Configuring L2TP Tunnel Switch Profiles

You can use the l2tp switch-profile command to create an L2TP tunnel switch profile. An L2TP tunnel switch profile is a set of characteristics that defines the behavior of L2TP tunnel switching for the interfaces to which the profile is assigned.

Within the L2TP tunnel switch profile, you configure a particular tunnel switching behavior for a specified L2TP AVP. For example, you can configure the router to preserve the value of (relay) a specified AVP type across the LNS/LAC boundary in an L2TP tunnel-switched network.

Applying the L2TP Tunnel Switch Profile

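Configuring an L2TP tunnel switch profile has no effect by itself. To use the tunnel switch profile in an L2TP tunnel-switched network, you must apply it to an L2TP outbound LAC session by using one of the following methods:

  • Issue the switch-profile command from Domain Map Tunnel Configuration mode.
  • Issue the switch-profile command from Tunnel Group Tunnel Configuration mode.
  • Include the Tunnel-Switch-Profile RADIUS attribute (VSA 26-91) in RADIUS Access-Accept messages.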

If none of these methods are used, you can apply the L2TP tunnel switch profile as an AAA default tunnel parameter. The default tunnel switch profile has lower precedence than the other methods for applying the tunnel switch profile.

For more information about the methods for applying L2TP tunnel switch profiles, see Configuration Tasks.

Configuration Guidelines

The following rules apply when you configure L2TP tunnel switch profiles:

Configuring L2TP AVPs for Relay

Previously, the router did not preserve the values of incoming L2TP AVPs across the LNS/LAC boundary in an L2TP tunnel-switched network. The router regenerated most incoming AVPs, such as L2TP Calling Number AVP 22, based on the local policy in effect. However, some AVPs, such as Cisco NAS Port Info AVP 100, were dropped.

In an L2TP tunnel switch profile, you can define the types of AVPs that the router can relay unchanged across the LNS/LAC boundary. You can specify that the router relay one or more of the following AVP types:

  • L2TP Bearer Type AVP 18
  • L2TP Calling Number AVP 22
  • Cisco NAS Port Info AVP 100

When you configure any of these AVP types for relay in an L2TP tunnel-switched network, the router preserves the value of an incoming AVP of this type when packets are switched between the inbound LNS session and the outbound LAC session.

Configuration Tasks

To configure and use an L2TP tunnel switch profile in an L2TP tunnel-switched network:

  1. Ensure that L2TP tunnel switching is enabled on the router.
  2. Configure the L2TP tunnel switch profile.
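  3. Apply the L2TP tunnel switch profile to the tunnel in one of the following ways:

    • Use an AAA domain map.
    • Use an AAA tunnel group.
    • Apply a default tunnel switch profile.
    • Use RADIUS.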

The following sections describe how to perform each of these tasks.

Enabling Tunnel Switching on the Router

To enable L2TP tunnel switching on the router, use the l2tp tunnel-switching command. By default, tunnel switching is disabled.

For more information, see Enabling Tunnel Switching.

Configuring L2TP Tunnel Switch Profiles

To configure an L2TP tunnel switch profile:

  1. Create the L2TP tunnel switch profile and assign it a name. The l2tp switch-profile command accesses L2TP Tunnel Switch Profile Configuration mode.
    host1(config)#l2tp switch-profile concord
    host1(config-l2tp-tunnel-switch-profile)#
  2. Configure the L2TP tunnel switching behavior for the interfaces to which this profile is assigned. Use the avp command with the relay keyword to cause the router to preserve the value of an incoming AVP of this type when packets are switched between an inbound LNS session and an outbound LAC session.

    You can use any of the following keywords to specify the AVPs for the router to relay:

    • bearer-type—L2TP Bearer Type AVP 18; by default, the router regenerates this AVP at the outbound LAC session, based on the local policy in effect
    • calling-number—L2TP Calling Number AVP 22; by default, the router regenerates this AVP at the outbound LAC session, based on the local policy in effect
    • cisco-nas-port—Cisco NAS Port Info AVP 100; by default, the router drops this AVP

    Use the no version to restore the default L2TP tunnel switching behavior (regenerate or drop) for incoming AVPs of the specified type.

    The following commands configure the router to relay the Bearer Type, Calling Number, and Cisco NAS Port Info AVP types across the LNS/LAC boundary.

    host1(config-l2tp-tunnel-switch-profile)#avp bearer-type relay
    host1(config-l2tp-tunnel-switch-profile)#avp calling-number relay
    host1(config-l2tp-tunnel-switch-profile)#avp cisco-nas-port relay
  3. (Optional) Use the show l2tp switch-profile command to verify configuration of the tunnel switch profile.
    host1(config-l2tp-tunnel-switch-profile)# run show l2tp switch-profile
    L2TP tunnel switch profile concord
    L2TP tunnel switch profile myProfile
    2 L2TP tunnel switch profiles found
    host1(config-l2tp-tunnel-switch-profile)# run show l2tp switch-profile concord
    L2TP tunnel switch profile concord
      AVP bearer type action is relay
      AVP calling number action is relay
      AVP Cisco nas port info action is relay
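
The following added example (not Juniper's code and not part of the original page) models the per-AVP relay, regenerate, and drop behavior described above on RFC 2661-encoded AVPs, so you can see which values reaching the far LNS originate from the upstream LAC rather than from local policy. Vendor ID 9 for AVP 100, the sample values, the local-policy values, and the fallback to the default action when a relayed AVP is absent are assumptions.

```python
import struct

# (vendor ID, attribute type) -> (profile keyword, default action on this page).
# Vendor 0 is IETF; 9 is Cisco's IANA enterprise number (assumed for AVP 100).
SWITCHED = {
    (0, 18): ("bearer-type", "regenerate"),
    (0, 22): ("calling-number", "regenerate"),
    (9, 100): ("cisco-nas-port", "drop"),
}

def encode_avp(vendor, attr, value, mandatory=False):
    """Build one AVP: 2 flag bits + 10-bit length, vendor ID, type, value."""
    length = 6 + len(value)
    if length > 0x3FF:
        raise ValueError("AVP value too long")
    flags = 0x8000 if mandatory else 0
    return struct.pack("!HHH", flags | length, vendor, attr) + value

def parse_avps(buf):
    """Yield (vendor, attr, value), rejecting lengths that overrun the buffer."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 6:
            raise ValueError("truncated AVP header")
        flags_len, vendor, attr = struct.unpack_from("!HHH", buf, off)
        length = flags_len & 0x03FF
        if length < 6 or off + length > len(buf):
            raise ValueError("bad AVP length")
        yield vendor, attr, buf[off + 6:off + length]
        off += length

def switch_avps(incoming, relay_keywords, local_policy):
    """Return {keyword: (action, value sent on the outbound LAC session)}."""
    seen = {(v, a): val for v, a, val in parse_avps(incoming)}
    out = {}
    for key, (keyword, default) in SWITCHED.items():
        if keyword in relay_keywords and key in seen:
            out[keyword] = ("relay", seen[key])  # upstream value kept as-is
        elif default == "regenerate":
            out[keyword] = ("regenerate", local_policy[keyword])
        else:
            out[keyword] = ("drop", None)
    return out

# Constructed sample: AVPs as an upstream LAC might present them at the LNS side.
SAMPLE = (encode_avp(0, 18, struct.pack("!I", 1), mandatory=True)
          + encode_avp(0, 22, b"5551234", mandatory=True)
          + encode_avp(9, 100, b"constructed-port-info"))
LOCAL = {"bearer-type": struct.pack("!I", 2), "calling-number": b"local-port-desc"}
```

Calling `switch_avps(SAMPLE, set(), LOCAL)` shows the default behavior, and passing all three keywords shows the result of a profile such as concord.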
    

Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps

To apply an L2TP tunnel switch profile to sessions associated with an AAA domain map:

  1. Access Domain Map Tunnel Configuration mode.
    host1(config)#aaa domain-map westford.com
    host1(config-domain-map)#router-name default
    host1(config-domain-map)#tunnel 3
    host1(config-domain-map-tunnel)#

    For more information about how to map a domain to an L2TP tunnel from Domain Map Tunnel Configuration mode, see Mapping a User Domain Name to an L2TP Tunnel Overview.

  2. From Domain Map Tunnel Configuration mode, issue the switch-profile command to apply the specified L2TP switch profile to the sessions associated with this domain map.
    host1(config-domain-map-tunnel)#switch-profile concord
  3. (Optional) Use the show aaa domain-map command to verify application of the tunnel switch profile.
    host1(config-domain-map-tunnel)#run show aaa domain-map
    
    Domain: westford.com; router-name: default; ipv6-router-name: default
                                                                     Tunnel
    Tunnel   Tunnel   Tunnel   Tunnel   Tunnel    Tunnel    Tunnel   Client
     Tag      Peer    Source    Type    Medium   Password     Id      Name
    ------   ------   ------   ------   ------   --------   ------   ------
    3        <null>   <null>   l2tp     ipv4     <null>     <null>   <null>

              Tunnel                  Tunnel                     Tunnel    Tunnel
    Tunnel    Server      Tunnel       Max                       Virtual   Switch
     Tag       Name     Preference   Sessions     Tunnel RWS     Router    Profile
    ------    ------    ----------   --------   --------------   -------   -------
    3         <null>    2000         0          system chooses   <null>    concord

Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups

To apply an L2TP tunnel switch profile to sessions associated with an AAA tunnel group:

  1. Access Tunnel Group Tunnel Configuration mode.
    host1(config)#aaa tunnel-group sunnyvale
    host1(config-tunnel-group)#tunnel 3
    host1(config-tunnel-group-tunnel)#

    For more information about how to map a domain to an L2TP tunnel from Tunnel Group Tunnel Configuration mode, see Mapping a User Domain Name to an L2TP Tunnel Overview.

  2. From Tunnel Group Tunnel Configuration mode, issue the switch-profile command to apply the specified L2TP switch profile to the sessions associated with this tunnel group.
    host1(config-tunnel-group-tunnel)#switch-profile sanjose
  3. (Optional) Use the show aaa tunnel-group command to verify application of the tunnel switch profile.
    host1(config-tunnel-group-tunnel)#run show aaa tunnel-group
    
    Tunnel Group: sunnyvale
                                                                     Tunnel
    Tunnel   Tunnel   Tunnel   Tunnel   Tunnel    Tunnel    Tunnel   Client
     Tag      Peer    Source    Type    Medium   Password     Id      Name
    ------   ------   ------   ------   ------   --------   ------   ------
    3        <null>   <null>   l2tp     ipv4     <null>     <null>   <null>
    
              Tunnel                  Tunnel                     Tunnel    Tunnel
    Tunnel    Server      Tunnel       Max                       Virtual   Switch
     Tag       Name     Preference   Sessions     Tunnel RWS     Router    Profile
    ------    ------    ----------   --------   --------------   -------   -------
    3         <null>    2000         0          system chooses   <null>    sanjose

Applying Default L2TP Tunnel Switch Profiles

You can apply a default L2TP tunnel switch profile to a virtual router by issuing the aaa tunnel switch-profile command from Global Configuration mode. The router uses the default tunnel switch profile if the tunnel attributes returned from an AAA domain map or tunnel group or from a RADIUS authentication server do not include a named tunnel switch profile. The router ignores the default tunnel switch profile if the tunnel attributes returned from an AAA domain map or tunnel group or from a RADIUS authentication server do include a named tunnel switch profile.

The default L2TP tunnel switch profile applies to a specific virtual router. You can apply a different default tunnel switch profile to each virtual router configured.

To apply a default L2TP tunnel switch profile to a virtual router:

  1. Create the virtual router to which you want to apply the default tunnel switch profile.
    host1(config)#virtual-router east
    host1:east(config)#
  2. Issue the aaa tunnel switch-profile command to apply the default L2TP tunnel switch profile in the context of this virtual router.
    host1:east(config)#aaa tunnel switch-profile boston
  3. (Optional) Use the show aaa tunnel-parameters command to verify application of the default tunnel switch profile.
    host1:east(config)#run show aaa tunnel-parameters
    Tunnel password is <NULL>
    Tunnel client-name is <NULL>
    Tunnel nas-port-method is none
    Tunnel switch-profile is boston
    Tunnel nas-port ignore disabled
    Tunnel nas-port-type ignore disabled
    Tunnel assignmentId format is assignmentId
    Tunnel calling number format is descriptive

Applying L2TP Tunnel Switch Profiles by Using RADIUS

On the LAC, the router can receive tunnel configuration attributes through a RADIUS authentication server. To use RADIUS to apply an L2TP tunnel switch profile to a session, you can configure RADIUS to include the Tunnel-Switch-Profile RADIUS attribute (VSA 26-91) in RADIUS Access-Accept messages.

For more information about RADIUS Access-Accept messages, see Subscriber AAA Access Messages Overview. For more information about the Tunnel-Switch-Profile attribute, see RADIUS IETF Attributes.
