Configuring L2F

Misconfiguration is the most common cause of L2F tunnel failure. Although L2F configuration is not a primary goal of this chapter, this section discusses basic L2F configuration.

The next two sections step through the configurations for the NAS and the Home Gateway.

Configuring the L2F NAS

The configuration for the NAS discussed here assumes a typical hardware configuration including either E1 or T1 ISDN Primary Rate Interfaces (PRIs), together with asynchronous digital (MICA) modems.

Configuration of the NAS involves nine basic steps, as summarized in the list that follows:

Step 1.
Configure the E1/T1 controllers.

Step 2.
Configure global ISDN parameters.

Step 3.
Configure the D channels.

Step 4.
Configure parameters for asynchronous lines.

Step 5.
Configure group asynchronous interfaces.

Step 6.
Configure remote AAA (optional).

Step 7.
Configure the tunnel secrets.

Step 8.
Globally enable VPDNs.

Step 9.
Configure the VPDN groups.

It is worth pointing out that many possible permutations exist; however, this section concentrates on only the most common configuration.

The sections that follow discuss each step of the configuration in detail.

Step 1: Configure the E1/T1 Controllers

The first step is to configure either the E1 or T1 controllers. Configuration of the E1 or T1 controllers involves specifying the framing, line code, clock source, and timeslots.

Example 2-1 shows a sample configuration of an E1 controller.

Example 2-1. Specifying the Framing, Line Code, Clock Source, and Timeslots for an E1 Controller
controller E1 0/0
 pri-group timeslots 1-31

Note that in this example, the framing is CRC4 (framing crc4), the linecode is HDB3 (linecode hdb3), and the clock source is line (clock source line). These are the defaults and so do not appear in the configuration.

Ensure that the E1/T1 framing, linecode, and clock source are configured per your service provider's recommendations.

Step 2: Configure Global ISDN Parameters

The next step is to configure global ISDN parameters. In Example 2-2, only the global ISDN switch-type is specified.

Example 2-2. Configuring the Global ISDN Switch-type
isdn switch-type primary-net5

Example 2-2 specifies the Primary-net5 ISDN switch-type. This is an ISDN switch-type used in Europe, Australia, New Zealand, and Asia. Make sure that the ISDN switch type is specified per your provider's specifications.

Step 3: Configure the D Channels

Next, you should configure the ISDN D channels to receive asynchronous modem calls. To do this, the configuration in Example 2-3 is required.

Example 2-3. Configuring ISDN Channels to Receive Asynchronous Modem Calls
interface Serial0/0:15
 no ip address
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no cdp enable

In Example 2-3, no IP address is applied to the physical (D channel) interface. This is because, in this example, no ISDN calls are being terminated on the NAS.

The ISDN primary-net5 switch type is configured next. Note that this is not strictly necessary, as it has already been configured globally.

The isdn incoming-voice modem command is essential: it routes any incoming voice (asynchronous modem) calls to the internal digital MICA modems.

Step 4: Configure Parameters for Asynchronous Lines

Once the configuration of the E1/T1 controllers and the D channel configuration is completed, it is time to configure the modems and their corresponding asynchronous lines.

Example 2-4 shows the configuration of the asynchronous lines.

Example 2-4. Configuring the Modem and Corresponding Asynchronous Lines
line 33 38
 modem InOut
 modem autoconfigure type mica
 autoselect ppp

The command line 33 38 allows you to configure a group of asynchronous lines together in the same way. In Example 2-4, there are six internal digital modems on asynchronous lines 33 to 38. Use the show line command to confirm line numbering.

The first command in the line configuration is the modem InOut command. This allows the modems to both receive and initiate calls. The modem autoconfigure type mica command allows the NAS to automatically configure the modems on lines 33 to 38. Finally, the autoselect ppp command allows PPP to be autodetected on the lines and PPP framing to be applied.

This line configuration is applied to all six lines without having to configure the lines individually.

Step 5: Configure Group Asynchronous Interfaces

The corresponding logical configuration is now applied to the asynchronous interfaces. It is again possible to apply this configuration individually or to a group of interfaces together. A group configuration is usually used because it saves time and ensures that all interfaces are consistently configured.

Example 2-5 shows the configuration for the asynchronous interfaces.

Example 2-5. Configuring Asynchronous Interfaces
interface Group-Async1
 no ip address
 encapsulation ppp
 async mode interactive
 no peer default ip address
 no cdp enable
 ppp authentication chap
 group-range 33 38

The first command in the configuration is no ip address. It is configured on the group-async interface because no PPP connections from remote access clients are being terminated locally on the NAS in this example.

The command encapsulation ppp configures the interface to use a PPP frame type.

The next command, async mode interactive, allows remote users to start interactive mode on the lines. To prevent users from starting an interactive shell, use the async mode dedicated command.

The no peer default ip address command configures the NAS not to supply the remote access client with an IP address (it is instead supplied by the PPP connection endpoint, the Home Gateway).

Next, ppp authentication chap configures CHAP authentication. Finally, the group-range 33 38 command causes the Group-Async1 interface configuration to be applied to lines 33 to 38.

Note that the ppp authentication chap command allows the NAS to partially authenticate remote access clients. It allows the NAS to challenge the client and to use its response to match to the appropriate L2F tunnel. The CHAP response from the client is forwarded to the Home Gateway via an L2F_OPEN message (see the earlier section entitled “L2F Tunnel Establishment” for more details).

Step 6: Configure Remote AAA (Optional)

Remote AAA can be enabled next. RADIUS and Terminal Access Controller Access Control System + (TACACS+) are the two options. Because remote access client PPP connections are terminated on the Home Gateway, remote AAA is necessary on the NAS only if you are configuring per-user VPDN, if you have tunnel definitions (tunnel configuration) stored on a AAA server, or if you are also terminating some remote access client connections locally rather than tunneling them to the Home Gateway via L2F.

Although a detailed discussion of tunnel definitions stored on a AAA server is beyond the scope of this chapter, more information can be found in the case study entitled “Misconfigured L2F Tunnel Definition on the AAA Server” toward the end of the chapter.

In this particular environment, RADIUS is the more popular AAA server type.

Example 2-6 shows a simple remote AAA configuration.

Example 2-6. Sample Remote AAA Configuration
aaa new-model
aaa authentication login default group radius local
aaa authentication ppp default local group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
radius-server host 172.16.1.5 auth-port 1645 acct-port 1646 key cisco

The aaa new-model command globally enables AAA.

Authentication at login is then set with the default method list (aaa authentication login default group radius local). The default method list specifies that the first method used for authentication should be radius, with the local database being used in the event that the RADIUS server cannot be contacted. Note that the aaa authentication login command is not necessary for L2F, but it is shown here as part of a complete AAA configuration.

Authentication for PPP is then enabled with the default method list (aaa authentication ppp default local group radius). This method list specifies that PPP should authenticate first against a local database, and then against a RADIUS server.

AAA authorization for network connections is then enabled (aaa authorization network default group radius). Again, authorization is controlled by the RADIUS server.

The command radius-server host ip_address auth-port 1645 acct-port 1646 key key configures the RADIUS server IP address and the shared key that is used to encrypt user passwords when they are sent between the NAS and the RADIUS server. The authentication/authorization and accounting ports are left at their defaults of UDP 1645 and 1646, respectively.

Note that these defaults work with the Cisco Access Control Server (Cisco ACS) and other early implementations of RADIUS. The official ports for authentication/authorization and accounting are, however, 1812 and 1813, respectively.

Finally, the command aaa accounting network default start-stop group radius enables start-stop accounting for network connections, with accounting messages being saved to the RADIUS server. Again, configuration of accounting is not mandatory on the L2F NAS, but it is shown for completeness.

Step 7: Configure the Tunnel Secrets

The passwords used by the NAS and the Home Gateway to authenticate each other are now configured. These can again be configured locally or on the AAA server.

To configure the tunnel secrets locally, use the following commands:

username nas_name password password
username home_gateway_name password password

Step 8: Globally Enable VPDNs

The next stage of the configuration is to globally enable Virtual Private Dialup Networks (VPDNs), of which L2F is one type. This is achieved via the following command:

vpdn enable

Step 9: Configure the VPDN Groups

Finally, the VPDN groups need to be configured (that is, if their configurations are not stored on the AAA server as tunnel definitions). To enable the VPDN groups, use the sample configuration in Example 2-7.

Example 2-7. Enabling VPDN Groups on the NAS
vpdn search-order domain
vpdn-group 1
 request-dialin
  protocol l2f
  domain mjlnet.com
 initiate-to ip 172.16.2.2

The configuration of the VPDN groups is relatively easy. One VPDN group should be configured for each tunnel.

In Example 2-7, vpdn-group 1 is configured. The group name, in this case 1, must be unique among all VPDN groups configured on this NAS.

The second command, request-dialin, configures the NAS to initiate tunnels to the Home Gateway. This triggers the L2F_CONF or L2F_OPEN message when a tunnel or session initiation event takes place (that is, when a client associated with this tunnel connects to the NAS).

The protocol l2f command is specified next, followed by the domain name associated with the tunnel. In this case, the domain is mjlnet.com. This means that if a user connects with the username user@mjlnet.com, mjlnet.com is matched to the VPDN group and causes a new tunnel (and session) to be established to the Home Gateway if it is the first PPP connection. Otherwise, it causes a new session within the existing tunnel to be initiated.

Note that if you want to associate users to tunnels based on the DNIS, use the dnis dnis_number command in place of the domain domain_name command.

The initiate-to ip command is self-explanatory; it indicates the IP address of the Home Gateway to which this tunnel should be initiated.

There is one other command in Example 2-7. The vpdn search-order domain command is optional, and it configures the NAS to match the remote access client's call to an L2F tunnel based upon the domain name. The default search order is DNIS first and, if that fails, the domain name.

A sample configuration for the NAS is shown in Example 2-8.

Example 2-8. Sample Configuration for the L2F NAS
LODI_NAS1#show running-config
Building configuration...
Current configuration : 1755 bytes

version 12.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname LODI_NAS1
!
logging buffered 16384 debugging
no logging console
enable secret 5 $1$yD1w$LfNsZG33BvIIDWkg5ZhBq/
!
username mark password 7 030752180500

! Configure the L2F tunnel secrets
username PERRIS_HGW1 password 7 14141B180F0B
username LODI_NAS1 password 7 121A0C041104
!
clock timezone GMT 0
no ip source-route
ip subnet-zero
no ip domain-lookup
!
no ip bootp server
! Enable VPDNs (including L2F)
vpdn enable
! Match the user's domain for user to tunnel assignment
vpdn search-order domain
!
! Configure the VPDN group for domain mjlnet.com to 172.16.2.2 (the Home Gateway)
vpdn-group 1
 request-dialin
  protocol l2f
  domain mjlnet.com
 initiate-to ip 172.16.2.2
!
! Configure the PRI switch type
isdn switch-type primary-net5
!
! Configure the E1 controller
controller E1 0/0
 pri-group timeslots 1-31
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 duplex auto
 speed auto
 no cdp enable
!
! Configure the D channel
interface Serial0/0:15
 no ip address
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no cdp enable
!
! Configure the group asynchronous interface
interface Group-Async1
 no ip address
 encapsulation ppp
 async mode interactive
 no peer default ip address
 no cdp enable
 ppp authentication chap
 group-range 33 38
!
! Static route for IP reachability to the Home Gateway (PERRIS_HGW1, 172.16.2.2)
ip route 172.16.2.0 255.255.255.0 172.16.1.2
!
ip classless
ip http server
!
logging trap debugging
no cdp run
!
line con 0
 password 7 070C285F4D06
 login
! Configure parameters for asynchronous lines
line 33 38
 modem InOut
 modem autoconfigure type mica
 autoselect ppp
line aux 0
line vty 0 4
 password 7 030752180500
 login
!
end

Note that a static route is used in Example 2-8 for IP reachability to the Home Gateway.

Configuring the L2F Home Gateway

Compared to that for the NAS, the configuration of the Home Gateway is pretty simple. Basic configuration of the L2F Home Gateway consists of the following six steps:

Step 1.
Configure either local authentication or remote AAA configuration.

Step 2.
Configure the tunnel secret.

Step 3.
Globally enable VPDNs.

Step 4.
Configure VPDN groups.

Step 5.
Configure virtual templates.

Step 6.
Create IP pools and configure DNS/WINS server addresses.

The sections that follow cover each step of the configuration in detail.

Step 1: Configure Either Local Authentication or Remote AAA Configuration

The first step is the configuration of either local authentication or remote AAA on the Home Gateway.

To configure a simple username and password database for remote access clients, use the following command:

username username password password

A more scalable solution is to use remote AAA.

Example 2-9 shows the configuration of remote AAA on the Home Gateway.

Example 2-9. Remote AAA on the Home Gateway
aaa new-model
!
aaa authentication login default group radius local
aaa authentication ppp default local group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
radius-server host 10.10.10.5 auth-port 1645 acct-port 1646 key 7 1511021F0725

The remote AAA configuration is largely the same as that for the NAS. Please refer to the previous section for a complete explanation.

Step 2: Configure the Tunnel Secret

To configure the tunnel secret locally, use the following commands:

username nas_name password password
username home_gateway_name password password

These passwords should be the same as those on the NAS.

Step 3: Globally Enable VPDNs

The next part of the configuration again follows that for the NAS.

To enable VPDNs globally, use the following command:

vpdn enable

Step 4: Configure VPDN Groups

Configuration of the VPDN groups is slightly different than that on the NAS.

Configuration of the VPDN groups on the Home Gateway can be accomplished as follows:

vpdn-group 1
 accept-dialin
  protocol l2f
  virtual-template 1
 terminate-from hostname LODI_NAS1

The VPDN group is enabled using the vpdn-group 1 command. Again, the name of the group must be locally unique.

The accept-dialin command specifies that the Home Gateway accepts L2F tunnels. Next, the virtual-template 1 command specifies that client PPP connections are terminated on virtual access interfaces whose configuration is cloned (copied) from virtual template 1. These virtual access interfaces are dynamically created (one per client) as the remote access clients connect to the Home Gateway. Finally, the terminate-from command specifies the hostname of the NAS from which tunnels are accepted.

Step 5: Configure Virtual Templates

The virtual template specified in the VPDN group must be configured next.

Example 2-10 shows a sample configuration of the virtual template on the Home Gateway.

Example 2-10. Configuring the Virtual Template
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 peer default ip address pool PERRIS_POOL
 ppp authentication chap
 ppp multilink

Most of the configuration in Example 2-10 is fairly self-explanatory.

The virtual template is not configured with a specific IP address but instead borrows the IP address of interface FastEthernet1/0 (ip unnumbered FastEthernet1/0). Note that in this example the Home Gateway has only two physical interfaces (see Example 2-11). If the Home Gateway has more physical interfaces, it is a good idea to borrow the IP address from a loopback interface, because a loopback interface is always in an up state.

The command peer default ip address pool PERRIS_POOL specifies that the remote access client should be assigned an IP address from address pool PERRIS_POOL.

CHAP authentication is then specified, together with multilink PPP using the ppp authentication chap and ppp multilink commands. Note that the ppp multilink command is optional.

It is also possible to store user-specific interface configuration on a AAA server (this configuration is downloaded to the Home Gateway as remote access clients connect). Configuration of user-specific interface configuration on a AAA server is beyond the scope of this book, but for more information refer to the document entitled “Configuring Virtual Profiles” on www.cisco.com.

Note that two other commands that you may want to configure are mtu (on the virtual template interface) and lcp renegotiation (under the VPDN group). Together, these allow the Home Gateway to negotiate the PPP Maximum Receive Unit (MRU) with the remote access client. This can be important to prevent fragmentation of large packets when they are sent over the L2F tunnel, because reassembly of the resulting fragments can cause high processor overhead on the Home Gateway.

NOTE

For more information on the configuration of MTU tuning, see the article entitled “MTU Tuning for L2TP” on the Cisco Web site (www.cisco.com). Although this article focuses on L2TP, all of the principles discussed are equally applicable to L2F.

An alternative (or complementary) solution to fragmentation issues in an L2F environment is to reduce the MTU size on the remote access client. See the following articles for more information on this subject:

  • Microsoft Knowledge Base articles 159211 and 314825, available at the Microsoft Web site (www.microsoft.com)

  • “Adjusting IP MTU, TCP MSS, and PMTUD on Windows and Sun Systems,” available at the Cisco Web site (www.cisco.com)


Cloning of virtual access interfaces on the Home Gateway can also cause high CPU overhead. The virtual-template template_number pre-clone number command can be used to preclone virtual access interfaces and substantially reduce processor overhead during remote access client connection setup.

Step 6: Create IP Pools and Configure DNS/WINS Server Addresses

The final step is to configure the IP address pool on the Home Gateway. At the same time, any DNS and WINS (NetBIOS Name Service) server addresses can be configured.

The IP address pool called PERRIS_POOL, together with DNS and WINS server addresses, are configured as follows:

ip local pool PERRIS_POOL 10.10.10.50 10.10.10.59
async-bootp dns-server 10.10.10.99
async-bootp nbns-server 10.10.10.100

The pool has ten addresses in it, with the first address being 10.10.10.50 and the last address being 10.10.10.59.

When a remote client connects to the Home Gateway, an IP address is assigned to the client from PERRIS_POOL. At the same time, the DNS and WINS server addresses are provided to the client.

Example 2-11 shows a sample configuration for the Home Gateway.

Example 2-11. Sample Configuration for the L2F Home Gateway
Building configuration...
Current configuration : 1714 bytes
!
version 12.1

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname PERRIS_HGW1
!
logging buffered 16384 debugging
no logging console
enable secret 5 $1$jZXl$awSeGWo.H88fjh46OjAoj1
!
username mark password 7 121A0C041104
! Configure the L2F tunnel secrets, as well as the remote access client usernames and passwords
username [email protected] password 7 110A1016141D
username LODI_NAS1 password 7 030752180500
username PERRIS_HGW1 password 7 121A0C041104
username [email protected] password 7 13061E010803
!

ip subnet-zero
no ip source-route
!

no ip finger
no ip domain-lookup
!
no ip bootp server
! Enable VPDNs (including L2F)
vpdn enable
!
! Configure the VPDN group for LODI_NAS1
vpdn-group 1
 accept-dialin
  protocol l2f
  virtual-template 1
 terminate-from hostname LODI_NAS1
!

! Configure the DNS and WINS server addresses
async-bootp dns-server 10.10.10.99
async-bootp nbns-server 10.10.10.100
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet1/0
 ip address 172.16.2.2 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable

!

! Configure the virtual template
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 no ip directed-broadcast
 peer default ip address pool PERRIS_POOL
 ppp authentication chap
 ppp multilink
!
! Static route for IP reachability to the NAS (LODI_NAS1)
ip route 172.16.1.0 255.255.255.0 172.16.2.1
!
ip local pool PERRIS_POOL 10.10.10.50 10.10.10.59
ip classless
ip http server
!
logging trap debugging
no cdp run
!
!
line con 0
 password 7 060506324F41
 login
 transport input none
line aux 0
line vty 0 4
 password 7 01100F175804
 login
!
end

You will notice in Example 2-11 that a static route is again configured for IP connectivity to the NAS.

To avoid simple misconfiguration errors, you should always incrementally configure and test your NAS and Home Gateway. This means that the dial configuration of the NAS should be completed first, then tested. Then the VPDN groups should be configured with local authentication and tested. And finally, the NAS/Home Gateway should be configured to use a remote AAA server, if required.
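Because several settings on the NAS must agree with settings on the Home Gateway (the tunnel secrets from NAS Step 7 and Home Gateway Step 2, vpdn enable on both sides, the initiate-to address of the NAS VPDN group against the Home Gateway's interface addresses, the terminate-from hostname of the Home Gateway VPDN group against the NAS hostname, and the virtual template and address pool from Home Gateway Steps 5 and 6), a small cross-checking script is a useful companion to the incremental configure-and-test approach just described. The following Python is an added example, not code from the book or from Cisco: the two embedded configurations are constructed, trimmed versions of Examples 2-8 and 2-11, the parser understands only the flat "top-level command plus indented sub-commands" shape of an IOS running configuration, and the checks encode the pairing rules stated in this section.

```python
import re

# Constructed sample inputs, reduced from the chapter's Examples 2-8 and 2-11.
NAS_CONFIG = """\
hostname LODI_NAS1
username PERRIS_HGW1 password 7 14141B180F0B
username LODI_NAS1 password 7 121A0C041104
vpdn enable
vpdn-group 1
 request-dialin
  protocol l2f
  domain mjlnet.com
 initiate-to ip 172.16.2.2
"""

HGW_CONFIG = """\
hostname PERRIS_HGW1
username LODI_NAS1 password 7 030752180500
username PERRIS_HGW1 password 7 121A0C041104
vpdn enable
vpdn-group 1
 accept-dialin
  protocol l2f
  virtual-template 1
 terminate-from hostname LODI_NAS1
interface FastEthernet1/0
 ip address 172.16.2.2 255.255.255.0
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 peer default ip address pool PERRIS_POOL
ip local pool PERRIS_POOL 10.10.10.50 10.10.10.59
"""


def parse_ios(text):
    """Split an IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and comments
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


class IosConfig:
    def __init__(self, text):
        self.blocks = parse_ios(text)
        self.hostname = next((h.split()[1] for h, _ in self.blocks if h.startswith("hostname ")), None)
        self.usernames = {h.split()[1] for h, _ in self.blocks if h.startswith("username ")}
        self.vpdn_enabled = any(h == "vpdn enable" for h, _ in self.blocks)
        self.vpdn_groups = [(h.split()[1], subs) for h, subs in self.blocks if h.startswith("vpdn-group ")]
        self.interfaces = {h.split()[1]: subs for h, subs in self.blocks if h.startswith("interface ")}
        self.pools = {h.split()[3] for h, _ in self.blocks if h.startswith("ip local pool ")}
        # Addresses configured directly on an interface; ip unnumbered does not count.
        self.addresses = {m.group(1) for subs in self.interfaces.values() for sub in subs
                          for m in [re.match(r"ip address (\S+) \S+$", sub)] if m}


def sub(subs, prefix):
    # Last word of the first sub-command that starts with prefix, or None.
    return next((s.split()[-1] for s in subs if s.startswith(prefix)), None)


def check_l2f_pair(nas_text, hgw_text):
    """Return human-readable problems; an empty list means the pair is consistent."""
    nas, hgw = IosConfig(nas_text), IosConfig(hgw_text)
    problems = []
    for label, cfg in (("NAS", nas), ("Home Gateway", hgw)):
        if not cfg.vpdn_enabled:
            problems.append(f"{label}: 'vpdn enable' is missing")
        # Each box needs a username entry for itself and for its peer; Type 7 strings
        # are salted, so only presence is checked here, not the encoded text.
        for peer in (nas.hostname, hgw.hostname):
            if peer not in cfg.usernames:
                problems.append(f"{label}: no tunnel secret (username) for {peer}")
    for name, subs in nas.vpdn_groups:
        if "request-dialin" not in subs or "protocol l2f" not in subs:
            continue  # not an outbound L2F group
        if not any(s.startswith(("domain ", "dnis ")) for s in subs):
            problems.append(f"NAS vpdn-group {name}: no domain or dnis to match callers on")
        target = sub(subs, "initiate-to ip ")
        if target not in hgw.addresses:
            problems.append(f"NAS vpdn-group {name}: initiate-to {target} is not a Home Gateway address")
    for name, subs in hgw.vpdn_groups:
        if "accept-dialin" not in subs or "protocol l2f" not in subs:
            continue  # not an inbound L2F group
        origin = sub(subs, "terminate-from hostname ")
        if origin != nas.hostname:
            problems.append(f"Home Gateway vpdn-group {name}: terminate-from {origin} != NAS hostname {nas.hostname}")
        vt = f"Virtual-Template{sub(subs, 'virtual-template ')}"
        if vt not in hgw.interfaces:
            problems.append(f"Home Gateway vpdn-group {name}: interface {vt} is not configured")
            continue
        pool = sub(hgw.interfaces[vt], "peer default ip address pool ")
        if pool not in hgw.pools:
            problems.append(f"{vt}: address pool {pool} is not defined")
    return problems
```

Run check_l2f_pair on the text of show running-config from each box; an empty list means the two configurations agree on everything the script knows how to compare. The script deliberately checks only that a username entry exists for each hostname: service password-encryption stores the secrets as salted Type 7 strings, so the same plaintext appears differently on the two boxes (as it does in Examples 2-8 and 2-11), and whether the secrets actually match is something to confirm by entering them afresh on both sides rather than by comparing the encoded text.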
