[c-nsp] Cisco DSL Config Question - Multiple Domains

Paul Stewart pstewart at nexicomgroup.net
Wed Sep 6 13:23:53 EDT 2006


OK... I was hoping to find a way around this but it doesn't appear
possible..:)  Thanks for the replies.. I have put a request in to the
telco (Bell Canada) to find out if they will do this...

All the best,

Paul Stewart
Network Administrator
Nexicom Inc.
http://www.nexicom.net/  

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Freedman
Sent: Wednesday, September 06, 2006 1:21 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco DSL Config Question - Multiple Domains

Sorry, I think what both ollie and I were saying implies that you need
two "tunnels" from the provider, each with a different name.

i.e.

vpdn-group 1
 terminate-from hostname foo
vpdn-group 2
 terminate-from hostname bar


from the telco's point of view, they have two virtual routers each with
a tunnel using a different (unique) hostname, both foo and bar.

Dave.


Paul Stewart wrote:
> Hmm.. Now that's interesting...
> 
> Since terminate-from will be the same on the two examples below, does 
> that not create a problem??  Sorry, not doubting you.. Just wondering 
> as I know DSL terminates in many many different flavors..;)  
> Unfortunately I have to do this cutover during daytime hours so trying
> to play this very safe...
> 
> All the best,
> 
> Paul Stewart
> Network Administrator
> Nexicom Inc.
> http://www.nexicom.net/
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Freedman
> Sent: Wednesday, September 06, 2006 1:06 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco DSL Config Question - Multiple Domains
> 
> I'm guessing if you want multiple tunnels? (between multiple 
> loopbacks)
> 
> If so you might want to split this into distinct vpdn groups.
> 
> Something like the following:
> 
> vpdn-group 1
>  description Inbound Tunnels from Telco Loopback A
>  accept-dialin
>   protocol l2tp
>   virtual-template 1
>  source-ip <IP Of int Loopback1>
>  terminate-from hostname <telco specific>
>  local name whatever
>  lcp renegotiation always
>  l2tp tunnel password 7 XXXXXXXXXXXXXXX
> 
> vpdn-group 2
>  description Inbound Tunnels from Telco Loopback B
>  accept-dialin
>   protocol l2tp
>   virtual-template 2
>  source-ip <IP Of int Loopback2>
>  terminate-from hostname <telco specific>
>  local name whatever
>  lcp renegotiation always
>  l2tp tunnel password 7 XXXXXXXXXXXXXXX
> 
> 
> Dave.
> 
> 
> Paul Stewart wrote:
>> I'm hoping someone can help me here..;)  We have a Cisco 7206VXR that
>> we use for DSL termination from a telco via l2tp tunnels.  Below is 
>> some snippets of the config.  Today, everything works fine but our 
>> goal is to split up three domains coming in **without** using 
>> proxy-radius and/or changing radius at all (don't go there). ;)
>> 
>> Our telco provider who is sending us the l2tp tunnels runs Juniper 
>> and can route each domain to a separate loopback on our side.  This all 
>> made sense until I started looking at vpdn-group configuration etc...
>> 
>> If they terminate each domain onto a separate loopback interface, how
>> can I bind that to a separate virtual-template where I can also 
>> define separate radius servers and IP pools for each domain?  Is there a way
>> to do this?  I had this figured out I thought until I found the 
>> "virtual-template 1" statement on the vpdn-group.. Is there a way to 
>> remove this and do it from the loopback instead?
>> 
>> Config:
>> 
>> aaa group server radius ABC
>>  server-private xxx.xxx.xxx.28 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXX
>>  server-private xxx.xxx.xxx.13 auth-port 1645 acct-port 0 key 7 XXXXXXXXXXXXXXX
>>  ip radius source-interface Loopback0
>> !
>> aaa group server radius XYZ
>>  server-private xxx.xxx.xxx.28 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXX
>>  server-private xxx.xxx.xxx.13 auth-port 1645 acct-port 0 key 7 XXXXXXXXXXXXXX
>>  ip radius source-interface Loopback0
>> 
>> aaa authentication ppp ABC group ABC
>> aaa authentication ppp XYZ group XYZ
>> aaa authorization network ABC group ABC
>> aaa authorization network XYZ group XYZ
>> aaa accounting delay-start
>> aaa accounting network ABC start-stop group ABC
>> aaa accounting network XYZ start-stop group XYZ
>> 
>> virtual-profile if-needed
>> vpdn enable
>> vpdn multihop
>> vpdn authen-before-forward
>> vpdn authorize directed-request
>> 
>> vpdn-group TSW1-KITCHENER06
>>  accept-dialin
>>   protocol l2tp
>>   virtual-template 1
>>  terminate-from hostname nexxia1013
>>  local name whatever
>>  lcp renegotiation always
>>  l2tp tunnel password 7 XXXXXXXXXXXXXXX
>> 
>> bba-group pppoe global
>>  virtual-template 1
>> 
>> interface Loopback1
>>  description ABC
>>  ip address XXX.XXX.XXX.178 255.255.255.255
>> !
>> interface Loopback2
>>  description XYZ
>>  ip address XXX.XXX.XXX.179 255.255.255.255
>> 
>> interface ATM1/0.13 point-to-point
>>  description TSW1-KITCHENER06/nexxia1013
>>  ip address 10.70.82.50 255.255.255.252
>>  no snmp trap link-status
>>  atm route-bridged ip
>>  pvc 1/46
>> 
>> interface Virtual-Template1
>>  description ABC
>>  ip unnumbered Loopback1
>>  ip mtu 1492
>>  ip mroute-cache
>>  no logging event link-status
>>  no snmp trap link-status
>>  peer default ip address pool ABC
>>  ppp authentication pap ABC
>>  ppp authorization ABC
>>  ppp accounting ABC
>>  no clns route-cache
>> 
>> interface Virtual-Template2
>>  description XYZ
>>  ip unnumbered Loopback2
>>  ip mtu 1492
>>  ip mroute-cache
>>  no logging event link-status
>>  no snmp trap link-status
>>  peer default ip address pool XYZ
>>  ppp authentication pap XYZ
>>  ppp authorization XYZ
>>  ppp accounting XYZ
>>  no clns route-cache
>> 
>> ip local pool ABC XXX.XXX.XXX.1 XXX.XXX.XXX.254
>> ip local pool XYZ YYY.YYY.YYY.1 YYY.YYY.YYY.254
>> 
>> radius-server attribute 44 include-in-access-req
>> radius-server attribute 32 include-in-access-req
>> radius-server attribute 32 include-in-accounting-req
>> radius-server attribute 55 include-in-acct-req
>> radius-server attribute nas-port format d
>> radius-server directed-request
>> radius-server domain-stripping
>> radius-server vsa send accounting
>> radius-server vsa send authentication
>> 
>> Paul Stewart
>> Network Administrator
>> Nexicom Inc.
>> http://www.nexicom.net/
>> 
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> 
> 

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
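
A pre-cutover check for the point the thread arrives at (each vpdn-group needs its own tunnel hostname to land on its own virtual-template). This is an added example, not code from any poster; the sample configs are constructed, and the function names are hypothetical. The names foo and bar follow David's reply.

```python
import re
from collections import defaultdict

# Constructed samples (not from a real router). SAME_NAME is the case asked
# about in the thread: two groups keyed on one tunnel hostname.
SAME_NAME = """\
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname nexxia1013
vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname nexxia1013
bba-group pppoe global
 virtual-template 1
"""
# The layout from the reply: the telco presents two tunnel names, foo and bar.
DISTINCT = SAME_NAME.replace("nexxia1013", "foo", 1).replace("nexxia1013", "bar", 1)


def parse_vpdn_groups(config):
    """Map each vpdn-group name to its terminate-from hostname and template."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # any top-level line closes the stanza
            m = re.match(r"vpdn-group (\S+)$", line)
            current = m.group(1) if m else None
            if current:
                groups[current] = {"hostname": None, "template": None}
        elif current:
            if m := re.match(r"terminate-from hostname (\S+)$", line):
                groups[current]["hostname"] = m.group(1)
            elif m := re.match(r"virtual-template (\d+)$", line):
                groups[current]["template"] = m.group(1)
    return groups


def shared_hostnames(config):
    """Return {hostname: [(group, template), ...]} for names used by >1 group."""
    by_host = defaultdict(list)
    for name, g in parse_vpdn_groups(config).items():
        if g["hostname"]:
            by_host[g["hostname"]].append((name, g["template"]))
    return {h: gs for h, gs in by_host.items() if len(gs) > 1}
```

Run `shared_hostnames()` over the candidate config before the change window; a non-empty result means two domains would be keyed on the same tunnel name, so their per-domain AAA lists and pools cannot be told apart by hostname.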


