Detailed Scenario for Access VPDN Dial-in Using L2TP
This detailed scenario describes how a large ISP partners with a medium-sized service provider and an enterprise customer to implement an access VPDN dial-in network that uses L2TP as the tunneling protocol The following sections provide specific details about the access VPDN network shown in Figure 4:
•Designing the Access VPDN Network
•Configuring the Access VPDN Network
•Verifying that the Access VPDN Network Functions Properly
Figure 4 Access VPDN Network Topology
Designing the Access VPDN Network
The following sections describe how the partners design the access VPDN network:
VPDN Services Questionnaire
To begin planning the L2TP network, the service provider and enterprise complete a VPDN services questionnaire. The ISP uses the information from this questionnaire to design the L2TP network. Table 1 lists the design questions and the customer responses.
Network Requirements
Based on the design choices in Table 1, the ISP determines that the partners will require the equipment and services described in Table 2.
IP Address Space
Before the partners configure the networks, the ISP prepares Table 3 to document all of the involved networks and subnets. This table should be posted in the network operations centers (NOCs) of each partner for easy reference.
Device Characteristics
Table 4 lists the characteristics for the partner devices. This table should be posted in the NOCs of the partners for easy reference.
Roles and Resources
Table 5 describes the partner roles and resources for the VPDN network.
Configuring the Access VPDN Network
To configure the L2TP network, the partners perform the following tasks:
Step 1 Configuring ISP-LAC-1 for Local AAA:
a. Configuring basic settings
b. Commissioning the T1 controllers
c. Configuring the serial channels
d. Configuring the modems and asynchronous lines
e. Configuring the group-asynchronous interface
f. Configuring the VPDN groups
Step 2 Configuring ISP-RTR-1 to Forward L2TP Sessions:
a. Configuring basic settings
b. Configuring the serial interfaces
c. Configuring static routes
Step 3 Configuring SER-LNS-1 for Local AAA:
a. Configuring basic settings
b. Configuring the VPDN group
c. Configuring the virtual template
d. Specifying the IP address pool
Step 4 Configuring ENT-LNS-1 for Local AAA:
a. Configuring basic settings
b. Configuring the VPDN group
c. Configuring the virtual template
d. Specifying the IP address pool
Configuring ISP-LAC-1 for Local AAA
ISP-LAC-1 is a Cisco AS5300 access server maintained by the ISP. In the access VPDN network, its function is to receive dial-in calls, negotiate L2TP tunnels with the LNSs, and forward the calls on to ISP-RTR-1, which then forwards the calls to the appropriate LNS.
!
!Identifies the version of Cisco IOS software running on the LAC version 12.1
!Includes millisecond timestamps on log and debug entries that are useful for !troubleshooting and optimizing the network service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!Specifies that passwords will not be encrypted in configuration output. This is useful !when first configuring a network, but is a security risk when the network is !operational. no service password-encryption
!
!Configures the hostname for the LAC. hostname ISP-LAC-1
!
!Retains 100000 bytes of debug output in the internal log buffer logging buffered 100000 debugging
!
!Configures AAA on the LAC. Specifies that the LAC will authenticate and authorize VPDN !tunnels locally using the local user database. aaa new-model
aaa authentication ppp default local
aaa authorization network default local
!Configures the enable password enable password cisco
!
!Configures the network administrator username and password. Because the ISP configures !an L2TP tunnel password in the VPDN groups, it does not need to configure VPDN tunnel !secrets as usernames. username jane-admin password 0 cisco
spe 1/0 1/9
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
!
!
!
!
!Configures the timezone and Daylight Savings Time adjustment. clock timezone PST -8
clock summer-time PDT recurring
!Instructs the LAC to use its internal hardware clock to set the software clock when the !router reloads. clock calendar-valid
!Allows for the configuration of the first subnet in each classfull network. ip subnet-zero
!
!Turns on VPDN. vpdn enable
!Instructs the LAC to first attempt to tunnel VPDN calls based on the user domain name, !and to then attempt to tunnel based on the DNIS number if the user does not have a !domain name. vpdn search-order domain dnis
!
!This is the VPDN group for the service provider. vpdn-group 1
!Configures a request dial-in VPDN subgroup. request-dialin
!Configures L2TP as the tunnel protocol. protocol l2tp
!Specifies that users with the domain name service.com will be tunneled by this VPDN !group. domain service.com
!Specifies the IP address of the service provider LNS. The priority keyword is only !necessary if the service provider had multiple LNSs. To equally share the load of calls !between all the LNSs, each IP address would be given the same priority number. To !specify an LNS as a backup, it would be given a higher priority number. initiate-to ip 192.168.48.1 priority 1
!Configures the local name that the ISP will use to identify itself for L2TP tunnel !authentication with the service provider LNS. If the ISP expands to a stacked-LAC !environment, it will need to use the same local name on all of the LACs. local name ISP-LAC-1
!Configures the L2TP tunnel password that is used to authenticate L2TP tunnels with !SER-LNS-1. Both tunnel endpoints must have the same L2TP tunnel password configured. l2tp tunnel password 7 tunnel4me
!
!This is the VPDN group for the service provider. vpdn-group 2
!Configures a request dial-in VPDN subgroup. request-dialin
!Configures L2TP as the tunnel protocol. protocol l2tp
!Specifies that users with the domain name enterprise.com will be tunneled by this VPDN !group.
domain enterprise.com
!Specifies the IP address of the enterprise LNS. The priority keyword is only necessary !if the enterprise had multiple LNSs. To equally share the load of calls between all the !LNSs, each IP address would be given the same priority number. To specify an LNS as a !backup, it would be given a higher priority number. initiate-to ip 172.22.64.1 priority 1
!Configures the local name that the ISP will use to identify itself for L2TP tunnel !authentication with the enterprise LNS. If the ISP expands to a stacked-LAC environment, it will need to use the same local name on all of the LACs. local name ISP-LAC-1
!Configures the L2TP tunnel password that is used to authenticate L2TP tunnels with
!ENT-LNS-1. Both tunnel endpoints must have the same L2TP tunnel password configured.
l2tp tunnel password 7 tunnel4me
!
!Configures the IP addresses of DNS servers that translate hostnames to IP addresses. async-bootp dns-server 171.68.10.70 171.68.10.140
!Configures the telco switch type. When the switch type is configured in global !configuration mode, it is automatically propagated into the individual serial !interfaces. isdn switch-type primary-5ess
cns event-service server
mta receive maximum-recipients 0
!
!
!
!
controller T1 0
!Configures the T1 framing type as super frame (ESF). framing esf
!Configures the LAC to gets its primary clocking from T1 controller 0. clock source line primary
!Configures the T1 line code type as B8ZS. linecode b8zs
!Assigns all 24 T1 timeslots as ISDN PRI channels and creates a D-channel serial !interface (Serial interface 0:23). Individual B-channel serial interfaces are also !created (Serial interfaces 0:0 through 0:22), but they are not shown in the !configuration. pri-group timeslots 1-24
!
!The same configuration on controller T1 0 is applied to the three remaining controllers. !The only exception is that the they are configured to be secondary clocking resources. controller T1 1
framing esf
clock source line secondary 1
linecode b8zs
pri-group timeslots 1-24
!
controller T1 2
framing esf
clock source line secondary 2
linecode b8zs
pri-group timeslots 1-24
!
controller T1 3
framing esf
clock source line secondary 3
linecode b8zs
pri-group timeslots 1-24
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
!Serial interface 0:23 is the D channel that corresponds to controller T1 0. The behavior !of the B-channel serial interfaces (0:0 through 0:22) is controlled by the configuration !of Serial interface 0:23. interface Serial0:23
!Specifies that the interface does not require an IP address. no ip address
encapsulation ppp
ip mroute-cache
dialer-group 1
!This command is automatically configured on all of the serial interfaces by the isdn !switch-type global configuration mode command. isdn switch-type primary-5ess
!Specifies that analog modem voice calls coming in through the B channels to be connected !to the integrated modems. isdn incoming-voice modem
fair-queue 64 256 0
ppp authentication chap pap
ppp multilink
!
!The same configuration on Serial interface 0:23 is applied to the other three D channels !(Serial interfaces 1:23, 2:23, and 3:23). interface Serial1:23
no ip address
encapsulation ppp
ip mroute-cache
dialer-group 1
isdn switch-type primary-5ess
isdn incoming-voice modem
fair-queue 64 256 0
ppp authentication chap pap
ppp multilink
!
interface Serial2:23
no ip address
encapsulation ppp
ip mroute-cache
dialer-group 1
isdn switch-type primary-5ess
isdn incoming-voice modem
fair-queue 64 256 0
ppp authentication chap pap
ppp multilink
!
interface Serial3:23
no ip address
encapsulation ppp
ip mroute-cache
dialer-group 1
isdn switch-type primary-5ess
isdn incoming-voice modem
fair-queue 64 256 0
ppp authentication chap pap
ppp multilink
!
!Configures the Fast Ethernet interface that is used to forward VPDN traffic to !ISP-RTR-1, which then forwards VPDN traffic on to the LNSs. interface FastEthernet0
description to ISP-RTR-1 for forwarding of VPDN traffic
ip address 172.22.16.1 255.255.240.0
duplex full
speed 100
!
!Configures the group-asynchronous interface that controls the configuration of all !asynchronous interfaces on the LAC.
interface Group-Async1
!Specifies that the asynchronous interfaces will use the IP address of FastEthernet0. ip unnumbered FastEthernet0
!Enables PPP. encapsulation ppp
!Configures interactive mode on the asynchronous interfaces. Interactive mode allows for !dial-in clients to either receive a router prompt or establish a PPP session, as opposed !to dedicated mode, which only allows dial-in clients to establish PPP sessions. async mode interactive
!Specifies the range of asynchronous interfaces that are included in the group. group-range 1 60
!
ip default-gateway 172.22.16.9
ip classless
ip route 0.0.0.0 0.0.0.0 172.22.16.9
no ip http server
!
!
!
!
line con 0
transport input none
!Specifies the range of modems. line 1 60
!The following two autoselect commands relate to the interactive mode on the asynchronous !interfaces. !Displays the username:password prompt as the modems connect. autoselect during-login
!Enables PPP dial-in clients to bypass the EXEC prompt and automatically start PPP. autoselect ppp
!Enables support for both incoming and outgoing modem calls. modem InOut
!Specifies which protocols can be used for outgoing connections from these lines. transport output pad telnet rlogin udptn v120 lapb-ta
line aux 0
line vty 0 4
password cisco
!
!The Network Time Protocol (NTP) clock-period is automatically updated by the NTP server. ntp clock-period 17179843
!Configures NTP to periodically update the LAC hardware calendar. ntp update-calendar
!Specifies the IP address of the NTP server. In this network, ISP-RTR-1 is the NTP server !for all of the devices in the network. This ensures that all of the devices will be !synchronized. ntp server 172.22.16.9
end
Configuring ISP-RTR-1 to Forward L2TP Sessions
ISP-RTR-1 is a Cisco 7206 router maintained by the ISP. In the access VPDN network, its function is to forward VPDN traffic from ISP-LAC-1 to SER-LNS-1 and ENT-LNS-1. Two serial interfaces are dedicated to forwarding VPDN traffic, and static routes are configured to the service provider and enterprise networks.
!
!Identifies the version of Cisco IOS software running on the LAC version 12.1
!Includes millisecond timestamps on log and debug entries that are useful for !troubleshooting and optimizing the network service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!Specifies that passwords will not be encrypted in configuration output. This is useful !when first configuring a network, but is a security risk when the network is !operational. no service password-encryption
!
!Configures the hostname of the forwarding router. hostname ISP-RTR-1
!
!Retains 100000 bytes of debug output in the internal log buffer. logging buffered 100000 debugging
!Configures local login authentication. aaa new-model
aaa authentication login default local
!Configures the enable password enable password cisco
!
!Configures the network administrator username and password. username jane-admin password 0 cisco
!
!
!
!Configures the timezone and Daylight Savings Time adjustment. clock timezone PST -8
clock summer-time PDT recurring
!Instructs the LAC to use its internal hardware clock to set the software clock when the !router reloads. clock calendar-valid
!Allows for the configuration of the first subnet in each classfull network. ip subnet-zero
no ip domain-lookup
!
!Configures the IP addresses of DNS servers that translate hostnames to IP addresses. async-bootp dns-server 171.68.10.70 171.68.10.140
!
!
cns event-service server
!
!
!
!
!
!Configures the IP address for interface Fast Ethernet 0/0, which is used to forward all !VPDN traffic. interface FastEthernet0/0
ip address 172.22.16.9 255.255.240.0
full-duplex
!
!This interface is dedicated to forwarding VPDN traffic to the service provider network. interface Serial2/0
description to SER-LNS-1
ip unnumbered FastEthernet0/0
clockrate 2015232
!
!This interface is dedicated to forwarding VPDN traffic to the enterprise network. interface Serial2/1
description to ENT-LNS-1
ip unnumbered FastEthernet0/0
clockrate 2015232
!
interface Serial2/2
no ip address
shutdown
!
interface Serial2/3
no ip address
shutdown
!
ip classless
!This static route is to the enterprise device subnet. ip route 172.22.64.0 255.255.240.0 Serial2/1
!This static route is to the enterprise IP address pool subnet. ip route 172.22.129.0 255.255.255.0 Serial2/1
!This static route is to the service provider device subnet. ip route 192.168.48.0 255.255.255.0 Serial2/0
!This static route is to the service provider IP address pool subnet. ip route 192.168.49.0 255.255.255.0 Serial2/0
no ip http server
!
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
!
!Configures ISP-RTR-1 to be the NTP master for the network. This means that ISP-RTR-1 !synchronizes the calendars of all of the devices on the network. ntp master
!Configures NTP to periodically update the LAC hardware calendar. ntp update-calendar
end
Configuring SER-LNS-1 for Local AAA
SER-LNS-1 is a Cisco 7206 router owned and maintained by the service provider. In the access VPDN network, its function is to terminate VPDN tunnels from ISP-LAC-1 and negotiate VPDN sessions with long-distance dial-in users of the service provider.
!Identifies the version of Cisco IOS software running on the LAC version 12.1
!Includes millisecond timestamps on log and debug entries that are useful for !troubleshooting and optimizing the network service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!Specifies that passwords will not be encrypted in configuration output. This is useful !when first configuring a network, but is a security risk when the network is !operational. no service password-encryption
!
