Related Documentation

  • Enabling Tunnel Switching on the Router
  • Configuring L2TP Tunnel Switch Profiles
  • Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps
  • Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups
  • Applying Default L2TP Tunnel Switch Profiles
  • Applying L2TP Tunnel Switch Profiles by Using RADIUS
  • aaa tunnel switch-profile
  • avp
  • l2tp switch-profile
  • l2tp tunnel-switching
 

Configuring L2TP Tunnel Switch Profiles

You can use the l2tp switch-profile command to create an L2TP tunnel switch profile. An L2TP tunnel switch profile is a set of characteristics that defines the behavior of L2TP tunnel switching for the interfaces to which the profile is assigned.

Within the L2TP tunnel switch profile, you configure a particular tunnel switching behavior for a specified L2TP AVP. For example, you can configure the router to preserve the value of (relay) a specified AVP type across the LNS/LAC boundary in an L2TP tunnel-switched network.

Applying the L2TP Tunnel Switch Profile

Configuring an L2TP tunnel switch profile has no effect by itself. To use the tunnel switch profile in an L2TP tunnel-switched network, you must apply it to an L2TP outbound LAC session by using one of the following methods:

  • Authentication, authorization, and accounting (AAA) domain maps
  • AAA tunnel groups
  • RADIUS Access-Accept messages

If none of these methods are used, you can apply the L2TP tunnel switch profile as an AAA default tunnel parameter. The default tunnel switch profile has lower precedence than the other methods for applying the tunnel switch profile.

For more information about the methods for applying L2TP tunnel switch profiles, see Configuration Tasks.

Configuration Guidelines

The following rules apply when you configure L2TP tunnel switch profiles:

  • L2TP tunnel switching must be enabled for tunnel switch profiles to take effect. For information, see Enabling Tunnel Switching.
  • L2TP tunnel switch profiles have no effect when they are assigned to a LAC session that is not tunnel switched.
  • The router can relay only those AVPs that are accepted at the LNS. Malformed AVPs are never relayed.
  • If a tunnel grant response specifies a named tunnel switch profile that has not been configured on the router, the router prohibits connection of the L2TP tunnel-switched session.
  • If you remove a tunnel switch profile, the router also disconnects all associated L2TP switched sessions using that profile.
  • In some cases, attributes configured in a tunnel switch profile take precedence over similar attributes configured globally on the router.

    For example, configuring L2TP Calling Number AVP 22 for relay overrides the l2tp disable calling-number-avp command issued from Global Configuration mode to prevent the router from sending AVP 22 in incoming-call-request (ICRQ) packets. In this scenario, the router relays the Calling Number AVP.

Configuring L2TP AVPs for Relay

Previously, the router did not preserve the values of incoming L2TP AVPs across the LNS/LAC boundary in an L2TP tunnel-switched network. The router regenerated most incoming AVPs, such as L2TP Calling Number AVP 22, based on the local policy in effect. However, some AVPs, such as Cisco NAS Port Info AVP 100, were dropped.

In an L2TP tunnel switch profile, you can define the types of AVPs that the router can relay unchanged across the LNS/LAC boundary. You can specify that the router relay one or more of the following AVP types:

  • L2TP Bearer Type AVP 18
  • L2TP Calling Number AVP 22
  • Cisco NAS Port Info AVP 100

When you configure any of these AVP types for relay in an L2TP tunnel-switched network, the router preserves the value of an incoming AVP of this type when packets are switched between the inbound LNS session and the outbound LAC session.

Configuration Tasks

To configure and use an L2TP tunnel switch profile in an L2TP tunnel-switched network:

  1. Ensure that L2TP tunnel switching is enabled on the router.
  2. Configure the L2TP tunnel switch profile.
  3. Apply the L2TP tunnel switch profile to the tunnel in one of the following ways:
    • To apply a named tunnel switch profile through an AAA domain map, use the switch-profile command from Domain Map Tunnel Configuration mode. For details, see Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps.
    • To apply a named tunnel switch profile through an AAA tunnel group, use the switch-profile command from Tunnel Group Tunnel Configuration mode. For details, see Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups.
    • To apply a named tunnel switch profile through RADIUS, include the Tunnel-Switch-Profile RADIUS attribute (VSA 26-91) in RADIUS Access-Accept messages. For details, see Applying L2TP Tunnel Switch Profiles by Using RADIUS.
    • To apply a default tunnel switch profile to a virtual router, use the aaa tunnel switch-profile command from Global Configuration mode. For details, see Applying Default L2TP Tunnel Switch Profiles.

The following sections describe how to perform each of these tasks.

Enabling Tunnel Switching on the Router

To enable L2TP tunnel switching on the router, use the l2tp tunnel-switching command. By default, tunnel switching is disabled.

  • To enable L2TP tunnel switching:
    host1(config)#l2tp tunnel-switching

For more information, see Enabling Tunnel Switching.

Configuring L2TP Tunnel Switch Profiles

To configure an L2TP tunnel switch profile:

  1. Create the L2TP tunnel switch profile and assign it a name. The l2tp switch-profile command accesses L2TP Tunnel Switch Profile Configuration mode.
    host1(config)#l2tp switch-profile concord
    host1(config-l2tp-tunnel-switch-profile)#
  2. Configure the L2TP tunnel switching behavior for the interfaces to which this profile is assigned. Use the avp command with the relay keyword to cause the router to preserve the value of an incoming AVP of this type when packets are switched between an inbound LNS session and an outbound LAC session.

    You can use any of the following keywords to specify the AVPs for the router to relay:

    • bearer-type—L2TP Bearer Type AVP 18; by default, the router regenerates this AVP at the outbound LAC session, based on the local policy in effect
    • calling-number—L2TP Calling Number AVP 22; by default, the router regenerates this AVP at the outbound LAC session, based on the local policy in effect
    • cisco-nas-port—Cisco NAS Port Info AVP 100; by default, the router drops this AVP

    Use the no version to restore the default L2TP tunnel switching behavior (regenerate or drop) for incoming AVPs of the specified type.

    The following commands configure the router to relay the Bearer Type, Calling Number, and Cisco NAS Port Info AVP types across the LNS/LAC boundary.

    host1(config-l2tp-tunnel-switch-profile)#avp bearer-type relay
    host1(config-l2tp-tunnel-switch-profile)#avp calling-number relay
    host1(config-l2tp-tunnel-switch-profile)#avp cisco-nas-port relay
  3. (Optional) Use the show l2tp switch-profile command to verify configuration of the tunnel switch profile.
    host1(config-l2tp-tunnel-switch-profile)# run show l2tp switch-profile
    L2TP tunnel switch profile concord
    L2TP tunnel switch profile myProfile
    2 L2TP tunnel switch profiles found
    host1(config-l2tp-tunnel-switch-profile)# run show l2tp switch-profile concord
    L2TP tunnel switch profile concord
      AVP bearer type action is relay
      AVP calling number action is relay
      AVP Cisco nas port info action is relay
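
The configuration guidelines can be checked mechanically against this output. The following Python is an added example, not Juniper code: it parses the show l2tp switch-profile output above (prompts and the count line removed) together with a constructed command list, and reports tunnel switching not being enabled, relay of AVP 22 overriding l2tp disable calling-number-avp, and a switch-profile name that is not configured. The one-command-per-line input format and the names parse_profiles and audit are assumptions of this example.

```python
import re

PROFILE_RE = re.compile(r"^L2TP tunnel switch profile (\S+)\s*$")
ACTION_RE = re.compile(r"^\s+AVP (.+?) action is (\S+)\s*$")

# Show output from step 3 of this page (prompts and count line removed).
SHOW_OUTPUT = """\
L2TP tunnel switch profile concord
L2TP tunnel switch profile myProfile
L2TP tunnel switch profile concord
  AVP bearer type action is relay
  AVP calling number action is relay
  AVP Cisco nas port info action is relay
"""

# Constructed command list (assumption: one command per line, as typed).
CONFIG = """\
l2tp disable calling-number-avp
aaa domain-map westford.com
switch-profile concord
aaa tunnel-group sunnyvale
switch-profile sanjose
"""

def parse_profiles(show_text):
    """Return {profile name: {AVP label: action}} from the show output."""
    profiles, current = {}, None
    for line in show_text.splitlines():
        if m := PROFILE_RE.match(line):
            current = profiles.setdefault(m.group(1), {})
        elif (m := ACTION_RE.match(line)) and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
    return profiles

def audit(show_text, config_text):
    profiles = parse_profiles(show_text)
    cmds = [c.strip() for c in config_text.splitlines() if c.strip()]
    findings = []
    # Guideline: profiles take effect only when tunnel switching is enabled.
    if profiles and "l2tp tunnel-switching" not in cmds:
        findings.append("l2tp tunnel-switching missing: profiles have no effect")
    # Guideline: relay of Calling Number AVP 22 overrides the global disable.
    if "l2tp disable calling-number-avp" in cmds:
        findings += [f"{n}: relay of AVP 22 overrides l2tp disable calling-number-avp"
                     for n, a in sorted(profiles.items()) if a.get("calling number") == "relay"]
    # Guideline: a named profile that is not configured prohibits the session.
    findings += [f"{c.split()[1]}: named but not configured, session is prohibited"
                 for c in cmds if c.startswith("switch-profile ") and c.split()[1] not in profiles]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SHOW_OUTPUT, CONFIG)))
```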
    

Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps

To apply an L2TP tunnel switch profile to sessions associated with an AAA domain map:

  1. Access Domain Map Tunnel Configuration mode.
    host1(config)#aaa domain-map westford.com
    host1(config-domain-map)#router-name default
    host1(config-domain-map)#tunnel 3
    host1(config-domain-map-tunnel)#

    For more information about how to map a domain to an L2TP tunnel from Domain Map Tunnel Configuration mode, see Mapping a User Domain Name to an L2TP Tunnel Overview.

  2. From Domain Map Tunnel Configuration mode, issue the switch-profile command to apply the specified L2TP switch profile to the sessions associated with this domain map.
    host1(config-domain-map-tunnel)#switch-profile concord
  3. (Optional) Use the show aaa domain-map command to verify application of the tunnel switch profile.
    host1(config-domain-map-tunnel)#run show aaa domain-map
    
    Domain: westford.com; router-name: default; ipv6-router-name: default
                                                                     Tunnel
    Tunnel   Tunnel   Tunnel   Tunnel   Tunnel    Tunnel    Tunnel   Client
     Tag      Peer    Source    Type    Medium   Password     Id      Name
    ------   ------   ------   ------   ------   --------   ------   ------
    3        <null>   <null>   l2tp     ipv4     <null>     <null>   <null>

    Tunnel   Tunnel                 Tunnel                     Tunnel    Tunnel
             Server     Tunnel       Max                       Virtual   Switch
     Tag      Name    Preference   Sessions     Tunnel RWS     Router    Profile
    ------   ------   ----------   --------   --------------   -------   -------
    3        <null>   2000         0          system chooses   <null>    concord

Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups

To apply an L2TP tunnel switch profile to sessions associated with an AAA tunnel group:

  1. Access Tunnel Group Tunnel Configuration mode.
    host1(config)#aaa tunnel-group sunnyvale
    host1(config-tunnel-group)#tunnel 3
    host1(config-tunnel-group-tunnel)#

    For more information about how to map a domain to an L2TP tunnel from Tunnel Group Tunnel Configuration mode, see Mapping a User Domain Name to an L2TP Tunnel Overview.

  2. From Tunnel Group Tunnel Configuration mode, issue the switch-profile command to apply the specified L2TP switch profile to the sessions associated with this tunnel group.
    host1(config-tunnel-group-tunnel)#switch-profile sanjose
  3. (Optional) Use the show aaa tunnel-group command to verify application of the tunnel switch profile.
    host1(config-tunnel-group-tunnel)#run show aaa tunnel-group
    
    Tunnel Group: sunnyvale
                                                                     Tunnel
    Tunnel   Tunnel   Tunnel   Tunnel   Tunnel    Tunnel    Tunnel   Client
     Tag      Peer    Source    Type    Medium   Password     Id      Name
    ------   ------   ------   ------   ------   --------   ------   ------
    3        <null>   <null>   l2tp     ipv4     <null>     <null>   <null>
    
    Tunnel   Tunnel                 Tunnel                     Tunnel    Tunnel
             Server     Tunnel       Max                       Virtual   Switch
     Tag      Name    Preference   Sessions     Tunnel RWS     Router    Profile
    ------   ------   ----------   --------   --------------   -------   -------
    3        <null>   2000         0          system chooses   <null>    sanjose

Applying Default L2TP Tunnel Switch Profiles

You can apply a default L2TP tunnel switch profile to a virtual router by issuing the aaa tunnel switch-profile command from Global Configuration mode. The router uses the default tunnel switch profile if the tunnel attributes returned from an AAA domain map or tunnel group or from a RADIUS authentication server do not include a named tunnel switch profile. The router ignores the default tunnel switch profile if the tunnel attributes returned from an AAA domain map or tunnel group or from a RADIUS authentication server do include a named tunnel switch profile.

The default L2TP tunnel switch profile applies to a specific virtual router. You can apply a different default tunnel switch profile to each virtual router configured.

To apply a default L2TP tunnel switch profile to a virtual router:

  1. Create the virtual router to which you want to apply the default tunnel switch profile.
    host1(config)#virtual-router east
    host1:east(config)#
  2. Issue the aaa tunnel switch-profile command to apply the default L2TP tunnel switch profile in the context of this virtual router.
    host1:east(config)#aaa tunnel switch-profile boston
  3. (Optional) Use the show aaa tunnel-parameters command to verify application of the default tunnel switch profile.
    host1:east(config)#run show aaa tunnel-parameters
    Tunnel password is <NULL>
    Tunnel client-name is <NULL>
    Tunnel nas-port-method is none
    Tunnel switch-profile is boston
    Tunnel nas-port ignore disabled
    Tunnel nas-port-type ignore disabled
    Tunnel assignmentId format is assignmentId
    Tunnel calling number format is descriptive

Applying L2TP Tunnel Switch Profiles by Using RADIUS

On the LAC, the router can receive tunnel configuration attributes through a RADIUS authentication server. To use RADIUS to apply an L2TP tunnel switch profile to a session, you can configure RADIUS to include the Tunnel-Switch-Profile RADIUS attribute (VSA 26-91) in RADIUS Access-Accept messages.

For more information about RADIUS Access-Accept messages, see Subscriber AAA Access Messages Overview. For more information about the Tunnel-Switch-Profile attribute, see RADIUS IETF Attributes.

 

 

Published: 2012-06-27

 