- multihop-hostname
- pool-member
- pptp flow-control receive-window
- pptp flow-control static-rtt
- pptp tunnel echo
- protocol (VPDN)
- radius-server attribute 31 remote-id
- radius-server attribute 87 circuit-id
- radius-server domain-stripping
- redirect identifier
- request-dialin
- request-dialout
- resource-pool profile vpdn
- service vpdn group
- session-limit (VPDN)
- set identifier (control policy-map class)
- set variable (control policy-map class)
- show interfaces virtual-access
- show l2tp class
- show l2tp counters
- show l2tp memory
- show l2tp redundancy
- show l2tp session
- show l2tp tunnel
- show ppp mppe
- show resource-pool vpdn
- show vpdn
- show vpdn dead-cache
- show vpdn domain
- show vpdn group
- show vpdn group-select
- show vpdn group-select keys
- show vpdn history failure
- show vpdn multilink
- show vpdn redirect
- show vpdn redundancy
- show vpdn session
- show vpdn tunnel
- show vtemplate
- show vtemplate redundancy
- snmp-server enable traps vpdn dead-cache
- source-ip
- source vpdn-template
- sso enable
- substitute (control policy-map class)
- tacacs-server domain-stripping
- terminate-from
multihop-hostname
To enable a tunnel switch to initiate a tunnel based on the hostname or tunnel ID associated with an ingress tunnel, use the multihop-hostname command in VPDN request-dialin subgroup configuration mode. To disable this option, use the no form of this command.
multihop-hostname ingress-tunnel-name
no multihop-hostname ingress-tunnel-name
Syntax Description
ingress-tunnel-name | Network access server (NAS) hostname or ingress tunnel ID.
Command Default
No multihop hostname is configured.
Command Modes
VPDN request-dialin subgroup configuration
Command History
Usage Guidelines
Use the multihop-hostname command only on a device configured as a tunnel switch.
The ingress-tunnel-name argument must specify either the hostname of the device initiating the tunnel that is to be switched, or the tunnel ID of the ingress tunnel that is to be switched.
Removing the request-dialin subgroup configuration will remove the multihop-hostname configuration.
Examples
The following example configures a Layer 2 Tunnel Protocol (L2TP) virtual private dialup network (VPDN) group on a tunnel switch to forward ingress sessions from the host named LAC-1 through an outgoing tunnel to IP address 10.3.3.3:
vpdn-group 11
request-dialin
protocol l2tp
multihop-hostname LAC-1
initiate-to ip 10.3.3.3
local name tunnel-switch
Related Commands
pool-member
To assign a request-dialout virtual private dialup network (VPDN) subgroup to a dialer pool, use the pool-member command in VPDN request-dialout configuration mode. To remove the request-dialout VPDN subgroup from a dialer pool, use the no form of this command.
pool-member pool-number
no pool-member [pool-number]
Syntax Description
pool-number | Dialer pool to which this VPDN group belongs.
Defaults
Command is disabled.
Command Modes
VPDN request-dialout configuration
Command History
Release | Modification
---|---
12.0(5)T | This command was introduced.
Usage Guidelines
Before you can enable the pool-member command, you must first enable the protocol l2tp command on the request-dialout VPDN subgroup. Removing the protocol l2tp command will remove the pool-member command from the request-dialout VPDN subgroup.
You can only configure one dialer profile pool (using the pool-member command) or dialer rotary group (using the rotary-group command). If you attempt to configure a second dialer resource, you will replace the first dialer resource in the configuration.
Examples
The following example configures VPDN group 1 to request L2TP dial-out to IP address 172.16.4.6 using dialer profile pool 1 and identifying itself using the local name "user1."
vpdn-group 1
request-dialout
protocol l2tp
pool-member 1
initiate-to ip 172.16.4.6
local name user1
Related Commands
pptp flow-control receive-window
To specify how many packets the Point-to-Point Tunnel Protocol (PPTP) client can send before it must wait for acknowledgment from the tunnel server, use the pptp flow-control receive-window command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
pptp flow-control receive-window packets
no pptp flow-control receive-window
Syntax Description
packets | Number of packets the client can send before it has to wait for acknowledgment from the tunnel server. Valid values range from 1 to 64 packets. The default value is 16 packets.
Command Default
The PPTP client may send up to 16 packets before it must wait for acknowledgment.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release | Modification
---|---
12.0(5)XE5 | This command was introduced.
12.1(5)T | This command was integrated into Cisco IOS Release 12.1(5)T.
Examples
The following example shows how to fine-tune PPTP by specifying that a client associated with the virtual private dialup network (VPDN) group named group1 can send 20 packets before it must wait for acknowledgment from the tunnel server:
vpdn-group group1
accept-dialin
protocol pptp
virtual-template 1
!
pptp flow-control receive-window 20
Related Commands
pptp flow-control static-rtt
To specify the timeout interval of the Point-to-Point Tunnel Protocol (PPTP) tunnel server between sending a packet to the client and receiving a response, use the pptp flow-control static-rtt command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
pptp flow-control static-rtt seconds
no pptp flow-control static-rtt
Syntax Description
Command Default
The tunnel server will wait 1500 ms for a response before timing out.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release | Modification
---|---
12.0(5)XE5 | This command was introduced.
12.1(5)T | This command was integrated into Cisco IOS Release 12.1(5)T.
Usage Guidelines
If the session times out, the tunnel server does not retry or resend the packet. Instead, the flow control alarm is triggered, and stateful mode is automatically switched to stateless.
Examples
The following example shows how to fine-tune PPTP by increasing the timeout interval for tunnels associated with the virtual private dialup network (VPDN) group named group1 on the tunnel server to 2000 ms:
vpdn-group group1
accept-dialin
protocol pptp
virtual-template 1
!
pptp flow-control static-rtt 2000
Related Commands
pptp tunnel echo
To specify the period of idle time on the Point-to-Point Tunnel Protocol (PPTP) tunnel that will trigger an echo message from the tunnel server to the client, use the pptp tunnel echo command in VPDN group or VPDN template configuration mode. To restore the default value, use the no form of this command.
pptp tunnel echo seconds
no pptp tunnel echo
Syntax Description
seconds | Echo packet interval, in seconds. Valid values range from 0 to 1000. The default value is 60.
Command Default
The tunnel server will send an echo message after a 60-second idle interval.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release | Modification
---|---
12.0(5)XE5 | This command was introduced.
12.1(5)T | This command was integrated into Cisco IOS Release 12.1(5)T.
Usage Guidelines
Use the pptp tunnel echo command to set the idle time that the tunnel server will wait before sending an echo message to the client.
If the tunnel server does not receive a reply to the echo message within 20 seconds, it will tear down the tunnel. This 20-second interval is hard coded.
Examples
The following example shows how to fine-tune PPTP on the tunnel server by increasing the idle time interval for the tunnels associated with the virtual private dialup network (VPDN) group named group1 to 90 seconds:
vpdn-group group1
accept-dialin
protocol pptp
virtual-template 1
!
pptp tunnel echo 90
Related Commands
protocol (VPDN)
To specify the tunneling protocol that a virtual private dialup network (VPDN) subgroup will use, use the protocol command in the appropriate VPDN subgroup configuration mode. To remove the protocol-specific configurations from a VPDN subgroup, use the no form of this command.
protocol {any | l2f | l2tp | pppoe | pptp}
no protocol {any | l2f | l2tp | pppoe | pptp}
Syntax Description
Command Default
No protocol is specified.
Command Modes
VPDN accept-dialin group configuration (config-vpdn-acc-in)
VPDN accept-dialout group configuration (config-vpdn-acc-out)
VPDN request-dialin group configuration (config-vpdn-req-in)
VPDN request-dialout group configuration (config-vpdn-req-out)
Command History
Usage Guidelines
This command is required for any VPDN subgroup configuration.
L2TP is the only protocol that can be used for dialout subgroup configurations.
Removal of l2f Keyword
The l2f keyword was removed from Cisco IOS Release 12.4(11)T. It is available in releases prior to Release 12.4(11)T.
Changing the protocol will remove all the commands from the VPDN subgroup configuration, and any protocol-specific commands from the VPDN group configuration.
Note Users must first enter the vpdn enable command to configure the PPP over Ethernet discovery daemon.
The show running-config command does not display the configured domain name and virtual template, unless you configure the protocol l2tp command.
When you unconfigure the protocol l2tp command, the configured domain name and virtual template are automatically removed. When you reconfigure the protocol l2tp command, the domain name and virtual template need to be explicitly added again.
Examples
The following example configures VPDN group 1 to accept dial-in calls using L2F and to request dial-out calls using L2TP:
Router> enable
Router# configure terminal
Router(config)# vpdn enable
Router(config)# vpdn-group 1
Router(config-vpdn)# accept-dialin
Router(config-vpdn-acc-in)# protocol l2f
Router(config-vpdn-acc-in)# virtual-template 1
Router(config-vpdn-acc-in)# exit
Router(config-vpdn)# request-dialout
Router(config-vpdn-req-out)# protocol l2tp
Router(config-vpdn-req-out)# pool-member 1
Router(config-vpdn-req-out)# exit
Router(config-vpdn)# local name router1
Router(config-vpdn)# terminate-from hostname router2
Router(config-vpdn)# initiate-to ip 10.3.2.1
Router(config-vpdn)# l2f ignore-mid-sequence
Router(config-vpdn)# l2tp ip udp checksum
If you then use the no protocol command in VPDN request-dialout group configuration mode, the configuration will be changed to this:
vpdn enable
!
vpdn-group 1
accept-dialin
protocol l2f
virtual-template 1
terminate-from hostname router2
local name router1
l2f ignore-mid-sequence
The following example shows how to set VPDN group 1 to request dial-in calls using PPTP:
Router> enable
Router# configure terminal
Router(config)# vpdn enable
Router(config)# vpdn-group 1
Router(config-vpdn)# request-dialin
Router(config-vpdn-req-in)# protocol pptp
The domain name command configures the domain name of the users that will be forwarded to the L2TP tunnel server. The virtual-template command selects the default virtual template from which to clone the virtual access interfaces for the L2TP tunnel. The following example shows how to configure the protocol l2tp, virtual-template, and domain name commands:
Router(config)# vpdn enable
Router(config)# vpdn-group l2tp
Router(config-vpdn)# request-dialin
Router(config-vpdn-req-in)# protocol l2tp
Router(config-vpdn-req-in)# virtual-template 1
Router(config-vpdn-req-in)# domain example.com
Router(config-vpdn-req-in)# exit
If you then use the no protocol command in VPDN request-dialin group configuration mode, the configuration will be changed to this:
vpdn enable
!
vpdn-group l2tp
The following example shows the output from the show running-config command, if you reconfigure the protocol l2tp command:
vpdn enable
!
vpdn-group l2tp
request-dialin
protocol l2tp
Related Commands
radius-server attribute 31 remote-id
To override the calling-station-id attribute with remote-id in RADIUS AAA messages, use the radius-server attribute 31 remote-id command in global configuration mode. To disable the command function (default), use the no form of this command.
radius-server attribute 31 remote-id
no radius-server attribute 31 remote-id
Syntax Description
This command has no arguments or keywords.
Command Default
Command function is disabled.
Command Modes
Global configuration mode
Command History
Release | Modification
---|---
12.4(6th)T | This command was introduced.
Usage Guidelines
Configure the radius-server attribute 31 remote-id command on the LNS.
Examples
The following example shows the configuration on the LNS:
LNS(config)# radius-server attribute 31 remote-id
Related Commands
radius-server attribute 87 circuit-id
To override the nas-port-id attribute with Circuit_ID in RADIUS AAA messages, use the radius-server attribute 87 circuit-id command in global configuration mode. To disable the command function (default), use the no form of this command.
radius-server attribute 87 circuit-id
no radius-server attribute 87 circuit-id
Syntax Description
This command has no arguments or keywords.
Command Default
The command function is disabled.
Command Modes
Global configuration
Command History
Release | Modification
---|---
12.4(15)T | This command was introduced.
Usage Guidelines
Configure the radius-server attribute 87 circuit-id command on the L2TP Network Server (LNS).
Examples
The following example shows the configuration on the LNS:
LNS(config)# radius-server attribute 87 circuit-id
Related Commands
radius-server domain-stripping
To configure a network access server (NAS) to strip suffixes, or to strip both suffixes and prefixes from the username before forwarding the username to the remote RADIUS server, use the radius-server domain-stripping command in global configuration mode. To disable a stripping configuration, use the no form of this command.
Note The ip vrf default command must be configured in global configuration mode before the radius-server domain-stripping command is configured, to ensure that the default VRF name is a NULL value until the default VRF name is configured.
radius-server domain-stripping [[right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] | strip-suffix suffix] [vrf vrf-name]
no radius-server domain-stripping [[right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] | strip-suffix suffix] [vrf vrf-name]
Syntax Description
Command Default
Stripping is disabled. The full username is sent to the RADIUS server.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the radius-server domain-stripping command to configure the NAS to strip the domain from a username before forwarding the username to the RADIUS server. If the full username is user1@cisco.com, enabling the radius-server domain-stripping command results in the username "user1" being forwarded to the RADIUS server.
Use the right-to-left keyword to specify that the username should be parsed for a delimiter from right to left, rather than from left to right. This allows strings with two instances of a delimiter to strip the username at either delimiter. For example, if the username is user@cisco.com@cisco.net, the suffix could be stripped in two ways. The default direction (left to right) would result in the username "user" being forwarded to the RADIUS server. Configuring the right-to-left keyword would result in the username "user@cisco.com" being forwarded to the RADIUS server.
Use the prefix-delimiter keyword to enable prefix stripping and to specify the character or characters that will be recognized as a prefix delimiter. The first configured character that is parsed will be used as the prefix delimiter, and any characters before that delimiter will be stripped.
Use the delimiter keyword to specify the character or characters that will be recognized as a suffix delimiter. The first configured character that is parsed will be used as the suffix delimiter, and any characters after that delimiter will be stripped.
Use strip-suffix suffix to specify a particular suffix to strip from usernames. For example, configuring the radius-server domain-stripping strip-suffix cisco.net command would result in the username user@cisco.net being stripped, while the username user@cisco.com will not be stripped. You may configure multiple suffixes for stripping by issuing multiple instances of the radius-server domain-stripping command. The default suffix delimiter is the @ character.
Note Issuing the radius-server domain-stripping strip-suffix suffix command disables the capacity to strip suffixes from all domains. Both the suffix delimiter and the suffix must match for the suffix to be stripped from the full username. The default suffix delimiter of @ will be used if you do not specify a different suffix delimiter or set of suffix delimiters using the delimiter keyword.
To apply a domain-stripping configuration only to a specified VRF, use the vrf vrf-name option.
The interactions between the different types of domain stripping configurations are as follows:
•You may configure only one instance of the radius-server domain-stripping [right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] command.
•You may configure multiple instances of the radius-server domain-stripping [right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] [vrf vrf-name] command with unique values for vrf vrf-name.
•You may configure multiple instances of the radius-server domain-stripping strip-suffix suffix [vrf per-vrf] command to specify multiple suffixes to be stripped as part of a global or per-VRF ruleset.
•Issuing any version of the radius-server domain-stripping command automatically enables suffix stripping using the default delimiter character @ for that ruleset, unless a different delimiter or set of delimiters is specified.
•Configuring a per-suffix stripping rule disables generic suffix stripping for that ruleset. Only suffixes that match the configured suffix or suffixes will be stripped from usernames.
Examples
The following example configures the router to parse the username from right to left and sets the valid suffix delimiter characters as @, \, and $. If the full username is cisco/user@cisco.com$cisco.net, the username "cisco/user@cisco.com" will be forwarded to the RADIUS server because the $ character is the first valid delimiter encountered by the NAS when parsing the username from right to left.
radius-server domain-stripping right-to-left delimiter @\$
The following example configures the router to strip the domain name from usernames only for users associated with the VRF instance named abc. The default suffix delimiter @ will be used for generic suffix stripping.
radius-server domain-stripping vrf abc
The following example enables prefix stripping using the character / as the prefix delimiter. The default suffix delimiter character @ will be used for generic suffix stripping. If the full username is cisco/user@cisco.com, the username "user" will be forwarded to the RADIUS server.
radius-server domain-stripping prefix-delimiter /
The following example enables prefix stripping, specifies the character / as the prefix delimiter, and specifies the character # as the suffix delimiter. If the full username is cisco/user@cisco.com#cisco.net, the username "user@cisco.com" will be forwarded to the RADIUS server.
radius-server domain-stripping prefix-delimiter / delimiter #
The following example enables prefix stripping, configures the character / as the prefix delimiter, configures the characters $, @, and # as suffix delimiters, and configures per-suffix stripping of the suffix cisco.com. If the full username is cisco/user@cisco.com, the username "user" will be forwarded to the RADIUS server. If the full username is cisco/user@cisco.com#cisco.com, the username "user@cisco.com" will be forwarded.
radius-server domain-stripping prefix-delimiter / delimiter $@#
radius-server domain-stripping strip-suffix cisco.com
The following example configures the router to parse the username from right to left and enables suffix stripping for usernames with the suffix cisco.com. If the full username is cisco/user@cisco.net@cisco.com, the username "cisco/user@cisco.net" will be forwarded to the RADIUS server. If the full username is cisco/user@cisco.com@cisco.net, the full username will be forwarded.
radius-server domain-stripping right-to-left
radius-server domain-stripping strip-suffix cisco.com
The following example configures a set of global stripping rules that will strip the suffix cisco.com using the delimiter @, and a different set of stripping rules for usernames associated with the VRF named myvrf:
radius-server domain-stripping strip-suffix cisco.com
!
radius-server domain-stripping prefix-delimiter # vrf myvrf
radius-server domain-stripping strip-suffix cisco.net vrf myvrf
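The rules above decide which identity the RADIUS server actually authorizes, so it is worth being able to predict the forwarded username for a given configuration before deploying it. The following Python model is an added example, not Cisco code: it reproduces the parse direction, prefix-delimiter, delimiter, strip-suffix and per-VRF behaviour described in the Usage Guidelines, and the assertions it was checked against are the username/result pairs from the examples in this section. Two points the text does not settle are marked as assumptions in the code: the right-to-left keyword is applied to the prefix scan as well, and a VRF without its own ruleset falls back to the global ruleset.

```python
"""Model of the username rewrite performed by radius-server domain-stripping.

Added example, not Cisco code. The class and method names below are this
example's own; only the keyword semantics come from the command reference.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class StripRules:
    """One ruleset, mirroring the keywords of a single radius-server domain-stripping line."""
    right_to_left: bool = False            # right-to-left keyword
    prefix_delims: str = ""                # prefix-delimiter characters; "" means no prefix stripping
    suffix_delims: str = "@"               # delimiter characters; "@" is the documented default
    strip_suffixes: Tuple[str, ...] = ()   # strip-suffix values; any entry disables generic suffix stripping

    def _scan(self, username: str):
        """Character positions in the configured parse direction."""
        positions = range(len(username))
        return reversed(positions) if self.right_to_left else positions

    def _first_delim(self, username: str, delims: str) -> Optional[int]:
        """Index of the first configured delimiter met while parsing, or None."""
        for i in self._scan(username):
            if username[i] in delims:
                return i
        return None

    def apply(self, username: str) -> str:
        """Return the username the NAS would forward to RADIUS under this ruleset."""
        # Prefix stripping: drop everything up to and including the first prefix delimiter.
        # Assumption: the parse direction applies to the prefix scan as well.
        if self.prefix_delims:
            i = self._first_delim(username, self.prefix_delims)
            if i is not None:
                username = username[i + 1:]
        # Per-suffix stripping: both a configured delimiter and the exact suffix must match.
        if self.strip_suffixes:
            for i in self._scan(username):
                if username[i] in self.suffix_delims and username[i + 1:] in self.strip_suffixes:
                    return username[:i]
            return username
        # Generic suffix stripping: drop everything after the first suffix delimiter.
        i = self._first_delim(username, self.suffix_delims)
        return username if i is None else username[:i]


class DomainStripping:
    """Global ruleset plus per-VRF rulesets, selected the way the vrf keyword scopes them."""

    def __init__(self) -> None:
        self.rulesets: Dict[Optional[str], StripRules] = {}   # key None = global ruleset

    def configure(self, rules: StripRules, vrf: Optional[str] = None) -> None:
        """radius-server domain-stripping [right-to-left] [prefix-delimiter ...] [delimiter ...] [vrf ...]"""
        self.rulesets[vrf] = rules

    def add_suffix(self, suffix: str, vrf: Optional[str] = None) -> None:
        """radius-server domain-stripping strip-suffix <suffix> [vrf <name>]: extends the ruleset.
        Issuing it with no other rules present enables stripping with the default @ delimiter."""
        rules = self.rulesets.setdefault(vrf, StripRules())
        rules.strip_suffixes = rules.strip_suffixes + (suffix,)

    def forwarded_username(self, username: str, vrf: Optional[str] = None) -> str:
        """Assumption: a VRF with no ruleset of its own uses the global ruleset;
        with no ruleset configured at all the full username is forwarded."""
        rules = self.rulesets.get(vrf) or self.rulesets.get(None)
        return rules.apply(username) if rules else username
```

Note how the per-suffix branch differs from the generic one: with strip-suffix configured, a delimiter alone never strips anything, which is why user@cisco.com@cisco.net is forwarded unchanged when only cisco.com is a configured suffix.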
Related Commands
redirect identifier
To configure a virtual private dialup network (VPDN) redirect identifier to use for Layer 2 Tunneling Protocol (L2TP) call redirection on a network access server (NAS), use the redirect identifier command in VPDN group or VPDN template configuration mode. To remove the name of the redirect identifier from the NAS, use the no form of this command.
redirect identifier identifier-name
no redirect identifier identifier-name
Syntax Description
identifier-name | Name of the redirect identifier to use for call redirection.
Command Default
No redirect identifier is configured.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Release | Modification
---|---
12.2(8)B | This command was introduced.
12.2(13)T | This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
The redirect identifier command is used only on the NAS. To configure the name of the redirect identifier on the stack group tunnel server, use the vpdn redirect identifier command in global configuration mode.
The NAS compares the redirect identifier with the one received from the stack group tunnel server to determine authorization information to redirect the call.
Configuring the redirect identifier is not necessary to perform redirects. If the redirect identifier is not configured, the NAS uses the redirect IP address in order to get authorization information to redirect the call. In that case, the IP address of the new redirected tunnel server must be present in the initiate-to command configuration of the VPDN group on the NAS.
The redirect identifier allows new stack group members to be added without the need to update the NAS configuration with their IP addresses. With the redirect identifier configured, a new stack group member can be added and given the same redirect identifier as the rest of the stack group.
If the authorization information for getting to the new redirected tunnel server is different, then you will need to configure the authorization information via RADIUS using tagged attributes:
Cisco:Cisco-Avpair = :0:"vpdn:vpdn-redirect-id=identifier name"
The NAS will choose the correct tagged parameters to get authorization information for the new redirected tunnel server by first trying to match the redirect identifier (if present) or else by matching the Tunnel-Server-Endpoint IP address.
Examples
The following example configures the redirect identifier named lns1 on the NAS for the VPDN group named group1:
vpdn-group group1
redirect identifier lns1
Related Commands
request-dialin
To create a request dial-in virtual private dialup network (VPDN) subgroup that configures a network access server (NAS) to request the establishment of a dial-in tunnel to a tunnel server, and to enter request dial-in VPDN subgroup configuration mode, use the request-dialin command in VPDN group configuration mode. To remove the request dial-in VPDN subgroup configuration from a VPDN group, use the no form of this command.
request-dialin
no request-dialin
Syntax Description
This command has no arguments or keywords.
Defaults
No request dial-in VPDN subgroups are configured.
Command Modes
VPDN group configuration
Command History
Usage Guidelines
Use the request-dialin command on a NAS to configure a VPDN group to request the establishment of dial-in VPDN tunnels to a tunnel server.
For a VPDN group to request dial-in calls, you must also configure the following commands:
•The initiate-to command in VPDN group configuration mode
•The protocol command in request dial-in VPDN subgroup configuration mode
•At least one dnis or domain command in request dial-in VPDN subgroup configuration mode
The NAS can also be configured to accept requests for Layer 2 Tunnel Protocol (L2TP) dial-out VPDN tunnels from the tunnel server using the accept-dialout command. Dial-in and dial-out calls can use the same L2TP tunnel.
Examples
The following example requests an L2TP dial-in tunnel to a remote peer at IP address 172.17.33.125 for a user in the domain named cisco.com:
Router(config)# vpdn-group 1
Router(config-vpdn)# request-dialin
Router(config-vpdn-req-in)# protocol l2tp
Router(config-vpdn-req-in)# domain cisco.com
!
Router(config-vpdn)# initiate-to ip 172.17.33.125
Related Commands
request-dialout
To create a request dial-out virtual private dialup network (VPDN) subgroup that configures a tunnel server to request the establishment of dial-out Layer 2 Tunnel Protocol (L2TP) tunnels to a network access server (NAS), and to enter request dial-out VPDN subgroup configuration mode, use the request-dialout command in VPDN group configuration mode. To remove the request dial-out VPDN subgroup configuration from a VPDN group, use the no form of this command.
request-dialout
no request-dialout
Syntax Description
This command has no arguments or keywords.
Command Default
No request dial-out VPDN subgroups are configured.
Command Modes
VPDN group configuration
Command History
Release | Modification
---|---
12.0(5)T | This command was introduced.
12.2(31)SB2 | This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use the request-dialout command on a tunnel server to configure a VPDN group to request the establishment of dial-out VPDN tunnels to a NAS. L2TP is the only tunneling protocol that can be used for dial-out VPDN tunnels.
For a VPDN group to request dial-out calls, you must also configure the following commands:
•The initiate-to command in VPDN group configuration mode
•The protocol l2tp command in request dial-out VPDN subgroup configuration mode
•Either the pool-member command or the rotary-group command in request dial-out VPDN subgroup configuration mode, depending on the type of dialer resource to be used by the VPDN subgroup
•The dialer vpdn command in dialer interface configuration mode
If the dialer pool or dialer rotary group that the VPDN group is in contains physical interfaces, the physical interfaces will be used before the VPDN group configuration.
The tunnel server can also be configured to accept requests to establish dial-in VPDN tunnels from a NAS using the accept-dialin command. Dial-in and dial-out calls can use the same L2TP tunnel.
Cisco 10000 Series Router
The Cisco 10000 series router does not support Large-Scale Dial-Out (LSDO). The request-dialout command is not implemented.
Examples
The following example configures VPDN group 1 to request an L2TP tunnel to the peer at IP address 10.3.2.1 for tunneling dial-out calls from dialer pool 1:
Router(config)# vpdn-group 1
Router(config-vpdn)# request-dialout
Router(config-vpdn-req-ou)# protocol l2tp
Router(config-vpdn-req-ou)# pool-member 1
Router(config-vpdn-req-ou)# exit
Router(config-vpdn)# initiate-to ip 10.3.2.1
Router(config-vpdn)# exit
Router(config)# interface Dialer2
Router(config-if)# ip address 172.16.2.3 255.255.128
Router(config-if)# encapsulation ppp
Router(config-if)# dialer remote-name dialer32
Router(config-if)# dialer string 5550100
Router(config-if)# dialer vpdn
Router(config-if)# dialer pool 1
Router(config-if)# dialer-group 1
Router(config-if)# ppp authentication chap
Related Commands
resource-pool profile vpdn
To create a virtual private dialup network (VPDN) profile and to enter VPDN profile configuration mode, use the resource-pool profile vpdn command in global configuration mode. To disable this function, use the no form of this command.
resource-pool profile vpdn name
no resource-pool profile vpdn name
Syntax Description
name | VPDN profile name.
Defaults
No VPDN profiles are set up.
Command Modes
Global configuration
Command History
Release | Modification
---|---
12.0(4)XI | This command was introduced.
12.0(5)T | Support for this command was integrated into Cisco IOS Release 12.0(5)T.
Usage Guidelines
Use the resource-pool profile vpdn command to create a VPDN profile and enter VPDN profile configuration mode, or to enter VPDN profile configuration mode for a VPDN profile that already exists.
VPDN groups can be associated with a VPDN profile using the vpdn group command in VPDN profile configuration mode. A VPDN profile will count VPDN sessions across all associated VPDN groups.
VPDN session limits for the VPDN groups associated with a VPDN profile can be configured in VPDN profile configuration mode using the limit base-size command.
Examples
The following example creates the VPDN groups named l2tp and l2f, and associates both VPDN groups with the VPDN profile named profile32:
Router(config)# vpdn-group l2tp
Router(config-vpdn)#
!
Router(config)# vpdn-group l2f
Router(config-vpdn)#
!
Router(config)# resource-pool profile vpdn profile32
Router(config-vpdn-profile)# vpdn group l2tp
Router(config-vpdn-profile)# vpdn group l2f
Related Commands
service vpdn group
To provide virtual private dialup network (VPDN) service for the Subscriber Service Switch policy, use the service vpdn group command in subscriber profile configuration mode. To remove VPDN service, use the no form of this command.
service vpdn group vpdn-group-name
no service vpdn group vpdn-group-name
Syntax Description
vpdn-group-name | Provides the VPDN service by obtaining the configuration from a predefined VPDN group.
Defaults
This command is disabled by default.
Command Modes
Subscriber profile configuration
Command History
Release | Modification
---|---
12.3(4)T | This command was introduced.
Usage Guidelines
The service vpdn group command provides VPDN service by obtaining the configuration from a predefined VPDN group for the SSS policy defined with the subscriber profile command.
Examples
The following example provides VPDN service to users in the domain cisco.com, and uses VPDN group 1 to obtain VPDN configuration information:
!
subscriber profile cisco.com
service vpdn group 1
The following example provides VPDN service to dialed number identification service (DNIS) 1234567, and uses VPDN group 1 to obtain VPDN configuration information:
!
subscriber profile dnis:1234567
service vpdn group 1
The following example provides VPDN service using a remote tunnel (used on the multihop node), and uses VPDN group 1 to obtain VPDN configuration information:
!
subscriber profile host:lac
service vpdn group 1
Related Commands
session-limit (VPDN)
To limit the number of simultaneous virtual private dialup network (VPDN) sessions allowed for a specified VPDN group, use the session-limit command in VPDN group configuration mode. To remove a configured session limit restriction, use the no form of this command.
session-limit number
no session-limit number
Syntax Description
number | The number of sessions allowed through a specified VPDN group. Valid values range from 0 to 32767.
Command Default
No session limit exists for a VPDN group.
Command Modes
VPDN group configuration
Command History
Usage Guidelines
Use this command to limit the number of allowed sessions for the specified VPDN group. If the session-limit command is configured to 0, no sessions are allowed on the VPDN group.
You must configure the VPDN group as either an accept dial-in or request dial-out VPDN subgroup before you can issue the session-limit command.
The maximum number of VPDN sessions can be configured globally using the vpdn session-limit command, at the level of a VPDN group using the session-limit command, or for all VPDN groups associated with a particular VPDN template using the group session-limit command.
The hierarchy for the application of VPDN session limits is as follows:
•Globally configured session limits take precedence over session limits configured for a VPDN group or in a VPDN template. The total number of sessions on a router may not exceed a configured global session limit.
•Session limits configured for a VPDN template are enforced for all VPDN groups associated with that VPDN template. The total number of sessions for all of the associated VPDN groups may not exceed the configured VPDN template session limit.
•Session limits configured for a VPDN group are enforced for that VPDN group.
Examples
The following example configures an accept dial-in VPDN group named group1 and restricts the VPDN group to a maximum of three simultaneous sessions:
Router(config)# vpdn-group group1
Router(config-vpdn)# accept-dialin
Router(config-vpdn-acc-in)# protocol l2tp
Router(config-vpdn-acc-in)# virtual-template 5
Router(config-vpdn-acc-in)# exit
Router(config-vpdn)# terminate-from hostname host1
Router(config-vpdn)# session-limit 3
Related Commands
set identifier (control policy-map class)
To create a temporary variable that holds the value of an identifier type received by the policy manager, use the set identifier command in configuration-control-policymap-class mode. To remove the temporary variable, use the no form of this command.
action number set varname identifier type
no action number set varname identifier type
Syntax Description
Command Modes
Configuration-control-policymap-class
Command History
Release | Modification
---|---
12.2(31)SB2 | This command was introduced.
Usage Guidelines
The set identifier command creates a temporary variable that holds the value of an identifier type received by the policy manager.
Examples
The following example shows the policy map with the set identifier statement shown in bold:
policy-map type control REPLACE_WITH_example.com
class type control always event session-start
1 collect identifier unauthenticated-username
2 set NEWNAME identifier unauthenticated-username
3 substitute NEWNAME "(.*@).*" "\1example.com"
4 authenticate variable NEWNAME aaa list EXAMPLE
5 service-policy type service name example
policy-map type service abc
service vpdn group 1
bba-group pppoe global
virtual-template 1
!
interface Virtual-Template1
service-policy type control REPLACE_WITH_example.com
Related Commands
set variable (control policy-map class)
To create a temporary variable that holds the value of an identifier type received by the policy manager, use the set variable command in configuration-control-policymap-class configuration mode. To remove the temporary variable, use the no form of this command.
action-number set variable identifier type
no action-number set variable identifier type
Syntax Description
Command Default
The control policy is not affected.
Command Modes
Configuration-control-policymap-class configuration
Command History
Release | Modification
---|---
12.2(31)SB2 | This command was introduced.
Usage Guidelines
The set variable command creates a temporary variable that holds the value of an identifier type received by the policy manager.
Examples
The following example shows the policy map with the set variable statement shown in bold:
policy-map type control REPLACE_WITH_example.com
class type control always event session-start
1 collect identifier unauthenticated-username
2 set NEWNAME identifier unauthenticated-username
3 substitute NEWNAME "(.*@).*" "\1example.com"
4 authenticate variable NEWNAME aaa list EXAMPLE
5 service-policy type service name example
policy-map type service abc
service vpdn group 1
bba-group pppoe global
virtual-template 1
!
interface Virtual-Template1
service-policy type control REPLACE_WITH_example.com
Related Commands
show interfaces virtual-access
To display status, traffic data, and configuration information about a specified virtual access interface, use the show interfaces virtual-access command in privileged EXEC mode.
show interfaces virtual-access number [configuration]
Syntax Description
number | Number of the virtual access interface.
configuration | (Optional) Restricts output to configuration information.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
To identify the number of the vty on which the virtual access interface was created, enter the show users command.
The counts of output packet bytes reported by the L2TP access concentrator (LAC) to the RADIUS server in the accounting record do not match those measured by a client. The following paragraphs describe how the accounting is done and how you can determine the correct packet byte counts.
Packet counts for client packets in the input path are as follows:
•For packets that are process-switched, virtual access input counters are incremented by the coalescing function by the PPP over Ethernet (PPPoE) payload length.
•For packets that are fast-switched, virtual access input counters are incremented by the fast-switching function by the formula:
PPPoE payload length + PPP address&control bytes = PPPoE payload length + 2
•For packets that are Cisco Express Forwarding switched, virtual access input counters are incremented by the Cisco Express Forwarding switching function by the formula:
IP length + PPP encapbytes (4) = PPPoE payload length + 2
Packet counts for client packets in the output path are as follows:
•For packets that are process-switched by protocols other than PPP, virtual access output counters are incremented in the upper layer protocol by the entire datagram, as follows:
Size = PPPoE payload + PPPoE hdr (6) + Eth hdr (14) + SNAP hdr (10) + media hdr (4 for ATM)
•For packets process-switched by PPP Link Control Protocol (LCP) and Network Control Protocol (NCP), virtual access output counters are incremented by PPP, as follows:
PPP payload size + 4 bytes of PPP hdr
•For packets that are Cisco Express Forwarding fast-switched, virtual access counters are incremented by the PPPoE payload size.
Accounting is done for PPPoE, PPPoA PPP Termination Aggregation (PTA), and L2X as follows:
•For PPPoE PTA, the PPPoE payload length is counted for all input and output packets.
•For PPPoE L2X on a LAC, the PPPoE payload length is counted for all input packets. On an L2TP Network Server (LNS), the payload plus the PPP header (address + control + type) are counted.
•For PPP over ATM (PPPoA) PTA input packets, the payload plus the PPP address plus control bytes are counted. For PPPoA PTA output packets, the payload plus the PPP address plus control bytes plus the ATM header are counted.
•For PPPoA L2X on a LAC, for input packets the payload plus the PPP address plus control bytes are counted. For PPPoA L2X on an LNS, the payload plus the PPP header (address + control + type) are counted.
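As an added example (not Cisco's code), the following Python models the rules above: it parses a constructed PPPoE session frame and returns the counter increment each switching path applies, plus the bytes an accounting record counts for PPPoE PTA and PPPoE L2X deployments, so a RADIUS byte count can be reconciled with what the client measured. The PPPoA rules are not modeled, and reading "payload" in the LNS rule as the PPP payload (the IP datagram) is our assumption.

```python
"""Model of the virtual-access byte-counting rules described above.

Added example, not Cisco code. It parses a constructed PPPoE session frame
and returns the counter increment each switching path applies, plus the
bytes an accounting record counts for PPPoE PTA and PPPoE L2X deployments.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021

# Header sizes named in the text.
ETH_HDR = 14
PPPOE_HDR = 6
SNAP_HDR = 10
ATM_MEDIA_HDR = 4
PPP_ADDR_CTRL = 2        # PPP address + control bytes
PPP_ADDR_CTRL_TYPE = 4   # PPP address + control + protocol (type)


@dataclass
class PppoeFrame:
    pppoe_payload_len: int   # PPPoE header length field (PPP protocol + IP)
    ip_len: int              # IPv4 total length


def parse_pppoe_session_frame(frame: bytes) -> PppoeFrame:
    """Parse Ethernet + PPPoE session header + PPP/IPv4; reject malformed input."""
    if len(frame) < ETH_HDR + PPPOE_HDR + 2 + 20:
        raise ValueError("frame too short for PPPoE/PPP/IPv4")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame")
    ver_type, code, _session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("unexpected PPPoE version/type/code")
    payload = frame[20:]
    if len(payload) != length:
        raise ValueError("PPPoE length field disagrees with payload length")
    (proto,) = struct.unpack("!H", payload[:2])
    if proto != PPP_PROTO_IPV4:
        raise ValueError("only PPP-encapsulated IPv4 is modeled here")
    (ip_len,) = struct.unpack("!H", payload[4:6])   # IPv4 total length
    if ip_len != length - 2:
        raise ValueError("IPv4 total length disagrees with PPPoE payload")
    return PppoeFrame(pppoe_payload_len=length, ip_len=ip_len)


def input_counter_increment(f: PppoeFrame) -> dict:
    """Virtual-access input counter increment, per switching path."""
    return {
        "process": f.pppoe_payload_len,
        "fast": f.pppoe_payload_len + PPP_ADDR_CTRL,
        "cef": f.ip_len + PPP_ADDR_CTRL_TYPE,   # equals PPPoE payload + 2
    }


def output_counter_increment(f: PppoeFrame, media_hdr: int = ATM_MEDIA_HDR) -> dict:
    """Virtual-access output counter increment, per switching path."""
    return {
        "process_non_ppp": f.pppoe_payload_len + PPPOE_HDR + ETH_HDR + SNAP_HDR + media_hdr,
        "cef": f.pppoe_payload_len,
    }


def accounting_bytes(f: PppoeFrame, deployment: str) -> int:
    """Bytes the accounting record counts for one PPPoE packet.

    deployment is 'pta', 'l2x-lac' or 'l2x-lns'. Assumption (ours): the
    'payload' in the LNS rule is the PPP payload, i.e. the IP datagram.
    """
    if deployment in ("pta", "l2x-lac"):
        return f.pppoe_payload_len
    if deployment == "l2x-lns":
        return f.ip_len + PPP_ADDR_CTRL_TYPE
    raise ValueError(f"unknown deployment {deployment!r}")


def build_sample_frame(ip_payload_len: int = 80) -> bytes:
    """Constructed sample: minimal IPv4 header + payload inside PPPoE/PPP."""
    ip_total = 20 + ip_payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_hdr + bytes(ip_payload_len)
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(ppp)) + ppp
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    return eth + pppoe


if __name__ == "__main__":
    frame = parse_pppoe_session_frame(build_sample_frame())
    print(input_counter_increment(frame), output_counter_increment(frame))
    print({d: accounting_bytes(frame, d) for d in ("pta", "l2x-lac", "l2x-lns")})
```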
In Cisco IOS Release 12.2(33)SB and later releases, the router no longer allows you to specify a virtual access interface (VAI) as vix.y in the show pxf cpu queue and show interfaces commands. Instead, you must spell out the VAI as virtual-access.
For example, the router accepts the following command:
Router# show interfaces virtual-access 2.1
In releases prior to Cisco IOS Release 12.2(33)SB, the router accepts the abbreviated form of the VAI. For example, the router accepts the following command:
Router# show interfaces vi2.1
Examples
The following is sample output from the show interfaces virtual-access command:
Router# show interfaces virtual-access 3
Virtual-Access3 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1500 bytes, BW 149760 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open, multilink Open
Link is a member of Multilink bundle Virtual-Access4
PPPoATM vaccess, cloned from Virtual-Template1
Vaccess status 0x44
Bound to ATM4/0.10000 VCD:16, VPI:15, VCI:200, loopback not set
DTR is pulsed for 5 seconds on reset
Last input never, output never, output hang never
Last clearing of "show interfaces" counters 00:57:37
Input queue:0/75/0/0 (size/max/drops/flushes); Total output drops:0
Queueing strategy:fifo
Output queue:0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
676 packets input, 12168 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
676 packets output, 10140 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Table 5 describes the significant fields shown in the display.
Related Commands
show l2tp class
To display information about Layer 2 Tunneling Protocol (L2TP) classes, use the show l2tp class command in privileged EXEC mode.
show l2tp class
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
To use the show l2tp class command, you must configure the following commands:
•The vpdn enable command in global configuration mode
•The vpdn-group command in global configuration mode
•The request-dialin command in VPDN group configuration mode
•The protocol command in request dial-in VPDN subgroup configuration mode
•The domain command in request dial-in VPDN subgroup configuration mode
•The initiate-to command in VPDN group configuration mode
•The local name command in VPDN group configuration mode
•The l2tp tunnel password command in VPDN group configuration mode
•The l2tp attribute clid mask-method command in VPDN group configuration mode
Examples
The following example shows how to configure an L2TP class using the preceding commands:
Router> enable
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# vpdn enable
Router(config)# vpdn-group l2tp
Router(config-vpdn)# request-dialin
Router(config-vpdn-req-in)# protocol l2tp
Router(config-vpdn-req-in)# domain cisco.com
Router(config-vpdn-req-in)# domain cisco.com#184
Router(config-vpdn-req-in)# exit
Router(config-vpdn)# initiate-to ip 10.168.1.4
Router(config-vpdn)# local name router32
Router(config-vpdn)# l2tp tunnel password 0 cisco
Router(config-vpdn)# l2tp attribute clid mask-method remove match #184
Router(config-vpdn)# exit
Router(config)# l2tp-class test
Router(config-l2tp-class)# exit
Router(config)# exit
The following is sample output from the show l2tp class command:
Router# show l2tp class
class [l2tp_default_class]
is a statically configured class
is not to be shown on running config
is locked by: "Exec" (1 time)
"Internal" (1 time)
configuration:
l2tp-class l2tp_default_class
!
class [test]
is a statically configured class
configuration:
l2tp-class test
!
Table 6 describes the significant fields shown in the display.
Field | Description
---|---
l2tp_default_class | Name of the default L2TP class.
test | Name of the L2TP class.
Related Commands
show l2tp counters
To display information about Layer 2 Tunneling Protocol (L2TP) counters and tunnel statistics, use the show l2tp counters command in privileged EXEC mode.
Cisco IOS Release 12.4(24)T and Later Releases
show l2tp counters tunnel [all | authentication | id local-tunnel-id]
Cisco IOS Release 12.2(33)SRC, Cisco IOS XE Release 2.1, and Later Releases
show l2tp counters {session fsm {event | state {current | transition}} [icrq | manual | ocrq] | tunnel [all | authentication | id local-tunnel-id]}
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
To use the show l2tp counters command, you must configure the following commands:
•The vpdn enable command in global configuration mode
•The vpdn-group command in global configuration mode
•The request-dialin command in VPDN group configuration mode
•The protocol command in appropriate VPDN subgroup configuration mode
•The domain command in request dial-in VPDN subgroup configuration mode
•The initiate-to command in VPDN group configuration mode
•The local name command in VPDN group configuration mode
•The l2tp tunnel password command in VPDN group configuration mode
•The l2tp attribute clid mask-method command in VPDN group configuration mode
Examples
The following is sample output from the show l2tp counters command:
Router# show l2tp counters tunnel
Global L2TP tunnel control message statistics:
XMIT RE-XMIT RCVD DROP
========== ========== ========== ==========
ZLB 0 0 0 0
SCCRQ 6 10 0 0
SCCRP 0 0 1 0
SCCCN 1 0 0 0
StopCCN 5 5 0 0
Hello 0 0 0 0
OCRQ 0 0 0 0
OCRP 0 0 0 0
OCCN 0 0 0 0
ICRQ 2 0 0 0
ICRP 0 0 2 0
ICCN 2 0 0 0
CDN 0 0 0 0
WEN 0 0 0 0
SLI 2 0 4 0
EXP ACK 0 0 0 0
SRRQ 0 0 0 0
SRRP 0 0 0 0
CiscoACK 4 0 5 5
Total 32 25 22 15
Table 6 describes the significant fields shown in the display.
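As an added example (not Cisco's code), the following Python parses the control-message statistics table above and applies a few operator heuristics to it: unanswered SCCRQs, a high retransmit ratio, and dropped messages. SAMPLE_OUTPUT is the table shown above re-typed; the retransmit threshold is a constructed choice.

```python
"""Parse 'show l2tp counters tunnel' statistics and flag control-channel trouble.

Added example, not Cisco code. SAMPLE_OUTPUT is the table shown above re-typed;
the 50% retransmit threshold in check_tunnel_health is a constructed choice.
"""
import re
from typing import Dict, List, NamedTuple


class Counters(NamedTuple):
    xmit: int
    rexmit: int
    rcvd: int
    drop: int


# Message name, then the four integer columns (XMIT RE-XMIT RCVD DROP).
ROW_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

SAMPLE_OUTPUT = """\
Global L2TP tunnel control message statistics:
                 XMIT    RE-XMIT    RCVD    DROP
           ========== ========== ========== ==========
ZLB                0          0          0          0
SCCRQ              6         10          0          0
SCCRP              0          0          1          0
SCCCN              1          0          0          0
StopCCN            5          5          0          0
Hello              0          0          0          0
OCRQ               0          0          0          0
OCRP               0          0          0          0
OCCN               0          0          0          0
ICRQ               2          0          0          0
ICRP               0          0          2          0
ICCN               2          0          0          0
CDN                0          0          0          0
WEN                0          0          0          0
SLI                2          0          4          0
EXP ACK            0          0          0          0
SRRQ               0          0          0          0
SRRP               0          0          0          0
CiscoACK           4          0          5          5
Total             32         25         22         15
"""


def parse_counters(text: str) -> Dict[str, Counters]:
    """Return {message name: Counters}; title, header and ruler lines are skipped."""
    rows: Dict[str, Counters] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m.group(1)] = Counters(*(int(v) for v in m.groups()[1:]))
    return rows


def check_tunnel_health(rows: Dict[str, Counters], rexmit_ratio: float = 0.5) -> List[str]:
    """Operator heuristics over the counters; returns human-readable findings."""
    findings: List[str] = []
    zero = Counters(0, 0, 0, 0)
    sccrq_sent = rows.get("SCCRQ", zero).xmit
    sccrp_rcvd = rows.get("SCCRP", zero).rcvd
    # Every SCCRQ this side originates should draw an SCCRP from the peer.
    if sccrq_sent > sccrp_rcvd:
        findings.append(
            f"{sccrq_sent} SCCRQ sent but {sccrp_rcvd} SCCRP received: "
            "tunnel setup attempts are not being answered")
    for name, c in rows.items():
        if name == "Total":
            continue   # the Total row would double-count the message rows
        if c.xmit and c.rexmit / c.xmit > rexmit_ratio:
            findings.append(
                f"{name}: {c.rexmit} retransmits for {c.xmit} sent "
                "(control-channel loss or unresponsive peer)")
        if c.drop:
            findings.append(f"{name}: {c.drop} received messages dropped")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_health(parse_counters(SAMPLE_OUTPUT)):
        print(finding)
```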
The following is sample output from the show l2tp counters session command:
Router# show l2tp counter session fsm state transition manual
Counters shown are for non-signaled, manual sessions only:
Old State     New State
              Idle   Wt-Sock   Wt-Local   establish   Dead
              =====  ========  =========  ==========  =====
Init            -       -         -          -         -
Idle            -       -         -          -         -
Wt-Sock         -       -         -          -         -
Wt-Local        -       -         -          -         -
establish       -       -         -          -         -
Dead            -       -         -          -         -
Table 8 describes the significant fields shown in the display.
Related Commands
show l2tp memory
To display information about Layer 2 Tunneling Protocol (L2TP) memory, use the show l2tp memory command in privileged EXEC mode.
show l2tp memory [detail]
Syntax Description
detail | (Optional) Displays details about L2TP memory usage.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use the show l2tp memory command to display information about L2TP memory.
To use the show l2tp memory command, you must configure the following commands:
•The vpdn enable command in global configuration mode
•The vpdn-group command in global configuration mode
•The request-dialin command in VPDN group configuration mode
•The protocol command in request dial-in VPDN subgroup configuration mode
•The domain command in request dial-in VPDN subgroup configuration mode
•The initiate-to command in VPDN group configuration mode
•The local name command in VPDN group configuration mode
•The l2tp tunnel password command in VPDN group configuration mode
•The l2tp attribute clid mask-method command in VPDN group configuration mode
Examples
The following is sample output from the show l2tp memory command:
Router# show l2tp memory
Allocator-Name In-use/Allocated Count
----------------------------------------------------------------------------
L2TP AVP chunk : 16960/18232 ( 93%) [ 212] Chunk
L2TP AVP vendor+type : 24/76 ( 31%) [ 1]
L2TP AVP vendor+type+app : 24/76 ( 31%) [ 1]
L2TP AVPs : 52/104 ( 50%) [ 1]
L2TP CC Author DB : 0/32820 ( 0%) [ 0] Chunk
L2TP CC ID : 24/76 ( 31%) [ 1]
L2TP CC ublock : 0/65588 ( 0%) [ 0] Chunk
L2TP CLID mask match : 44/96 ( 45%) [ 1]
L2TP DB : 36/65640 ( 0%) [ 1] Chunk
L2TP Event Msg chunks : 0/65588 ( 0%) [ 0] Chunk
L2TP ISSU Session : 532/792 ( 67%) [ 5]
L2TP L2X CC DB : 65780/65936 ( 99%) [ 3]
L2TP L2X SESSION DB : 83764/83920 ( 99%) [ 3]
L2TP L2X cc chunk : 0/65588 ( 0%) [ 0] Chunk
L2TP L2X sn chunk : 0/65588 ( 0%) [ 0] Chunk
L2TP SN ID : 0/65588 ( 0%) [ 0] Chunk
L2TP SN INT ID : 0/65588 ( 0%) [ 0] Chunk
L2TP SN V2 ID : 24/76 ( 31%) [ 1]
L2TP SN V3 ID : 36/88 ( 40%) [ 1]
L2TP Socket Msg chunks : 0/4304 ( 0%) [ 0] Chunk
L2TP mgd timer chunk : 0/65588 ( 0%) [ 0] Chunk
L2TP v3 L3VPN Session ID : 96/148 ( 64%) [ 1]
L2TUN DISC DB : 0/32820 ( 0%) [ 0] Chunk
L2TUN discovery sess chun : 0/576 ( 0%) [ 0] Chunk
L2TUN discovery sess chun : 0/1552 ( 0%) [ 0] Chunk
L2X CC ublock : 88/140 ( 62%) [ 1]
L2X Hash Table : 2097152/2097204 ( 99%) [ 1]
L2X SN ublock : 88/140 ( 62%) [ 1]
L2X Sn DB entries chunk : 0/65588 ( 0%) [ 0] Chunk
L2X Sw Sn chunk : 0/65588 ( 0%) [ 0] Chunk
L2X author chunk : 0/65588 ( 0%) [ 0] Chunk
L2X author ctx : 212/264 ( 80%) [ 1]
L2X author hdr chunk : 0/18232 ( 0%) [ 0] Chunk
L2X cc author db : 32/84 ( 38%) [ 1]
Total allocated: 2.936 Mb, 3007 Kb, 3079276 bytes
Table 6 describes the significant fields shown in the display.
Related Commands
show l2tp redundancy
To display information about a Layer 2 Tunneling Protocol (L2TP) high availability (HA) stateful switchover (SSO) session, including its state, use the show l2tp redundancy command in privileged EXEC mode.
show l2tp redundancy [all | [detail] [id local-tunnel-ID [local-session-ID]]]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
The show l2tp redundancy command displays the same information as the show vpdn redundancy command.
During the time frame immediately after a switchover and before the resynchronization starts, if you enter the show l2tp redundancy command, the last line of the command output is "Resync not yet started." Once the resynchronization starts, the line "L2TP Resynced Tunnels: 0/0 (success/fail)" is shown. When the resynchronization completes, the "Resync duration 0.0 secs (complete)" is shown.
Examples
The following example shows how to display the global status of L2TP redundancy information:
Router# show l2tp redundancy
L2TP HA support: Silent Failover
L2TP HA Status:
Checkpoint Messaging on: TRUE
Standby RP is up: TRUE
Recv'd Message Count: 189
L2TP Tunnels: 2/2/2/0 (total/HA-enabled/HA-est/resync)
L2TP Sessions: 20/20/20 (total/HA-enabled/HA-est)
L2TP Resynced Tunnels: 2/0 (success/fail)
Resync duration 0.63 secs (complete)
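As an added example (not Cisco's code), the following Python parses this output and reports which of the three resync states named in the usage guidelines the router is in, along with conditions an operator would want raised before trusting a failover. SAMPLE_COMPLETE is the output shown above; SAMPLE_NOT_STARTED is a constructed post-switchover variant built from the "Resync not yet started" wording.

```python
"""Parse 'show l2tp redundancy' output and report the HA/resync state.

Added example, not Cisco code. SAMPLE_COMPLETE is the output shown above;
SAMPLE_NOT_STARTED is a constructed variant of what the usage guidelines say
appears right after a switchover, before resynchronization begins.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_COMPLETE = """\
L2TP HA support: Silent Failover
L2TP HA Status:
  Checkpoint Messaging on: TRUE
  Standby RP is up: TRUE
  Recv'd Message Count: 189
  L2TP Tunnels: 2/2/2/0 (total/HA-enabled/HA-est/resync)
  L2TP Sessions: 20/20/20 (total/HA-enabled/HA-est)
  L2TP Resynced Tunnels: 2/0 (success/fail)
  Resync duration 0.63 secs (complete)
"""

SAMPLE_NOT_STARTED = """\
L2TP HA support: Silent Failover
L2TP HA Status:
  Checkpoint Messaging on: FALSE
  Standby RP is up: FALSE
  Recv'd Message Count: 0
  L2TP Tunnels: 2/2/0/2 (total/HA-enabled/HA-est/resync)
  L2TP Sessions: 20/20/0 (total/HA-enabled/HA-est)
  Resync not yet started
"""


@dataclass
class HaStatus:
    checkpointing: bool
    standby_up: bool
    tunnels: tuple           # (total, HA-enabled, HA-est, resync)
    sessions: tuple          # (total, HA-enabled, HA-est)
    resync_ok: Optional[int]
    resync_fail: Optional[int]
    phase: str               # 'not_started', 'in_progress' or 'complete'


def _flag(text: str, label: str) -> bool:
    m = re.search(re.escape(label) + r":\s*(TRUE|FALSE)", text)
    if not m:
        raise ValueError(f"missing '{label}' line")
    return m.group(1) == "TRUE"


def parse_redundancy(text: str) -> HaStatus:
    t = re.search(r"L2TP Tunnels:\s*(\d+)/(\d+)/(\d+)/(\d+)", text)
    s = re.search(r"L2TP Sessions:\s*(\d+)/(\d+)/(\d+)", text)
    if not (t and s):
        raise ValueError("tunnel/session summary lines missing")
    r = re.search(r"L2TP Resynced Tunnels:\s*(\d+)/(\d+)", text)
    # Phase detection follows the three output states named in the usage guidelines.
    if "Resync not yet started" in text:
        phase = "not_started"
    elif re.search(r"Resync duration .*\(complete\)", text):
        phase = "complete"
    elif r:
        phase = "in_progress"
    else:
        raise ValueError("cannot determine resync phase")
    return HaStatus(
        checkpointing=_flag(text, "Checkpoint Messaging on"),
        standby_up=_flag(text, "Standby RP is up"),
        tunnels=tuple(int(v) for v in t.groups()),
        sessions=tuple(int(v) for v in s.groups()),
        resync_ok=int(r.group(1)) if r else None,
        resync_fail=int(r.group(2)) if r else None,
        phase=phase,
    )


def ha_findings(st: HaStatus) -> List[str]:
    """Conditions an operator would want raised before trusting a failover."""
    findings: List[str] = []
    total, ha_enabled, ha_est, _resync = st.tunnels
    if not st.checkpointing:
        findings.append("checkpoint messaging is off: standby receives no tunnel state")
    if not st.standby_up:
        findings.append("standby RP is down: a failover now would drop all tunnels")
    if ha_enabled < total:
        findings.append(f"{total - ha_enabled} tunnel(s) not HA-enabled")
    if st.phase == "complete" and ha_est < ha_enabled:
        findings.append(f"{ha_enabled - ha_est} HA-enabled tunnel(s) not established")
    if st.resync_fail:
        findings.append(f"{st.resync_fail} tunnel(s) failed to resync")
    if st.phase != "complete":
        findings.append(f"resync phase is '{st.phase}'; counters are not yet authoritative")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_COMPLETE, SAMPLE_NOT_STARTED):
        status = parse_redundancy(sample)
        print(status.phase, ha_findings(status))
```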
The following example shows how to display a summary of all L2TP redundancy information:
Router# show l2tp redundancy all
L2TP HA support: Silent Failover
L2TP HA Status:
Checkpoint Messaging on: FALSE
Standby RP is up: TRUE
Recv'd Message Count: 0
L2TP Active Tunnels: 1/1 (total/HA-enable)
L2TP Active Sessions: 2/2 (total/HA-enable)
L2TP HA CC Check Point Status:
State LocID RemID Remote Name Class/Group Num/Sessions
est 44233 51773 LNS VPDN Group 1 10.1.1.1 2
L2TP HA Session Status:
LocID RemID TunID Waiting for Waiting for
VPDN app? L2TP proto?
2 2 44233 No No
2 3 44233 No No
The following example shows how to limit the displayed redundancy information to only the sessions associated with a specified tunnel ID:
Router# show l2tp redundancy id 44233
L2TP HA Session Status:
LocID RemID TunID Waiting for Waiting for
VPDN app? L2TP proto?
2 2 44233 No No
2 3 44233 No No
Table 9 and Table 10 describe the significant fields shown in the show l2tp redundancy, show l2tp redundancy all, show l2tp redundancy id, and show l2tp redundancy detail command outputs.
The following example shows how to limit the information displayed by providing a tunnel ID:
Router# show l2tp redundancy id 44233
L2TP HA Session Status:
LocID RemID TunID Waiting for Waiting for
VPDN app? L2TP proto?
2 2 44233 No No
The following example shows how to limit the information displayed by providing a session ID:
Router# show l2tp redundancy detail id 44233 3
Local session ID : 3
Remote session ID : 3
Local CC ID : 44233
Local UDP port : 1701
Remote UDP port : 1701
Waiting for VPDN application : No
Waiting for L2TP protocol : No
The following example shows the detailed information displayed on a router newly active after a failover:
Router# show l2tp redundancy detail
L2TP HA Status:
Checkpoint Messaging on: TRUE
Standby RP is up: TRUE
Recv'd Message Count: 219
L2TP Tunnels: 1/1/1/0 (total/HA-enabled/HA-est/resync)
L2TP Sessions: 1/1/1 (total/HA-enabled/HA-est)
L2TP Resynced Tunnels: 1/0 (success/fail)
Resync duration 3.0 secs (complete)
Our Ns checkpoints: 0, our Nr checkpoints: 0
Peer Ns checkpoints: 0, peer Nr checkpoints: 0
Packets received before entering resync phase: 0
Nr0 adjusts during resync phase init: 0
Nr learnt from peer during resync phase: 0
Tunnels destroyed during tunnel resync phase
Poisoned: 1
Failed to transmit the initial probe: 2
Cleared by peer: 3
Cleared due to excessive retransmits: 4
Cleared because unestablished: 5
Cleared by us, other: 6
Total: 21
Sessions destroyed during tunnel resync phase
Poisoned: 7
Unestablished: 8
Missing application session: 9
Cleared by peer: 10
Attempted before or during resync: 11
Tunnel poisoned: 12
Tunnel failed to transmit initial probe: 13
Tunnel cleared by peer: 14
Tunnel cleared due to excessive retransmits: 15
Tunnel cleared because unestablished: 16
Tunnel cleared by us, other: 17
Sessions cleared, other: 18
Total: 134
Related Commands
show l2tp session
To display information about Layer 2 Tunneling Protocol (L2TP) sessions, use the show l2tp session command in privileged EXEC mode.
show l2tp session [all | packets [ipv6] | sequence | state | [brief | circuit | interworking] [hostname]] [ip-addr ip-addr [vcid vcid] | tunnel {id local-tunnel-id local-session-id | remote-name remote-tunnel-name local-tunnel-name} | username username | vcid vcid]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
To use the show l2tp session command, you must configure the following commands:
•The vpdn enable command in global configuration mode
•The vpdn-group command in global configuration mode
•The request-dialin command in VPDN group configuration mode
•The protocol command in request dial-in VPDN subgroup configuration mode
•The domain command in request dial-in VPDN subgroup configuration mode
•The initiate-to command in VPDN group configuration mode
•The local name command in VPDN group configuration mode
•The l2tp tunnel password command in VPDN group configuration mode
•The l2tp attribute clid mask-method command in VPDN group configuration mode
Examples
The following is sample output from the show l2tp session command:
Router# show l2tp session packets
L2TP Session Information Total tunnels 1 sessions 2
LocID RemID TunID Pkts-In Pkts-Out Bytes-In Bytes-Out
18390 313101640 4059745793 0 0 0 0
25216 4222832574 4059745793 15746 100000 1889520 12000000
Related Commands
show l2tp tunnel
To display details about Layer 2 Tunneling Protocol (L2TP) tunnels, use the show l2tp tunnel command in privileged EXEC mode.
show l2tp tunnel [all | packets [ipv6] | state | summary | transport] [id local-tunnel-id | local-name local-tunnel-name remote-tunnel-name | remote-name remote-tunnel-name local-tunnel-name]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
To use the show l2tp tunnel command, you must configure the following commands:
•The vpdn enable command in global configuration mode
•The vpdn-group command in global configuration mode
•The request-dialin command in VPDN group configuration mode
•The protocol command in request dial-in VPDN subgroup configuration mode
•The domain command in request dial-in VPDN subgroup configuration mode
•The initiate-to command in VPDN group configuration mode
•The local name command in VPDN group configuration mode
•The l2tp tunnel password command in VPDN group configuration mode
•The l2tp attribute clid mask-method command in VPDN group configuration mode
Depending on the keywords or arguments entered, the show l2tp tunnel command displays information such as packet or byte count, state, transport, local or remote names, and summary information for L2TP tunnels.
Examples
The following is sample output from the show l2tp tunnel command:
Router# show l2tp tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 746420372 is up, remote id is 2843347489, 1 active sessions
Remotely initiated tunnel
Tunnel state is established, time since change 00:30:16
Tunnel transport is IP (115)
Remote tunnel name is 7604-AA1705
Internet Address 12.27.17.86, port 0
Local tunnel name is 7606-AA1801
Internet Address 12.27.18.86, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
598 packets sent, 39 received
74053 bytes sent, 15756 received
Last clearing of counters never
Counters, ignoring last clear:
598 packets sent, 39 received
74053 bytes sent, 15756 received
Control Ns 3, Nr 35
Local RWS 1024 (default), Remote RWS 1024
Control channel Congestion Control is disabled
Tunnel PMTU checking disabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 1
Total resends 0, ZLB ACKs sent 33
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
Related Commands
show ppp mppe
To display Microsoft Point-to-Point Encryption (MPPE) information for an interface, use the show ppp mppe command in privileged EXEC mode.
show ppp mppe {serial | virtual-access} [number]
Syntax Description
Command Modes
Privileged EXEC
Command History
Release | Modification
---|---
12.0(5)XE5 | This command was introduced.
12.1(5)T | This command was integrated into Cisco IOS Release 12.1(5)T.
Usage Guidelines
None of the fields in the output from the show ppp mppe command are fatal errors. Excessive packet drops, misses, out of orders, or CCP-Resets indicate that packets are getting lost. If you see such activity and have stateful MPPE configured, you may want to consider switching to stateless mode.
Examples
The following example displays MPPE information for virtual-access interface 3:
Router# show ppp mppe virtual-access 3
Interface Virtual-Access3 (current connection)
Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
packets encrypted = 0 packets decrypted = 1
sent CCP resets = 0 receive CCP resets = 0
next tx coherency = 0 next rx coherency = 0
tx key changes = 0 rx key changes = 0
rx pkt dropped = 0 rx out of order pkt= 0
rx missed packets = 0
To update the key change information, reissue the show ppp mppe virtual-access 3 command:
Router# show ppp mppe virtual-access 3
Interface Virtual-Access3 (current connection)
Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
packets encrypted = 0 packets decrypted = 1
sent CCP resets = 0 receive CCP resets = 0
next tx coherency = 0 next rx coherency = 0
tx key changes = 0 rx key changes = 1
rx pkt dropped = 0 rx out of order pkt= 0
rx missed packets = 0
Table 11 describes the significant fields shown in the displays.
Related Commands
show resource-pool vpdn
To display information about a specific virtual private dialup network (VPDN) group or specific VPDN profile, use the show resource-pool vpdn command in EXEC mode.
show resource-pool vpdn {group | profile} [name]
Syntax Description
group | All the VPDN groups configured on the router.
profile | All the VPDN profiles configured on the router.
name | (Optional) Specific VPDN group or profile.
Command Modes
EXEC
Command History
Release | Modification
---|---
12.0(4)XI | This command was introduced.
Examples
Use the show resource-pool vpdn group command to display information about a specific VPDN group.
Example 1
This example displays specific information about the VPDN group named vpdng2:
Router# show resource-pool vpdn group vpdng2
VPDN Group vpdng2 found under Customer Profiles: customer2
Tunnel (L2TP)
--------
dnis:customer2-calledg
cisco.com
Endpoint Session Limit Priority Active Sessions Status Reserved Sessions
-------- ------------- -------- --------------- ------ -----------------
172.21.9.97 * 1 0 OK
------------- --------------- -----------------
Total * 0 0
Example 2
The following example displays information about all the VPDN groups configured on the router:
Router# show resource-pool vpdn group
List of VPDN Groups under Customer Profiles
Customer Profile customer1: vpdng1
Customer Profile customer2: vpdng2
List of VPDN Groups under VPDN Profiles
VPDN Profile profile1: vpdng1
VPDN Profile profile2: vpdng2
Table 12 describes the significant fields shown in the displays.
Example 3
The following example displays a list of all VPDN profiles configured on the router:
Router# show resource-pool vpdn profile
% List of VPDN Profiles:
profile1
profile2
profile3
Example 4
The following example displays details about a specific VPDN profile named vpdnp1:
Router# show resource-pool vpdn profile vpdnp1
0 active connections
0 max number of simultaneous connections
0 calls rejected due to profile limits
0 calls rejected due to resource unavailable
0 overflow connections
0 overflow states entered
0 overflow connections rejected
3003 minutes since last clear command
Table 13 describes the significant fields shown in the displays.
Related Commands
show vpdn
To display basic information about all active virtual private dialup network (VPDN) tunnels, use the show vpdn command in user EXEC mode.
show vpdn
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC
Command History
Usage Guidelines
Use the show vpdn command to display information about all active tunnels using Layer 2 Tunnel Protocol (L2TP), Layer 2 Forwarding (L2F), and Point-to-Point Tunnel Protocol (PPTP).
Note: Effective with Cisco IOS Release 12.4(11)T, the L2F protocol is not available in Cisco IOS software.
The output of the show vpdn session command also displays PPPoE session information. PPPoE is supported on ATM permanent virtual connections (PVCs) compliant with RFC 1483 only. PPPoE is not supported on Frame Relay and any other LAN interfaces such as FDDI and Token Ring.
Examples
The following is sample output from the show vpdn command on a device with active L2F and L2TP tunnels:
Router> show vpdn
Active L2F tunnels
NAS Name Gateway Name NAS CLID Gateway CLID State
nas gateway 4 2 open
L2F MIDs
Name NAS Name Interface MID State
router1@cisco.com nas As7 1 open
router2@cisco.com nas As8 2 open
%No active PPTP tunnels
The following is sample output from the show vpdn command on a device with an active PPPoE tunnel:
Router> show vpdn
%No active L2TP tunnels
%No active L2F tunnels
PPPoE Tunnel and Session Information Total tunnels 1 sessions 1
PPPoE Tunnel Information
Session count:1
PPPoE Session Information
SID RemMAC LocMAC Intf VASt OIntf VC
1 0010.7b01.2cd9 0090.ab13.bca8 Vi4 UP AT6/0 0/104
The following is sample output from the show vpdn command on a device with an active PPPoE session on an actual Ethernet interface:
Router> show vpdn
%No active L2TP tunnels
%No active L2F tunnels
PPPoE Tunnel and Session Information Total tunnels 1 sessions 1
PPPoE Tunnel Information
Session count:1
PPPoE Session Information
SID RemMAC LocMAC Intf VASt OIntf
1 0090.bf06.c870 00e0.1459.2521 Vi1 UP Eth1
Table 14 describes the significant fields shown in the displays.
Related Commands
show vpdn dead-cache
To display a list of dead-cache (DOWN) state Local Network Servers (LNSs), use the show vpdn dead-cache command in user or privileged EXEC mode.
show vpdn dead-cache {group <group-name> | all}
Syntax Description
group <group-name> | Displays all entries in the dead-cache for the specified VPDN group.
all | Displays all entries in the dead-cache for all VPDN groups.
Command Modes
User EXEC
Privileged EXEC
Command History
Release | Modification
---|---
12.2(31)ZV | This command was introduced.
Usage Guidelines
Use the show vpdn dead-cache command in global configuration mode on the L2TP Access Concentrator (LAC) gateway to display a list of LNS entries in a dead-cache state, including the IP address of the LNS and how long, in seconds, the entry has been in a dead-cache state.
Use the clear vpdn dead-cache command in global configuration mode on the LAC gateway to clear the list of LNS entries in the dead-cache. Once the LNS is cleared, the LNS is active and can establish new sessions.
Use the vpdn logging dead-cache command in global configuration mode on the LAC gateway to trigger either a syslog or SNMP event when an LNS enters or exits a dead-cache state.
To display an SNMP or system message log (syslog) event when an LNS enters or exits a dead-cache state, you must configure the vpdn logging dead-cache command.
Examples
The following example shows how to display the status of the dead-cache for a particular VPDN group:
Router> enable
Router# show vpdn dead-cache group example
vpdn-group ip address down time
exampleA 192.168.2.2 00:01:23
exampleB 192.168.2.3 00:01:16
The following example shows how to display the status of the dead-cache for all VPDN groups:
Router> enable
Router# show vpdn dead-cache all
vpdn-group ip address down time
exampleA 192.168.2.2 00:01:23
exampleB 192.168.2.3 00:01:16
Table 15 describes the significant fields shown in the displays.
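As an added example (not Cisco's code), the following Python parses a `show vpdn dead-cache` display like the ones above into one entry per LNS, with the hh:mm:ss down time converted to the seconds the usage guidelines refer to, so a LAC operator can flag entries that have stayed in the dead-cache beyond a locally chosen threshold before deciding whether to issue clear vpdn dead-cache. The sample text is copied from the page's output; the threshold and the function names are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample, copied from the page's `show vpdn dead-cache all` display.
SAMPLE_DEAD_CACHE = """\
vpdn-group ip address down time
exampleA 192.168.2.2 00:01:23
exampleB 192.168.2.3 00:01:16
"""

# One data row: VPDN group name, LNS IPv4 address, down time as hh:mm:ss.
# The header line has no IP address in the second column, so it does not match.
_ROW_RE = re.compile(
    r"^(?P<group>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2})$"
)


def down_time_seconds(h: int, m: int, s: int) -> int:
    """Convert the display's hh:mm:ss down time into seconds."""
    return h * 3600 + m * 60 + s


def parse_dead_cache(output: str) -> List[Dict[str, object]]:
    """Return one entry per dead-cache row; the header and any other text are skipped."""
    entries: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "group": m["group"],
            "ip": m["ip"],
            "down_seconds": down_time_seconds(int(m["h"]), int(m["m"]), int(m["s"])),
        })
    return entries


def stale_lns(output: str, threshold_seconds: int = 60) -> List[str]:
    """LNS addresses that have been in the dead-cache longer than threshold_seconds.

    The threshold is an assumed local policy, not a value from the page; entries past it
    are the ones to investigate before a clear vpdn dead-cache reactivates the LNS.
    """
    return [str(e["ip"]) for e in parse_dead_cache(output)
            if int(str(e["down_seconds"])) > threshold_seconds]


if __name__ == "__main__":
    for entry in parse_dead_cache(SAMPLE_DEAD_CACHE):
        print(f"{entry['group']:<10} {entry['ip']:<15} down for {entry['down_seconds']} s")
    print("over threshold:", stale_lns(SAMPLE_DEAD_CACHE))
```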
Related Commands
Command | Description
---|---
clear vpdn dead-cache | Clears the entries in the dead-cache for VPDN groups.
vpdn logging dead-cache | Enables the logging of VPDN events.
show vpdn domain
To display all virtual private dialup network (VPDN) domains and DNIS groups configured on the network access server, use the show vpdn domain command in privileged EXEC mode.
show vpdn domain
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release | Modification
---|---
12.0(4)XI | This command was introduced.
Examples
The following is sample output from the show vpdn domain command:
Router# show vpdn domain
Tunnel VPDN Group
------ ----------
dnis:cg2 vgdnis (L2F)
domain:twu-ultra test (L2F)
Table 16 describes the significant fields shown in the display.
Field | Description
---|---
Tunnel | The assigned name of the tunnel endpoint.
VPDN Group | The assigned name of the VPDN group using the tunnel.
Related Commands
show vpdn group
With resource manager enabled
When resource manager is enabled, to display a summary of the relationships among virtual private dialup network (VPDN) groups and customer/VPDN profiles, or to summarize the configuration of a VPDN group including DNIS/domain, load sharing information, and current session information, use the show vpdn group command in EXEC mode.
With or without resource manager enabled
To display group session-limit information on an LNS, use the show vpdn group command in EXEC mode.
show vpdn group [name] [domain | endpoint]
Syntax Description
name |
(Optional) VPDN group name summarizes the configuration of the specified group. |
domain |
(Optional) DNIS/domain information. |
endpoint |
(Optional) Endpoint session information. |
Command Modes
EXEC
Command History
Usage Guidelines
The following usage guidelines apply only to the Cisco AS5300, AS5400, and AS5800 access servers. If the resource manager has been disabled with the resource-pool disable global configuration command, the show vpdn group command displays only a message stating that the resource pool is disabled. If you enter the show vpdn group name command while resource-pool disable is configured, the router displays the message stating that the resource pool is disabled, followed by a summary of active VPDN sessions.
If you enter the show vpdn group command without a group name, the display includes session-limit information for all groups on the LNS. If you enter the show vpdn group command with a group name, the display includes session-limit information for the specified group on the LNS. Session-limit information is not displayed on the LAC.
Examples
Examples of the show vpdn group command output (with resource manager enabled)
The following is sample output from the show vpdn group command summarizing all VPDN group and profile relationships:
Router# show vpdn group
VPDN Group Customer Profile VPDN Profile
---------- ---------------- ------------
1 - -
2 - -
3 - -
lisun cp1 -
outgoing-2 - -
test - -
*vg1 cpdnis -
*vg2 cpdnis -
vgdnis +cp1 vp1
vgnumber - -
vp1 - -
* VPDN group not configured
+ VPDN profile under Customer profile
Note VPDN group is marked with "*" if it does not exist, but is used under customer/VPDN profile.
Note Customer profiles are marked with "+" if the corresponding VPDN group is not directly configured under a customer profile. Instead, the corresponding VPDN profile is configured under the customer profile.
The following is sample output from the show vpdn group command for a VPDN group named vgdnis (when resource manager is enabled):
Router# show vpdn group vgdnis
Tunnel (L2TP)
------
dnis:cg1
dnis:cg2
dnis:jan
cisco.com
Endpoint Session Limit Priority Active Sessions Status Reserved Sessions
-------- ------------- -------- --------------- ------ -----------------
172.21.9.67 * 1 0 OK -
--------------- ------------- --------------- -----------------
Total * 0 0
Note The Tunnel section lists all domain and DNIS entries (DNIS entries are prefixed with "dnis:").
The Total session limit is the sum of the session limits of all endpoints; it is marked with "*" if any endpoint has no limit (itself shown as "*").
If an endpoint has no session limit, its reserved sessions are marked with "-".
The following is sample output from the show vpdn group command (when resource manager is configured):
Router# show vpdn group
VPDN Group Customer Profile VPDN Profile
---------- ---------------- ------------
customer1-vpdng customer1 customer1-profile
customer2-vpdng customer2 -
Router# show vpdn group customer1-vpdng
Tunnel (L2TP)
--------
cisco.com
cisco1.com
dnis:customer1-calledg
Endpoint Session Limit Priority Active Sessions Status Reserved Sessions
-------- ------------- -------- --------------- ------ -----------------
172.21.9.67 * 1 0 OK
172.21.9.68 100 1 0 OK
172.21.9.69 * 5 0 OK
------------- --------------- -----------------
Total * 0 0
The following is sample output from the show vpdn group command on a Cisco AS5300 access server when the resource-pool disable command is configured:
Router# show vpdn group
% Resource-pool disabled
The following is sample output from the show vpdn group vgdnis command on a Cisco AS5300 access server when the resource-pool disable command is configured. The summary of tunnel information is displayed only if there is an active VPDN session.
Router# show vpdn group vgdnis
% Resource-pool disabled
Tunnel (L2TP)
------
dnis:cg1
cisco.com
Endpoint Session Limit Priority Active Sessions Status Reserved Sessions
-------- ------------- -------- --------------- ------ -----------------
172.21.9.67 * 1 1 OK -
--------------- ------------- --------------- -----------------
Table 15 describes the significant fields shown in the displays.
Example of the show vpdn group command output for session-limit information on an LNS (with or without resource manager enabled)
The following is sample output from the show vpdn group command after configuring the client, the LAC, and the LNS, and after establishing sessions for two domains.
The show vpdn group command displays the group session-limit information only on the LNS (not on the LAC):
Router# show vpdn group
VPDN group vg1
Group session limit 65535 Active sessions 1 Active tunnels 1
VPDN group vg2
Group session limit 65535 Active sessions 1 Active tunnels 1
Related Commands
show vpdn group-select
To display a summary of the relationships among virtual private dialup network (VPDN) groups and customer or VPDN profiles, or to summarize the configuration of the default VPDN group including DNIS or domain, load sharing information, and current session information, use the show vpdn group-select command in user EXEC or privileged EXEC mode.
show vpdn group-select {summary | default}
Syntax Description
summary |
Displays details of a VPDN group. |
default |
Displays details of a default VPDN group. |
Command Modes
EXEC
Privileged EXEC
Command History
Release | Modification
---|---
12.4(20)T | This command was introduced.
Usage Guidelines
Use the show vpdn group-select command in user or privileged EXEC mode to see a summary of the relationships among VPDN groups and customer or VPDN profiles, or to summarize the configuration of the default VPDN group including domain or DNIS, load sharing information, and current session information.
Examples
The following is sample output from the show vpdn group-select default command summarizing all VPDN group and profile relationships:
Router> show vpdn group-select default
Default VPDN Group Protocol
vgdefault l2tp
None pptp
The following is sample output from the show vpdn group-select summary command:
Router> show vpdn group-select summary
VPDN Group Vrf Remote Name Source-IP Protocol Direction
vg_ip2 10.1.1.2 l2tp accept-dialin
vg_ip3 10.1.1.3 l2tp accept-dialin
vg_lts lts 0.0.0.0 l2tp accept-dialin
vg_lts1 lts1 0.0.0.0 l2tp accept-dialin
vg_lts1_ip2 lts1 10.1.1.2 l2tp accept-dialin
vgdefault 0.0.0.0 l2tp accept-dialin
Table 18 describes the significant fields shown in the displays.
Related Commands
show vpdn group-select keys
To display a summary of the relationships among virtual private dialup network (VPDN) groups and customer or VPDN profiles, or to summarize the configuration of a VPDN group including DNIS or domain, load sharing information, and current session information, use the show vpdn group-select keys command in user EXEC or privileged EXEC mode.
show vpdn group-select keys hostname hostname source-ip ip-address [vpn {id vpn-id | vrf vrf-name}]
Syntax Description
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Release | Modification
---|---
12.4(20)T | This command was introduced.
Examples
The following is sample output from the show vpdn group-select keys command for a host with the name lac-1 and an IP address of 10.0.0.1:
Router# show vpdn group-select keys vrf vrf-blue hostname lac-1 source-ip 10.0.0.1
VPDN Group Vrf Hostname Source Ip
vg1 vrf-blue lac-1 10.0.0.1
The following is sample output from the show vpdn group-select keys command for a host with the name lac-5 and an IP address of 10.1.1.0, and VRF name vrf-red:
Router# show vpdn group-select keys vrf vrf-red hostname lac-5 source-ip 10.1.1.0
VPDN Group Vrf Hostname Source Ip
Vg2 vrf-red lac-5 10.1.1.0
Related Commands
show vpdn history failure
To display the content of the failure history table, use the show vpdn history failure command in EXEC mode.
show vpdn history failure [user-name]
Syntax Description
user-name |
(Optional) Username, which displays only the entries mapped to that particular user. |
Command Modes
EXEC
Command History
Release | Modification
---|---
11.3 T | This command was introduced.
Usage Guidelines
If a username is specified, only the entries mapped to that username are displayed; when the username is not specified, the whole table is displayed.
You can interpret the failure types and reasons in the output of the show vpdn history failure command by referencing RFC 2661, Section 4.4.2, L2TP Result and Error Codes.
Examples
The following is sample output from the show vpdn history failure command, which displays the failure history table for a specific user:
Router# show vpdn history failure
Table size: 20
Number of entries in table: 1
User: example@example.com, MID = 1
NAS: isp, IP address = 172.21.9.25, CLID = 1
Gateway: hp-gw, IP address = 172.21.9.15, CLID = 1
Log time: 13:08:02, Error repeat count: 1
Failure type: The remote server closed this session
Failure reason: Administrative intervention
Table 19 describes the significant fields shown in the display.
Related Commands
show vpdn multilink
To display the multilink sessions authorized for all virtual private dialup network (VPDN) groups, use the show vpdn multilink command in EXEC mode.
show vpdn multilink
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Release | Modification
---|---
12.0(4)XI | This command was introduced.
Examples
The following is sample output comparing the show vpdn tunnel command with the show vpdn multilink command:
Router# show vpdn tunnel
L2F Tunnel and Session Information (Total tunnels=1 sessions=1)
NAS CLID HGW CLID NAS Name HGW Name State
24 10 centi3_nas twu253_hg open
172.21.9.46 172.21.9.67
CLID MID Username Intf State
10 1 twu@twu-ultra.cisco.com Se0:22 open
Router# show vpdn multilink
Multilink Bundle Name VPDN Group Active links Reserved links Bundle/Link Limit
--------------------- ---------- ------------ -------------- -----------------
twu@twu-ultra.cisco.com vgdnis 1 0 */*
Table 20 describes the significant fields shown in the display.
Related Commands
Command | Description
---|---
multilink | Limits the total number of MLP sessions for all VPDN multilink users.
show vpdn redirect
To display statistics for Layer 2 Tunneling Protocol (L2TP) redirects and forwards, use the show vpdn redirect command in privileged EXEC mode.
show vpdn redirect
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Statistics about the number of L2TP forwards and redirects that were done by the router as an L2TP network access server (NAS) or L2TP tunnel server are displayed when you enter the show vpdn redirect command. To clear the redirect counters, use the clear vpdn redirect command.
Examples
The following example displays statistics for redirects and forwards for a router configured as an L2TP NAS:
Router# show vpdn redirect
vpdn redirection enabled
sessions redirected as access concentrator: 2
sessions redirected as network server: 0
sessions forwarded: 2
Table 21 describes the significant fields shown in the display.
Related Commands
show vpdn redundancy
To display information about the state of the virtual private dialup network (VPDN), use the show vpdn redundancy command in user or privileged EXEC mode.
show vpdn redundancy [all | [detail] [id local-tunnel-ID [local-session-ID]]]
Syntax Description
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Usage Guidelines
Use the show vpdn redundancy all command to display the status of VPDN redundancy information.
The show vpdn redundancy command displays the same information as the show l2tp redundancy command.
During the time frame immediately after a switchover and before the resynchronization starts, if you enter the show l2tp redundancy command, the last line of the command output is "Resync not yet started." Once the resynchronization starts, the line "L2TP Resynced Tunnels: 0/0 (success/fail)" is shown. When the resynchronization completes, the "Resync duration 0.0 secs (complete)" is shown.
Examples
The following example shows how to display the status of VPDN redundancy information:
Router# show vpdn redundancy
L2TP HA support: Silent Failover
L2TP HA Status:
Checkpoint Messaging on: TRUE
Standby RP is up: TRUE
Recv'd Message Count: 189
L2TP Tunnels: 2/2/2/0 (total/HA-enabled/HA-est/resync)
L2TP Sessions: 20/20/20 (total/HA-enabled/HA-est)
L2TP Resynced Tunnels: 2/0 (success/fail)
Resync duration 0.63 secs (complete)
The following example shows how to display the global status of all VPDN redundancy information:
Router# show vpdn redundancy all
L2TP HA support: Silent Failover
L2TP HA Status:
Checkpoint Messaging on: FALSE
Standby RP is up: TRUE
Recv'd Message Count: 0
L2TP Active Tunnels: 1/1 (total/HA-enable)
L2TP Active Sessions: 2/2 (total/HA-enable)
L2TP HA CC Check Point Status:
State LocID RemID Remote Name Class/Group Num/Sessions
est 44233 51773 LNS VPDN Group 1 10.1.1.1 2
L2TP HA Session Status:
LocID RemID TunID Waiting for Waiting for
VPDN app? L2TP proto?
2 2 44233 No No
2 3 44233 No No
The following example shows how to limit the displayed redundancy information to only the sessions associated with a specified tunnel ID:
Router# show vpdn redundancy id 44233
L2TP HA Session Status:
LocID RemID TunID Waiting for Waiting for
VPDN app? L2TP proto?
2 2 44233 No No
2 3 44233 No No
Table 10 describes the significant fields shown in the show vpdn redundancy, show vpdn redundancy all, show vpdn redundancy id, and in the show vpdn redundancy detail command outputs.
The following example shows how to limit the information displayed by providing a tunnel ID:
Router# show vpdn redundancy id 44233
L2TP HA Session Status:
LocID RemID TunID Waiting for Waiting for
VPDN app? L2TP proto?
2 2 44233 No No
The following example shows how to limit the information displayed by providing a session ID:
Router# show vpdn redundancy detail id 44233 3
Local session ID : 2
Remote session ID : 2
Local CC ID : 44233
Local UDP port : 1701
Remote UDP port : 1701
Waiting for VPDN application : No
Waiting for L2TP protocol : No
The following example shows the detailed information displayed on a router newly active after a failover:
Router# show vpdn redundancy detail
L2TP HA Status:
Checkpoint Messaging on: TRUE
Standby RP is up: TRUE
Recv'd Message Count: 219
L2TP Tunnels: 1/1/1/0 (total/HA-enabled/HA-est/resync)
L2TP Sessions: 1/1/1 (total/HA-enabled/HA-est)
L2TP Resynced Tunnels: 1/0 (success/fail)
Resync duration 3.0 secs (complete)
Our Ns checkpoints: 0, our Nr checkpoints: 0
Peer Ns checkpoints: 0, peer Nr checkpoints: 0
Packets received before entering resync phase: 0
Nr0 adjusts during resync phase init: 0
Nr learnt from peer during resync phase: 0
Tunnels destroyed during tunnel resync phase
Poisoned: 1
Failed to transmit the initial probe: 2
Cleared by peer: 3
Cleared due to excessive retransmits: 4
Cleared because unestablished: 5
Cleared by us, other: 6
Total: 21
Sessions destroyed during tunnel resync phase
Poisoned: 7
Unestablished: 8
Missing application session: 9
Cleared by peer: 10
Attempted before or during resync: 11
Tunnel poisoned: 12
Tunnel failed to transmit initial probe: 13
Tunnel cleared by peer: 14
Tunnel cleared due to excessive retransmits: 15
Tunnel cleared because unestablished: 16
Tunnel cleared by us, other: 17
Sessions cleared, other: 18
Total: 134
Related Commands
show vpdn session
To display session information about active Layer 2 sessions for a virtual private dialup network (VPDN), use the show vpdn session command in privileged EXEC mode.
show vpdn session [l2f | l2tp | pptp] [all | packets [ipv6] | sequence | state [filter]]
Syntax Description
l2f |
(Optional) Displays information about Layer 2 Forwarding (L2F) calls only. |
l2tp |
(Optional) Displays information about Layer 2 Tunnel Protocol (L2TP) calls only. |
pptp |
(Optional) Displays information about Point-to-Point Tunnel Protocol (PPTP) calls only. |
all |
(Optional) Displays extensive reports about active sessions. |
packets |
(Optional) Displays information about packet and byte counts for sessions. |
ipv6 |
(Optional) Displays IPv6 packet and byte-count statistics. |
sequence |
(Optional) Displays sequence information for sessions. |
state |
(Optional) Displays state information for sessions. |
filter |
(Optional) One of the filter parameters defined in Table 23. |
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use the show vpdn session command to display information about all active sessions using L2TP, L2F, and PPTP.
The output of the show vpdn session command displays PPPoE session information as well. PPPoE is supported only on ATM permanent virtual connections (PVCs) compliant with RFC 1483. PPPoE is not supported on Frame Relay or on other LAN interfaces such as FDDI and Token Ring.
Reports and options for this command depend upon the configuration in which it is used. Use the command-line question mark (?) help function to display options available with the show vpdn session command.
Table 23 defines the filter parameters available to refine the output of the show vpdn session command. You may use any one of the filter parameters in place of the filter argument.
The show vpdn session command provides reports on call activity for all active sessions. The following output is from a device carrying active L2TP, L2F, and PPPoE sessions:
Router# show vpdn session
L2TP Session Information Total tunnels 1 sessions 4
LocID RemID TunID Intf Username State Last Chg Uniq ID
4 691 13695 Se0/0 nobody2@cisco.com est 00:06:00 4
5 692 13695 SSS Circuit nobody1@cisco.com est 00:01:43 8
6 693 13695 SSS Circuit nobody1@cisco.com est 00:01:43 9
3 690 13695 SSS Circuit nobody3@cisco.com est 2d21h 3
L2F Session Information Total tunnels 1 sessions 2
CLID MID Username Intf State Uniq ID
1 2 nobody@cisco.com SSS Circuit open 10
1 3 nobody@cisco.com SSS Circuit open 11
%No active PPTP tunnels
PPPoE Session Information Total tunnels 1 sessions 7
PPPoE Session Information
UID SID RemMAC OIntf Intf Session
LocMAC VASt state
3 1 0030.949b.b4a0 Fa2/0 N/A CNCT_FWDED
0010.7b90.0840
6 2 0030.949b.b4a0 Fa2/0 Vi1.1 CNCT_PTA
0010.7b90.0840 UP
7 3 0030.949b.b4a0 Fa2/0 Vi1.2 CNCT_PTA
0010.7b90.0840 UP
8 4 0030.949b.b4a0 Fa2/0 N/A CNCT_FWDED
0010.7b90.0840
9 5 0030.949b.b4a0 Fa2/0 N/A CNCT_FWDED
0010.7b90.0840
10 6 0030.949b.b4a0 Fa2/0 N/A CNCT_FWDED
0010.7b90.0840
11 7 0030.949b.b4a0 Fa2/0 N/A CNCT_FWDED
0010.7b90.0840
Table 24 describes the significant fields shown in the show vpdn session display.
The show vpdn session packets command provides reports on call activity for all the currently active sessions. The following output is from a device carrying an active PPPoE session:
Router# show vpdn session packets
%No active L2TP tunnels
%No active L2F tunnels
PPPoE Session Information Total tunnels 1 sessions 1
PPPoE Session Information
SID Pkts-In Pkts-Out Bytes-In Bytes-Out
1 202333 202337 2832652 2832716
Table 25 describes the significant fields shown in the show vpdn session packets command display.
The show vpdn session all command provides extensive reports on call activity for all the currently active sessions. The following output is from a device carrying active L2TP, L2F, and PPPoE sessions:
Router# show vpdn session all
L2TP Session Information Total tunnels 1 sessions 4
Session id 5 is up, tunnel id 13695
Call serial number is 3355500002
Remote tunnel name is User03
Internet address is 10.0.0.63
Session state is established, time since change 00:03:53
52 Packets sent, 52 received
2080 Bytes sent, 1316 received
Last clearing of "show vpdn" counters never
Session MTU is 1464 bytes
Session username is nobody@cisco.com
Interface
Remote session id is 692, remote tunnel id 58582
UDP checksums are disabled
SSS switching enabled
No FS cached header information available
Sequencing is off
Unique ID is 8
Session id 6 is up, tunnel id 13695
Call serial number is 3355500003
Remote tunnel name is User03
Internet address is 10.0.0.63
Session state is established, time since change 00:04:22
52 Packets sent, 52 received
2080 Bytes sent, 1316 received
Last clearing of "show vpdn" counters never
Session MTU is 1464 bytes
Session username is nobody@cisco.com
Interface
Remote session id is 693, remote tunnel id 58582
UDP checksums are disabled
SSS switching enabled
No FS cached header information available
Sequencing is off
Unique ID is 9
Session id 3 is up, tunnel id 13695
Call serial number is 3355500000
Remote tunnel name is User03
Internet address is 10.0.0.63
Session state is established, time since change 2d21h
48693 Packets sent, 48692 received
1947720 Bytes sent, 1314568 received
Last clearing of "show vpdn" counters never
Session MTU is 1464 bytes
Session username is nobody2@cisco.com
Interface
Remote session id is 690, remote tunnel id 58582
UDP checksums are disabled
SSS switching enabled
No FS cached header information available
Sequencing is off
Unique ID is 3
Session id 4 is up, tunnel id 13695
Call serial number is 3355500001
Remote tunnel name is User03
Internet address is 10.0.0.63
Session state is established, time since change 00:08:40
109 Packets sent, 3 received
1756 Bytes sent, 54 received
Last clearing of "show vpdn" counters never
Session MTU is 1464 bytes
Session username is nobody@cisco.com
Interface Se0/0
Remote session id is 691, remote tunnel id 58582
UDP checksums are disabled
IDB switching enabled
FS cached header information:
encap size = 36 bytes
4500001C BDDC0000 FF11E977 0A00003E
0A00003F 06A506A5 00080000 0202E4D6
02B30000
Sequencing is off
Unique ID is 4
L2F Session Information Total tunnels 1 sessions 2
MID: 2
User: nobody@cisco.com
Interface:
State: open
Packets out: 53
Bytes out: 2264
Packets in: 51
Bytes in: 1274
Unique ID: 10
Last clearing of "show vpdn" counters never
MID: 3
User: nobody@cisco.com
Interface:
State: open
Packets out: 53
Bytes out: 2264
Packets in: 51
Bytes in: 1274
Unique ID: 11
Last clearing of "show vpdn" counters never
%No active PPTP tunnels
PPPoE Session Information Total tunnels 1 sessions 7
PPPoE Session Information
SID Pkts-In Pkts-Out Bytes-In Bytes-Out
1 48696 48696 681765 1314657
2 71 73 1019 1043
3 71 73 1019 1043
4 61 62 879 1567
5 61 62 879 1567
6 55 55 791 1363
7 55 55 795 1363
The significant fields shown in the show vpdn session all command display are similar to those defined in Table 24 and Table 25.
Related Commands
show vpdn tunnel
To display information about active Layer 2 tunnels for a virtual private dialup network (VPDN), use the show vpdn tunnel command in privileged EXEC mode.
show vpdn tunnel [l2f | l2tp | pptp] [all [filter] | packets [ipv6] [filter] | state [filter] | summary [filter] | transport [filter]]
Syntax Description
l2f |
(Optional) Specifies that only information about Layer 2 Forwarding (L2F) tunnels will be displayed. |
l2tp |
(Optional) Specifies that only information about Layer 2 Tunnel Protocol (L2TP) tunnels will be displayed. |
pptp |
(Optional) Specifies that only information about Point-to-Point Tunnel Protocol (PPTP) tunnels will be displayed. |
all |
(Optional) Displays summary information about all active tunnels. |
filter |
(Optional) One of the filter parameters defined in Table 26. |
packets |
(Optional) Displays packet numbers and packet byte information. |
ipv6 |
(Optional) Displays IPv6 packet and byte-count statistics. |
state |
(Optional) Displays state information for a tunnel. |
summary |
(Optional) Displays a summary of tunnel information. |
transport |
(Optional) Displays tunnel transport information. |
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show vpdn tunnel command to display detailed information about L2TP, L2F, and PPTP VPDN tunnels.
Table 26 defines the filter parameters available to refine the output of the show vpdn tunnel command. You may use any one of the filter parameters in place of the filter argument.
Cisco 10000 Series Router Usage Guidelines
In Cisco IOS Release 12.2(33)SB, the show vpdn tunnel summary command no longer displays the active PPPoE sessions. Instead, use the show pppoe sessions command to display the active sessions.
In Cisco IOS Release 12.2(31)SB, the show vpdn tunnel summary command does display the active PPPoE sessions.
Examples
The following is sample output from the show vpdn tunnel command for L2F and L2TP sessions:
Router# show vpdn tunnel
L2TP Tunnel Information (Total tunnels=1 sessions=1)
LocID RemID Remote Name State Remote Address Port Sessions
2 10 router1 est 172.21.9.13 1701 1
L2F Tunnel
NAS CLID HGW CLID NAS Name HGW Name State
9 1 nas1 HGW1 open
172.21.9.4 172.21.9.232
%No active PPTP tunnels
Table 27 describes the significant fields shown in the display.
The following example shows L2TP tunnel activity, including information about the L2TP congestion avoidance:
Router# show vpdn tunnel l2tp all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 30597 is up, remote id is 45078, 1 active sessions
Tunnel state is established, time since change 00:08:27
Tunnel transport is UDP (17)
Remote tunnel name is LAC1
Internet Address 172.18.184.230, port 1701
Local tunnel name is LNS1
Internet Address 172.18.184.231, port 1701
Tunnel domain unknown
VPDN group for tunnel is 1
L2TP class for tunnel is
4 packets sent, 3 received
194 bytes sent, 42 received
Last clearing of "show vpdn" counters never
Control Ns 2, Nr 4
Local RWS 1024 (default), Remote RWS 256
In Use Remote RWS 15
Control channel Congestion Control is enabled
Congestion Window size, Cwnd 3
Slow Start threshold, Ssthresh 256
Mode of operation is Slow Start
Tunnel PMTU checking disabled
Retransmission time 1, max 2 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 1
Total resends 0, ZLB ACKs sent 2
Current nosession queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Sessions disconnected due to lack of resources 0
Control message authentication is disabled
Table 28 describes the significant fields shown in the display.
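As an added example (not Cisco's code), the Python below parses a `show vpdn tunnel l2tp all` display like the one above into one record per tunnel and audits the control-channel fields a defender reviews: whether control message authentication is enabled, the local and remote receive window sizes, the congestion-avoidance state, and the resend and resource-disconnect counters. It handles displays that contain several tunnel blocks, which the page's single-tunnel sample does not show. The sample block is an abridged copy of the page's output; the findings, thresholds and function names are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample, an abridged copy of the page's `show vpdn tunnel l2tp all` display.
SAMPLE_TUNNEL = """\
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 30597 is up, remote id is 45078, 1 active sessions
Tunnel state is established, time since change 00:08:27
Tunnel transport is UDP (17)
Remote tunnel name is LAC1
Internet Address 172.18.184.230, port 1701
Local tunnel name is LNS1
Internet Address 172.18.184.231, port 1701
VPDN group for tunnel is 1
L2TP class for tunnel is
4 packets sent, 3 received
Local RWS 1024 (default), Remote RWS 256
In Use Remote RWS 15
Control channel Congestion Control is enabled
Congestion Window size, Cwnd 3
Slow Start threshold, Ssthresh 256
Mode of operation is Slow Start
Retransmission time 1, max 2 seconds
Total resends 0, ZLB ACKs sent 2
Sessions disconnected due to lack of resources 0
Control message authentication is disabled
"""

# A tunnel block begins with its "Tunnel id ..." line; following lines belong to it.
_TUNNEL_START = re.compile(
    r"^Tunnel id (?P<local>\d+) is (?P<state>\w+), remote id is (?P<remote>\d+), "
    r"(?P<sessions>\d+) active session"
)
_ADDR = re.compile(r"^Internet Address (?P<ip>\S+), port (?P<port>\d+)")
_RWS = re.compile(r"^Local RWS (?P<local>\d+).*Remote RWS (?P<remote>\d+)")
# Single-value fields, keyed by the name used in the parsed record.
_FIELDS = {
    "congestion_control": re.compile(r"^Control channel Congestion Control is (\w+)"),
    "cwnd": re.compile(r"^Congestion Window size, Cwnd (\d+)"),
    "ssthresh": re.compile(r"^Slow Start threshold, Ssthresh (\d+)"),
    "mode": re.compile(r"^Mode of operation is (.+)$"),
    "resends": re.compile(r"^Total resends (\d+),"),
    "resource_disconnects": re.compile(r"^Sessions disconnected due to lack of resources (\d+)"),
    "control_auth": re.compile(r"^Control message authentication is (\w+)"),
}


def parse_tunnels(output: str) -> List[Dict[str, object]]:
    """Split the display into one record per tunnel carrying the fields above."""
    tunnels: List[Dict[str, object]] = []
    cur: Dict[str, object] = {}
    side = ""  # peer the next "Internet Address" line describes: "remote" or "local"
    for raw in output.splitlines():
        line = raw.strip()
        m = _TUNNEL_START.match(line)
        if m:
            cur = {"local_id": int(m["local"]), "remote_id": int(m["remote"]),
                   "state": m["state"], "sessions": int(m["sessions"])}
            tunnels.append(cur)
            side = ""
            continue
        if not cur:
            continue  # banner lines before the first tunnel block
        if line.startswith("Remote tunnel name is"):
            cur["remote_name"], side = line.split()[-1], "remote"
        elif line.startswith("Local tunnel name is"):
            cur["local_name"], side = line.split()[-1], "local"
        elif (m := _ADDR.match(line)) and side:
            cur[side + "_addr"], cur[side + "_port"] = m["ip"], int(m["port"])
        elif m := _RWS.match(line):
            cur["local_rws"], cur["remote_rws"] = int(m["local"]), int(m["remote"])
        else:
            for key, rx in _FIELDS.items():
                m = rx.match(line)
                if m:
                    value = m.group(1)
                    cur[key] = int(value) if value.isdigit() else value
                    break
    return tunnels


def audit(tunnel: Dict[str, object]) -> List[str]:
    """Findings for one tunnel; the resend threshold is an assumed local policy."""
    findings: List[str] = []
    if tunnel.get("control_auth") != "enabled":
        findings.append("control message authentication is disabled: control-channel "
                        "messages from the peer are not authenticated; enable it on both ends")
    if int(str(tunnel.get("resource_disconnects", 0))) > 0:
        findings.append("sessions were dropped for lack of resources: review session limits")
    if int(str(tunnel.get("resends", 0))) > 10:
        findings.append("high control-message resend count: lossy or congested control path")
    return findings


if __name__ == "__main__":
    for t in parse_tunnels(SAMPLE_TUNNEL):
        print(f"tunnel {t['local_id']} ({t.get('remote_name')}):", audit(t) or ["no findings"])
```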
Related Commands
show vtemplate
To display information about all configured virtual templates, use the show vtemplate command in privileged EXEC mode.
show vtemplate
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Examples
The following is sample output from the show vtemplate command:
Router# show vtemplate
Virtual access subinterface creation is globally enabled
Active Active Subint Pre-clone Pre-clone Interface
Interface Subinterface Capable Available Limit Type
--------- ------------ ------- --------- --------- ---------
Vt1 0 0 Yes -- -- Serial
Vt2 0 0 Yes -- -- Serial
Vt4 0 0 Yes -- -- Serial
Vt21 0 0 No -- -- Tunnel
Vt22 0 0 Yes -- -- Ether
Vt23 0 0 Yes -- -- Serial
Vt24 0 0 Yes -- -- Serial
Usage Summary
Interface Subinterface
--------- ------------
Current Serial in use 1 0
Current Serial free 0 3
Current Ether in use 0 0
Current Ether free 0 0
Current Tunnel in use 0 0
Current Tunnel free 0 0
Total 1 3
Cumulative created 8 4
Cumulative freed 0 4
Base virtual access interfaces: 1
Total create or clone requests: 0
Current request queue size: 0
Current free pending: 0
Maximum request duration: 0 msec
Average request duration: 0 msec
Last request duration: 0 msec
Maximum processing duration: 0 msec
Average processing duration: 0 msec
Last processing duration: 0 msec
Table 29 describes the significant fields shown in the example.
Related Commands
show vtemplate redundancy
To display the virtual template redundancy counters in redundant systems that support broadband remote access server (BRAS) High Availability (HA), that are operating in Stateful Switchover (SSO) mode, use the show vtemplate redundancy command in privileged EXEC mode.
show vtemplate redundancy
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release | Modification
---|---
12.2(32)SR | This command was introduced.
Usage Guidelines
Use the show vtemplate redundancy command to ensure the virtual templates information is successfully synchronizing from the Active to the Standby RP.
Use the clear vtemplate redundancy counters command on either the Active or Standby route processor (RP), to clear all counters.
Examples
The following is sample output from the show vtemplate redundancy command on the Active RP:
Router# show vtemplate redundancy
Global state : Active - Dynamic Sync
ISSU state : Compatible
Vaccess dynamic sync send : 0
Vaccess dynamic sync send failed : 0
Vaccess bulk sync send : 24
Vaccess bulk sync send failed : 0
Vaccess sync rcvd on standby : 24
Vaccess recreate error on standby : 0
The following is sample output from the show vtemplate redundancy command on the Standby RP:
Router-stdby# show vtemplate redundancy
Global state : Active - Collecting
ISSU state : Compatible
Vaccess dynamic sync send : 0
Vaccess dynamic sync send failed : 0
Vaccess bulk sync send : 0
Vaccess bulk sync send failed : 0
Vaccess sync rcvd on standby : 24
Vaccess recreate error on standby : 0
On the Standby RP, the first four counters do not increment. The value for Vaccess sync rcvd on the Standby RP should match the sum of the Vaccess bulk sync send and Vaccess dynamic sync send on the Active RP. Any synchronization errors between the Active and Standby RPs will increment the "failed" or "error" counters.
Table 30 describes significant fields shown in this output.
Table 30 show vtemplate redundancy Field Descriptions
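The consistency rule just described can be checked mechanically. As an added example (not Cisco's code), the Python below parses the Active and Standby `show vtemplate redundancy` displays shown above and reports any mismatch between the Standby's received count and the Active's bulk plus dynamic send counts, any non-zero "failed" or "error" counter on either RP, and any Standby send counter that has incremented. The sample displays are copied from the page; the function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed samples, copied from the page's Active and Standby RP displays.
ACTIVE_OUTPUT = """\
Global state : Active - Dynamic Sync
ISSU state : Compatible
Vaccess dynamic sync send : 0
Vaccess dynamic sync send failed : 0
Vaccess bulk sync send : 24
Vaccess bulk sync send failed : 0
Vaccess sync rcvd on standby : 24
Vaccess recreate error on standby : 0
"""
STANDBY_OUTPUT = """\
Global state : Active - Collecting
ISSU state : Compatible
Vaccess dynamic sync send : 0
Vaccess dynamic sync send failed : 0
Vaccess bulk sync send : 0
Vaccess bulk sync send failed : 0
Vaccess sync rcvd on standby : 24
Vaccess recreate error on standby : 0
"""

# Every line is "name : value"; numeric values become ints so they can be summed.
_LINE_RE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

# The two Active-side counters whose sum the Standby's received count must match.
SEND_COUNTERS = ("Vaccess bulk sync send", "Vaccess dynamic sync send")


def parse_vtemplate_redundancy(output: str) -> Dict[str, object]:
    """Map each field name in the display to its value (ints where numeric)."""
    fields: Dict[str, object] = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        value = m["value"]
        fields[m["name"]] = int(value) if value.isdigit() else value
    return fields


def check_sync(active: Dict[str, object], standby: Dict[str, object]) -> List[str]:
    """Return a list of inconsistencies; an empty list means the two RPs agree."""
    problems: List[str] = []
    sent = sum(int(str(active[name])) for name in SEND_COUNTERS)
    rcvd = int(str(standby["Vaccess sync rcvd on standby"]))
    if rcvd != sent:
        problems.append(f"standby received {rcvd} vaccess syncs but active sent {sent}")
    # The page notes that the Standby's send counters do not increment.
    for name in SEND_COUNTERS:
        if int(str(standby[name])) != 0:
            problems.append(f"standby shows a non-zero send counter: {name} = {standby[name]}")
    # Any sync failure or recreate error on either RP needs investigation.
    for rp, fields in (("active", active), ("standby", standby)):
        for name, value in fields.items():
            if isinstance(value, int) and value and ("failed" in name or "error" in name):
                problems.append(f"{rp}: {name} = {value}")
    return problems


if __name__ == "__main__":
    active = parse_vtemplate_redundancy(ACTIVE_OUTPUT)
    standby = parse_vtemplate_redundancy(STANDBY_OUTPUT)
    print(check_sync(active, standby) or ["virtual template sync is consistent"])
```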
Related Commands
Command | Description
---|---
clear vtemplate redundancy counters | Clears synchronization counters between the Active and Standby RPs.
snmp-server enable traps vpdn dead-cache
To enable the sending of a Simple Network Management Protocol (SNMP) message notification when an L2TP Network Server (LNS) enters or exits a dead-cache (DOWN) state, use the snmp-server enable traps vpdn dead-cache command in global configuration mode. To disable the SNMP notifications, use the no form of this command.
snmp-server enable traps vpdn dead-cache
no snmp-server enable traps vpdn dead-cache
Syntax Description
This command has no arguments or keywords.
Command Default
SNMP notification is disabled.
Command Modes
Global configuration
Command History
Release | Modification
---|---
12.2(31)ZV | This command was introduced.
Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables SNMP trap events.
This command controls (enables or disables) the SNMP message notification that is sent when an LNS enters or exits the dead-cache state. SNMP notifications are status messages generated by the routing device during operation. These messages are typically logged to a destination such as the terminal screen, a system buffer, or a remote host.
You can use the show vpdn dead-cache command to view an LNS entry in the dead-cache state.
You can use the clear vpdn dead-cache command to clear an LNS entry in the dead-cache state.
Examples
The following example enables the router to send an SNMP message when an LNS enters or exits a dead-cache state:
Router(config)# snmp-server enable traps vpdn dead-cache
Related Commands
Command | Description
---|---
clear vpdn dead-cache | Clears an LNS entry in a dead-cache state.
show vpdn dead-cache | Displays LNS entries in a dead-cache state.
source-ip
To specify an IP address that is different from the physical IP address used to open a virtual private dialup network (VPDN) tunnel for the tunnels associated with a VPDN group, use the source-ip command in VPDN group configuration mode. To remove the alternate IP address, use the no form of this command.
source-ip ip-address
no source-ip
Syntax Description
ip-address | Alternate IP address.
Command Default
No alternate IP address is specified.
Command Modes
VPDN group configuration
Command History
Release | Modification
---|---
12.0(5)T | This command was introduced.
Usage Guidelines
Use the source-ip command in VPDN group configuration mode to configure an alternate IP address to be used for only those tunnels associated with that VPDN group. Each VPDN group on a router can be configured with a unique source-ip command.
Use the vpdn source-ip command to specify a single alternate IP address to be used for all tunnels on the device. A single source IP address can be configured globally per device.
The VPDN group-level configuration will override the global configuration.
Examples
The following example configures a network access server (NAS) to accept Layer 2 Tunnel Protocol (L2TP) dial-out calls using the alternate IP address 172.23.33.7, which is different from the physical IP address used to open the L2TP tunnel:
vpdn-group 3
accept-dialout
protocol l2tp
dialer 2
terminate-from hostname router21
source-ip 172.23.33.7
Related Commands
source vpdn-template
To associate a virtual private dialup network (VPDN) group with a VPDN template, use the source vpdn-template command in VPDN group configuration mode. To disassociate a VPDN group from a VPDN template, use the no form of this command.
source vpdn-template [name]
no source vpdn-template [name]
Syntax Description
name | (Optional) The name of the VPDN template to be associated with the VPDN group.
Command Default
Global VPDN template settings are applied to individual VPDN groups if a global VPDN template has been defined. If no global VPDN template has been defined, system default settings are applied to individual VPDN groups.
Command Modes
VPDN group configuration
Command History
Usage Guidelines
Use the source vpdn-template command to associate a VPDN group with a VPDN template. By default, VPDN groups are associated with the global VPDN template if one is defined. A VPDN group can be associated with only one VPDN template. Associating a VPDN group with a named VPDN template automatically disassociates it from the global VPDN template.
The hierarchy for the application of VPDN parameters to a VPDN group is as follows:
•VPDN parameters configured for the individual VPDN group are always applied to that VPDN group.
•VPDN parameters configured in the associated VPDN template are applied for any settings not specified in the individual VPDN group configuration.
•System default settings for VPDN parameters are applied for any settings not configured in the individual VPDN group or the associated VPDN template.
Disassociating a VPDN group from the global VPDN template using the no source vpdn-template command results in the following hierarchy for the application of VPDN parameters to that VPDN group:
•VPDN parameters configured for the individual VPDN group are always applied to that VPDN group.
•System default settings for VPDN parameters are applied for any settings not configured in the individual VPDN group.
If you disassociate a VPDN group from a named VPDN template, the VPDN group will be associated with the global VPDN template if one is defined.
Examples
The following example configures the VPDN group named group1 to ignore the global VPDN template settings and use the system default settings for all unspecified VPDN parameters:
Router(config)# vpdn-group group1
Router(config-vpdn)# no source vpdn-template
The following example creates a VPDN template named l2tp, enters VPDN template configuration mode, configures two VPDN parameters in the VPDN template, and associates the VPDN group named l2tptunnels with the VPDN template:
Router(config)# vpdn-template l2tp
Router(config-vpdn-templ)# l2tp tunnel busy timeout 65
Router(config-vpdn-templ)# l2tp tunnel password 7 tunnel4me
!
Router(config)# vpdn-group l2tptunnels
Router(config-vpdn)# source vpdn-template l2tp
The following example disassociates the VPDN group named l2tptunnels from the VPDN template named l2tp. The VPDN group will be associated with the global VPDN template if one has been defined.
Router(config)# vpdn-group l2tptunnels
Router(config-vpdn)# no source vpdn-template l2tp
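The precedence rules in the Usage Guidelines, and the difference between no source vpdn-template with and without a template name, can be made concrete with a small resolver. This is an added illustration, not Cisco code: the parameter names, values and system defaults are constructed placeholders; only the group > template > system-default ordering and the association rules come from the text above.

```python
"""Model of how VPDN parameters are resolved for a VPDN group (added illustration, not Cisco code).

Parameter names and values below are constructed placeholders; real system defaults differ
per parameter and platform. Only the precedence rules come from the command reference.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

Params = Dict[str, str]

# Constructed placeholder defaults (not real Cisco IOS defaults).
SYSTEM_DEFAULTS: Params = {
    "busy-timeout": "default-timeout",
    "tunnel-password": "none",
    "hello": "default-hello",
}


@dataclass
class VpdnGroup:
    name: str
    params: Params = field(default_factory=dict)
    # "global" = implicit association with the global template (the default),
    # None = after `no source vpdn-template` (no template at all),
    # any other string = the named template given to `source vpdn-template name`.
    source_template: Optional[str] = "global"

    def source_vpdn_template(self, template: str) -> None:
        # Associating with a named template drops the implicit global association.
        self.source_template = template

    def no_source_vpdn_template(self, template: Optional[str] = None) -> None:
        # Without a name: disassociate from the global template entirely.
        # With a name: leave the named template and fall back to the global template, if defined.
        self.source_template = "global" if template else None


def resolve(group: VpdnGroup, templates: Dict[str, Params], global_template: Optional[Params]) -> Params:
    """Apply group > template > system-default precedence and return the effective parameters."""
    effective = dict(SYSTEM_DEFAULTS)
    if group.source_template == "global":
        template = global_template  # None when no global template has been defined
    elif group.source_template is None:
        template = None
    else:
        template = templates[group.source_template]
    if template:
        effective.update(template)  # template fills anything the group leaves unset
    effective.update(group.params)  # group-level settings always win
    return effective


def demo() -> Dict[str, Params]:
    """Walks the page's examples with constructed values; returns the effective parameters after each step."""
    templates = {"l2tp": {"busy-timeout": "65", "tunnel-password": "tunnel4me"}}
    global_template = {"hello": "global-hello", "busy-timeout": "30"}
    group = VpdnGroup("l2tptunnels", params={"hello": "group-hello"})
    out: Dict[str, Params] = {}
    out["default"] = resolve(group, templates, global_template)        # global template applies
    group.source_vpdn_template("l2tp")
    out["named"] = resolve(group, templates, global_template)          # l2tp template replaces global
    group.no_source_vpdn_template("l2tp")
    out["back-to-global"] = resolve(group, templates, global_template) # named removed, global returns
    group.no_source_vpdn_template()
    out["defaults-only"] = resolve(group, templates, global_template)  # only group + system defaults
    return out
```

The group-level value for hello survives every step, which is the first bullet of each hierarchy above; the busy-timeout value is what moves as the association changes.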
Related Commands
Command | Description
---|---
vpdn-group | Creates a VPDN group and enters VPDN group configuration mode.
vpdn-template | Creates a VPDN template and enters VPDN template configuration mode.
sso enable
To enable the Layer 2 Tunneling Protocol (L2TP) high-availability (HA) operability on virtual private dial-in network (VPDN) groups, use the sso enable command in VPDN group mode. To disable L2TP HA operability, use the no form of this command.
sso enable
no sso enable
Syntax Description
This command has no arguments or keywords.
Command Default
SSO is enabled.
Command Modes
VPDN group (config-vpdn)
Command History
Release | Modification
---|---
Cisco IOS XE Release 2.2 | This command was introduced.
Usage Guidelines
This command is enabled by default and is hidden from the output of the show running-config command.
Use the no sso enable command to disable L2TP HA for any VPDN group. If you disable L2TP HA using the no l2tp sso enable command, L2TP HA functionality will also be disabled for all VPDN groups.
Use the debug l2tp redundancy and debug vpdn redundancy commands in privileged EXEC mode to display a list of L2TP HA checkpointed events and errors.
Use the show l2tp redundancy command in privileged EXEC mode to display L2TP checkpointed status information.
Examples
The following example shows how to disable L2TP HA functionality for the VPDN group named example:
Router# configure terminal
Router(config)# vpdn enable
Router(config)# vpdn-group example
Router(config-vpdn)# no sso enable
Related Commands
substitute (control policy-map class)
To match the contents of an identifier type received by the policy manager (held in temporary memory) against a specified matching-pattern and perform the substitution defined in a rewrite-pattern, use the substitute command in configuration-control-policymap-class configuration mode. To disable the substitution of regular expressions, use the no form of this command.
action-number substitute variable matching-pattern rewrite-pattern
no action-number substitute variable matching-pattern rewrite-pattern
Syntax Description
Command Default
The control policy will not initiate substitution.
Command Modes
Configuration-control-policymap-class configuration
Command History
Release | Modification
---|---
12.2(31)SB2 | This command was introduced.
Usage Guidelines
The substitute command allows you to match the contents of a variable using a matching-pattern value and perform the substitution defined in a rewrite-pattern. This command is rejected if the variable value is not present in a preceding set action in the same control-policy class map, or if the matching-pattern value violates any regular expression syntax rules.
Examples
The following example shows a policy map that uses the substitute action (action 3) to rewrite the collected username:
policy-map type control REPLACE_WITH_example.com
class type control always event session-start
1 collect identifier unauthenticated-username
2 set NEWNAME identifier unauthenticated-username
3 substitute NEWNAME "(.*@).*" "\1example.com"
4 authenticate variable NEWNAME aaa list EXAMPLE
5 service-policy type service name example
policy-map type service example
service vpdn group 1
bba-group pppoe global
virtual-template 1
!
interface Virtual-Template1
service-policy type control REPLACE_WITH_example.com
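The effect of the substitute action on the collected username, and the two rejection conditions from the Usage Guidelines, can be reproduced with a small model of one control class. This is an added illustration, not Cisco code: the run_class function, the PolicyError type and the sample usernames are constructed, and the assumption that the pattern is applied once per substitute action is mine.

```python
"""Toy model of the ISG control-class actions shown above (added illustration, not Cisco code).

It applies the page's own pattern "(.*@).*" / "\1example.com" and reproduces the two cases in
which the substitute command is rejected: no preceding set of the variable, and an invalid regex.
"""
import re
from typing import Dict, List, Tuple

Action = Tuple[str, ...]


class PolicyError(ValueError):
    """Raised when an action would be rejected at configuration time."""


def run_class(actions: List[Action], identifiers: Dict[str, str]) -> Dict[str, str]:
    """Execute the collect/set/substitute actions of one control class in order.

    actions: tuples such as ("set", "NEWNAME", "unauthenticated-username") or
             ("substitute", "NEWNAME", matching_pattern, rewrite_pattern).
    identifiers: identifier values received by the policy manager (constructed input).
    Returns the variables held in temporary memory after the class has run.
    """
    variables: Dict[str, str] = {}
    for action in actions:
        kind = action[0]
        if kind == "collect":
            continue  # identifiers are already present in this model
        if kind == "set":
            _, var, ident = action
            variables[var] = identifiers[ident]
        elif kind == "substitute":
            _, var, matching, rewrite = action
            if var not in variables:
                raise PolicyError(f"substitute {var}: variable not set by a preceding set action")
            try:
                compiled = re.compile(matching)
            except re.error as exc:
                raise PolicyError(f"substitute {var}: invalid regular expression {matching!r}: {exc}") from exc
            # Cisco's "\1" back-reference has the same meaning as Python's; applied once (assumption).
            variables[var] = compiled.sub(rewrite, variables[var], count=1)
        else:
            raise PolicyError(f"unsupported action {kind!r}")
    return variables


# The actions of the class in the example above.
PAGE_ACTIONS: List[Action] = [
    ("collect", "unauthenticated-username"),
    ("set", "NEWNAME", "unauthenticated-username"),
    ("substitute", "NEWNAME", r"(.*@).*", r"\1example.com"),
]


def rewritten_username(unauthenticated_username: str) -> str:
    """Value of NEWNAME that action 4 would then pass to AAA list EXAMPLE."""
    result = run_class(PAGE_ACTIONS, {"unauthenticated-username": unauthenticated_username})
    return result["NEWNAME"]


def is_rejected(actions: List[Action]) -> bool:
    """True if the class would be rejected at configuration time in this model."""
    try:
        run_class(actions, {"unauthenticated-username": "user@old.example"})
    except PolicyError:
        return True
    return False
```

A username without an @ does not match the pattern and is passed through unchanged, so the class only rewrites the domain part of names that carry one.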
Related Commands
tacacs-server domain-stripping
To configure a network access server (NAS) to strip suffixes, or to strip both suffixes and prefixes from the username before forwarding the username to the remote TACACS+ server, use the tacacs-server domain-stripping command in global configuration mode. To disable a stripping configuration, use the no form of this command.
tacacs-server domain-stripping [[right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] | strip-suffix suffix] [vrf vrf-name]
no tacacs-server domain-stripping [[right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] | strip-suffix suffix] [vrf vrf-name]
Syntax Description
Command Default
Stripping is disabled. The full username is sent to the TACACS+ server.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the tacacs-server domain-stripping command to configure the NAS to strip the domain from a username before forwarding the username to the TACACS+ server. If the full username is user1@cisco.com, enabling the tacacs-server domain-stripping command results in the username "user1" being forwarded to the TACACS+ server.
Use the right-to-left keyword to specify that the username should be parsed for a delimiter from right to left, rather than from left to right. This allows strings with two instances of a delimiter to strip the username at either delimiter. For example, if the username is user@cisco.com@cisco.net, the suffix could be stripped in two ways. The default direction (left to right) would result in the username "user" being forwarded to the TACACS+ server. Configuring the right-to-left keyword would result in the username "user@cisco.com" being forwarded to the TACACS+ server.
Use the prefix-delimiter keyword to enable prefix stripping and to specify the character or characters that will be recognized as a prefix delimiter. The first configured character that is parsed will be used as the prefix delimiter, and any characters before that delimiter will be stripped.
Use the delimiter keyword to specify the character or characters that will be recognized as a suffix delimiter. The first configured character that is parsed will be used as the suffix delimiter, and any characters after that delimiter will be stripped.
Use strip-suffix suffix to specify a particular suffix to strip from usernames. For example, configuring the tacacs-server domain-stripping strip-suffix cisco.net command would result in the username user@cisco.net being stripped, while the username user@cisco.com will not be stripped. You may configure multiple suffixes for stripping by issuing multiple instances of the tacacs-server domain-stripping command. The default suffix delimiter is the @ character.
Note Issuing the tacacs-server domain-stripping strip-suffix suffix command disables the capacity to strip suffixes from all domains. Both the suffix delimiter and the suffix must match for the suffix to be stripped from the full username. The default suffix delimiter of @ will be used if you do not specify a different suffix delimiter or set of suffix delimiters using the delimiter keyword.
Note Issuing the no tacacs-server host command reconfigures the TACACS server host information. You can view the contents of the current running configuration file using the show running-config command.
To apply a domain-stripping configuration only to a specified VRF, use the vrf vrf-name option.
The interactions between the different types of domain stripping configurations are as follows:
•You may configure only one instance of the tacacs-server domain-stripping [right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] command.
•You may configure multiple instances of the tacacs-server domain-stripping [right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] [vrf vrf-name] command with unique values for vrf vrf-name.
•You may configure multiple instances of the tacacs-server domain-stripping strip-suffix suffix [vrf vrf-name] command to specify multiple suffixes to be stripped as part of a global or per-VRF ruleset.
•Issuing any version of the tacacs-server domain-stripping command automatically enables suffix stripping using the default delimiter character @ for that ruleset, unless a different delimiter or set of delimiters is specified.
•Configuring a per-suffix stripping rule disables generic suffix stripping for that ruleset. Only suffixes that match the configured suffix or suffixes will be stripped from usernames.
Examples
The following example shows how to configure the router to parse the username from right to left and set the valid suffix delimiter characters as @, \, and $. If the full username is cisco/user@cisco.com$cisco.net, the username "cisco/user@cisco.com" will be forwarded to the TACACS+ server because the $ character is the first valid delimiter encountered by the NAS when parsing the username from right to left.
tacacs-server domain-stripping right-to-left delimiter @\$
The following example shows how to configure the router to strip the domain name from usernames only for users associated with the VRF instance named abc. The default suffix delimiter @ will be used for generic suffix stripping.
tacacs-server domain-stripping vrf abc
The following example shows how to enable prefix stripping using the character / as the prefix delimiter. The default suffix delimiter character @ will be used for generic suffix stripping. If the full username is cisco/user@cisco.com, the username "user" will be forwarded to the TACACS+ server.
tacacs-server domain-stripping prefix-delimiter /
The following example shows how to enable prefix stripping, specify the character / as the prefix delimiter, and specify the character # as the suffix delimiter. If the full username is cisco/user@cisco.com#cisco.net, the username "user@cisco.com" will be forwarded to the TACACS+ server.
tacacs-server domain-stripping prefix-delimiter / delimiter #
The following example shows how to enable prefix stripping, configure the character / as the prefix delimiter, configure the characters $, @, and # as suffix delimiters, and configure per-suffix stripping of the suffix cisco.com. If the full username is cisco/user@cisco.com, the username "user" will be forwarded to the TACACS+ server. If the full username is cisco/user@cisco.com#cisco.com, the username "user@cisco.com" will be forwarded.
tacacs-server domain-stripping prefix-delimiter / delimiter $@#
tacacs-server domain-stripping strip-suffix cisco.com
The following example shows how to configure the router to parse the username from right to left and enable suffix stripping for usernames with the suffix cisco.com. If the full username is cisco/user@cisco.net@cisco.com, the username "cisco/user@cisco.net" will be forwarded to the TACACS+ server. If the full username is cisco/user@cisco.com@cisco.net, the full username will be forwarded.
tacacs-server domain-stripping right-to-left
tacacs-server domain-stripping strip-suffix cisco.com
The following example shows how to configure a set of global stripping rules that will strip the suffix cisco.com using the delimiter @, and a different set of stripping rules for usernames associated with the VRF named myvrf:
tacacs-server domain-stripping strip-suffix cisco.com
!
tacacs-server domain-stripping prefix-delimiter # vrf myvrf
tacacs-server domain-stripping strip-suffix cisco.net vrf myvrf
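The stripping rules in the Usage Guidelines and the examples above are precise enough to replay in a small model, which is useful when checking what name a AAA server will actually see for a given ruleset. This is an added illustration, not Cisco code: the StripRules and DomainStripping names are constructed, the per-VRF fallback to the global ruleset and the left-to-right scan for prefix delimiters are assumptions (the page shows right-to-left only for suffix delimiters), and the username in the myvrf case is constructed.

```python
"""Model of the tacacs-server domain-stripping username rewrite rules described above.

Added illustration, not Cisco code. Assumptions: a VRF without its own ruleset falls back to
the global ruleset, and prefix delimiters are always scanned left to right.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class StripRules:
    """One ruleset (global, or one per VRF); fields mirror the command's keywords."""
    right_to_left: bool = False
    prefix_delimiters: str = ""       # prefix-delimiter characters; empty means no prefix stripping
    suffix_delimiters: str = "@"      # delimiter characters; the default delimiter is @
    strip_suffixes: Set[str] = field(default_factory=set)  # strip-suffix values; empty = generic stripping

    def apply(self, username: str) -> str:
        name = username
        # Prefix stripping: drop everything up to and including the first prefix delimiter.
        if self.prefix_delimiters:
            for i, ch in enumerate(name):
                if ch in self.prefix_delimiters:
                    name = name[i + 1:]
                    break
        # Candidate suffix delimiter positions, in the configured parsing direction.
        positions = [i for i, ch in enumerate(name) if ch in self.suffix_delimiters]
        if self.right_to_left:
            positions.reverse()
        if not positions:
            return name
        if self.strip_suffixes:
            # Per-suffix stripping: the delimiter AND the text after it must match a configured suffix.
            for pos in positions:
                if name[pos + 1:] in self.strip_suffixes:
                    return name[:pos]
            return name  # no configured suffix matched: forward the name unchanged
        # Generic stripping: cut at the first delimiter met in the parsing direction.
        return name[:positions[0]]


@dataclass
class DomainStripping:
    """Global ruleset plus optional per-VRF rulesets (vrf vrf-name)."""
    global_rules: Optional[StripRules] = None
    vrf_rules: Dict[str, StripRules] = field(default_factory=dict)

    def forwarded_username(self, username: str, vrf: Optional[str] = None) -> str:
        rules = self.vrf_rules.get(vrf) if vrf else None
        if rules is None:
            rules = self.global_rules  # assumption: fall back to the global ruleset
        return rules.apply(username) if rules else username


def page_examples() -> Dict[str, str]:
    """Replays the configuration examples above and returns the forwarded usernames."""
    ex1 = DomainStripping(StripRules(right_to_left=True, suffix_delimiters="@\\$"))
    ex2 = DomainStripping(None, {"abc": StripRules()})
    ex3 = DomainStripping(StripRules(prefix_delimiters="/"))
    ex4 = DomainStripping(StripRules(prefix_delimiters="/", suffix_delimiters="#"))
    ex5 = DomainStripping(StripRules(prefix_delimiters="/", suffix_delimiters="$@#",
                                     strip_suffixes={"cisco.com"}))
    ex6 = DomainStripping(StripRules(right_to_left=True, strip_suffixes={"cisco.com"}))
    ex7 = DomainStripping(StripRules(strip_suffixes={"cisco.com"}),
                          {"myvrf": StripRules(prefix_delimiters="#", strip_suffixes={"cisco.net"})})
    return {
        "basic": StripRules().apply("user1@cisco.com"),
        "ex1": ex1.forwarded_username("cisco/user@cisco.com$cisco.net"),
        "ex2-abc": ex2.forwarded_username("user1@cisco.com", vrf="abc"),
        "ex2-other": ex2.forwarded_username("user1@cisco.com", vrf="other"),
        "ex3": ex3.forwarded_username("cisco/user@cisco.com"),
        "ex4": ex4.forwarded_username("cisco/user@cisco.com#cisco.net"),
        "ex5a": ex5.forwarded_username("cisco/user@cisco.com"),
        "ex5b": ex5.forwarded_username("cisco/user@cisco.com#cisco.com"),
        "ex6a": ex6.forwarded_username("cisco/user@cisco.net@cisco.com"),
        "ex6b": ex6.forwarded_username("cisco/user@cisco.com@cisco.net"),
        "ex7-global": ex7.forwarded_username("user@cisco.com"),
        "ex7-global-net": ex7.forwarded_username("user@cisco.net"),
        "ex7-myvrf": ex7.forwarded_username("corp#user@cisco.net", vrf="myvrf"),  # constructed name
    }
```

The per-suffix branch walks every delimiter position rather than stopping at the first one, which is what makes cisco/user@cisco.com#cisco.com come out as user@cisco.com in the fifth example while cisco/user@cisco.com@cisco.net is forwarded whole in the sixth.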
Related Commands
terminate-from
To specify the hostname of the remote L2TP access concentrator (LAC) or L2TP network server (LNS) that will be required when accepting a virtual private dialup network (VPDN) tunnel, use the terminate-from command in VPDN group configuration mode. To remove the hostname from the VPDN group, use the no form of this command.
terminate-from hostname host-name
no terminate-from [hostname host-name]
Syntax Description
hostname host-name | Hostname from which this VPDN group will accept connections.
Defaults
Disabled
Command Modes
VPDN group configuration
Command History
Release | Modification
---|---
12.0(5)T | This command was introduced.
Usage Guidelines
Before you can use this command, you must have already enabled one of the two accept VPDN subgroups by using either the accept-dialin or accept-dialout command.
Each VPDN group can only terminate from a single hostname. If you enter a second terminate-from command on a VPDN group, it will replace the first terminate-from command.
Examples
The following example configures a VPDN group to accept L2TP tunnels for dial-out calls from the LNS cerise by using dialer 2 as its dialing resource:
vpdn-group 1
accept-dialout
protocol l2tp
dialer 2
terminate-from hostname cerise