!Configures the hostname of the router. hostname SER-LNS-1
!
!Retains 100000 bytes of debug output in the internal log buffer logging buffered 100000 debugging
!
!Configures AAA on the LNS. Specifies that the LNS will authenticate and authorize VPDN !tunnels and users locally using the local user database. aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!Configures the enable password enable password cisco
!
!Configures username and password for the network administrator. username jane-admin password 7 pass2me
!Configures the username and password for the VPDN test user. username ser-test-1@service.com password 7 ser-pass-1
!
!
!
!Configures the timezone and Daylight Savings Time adjustment. clock timezone PST -8
clock summer-time PDT recurring
!Instructs the LNS to use its internal hardware clock to set the software clock when the !router reloads. clock calendar-valid
!Allows for the configuration of the first subnet in each classfull network. ip subnet-zero
ip name-server 171.68.10.70
!
!Turns on VPDN. vpdn enable
!
!Creates the VPDN group for the LNS. vpdn-group 1
!Creates an accept dial-in VPDN subgroup. accept-dialin
!Specifies L2TP as the tunneling protocol. protocol l2tp
!Instructs the LNS to clone virtual access interfaces for VPDN sessions from virtual !template 1. virtual-template 1
!Specifies that this VPDN group will negotiate L2TP tunnels with LACs that identify !themselves with the local name ISP-LAC-1. terminate-from hostname ISP-LAC-1
!Configures the L2TP tunnel password that is used to authenticate L2TP tunnels with !ISP-LAC-1. Both tunnel endpoints must have the same L2TP tunnel password configured. l2tp tunnel password 7 tunnel4me
!Instructs the LNS to use the IP address of Fast Ethernet interface 0/0 for all traffic !for this VPDN group. This command should be used when the LNS has more than one IP !address configured on it. source-ip 192.168.48.1
!
!Configures the IP addresses of DNS servers that translate hostnames to IP addresses. async-bootp dns-server 172.23.1.10 172.23.2.10
!Configures the IP addresses of WINS servers that provide dynamic NetBIOS names that !Windows devices use to communicate without IP addresses. async-bootp nbns-server 172.23.1.11 172.23.2.11
!
!
cns event-service server
!
!
!
!
!
!Configures the IP address of FastEthernet 0/0, through which all VPDN traffic passes. interface FastEthernet0/0
ip address 192.168.48.1 255.255.255.0
media-type MII
full-duplex
!
interface Serial2/0
ip unnumbered FastEthernet0/0
!
interface Serial2/1
no ip address
shutdown
!
interface Serial2/2
no ip address
shutdown
!
interface Serial2/3
no ip address
shutdown
!
!Creates virtual template 1, which is used to clone virtual access interfaces for !incoming VPDN sessions. interface Virtual-Template1
!Specifies that the virtual access interfaces will use the IP address of Fast Ethernet
!interface 0/0. ip unnumbered FastEthernet0/0
!Instructs the LNS to assign an IP address to VPDN sessions from the default pool. peer default ip address pool default
!Enables CHAP authentication using the local username database. ppp authentication chap
!Enables PPP. encapsulation ppp
!
!Creates a pool of IP addresses that are assigned to incoming VPDN sessions. ip local pool default 192.168.49.1 192.168.49.126
ip classless
ip route 0.0.0.0 0.0.0.0 Serial2/0
no ip http server
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password 7 cisco
!The NTP clock-period is automatically updated by the NTP server. ntp clock-period 17179843
!Configures NTP to periodically update the LAC hardware calendar. ntp update-calendar
!Specifies the IP address of the NTP server. In this network, ISP-RTR-1 is the NTP server !for all of the devices in the network. This ensures that all of the devices will be !synchronized. ntp server 172.22.16.9
end
Configuring ENT-LNS-1 for Local AAA
ENT-LNS-1 is a Cisco 7206 router that the enterprise leases from the ISP. In the access VPDN network, its function is to terminate VPDN tunnels from ISP-LAC-1 and negotiate VPDN sessions with employees and partners of the enterprise that want to remotely access the enterprise network.
!Identifies the version of Cisco IOS software running on the LAC. version 12.1
!Includes millisecond timestamps on log and debug entries that are useful for !troubleshooting and optimizing the network. service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!Specifies that passwords will not be encrypted in configuration output. This is useful !when first configuring a network, but is a security risk when the network is !operational. no service password-encryption
!
!Configures the hostname of the router. hostname ENT-LNS-1
!
!Retains 100000 bytes of debug output in the internal log buffer. logging buffered 100000 debugging
!
!Configures AAA on the LNS. Specifies that the LNS will authenticate and authorize VPDN !tunnels and users locally using the local user database. aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!Configures the enable password. enable password cisco
!
!Configures username and password for the network administrator. username jane-admin password 7 pass2me
!Configures the username and password for the VPDN test user. username ent-pass-1@enterprise.com password 7 ent-pass-1
!
!
!
!
!Configures the timezone and Daylight Savings Time adjustment. clock timezone PST -8
clock summer-time PDT recurring
!Instructs the LNS to use its internal hardware clock to set the software clock when the !router reloads. clock calendar-valid
!Allows for the configuration of the first subnet in each classfull network. ip subnet-zero
ip name-server 171.68.10.70
!
!Turns on VPDN. vpdn enable
!
!Creates the VPDN group for the LNS. vpdn-group 1
!Creates an accept dial-in VPDN subgroup. accept-dialin
!Specifies L2TP as the tunneling protocol. protocol l2tp
!Instructs the LNS to clone virtual access interfaces for VPDN sessions from virtual !template 1. virtual-template 1
!Specifies that this VPDN group will negotiate L2TP tunnels with LACs that identify !themselves with the local name ISP-LAC-1. terminate-from hostname ISP-LAC-1
!Configures the L2TP tunnel password that is used to authenticate L2TP tunnels with !ISP-LAC-1. Both tunnel endpoints must have the same L2TP tunnel password configured. l2tp tunnel password 7 tunnel4me
!Instructs the LNS to use the IP address of Fast Ethernet interface 0/0 for all traffic !for this VPDN group. This command should be used when the LNS has more than one IP !address configured on it. source-ip 172.22.64.1
!
!Configures the IP addresses of DNS servers that translate hostnames to IP addresses. async-bootp dns-server 172.23.1.10 172.23.2.10
!Configures the IP addresses of WINS servers that provide dynamic NetBIOS names that !Windows devices use to communicate without IP addresses. async-bootp nbns-server 172.23.1.11 172.23.2.11
!
!
cns event-service server
!
!
!
!
!
!Configures the IP address of FastEthernet 0/0, through which all VPDN traffic passes. interface FastEthernet0/0
ip address 172.22.64.1 255.255.240.0
shutdown
media-type MII
full-duplex
!
interface Serial2/0
ip unnumbered FastEthernet0/0
no fair-queue
!
interface Serial2/1
no ip address
shutdown
!
interface Serial2/2
no ip address
shutdown
!
interface Serial2/3
no ip address
shutdown
!
interface FastEthernet3/0
no ip address
shutdown
half-duplex
!
