[cisco-bba] L2TP on dynamic IP

LM asturluismi at gmail.com
Wed Jan 26 05:26:37 EST 2011


I have L2TP running between Android mobiles and Cisco routers for remote 
access in the team.

L2TP configuration is based on Virtual-template, so a connected route is 
configured for every L2TP session.
In order to provide a fixed IP address to each account the config is...

! definition of the user & passwd
username YYYY privilege 0 password 7 XXXXXXX

! Previous user must use an attribute list
username YYYY aaa attribute list YYYY

! attribute list with the fixed IP assigned over L2TP
aaa attribute list YYYY
 attribute type addr 10.54.1.1

! Pool
ip local pool pool-l2tp 10.54.1.1 10.54.1.254


The rest of the config is a normal L2TP config so far.


Hope this helps :D
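As an added check (my own example, not code from the post or from Cisco), here is a small Python audit of the username / aaa attribute list / ip local pool mapping shown above: it flags an attribute list without an address, two accounts sharing one fixed address, an address outside the local pool, and a type 7 password (type 7 is a reversible encoding, whereas `username ... secret` stores a hash). The sample config, the user names alice/bob/carol/dave and the address values are constructed for the example.

```python
import ipaddress
import re

# Constructed sample (not from the post): bob reuses alice's address, carol's address is outside the pool, dave's list is missing.
SAMPLE_CONFIG = """\
username alice privilege 0 password 7 XXXXXXX
username alice aaa attribute list alice
username bob aaa attribute list bob
username carol aaa attribute list carol
username dave aaa attribute list dave
aaa attribute list alice
 attribute type addr 10.54.1.1
aaa attribute list bob
 attribute type addr 10.54.1.1
aaa attribute list carol
 attribute type addr 10.54.2.7
ip local pool pool-l2tp 10.54.1.1 10.54.1.254
"""

def parse_config(text):
    users, lists, pools, weak, cur = {}, {}, {}, set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"username (\S+) aaa attribute list (\S+)$", line):
            users[m[1]] = m[2]                      # user -> attribute list name
        elif m := re.match(r"username (\S+) .*\bpassword 7 ", line):
            weak.add(m[1])                          # type 7 is reversible, not a hash
        elif m := re.match(r"aaa attribute list (\S+)$", line):
            cur, lists[m[1]] = m[1], None           # list -> fixed addr (filled below)
        elif (m := re.match(r"attribute type addr (\S+)$", line)) and cur:
            lists[cur] = ipaddress.ip_address(m[1])
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
    return users, lists, pools, weak

def audit(text):
    users, lists, pools, weak = parse_config(text)
    findings, seen = [], {}                         # seen: addr -> first user holding it
    for user, lst in sorted(users.items()):
        addr = lists.get(lst)
        if addr is None:
            findings.append(f"{user}: list {lst} has no 'attribute type addr'")
        elif addr in seen:
            findings.append(f"{user}: {addr} already assigned to {seen[addr]}")
        elif not any(lo <= addr <= hi for lo, hi in pools.values()):
            findings.append(f"{user}: {addr} is outside every ip local pool")
        else:
            seen[addr] = user
    for user in sorted(weak):
        findings.append(f"{user}: 'password 7' is reversible, use 'username {user} secret'")
    return findings                                 # empty list = mapping is consistent
```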

On 20/01/11 16:42, John Fitzgerald wrote:
>
> Hi Arie,
>
> I definitely would like to define a fixed IP to the customer, but on 
> the WAN side the CPE is configured by a third party provider (an 
> access provider).
>
> So in fact, I can’t get my hands on the CPE. So the idea was to place 
> an L2TP Client behind the CPE (on LAN side) which makes the connection 
> outbound to my Router. My router terminates the L2TP Tunnel.
>
> When my router recognizes the L2TP Connect, my router provides an IP 
> address statically of my pool to the client’s interface.
>
> Furthermore, my router will insert a somewhat static route to the 
> client in his routing table, so the customer will be reachable through 
> this IP. In detail, the customer L2TP Server has 2 NICs, one points to 
> the CPE and has masked IP Addresses (e.g. 192.168.X.X) and the other 
> one should route the officially routed net, my router is sending (like 
> AAA.BBB.CCC.DDD).
>
> With this tunnel, I would be able to tunnel other data packets to the 
> client as well as speak bgp to the client though still use my IP space.
>
> At last, the customers computers would be reachable through the L2TP 
> tunnel and the IP addresses would be from my nets.
>
> The only trick is: The client has an access network from another 
> provider and I can’t get hands on the configuration of his CPE. 
> Furthermore, the external IP address of the customer might change from 
> day to day.
>
> For reliability, I would prefer fiber, of course. But the next fiber 
> is approx. 2 miles away and digging is approx. 40k EUROS (!).
>
> So, I am looking for a solution to provide BGP redundancy to smaller 
> customers (e.g. 50 Users) even at locations, where I can not do what I 
> want. This would make it possible for customers with provider 
> independent address space to have bgp with 2 neighbors (e.g. one is 
> their standard ISP with a fast line (100Mbps), one is the backup ISP 
> (e.g. 20 Mbps via G.SHDSL …).
>
> Cheers,
>
> John
>
> From: arievayner at gmail.com [mailto:arievayner at gmail.com] On Behalf 
> Of Arie Vayner
> Sent: Wednesday, January 19, 2011 8:58 PM
> To: John Fitzgerald
> Cc: cisco-bba at puck.nether.net
> Subject: Re: [cisco-bba] L2TP on dynamic IP
>
> John,
>
> What would most likely be a better solution for both solutions is to 
> assign the customer a fixed IP allocated from RADIUS when they connect 
> over L2TP (I assume PPP...)
> This will allow you to have a static BGP session with the statically 
> allocated IP address.
>
> Another option is to look at the BGP dynamic neighbors feature:
> http://www.cisco.com/en/US/docs/ios/12_4t/ip_route/configuration/guide/brbpeer.html#wp1131929
>
> For IPSec there are quite a few solutions for IPSec sessions with 
> dynamic peers.
> I think this could be a good starting point:
> http://www.cisco.com/en/US/products/ps6635/prod_white_papers_list.html
>
> Arie
>
> On Wed, Jan 19, 2011 at 8:23 PM, John Fitzgerald 
> <john.fitzgerald at internet.de> wrote:
>
> Hi,
>
> I've got two design questions:
>
>
> 1. Is it possible to map a net via L2TP (IPv4 PI Space) to a client, which
> comes from a dynamic IP Address? E.g. he has RIPE PI Space AAA.BBB.CCC.DDD
> and as he connects, routers will allow traffic to his network
> AAA.BBB.CCC.DDD and BGPv4 will recognize and will allow route servers to be
> changed...
>
> 2. Is it possible to have the IPSec with (1.)?
>
>
> Cheers,
>
>
> John
>
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba
