Hide Navigation Pane
Show Navigation Pane
Download
SHA1
Mapping a User Domain Name to an L2TP Tunnel Overview
The router uses either the local database related to the domain name or a RADIUS server to determine whether to terminate or tunnel PPP connections.
For information about setting up RADIUS to provide this mapping, see the Configuring Remote Access chapter.
For a given domain map, you can choose one of two methods to map the domain to an L2TP tunnel locally on the router:
- Configure tunnels for a domain map and then define tunnel attributes from Domain Map Tunnel configuration mode.
- Configure a tunnel group and then define the attributes
for its tunnels from Tunnel Group Tunnel Configuration mode. Use this
method only when no tunnels are currently defined for the domain map
from Domain Map Tunnel configuration mode. By default, tunnel groups
are not assigned to the domain map.
After configuring a tunnel group and the attributes for its tunnels, you can assign the tunnel group to the domain map from Domain Map mode. The tunnel group reference in the domain map is used instead of tunnel definitions configured from Domain Map Tunnel configuration mode.
The RADIUS server can reference tunnel groups through the RADIUS Tunnel Group [26-64] attribute. The advantages of RADIUS support for tunnel groups are:
- The RADIUS server can maintain a single tunnel group attribute associated with each user instead of sets of tunnel attributes for each user.
- The RADIUS server can authenticate users before attempting to establish tunnels.
You can configure up to 31 tunnel definitions for an L2TP subscriber using either AAA domain maps or RADIUS returned values. Each tunnel definition contains both fixed-length and variable-length tunnel attributes. All tunnel definitions and their attributes that are stored in AAA are mirrored in a single transaction. When the size of the mirrored storage transaction exceeds 9866 bytes, the router disables stateful SRP switchover (high availability).
The size of the transaction can exceed 9866 bytes when you configure all the variable length tunnel attributes of more than 17 tagged tunnel definitions, using either RADIUS or domain maps, to their maximum values. When the size of a transaction exceeds 9866 bytes, the router now mirrors the tunnel definitions in a different transaction. As a result, stateful SRP switchover is not disabled when you configure all the variable length tunnel attributes of all 31 tunnel definitions to their maximum values or when the RADIUS server sends tunnel attributes whose length exceeds the maximum length.