!Creates virtual template 1, which is used to clone virtual access interfaces for !incoming VPDN sessions. interface Virtual-Template1
!Specifies that the virtual access interfaces will use the IP address of Fast Ethernet !interface 0/0. ip unnumbered FastEthernet0/0
!Instructs the LNS to assign an IP address to VPDN sessions from the default pool. peer default ip address pool default
!Enables CHAP authentication using the local username database. ppp authentication chap
!Enables PPP. encapsulation ppp
!
!Creates a pool of IP addresses that are assigned to incoming VPDN sessions. ip local pool default 172.22.128.1 172.22.128.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial2/0
no ip http server
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password 7 cisco
!
!The NTP clock-period is automatically updated by the NTP server. ntp clock-period 17179843
!Configures NTP to periodically update the LAC hardware calendar. ntp update-calendar
!Specifies the IP address of the NTP server. In this network, ISP-RTR-1 is the NTP server !for all of the devices in the network. This ensures that all of the devices will be !synchronized. ntp server 172.22.16.9
end
Verifying that the Access VPDN Network Functions Properly
When the partners have configured the network, they verify that it functions properly by performing the following tasks:
•Pinging the LNS from the Client
•Viewing VPDN Information on the LAC and LNS
The following sections show verification information for a session to the service provider network using the test username ser-test-1. When the partners have verified VPDN connectivity with the service provider network, they repeat the following steps to verify VPDN connectivity with the enterprise network.
Before you begin you should have the following applications open:
•Dialup utility on the dial-in client
•MS-DOS prompt on the dial-in client
•Telnet or console connection to ISP-LAC-1
•Telnet or console connection to SER-LNS-1
Dialing In to ISP-LAC-1
From the client, dialin to ISP-LAC-1 using a dialup utility. You will need to specify the following information in the dialup utility:
•username: ser-test-1@service.com
•password: ser-pass-1
•PRI telephone number: the PRI number assigned to the LAC
When ISP-LAC-1 receives the call, the following message appears on the console screen of ISP-LAC-1:
*May 16 21:35:52.595: %LINK-3-UPDOWN: Interface Async8, changed state to up
This message indicates that asynchronous interface has been assigned to the call and brought up, and that the modem has reached steady state.
Pinging the LNS from the Client
From the MS-DOS prompt on the client, enter ping 192.168.48.1, which is the IP address of SER-LNS-1, and verify that the client can successfully ping SER-LNS-1. The following messages show a successful ping:
Pinging 192.168.48.1 with 32 bytes of data:
Reply from 192.168.48.1: bytes=32 time=5ms TTL=244
Reply from 192.168.48.1: bytes=32 time=4ms TTL=244
Reply from 192.168.48.1: bytes=32 time=4ms TTL=244
Reply from 192.168.48.1: bytes=32 time=5ms TTL=244
Ping statistics for 192.168.48.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 5ms, Average = 4ms
Viewing VPDN Information on the LAC and LNS
On ISP-LAC-1, enter the show vpdn command to view information about the L2TP tunnel and session. The first line displays a summary of the active L2TP tunnels and sessions on ISP-LAC-1. The second two lines display information about the L2TP tunnel between ISP-LAC-1 and SER-LNS-1. The next two lines display information about the L2TP session for ser-test-1.
ISP-LAC-1# show vpdn
L2TP Tunnel and Session Information Total tunnels 1 sessions 1
LocID RemID Remote Name State Remote Address Port Sessions
8173 15991 SER-LNS-1 est 192.168.48.1 1701 1
LocID RemID TunID Intf Username State Last Chg Fastswitch
6 4 8173 As8 ser-test-1@se est 00:07:55 enabled
% No active L2F tunnels
On SER-LNS-1, enter the show caller command to view information about active sessions. The following output shows ser-test-1@service.com connected through virtual access interface 1 (listed as Vi1) for both PPP and L2TP service:
SER-LNS-1# show caller
Active Idle
Line User Service Time Time
con 0 jane-admin TTY 00:12:49 00:00:00
Vi1 ser-test-1@service.com \
PPP L2TP 00:02:46 00:00:04
On SER-LNS-1, enter the show caller user ser-test-1@service.com command to view detailed information about the L2TP session. The IP address of SER-LNS-1 is listed as the local IP address, and the IP address assigned to ser-test-1@service.com from the local IP address pool is listed as the remote IP address.
SER-LNS-1# show caller user ser-test-1@service.com
User: ser-test-1@service.com, line Vi1, service PPP L2TP
Active time 00:02:56, Idle time 00:00:04
Timeouts: Absolute Idle
Limits: - -
Disconnect in: - -
PPP: LCP Open, CHAP (<- AAA), IPCP
IP: Local 192.168.48.1, remote 192.168.49.1
VPDN: NAS ISP-LAC-1, MID 4, MID close-wait
HGW , NAS CLID 0, HGW CLID 0, tunnel open
Counts: 97 packets input, 7732 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun
85 packets output, 4510 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
On the Telnet or console connection to SER-LNS-1, enter the show interface virtual-access 1 command to display the following detailed information about the virtual access interface for ser-test-1@service.com:
SER-LNS-1# show interface virtual-access 1
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of FastEthernet0/0 (192.168.48.1)
MTU 1500 bytes, BW 49 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 5 seconds on reset
LCP Open
Open: IPCP
Last input 00:00:03, output never, output hang never
Last clearing of "show interface" counters 3d16h
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
80 packets input, 6304 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
68 packets output, 3671 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
On SER-LNS-1, enter the show vpdn session all command to view the following detailed information about the L2TP session for ser-test-1@service.com:
SER-LNS-1# show vpdn session all
L2TP Session Information Total tunnels 1 sessions 1
Call id 4 is up on tunnel id 15991
Remote tunnel name is ISP-LAC-1
Internet Address is 172.22.16.1
Session username is ser-test-1@service.com, state is established
Time since change 00:02:33, interface Vi1
Remote call id is 6
Fastswitching is enabled
74 packets sent, 85 received, 2443 bytes sent, 7654 received
Sequencing is on
Ss 74, Sr 85, Remote Ns 84, Remote Nr 74
0 out of order packets received
% No active L2F tunnels
On SER-LNS-1, enter the show vpdn tunnel all command to view the following detailed information about the L2TP tunnel:
SER-LNS-1# show vpdn tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 15991 is up, remote id is 8173, 1 active sessions
Tunnel state is established, time since change 00:02:44
Remote tunnel name is ISP-LAC-1
Internet Address 172.22.16.1, port 1701
Local tunnel name is SER-LNS-1
Internet Address 192.168.48.1, port 1701
78 packets sent, 89 received, 2471 bytes sent, 8009 received
Control Ns 2, Nr 4
Local RWS 3000 (default), Remote RWS 800
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 1
Total resends 0, ZLB ACKs sent 2
Current nosession queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Sessions disconnected due to lack of resources 0
On SER-LNS-1, enter the show ip local pool command to view information about the local IP address pool. The following output shows the range of IP addresses in the pool and that one of the IP addresses is in use:
SER-LNS-1# show ip local pool
Pool Begin End Free In use
default 192.168.49.1 192.168.49.126 125 1
On SER-LNS-1, enter the ping 192.168.49.1 command to verify that SER-LNS-1 can ping the client.
