VPDN LNS Address Checking


First Published: Sept. 30, 2007
Last Updated: Aug. 28, 2008

The LNS Address Checking feature allows a Layer 2 Tunnel Protocol (L2TP) Access Concentrator (LAC) that is receiving data from an L2TP Network Server (LNS) to check, before establishing an L2TP tunnel, whether the IP addresses contained in the Start Control Connection Reply (SCCRP) and Start Control Connection Request (SCCRQ) messages are identical. If these IP addresses do not match, the L2TP tunnel is not established. This prevents any traffic from reaching the LNS when an ISP sends traffic back to an LNS using an alternate IP address.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information for LNS Address Checking section. Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for LNS Address Checking
Information About LNS Address Checking
Configuring LNS Address Checking
Configuration Examples for LNS Address Checking
Additional References
Command Reference
Feature Information for LNS Address Checking

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Prerequisites for LNS Address Checking

Before you can configure the LNS Address Checking feature, you must configure a VPDN deployment. For an overview of VPDN deployments, refer to the VPDN Technology Overview module.

Information About LNS Address Checking

To configure the LNS Address Checking feature, you should understand the following concepts:

Benefits of LNS Address Checking
Using a RADIUS Server
Debugging Dropped Control Packets

Benefits of LNS Address Checking

The LNS Address Checking feature allows a LAC to check the IP address of the LNS sending traffic to it during the setup of an L2TP tunnel, thus providing a check for uplink and downlink traffic arriving from different interfaces. The benefit of the feature is avoiding the loss of revenue from users sending back traffic through an alternate network.

Using a RADIUS Server

Use the Cisco attribute-value pair (AVP), downloaded from a RADIUS server during authentication, to enable IP address checking at the LAC. The Cisco AVP is:

    l2tp-security-ip-address-check=yes

The following RADIUS profile example shows LNS address checking enabled:

    example.com Password="example" Service-Type=Outbound
        Cisco-Avpair="vpdn:tunnel-id=tunnel"
        Cisco-Avpair="vpdn:tunnel-type=l2tp"
        Cisco-Avpair="vpdn:ip-address=10.10.10.1"
        Cisco-Avpair="vpdn:l2tp-tunnel-password=example"
        Cisco-Avpair="vpdn:l2tp-security-ip-address-check=yes"

Debugging Dropped Control Packets

Use the LNS Address Checking feature to help troubleshoot dropped control packets. If you configure the debug vpdn l2x-error command, an informational message is displayed for each control packet that is dropped, in the following format:

    Tnl <tunnel-id> L2TP: Drop <L2TP-packet-name> from y.y.y.y (attempted) x.x.x.x
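The check described in the sections above, as an added model that is not Cisco code and not taken from this module: the LAC records the LNS address it sent the SCCRQ to, and when the SCCRP arrives it is accepted only if its source address is that same address; otherwise the packet is dropped and a line in the documented debug format is recorded. The class and function names (Lac, lns_reply, setup_tunnel), the addresses, and the reading that y.y.y.y is the actual source and x.x.x.x the attempted address are assumptions made for this illustration.

```python
"""Model of the LAC-side LNS address check (added illustration, not Cisco code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address


@dataclass
class ControlMessage:
    """Constructed L2TP control message carrying only what the check needs."""
    name: str              # "SCCRQ" or "SCCRP"
    src: IPv4Address
    dst: IPv4Address
    tunnel_id: int


@dataclass
class Lac:
    """L2TP Access Concentrator with the optional 'l2tp security ip address-check'."""
    own_ip: IPv4Address
    address_check: bool
    pending: dict = field(default_factory=dict)     # tunnel_id -> LNS address the SCCRQ went to
    established: set = field(default_factory=set)
    debug_log: list = field(default_factory=list)   # lines in the 'debug vpdn l2x-error' format

    def send_sccrq(self, tunnel_id, lns_ip):
        """Send SCCRQ to the configured LNS address and remember where it went."""
        self.pending[tunnel_id] = ip_address(lns_ip)
        return ControlMessage("SCCRQ", self.own_ip, ip_address(lns_ip), tunnel_id)

    def receive(self, msg):
        """Return True if the control message is accepted, False if it is dropped."""
        attempted = self.pending.get(msg.tunnel_id)
        if attempted is None or msg.name != "SCCRP":
            return False                            # no SCCRQ outstanding for this tunnel
        if self.address_check and msg.src != attempted:
            # Assumed mapping: y.y.y.y = actual source, x.x.x.x = address the SCCRQ was sent to
            self.debug_log.append(
                f"Tnl {msg.tunnel_id} L2TP: Drop {msg.name} from {msg.src} (attempted) {attempted}")
            return False
        self.established.add(msg.tunnel_id)
        del self.pending[msg.tunnel_id]
        return True


def lns_reply(sccrq, reply_from=None):
    """Constructed LNS behaviour: answer the SCCRQ with an SCCRP, optionally from an alternate address."""
    src = ip_address(reply_from) if reply_from else sccrq.dst
    return ControlMessage("SCCRP", src, sccrq.src, sccrq.tunnel_id)


def setup_tunnel(address_check, lns_ip="10.10.10.1", reply_from=None, tunnel_id=7):
    """Run one SCCRQ/SCCRP exchange; return (tunnel accepted?, debug lines)."""
    lac = Lac(ip_address("192.0.2.10"), address_check)   # constructed LAC address
    sccrq = lac.send_sccrq(tunnel_id, lns_ip)
    accepted = lac.receive(lns_reply(sccrq, reply_from))
    return accepted, lac.debug_log


if __name__ == "__main__":
    print(setup_tunnel(True))                              # LNS answers from the expected address
    print(setup_tunnel(True, reply_from="10.10.10.2"))     # alternate address, check enabled: dropped
    print(setup_tunnel(False, reply_from="10.10.10.2"))    # alternate address, check disabled: accepted
```

With the check disabled, the third exchange succeeds even though the reply came from a different address, which is exactly the traffic path the feature is meant to refuse.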

Configuring LNS Address Checking

To configure the feature, follow this procedure.

SUMMARY STEPS

1. enable
2. configure terminal
3. vpdn enable
4. vpdn-group <vpdn-group-name>
5. l2tp security ip address-check
6. exit

DETAILED STEPS

Step 1: enable
    Router> enable
    Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Router# configure terminal
    Enters global configuration mode.

Step 3: vpdn enable
    Router(config)# vpdn enable
    Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database or on a remote authorization server (home gateway), if one is present.

Step 4: vpdn-group <vpdn-group-name>
    Router(config)# vpdn-group example
    Creates a VPDN group and associates a name with it.

Step 5: l2tp security ip address-check
    Router(config-vpdn)# l2tp security ip address-check
    Configures the LAC to compare the IP addresses contained in the inbound and outbound messages to ensure they are identical. If the IP addresses do not match, the L2TP tunnel is not established.

Step 6: exit
    Router(config-vpdn)# exit
    Exits VPDN configuration mode.

Configuration Examples for LNS Address Checking

Example

The following example shows the configuration for the LNS Address Checking feature.

    Router> enable
    Router# configure terminal
    Router(config)# vpdn enable
    Router(config)# vpdn-group example
    Router(config-vpdn)# l2tp security ip address-check

The following shows an example configuration for the client router.

    hostname Client
    enable password example
    no aaa new-model
    vpdn enable
    bba-group pppoe 1
     virtual-template 1
    interface <interface toward LAC>
     pppoe enable group 1
    interface Virtual-Template 1
     ip unnumbered <interface>
     ppp pap sent-username@example.com
    end

The following shows an example configuration for the LAC.

    hostname LAC
    enable password example
    no aaa new-model
    vpdn enable
    vpdn-group 1
     request-dialin
      protocol l2tp
      domain example.com
     initiate-to ip <lns 1 IP address>
     l2tp tunnel password 0 example
    bba-group pppoe 1
     virtual-template 1
    interface Virtual-Template 1
     no ip address
     ppp authentication pap
    interface <interface>
     pppoe enable group 1
    end

The following shows an example configuration for LNS 1.

    hostname LNS1
    enable password example
    aaa authentication ppp default local
    vpdn enable
    vpdn-group 1
    ! Default L2TP VPDN group
     accept-dialin
      protocol l2tp
      virtual-template 1
     l2tp tunnel password 0 example
    vpdn-group 2
     request-dialin
      protocol l2tp
      domain example.com
     initiate-to ip <lns 2 IP address>
     l2tp tunnel password 0 example
    interface Virtual-Template 1
     ip unnumbered <interface>
     ppp authentication pap
    end

Additional References

The following sections provide references related to the LNS Address Checking feature.

Related Documents

    Related Topic: L2TP
    Document Title: Layer 2 Tunnel Protocol Technology Brief

Standards

    None

MIBs

    To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

    RFC 2661: Layer Two Tunneling Protocol (L2TP)

Technical Assistance

    The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register on Cisco.com.
    Link: http://www.cisco.com/techsupport

Command Reference

The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS VPDN Command Reference at http://www.cisco.com/en/us/docs/ios/vpdn/command/reference/vpd_book.html. For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/support/clilookup or the Cisco IOS Master Command List, All Releases, at http://www.cisco.com/en/us/docs/ios/mcl/allreleasemcl/all_book.html.

l2tp security ip address-check

l2tp security ip address-check

To enable the checking of an IP address from an L2TP Network Server (LNS) before the setup of an L2TP tunnel from the L2TP Access Concentrator (LAC) to the LNS, use the l2tp security ip address-check command in VPDN-group configuration mode. To disable the checking of an IP address from an LNS before the setup of an L2TP tunnel from the LAC to the LNS, use the no form of this command.

    l2tp security ip address-check
    no l2tp security ip address-check

Syntax Description

    This command has no arguments or keywords.

Command Default

    The command is disabled.

Command Modes

    VPDN-group configuration (config-vpdn)

Command History

    12.2(31)ZV: This command was introduced.
    12.2(34)SB: This command was integrated in Cisco IOS Release 12.2SB.

Usage Guidelines

Use the l2tp security ip address-check command to enable or disable the matching, by the LAC and prior to L2TP tunnel setup, of the incoming transport IP address of an LNS against the output IP address of the LNS. Once enabled, the LAC inspects, before establishing an L2TP tunnel, whether the IP addresses contained in the Start Control Connection Reply (SCCRP) and Start Control Connection Request (SCCRQ) messages are identical. If these IP addresses do not match, the L2TP tunnel is not established.

You can use the debug vpdn l2x-error command in conjunction with the l2tp security ip address-check command to display an informational message for each control packet dropped.

Examples

The following example shows how to enable the verification of an incoming transport IP address from an LNS against the output IP address of the LNS:

    Router> enable
    Router# configure terminal
    Router(config)# vpdn enable
    Router(config)# vpdn-group example
    Router(config-vpdn)# l2tp security ip address-check

Related Commands

    debug vpdn l2x-error: Displays a message for each control packet dropped.
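The drop messages produced with debug vpdn l2x-error are the evidence an operator has that an LNS is answering from an address other than the one the tunnel was initiated to. The following added parser is an illustration written for this page, not Cisco code: it extracts the documented drop lines from captured debug output, counts drops per tunnel, and maps each attempted LNS address to the set of addresses that actually answered. The sample log, the address values, the timestamp prefixes and the function names (parse_drops, summarize, alternate_sources) are all constructed for the example; the regular expression uses search rather than an anchored match so that a timestamp prefix, as produced when service timestamps debug is configured, does not prevent a match.

```python
"""Parse 'debug vpdn l2x-error' drop lines (added illustration, not Cisco code)."""
import re
from collections import Counter

# Documented format of a drop message:
#   Tnl <tunnel-id> L2TP: Drop <L2TP-packet-name> from y.y.y.y (attempted) x.x.x.x
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DROP_RE = re.compile(
    r"Tnl (?P<tunnel>\d+) L2TP: Drop (?P<packet>\S+) from (?P<src>" + IPV4 + r") "
    r"\(attempted\) (?P<attempted>" + IPV4 + r")")

# Constructed sample of debug output; addresses and timestamps are illustrative only.
SAMPLE_LOG = """\
*Aug 28 10:15:02.101: Tnl 12 L2TP: Drop SCCRP from 10.10.10.2 (attempted) 10.10.10.1
*Aug 28 10:15:32.104: Tnl 12 L2TP: Drop SCCRP from 10.10.10.2 (attempted) 10.10.10.1
*Aug 28 10:16:07.550: Tnl 14 L2TP: Drop SCCRP from 198.51.100.7 (attempted) 10.10.10.1
*Aug 28 10:16:09.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
"""


def parse_drops(text):
    """Return one dict per drop line: tunnel (int), packet, src, attempted. Other lines are ignored."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["tunnel"] = int(d["tunnel"])
            drops.append(d)
    return drops


def summarize(drops):
    """Count drops per (attempted address, actual source) pair and per tunnel id."""
    pairs = Counter((d["attempted"], d["src"]) for d in drops)
    tunnels = Counter(d["tunnel"] for d in drops)
    return pairs, tunnels


def alternate_sources(drops):
    """Map each attempted LNS address to the set of addresses that actually answered."""
    out = {}
    for d in drops:
        out.setdefault(d["attempted"], set()).add(d["src"])
    return out


if __name__ == "__main__":
    found = parse_drops(SAMPLE_LOG)
    pairs, tunnels = summarize(found)
    for (attempted, src), n in pairs.items():
        print(f"LNS {attempted} answered from {src}: {n} control packet(s) dropped")
    print("drops per tunnel:", dict(tunnels))
    print("alternate sources:", alternate_sources(found))
```

Repeated drops for the same (attempted, source) pair point at a persistent routing or interface configuration on the LNS side rather than a transient event, which is the case the feature is designed to surface.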

Feature Information for LNS Address Checking

Table 1 lists the release history for this feature. Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

Table 1 Feature Information for LNS Address Checking

Feature Name: LNS Address Checking
Releases: 12.2(34)SB, 12.2(31)ZV
Feature Information: Allows an L2TP Access Concentrator (LAC), receiving data from an L2TP Network Server (LNS), to check the IP address of the LNS prior to establishing an L2TP tunnel. The following command was introduced by this feature: l2tp security ip address-check.

Feature Name: Modified LNS Dead-Cache Handling
Releases: 12.2(34)SB, 12.2(31)ZV
Feature Information: Displays and clears (restarts) any LNS entry in a dead-cache (DOWN) state. The following commands were introduced by this feature: clear vpdn dead-cache and show vpdn dead-cache. The following commands were modified by this feature: snmp-server enable traps and vpdn logging.

Feature Name: VPDN Extended Failover
Releases: 12.2(34)SB, 12.2(31)ZV
Feature Information: Enables a failover with an LNS, if the LNS receives a valid L2TP CDN or StopCCN message before the LNS establishes a session.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

2008 Cisco Systems, Inc. All rights reserved.
