Supporting Document LNS Configuration



Similar documents
Remote Access VPN Business Scenarios

Configure Allied Telesis and Cisco routers to interoperate over L2TP

Supporting Document PPP

Provisioning Dial Access to MPLS VPN Integration

Configuring Timeout, Retransmission, and Key Values Per RADIUS Server

Configuring Remote Access to MPLS VPN

co Sample Configurations for Cisco 7200 Broadband Aggreg

Supported Platforms. Supported Standards, MIBs, and RFCs. Prerequisites. Related Features and Technologies. Related Documents. Improved Server Access

Configuring Dial Backup and Remote Management

How To Configure A Cisco Router With A Cio Router

OBJECTIVES This paper examines how NetFlow is implemented on logical interfaces. Logical interfaces can be divided into two groups:

IP Tunneling and VPNs

DSL Network Architectures

Table of Contents. Cisco Configuring the PPPoE Client on a Cisco Secure PIX Firewall

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

L2TP Dial-Out Load Balancing and Redundancy

RADIUS Server Load Balancing

Configuring a Leased Line

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.

External Authentication with Cisco Router with VPN and Cisco EZVpn client Authenticating Users Using SecurAccess Server by SecurEnvoy

RADIUS Server Load Balancing

Route-Switch-Controller Handover Redundancy on the Cisco AS5850

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Configuring Modem Transport Support for VoIP

Call Flows for Simple IP Users

Internet Access Setup

Switch Configuration Required to Support Cisco ISE Functions

How To Configure Apple ipad for Cyberoam L2TP

Benoit Lourdelet Cisco Systems Cisco IOS IPv6 Technical Marketing Engineer 2003, Cisco Systems, Inc. All rights reserved.

Implementation of Business Linux Routers

Overview of Dial Interfaces, Controllers, and Lines

Network Security 2. Module 6 Configure Remote Access VPN

Configuring IPsec VPN Fragmentation and MTU

BRI to PRI Connection Using Data Over Voice

Cisco Virtual Office Deployment Guide

Enabling Management Protocols: NTP, SNMP, and Syslog

MPLS. Cisco MPLS. Cisco Router Challenge 227. MPLS Introduction. The most up-to-date version of this test is at:

IOS NAT Load Balancing with Optimized Edge Routing for Two Internet Connections

Internet Access Setup

LAN-Cell to Cisco Tunneling

Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham

Objectives. Background. Required Resources. CCNA Security

Using a Sierra Wireless AirLink Raven X or Raven-E with a Cisco Router Application Note

Virtual Private Network and Remote Access Setup

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

This chapter covers the following topics: ADSL Overview Cisco 6160 DSLAM Overview Cisco 6400 UAC Overview DSL Access Architectures and Protocols

Output Interpreter. SHOW RUNNING-CONFIG SECURITY Analysis SHOW RUNNING-CONFIG - FW Analysis. Back to top

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

ETHEL THE AARDVARK GOES BGP ROUTING

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

SAS3 INSTALLATION MANUAL SNONO SYSTEMS 2015

Lab QoS Classification and Policing Using CAR

APNIC elearning: BGP Basics. Contact: erou03_v1.0

Using PIX Firewall in SOHO Networks

Table of Contents. Cisco Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access

Case Study for Layer 3 Authentication and Encryption

UIP1868P User Interface Guide

Firewall Authentication Proxy for FTP and Telnet Sessions

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Understanding the Cisco VPN Client

Network Security and AAA

Juniper Networks WX Series Large. Integration on Cisco

Exam Name: BGP + MPLS Exam Exam Type Cisco Case Studies: 3 Exam Code: Total Questions: 401

LAB Configuring NAT. Objective. Background/Preparation

RADIUS Vendor-Specific Attributes (VSA)

Configuring the Cisco Secure PIX Firewall with a Single Intern

Monitoring Remote Access VPN Services

Configuring PEAP / LDAP based authentication using FreeRADIUS on Debian Sarge and Cisco AP1200, with WPA2 AES encryption

Configuring Access Service Security

Virtual Fragmentation Reassembly

P and FTP Proxy caching Using a Cisco Cache Engine 550 an

How To Configure some basic firewall and VPN scenarios

L2F Case Study Overview

Cisco Configuring Basic MPLS Using OSPF

Configuring Global Protect SSL VPN with a user-defined port

Lab 10: Confi guring Basic Border Gateway Protocol

IPv6 and xdsl. Speaker name address

PPTP Server Access Through The

Design, Implementation and Evolution of a DNS anycast resolving service in a country-wide ISP network

What information will you find in this document?