SER-LNS-1# ping 192.168.49.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.49.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/111/128 ms
SER-LNS-1#
Analyzing the Debug Output
The following sections contain comprehensive debug output for an L2TP tunnel and session that are created between ISP-LAC-1 and SER-LNS-1:
Debug Output on ISP-LAC-1
To view the following debug output, enable the following debug commands on ISP-LAC-1 and dial in to ISP-LAC-1 using username ser-test-1@service.com and password pass2me:
•debug isdn q931
•debug modem csm
•debug ppp authentication
•debug ppp negotiation
•debug vpdn event
•debug vpdn l2x-events
Note The portions of debug output that pertain to the descriptions are highlighted in bold.
The call is received:
*May 16 21:35:25.659: ISDN Se0:23: RX <- SETUP pd = 8 callref = 0x17
Bearer capability 0x8090A2 indicates that it is an analog call:
*May 16 21:35:25.659: Bearer Capability i = 0x8090A2
*May 16 21:35:25.659: Channel ID i = 0xA98393
*May 16 21:35:25.659: Called Party Number i = 0x80, '1123', Plan:Unknown
*May 16 21:35:25.659: VDEV_ALLOCATE: 1/7 is allocated
*May 16 21:35:25.663: ISDN Se0:23: TX -> CALL_PROC pd = 8 callref = 0x8017
*May 16 21:35:25.663: Channel ID i = 0xA98393
*May 16 21:35:25.663: EVENT_FROM_ISDN::dchan_idb=0x62171A04, call_id=0x1F, ces=1
bchan=0x12, event=0x1, cause=0x0
*May 16 21:35:25.663: EVENT_FROM_ISDN:(001F): DEV_INCALL at slot 1 and port 7
*May 16 21:35:25.663: CSM_PROC_IDLE: CSM_EVENT_ISDN_CALL at slot 1, port 7
These MICA technologies modem debug lines indicate that the call is sent to MICA modem 1/7:
*May 16 21:35:25.663: Mica Modem(1/7): Configure(0x1 = 0x0)
*May 16 21:35:25.663: Mica Modem(1/7): Configure(0x23 = 0x0)
*May 16 21:35:25.663: Mica Modem(1/7): Call Setup
*May 16 21:35:25.663: Enter csm_connect_pri_vdev function
*May 16 21:35:25.663: csm_connect_pri_vdev:tdm_allocate_bp_ts() call. BP TS all0
*May 16 21:35:25.663: ISDN Se0:23: TX -> ALERTING pd = 8 callref = 0x8017
*May 16 21:35:25.763: Mica Modem(1/7): State Transition to Call Setup
*May 16 21:35:25.763: Mica Modem(1/7): Went offhook
*May 16 21:35:25.763: CSM_PROC_IC2_RING: CSM_EVENT_MODEM_OFFHOOK at slot 1, port 7
*May 16 21:35:25.763: ISDN Se0:23: TX -> CONNECT pd = 8 callref = 0x8017
*May 16 21:35:25.819: ISDN Se0:23: RX <- CONNECT_ACK pd = 8 callref = 0x17
*May 16 21:35:25.823: ISDN Se0:23: CALL_PROGRESS: CALL_CONNECTED call id 0x1F, 0
*May 16 21:35:25.823: EVENT_FROM_ISDN::dchan_idb=0x62171A04, call_id=0x1F, ces=1
bchan=0x12, event=0x4, cause=0x0
*May 16 21:35:25.823: EVENT_FROM_ISDN:(001F): DEV_CONNECTED at slot 1 and port 7
*May 16 21:35:25.823: CSM_PROC_IC6_WAIT_FOR_CONNECT: CSM_EVENT_ISDN_CONNECTED at
slot 1 and port 7
*May 16 21:35:25.823: Mica Modem(1/7): Link Initiate
*May 16 21:35:26.903: Mica Modem(1/7): State Transition to Connect
*May 16 21:35:31.407: Mica Modem(1/7): State Transition to Link
*May 16 21:35:42.815: Mica Modem(1/7): State Transition to Trainup
*May 16 21:35:46.775: Mica Modem(1/7): State Transition to EC Negotiating
*May 16 21:35:47.375: Mica Modem(1/7): State Transition to Steady State
ISP-LAC-1 and the client have successfully negotiated, and asynchronous interface 8 is assigned to the call and brought up:
*May 16 21:35:52.595: %LINK-3-UPDOWN: Interface Async8, changed state to up
PPP negotiation begins on asynchronous interface 8 with Link Control Protocol (LCP) negotiation:
*May 16 21:35:52.595: As8 PPP: Treating connection as a dedicated line
*May 16 21:35:52.595: As8 PPP: Phase is ESTABLISHING, Active Open
*May 16 21:35:52.595: As8 LCP: O CONFREQ [Closed] id 1 len 25
*May 16 21:35:52.595: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
ISP-LAC-1 requires that the client authenticate with CHAP:
*May 16 21:35:52.595: As8 LCP: AuthProto CHAP (0x0305C22305)
*May 16 21:35:52.595: As8 LCP: MagicNumber 0x28C9DAF1 (0x050628C9DAF1)
*May 16 21:35:52.595: As8 LCP: PFC (0x0702)
*May 16 21:35:52.595: As8 LCP: ACFC (0x0802)
*May 16 21:35:53.471: As8 LCP: I CONFREQ [REQsent] id 3 len 23
*May 16 21:35:53.471: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
*May 16 21:35:53.471: As8 LCP: MagicNumber 0x3D675D0F (0x05063D675D0F)
*May 16 21:35:53.471: As8 LCP: PFC (0x0702)
*May 16 21:35:53.471: As8 LCP: ACFC (0x0802)
*May 16 21:35:53.471: As8 LCP: Callback 6 (0x0D0306)
ISP-LAC-1 rejects the client request for callback service, and the client then resends its request without the rejected callback option:
*May 16 21:35:53.475: As8 LCP: O CONFREJ [REQsent] id 3 len 7
*May 16 21:35:53.475: As8 LCP: Callback 6 (0x0D0306)
*May 16 21:35:54.595: As8 LCP: TIMEout: State REQsent
*May 16 21:35:54.595: As8 LCP: O CONFREQ [REQsent] id 2 len 25
*May 16 21:35:54.595: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
*May 16 21:35:54.595: As8 LCP: AuthProto CHAP (0x0305C22305)
*May 16 21:35:54.595: As8 LCP: MagicNumber 0x28C9DAF1 (0x050628C9DAF1)
*May 16 21:35:54.595: As8 LCP: PFC (0x0702)
*May 16 21:35:54.595: As8 LCP: ACFC (0x0802)
*May 16 21:35:54.703: As8 LCP: I CONFACK [REQsent] id 2 len 25
*May 16 21:35:54.703: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
*May 16 21:35:54.703: As8 LCP: AuthProto CHAP (0x0305C22305)
*May 16 21:35:54.707: As8 LCP: MagicNumber 0x28C9DAF1 (0x050628C9DAF1)
*May 16 21:35:54.707: As8 LCP: PFC (0x0702)
