
    Configuring L2TP Tunnel Switch Profiles

    You can use the l2tp switch-profile command to create an L2TP tunnel switch profile. An L2TP tunnel switch profile is a set of characteristics that defines the behavior of L2TP tunnel switching for the interfaces to which the profile is assigned.

    Within the L2TP tunnel switch profile, you configure a particular tunnel switching behavior for a specified L2TP AVP. For example, you can configure the router to preserve (relay) the value of a specified AVP type across the LNS/LAC boundary in an L2TP tunnel-switched network.

    Applying the L2TP Tunnel Switch Profile

    Configuring an L2TP tunnel switch profile has no effect by itself. To use the tunnel switch profile in an L2TP tunnel-switched network, you must apply it to an L2TP outbound LAC session by using one of the following methods:

    • Authentication, authorization, and accounting (AAA) domain maps
    • AAA tunnel groups
    • RADIUS Access-Accept messages

    If none of these methods is used, you can apply the L2TP tunnel switch profile as an AAA default tunnel parameter. The default tunnel switch profile has lower precedence than the other methods for applying the tunnel switch profile.

    For more information about the methods for applying L2TP tunnel switch profiles, see Configuration Tasks.

    Configuration Guidelines

    The following rules apply when you configure L2TP tunnel switch profiles:

    • L2TP tunnel switching must be enabled for tunnel switch profiles to take effect. For information, see Enabling Tunnel Switching.
    • L2TP tunnel switch profiles have no effect when they are assigned to a LAC session that is not tunnel switched.
    • The router can relay only those AVPs that are accepted at the LNS. Malformed AVPs are never relayed.
    • If a tunnel grant response specifies a named tunnel switch profile that has not been configured on the router, the router prohibits connection of the L2TP tunnel-switched session.
    • If you remove a tunnel switch profile, the router also disconnects all associated L2TP switched sessions using that profile.
    • In some cases, attributes configured in a tunnel switch profile take precedence over similar attributes configured globally on the router.

      For example, configuring L2TP Calling Number AVP 22 for relay overrides the l2tp disable calling-number-avp command issued from Global Configuration mode to prevent the router from sending AVP 22 in incoming-call-request (ICRQ) packets. In this scenario, the router relays the Calling Number AVP.
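
    The rules above (and the precedence rule repeated under Applying Default L2TP Tunnel Switch Profiles) can be modeled in a few lines of Python. This is an added example, not JunosE code: it shows a named profile returned by a domain map, tunnel group or RADIUS taking precedence over the virtual router's default profile, a session that names an unconfigured profile being refused, the removal of a profile disconnecting the sessions bound to it, and a profile's avp calling-number relay overriding the global l2tp disable calling-number-avp setting. The profile names, virtual router name and session ids are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SwitchProfile:
    """One 'l2tp switch-profile': the set of AVP keywords configured for relay."""
    name: str
    relay: set = field(default_factory=set)   # e.g. {"bearer-type", "calling-number"}


@dataclass
class Router:
    """Minimal model of the tunnel switch profile state on one router (constructed)."""
    profiles: dict = field(default_factory=dict)          # profile name -> SwitchProfile
    default_profile: dict = field(default_factory=dict)   # virtual router -> default profile name
    sessions: dict = field(default_factory=dict)          # session id -> profile name (or None)
    disable_calling_number_avp: bool = False              # global 'l2tp disable calling-number-avp'

    def configure_profile(self, profile):
        self.profiles[profile.name] = profile

    def resolve_profile(self, vr, named_profile=None):
        """Profile a tunnel-switched LAC session should use.

        A named profile from a domain map, tunnel group or RADIUS wins; the
        'aaa tunnel switch-profile' default of the virtual router is used only
        when no named profile was returned.
        """
        if named_profile is not None:
            return named_profile
        return self.default_profile.get(vr)

    def connect_session(self, session_id, vr, named_profile=None):
        """Bind a new tunnel-switched session, or refuse it when the resolved
        profile is not configured on the router (tunnel grant names an unknown profile)."""
        name = self.resolve_profile(vr, named_profile)
        if name is not None and name not in self.profiles:
            return False
        self.sessions[session_id] = name
        return True

    def remove_profile(self, name):
        """Delete a profile; return the ids of the switched sessions disconnected with it."""
        self.profiles.pop(name, None)
        dropped = [sid for sid, p in self.sessions.items() if p == name]
        for sid in dropped:
            del self.sessions[sid]
        return dropped

    def sends_calling_number_avp(self, session_id):
        """AVP 22 goes into the outbound ICRQ when the session's profile relays it,
        even if the global disable is set; otherwise the global setting decides."""
        profile = self.profiles.get(self.sessions.get(session_id))
        if profile is not None and "calling-number" in profile.relay:
            return True
        return not self.disable_calling_number_avp


def demo():
    """Walk through the guideline rules with constructed names; returns the observations."""
    r = Router(disable_calling_number_avp=True)
    r.configure_profile(SwitchProfile("concord", {"calling-number"}))
    r.configure_profile(SwitchProfile("boston"))
    r.default_profile["east"] = "boston"
    return {
        "named": r.connect_session("s1", "east", "concord"),       # True, bound to concord
        "default": r.connect_session("s2", "east"),                # True, falls back to boston
        "unconfigured": r.connect_session("s3", "east", "ghost"),  # False, profile not configured
        "s1_profile": r.sessions.get("s1"),
        "s2_profile": r.sessions.get("s2"),
        "s1_sends_avp22": r.sends_calling_number_avp("s1"),        # True, relay overrides the global disable
        "s2_sends_avp22": r.sends_calling_number_avp("s2"),        # False, global disable applies
        "dropped_on_removal": r.remove_profile("concord"),         # ["s1"]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The model deliberately refuses a session rather than silently falling back to the default profile when a named profile is missing, which matches the guideline that a tunnel grant naming an unconfigured profile prohibits the connection.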

    Configuring L2TP AVPs for Relay

    Previously, the router did not preserve the values of incoming L2TP AVPs across the LNS/LAC boundary in an L2TP tunnel-switched network. The router regenerated most incoming AVPs, such as L2TP Calling Number AVP 22, based on the local policy in effect. However, some AVPs, such as Cisco NAS Port Info AVP 100, were dropped.

    In an L2TP tunnel switch profile, you can define the types of AVPs that the router can relay unchanged across the LNS/LAC boundary. You can specify that the router relay one or more of the following AVP types:

    • L2TP Bearer Type AVP 18
    • L2TP Calling Number AVP 22
    • Cisco NAS Port Info AVP 100

    When you configure any of these AVP types for relay in an L2TP tunnel-switched network, the router preserves the value of an incoming AVP of this type when packets are switched between the inbound LNS session and the outbound LAC session.
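
    The following Python is an added example, not JunosE code, showing the relay decision the text describes applied to a parsed AVP list. It walks the AVP header defined in RFC 2661 (a 2-byte flags/length field whose low 10 bits give the total length, a 2-byte vendor ID, a 2-byte attribute type, then the value; Cisco's vendor ID is 9), relays an AVP only when the profile lists its type and the AVP parses cleanly, and otherwise applies the default the text states (regenerate AVP 18 and 22, drop AVP 100). Two simplifications are the example's own: "accepted at the LNS" is approximated by a well-formed AVP, and AVP types the profile does not govern default to regenerate. The sample ICRQ AVP list is constructed inline.

```python
import struct

# Vendor IDs and attribute types from RFC 2661 and the Cisco vendor space
IETF, CISCO = 0, 9
BEARER_TYPE, CALLING_NUMBER, CISCO_NAS_PORT_INFO = 18, 22, 100

# 'avp <keyword> relay' keyword -> (vendor id, attribute type)
RELAY_KEYWORDS = {
    "bearer-type": (IETF, BEARER_TYPE),
    "calling-number": (IETF, CALLING_NUMBER),
    "cisco-nas-port": (CISCO, CISCO_NAS_PORT_INFO),
}
# Default tunnel switching behavior when the profile does not relay the type
DEFAULT_ACTION = {
    (IETF, BEARER_TYPE): "regenerate",
    (IETF, CALLING_NUMBER): "regenerate",
    (CISCO, CISCO_NAS_PORT_INFO): "drop",
}


def parse_avps(payload):
    """Yield (vendor, attr_type, value, ok) for each AVP in an L2TP control message.

    ok is False for a malformed AVP: fewer than 6 header bytes left, a length
    field below 6 or past the end of the message, or a Bearer Type whose value
    is not the mandated 4 bytes. Parsing stops after a bad header because the
    following bytes cannot be delimited.
    """
    off = 0
    while off < len(payload):
        if len(payload) - off < 6:
            yield (None, None, payload[off:], False)
            return
        flags_len, vendor, attr = struct.unpack_from("!HHH", payload, off)
        length = flags_len & 0x03FF          # M and H bits live in the top bits
        if length < 6 or off + length > len(payload):
            yield (vendor, attr, payload[off + 6:], False)
            return
        value = payload[off + 6:off + length]
        ok = not ((vendor, attr) == (IETF, BEARER_TYPE) and len(value) != 4)
        yield (vendor, attr, value, ok)
        off += length


def switch_actions(payload, relay_keywords):
    """Per-AVP action at the outbound LAC session: relay, regenerate, drop or malformed.

    relay_keywords is the set of keywords configured with 'avp ... relay' in the
    tunnel switch profile. A relayed AVP keeps its inbound value; a malformed
    AVP is never relayed, whatever the profile says.
    """
    relay_types = {RELAY_KEYWORDS[k] for k in relay_keywords}
    actions = []
    for vendor, attr, value, ok in parse_avps(payload):
        key = (vendor, attr)
        if not ok:
            actions.append((key, "malformed", None))
        elif key in relay_types:
            actions.append((key, "relay", value))
        else:
            actions.append((key, DEFAULT_ACTION.get(key, "regenerate"), None))
    return actions


def build_avp(vendor, attr, value, mandatory=True):
    """Encode one AVP; used here only to construct the sample message."""
    length = 6 + len(value)
    flags_len = (0x8000 if mandatory else 0) | length
    return struct.pack("!HHH", flags_len, vendor, attr) + value


# Constructed sample: Bearer Type, Calling Number, Cisco NAS Port Info, then an
# AVP whose length field (40) overruns the remaining bytes.
SAMPLE = (
    build_avp(IETF, BEARER_TYPE, struct.pack("!I", 1))
    + build_avp(IETF, CALLING_NUMBER, b"5085551212")
    + build_avp(CISCO, CISCO_NAS_PORT_INFO, b"Ethernet 0/0/0")
    + struct.pack("!HHH", 0x8000 | 40, IETF, CALLING_NUMBER) + b"short"
)

if __name__ == "__main__":
    for key, action, value in switch_actions(SAMPLE, {"bearer-type", "cisco-nas-port"}):
        print(key, action, value)
```

    With the profile relaying bearer-type and cisco-nas-port, the sample yields relay, regenerate, relay and malformed in that order; with an empty relay set the same message yields regenerate, regenerate, drop, malformed.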

    Configuration Tasks

    To configure and use an L2TP tunnel switch profile in an L2TP tunnel-switched network:

    1. Ensure that L2TP tunnel switching is enabled on the router.
    2. Configure the L2TP tunnel switch profile.
    3. Apply the L2TP tunnel switch profile to the tunnel by using an AAA domain map, an AAA tunnel group, or a RADIUS Access-Accept message, or apply it as the default tunnel switch profile for the virtual router.

    The following sections describe how to perform each of these tasks.

    Enabling Tunnel Switching on the Router

    To enable L2TP tunnel switching on the router, use the l2tp tunnel-switching command. By default, tunnel switching is disabled.

    • To enable L2TP tunnel switching:
      host1(config)#l2tp tunnel-switching

    For more information, see Enabling Tunnel Switching.

    Configuring L2TP Tunnel Switch Profiles

    To configure an L2TP tunnel switch profile:

    1. Create the L2TP tunnel switch profile and assign it a name. The l2tp switch-profile command accesses L2TP Tunnel Switch Profile Configuration mode.
      host1(config)#l2tp switch-profile concord
      host1(config-l2tp-tunnel-switch-profile)#
    2. Configure the L2TP tunnel switching behavior for the interfaces to which this profile is assigned. Use the avp command with the relay keyword to cause the router to preserve the value of an incoming AVP of this type when packets are switched between an inbound LNS session and an outbound LAC session.

      You can use any of the following keywords to specify the AVPs for the router to relay:

      • bearer-type—L2TP Bearer Type AVP 18; by default, the router regenerates this AVP at the outbound LAC session, based on the local policy in effect
      • calling-number—L2TP Calling Number AVP 22; by default, the router regenerates this AVP at the outbound LAC session, based on the local policy in effect
      • cisco-nas-port—Cisco NAS Port Info AVP 100; by default, the router drops this AVP

      Use the no version to restore the default L2TP tunnel switching behavior (regenerate or drop) for incoming AVPs of the specified type.

      The following commands configure the router to relay the Bearer Type, Calling Number, and Cisco NAS Port Info AVP types across the LNS/LAC boundary.

      host1(config-l2tp-tunnel-switch-profile)#avp bearer-type relay
      host1(config-l2tp-tunnel-switch-profile)#avp calling-number relay
      host1(config-l2tp-tunnel-switch-profile)#avp cisco-nas-port relay
    3. (Optional) Use the show l2tp switch-profile command to verify configuration of the tunnel switch profile.
      host1(config-l2tp-tunnel-switch-profile)# run show l2tp switch-profile
      L2TP tunnel switch profile concord
      L2TP tunnel switch profile myProfile
      2 L2TP tunnel switch profiles found
      host1(config-l2tp-tunnel-switch-profile)# run show l2tp switch-profile concord
      L2TP tunnel switch profile concord
        AVP bearer type action is relay
        AVP calling number action is relay
        AVP Cisco nas port info action is relay

    Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps

    To apply an L2TP tunnel switch profile to sessions associated with an AAA domain map:

    1. Access Domain Map Tunnel Configuration mode.
      host1(config)#aaa domain-map westford.com
      host1(config-domain-map)#router-name default
      host1(config-domain-map)#tunnel 3
      host1(config-domain-map-tunnel)#

      For more information about how to map a domain to an L2TP tunnel from Domain Map Tunnel Configuration mode, see Mapping a User Domain Name to an L2TP Tunnel Overview.

    2. From Domain Map Tunnel Configuration mode, issue the switch-profile command to apply the specified L2TP switch profile to the sessions associated with this domain map.
      host1(config-domain-map-tunnel)#switch-profile concord
    3. (Optional) Use the show aaa domain-map command to verify application of the tunnel switch profile.
      host1(config-domain-map-tunnel)#run show aaa domain-map
      Domain: westford.com; router-name: default; ipv6-router-name: default
                                                                       Tunnel
      Tunnel   Tunnel   Tunnel   Tunnel   Tunnel    Tunnel    Tunnel   Client
       Tag      Peer    Source    Type    Medium   Password     Id      Name
      ------   ------   ------   ------   ------   --------   ------   ------
      3        <null>   <null>   l2tp     ipv4     <null>     <null>   <null>

      Tunnel   Tunnel   Tunnel       Tunnel Max   Tunnel Server    Virtual   Switch
       Tag     Name     Preference   Sessions     RWS              Router    Profile
      ------   ------   ----------   ----------   --------------   -------   -------
      3        <null>   2000         0            system chooses   <null>    concord

    Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups

    To apply an L2TP tunnel switch profile to sessions associated with an AAA tunnel group:

    1. Access Tunnel Group Tunnel Configuration mode.
      host1(config)#aaa tunnel-group sunnyvale
      host1(config-tunnel-group)#tunnel 3
      host1(config-tunnel-group-tunnel)#

      For more information about how to map a domain to an L2TP tunnel from Tunnel Group Tunnel Configuration mode, see Mapping a User Domain Name to an L2TP Tunnel Overview.

    2. From Tunnel Group Tunnel Configuration mode, issue the switch-profile command to apply the specified L2TP switch profile to the sessions associated with this tunnel group.
      host1(config-tunnel-group-tunnel)#switch-profile sanjose
    3. (Optional) Use the show aaa tunnel-group command to verify application of the tunnel switch profile.
      host1(config-tunnel-group-tunnel)#run show aaa tunnel-group
      Tunnel Group: sunnyvale
                                                                       Tunnel
      Tunnel   Tunnel   Tunnel   Tunnel   Tunnel    Tunnel    Tunnel   Client
       Tag      Peer    Source    Type    Medium   Password     Id      Name
      ------   ------   ------   ------   ------   --------   ------   ------
      3        <null>   <null>   l2tp     ipv4     <null>     <null>   <null>

      Tunnel   Tunnel   Tunnel       Tunnel Max   Tunnel Server    Virtual   Switch
       Tag     Name     Preference   Sessions     RWS              Router    Profile
      ------   ------   ----------   ----------   --------------   -------   -------
      3        <null>   2000         0            system chooses   <null>    sanjose

    Applying Default L2TP Tunnel Switch Profiles

    You can apply a default L2TP tunnel switch profile to a virtual router by issuing the aaa tunnel switch-profile command from Global Configuration mode. The router uses the default tunnel switch profile only when the tunnel attributes returned from an AAA domain map, an AAA tunnel group, or a RADIUS authentication server do not include a named tunnel switch profile; when those attributes do include a named tunnel switch profile, the router ignores the default.

    The default L2TP tunnel switch profile applies to a specific virtual router. You can apply a different default tunnel switch profile to each virtual router configured.

    To apply a default L2TP tunnel switch profile to a virtual router:

    1. Create the virtual router to which you want to apply the default tunnel switch profile.
      host1(config)#virtual-router east
      host1:east(config)#
    2. Issue the aaa tunnel switch-profile command to apply the default L2TP tunnel switch profile in the context of this virtual router.
      host1:east(config)#aaa tunnel switch-profile boston
    3. (Optional) Use the show aaa tunnel-parameters command to verify application of the default tunnel switch profile.
      host1:east(config)#run show aaa tunnel-parameters
      Tunnel password is <NULL>
      Tunnel client-name is <NULL>
      Tunnel nas-port-method is none
      Tunnel switch-profile is boston
      Tunnel nas-port ignore disabled
      Tunnel nas-port-type ignore disabled
      Tunnel assignmentId format is assignmentId
      Tunnel calling number format is descriptive

    Applying L2TP Tunnel Switch Profiles by Using RADIUS

    On the LAC, the router can receive tunnel configuration attributes through a RADIUS authentication server. To use RADIUS to apply an L2TP tunnel switch profile to a session, you can configure RADIUS to include the Tunnel-Switch-Profile RADIUS attribute (VSA 26-91) in RADIUS Access-Accept messages.

    For more information about RADIUS Access-Accept messages, see Subscriber AAA Access Messages Overview. For more information about the Tunnel-Switch-Profile attribute, see RADIUS IETF Attributes.
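
    The Python below is an added example, not JunosE or any RADIUS server's code. It builds an Access-Accept that carries the Tunnel-Switch-Profile attribute as a Vendor-Specific attribute (type 26, vendor sub-type 91, per the VSA 26-91 notation above), then shows the check a LAC should perform before trusting that attribute: verifying the Response Authenticator (MD5 over code, identifier, length, the Request Authenticator, the attributes and the shared secret, as RFC 2865 defines) so a forged or altered reply cannot steer a session into a different tunnel switch profile. The vendor ID 4874 (Juniper ERX enterprise number) is assumed, and the shared secret, identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_JUNIPER_ERX = 4874          # assumed enterprise number for the ERX VSAs
VSA_TUNNEL_SWITCH_PROFILE = 91     # Tunnel-Switch-Profile, VSA 26-91


def encode_vsa(vendor_id, vendor_type, value):
    """Attribute 26 carrying one vendor sub-attribute (RFC 2865 section 5.26)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(ident, request_authenticator, secret, attributes):
    """Assemble an Access-Accept and fill in its Response Authenticator."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_and_extract_switch_profile(packet, request_authenticator, secret):
    """Return the Tunnel-Switch-Profile name from a verified Access-Accept, else None.

    None is also returned for a wrong code, a length mismatch, a malformed
    attribute list, or an Accept that simply carries no switch profile (the
    caller then falls back to the virtual router's default profile, if any).
    """
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack_from("!BBH", packet, 0)
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attributes + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                                     # forged or tampered reply
    off = 0
    while off + 2 <= len(attributes):
        atype, alen = attributes[off], attributes[off + 1]
        if alen < 2 or off + alen > len(attributes):
            return None                                 # malformed attribute
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack_from("!I", attributes, off + 2)[0]
            vtype, vlen = attributes[off + 6], attributes[off + 7]
            if (vendor_id == VENDOR_JUNIPER_ERX and vtype == VSA_TUNNEL_SWITCH_PROFILE
                    and 2 <= vlen <= alen - 6):
                return attributes[off + 8:off + 6 + vlen].decode("ascii", "replace")
        off += alen
    return None


def demo():
    """Constructed exchange: a genuine Accept naming 'concord' and a tampered copy."""
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))                     # constructed Request Authenticator
    attrs = encode_vsa(VENDOR_JUNIPER_ERX, VSA_TUNNEL_SWITCH_PROFILE, b"concord")
    good = build_access_accept(7, req_auth, secret, attrs)
    tampered = good[:-7] + b"sanjose"               # same length, profile swapped in transit
    return (
        verify_and_extract_switch_profile(good, req_auth, secret),         # "concord"
        verify_and_extract_switch_profile(tampered, req_auth, secret),     # None
        verify_and_extract_switch_profile(good, req_auth, b"wrong-secret"),  # None
    )


if __name__ == "__main__":
    print(demo())
```

    Because the Response Authenticator covers the attribute bytes and the shared secret, the swapped profile name in the tampered copy is rejected before the name is ever looked up; on a real LAC the returned name would then be checked against the configured profiles, since a named profile that does not exist on the router prohibits the session rather than falling back to the default.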

    Published: 2014-08-20