[c-nsp] Default / catchall VPDN group for LNS

James Bensley jwbensley at gmail.com
Wed Jul 6 05:15:28 EDT 2016


Hmm, not sure why you have a VPDN group per LAC.


On 6 July 2016 at 05:36, CiscoNSP List <CiscoNSP_list at hotmail.com> wrote:
> vpdn-group 1
> ! Default L2TP VPDN group
>  accept-dialin
>   protocol l2tp
>   virtual-template 1
>  local name LNS <- Can this be "anything"?
>  lcp renegotiation always
>  l2tp tunnel password xxxx
>  ip mtu adjust

Yeah that is basically the gist of it, as Arie said you have selection
rules, more specific wins. So from this example LNS below, we have
three VPDN groups, one for $WHOLESALE-PROVIDER-1, one for
$WHOLESALE-PROVIDER-2 and one for $OUT_LLU. You can see in the
selection summary below that incoming L2TP tunnels that connect in a
specific VRF / to a specific IP / asking for a specific hostname get
matched into each of the VPDN groups;


vpdn-group WHOLESALER-1
 description BT WBC (21CN) SWAN
 accept-dialin
  protocol l2tp
  virtual-template 1
 session-limit 400
 vpn vrf WS-1
 source-ip 1.1.1.1
 local name lns1-dc01
 lcp renegotiation always
 l2tp tunnel password 7 aaaaaa
 ip pmtu

vpdn-group WHOLESALER-2
 description TTB ADSL LTS
 accept-dialin
  protocol l2tp
  virtual-template 2
 vpn vrf WS-2
 source-ip 1.1.1.2
 local name lns1-dc01
 lcp renegotiation always
 l2tp tunnel password 7 bbbbbbb
 ip pmtu

vpdn-group OUR-LACS
 description TTB ADSL LTS
 accept-dialin
  protocol l2tp
  virtual-template 3
 vpn vrf LLU
 source-ip 1.1.1.3
 local name lns1-dc01
 lcp renegotiation always
 l2tp tunnel password 7 ccccccc
 ip pmtu

lns1-dc01#show vpdn group-select summary
 VPDN Group      Vrf        Remote Name   Source-IP       Protocol Direction
 WHOLESALER-1    WS1                      1.1.1.1         l2tp     accept-dialin
 WHOLESALER-2    WS2                      1.1.1.2         l2tp     accept-dialin
 OUR-LACS        LLU                      1.1.1.3         l2tp     accept-dialin



So with $WP1 we use RADIUS, in all RADIUS requests we return the
sub-interface IP 1.1.1.1 so they always connect to the sub-interface
with the IP 1.1.1.1 in the VRF WS1 and thus always connect to the VPDN
group WHOLESALER-1.

For $WP2 we have no RADIUS integration, they have it hard coded into
their RADIUS servers to connect to 1.1.1.2, that sub-interface is in
the WS2 VRF and so they match into the WHOLESALER-2 VPDN group, and so
on.

To give a view of the bigger picture. All LNS's have these VPDN groups
configured, each with a sub-interface for terminating from the
different sets of LACs. For $WP1 for example we return all
sub-interface IPs on all LNS's in the $WS1 VRF and they round-robin
across them all so we have even traffic distribution (but we can steer
in RADIUS if required) and we can graph the individual VPDN group
usage per LNS, and create aggregate stack graphs etc.

Hope that helps.

Cheers,
James.
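
An added example, not part of the original post and not Cisco tooling: a Python check over a saved config that lists vpdn-group stanzas with no selector (catch-alls that match any incoming tunnel not claimed by a more specific group) and groups whose selectors are identical. The sample config is constructed, WHOLESALER-1B is a hypothetical name, and treating `vpn vrf`, `source-ip` and `terminate-from hostname` as the selectors is an assumption based on the columns of the group-select summary above.

```python
import re

# Constructed sample: a catch-all group, a pinned group, and a duplicate.
SAMPLE = """\
vpdn-group 1
 accept-dialin
  protocol l2tp
 local name LNS
vpdn-group WHOLESALER-1
 accept-dialin
  protocol l2tp
 vpn vrf WS-1
 source-ip 1.1.1.1
vpdn-group WHOLESALER-1B
 vpn vrf WS-1
 source-ip 1.1.1.1
"""

# Commands assumed to narrow which incoming tunnels a group will accept.
SELECTOR = re.compile(r"^(vpn vrf|source-ip|terminate-from hostname) (\S+)")

def parse_vpdn_groups(config):
    """Return {group name: {selector command: value}} per vpdn-group stanza."""
    groups, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("vpdn-group "):
            current = groups.setdefault(raw.split(None, 1)[1].strip(), {})
        elif not raw.startswith(" "):
            current = None  # any other top-level line ends the stanza
        elif current is not None:
            m = SELECTOR.match(raw.strip())
            if m:
                current[m.group(1)] = m.group(2)
    return groups

def audit(config):
    """Return (catch-all groups, pairs of groups with identical selectors)."""
    groups = parse_vpdn_groups(config)
    catch_all = [name for name, sel in groups.items() if not sel]
    seen, clashes = {}, []
    for name, sel in groups.items():
        key = tuple(sorted(sel.items()))
        if sel and key in seen:
            clashes.append((seen[key], name))
        seen.setdefault(key, name)
    return catch_all, clashes

if __name__ == "__main__":
    print(audit(SAMPLE))
```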

