Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4085
Views
0
Helpful
1
Replies

Issue with LNS terminating L2TP session within VRFs

dennis.hayes
Level 1
Level 1

‎02-16-2011 02:03 PM - edited ‎03-01-2019 02:24 PM

Hi,

I'm having an issue with a Cisco 7200 configured as an LNS to terminate L2TP session from the wholesaler on two separate interfaces, each within their own VRF. The wholesaler has many LACs, so I need to be able to use generic VPDN groups, and I want the return traffic back to the LAC to go out the interface it came in on.  I also want the PPP sessions to be within the global routing table. 

The issue I'm having is the wholesaler is sending requests to both LNS IP addresses from the same LAC (round robin for redundancy), but the default VPDN group is being applied and the LNS forces the LAC to switch to the IP address configured for the default VPDN group. I've tried removing the source-ip, but that doesn't work and originally I only had one VPDN group but I needed to specify the VRF with the VPN option in order to bring up the tunnel; I was getting VPDN-5-UNREACH error until I added the VPN option.  Is what I'm trying to do achievable and does anyone have suggestions on how to fix this?

I'm running ISO 12.4(4)XD4 and my configuration looks like this.

Building configuration...

Current configuration : 8270 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LNS01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$IAoP$sWGMQKq5nkR/IVb40gjs91
!
aaa new-model
!
!
aaa group server radius default
server-private 3.3.3.1 auth-port 1812 acct-port 1813 key 7 XXXXXXX
server-private 3.3.3.2 auth-port 1812 acct-port 1813 key 7 XXXXXXX
!
aaa authentication login default local
aaa authentication ppp default group default
aaa authorization exec default local
aaa authorization network default group default
aaa authorization network vpdn local
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting exec default none
aaa accounting network default start-stop group default
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip cef
ip tcp path-mtu-discovery
!
!
!
!
ip vrf L2TP1-VRF
!
ip vrf L2TP2-VRF
!
ip domain name someone.net
ip name-server 3.3.3.3
ip name-server 3.3.3.4
ip ssh time-out 15
ip ssh version 2
vpdn enable
vpdn logging
vpdn logging local
vpdn logging tunnel-drop
!
!
vpdn-group L2TP1
! Default L2TP VPDN group
accept-dialin
  protocol l2tp
  virtual-template 1
vpn vrf L2TP1-VRF
source-ip 10.10.10.2
lcp renegotiation always
l2tp tunnel password 7 XXXXXXXX
!
vpdn-group L2TP2
accept-dialin
  protocol l2tp
  virtual-template 1
vpn vrf L2TP2-VRF
source-ip 10.10.11.2
lcp renegotiation always
l2tp tunnel password 7 XXXXXXXX
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 XXXXXXXXXX
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
mtu 1622
no ip address
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1.910
encapsulation dot1Q 910
ip address 2.2.2.2 255.255.255.224
ip mtu 1500
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 XXXXXXXXX
ip ospf 1 area 0.0.0.0
no snmp trap link-status
!
interface GigabitEthernet0/1.1312
encapsulation dot1Q 1312
ip vrf forwarding L2TP1-VRF
ip address 10.10.10.2 255.255.255.248
no snmp trap link-status
!
interface FastEthernet0/2
duplex auto
speed auto
!
interface GigabitEthernet0/2
mtu 1622
no ip address
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2.1631
encapsulation dot1Q 1631
ip vrf forwarding L2TP2-VRF
ip address 11.11.11.2 255.255.255.248
no snmp trap link-status
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface Virtual-Template1
ip unnumbered Loopback0
ip mtu 1460
ip tcp adjust-mss 1420
no logging event link-status
timeout absolute 10080 0
peer default ip address pool Default-Pool
ppp authentication pap
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
area 0.0.0.0 authentication message-digest
redistribute connected subnets
redistribute static subnets
passive-interface default
no passive-interface GigabitEthernet0/1.910
!
!
ip local pool Default-Pool 5.5.5.0 5.5.5.255
ip classless
ip route vrf L2TP1-VRF 12.12.12.0 255.255.254.0 10.10.10.1
ip route vrf L2TP2-VRF 12.12.12.0 255.255.254.0 11.11.11.1
no ip http server
no ip http secure-server
!
!
!
!
!
ip radius source-interface Loopback0
logging alarm informational
!
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 15
transport input ssh
line vty 5 15
session-timeout 15
transport input ssh
!
!
end

Any help would be greatly appreciated.

Thanks,

-Dennis

Labels:
0 Helpful
1 Reply 1

Cassio Luis Reis Gomes
Cisco Employee
Cisco Employee

‎02-18-2012 10:49 AM

Hello Dennis,

I did a test using CPE, LAC and LNS under VRF and it worked fine. basically we need to have connectivity between LNS and LAC inside of VRF, in my case I configured an specific interface for each VRF between LAC and LNS and then it worked .

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftvpdnmh.html

Please, I put the logs of CPE, LAC and LNS in this link

http://www.clrgomes.com.br/books/LOG-LNS-LAC-CPE.txt

Best regards,

Cassio Gomes

0 Helpful
Customers Also Viewed These Support Documents