running 122-33.XNB3 and they are properly terminating sessions
> correctly.
> 
> 
> -----Original Message-----
> From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
> 
> Sent: Tuesday, 7 April 2009 5:56 PM
> To: Tony; cisco-bba at puck.nether.net;
> Andy Saykao
> Subject: RE: [cisco-bba] Help with VPDN Group config
> 
> Actually, 12.4(20)T (and, I think, some future 12.2S*) will use the
> source-ip as an additional criterion to select the vpdn-group. You can
> use the command "show vpdn group-select { summary | keys ...}" to find
> out which vpdn-group will be matched.
> 
>     oli
> 
> Tony <> wrote on Tuesday, April 07, 2009 07:17:
> 
> > Unfortunately, I think the answer is not what you are hoping for.
> > 
> > From:
> > http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/vpdngrp.htm
> > 
> > =====
> > Typically, you need one VPDN group for each LAC. For an LNS that
> > services many LACs, the configuration can become cumbersome; however,
> > you can use the default VPDN group configuration if all the LACs will
> > share the same tunnel attributes.
> > =====
> > Each VPDN group can only terminate from a single host name. If you
> > enter a second terminate-from command on a VPDN group, it will
> > replace the first terminate-from command.
> > =====
> > 
> > 
> > 
> > regards,
> > Tony.
> > 
> > 
> > --- On Tue, 7/4/09, Andy Saykao <andy.saykao at staff.netspace.net.au>
> > wrote: 
> > 
> >> From: Andy Saykao <andy.saykao at staff.netspace.net.au>
> >> Subject: [cisco-bba] Help with VPDN Group config
> >> To: cisco-bba at puck.nether.net
> >> Date: Tuesday, 7 April, 2009, 1:30 PM
> >> 
> >> Hi All,
> >> 
> >> We've recently changed the way we configure our VPDN groups on the
> >> LNS. In the past we used to configure a VPDN group on our LNS for
> >> every LAC on the Provider's end, but we have found out that we can
> >> use one VPDN group to terminate all incoming LAC requests.
> >> 
> >> Old Way - VPDN groups configured to terminate each individual LAC.
> >> 
> >> vpdn-group PROVIDER1-NAB1 <-- Terminate a LAC in StateX
> >>  accept-dialin
> >>   protocol l2tp
> >>   virtual-template 2
> >>  terminate-from hostname provider1-nab1
> >>  lcp renegotiation on-mismatch
> >>  l2tp tunnel password AAABBBCCCDDD
> >>  l2tp tunnel receive-window 100
> >>  l2tp tunnel retransmit timeout min 2
> >> !
> >> vpdn-group PROVIDER1-ABC1 <--- Terminate a LAC in StateY
> >>  accept-dialin
> >>   protocol l2tp
> >>   virtual-template 3
> >>  terminate-from hostname provider1-abc1
> >>  lcp renegotiation on-mismatch
> >>  l2tp tunnel password AAABBBCCCDDD
> >>  l2tp tunnel receive-window 100
> >>  l2tp tunnel retransmit timeout min 2
> >> 
> >> New Way - One VPDN group configured to terminate all LACs.
> >> 
> >> vpdn-group PROVIDER1-VPDN-1 <-- Terminate LACs in StateX
> >> ! Default L2TP VPDN group
> >>  accept-dialin
> >>   protocol l2tp
> >>   virtual-template 2
> >>  source-ip 203.17.101.x
> >>  lcp renegotiation on-mismatch
> >>  l2tp tunnel password AAABBBCCCDDD
> >>  l2tp tunnel receive-window 100
> >>  l2tp tunnel retransmit timeout min 2
> >> !
> >> vpdn-group PROVIDER1-VPDN-2 <--- Terminate LACs in StateY
> >>  accept-dialin
> >>   protocol l2tp
> >>   virtual-template 3
> >>  source-ip 203.17.101.y
> >>  lcp renegotiation on-mismatch
> >>  l2tp tunnel password AAABBBCCCDDD
> >>  l2tp tunnel receive-window 100
> >>  l2tp tunnel retransmit timeout min 2
> >> 
> >> Our LNS's actually terminate LAC requests from two different states
> >> (but from the same Provider). We're using Loopback0 as the VPDN
> >> source-ip for StateX and Loopback1 for the VPDN source-ip for StateY
> >> as shown above. The LNS is physically located in StateX.
> >> 
> >> What we're finding out while doing it this way is that the LNS
> >> automatically adds a comment "! Default L2TP VPDN group" to our
> >> config, making one of the VPDN groups the default VPDN group. In my
> >> example above, it has made vpdn-group PROVIDER1-VPDN-1, which
> >> terminates LACs in StateX, the default VPDN group. Therefore, LAC
> >> requests from StateY were not being terminated using the proper
> >> vpdn-group PROVIDER1-VPDN-2 even though we had the correct VPDN
> >> source-ip set. This caused our call centre to skyrocket with calls
> >> from customers in StateY who were unable to establish a PPPoX
> >> connection.
> >> 
> >> We're not sure why the config is behaving this way. I would expect
> >> that, given we've specified a VPDN source-ip for each VPDN group, the
> >> LAC would source its termination point from the VPDN group with the
> >> correct source-ip that it's supposed to initiate an L2TP tunnel with,
> >> but we're finding that it's trying to establish an L2TP tunnel with
> >> whatever VPDN group has been set as the "Default L2TP VPDN group".
> >> 
> >> Is there a way to fix this so that LAC requests from StateX will use
> >> their corresponding VPDN group and likewise LAC requests from StateY
> >> will use their corresponding VPDN group???
> >> 
> >> Thanks.
> >> 
> >> Andy