LNS Address Checking

First Published: Sept. 30, 2007
Last Updated: Aug. 28, 2008

The LNS Address Checking feature allows a Layer 2 Tunnel Protocol (L2TP) Access Concentrator (LAC) that is receiving data from an L2TP Network Server (LNS) to check, before it establishes an L2TP tunnel, that the IP address from which the Start Control Connection Reply (SCCRP) arrives is the same IP address to which the Start Control Connection Request (SCCRQ) was sent. If the two IP addresses do not match, the L2TP tunnel is not established. This prevents any traffic from reaching the LNS when an ISP sends traffic back to the LAC from an alternate LNS IP address.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information for LNS Address Checking section. Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for LNS Address Checking
Information About LNS Address Checking
Configuring LNS Address Checking
Configuration Examples for LNS Address Checking
Additional References
Command Reference
Feature Information for LNS Address Checking
Prerequisites for LNS Address Checking

Before you can configure the LNS Address Checking feature, you must configure a VPDN deployment. For an overview of VPDN deployments, refer to the VPDN Technology Overview module.

Information About LNS Address Checking

To configure the LNS Address Checking feature, you should understand the following concepts:

Benefits of LNS Address Checking
Using a RADIUS Server
Debugging Dropped Control Packets

Benefits of LNS Address Checking

The LNS Address Checking feature allows a LAC to verify, during the setup of an L2TP tunnel, the IP address of the LNS that is sending traffic to it. This provides a check that uplink and downlink traffic for the tunnel are not arriving from different interfaces. The benefit of the feature is avoiding the loss of revenue from users sending return traffic through an alternate network.

Using a RADIUS Server

Use the Cisco attribute-value pair (AVP), downloaded from a RADIUS server during authentication, to enable IP address checking at the LAC. The Cisco AVP is:

l2tp-security-ip-address-check=yes

The following RADIUS profile example shows LNS address checking enabled:

example.com Password=example Service-Type=Outbound
    Cisco-Avpair=vpdn:tunnel-id=tunnel
    Cisco-Avpair=vpdn:tunnel-type=l2tp
    Cisco-Avpair=vpdn:ip-address=10.10.10.1
    Cisco-Avpair=vpdn:l2tp-tunnel-password=example
    Cisco-Avpair=vpdn:l2tp-security-ip-address-check=yes

Debugging Dropped Control Packets

Use the LNS Address Checking feature together with debugging to troubleshoot dropped control packets. If you configure the debug vpdn l2x-errors command, an informational message is displayed for each control packet that is dropped, in the following format:

Tnl <tunnel-id> L2TP: Drop <L2TP-packet-name> from y.y.y.y (attempted) x.x.x.x
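The check described under Benefits, and the drop message described under Debugging Dropped Control Packets, modelled in Python as an added example. This is not Cisco IOS code and is not part of the original document: it builds and parses minimal L2TPv2 control messages per RFC 2661 (header plus Message Type and Assigned Tunnel ID AVPs), then has a simulated LAC compare the source address of the SCCRP with the address its SCCRQ was sent to. The class and function names, the constructed datagrams and addresses, and the reading of which address in the debug line is the real source and which is the attempted one are all assumptions.

```python
"""LAC-side LNS address check over L2TPv2 control messages (RFC 2661)."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Control message types and the two AVPs this model uses (RFC 2661, sections 4 and 6).
SCCRQ, SCCRP, SCCCN, STOPCCN = 1, 2, 3, 4
MSG_NAMES = {SCCRQ: "SCCRQ", SCCRP: "SCCRP", SCCCN: "SCCCN", STOPCCN: "StopCCN"}
AVP_MESSAGE_TYPE, AVP_ASSIGNED_TUNNEL_ID = 0, 9
CTRL_FLAGS_V2 = 0xC802  # T=1 (control), L=1, S=1, Ver=2


def avp(attr_type: int, value: bytes, mandatory: bool = True) -> bytes:
    """Encode one AVP: M/H/length word, vendor ID 0 (IETF), attribute type, value."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr_type) + value


def build_control(msg_type: int, tunnel_id: int, ns: int, nr: int, assigned_tid: int) -> bytes:
    """Minimal control message: 12-byte header, Message Type AVP, Assigned Tunnel ID AVP."""
    avps = avp(AVP_MESSAGE_TYPE, struct.pack("!H", msg_type))
    avps += avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", assigned_tid))
    header = struct.pack("!HHHHHH", CTRL_FLAGS_V2, 12 + len(avps), tunnel_id, 0, ns, nr)
    return header + avps


def parse_control(datagram: bytes) -> Dict:
    """Parse header and AVPs; reject anything that is not a well-formed v2 control message."""
    if len(datagram) < 12:
        raise ValueError("truncated L2TP header")
    flags, length, tunnel_id, _session_id, ns, nr = struct.unpack("!HHHHHH", datagram[:12])
    if not flags & 0x8000 or flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 control message")
    if length != len(datagram):
        raise ValueError("length field does not match datagram size")
    avps, offset = {}, 12
    while offset < length:
        if offset + 6 > length:
            raise ValueError("truncated AVP header")
        mhlen, vendor, attr = struct.unpack("!HHH", datagram[offset:offset + 6])
        avp_len = mhlen & 0x03FF
        if avp_len < 6 or offset + avp_len > length:
            raise ValueError("malformed AVP length")
        avps[(vendor, attr)] = datagram[offset + 6:offset + avp_len]
        offset += avp_len
    if (0, AVP_MESSAGE_TYPE) not in avps:
        raise ValueError("Message Type AVP missing")
    msg_type = struct.unpack("!H", avps[(0, AVP_MESSAGE_TYPE)])[0]
    return {"type": msg_type, "tunnel_id": tunnel_id, "ns": ns, "nr": nr, "avps": avps}


@dataclass
class LacTunnel:
    """State a LAC keeps for one tunnel it is bringing up toward an LNS (hypothetical model)."""
    local_tid: int
    lns_ip: str                      # address the SCCRQ is sent to (initiate-to ip ...)
    address_check: bool = True       # l2tp security ip address-check configured?
    remote_tid: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def send_sccrq(self) -> bytes:
        # Remote tunnel ID is 0 until the LNS assigns one in its SCCRP.
        return build_control(SCCRQ, 0, 0, 0, self.local_tid)

    def receive(self, src_ip: str, datagram: bytes) -> bool:
        """Apply the address check to an inbound control packet; returns True if accepted."""
        msg = parse_control(datagram)
        name = MSG_NAMES.get(msg["type"], f"type{msg['type']}")
        if self.address_check and src_ip != self.lns_ip:
            # Same shape as the debug line quoted on this page. Treating the real source
            # address as "from" and the configured LNS address as "(attempted)" is an
            # assumption; the page does not say which is which.
            self.log.append(f"Tnl {self.local_tid} L2TP: Drop {name} from {src_ip} "
                            f"(attempted) {self.lns_ip}")
            return False
        if msg["type"] == SCCRP:
            self.remote_tid = struct.unpack("!H", msg["avps"][(0, AVP_ASSIGNED_TUNNEL_ID)])[0]
        return True


def demo() -> List[str]:
    """LNS answers from an alternate address: a checked LAC drops, an unchecked LAC accepts."""
    checked = LacTunnel(local_tid=7, lns_ip="10.10.10.1")
    unchecked = LacTunnel(local_tid=8, lns_ip="10.10.10.1", address_check=False)
    checked.receive("10.10.10.2", build_control(SCCRP, 7, 0, 1, assigned_tid=42))   # constructed
    unchecked.receive("10.10.10.2", build_control(SCCRP, 8, 0, 1, assigned_tid=43))  # constructed
    return checked.log + [f"unchecked LAC accepted SCCRP, remote tunnel id {unchecked.remote_tid}"]


if __name__ == "__main__":
    print("\n".join(demo()))
```

The unchecked tunnel shows the condition the feature exists for: without the check, the LAC completes the control connection with whatever address answered, and the tunnel's downlink then runs through a peer the LAC never chose.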
Configuring LNS Address Checking

To configure the LNS Address Checking feature, follow this procedure.

SUMMARY STEPS

1. enable
2. configure terminal
3. vpdn enable
4. vpdn-group <vpdn-group-name>
5. l2tp security ip address-check
6. exit

DETAILED STEPS

Step 1  enable
        Router> enable
        Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal
        Router# configure terminal
        Enters global configuration mode.

Step 3  vpdn enable
        Router(config)# vpdn enable
        Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database or on a remote authorization server (home gateway), if one is present.

Step 4  vpdn-group <vpdn-group-name>
        Router(config)# vpdn-group example
        Creates a VPDN group and associates a name with it.

Step 5  l2tp security ip address-check
        Router(config-vpdn)# l2tp security ip address-check
        Configures the LAC to compare the IP address from which the inbound SCCRP arrives with the IP address to which the outbound SCCRQ was sent, to ensure they are identical. If the IP addresses do not match, the L2TP tunnel is not established.

Step 6  exit
        Router(config-vpdn)# exit
        Exits VPDN group configuration mode.
Configuration Examples for LNS Address Checking

Example

The following example shows the configuration for the LNS Address Checking feature.

Router> enable
Router# configure terminal
Router(config)# vpdn enable
Router(config)# vpdn-group example
Router(config-vpdn)# l2tp security ip address-check

The following shows an example configuration for the client router.

hostname Client
enable password example
no aaa new-model
vpdn enable
bba-group pppoe 1
 virtual-template 1
interface <interface toward LAC>
 pppoe enable group 1
interface Virtual-Template 1
 ip unnumbered <interface>
 ppp pap sent-username <user>@example.com password <password>
end

The following shows an example configuration for the LAC. The l2tp security ip address-check command is placed in the VPDN group that initiates the tunnel to LNS 1.

hostname LAC
enable password example
no aaa new-model
vpdn enable
vpdn-group 1
 request-dialin
  protocol l2tp
  domain example.com
 initiate-to ip <lns 1 IP address>
 l2tp tunnel password 0 example
 ! Check that the SCCRP from LNS 1 arrives from the initiate-to address
 l2tp security ip address-check
bba-group pppoe 1
 virtual-template 1
interface Virtual-Template 1
 no ip address
 ppp authentication pap
interface <interface>
 pppoe enable group 1
end

The following shows an example configuration for LNS 1. LNS 1 terminates the tunnel from the LAC (vpdn-group 1) and initiates a further tunnel toward LNS 2 (vpdn-group 2). The aaa new-model command is required before aaa authentication commands are accepted.

hostname LNS1
enable password example
aaa new-model
aaa authentication ppp default local
vpdn enable
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp tunnel password 0 example
vpdn-group 2
 request-dialin
  protocol l2tp
  domain example.com
 initiate-to ip <lns 2 IP address>
 l2tp tunnel password 0 example
interface Virtual-Template 1
 ip unnumbered <interface>
 ppp authentication pap
end
Additional References

The following sections provide references related to the LNS Address Checking feature.

Related Documents

Related Topic: L2TP
Document Title: Layer 2 Tunnel Protocol Technology Brief

Standards

None

MIBs

No new or modified MIBs are listed. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFC 2661: Layer Two Tunneling Protocol (L2TP)

Technical Assistance

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register on Cisco.com.
Link: http://www.cisco.com/techsupport
Command Reference

The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS VPDN Command Reference at http://www.cisco.com/en/us/docs/ios/vpdn/command/reference/vpd_book.html. For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/support/clilookup or the Cisco IOS Master Command List, All Releases, at http://www.cisco.com/en/us/docs/ios/mcl/allreleasemcl/all_book.html.

l2tp security ip address-check
l2tp security ip address-check

To enable checking of the IP address from which an L2TP Network Server (LNS) replies before an L2TP tunnel is set up from the L2TP Access Concentrator (LAC) to that LNS, use the l2tp security ip address-check command in VPDN group configuration mode. To disable the check, use the no form of this command.

l2tp security ip address-check
no l2tp security ip address-check

Syntax Description

This command has no arguments or keywords.

Command Default

The command is disabled.

Command Modes

VPDN group configuration (config-vpdn)

Command History

12.2(31)ZV: This command was introduced.
12.2(34)SB: This command was integrated into Cisco IOS Release 12.2(34)SB.

Usage Guidelines

Use the l2tp security ip address-check command to enable or disable, on the LAC, the comparison of the transport IP address from which the LNS replies with the IP address to which the LAC sent its request, before the L2TP tunnel is set up. Once enabled, the LAC checks, before establishing an L2TP tunnel, that the IP address from which the Start Control Connection Reply (SCCRP) arrives is identical to the IP address to which the Start Control Connection Request (SCCRQ) was sent. If these IP addresses do not match, the L2TP tunnel is not established.

You can use the debug vpdn l2x-errors command in conjunction with the l2tp security ip address-check command to display an informational message for each control packet that is dropped.

Examples

The following example shows how to enable verification of the incoming transport IP address of an LNS against the IP address the LAC sent its request to:

Router> enable
Router# configure terminal
Router(config)# vpdn enable
Router(config)# vpdn-group example
Router(config-vpdn)# l2tp security ip address-check

Related Commands

debug vpdn l2x-errors: Displays a message for each control packet dropped.
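A small triage script for the drop messages that debug vpdn l2x-errors emits when this command is active, covering the format given in the Debugging Dropped Control Packets section and in the usage guidelines above. This is an added example, not Cisco code and not part of the original document. The debug output is constructed, not captured; the leading timestamps are what service timestamps debug would add and are an assumption about the surrounding line, and the two non-Drop filler lines are invented and do not claim to reproduce any real IOS debug format.

```python
"""Summarise Drop lines from debug vpdn l2x-errors output (hypothetical triage helper)."""
import re
from collections import defaultdict
from typing import Dict, List

# Pattern taken from the debug line quoted on this page; re.search lets any prefix
# (timestamp, sequence number) precede it.
DROP_RE = re.compile(
    r"Tnl (?P<tid>\d+) L2TP: Drop (?P<msg>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(attempted\) (?P<expected>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample (not captured router output): two replies from one alternate
# address, one from a second alternate, and two unrelated debug lines to be ignored.
SAMPLE_DEBUG = """\
*Aug 28 10:15:01.101: Tnl 7 L2TP: Drop SCCRP from 10.10.10.2 (attempted) 10.10.10.1
*Aug 28 10:15:03.105: Tnl 7 L2TP: Drop SCCRP from 10.10.10.2 (attempted) 10.10.10.1
*Aug 28 10:15:04.009: Tnl 9 L2TP: Drop SCCRP from 192.0.2.77 (attempted) 10.10.10.1
*Aug 28 10:15:05.220: Tnl 11 L2TP: sending SCCRQ (filler line, invented)
*Aug 28 10:15:06.300: Tnl 11 L2TP: received SCCRP from 10.10.10.5 (filler line, invented)
"""


def parse_drops(text: str) -> List[Dict]:
    """Return one record per Drop line; every other line is ignored."""
    drops = []
    for line in text.splitlines():
        match = DROP_RE.search(line)
        if match:
            record = match.groupdict()
            record["tid"] = int(record["tid"])
            drops.append(record)
    return drops


def alternate_sources(drops: List[Dict]) -> Dict[str, List[str]]:
    """Map each attempted (configured) LNS address to the sorted set of addresses that answered for it."""
    seen = defaultdict(set)
    for d in drops:
        seen[d["expected"]].add(d["src"])
    return {lns: sorted(srcs) for lns, srcs in seen.items()}


def report(text: str) -> List[str]:
    """Human-readable summary: total drops, then which alternate addresses replied for which LNS."""
    drops = parse_drops(text)
    lines = [f"{len(drops)} control packet(s) dropped by LNS address checking"]
    for lns, srcs in sorted(alternate_sources(drops).items()):
        tunnels = sorted({d["tid"] for d in drops if d["expected"] == lns})
        lines.append(f"  initiate-to {lns}: replies seen from {', '.join(srcs)} "
                     f"on tunnel(s) {', '.join(map(str, tunnels))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DEBUG)))
```

A single alternate address answering for a configured LNS usually points at asymmetric routing or NAT on the LNS side; several different alternates for the same LNS are worth raising with the peer, since each one is a path that would have carried the tunnel had the check been disabled.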
Feature Information for LNS Address Checking

Table 1 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

Table 1  Feature Information for LNS Address Checking

Feature Name: LNS Address Checking
Releases: 12.2(34)SB, 12.2(31)ZV
Feature Information: Allows an L2TP Access Concentrator (LAC) receiving data from an L2TP Network Server (LNS) to check the IP address of the LNS prior to establishing an L2TP tunnel. The following command was introduced by this feature: l2tp security ip address-check.

Feature Name: Modified LNS Dead-Cache Handling
Releases: 12.2(34)SB, 12.2(31)ZV
Feature Information: Displays and clears (restarts) any LNS entry in a dead-cache (DOWN) state. The following commands were introduced by this feature: clear vpdn dead-cache and show vpdn dead-cache. The following commands were modified by this feature: snmp-server enable traps and vpdn logging.

Feature Name: VPDN Extended Failover
Releases: 12.2(34)SB, 12.2(31)ZV
Feature Information: Enables a failover with an LNS if the LNS receives a valid L2TP CDN or StopCCN message before the LNS establishes a session.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

2008 Cisco Systems, Inc. All rights reserved.