Felix Rohrer. PT Activity 7.5.3: Troubleshooting Wireless WRT300N. Topology Diagram

Testing Juniper Networks M40 Router MPLS Interoperability with Cisco Systems 7513 and Routers


RA-MPLS VPN Services. Kapil Kumar Network Planning & Engineering Data. Kapil.Kumar@relianceinfo.com

7.1. Remote Access Connection

Using the Border Gateway Protocol for Interdomain Routing

LAB II: Securing The Data Path and Routing Infrastructure

Application Note 45. Main Mode IPSec VPN from Digi WR44 to a Cisco Using GRE over IPSec with the Cisco configured for VTI. UK Support June 2011

Overview of Access VPNs and Tunneling Technologies

Multihomed BGP Configurations

Configuring a Cisco 2509-RJ Terminal Router

DSL-G604T Install Guides

Cisco Which VPN Solution is Right for You?

Module 6 Configure Remote Access VPN

Chapter 1 Connecting Your Router to the Internet

Dynamic Host Configuration Protocol for IPv6

Configuring Tunnel Default Gateway on Cisco IOS EasyVPN/DMVPN Server to Route Tunneled Traffic

Transcription:

Supporting Document LNS Configuration Swisscom (Schweiz) AG Version 1-0 15.112010

Inhalt 1 General... 3 1.1 Appendix A: Load Balancing between POPs... 3 1.2 Appendix B: Examples of LNS and BGP Configurations... 3 1.2.1 LNS Basic... 3 1.2.2 LNS Basic AAA... 4 1.2.3 BGP Load Balancing... 7 Page 2 von 7

1 General This document describes the scripts used for configuring a CISCO L2TP Network Server (LNS). 1.1 Appendix A: Load Balancing between POPs For more details, please refer to document [13] Technical Specification Connectivity. 1.2 Appendix B: Examples of LNS and BGP Configurations The ISP must configure its LNS router to enable it to transmit L2TP. The configurations below are only examples: FWS declines all responsibility for the correctness of this information. 1.2.1 LNS Basic Configuration for a basic LNS to connect to BBCS 27.4.2002 only absolutely necessary features and config statements included The router should be configured and protected according to the (I)SP s policy IOS release 12.2(7) and newer provides the possibility for MTU adaptive, which dynamically assigns the MTU as negotiated between PPPoX client and LAC per every individual PPP session. (1492 for PPPoE, 1500 for PPPoA) PPP clients are locally authenticated without any AAA server. IP addresses need to be adapted for the real-life, IP addresses for the L2TP tunnels need to be out of the (I)SP's public address range IOS used in this example: IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(7), RELEASE SOFTWARE (fc1) cisco 7204VXR (NPE400) processor (revision A) with 114688K/16384K bytes of memory. hostname LNS-A users are localy administered, no AAA server in this example aaa new-model aaa authorization network default local usernames and passwords for ppp clients username usr1@lnsa.ch password pwd1 username usr2@lnsa.ch password pwd2 username usr3@lnsa.ch password pwd3 username usr4@lnsa.ch password pwd4 username usr5@lnsa.ch password pwd5 enable secret cisco ip cef this enables the whole show vpdn enable statements for the local L2TP tunnel settings the tunnelname (local name statement) is seen on the Swisscom LAC and should allow to easily identify the (I)SP and LNS vpdn-group lnsa Default L2TP VPDN group accept-dialin protocol l2tp Page 3 von 7