*May 16 21:35:54.707: As8 LCP: ACFC (0x0802)
*May 16 21:35:56.483: As8 LCP: I CONFREQ [ACKrcvd] id 4 len 23
*May 16 21:35:56.483: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
*May 16 21:35:56.483: As8 LCP: MagicNumber 0x3D675D0F (0x05063D675D0F)
*May 16 21:35:56.483: As8 LCP: PFC (0x0702)
*May 16 21:35:56.483: As8 LCP: ACFC (0x0802)
*May 16 21:35:56.483: As8 LCP: Callback 6 (0x0D0306)
*May 16 21:35:56.483: As8 LCP: O CONFREJ [ACKrcvd] id 4 len 7
*May 16 21:35:56.483: As8 LCP: Callback 6 (0x0D0306)
*May 16 21:35:56.579: As8 LCP: I CONFREQ [ACKrcvd] id 5 len 20
*May 16 21:35:56.579: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
*May 16 21:35:56.579: As8 LCP: MagicNumber 0x3D675D0F (0x05063D675D0F)
*May 16 21:35:56.579: As8 LCP: PFC (0x0702)
*May 16 21:35:56.579: As8 LCP: ACFC (0x0802)
*May 16 21:35:56.579: As8 LCP: O CONFACK [ACKrcvd] id 5 len 20
*May 16 21:35:56.579: As8 LCP: ACCM 0x000A0000 (0x0206000A0000)
*May 16 21:35:56.579: As8 LCP: MagicNumber 0x3D675D0F (0x05063D675D0F)
*May 16 21:35:56.579: As8 LCP: PFC (0x0702)
*May 16 21:35:56.579: As8 LCP: ACFC (0x0802)
LCP negotiation is complete:
*May 16 21:35:56.579: As8 LCP: State is Open
*May 16 21:35:56.579: As8 PPP: Phase is AUTHENTICATING, by this end
ISP-LAC-1 sends a CHAP challenge, and the client replies with a CHAP response:
*May 16 21:35:56.579: As8 CHAP: O CHALLENGE id 1 len 30 from "ISP-LAC-1"
*May 16 21:35:56.707: As8 CHAP: I RESPONSE id 1 len 40 from "ser-test-1@service.com"
*May 16 21:35:56.707: As8 PPP: Phase is FORWARDING
*May 16 21:35:56.707: As8 VPDN: Got DNIS string 1123
VPDN determines the domain name of the username and searches the VPDN groups for a matching domain name:
*May 16 21:35:56.707: As8 VPDN: Looking for tunnel -- service.com --
*May 16 21:35:56.707: As8 VPDN/ISP-LAC-1/1: Got tunnel info for service.com
*May 16 21:35:56.707: As8 VPDN/ISP-LAC-1/1: LAC ISP-LAC-1
*May 16 21:35:56.707: As8 VPDN/ISP-LAC-1/1: l2tp-busy-disconnect yes
ISP-LAC-1 sends the L2TP tunnel password to SER-LNS-1 at IP address 192.168.48.1:
*May 16 21:35:56.707: As8 VPDN/ISP-LAC-1/1: l2tp-tunnel-password xxxxxx
*May 16 21:35:56.707: As8 VPDN/ISP-LAC-1/1: IP 192.168.48.1
*May 16 21:35:56.711: As8 VPDN/1: curlvl 1 Address 0: 192.168.48.1, priority 1
*May 16 21:35:56.711: As8 VPDN/1: Select non-active address 192.168.48.1, priority 1
ISP-LAC-1 assigns the tunnel the local tunnel ID 8173.:
*May 16 21:35:56.711: Tnl 8173 L2TP: SM State idle
ISP-LAC-1 sends a Start-Control-Connection-Request (SCCRQ) message to SER-LNS-1 to begin L2TP tunnel negotiation:
*May 16 21:35:56.711: Tnl 8173 L2TP: O SCCRQ
*May 16 21:35:56.711: Tnl 8173 L2TP: Tunnel state change from idle to wait-ctl-reply
*May 16 21:35:56.711: Tnl 8173 L2TP: SM State wait-ctl-reply
*May 16 21:35:56.711: As8 VPDN: Find LNS process created
*May 16 21:35:56.711: As8 VPDN: Forward to address 192.168.48.1
*May 16 21:35:56.711: As8 VPDN: Pending
*May 16 21:35:56.711: As8 VPDN: Process created
ISP-LAC-1 receives a Start-Control-Connection-Reply (SCCRP) message from SER-LNS-1, which indicates that SER-LNS-1 received the SCCRQ message:
*May 16 21:35:56.715: Tnl 8173 L2TP: I SCCRP from SER-LNS-1
ISP-LAC-1 and SER-LNS-1 successfully authenticate their L2TP tunnel passwords, and ISP-LAC-1 changes the tunnel state to established:
*May 16 21:35:56.715: Tnl 8173 L2TP: Got a challenge from remote peer, SER-LNS-1
*May 16 21:35:56.715: Tnl 8173 L2TP: Got a response from remote peer, SER-LNS-1
*May 16 21:35:56.715: Tnl 8173 L2TP: Tunnel Authentication success
*May 16 21:35:56.715: Tnl 8173 L2TP: Tunnel state change from wait-ctl-reply to established
ISP-LAC-1 sends a Start-Control-Connection-Connected (SCCN) message to SER-LNS-1, which completes L2TP tunnel negotiation. This debug line also contains tunnel ID 15991 from SER-LNS-1 for this tunnel:
*May 16 21:35:56.715: Tnl 8173 L2TP: O SCCCN to SER-LNS-1 tnlid 15991
*May 16 21:35:56.715: Tnl 8173 L2TP: SM State established
*May 16 21:35:56.719: As8 VPDN: Forwarding...
*May 16 21:35:56.719: As8 VPDN: Bind interface direction=1
*May 16 21:35:56.719: Tnl/Cl 8173/6 L2TP: Session FS enabled
*May 16 21:35:56.719: Tnl/Cl 8173/6 L2TP: Session state change from idle to wait-for-tunnel
*May 16 21:35:56.719: As8 Tnl/Cl 8173/6 L2TP: Create session
*May 16 21:35:56.719: Tnl 8173 L2TP: SM State established
ISP-LAC-1 sends an Incoming-Call-Request (ICRQ) message to L2TP tunnel 15991 on SER-LNS-1, which begins L2TP session negotiation. ISP-LAC-1 assigns local session ID 6 to this session:
*May 16 21:35:56.719: As8 Tnl/Cl 8173/6 L2TP: O ICRQ to SER-LNS-1 15991/0
*May 16 21:35:56.719: As8 Tnl/Cl 8173/6 L2TP: Session state change from wait-for-tunnel
to wait-reply
ISP-LAC-1 has received an Incoming-Call-Reply (ICRP) message from SER-LNS-1 (not shown in the debug output), which indicates that it has accepted the ICRQ message:
*May 16 21:35:56.719: As8 VPDN: ser-test-1@service.com is forwarded
ISP-LAC-1 sends an Incoming-Call-Connected (ICCN) message to SER-LNS-1, which completes the L2TP session negotiation. SER-LNS-1 has assigned the local session ID 4 to this session:
*May 16 21:35:56.723: As8 Tnl/Cl 8173/6 L2TP: O ICCN to SER-LNS-1 15991/4
The L2TP session is now established, and the line protocol on asynchronous interface 8 is brought up.
