As part of my preparation for the written I wanted to get a better grip on the practical configuration side of L2TP. This is something I dabble with at work on a regular basis, but I never get around to configuring vpdn-groups and the like.
Just a basic topology, no need to try and do anything too fancy; I just want to build L2TP tunnels between the LAC and LNS and have the CPE authenticate while receiving an IP address. A handy way of avoiding the need for a RADIUS server inside the Dynamips environment is to turn on AAA with the local method, which allows the domain/username to be configured locally. Because the method list is applied only to ppp, it does not affect your vty authentication etc.
aaa new-model
aaa authentication ppp default local
The CPE configuration simply needs to use PPP encapsulation and send a username/password. There are many ways to do the CPE depending on the underlying technology, but I doubt we will see DSLAMs in the lab exam anytime soon... maybe if it were a Huawei CCIE lab 😛
CPE
interface Serial1/0
 ip address negotiated
 encapsulation ppp
 no fair-queue
 ppp pap sent-username john@cisco.com password 0 cisco
The LAC and LNS configurations are very similar for the actual L2TP parts. Other than the vpdn-group, we just need to ensure that the LAC will pick up the CPE's attempts by using “pap callin” on the layer two interface facing the imaginary DSLAM/ISDN infrastructure.
LAC
vpdn enable
vpdn search-order domain
vpdn-group PPPCustomers
 request-dialin
  protocol l2tp
  domain cisco.com
 initiate-to ip 10.0.0.0
 l2tp tunnel password 123
interface Serial1/0
 no ip address
 encapsulation ppp
 ppp authentication pap callin
Now that the LNS is receiving and de-encapsulating L2TP packets (after the very similar vpdn-group), we just need to pick up the PPP packets on a virtual-template interface; again “pap callin” is used to do this. There is also a pool to dynamically assign an address to the CPE router, and the peer command actually hands it out in IPCP.
LNS
vpdn enable
vpdn-group PPPCustomers
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC
 l2tp tunnel password 123
username john@cisco.com password 0 cisco
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address pool NetBlock
 ppp authentication pap callin
ip local pool NetBlock 172.0.0.1 172.0.0.253
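As an added example that is not part of the original post, here is a small Python audit that parses LAC and LNS vpdn-group configs like the ones above and flags what most often breaks this setup: a missing or mismatched l2tp tunnel password, and a CPE domain that no LAC vpdn-group selects. The sample configs, the parser and the audit function are all constructed for this example, not taken from IOS.

```python
import re
# Constructed sample configs (hypothetical), trimmed to the vpdn-group lines of the post.
LAC_CFG = """\
vpdn-group PPPCustomers
 request-dialin
  protocol l2tp
  domain cisco.com
 initiate-to ip 10.0.0.0
 l2tp tunnel password 123
"""
LNS_CFG = """\
vpdn-group PPPCustomers
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC
 l2tp tunnel password 123
"""
PW_RE = re.compile(r"l2tp tunnel password (?:[07] )?(\S+)$")  # optional 0/7 encryption type

def parse_vpdn_groups(cfg):
    """Map each vpdn-group name to its indented sub-commands, whitespace stripped."""
    groups, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("vpdn-group "):
            current = line.split(None, 1)[1].strip()
            groups[current] = []
        elif current is not None and line.startswith(" "):
            groups[current].append(line.strip())
        else:
            current = None  # back at global config level
    return groups
def tunnel_password(cmds):
    """Tunnel password configured in a group, or None if none is configured."""
    return next((m.group(1) for m in map(PW_RE.match, cmds) if m), None)
def audit(lac_cfg, lns_cfg, cpe_username):
    """Return findings for a LAC/LNS pair; an empty list means the pair looks consistent."""
    findings, pws = [], {}
    lac, lns = parse_vpdn_groups(lac_cfg), parse_vpdn_groups(lns_cfg)
    for side, groups in (("LAC", lac), ("LNS", lns)):
        pws[side] = {tunnel_password(c) for c in groups.values()} - {None}
        for name, cmds in groups.items():
            if tunnel_password(cmds) is None:
                findings.append(f"{side} vpdn-group {name}: missing 'l2tp tunnel password'")
    if pws["LAC"] and pws["LNS"] and not pws["LAC"] & pws["LNS"]:
        findings.append("LAC/LNS tunnel passwords differ; tunnel authentication will fail")
    domain = cpe_username.rsplit("@", 1)[-1]  # 'vpdn search-order domain' keys on this part
    if not any(f"domain {domain}" in cmds for cmds in lac.values()):
        findings.append(f"LAC: no vpdn-group matches domain {domain}; session is not tunnelled")
    return findings
```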
Some output of the IPCP process is displayed, and below that you can see the session has the loopback of the LNS at one end and the /32 from the pool at the other. Debugging ppp/l2tp is extremely useful in production environments, so I imagine it's good to have a handle on it for the lab as well.
*Mar 1 01:45:56.771: Vi2.1 IPCP: Address 172.0.0.254 (0x0306AC0000FE)
*Mar 1 01:45:57.007: Vi2.1 IPCP: Pool returned 172.0.0.1
*Mar 1 01:45:57.007: Vi2.1 IPCP: Address 172.0.0.1 (0x0306AC000001)
*Mar 1 01:45:57.099: Vi2.1 IPCP: Install route to 172.0.0.1
LNS#show caller user john@cisco.com
User: john@cisco.com, line Vi2.1, service PPPoVPDN
Connected for 00:00:05, Idle for 00:00:04
Timeouts: Limit Remaining Timer Type
– – –
PPP: LCP Open, PAP (<-), IPCP
IP: Local 172.0.0.254, remote 172.0.0.1
Counts: 6 packets input, 82 bytes
7 packets output, 97 bytes
I think it's important to point out that the 7200 image in the lab exam is not capable of any VPDN features. I've used “(C3660-IS-M), Version 12.3(23)” for this lab, which is the authorized image on the Cisco website.
GNS3 .net file (rename to *.rar)
WARNING!! Configurations in the “.rar” file are missing the command “l2tp tunnel password 123” on both the LAC & LNS