virtual-template 1 local name (I)SPa.zh01 l2tp tunnel password tunnel_pw the interface to bind the L2TP tunnel interface Loopback0 ip address 172.16.101.1 255.255.255.255 L2TP packets are sourced by loopback0 vpdn source-ip 172.16.101.1 the interface towards the internet "ip tcp adjust-mss 1400" allows to intercept TCP syn packets and change the TCP MSS size on the fly. As a result TCP packets get smaller and once the L2TP headers are added still fit unfragmented on the FastEthernet interface towards IPSS, thus allowing much higher throughput and saving CPU resources. This should also solve other MTU issues with PC's behind PPPoE Routers. ip tcp mss is currently not in 12.2(7). 12.2.8T already supports it. interface FastEthernet0/0 ip tcp adjust-mss 1400 ip address 172.16.1.2 255.255.255.0 interface towards IPSS interface FastEthernet4/0 ip address 172.16.60.2 255.255.255.0 duplex full each PPP subscriber gets a virtual-access interface cloned out of virtual-template 1 keepalives are important to detect ungracefully disconnected PPP peers subscribers get there addresses out of a local ip-pool MTU automatically adjusted for PPPoA or PPPoE no need to specify CHAP here, as this is already enforced by the LAC interface Virtual-Template1 ip unnumbered Loopback0 keepalive 11 peer default ip address pool pool_(i)spa ppp mtu adaptive ppp ipcp dns <dns1> <dns2> ip local pool pool_(i)spa 2.2.2.1 2.2.2.254 ip classless route towards IPSS to reach all LAC's ip route 138.187.22.0 255.255.254.0 172.16.60.1 line con 0 line aux 0 line vty 0 4 end 1.2.2 LNS Basic AAA Configuration for a basic LNS to connect to BBCS, users are administered on a AAA server 27.4.2002 only absolutely necessary features and config statements included The router should be configured and protected according to the (I)SP s policy Page 4 von 7

IOS release 12.2(7) and newer provides the possibility for MTU adaptive, which dynamically assigns the MTU as negotiated between PPPoX client and LAC per every individual PPP session. (1492 for PPPoE, 1500 for PPPoA) PPP clients are locally authenticated without any AAA server. PPP clients are authenticated on a RADIUS server. accounting data is sent to the same RADIUS server IP addresses need to be adapted for the real-life, IP addresses for the L2TP tunnels need to be out of the (I)SP's public address range IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(7), RELEASE SOFTWARE (fc1) cisco 7204VXR (NPE400) processor (revision A) with 114688K/16384K bytes of memory. hostname LNS-A authentication and accounting on AAA server in this example aaa new-model aaa authentication ppp default group radius aaa accounting delay-start aaa accounting network default start-stop group radius radius-server host <radius_server> auth-port <radius_auth_port> acct-port <radius_acc_port> key <key> enable secret cisco ip cef this enables the whole show vpdn enable statements for the local L2TP tunnel settings the tunnelname (local name statement) is seen on the Swisscom LAC and should allow to easily identify the (I)SP and LNS vpdn-group lnsa Default L2TP VPDN group accept-dialin protocol l2tp virtual-template 1 local name (I)SPa.zh01 l2tp tunnel password tunnel_pw the interface to bind the L2TP tunnel interface Loopback0 ip address 172.16.101.1 255.255.255.255 L2TP packets are sourced by loopback0 vpdn source-ip 172.16.101.1 the interface towards the internet "ip tcp adjust-mss 1400" allows to intercept TCP syn packets and change the TCP MSS size on the fly. As a result TCP packets get smaller and once the L2TP headers are added still fit unfragmented on the FastEthernet interface towards IPSS, thus allowing much higher throughput and saving CPU resources. This should also solve other MTU issues with PC's behind PPPoE Routers. ip tcp mss is currently not in 12.2(7). 12.2.8T already supports it. interface FastEthernet0/0 ip tcp adjust-mss 1400 ip address 172.16.1.2 255.255.255.0 interface towards IPSS Page 5 von 7

interface FastEthernet4/0 ip address 172.16.60.2 255.255.255.0 duplex full each PPP subscriber gets a virtual-access interface cloned out of virtual-template 1 keepalives are important to detect ungracefully disconnected PPP peers subscribers get there addresses out of a local ip-pool MTU automatically adjusted for PPPoA or PPPoE no need to specify CHAP here, as this is already enforced by the LAC interface Virtual-Template1 ip unnumbered Loopback0 keepalive 11 peer default ip address pool pool_(i)spa ppp mtu adaptive ppp ipcp dns <dns1> <dns2> ip local pool pool_(i)spa 2.2.2.1 2.2.2.254 ip classless route towards IPSS to reach all LAC's ip route 138.187.22.0 255.255.254.0 172.16.60.1 line con 0 line aux 0 line vty 0 4 end Page 6 von 7

1.2.3 BGP Load Balancing Configuration for prepending the AS path for selected routes router bgp 1234 neighbor 9.1.0.10 remote-as 65501 neighbor 9.1.0.10 password ipss neighbor 9.1.0.10 timers 5 15 neighbor 9.1.0.10 route-map more-as out no auto-summary route-map more-as permit 10 match ip address more-as set as-path prepend 65502 route-map more-as permit 20 ip access-list standard more-as permit 1.1.1.0 0.0.0.255 Page 7 von 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information