VRF-Aware VPDN Tunnels
Last Updated: April, 2007
The VRF-Aware VPDN Tunnels feature provides support for VPDN tunnels that terminate on a VPN routing and forwarding (VRF) instance by allowing you to use a VRF address from a VRF routing table as the destination address. Previously, you had to specify a global IP address for the destination address for a virtual private dial-up network (VPDN) tunnel.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for VRF-Aware VPDN Tunnels" section.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•Prerequisites for VRF-Aware VPDN Tunnels
•Restrictions for VRF-Aware VPDN Tunnels
•Information About VRF-Aware VPDN Tunnels
•How to Configure VRF-Aware VPDN Tunnels
•Configuration Examples for VRF-AWARE VPDN Tunnels
•Feature Information for VRF-Aware VPDN Tunnels
•Obtaining Documentation, Obtaining Support, and Security Guidelines
Prerequisites for VRF-Aware VPDN Tunnels
Cisco 7000 Series Router Prerequisite
Because VRF instances use Cisco Express Forwarding (CEF), you must configure CEF before configuring the VRF-Aware VPDN Tunnels feature.
Note CEF is on by default on the Cisco 10000 series router and it cannot be turned off. If you attempt to enable CEF, an error message appears.
Restrictions for VRF-Aware VPDN Tunnels
Cisco 7000 Series Router Restriction
•The VRF-Aware VPDN Tunnels feature can only be used with Layer 2 Tunnel Protocol (L2TP).
Cisco 10000 Series Router Restrictions
•The VRF-Aware VPDN Tunnels feature can only be used with Layer 2 Tunnel Protocol (L2TP) on the L2TP access concentrator (LAC), because the Cisco 10000 series router can only initiate tunnels in a VRF instance; it cannot terminate tunnels that arrive in a VRF instance. The feature therefore does not apply when the Cisco 10000 series router acts as the L2TP network server (LNS).
•For multihop configuration in Cisco IOS Release 12.3(7)XI7 and later releases, the ingress tunnel also needs to arrive in the global routing table, but the tunnel can be switched out into a VRF instance towards the final LNS destination.
Information About VRF-Aware VPDN Tunnels
To configure the VRF-Aware VPDN Tunnels feature, you need to understand the following concepts:
•How VRF-Aware VPDN Tunnels Work
•PPP Sessions That Are Forwarded over the VPDN Tunnel
•Benefits of Using the VRF-Aware VPDN Tunnels Feature
Note The Cisco 10000 series router supports the VRF-Aware VPDN Tunnels with the Layer 2 Tunnel Protocol (L2TP) on the L2TP access concentrator (LAC). As the LAC, the router supports the termination of tunnels in a virtual private network (VPN) routing and forwarding (VRF) instance. The Cisco 10000 series router supports the VRF-Aware VPDN Tunnels feature on the PRE2 and PRE3.
How VRF-Aware VPDN Tunnels Work
Before Cisco IOS Release 12.2(15)T, you had to specify a global IP address from the global routing table for the destination and source addresses of a VPDN tunnel. The VRF-Aware VPDN Tunnels feature enhances the support of VPDN tunnels by allowing VPDN tunnels to start outside the Multiprotocol Label Switching (MPLS) VPN and terminate within the MPLS VPN. For example, this feature allows you to use a VRF address from a customer VRF instance as the destination address.
You can use the VRF-Aware VPDN Tunnels feature for dial-in and dial-out. In addition to configuring this feature on the multihop node, you can configure this feature on the L2TP access concentrator (LAC).
Note You can configure VRF-aware VPDN tunnels only on the LAC and the multihop node. The Cisco 10000 series router requires tunnels to arrive in the global routing table, not in a VRF instance. However, tunnels may start (using the LAC) or re-originate (using multihop) in a VRF instance.
The VRF-Aware VPDN Tunnels feature is sometimes referred to as VRF-Aware VPDN Multihop. Unlike a LAC/LNS deployment where the LAC initiates a tunnel that is terminated by an LNS, multihop allows an intermediate node to switch a tunnel. This means that the tunnel is terminated and forwarded to its final LNS destination. The VRF awareness of the feature allows the tunnel to be switched out into a VRF instance. Therefore, the final destination LNS is found in a VRF instance, instead of the global routing table. For example, wholesale providers can switch the tunnel received from the first-level Internet service provider (ISP) to their customers and the LNS is found using an MPLS cloud of the wholesale provider's ISP.
Note Because the Cisco 10000 series router is a PXF-based platform, all tunnel switching is done without route processor (RP) involvement. However, tunnel establishment is done by the RP.
PPP Sessions That Are Forwarded over the VPDN Tunnel
When the VRF-Aware VPDN Tunnels feature has been configured on an LNS that has VPN knowledge and acts as a PE, the PPP sessions forwarded over the VPDN tunnel to the LNS do not necessarily need to belong to the VPN routing table to which the VPDN tunnel belongs. The PPP peer at the other end that negotiates IP is eventually placed in a particular routing table, depending on the VRF instance specified by the ip vrf forwarding command received during authentication. If no VRF command is received during the authorization and authentication of the forwarded PPP session, the host route for the PPP session is inserted into the global routing table.
Note If the Cisco 10000 series router is acting as the LNS (which is terminating the tunnel that arrives in a VRF instance), the VRF-Aware VPDN Tunnels feature cannot be applied because the Cisco 10000 series router requires tunnels to arrive in the global routing table. The router supports VRF-aware VPDN tunnels only on the LAC.
For more information on remote access to MPLS VPN and how to insert your PPP session in a certain VPN, refer to the "Overview of Dial Access to MPLS VPN Integration" chapter of the Cisco Remote Access to MPLS VPN Integration 2.0 Overview and Provisioning Guide, at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/rampls2/ovprov/ra_op_02.htm
Benefits of Using the VRF-Aware VPDN Tunnels Feature
The ability to use VRF addresses for destination and source addresses matches current network design. For instance, Internet service providers (ISPs) support VRF and have one VRF routing table per customer. The VRF-Aware VPDN Tunnels feature allows for the creation of VPDN tunnels that use the customer VRF address as the tunnel endpoint.
How to Configure VRF-Aware VPDN Tunnels
You can configure VRF-aware VPDN tunnels either in a local VPDN group or by updating the RADIUS server profile definitions for VPDN tunnel attributes. This section contains the following tasks:
•Configuring VRF-Aware VPDN Tunnels Locally
•Verifying VRF-Aware VPDN Tunnels
Configuring VRF-Aware VPDN Tunnels Locally
To configure VRF-Aware VPDN Tunnels locally, perform these steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. vpdn-group name
4. request-dialin
5. protocol [l2f | l2tp | pptp]
6. domain domain-name
7. exit
8. vpn {vrf vrf-name | id vpn-id}
9. source-ip ip-address
10. initiate-to ip ip-address [limit limit-number] [priority priority-number]
11. exit
Note For Cisco IOS Release 12.2(31)SB5 and later releases, when configuring VRF-aware VPDN tunnels on the Cisco 10000 series router, different tunnels can have overlapping IP addresses across VRF instances.
DETAILED STEPS
Troubleshooting Tips
For information on troubleshooting, refer to the Layer 2 Tunnel Protocol Technology Brief document at the following URL:
http://www.cisco.com/warp/public/cc/pd/iosw/tech/l2pro_tc.htm
Configuring VRF-Aware VPDN Tunnels by Updating the RADIUS Server Profile Definitions for the VPDN Tunnel Attributes
You can configure the VRF-Aware VPDN Tunnels feature by updating the VPDN tunnel attributes within the RADIUS server profile.
Note For the Cisco 10000 series router, remotely configured VPDN groups can be used when you are configuring the LAC and not the LNS. When you terminate sessions, you can retrieve a VPDN group configuration from the RADIUS server.
You can specify the VPDN group either by its VPN ID or by the name of the associated VRF as follows:
cisco-avpair "vpdn:vpn-id=<vpn-id>"
cisco-avpair "vpdn:vpn-vrf=<vrf-name>"
For an example of an updated RADIUS record, see the "AAA RADIUS: Examples" section.
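The following Python script is an added example, not part of the Cisco document, that reads RADIUS users-file entries of the kind shown in the "AAA RADIUS: Examples" section and audits the vpdn: tunnel attributes against this document's rules: the tunnel type must be l2tp, and the VRF is selected by exactly one of vpdn:vpn-vrf or vpdn:vpn-id. The first profile is the document's own "vpn-first" record; the second ("east.com") is constructed with deliberate mistakes so the audit has something to report. The hex OUI:index format check for the VPN ID and the trailing-comma rule for reply items are assumptions about the RADIUS users-file format, not statements from this document.

```python
"""Audit VPDN tunnel attributes in a RADIUS users file for VRF-aware tunnels.

Added example, not from the Cisco document. Rules applied:
  - vpdn:tunnel-type must be l2tp (this feature is L2TP only)
  - exactly one of vpdn:vpn-vrf / vpdn:vpn-id selects the VRF
  - vpdn:ip-addresses and vpdn:source-ip must be present
  - every reply item except the last must end with a comma (assumption about
    the users-file format; a missing comma silently ends the reply list)
  - vpn-id must look like hex OUI:index (assumption based on RFC 2685)
"""
import re

# Constructed sample: the document's "VRF name" profile, copied as-is.
USERS_VRF_NAME = '''\
west.com Password = "west"
        Service-Type = Outbound-User,
        cisco-avpair = "vpdn:tunnel-id=LAC",
        cisco-avpair = "vpdn:tunnel-type=l2tp",
        cisco-avpair = "vpdn:ip-addresses=10.0.0.1",
        cisco-avpair = "vpdn:source-ip=10.0.0.9",
        cisco-avpair = "vpdn:vpn-vrf=vpn-first",
        cisco-avpair = "vpdn:l2tp-tunnel-password=labtunnel"
'''

# Constructed sample with mistakes: PPTP tunnel type, both VRF selectors,
# a missing comma after the vpn-vrf item, and no source-ip.
USERS_BAD = '''\
east.com Password = "east"
        Service-Type = Outbound-User,
        cisco-avpair = "vpdn:tunnel-id=LAC",
        cisco-avpair = "vpdn:tunnel-type=pptp",
        cisco-avpair = "vpdn:ip-addresses=10.0.0.1",
        cisco-avpair = "vpdn:vpn-id=A1:3F6C",
        cisco-avpair = "vpdn:vpn-vrf=vpn-first"
        cisco-avpair = "vpdn:l2tp-tunnel-password=labtunnel"
'''

VPDN_AVPAIR = re.compile(r'cisco-avpair\s*=\s*"vpdn:([\w-]+)=([^"]*)"')
VPN_ID = re.compile(r'^[0-9A-Fa-f]{1,6}:[0-9A-Fa-f]{1,8}$')


def parse_users(text):
    """Return {user: {"lines": [reply items], "vpdn": {key: value}}}.

    An entry starts at an unindented line (user name plus check items);
    the indented lines that follow are its reply items.
    """
    entries = {}
    name = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            name = raw.split()[0]
            entries[name] = {"lines": [], "vpdn": {}}
            continue
        if name is None:
            raise ValueError("reply item before any entry: " + raw.strip())
        entries[name]["lines"].append(raw.strip())
        for key, value in VPDN_AVPAIR.findall(raw):
            entries[name]["vpdn"][key] = value
    return entries


def audit_entry(name, entry):
    """Return a list of human-readable findings for one users-file entry."""
    findings = []
    lines, vpdn = entry["lines"], entry["vpdn"]
    for ln in lines[:-1]:
        if not ln.endswith(","):
            findings.append(f"{name}: reply item without trailing comma: {ln}")
    if vpdn.get("tunnel-type", "").lower() != "l2tp":
        findings.append(f"{name}: VRF-aware VPDN tunnels require tunnel-type=l2tp")
    selectors = [k for k in ("vpn-vrf", "vpn-id") if k in vpdn]
    if len(selectors) != 1:
        findings.append(f"{name}: expected exactly one of vpn-vrf/vpn-id, found {selectors}")
    if "vpn-id" in vpdn and not VPN_ID.match(vpdn["vpn-id"]):
        findings.append(f"{name}: vpn-id {vpdn['vpn-id']!r} is not hex OUI:index")
    for key in ("ip-addresses", "source-ip"):
        if key not in vpdn:
            findings.append(f"{name}: missing vpdn:{key}")
    return findings


def audit_users(text):
    """Audit every entry in a users file and return all findings."""
    findings = []
    for name, entry in parse_users(text).items():
        findings.extend(audit_entry(name, entry))
    return findings


if __name__ == "__main__":
    for label, text in (("document profile", USERS_VRF_NAME), ("bad profile", USERS_BAD)):
        print(label, "->", audit_users(text) or "clean")
```

Run against the document's own profile the audit is clean; against the constructed "east.com" profile it reports the four mistakes listed in the sample's comment, which is the kind of check worth running before a profile change is pushed to a production RADIUS server.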
Verifying VRF-Aware VPDN Tunnels
To verify the configuration of the VRF-Aware VPDN Tunnels feature, use the following commands:
SUMMARY STEPS
1. enable
2. show ip route vrf vrf-name
3. show vpdn session
4. show vpdn tunnel
DETAILED STEPS
Configuration Examples for VRF-AWARE VPDN Tunnels
This section provides the following configuration examples to show how the VRF-Aware VPDN Tunnels feature might be configured:
•Locally Configuring and Verifying VRF-Aware VPDN Tunnels: Example
Locally Configuring and Verifying VRF-Aware VPDN Tunnels: Example
The following two sets of platform-specific examples show the VRF-Aware VPDN Tunnels feature configured on a multihop PE router that connects a LAC to a remote customer edge (CE) router and LNS.
Cisco 7000 Series Router Examples
LAC Configuration
interface loopback 0
 ip address 172.1.45.6 255.255.255.255
!
vpdn enable
vpdn group V1.40
 request-dialin
  protocol l2tp
  domain V1.40.com
 initiate-to ip 10.10.104.9
 local name lac-V1.40
 source-ip 172.1.45.6
 l2tp tunnel password west
Multihop PE Configuration
ip vrf V1.40.com
 vpn id 22:4444
interface loopback 0
 ip address 10.10.104.22 255.255.255.255
interface loopback 40
 ip vrf forwarding V1.40.com
 ip address 172.1.40.241 255.255.255.255
!
vpdn enable
vpdn multihop
vpdn group V1.40
 accept-dialin
  protocol l2tp
  virtual-template 4
 terminate-from hostname lac-V1.40
 source-ip 10.10.104.9
 l2tp tunnel password west
vpdn group V1.40_2
 request-dialin
  protocol l2tp
  domain V1.40.com
 vpn vrf V1.40.com
 initiate-to ip 172.1.45.6
 source-ip 172.1.40.241
 local name multihop-V1.40
 l2tp tunnel password test
Remote CE or LNS Configuration
interface loopback 0
 ip address 172.1.45.6 255.255.255.255
vpdn enable
vpdn group V1.40_2
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname multihop-V1.40
 source-ip 172.1.45.6
 local name remote-LNS-V1.40
 l2tp tunnel password test
When the show vpdn tunnel command is entered, the output shows the tunnel information as follows:
Router# show vpdn tunnel
l2tp Tunnel Information Totals tunnels 2 sessions
LocID  RemID  Remote Name       State  Remote Address  Port  Sessions  VPDN Group
9390   3222   lac-V1.40         est    10.10.104.10    1701  1         V1.40
53273  52035  remote-LNS-V1.40  est    172.1.45.6      1701  1         V1.40_2
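The following Python script is an added example, not part of the Cisco document, that parses the show vpdn tunnel output above into records and reports tunnels that are not in the est state, that belong to a VPDN group other than the one expected for that peer, or that are missing altogether. The sample output is the document's own; the mapping of peer name to expected VPDN group (EXPECTED_GROUPS) is an assumption made for this example, as is the column layout the regular expression relies on.

```python
"""Parse 'show vpdn tunnel' output and check tunnel state and VPDN group.

Added example, not from the Cisco document. The sample output is the
document's own; EXPECTED_GROUPS is an assumed operator policy.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two-tunnel output shown in the document.
SAMPLE_OUTPUT = """\
Router# show vpdn tunnel
l2tp Tunnel Information Totals tunnels 2 sessions
LocID  RemID  Remote Name       State  Remote Address  Port  Sessions  VPDN Group
9390   3222   lac-V1.40         est    10.10.104.10    1701  1         V1.40
53273  52035  remote-LNS-V1.40  est    172.1.45.6      1701  1         V1.40_2
"""

# Assumed policy: which VPDN group each known peer must land in. The
# multihop node expects the upstream LAC in the global-table group and
# the downstream LNS in the VRF-aware group.
EXPECTED_GROUPS = {
    "lac-V1.40": "V1.40",
    "remote-LNS-V1.40": "V1.40_2",
}


@dataclass
class Tunnel:
    loc_id: int
    rem_id: int
    remote_name: str
    state: str
    remote_address: str
    port: int
    sessions: int
    vpdn_group: str


# One tunnel row: two numeric IDs, peer name, state, IPv4 address, port,
# session count, VPDN group. Banner and header lines do not match.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(\d+)\s+(\d+)\s+(\S+)\s*$"
)


def parse_tunnels(output: str) -> list[Tunnel]:
    """Return one Tunnel per data row in the show output."""
    tunnels = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            tunnels.append(Tunnel(int(m[1]), int(m[2]), m[3], m[4], m[5],
                                  int(m[6]), int(m[7]), m[8]))
    return tunnels


def check_tunnels(output: str, expected: dict[str, str]) -> list[str]:
    """Return findings: wrong state, wrong group, unknown peer, missing peer."""
    findings = []
    seen = set()
    for t in parse_tunnels(output):
        seen.add(t.remote_name)
        if t.state != "est":
            findings.append(f"{t.remote_name}: state {t.state}, not established")
        want = expected.get(t.remote_name)
        if want is None:
            findings.append(f"{t.remote_name}: unexpected peer at "
                            f"{t.remote_address} (group {t.vpdn_group})")
        elif want != t.vpdn_group:
            findings.append(f"{t.remote_name}: in group {t.vpdn_group}, expected {want}")
    for name in expected:
        if name not in seen:
            findings.append(f"{name}: no tunnel present")
    return findings


if __name__ == "__main__":
    for t in parse_tunnels(SAMPLE_OUTPUT):
        print(t)
    print(check_tunnels(SAMPLE_OUTPUT, EXPECTED_GROUPS) or "all tunnels as expected")
```

Feeding the script the output captured from the multihop PE after a configuration change gives a quick way to confirm that the VRF-aware group (V1.40_2) carries the tunnel to the LNS address found in the customer VRF and that no unexpected peer has established a tunnel.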
AAA RADIUS: Examples
The following examples show the VRF-Aware VPDN Tunnels feature being configured for a service provider network. The AAA RADIUS server has a user profile that defines VPDN tunnel attributes. By either defining the VRF name or the VPN ID, you can specify that the source and destination IP addresses belong to the VPN.
RADIUS Users File with VRF Name Defined
For the following example, the VRF name "vpn-first" has been defined to specify the source and destination IP addresses that belong to the VPN.
west.com Password = "west"
        Service-Type = Outbound-User,
        cisco-avpair = "vpdn:tunnel-id=LAC",
        cisco-avpair = "vpdn:tunnel-type=l2tp",
        cisco-avpair = "vpdn:ip-addresses=10.0.0.1",
        cisco-avpair = "vpdn:source-ip=10.0.0.9",
        cisco-avpair = "vpdn:vpn-vrf=vpn-first",
        cisco-avpair = "vpdn:l2tp-tunnel-password=labtunnel"
RADIUS Users File with VRF ID Defined
For the following example, the VPN ID "A1:3F6C" has been defined to specify the source and destination IP addresses that belong to the VPN.
west.com Password = "west"
        Service-Type = Outbound-User,
        cisco-avpair = "vpdn:tunnel-id=LAC",
        cisco-avpair = "vpdn:tunnel-type=l2tp",
        cisco-avpair = "vpdn:ip-addresses=10.0.0.1",
        cisco-avpair = "vpdn:source-ip=10.0.0.9",
        cisco-avpair = "vpdn:vpn-id=A1:3F6C",
        cisco-avpair = "vpdn:l2tp-tunnel-password=labtunnel"
Additional References
The following sections provide references related to the VRF-Aware VPDN Tunnels feature.
Related Documents
Standards
MIBs
MIB: None
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents the following new command:
•vpn
vpn
To specify that the source and destination IPv4 addresses of a given virtual private dialup network (VPDN) group belong to a specified Virtual Private Network (VPN) routing and forwarding (VRF) instance, use the vpn command in VPDN group or VPDN template configuration mode. To disassociate all IPv4 addresses in a VPDN group from a VRF, use the no form of this command.
vpn {vrf vrf-name | id vpn-id}
no vpn
Syntax Description
vrf vrf-name
Name of the VRF instance to be associated with the IPv4 addresses of the VPDN group.
id vpn-id
VPN ID of the VRF to be associated with the IPv4 addresses of the VPDN group.
Command Default
VPDN groups are not associated with a VRF.
Command Modes
VPDN group configuration
VPDN template configuration
Command History
Usage Guidelines
Use the vpn command to configure the Cisco IOS software to look up a VPDN source or destination IPv4 address in a specific VPN routing table instead of the global routing table.
Before you can issue the vpn command, a VRF instance must be created using the ip vrf command.
The vpn command can be used with both dial-in and dial-out VPDN scenarios.
Examples
The following example associates the IP addresses configured in the VPDN group named group1 with the VRF named vrf-second:
vpdn-group group1
 request-dialin
  protocol l2tp
 !
 vpn vrf vrf-second
 source-ip 172.16.1.9
 initiate-to ip 172.16.1.1
The following example associates the IP addresses configured in the VPDN group named group2 with the VPN ID 11:2222:
vpdn-group group2
 request-dialin
  protocol l2tp
 !
 vpn id 11:2222
 source-ip 172.16.1.9
 initiate-to ip 172.16.1.1
Related Commands
Feature Information for VRF-Aware VPDN Tunnels
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Copyright © 2007 Cisco Systems, Inc. All rights reserved.