*May 16 21:35:56.723: As8 Tnl/Cl 8173/6 L2TP: Session state change from wait-reply to
established
*May 16 21:35:57.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async8, changed state to up
*May 16 21:35:57.823: Mica Modem(1/7): State Transition to Steady State Speedshg
*May 16 21:35:59.083: Mica Modem(1/7): State Transition to Steady State
ISP-LAC-1#
Debug Output on SER-LNS-1
To view the following debug output, enable the following debug commands on SER-LNS-1 and dial in to ISP-LAC-1 using username ser-test-1@service.com and password pass2me:
•debug vpdn events
•debug vpdn l2x-events
•debug ppp negotiation
•debug ppp authentication
•debug vtemplate
SER-LNS-1 receives an SCCRQ message from ISP-LAC-1, which identifies the tunnel with ID 8173. SER-LNS-1 considers ID 8173 to be the remote ID and ISP-LAC-1 considers it to be the local ID:
May 16 21:38:02.313: L2TP: I SCCRQ from ISP-LAC-1 tnl 8173
SER-LNS-1 identifies this tunnel with the local ID 15991:
May 16 21:38:02.313: Tnl 15991 L2TP: Got a challenge in SCCRQ, ISP-LAC-1
May 16 21:38:02.313: Tnl 15991 L2TP: New tunnel created for remote ISP-LAC-1, address 172.22.16.1
SER-LNS-1 replies to ISP-LAC-1 with a SCCRP message:
May 16 21:38:02.313: Tnl 15991 L2TP: O SCCRP to ISP-LAC-1 tnlid 8173
May 16 21:38:02.313: Tnl 15991 L2TP: Tunnel state change from idle to wait-ctl-reply
SER-LNS-1 receives an SCCN message from ISP-LAC-1 containing its L2TP tunnel password. SER-LNS-1 successfully authenticates the tunnel and changes the tunnel state to established:
May 16 21:38:02.317: Tnl 15991 L2TP: I SCCCN from ISP-LAC-1 tnl 8173
May 16 21:38:02.317: Tnl 15991 L2TP: Got a Challenge Response in SCCCN from ISP-LAC-1
May 16 21:38:02.321: Tnl 15991 L2TP: Tunnel Authentication success
May 16 21:38:02.321: Tnl 15991 L2TP: Tunnel state change from wait-ctl-reply to established
May 16 21:38:02.321: Tnl 15991 L2TP: SM State established
SER-LNS-1 receives an ICRQ message from ISP-LAC-1. SER-LNS-1 assigns local session ID 4 to this session:
May 16 21:38:02.321: Tnl 15991 L2TP: I ICRQ from ISP-LAC-1 tnl 8173
May 16 21:38:02.321: Tnl/Cl 15991/4 L2TP: Session FS enabled
May 16 21:38:02.321: Tnl/Cl 15991/4 L2TP: Session state change from idle to wait-for-tunnel
May 16 21:38:02.321: Tnl/Cl 15991/4 L2TP: New session created
SER-LNS-1 replies with an ICRP message to ISP-LAC-1, and then receives an ICCN message confirming the session establishment:
May 16 21:38:02.321: Tnl/Cl 15991/4 L2TP: O ICRP to ISP-LAC-1 8173/6
May 16 21:38:02.325: Tnl/Cl 15991/4 L2TP: I ICCN from ISP-LAC-1 tnl 8173, cl 6
May 16 21:38:02.325: Tnl/Cl 15991/4 L2TP: Session state change from wait-connect to established
May 16 21:38:02.325: ser-test-1@service.comTnl/Cl 15991/4 L2TP: Session sequencing
SER-LNS-1 now creates a virtual access interface for the L2TP session. Virtual access interface 1 is reused:
May 16 21:38:02.325: Vt1 VTEMPLATE: Unable to create and clone vaccess
May 16 21:38:02.325: Vi1 VTEMPLATE: Reuse Vi1, recycle queue size 0
Virtual access interface 1 is assigned the MAC address 0090.ab09.c000:
May 16 21:38:02.325: Vi1 VTEMPLATE: Hardware address 0090.ab09.c000
VPDN acknowledges the creation of the virtual access interface for ser-test-1@service.com. SER-LNS-1 designates virtual access interface 1 as an asynchronous interface and clones the configuration from virtual template 1:
May 16 21:38:02.325: Vi1 VPDN: Virtual interface created for ser-test-1@service.com
May 16 21:38:02.325: Vi1 VPDN: Set to Async interface
May 16 21:38:02.325: Vi1 PPP: Phase is DOWN, Setup
May 16 21:38:02.325: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
May 16 21:38:02.325: Vi1 VTEMPLATE: Has a new cloneblk vtemplate, now it has vtemplate
May 16 21:38:02.325: Vi1 VTEMPLATE: ************* CLONE VACCESS1 ***************
May 16 21:38:02.329: Vi1 VTEMPLATE: Clone from Virtual-Template1
interface Virtual-Access1
default ip address
no ip address
encap ppp
ip unnumbered Serial2/0
peer default ip address pool default
ppp authentication chap
ip unnum fas 0/0
peer default ip address pool default
end
The following message indicates that SER-LNS-1 first erroneously attempted to configure the ip unnumbered serial 2/0 command, which is not allowed because serial interface 2/0 is also unnumbered. Instead, virtual access interface is configured with the ip unnumbered fastethernet 0/0 command:
May 16 21:38:02.385: Vi1 VTEMPLATE: Messages from (un)cloning ...
Cannot use an unnumbered interface: Serial2/0
Virtual access interface 1 is brought up:
3w0d: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
May 16 21:38:02.385: Vi1 PPP: Treating connection as a dedicated line
May 16 21:38:02.385: Vi1 PPP: Phase is ESTABLISHING, Active Open
May 16 21:38:02.385: Vi1 LCP: O CONFREQ [Closed] id 1 len 25
May 16 21:38:02.385: Vi1 LCP: ACCM 0x000A0000 (0x0206000A0000)
May 16 21:38:02.385: Vi1 LCP: AuthProto CHAP (0x0305C22305)
May 16 21:38:02.385: Vi1 LCP: MagicNumber 0xFD07FFBB (0x0506FD07FFBB)
May 16 21:38:02.385: Vi1 LCP: PFC (0x0702)
May 16 21:38:02.385: Vi1 LCP: ACFC (0x0802)
May 16 21:38:02.385: Vi1 VPDN: Bind interface direction=2
May 16 21:38:02.389: Vi1 PPP: Treating connection as a dedicated line
ISP-LAC-1 has forwarded information from the LCP negotiation with the client, and SER-LNS-1 then forces this information onto virtual access interface 1:
May 16 21:38:02.389: Vi1 LCP: I FORCED CONFREQ len 21
May 16 21:38:02.389: Vi1 LCP: ACCM 0x000A0000 (0x0206000A0000)
May 16 21:38:02.389: Vi1 LCP: AuthProto CHAP (0x0305C22305)
May 16 21:38:02.389: Vi1 LCP: MagicNumber 0x28C9DAF1 (0x050628C9DAF1)
May 16 21:38:02.389: Vi1 LCP: PFC (0x0702)
May 16 21:38:02.389: Vi1 LCP: ACFC (0x0802)
May 16 21:38:02.389: Vi1 VPDN: PPP LCP accepted rcv CONFACK
May 16 21:38:02.389: Vi1 VPDN: PPP LCP accepted sent CONFACK
May 16 21:38:02.389: Vi1 PPP: Phase is AUTHENTICATING, by this end
SER-LNS-1 sends a CHAP challenge to ser-test-1@service.com which replies with a CHAP response. SER-LNS-1 then authenticates the CHAP response and sends a CHAP success:
May 16 21:38:02.389: Vi1 CHAP: O CHALLENGE id 2 len 30 from "SER-LNS-1"
May 16 21:38:02.389: Vi1 CHAP: I RESPONSE id 1 len 40 from "ser-test-1@service.com"
May 16 21:38:02.389: Vi1 CHAP: O SUCCESS id 1 len 4
May 16 21:38:02.389: Vi1 PPP: Phase is UP
May 16 21:38:02.389: Vi1 IPCP: O CONFREQ [Closed] id 1 len 10
May 16 21:38:02.389: Vi1 IPCP: Address 192.168.48.1 (0x0306C0A83001)
May 16 21:38:02.501: Vi1 IPCP: I CONFREQ [REQsent] id 1 len 40
May 16 21:38:02.501: Vi1 IPCP: CompressType VJ 15 slots CompressSlotID (0x02)
May 16 21:38:02.501: Vi1 IPCP: Address 0.0.0.0 (0x030600000000)
May 16 21:38:02.501: Vi1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
May 16 21:38:02.501: Vi1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
May 16 21:38:02.501: Vi1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
May 16 21:38:02.501: Vi1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
May 16 21:38:02.501: Vi1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0
May 16 21:38:02.501: Vi1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0
SER-LNS-1 assigns the IP address 192.168.49.1 to the client from the default IP address pool:
May 16 21:38:02.501: Vi1 IPCP: Pool returned 192.168.49.1
May 16 21:38:02.501: Vi1 IPCP: O CONFREJ [REQsent] id 1 len 10
May 16 21:38:02.501: Vi1 IPCP: CompressType VJ 15 slots CompressSlotID (0x02)
May 16 21:38:02.501: Vi1 CCP: I CONFREQ [Not negotiated] id 1 len 15
May 16 21:38:02.501: Vi1 CCP: MS-PPC supported bits 0x00000001 (0x1206000000)
May 16 21:38:02.501: Vi1 CCP: Stacker history 1 check mode EXTENDED (0x11050)
May 16 21:38:02.501: Vi1 LCP: O PROTREJ [Open] id 2 len 21 protocol CCP
May 16 21:38:02.501: Vi1 LCP: (0x80FD0101000F12060000000111050001)
May 16 21:38:02.501: Vi1 LCP: (0x04)
May 16 21:38:02.517: Vi1 IPCP: I CONFACK [REQsent] id 1 len 10
May 16 21:38:02.517: Vi1 IPCP: Address 192.168.48.1 (0x0306C0A83001)
The line protocol on virtual access interface 1 is brought up:
3w0d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
May 16 21:38:04.385: Vi1 LCP: TIMEout: State Open
May 16 21:38:04.389: Vi1 IPCP: TIMEout: State ACKrcvd
May 16 21:38:04.389: Vi1 IPCP: O CONFREQ [ACKrcvd] id 2 len 10
May 16 21:38:04.389: Vi1 IPCP: Address 192.168.48.1 (0x0306C0A83001)
May 16 21:38:04.821: Vi1 IPCP: I CONFACK [REQsent] id 2 len 10
May 16 21:38:04.821: Vi1 IPCP: Address 192.168.48.1 (0x0306C0A83001)
The client requests IP addresses for DNS and WINS servers:
May 16 21:38:05.477: Vi1 IPCP: I CONFREQ [ACKrcvd] id 2 len 34
May 16 21:38:05.477: Vi1 IPCP: Address 0.0.0.0 (0x030600000000)
May 16 21:38:05.477: Vi1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
May 16 21:38:05.477: Vi1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
May 16 21:38:05.477: Vi1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
May 16 21:38:05.477: Vi1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
May 16 21:38:05.477: Vi1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 192.168.49.1
May 16 21:38:05.477: Vi1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 192.168.49.1
SER-LNS-1 replies with the IP addresses of the DNS and WINS servers:
May 16 21:38:05.477: Vi1 IPCP: O CONFNAK [ACKrcvd] id 2 len 34
May 16 21:38:05.477: Vi1 IPCP: Address 192.168.49.1 (0x0306C0A83101)
May 16 21:38:05.477: Vi1 IPCP: PrimaryDNS 172.23.1.10 (0x8106AC17010A)
May 16 21:38:05.477: Vi1 IPCP: PrimaryWINS 172.23.1.11 (0x8206AC17010B)
May 16 21:38:05.477: Vi1 IPCP: SecondaryDNS 172.23.2.10 (0x8306AC17020A)
May 16 21:38:05.481: Vi1 IPCP: SecondaryWINS 172.23.2.11 (0x8406AC17020B)
May 16 21:38:05.589: Vi1 IPCP: I CONFREQ [ACKrcvd] id 3 len 34
May 16 21:38:05.589: Vi1 IPCP: Address 192.168.49.1 (0x0306C0A83101)
May 16 21:38:05.589: Vi1 IPCP: PrimaryDNS 172.23.1.10 (0x8106AC17010A)
May 16 21:38:05.589: Vi1 IPCP: PrimaryWINS 172.23.1.11 (0x8206AC17010B)
May 16 21:38:05.589: Vi1 IPCP: SecondaryDNS 172.23.2.10 (0x8306AC17020A)
May 16 21:38:05.589: Vi1 IPCP: SecondaryWINS 172.23.2.11 (0x8406AC17020B)
May 16 21:38:05.589: Vi1 AAA/AUTHOR/IPCP: Start. Her address 192.168.49.1, we want 192.168.49.1
May 16 21:38:05.589: Vi1 AAA/AUTHOR/IPCP: Reject 192.168.49.1, using 192.168.49.1
May 16 21:38:05.589: Vi1 AAA/AUTHOR/IPCP: Done. Her address 192.168.49.1, we want 192.168.49.1
SER-LNS-1 receives positive acknowledgment that the client received the IP addresses for the DNS and WINS servers:
May 16 21:38:05.593: Vi1 IPCP: O CONFACK [ACKrcvd] id 3 len 34
May 16 21:38:05.593: Vi1 IPCP: Address 192.168.49.1 (0x0306C0A83101)
May 16 21:38:05.593: Vi1 IPCP: PrimaryDNS 172.23.1.10 (0x8106AC17010A)
May 16 21:38:05.593: Vi1 IPCP: PrimaryWINS 172.23.1.11 (0x8206AC17010B)
May 16 21:38:05.593: Vi1 IPCP: SecondaryDNS 172.23.2.10 (0x8306AC17020A)
May 16 21:38:05.593: Vi1 IPCP: SecondaryWINS 172.23.2.11 (0x8406AC17020B)
May 16 21:38:05.593: Vi1 IPCP: State is Open
SER-LNS-1 installs the route to 192.168.49.1, the IP address of the client:
May 16 21:38:05.593: Vi1 IPCP: Install route to 192.168.49.1
SER-LNS-1#