Volume 1
Implementing Broadband Aggregation on Cisco 10000 Series
Version 1.0
Student Guide
The products and specifications, configurations, and other technical information regarding the products in this manual
are subject to change without notice. All statements, technical information, and recommendations in this manual are
believed to be accurate but are presented without warranty of any kind, express or implied. You must take full
responsibility for their application of any products specified in this manual.
LICENSE
PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL,
DOCUMENTATION, AND/OR SOFTWARE (MATERIALS). BY USING THE MATERIALS YOU AGREE TO
BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT AGREE WITH THE
TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS (WITH PROOF OF PAYMENT)
TO THE PLACE OF PURCHASE FOR A FULL REFUND.
Cisco Systems, Inc. (Cisco) and its suppliers grant to you (You) a nonexclusive and nontransferable license to use
the Cisco Materials solely for Your own personal use. If the Materials include Cisco software (Software), Cisco
grants to You a nonexclusive and nontransferable license to use the Software in object code form solely on a single
central processing unit owned or leased by You or otherwise embedded in equipment provided by Cisco. You may make
one (1) archival copy of the Software provided You affix to such copy all copyright, confidentiality, and proprietary
notices that appear on the original. EXCEPT AS EXPRESSLY AUTHORIZED ABOVE, YOU SHALL NOT: COPY,
IN WHOLE OR IN PART, MATERIALS; MODIFY THE SOFTWARE; REVERSE COMPILE OR REVERSE
ASSEMBLE ALL OR ANY PORTION OF THE SOFTWARE; OR RENT, LEASE, DISTRIBUTE, SELL, OR
CREATE DERIVATIVE WORKS OF THE MATERIALS.
You agree that aspects of the licensed Materials, including the specific design and structure of individual programs,
constitute trade secrets and/or copyrighted material of Cisco. You agree not to disclose, provide, or otherwise make
available such trade secrets or copyrighted material in any form to any third party without the prior written consent
of Cisco. You agree to implement reasonable security measures to protect such trade secrets and copyrighted Material.
Title to the Materials shall remain solely with Cisco.
This License is effective until terminated. You may terminate this License at any time by destroying all copies of the
Materials. This License will terminate immediately without notice from Cisco if You fail to comply with any
provision of this License. Upon termination, You must destroy all copies of the Materials.
Software, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act
and its associated regulations, and may be subject to export or import regulations in other countries. You agree to
comply strictly with all such regulations and acknowledge that it has the responsibility to obtain licenses to export, reexport, or import Software.
This License shall be governed by and construed in accordance with the laws of the State of California, United States
of America, as if performed wholly within the state and without giving effect to the principles of conflict of law. If
any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall remain in full
force and effect. This License constitutes the entire License between the parties with respect to the use of the
Materials
Restricted Rights - Cisco's software is provided to non-DOD agencies with RESTRICTED RIGHTS and its supporting
documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S. Government is subject
to the restrictions as set forth in subparagraph C of the Commercial Computer Software - Restricted Rights clause at
FAR 52.227-19. In the event the sale is to a DOD agency, the U.S. Government's rights in software, supporting
documentation, and technical data are governed by the restrictions in the Technical Data Commercial Items clause at
DFARS 252.227-7015 and DFARS 227.7202.
DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND
ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR
LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF
CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event
shall Cisco's or its suppliers' liability to You, whether in contract, tort (including negligence), or otherwise, exceed the
price paid by You. The foregoing limitations shall apply even if the above-stated warranty fails of its essential
purpose.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to
comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to
provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in
accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the
interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual
generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco's installation
instructions, it may cause interference with radio and television reception. This equipment has been tested and found
to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules.
These specifications are designed to provide reasonable protection against such interference in a residential
installation. However, there is no guarantee that interference will not occur in a particular installation.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was
probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio
or television reception, try to correct the interference by using one or more of the following measures:
Turn the television or radio antenna until the interference stops.
Move the equipment to one side or the other of the television or radio.
Move the equipment farther away from the television or radio.
Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain
the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your
authority to operate the product.
The following third-party software may be included with your product and will be subject to the software license
agreement:
CiscoWorks software and documentation are based in part on HP OpenView under license from the Hewlett-Packard
Company. HP OpenView is a trademark of the Hewlett-Packard Company. Copyright 1992, 1993 Hewlett-Packard
Company.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of
California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved.
Copyright 1981, Regents of the University of California.
Network Time Protocol (NTP). Copyright 1992, David L. Mills. The University of Delaware makes no
representations about the suitability of this software for any purpose.
Point-to-Point Protocol. Copyright 1989, Carnegie-Mellon University. All rights reserved. The name of the
University may not be used to endorse or promote products derived from this software without specific prior written
permission.
The Cisco implementation of TN3270 is an adaptation of the TN3270, curses, and termcap programs developed by
the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system.
All rights reserved. Copyright 1981-1988, Regents of the University of California.
Cisco incorporates Fastmac and TrueView software and the RingRunner chip in some Token Ring products. Fastmac
software is licensed to Cisco by Madge Networks Limited, and the RingRunner chip is licensed to Cisco by Madge NV.
Fastmac, RingRunner, and TrueView are trademarks and in some jurisdictions registered trademarks of Madge
Networks Limited. Copyright 1995, Madge Networks Limited. All rights reserved.
XRemote is a trademark of Network Computing Devices, Inc. Copyright 1989, Network Computing Devices, Inc.,
Mountain View, California. NCD makes no representations about the suitability of this software for any purpose.
The X Window System is a trademark of the X Consortium, Cambridge, Massachusetts. All rights reserved.
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax
numbers are listed on the Cisco Web site at www.cisco.com/go/offices.
Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC Colombia Costa Rica Croatia Czech
Republic Denmark Dubai, UAE Finland France Germany Greece Hong Kong SAR Hungary India Indonesia Ireland
Israel Italy Japan Korea Luxembourg Malaysia Mexico The Netherlands New Zealand Norway Peru Philippines Poland
Portugal Puerto Rico Romania Russia Saudi Arabia Scotland Singapore Slovakia Slovenia South Africa Spain Sweden
Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe
Copyright 2003, Cisco Systems, Inc. All rights reserved. AccessPath, AtmDirector, Browse with Me, CCDA,
CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco Net Works logo, the Cisco
Powered Network logo, Cisco Systems Networking Academy, Fast Step, Follow Me Browsing,
FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the
iQ logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare,
SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco
Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, and Empowering the
Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco
Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco
Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA,
Network Registrar, PIX, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and
VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective
owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
(0104R)
Course Overview
Intended Audience
This course is for technical professionals who need to know how to
implement broadband aggregation on the Cisco 10000 Series router.
The following are considered the primary audience for this course:
Customer technicians
Course Level
This course is basic and intermediate training for the topics that it
covers.
Prerequisites
Students attending this course should have successfully completed the
following training:
Additional Information
Cisco Systems Technical Publications
You can print technical manuals and release notes directly from the
Internet. Go to http://www.cisco.com/univercd/home/home.htm.
Find the Cisco Systems product for which you need documentation.
Then locate the specific category and model or version for your
hardware or software product. Using Adobe Acrobat Reader, you can
open the manuals and release notes, search for the sections you need,
and print them on most standard printers. You can download Acrobat
Reader free from the Adobe Systems website, www.adobe.com.
Documentation sets and CDs are available through your local Cisco
Systems sales office or account representative.
Cisco Systems Service
Course Agenda
Day 1
Broadband Aggregation Architectures
RBE and RFC 1483 Routing
PPPoA
Day 2
PPPoE
Cisco Aggregation Optimization Features
AAA Service
Day 3
L2TP
Cisco 10000 Series Router Hardware Overview
Cisco 10000 Series Router Software Overview
Overview
Description
This course is intended for customer technicians and system
integrators who need to implement various broadband aggregation
technologies on Cisco routers. This course also enables Cisco System
Engineers (SEs) to present and demonstrate various broadband
aggregation technologies on Cisco routers for customers. Students
learn about RBE, PPPoA, PPPoE, and L2TP, and learn how to
configure and verify operation of these technologies on Cisco routers.
This course also explains the Cisco 10000 Series router hardware
architecture and software features.
The course is instructor-led and includes hands-on lab exercises.
Lecture topics are reinforced with supporting student exercises.
This course focuses on implementing broadband aggregation
technologies on the Cisco 10000 Series router; however, most of the
learning experiences from this course may be applied to other Cisco
routers that support these technologies.
Objectives
After completing this course, you will be able to do the following:
Explain how RBE and RFC 1483 routing work, describe their
typical architectures and benefits, and configure them on Cisco
routers
Describe the Cisco 10000 Series router and explain the features
and functions of system-wide hardware and software components
Contents
Course Overview ........................................................................................................... v
Course Agenda ............................................................................................................ vii
Module 4 PPPoE ...................................................................................................... 4-1
Overview ................................................................................................................... 4-1
Typical PPPoE Architecture ...................................................................................... 4-2
PPPoE Protocol Stack ................................................................................................ 4-6
How Does PPPoE Discovery Work? ............................................................................ 4-8
PPPoEoA with PTA Protocol Stack .......................................................................... 4-10
PPPoEoA with Tunneling Protocol Stack ................................................................. 4-14
How Does PPPoE Work with PTA? .......................................................................... 4-16
How Does PPPoE Work with Tunneling? ................................................................. 4-18
PPPoE IP Address Management .............................................................................. 4-20
PPPoEoA Configuration .......................................................................................... 4-22
PPPoE Advantages and Disadvantages ................................................................... 4-34
PPPoEoE and PPPoEo802.1q ................................................................................... 4-38
PPPoEoE and PPPoEo802.1q Configuration ............................................................ 4-40
Summary ................................................................................................................ 4-42
Review Questions .................................................................................................... 4-43
Glossary .......................................................................................................................... 1
Technology Acronyms .................................................................................................... 2
Cisco 10000 Series Router Acronyms ............................................................................. 5
Module 1
Broadband Aggregation Architectures
Overview
Description
In this module, you will learn about the various broadband aggregation
architectures available with Cisco routers.
Objectives
After completing this module, you will be able to do the following:
Network Segments
You can view the access and core network that serve broadband
subscribers as being divided into three segments.
[Figure: Broadband network segments. CPE (ATU-R); NAP: DSLAM, Aggregation, Service Selection, Termination; NSP: ISP, Internet, Internet Core, Enterprise, Content, Video, Voice]
Aggregation systems
Subscriber Termination
ATM switching
Bridging
PPP termination
Routing
Core Network
Typical core networks are either ATM based or IP based. If a legacy ATM
network is in place, then the NAP may continue to use it to transport data
to the NSP. NAPs are migrating to using IP cores rather than ATM
switching or building new IP cores using Gigabit Ethernet. Additionally, IP
cores are evolving to Multiprotocol Label Switching (MPLS).
Internet access
Access to corporations
Training Focus
[Figure: the network-segment diagram again (CPE, NAP, NSP), marking the segments this training focuses on]
[Figure: Subscriber connected directly to the Service Provider]
[Figure: Subscriber connected through a Carrier (ILEC) to the Service Provider]
VC Service
Description
A virtual circuit (VC) service is one in which the subscriber permanent
virtual circuit (PVC) is switched all the way to the ISP, NSP, or
corporation. The ISP, NSP, or corporation is responsible for terminating
the PVC, retrieving the IP data, and providing IP addressing to the
subscriber. A VC service is commonplace with NAPs who are simply
providing a wholesale service.
[Figure: VC Service. Local loops from subscribers terminate on DSLAMs (local exchanges); the subscriber PVCs are switched across the ATM access network and the ATM core network to the BRAS of ISP1.com or ISP2.com]
[Figure: Bridging, RBE, and Routing at the aggregation device. A bridged CPE is received into a bridge group (bridging); another bridged CPE is received into RBE; a routed CPE is received into routing; all are forwarded across the core to ISP1.com and ISP2.com]
PPP Review
Description of PPP
Point-to-Point Protocol (PPP), defined in RFC 1661, is a standard method
of encapsulating upper layer protocols, such as IP and IPX, across point-to-point links. It was originally intended for dial-up applications, but it is also
suitable for applications requiring authentication of subscribers in a
broadband environment. In a dial-up environment, PPP offers several
functions, but in broadband implementations its principal function is to
provide user authentication using Password Authentication Protocol (PAP)
or Challenge Handshake Authentication Protocol (CHAP), and additionally
support for multiple protocols.
PPP Fundamentals
The following are fundamental concepts of PPP that you should know.
Besides the RFC, there are numerous publications that explain PPP in
detail.
PPP is comprised of three main components and phases:
[Figure: PPP Review. Protocol stack across a point-to-point link: Layer 3 over NCP, LCP, HDLC, and PHY at each end; intermediate hops carry the link over ATM, FR, etc.]
Link Dead Phase
This phase determines the physical readiness of the link. Once the physical
layer is initialized, the link goes into the Link Establishment phase.
Link Establishment Phase
During this phase, each end uses Configure-Request packets to initialize
LCP and negotiate data-link layer parameters. When a Configure-Ack is
received at both ends of the link, the link enters the Open state and goes
into the Authentication phase. The following options may be exchanged
during this phase:
Authentication Protocol
Quality Protocol
Magic Number
Authentication Phase
During this phase, the two ends of the link authenticate each other using an
agreed-upon protocol such as PAP or CHAP. The link does not proceed to
the Network Layer Protocol phase until authentication is successful. If
authentication fails, the link goes to the Link Termination phase.
Network Layer Protocol Phase
During this phase, each end exchanges Configure-Request and Configure-Ack
packets to activate any supported network layer protocols using the
appropriate NCP. Once an NCP is opened, the PPP link transports data
across the link.
Link Termination Phase
This phase terminates the PPP link, which may be caused by physical link
failure, link quality failure, configuration rejection, or authentication
failure. The network administrator can also disable the link for diagnostic
purposes. LCP uses Terminate-Request packets to terminate the link and
notifies the appropriate NCPs that the link is terminating.
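The Authentication phase above names PAP and CHAP without showing what crosses the link. The following is an added example, not code from the course or from Cisco: it builds and parses the PAP Authenticate-Request (RFC 1334) and the CHAP Challenge/Response pair (RFC 1994) byte for byte, and runs the authenticator's check. The user name, secret, and challenge values are constructed for the illustration, and the `secrets` dictionary stands in for the local or AAA user database.

```python
"""PAP vs. CHAP authentication packets on a PPP link (RFC 1334, RFC 1994).

Added example; the packet formats are from the RFCs, the names and
sample values are constructed for this illustration.
"""
import hashlib
import hmac
import struct

# PPP protocol numbers that identify the authentication protocol in the PPP frame
PPP_PAP = 0xC023
PPP_CHAP = 0xC223

PAP_AUTH_REQ = 1                       # RFC 1334 Authenticate-Request
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2   # RFC 1994 codes (3 = Success, 4 = Failure)


def pap_authenticate_request(ident, peer_id, password):
    """PAP Authenticate-Request: the password is carried in clear text."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQ, ident, 4 + len(body)) + body


def parse_pap(packet):
    """Return (identifier, peer_id, password) from an Authenticate-Request."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQ or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    n = packet[4]
    peer_id = packet[5:5 + n]
    m = packet[5 + n]
    return ident, peer_id, packet[6 + n:6 + n + m]


def chap_challenge(ident, challenge, name):
    """Authenticator -> peer: CHAP Challenge carrying a fresh, unpredictable value."""
    body = bytes([len(challenge)]) + challenge + name
    return struct.pack("!BBH", CHAP_CHALLENGE, ident, 4 + len(body)) + body


def chap_response_value(ident, secret, challenge):
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_response(ident, secret, challenge, name):
    """Peer -> authenticator: CHAP Response. Only the 16-byte hash crosses the link."""
    value = chap_response_value(ident, secret, challenge)
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


def parse_chap(packet):
    """Return (code, identifier, value, name) from a Challenge or Response."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (CHAP_CHALLENGE, CHAP_RESPONSE) or length != len(packet):
        raise ValueError("not a well-formed CHAP Challenge/Response")
    size = packet[4]
    return code, ident, packet[5:5 + size], packet[5 + size:length]


def chap_verify(response_pkt, challenge, secrets):
    """Authenticator side: recompute the hash from the stored secret for the claimed name.

    `secrets` stands in for the local or AAA user database (name -> secret).
    """
    code, ident, value, name = parse_chap(response_pkt)
    secret = secrets.get(name)
    if code != CHAP_RESPONSE or secret is None:
        return False
    expected = chap_response_value(ident, secret, challenge)
    return hmac.compare_digest(value, expected)   # constant-time comparison


def demo():
    """One PAP request and one CHAP exchange over constructed sample values."""
    secrets = {b"user@isp1.com": b"s3cret"}       # constructed user database
    pap = pap_authenticate_request(1, b"user@isp1.com", b"s3cret")

    challenge = bytes(range(16))                  # constructed; use os.urandom(16) for real
    chal_pkt = chap_challenge(7, challenge, b"aggregator")
    _, ident, chal_value, _ = parse_chap(chal_pkt)
    good = chap_response(ident, b"s3cret", chal_value, b"user@isp1.com")
    bad = chap_response(ident, b"wrong", chal_value, b"user@isp1.com")
    later_challenge = bytes(range(16, 32))         # a second, different challenge
    return {
        "pap_password_on_wire": b"s3cret" in pap,
        "chap_secret_on_wire": b"s3cret" in good,
        "chap_ok": chap_verify(good, challenge, secrets),
        "chap_wrong_secret": chap_verify(bad, challenge, secrets),
        "chap_replay_rejected": not chap_verify(good, later_challenge, secrets),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two points the code makes visible: with PAP the password is readable by anyone who captures the PPP frame, while with CHAP only a hash bound to a one-time challenge is sent, so a captured Response is useless against a later challenge. The price of CHAP is that the authenticator (or the AAA database behind it) must hold the clear-text secret to recompute the hash, so that database needs protecting in its own right.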
[Figure: PPP Review. Authentication Phase: authentication packets exchanged in both directions, followed by Data Exchange]
You will often see the abbreviation PPPoX, which collectively refers to
all methods of PPP over ATM, Ethernet, and so on.
PPPoA
PPPoA works in an ATM environment. It relies on the presence of a VC
between the CPE and the aggregation device. The PPP session is between
CPE and the aggregator. The CPE is responsible for authenticating with
the aggregator.
With PPPoA, the CPE can run NAT for multiple users behind the CPE and
conserve IP addresses. However, since there is a single PPP session per
VC, the users are limited to selecting a single service, that is, a single ISP.
PPPoE
PPPoE is similar to PPPoA in that it establishes a PPP session with the
aggregation device. PPPoE has the following key differences from PPPoA:
PPPoE is suitable for residential customers with multiple PCs behind the
CPE that need the flexibility to access multiple services simultaneously.
An important consideration, though, is that the PPPoE client software
needs to be installed on the PC. There are multiple variations of PPPoE
that we will learn about later:
PPPoEoA
PPPoEoE
PPPoEo802.1q
[Figure: PPPoA and PPPoE. PPPoA: one PPP session from the CPE to the aggregation device; PPPoE: PPP sessions from the PCs behind a bridged CPE, through the DSLAM, to the aggregation device; the core connects to ISP1.com and ISP2.com]
PTA
PPP termination and aggregation (PTA) is the point at which PPPoX
sessions are terminated, that is, the aggregation device. From this point,
user data is extracted from the PPP frames and forwarded to its
destination, such as an ISP or corporation.
With PTA, the service is selected based on a structured domain name
(username@service.com), and it supports one service at a time. The IP
traffic is forwarded to a single routing domain.
PTA is generally used by providers for their own customers if regulations
allow it.
[Figure: PTA. PPPoA and PPPoE sessions terminate at the aggregation device (PTA); from there the IP traffic is routed to the Internet]
L2TP
Description
Layer 2 Tunneling Protocol (L2TP) is an extension to PPP. It was
introduced to allow the use of PPP between different networks and across
multiple communication links.
L2TP extends the PPP session beyond the PTA that you saw in the
previous illustration to a destination closer to the service that the user
wants to access. L2TP accomplishes this by setting up a tunnel over
multiple links and networks between an access concentrator and a network
server. The PPP session that would have been terminated at the
concentrator is then continued through the tunnel to the server.
L2TP is an important component of VPNs. Between the access
concentrator and network server, the service provider does not look at the
subscriber traffic beyond the Layer 2 information after the session is
established.
Benefits of L2TP
The following are benefits of L2TP:
Components of L2TP
The following are some of the major components of L2TP:
L2TP network server (LNS): terminates the tunnel from the LAC. It
terminates the PPP session and extracts user data for further
forwarding.
L2TP tunnel: exists between the LAC and LNS. It encapsulates the
PPP traffic with the header information necessary to support the tunnel.
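The "header information necessary to support the tunnel" is the L2TP header of RFC 2661. The following is an added example, not code from the course or from Cisco: it builds and parses that header and groups packets by tunnel and session ID the way a LAC or LNS does, without examining the PPP payload. The tunnel and session IDs, the sequence numbers, and the toy PPP frame are constructed sample values.

```python
"""L2TPv2 header builder/parser (RFC 2661 section 3.1).

Added example, not from the course. Field layout follows the RFC; tunnel and
session IDs and the PPP payload below are constructed sample values.
"""
import struct

L2TP_UDP_PORT = 1701
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
VERSION_MASK = 0x000F


def build_l2tp(tunnel_id, session_id, payload, control=False, ns=0, nr=0):
    """Build an L2TP packet.

    Control messages (T=1) must carry the Length field and the Ns/Nr sequence
    numbers; data messages carrying a PPP frame may omit them.
    """
    flags = 2                                  # Ver = 2
    body = struct.pack("!HH", tunnel_id, session_id)
    if control:
        flags |= T_BIT | L_BIT | S_BIT
        body += struct.pack("!HH", ns, nr)
        length = 2 + 2 + len(body) + len(payload)
        return struct.pack("!HH", flags, length) + body + payload
    return struct.pack("!H", flags) + body + payload


def parse_l2tp(packet):
    """Decode the header and return the fields the LAC/LNS use to switch the packet."""
    if len(packet) < 6:
        raise ValueError("truncated L2TP header")
    (flags,) = struct.unpack("!H", packet[:2])
    if flags & VERSION_MASK != 2:
        raise ValueError("not an L2TPv2 packet")
    is_control = bool(flags & T_BIT)
    pos = 2
    length = None
    if flags & L_BIT:
        (length,) = struct.unpack("!H", packet[pos:pos + 2])
        pos += 2
        if length > len(packet):
            raise ValueError("Length exceeds packet size")
    elif is_control:
        raise ValueError("control message without Length field")
    tunnel_id, session_id = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack("!HH", packet[pos:pos + 4])
        pos += 4
    elif is_control:
        raise ValueError("control message without Ns/Nr")
    if flags & O_BIT:                           # Offset Size and padding precede the payload
        (offset,) = struct.unpack("!H", packet[pos:pos + 2])
        pos += 2 + offset
    end = len(packet) if length is None else length
    return {
        "control": is_control,
        "priority": bool(flags & P_BIT),
        "tunnel_id": tunnel_id,
        "session_id": session_id,
        "ns": ns,
        "nr": nr,
        "payload": packet[pos:end],
    }


def switch_by_session(packets):
    """Group packets the way a tunnel endpoint does: by (tunnel_id, session_id),
    counting control and data messages without looking into the PPP payload."""
    table = {}
    for pkt in packets:
        h = parse_l2tp(pkt)
        key = (h["tunnel_id"], h["session_id"])
        entry = table.setdefault(key, {"control": 0, "data": 0, "bytes": 0})
        entry["control" if h["control"] else "data"] += 1
        entry["bytes"] += len(h["payload"])
    return table


# Constructed sample: a PPP frame (address/control 0xFF03, protocol 0x0021 = IP) with a toy payload
PPP_IP_FRAME = b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14" + b"\x00" * 16
SAMPLE = [
    build_l2tp(0x1234, 0x0000, b"", control=True, ns=0, nr=0),   # tunnel-level control (session 0)
    build_l2tp(0x1234, 0x0042, PPP_IP_FRAME),                      # data for session 0x42
    build_l2tp(0x1234, 0x0042, PPP_IP_FRAME),
    build_l2tp(0x1234, 0x0043, PPP_IP_FRAME),                      # a second subscriber session
]

if __name__ == "__main__":
    for key, stats in switch_by_session(SAMPLE).items():
        print(f"tunnel {key[0]:#06x} session {key[1]:#06x}: {stats}")
```

The endpoints switch on tunnel and session IDs alone, which is what the text means by not looking beyond the Layer 2 information. Note that RFC 2661 itself gives the tunnel no confidentiality or integrity protection; its security considerations defer that to IPsec, so a tunnel crossing an untrusted IP core needs it added.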
[Figure: L2TP. PPPoA and PPPoE sessions reach the aggregation device acting as LAC; an L2TP tunnel across the IP core carries each PPP session to the LNS of ISP1.com or ISP2.com, where the PPP session ends]
AAA
Authentication, authorization, and accounting (AAA) provides three
functions, provided by an AAA server that maintains a database of users.
AAA Functions
Authentication identifies the users. The user login name and password are
checked against the AAA database to determine whether a user is allowed
to access the network.
Authorization determines what the users can do. The AAA database stores
attributes that determine the user's capabilities and restrictions.
Accounting tracks what the users have done. Accounting collects
information in the database about user access, traffic statistics, and
resource usage. This information can then be used for billing and network
management.
AAA Methods
Three methods are generally used to provide AAA services. One or more of
these may be used concurrently.
Local: the router or access server consults its local database.
Username/password pairs are configured in Cisco IOS software.
Remote Authentication Dial-In User Service (RADIUS): a client (router)
and server (UNIX or NT) model. Each username and its associated attributes
are stored in the RADIUS database.
Terminal Access Controller Access Control System Plus (TACACS+): a server
that separates the authentication, authorization, and accounting functions.
The router accesses the TACACS+ server's database, where user
information and capabilities are maintained.
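The RADIUS method above is described only as a client (router) and server model. The following is an added example, not code from the course or from Cisco, that goes one step deeper into that model: it shows how the router builds an Access-Request (RFC 2865 section 3) with the User-Password attribute hidden under the shared secret (section 5.2), and how the server recovers and checks it. The shared secret, user name, password, and the `USERS` table standing in for the RADIUS database are constructed values.

```python
"""RADIUS Access-Request with the User-Password attribute hidden under the
shared secret (RFC 2865 sections 3 and 5.2).

Added example, not from the course. The packet layout is from the RFC; the
shared secret, user name, password, and user table are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, then c_i = p_i XOR MD5(secret + c_(i-1)),
    with the 16-byte Request Authenticator standing in for c_0."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: reverse the XOR chain with the same secret and authenticator."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strip the null padding (a password ending in NUL is lost)


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def access_request(ident, username, password, secret, authenticator=None):
    """What the NAS (the router) sends: Code, Identifier, Length, Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {type: value}) or raise on malformed input."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs


def server_accepts(packet, secret, users):
    """Server side: recover the password and compare it with the stored one.

    `users` stands in for the RADIUS user database (name -> password)."""
    code, _, authenticator, attrs = parse_packet(packet)
    name = attrs.get(ATTR_USER_NAME)
    hidden = attrs.get(ATTR_USER_PASSWORD)
    if code != ACCESS_REQUEST or name is None or hidden is None or name not in users:
        return False
    try:
        recovered = reveal_password(hidden, secret, authenticator)
    except ValueError:
        return False
    return hmac.compare_digest(recovered, users[name])


# Constructed sample values
SECRET = b"example-shared-secret"
USERS = {b"user@isp1.com": b"correct horse battery"}   # 21 octets -> two 16-octet blocks


def demo():
    pkt = access_request(1, b"user@isp1.com", b"correct horse battery", SECRET)
    return {
        "accepted_with_right_secret": server_accepts(pkt, SECRET, USERS),
        "rejected_with_wrong_secret": not server_accepts(pkt, b"other-secret", USERS),
        "password_hidden_on_wire": b"correct horse battery" not in pkt,
    }


if __name__ == "__main__":
    print(demo())
```

Two properties worth keeping in mind when deploying the RADIUS method: the hiding rests entirely on the shared secret and on a Request Authenticator that is different for every request (reuse it and equal passwords produce equal ciphertext), and it only obscures the password against casual capture of the router-to-server traffic rather than providing strong encryption, which is why the router-to-server path is normally kept on a protected management network.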
AAA Usage
AAA plays an important role with PPP and L2TP in controlling user
sessions and tunnels. AAA services are used at the PTA, LAC, and/or LNS
and are commonly provided by means of RADIUS servers. These are some
of the important functions that AAA provides:
[Figure: AAA. PPP and L2TP user sessions are authenticated by the router against Local, RADIUS, or TACACS+ databases (authentication methods: Local, RADIUS, TACACS+)]
Managed LNS
Description
Managed LNS is a term used to identify an implementation of session
termination. It makes use of virtual routing and forwarding (VRF) at the
LNS or PTA. The LNS/PTA aggregator terminates the L2TP tunnel or PPP
sessions and places the sessions in the appropriate VRF. The sessions are
then forwarded through a separate logical and physical interface to their
respective upstream customer sites.
Note: An earlier Cisco implementation of this function was PTA MultiDomain (PTA-MD).
Benefits
Some of the benefits of using a managed LNS architecture include the
following:
[Figure: Managed LNS. Clients reach the LNS/PTA over L2TP or PPP; each session is placed in a VRF for its customer (Customer A, Customer B) within the SP network, each customer with its own AAA and DHCP]
Benefits
RA-MPLS offers these same benefits as managed LNS:
[Figure: RA-MPLS. Clients terminate on the BRAS acting as PE; the MPLS network carries each customer VRF to the PE of the NSP or the corporation, each with its own AAA and DHCP]
SSG
SSG is a Cisco IOS feature that is available on selected Cisco aggregation
routers. The following are some of the key features and functions of SSG:
SESM
SESM is a Cisco software application that runs on Windows 2000/NT or
Solaris and Linux platforms. SESM enables users to manage their service
selection experience by allowing them to perform the following functions:
Service subscription
Subaccount creation
SESM also has a service developer kit that enables third-party and
application developers to build their own applications or to integrate
directly to their existing operations infrastructure.
[Figure: SESM. Subscribers on ADSL, leased line, dial, WAP, 802.11b, and GGSN/PDSN access (PC, PDA, notebook) select services (Internet, corporate VPN, open garden) through the Content Services Gateway (CSG), SESM, AAA, and directory]
Summary
Broadband Aggregation Architectures
In this module, you learned the following:
Review Questions
Broadband Aggregation Architectures
1. List the segments that make up a broadband subscriber network
environment.
_________________________________________________________
2. A service provider that provides the access connection to the subscriber
and connects the subscriber to the NSP is characteristic of a
_________________________ service.
3. Which of the following is not characteristic of a VC service?
a. NAPs do not need to deal with IP address management.
b. The NAP determines the user's encapsulation method.
c. End-to-end provisioning takes time.
d. It is a wholesale service that a NAP would provide.
e. It does not scale well.
4. Which of the following is a reason that RBE is preferred over strict
RFC 1483 bridging?
a. With RBE, the CPE is in routing mode rather than in bridging
mode.
b. The PC encapsulates Layer 3 data into Ethernet.
c. RBE is more secure and scalable than RFC1483 bridging.
d. RBE is more suitable for business applications.
5. Which of the following statements are true when comparing PPPoA to
PPPoE? Choose three.
a. The CPE functions as a router with PPPoA and as a bridge with
PPPoE.
b. The PPP session is initiated by the CPE with PPPoA and by the PC
with PPPoE.
c. The CPE is able to run NAT for both methods and conserve IP
addresses.
d. PPPoA functions only with ATM access methods and PPPoE
functions only with Ethernet access methods.
e. When there are multiple users behind the CPE, PPPoE is more
flexible than PPPoA for selection of multiple services.
Module 2
RBE and RFC 1483 Routing
Overview
Description
In this module, you will learn how Routed Bridge Encapsulation (RBE) and
RFC 1483 routing work, along with their typical architectures and
benefits. You will then perform hands-on exercises to configure, test, and
verify RBE and RFC 1483 routing.
Objectives
After completing this module, you will be able to do the following:
Identify the protocol stack elements associated with RBE and describe
how RBE works
Identify the protocol stack elements associated with RFC 1483 routing
and describe how RFC 1483 routing works
CPE
With RBE, the CPE functions as a bridge using RFC 1483 bridging. From
the perspective of a PC and customer premises equipment (CPE), there is
no functional difference between pure RFC 1483 bridging and RBE. The
802.3 encapsulated protocol data units (PDUs) are sent to the CPE, which
then encapsulates them into ATM cells and forwards them over a virtual
connection (VC) to the aggregation device.
Aggregator
At the aggregation device we see the key difference between pure RFC
1483 bridging and RBE. With RFC 1483 bridging, the aggregator receives
the Ethernet PDU into a bridge group and determines whether to bridge or
route based upon the contents of the Layer 2 and Layer 3 headers. With
RBE, the aggregator receives the Ethernet PDU into an ATM routed
bridge and makes a forwarding decision based upon the Layer 3
information.
______________________________ Note __________________________
When you configure the aggregator for RBE, part of the Cisco IOS
configuration process is to include the ATM routed bridge for IP traffic
on the ATM subinterfaces.
_____________________________________________________________
(Figure: RBE architecture. Bridged CPE, DSLAM, Aggregation Device, Core. The 802.3 frames from the subscriber are carried as RFC 1483 bridged PDUs to the Routed Bridge function on the aggregation device.)
802.3
The IP datagram is encapsulated in the 802.3 frame, also known as the
bridge protocol data unit (BPDU), by the PC and the aggregation router.
CPE Encapsulation
The illustration shows the combination protocol stack used by the PC and
the xDSL Termination Unit-remote (xTU-R). The PC takes the upper
layer protocol data, encapsulates it in the 802.3 header, and forwards it to
the xTU-R. The xTU-R provides the ATM related services and layers to
exchange ATM cells with the aggregation device, including RFC 1483,
ATM adaptation layer 5 (AAL5), ATM, and physical layer functions.
(Figure: RFC 1483 over ATM protocol stacks for RBE. PC/xTU-R at the Customer Premises: IP, 802.3, 1483, AAL5, ATM, PHY. DSLAM: ATM, PHY. Aggregator: 802.3, IP, 1483, AAL5, ATM, PHY on the PVC side and IP over ATM, FR, etc. toward the L3 core router. NSP/Corporate Network: IP over ATM, FR, etc., PHY.)
RFC 1483
The RFC 1483 standard describes two encapsulation methods for
multiplexing and transporting datalink and network layer protocols over
AAL5 over ATM:
For the first method, additional headers are included to identify the PDU.
A common implementation is to include the 3-byte logical link control
(LLC) and 5-byte Subnetwork Access Protocol (SNAP) header to identify
the bridged or routed PDU that follows.
With virtual connection (VC) multiplexing, each unique bridged or routed
protocol is carried over a unique VC.
______________________________ Note __________________________
It is important that you understand the two multiplexing methods. You
must choose one of the two when you configure the VC. The method you
choose must match at both ends of the VC. The VC in this
illustration is the PVC.
_____________________________________________________________
AAL5
ATM Adaptation Layer 5 (AAL5) is a common means of encapsulating
connectionless PDUs. An 8-byte trailer is added to the PDU.
The CPE encapsulates the BPDUs using RFC 1483, AAL5, and ATM
protocols.
The ATM cells are switched through the ATM network to the
aggregation router.
Incoming Frames
For frames originating from the subscriber end, the following events
happen at the aggregation device.
The aggregation router ignores the bridge header and examines the IP
datagram header to make a forwarding decision.
(Figures: RBE frame flow between Bridged CPE, DSLAM, Aggregation Device, and Core.)
RBE Configuration
Configuration Methods
The configuration of the Cisco aggregation router is based on the drawing
that follows. There are four general ways that RBE can be configured on
the aggregation router.
Of these methods, the first two are the least preferred because they require
individual subnets on each ATM subinterface and waste IP address space.
The example configurations that follow show the last two methods.
RBE Configuration
(Figure: RBE configuration topology. Aggregation Device IP=192.168.1.1; three hosts behind Bridged CPEs with IP=192.168.1.2, IP=192.168.1.3 and IP=192.168.1.4, each with GW=192.168.1.1, connected through the DSLAM to the Core.)
Four methods:
Numbered subinterfaces
Numbered subinterfaces with DHCP
Unnumbered subinterfaces
Unnumbered subinterfaces with DHCP
RBE Configuration
interface Loopback0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
!
interface ATM0/0/0.132 point-to-point
ip unnumbered Loopback0
no ip directed-broadcast
atm route-bridged ip
pvc 1/32
encapsulation aal5snap
!
interface ATM0/0/0.133 point-to-point
ip unnumbered Loopback0
no ip directed-broadcast
atm route-bridged ip
pvc 1/33
encapsulation aal5snap
!
interface ATM0/0/0.134 point-to-point
ip unnumbered Loopback0
no ip directed-broadcast
atm route-bridged ip
pvc 1/34
encapsulation aal5snap
! Static host routes toward the subscriber hosts; the hosts use 192.168.1.1 (Loopback0)
! as their gateway, so their addresses lie in 192.168.1.0/24.
ip route 192.168.1.2 255.255.255.255 ATM0/0/0.132
ip route 192.168.1.3 255.255.255.255 ATM0/0/0.133
ip route 192.168.1.4 255.255.255.255 ATM0/0/0.134
(Figure: second RBE configuration example, unnumbered subinterfaces with DHCP, shown with numbered callouts; one label reads Mutually exclusive.)
Advantages
Minimal configuration of CPE
Compared to RFC 1483 with IRB, RBE separates shared
bridging domain into individual routed interfaces which
give
Disadvantages
IP address exhaustion without unnumbered interfaces
Provisioning delays and large configurations without
DHCP
With RFC 1483 routing, the CPE functions as a router using RFC 1483
routing. The CPE receives PDUs from the subscriber hosts and makes a
forwarding decision based upon the upper layer protocol information, such
as the IP header. The CPE encapsulates PDUs into ATM cells and forwards
them over a VC to the aggregation device.
Aggregator
(Figure: RFC 1483 routing architecture. Routed CPE, DSLAM, Aggregation Device, Core. The CPE forwards subscriber traffic as RFC 1483 routed PDUs to the routing function on the aggregation device.)
IP
The IP datagram is encapsulated into a PDU by the PC and the
aggregation router. The PDUs are then encapsulated into Layer 2 frames,
typically Ethernet, when sent between the PC and CPE. Notice that the
Ethernet header is removed before the PDU is encapsulated by the RFC
1483 process.
RFC 1483
The RFC 1483 standard describes two encapsulation methods for
multiplexing and transporting datalink and network layer protocols over
AAL5 over ATM:
For the first method, additional headers are included to identify the PDU.
A common implementation is to include the LLC and SNAP header to
identify the bridged or routed PDU that follows.
With VC multiplexing, each unique bridged or routed protocol is carried
over a unique VC.
______________________________ Note __________________________
It is important that you understand the two multiplexing methods. You
must choose one of the two when you configure the VC. The method you
choose must match at both ends of the VC. The VC in this
illustration is the PVC.
_____________________________________________________________
AAL5
ATM Adaptation Layer 5 (AAL5) is a common means of encapsulating
connectionless PDUs. An 8-byte trailer is added to the PDU.
(Figure: RFC 1483 over ATM protocol stacks for RFC 1483 routing. PC/xTU-R at the Customer Premises: IP, 1483, AAL5, ATM, PHY; no 802.3 layer is carried over the PVC. DSLAM: ATM, PHY. Aggregator: IP, 1483, AAL5, ATM, PHY on the PVC side and IP over ATM, FR, etc. toward the L3 core router. NSP/Corporate Network: IP over ATM, FR, etc., PHY.)
The reassembled datagrams are received at the ATM interface and are
forwarded based upon information in the routing table.
Other features that are possible using RFC 1483 routing include the
following:
The CPE may use Network Address Translation (NAT) or Port Address
Translation (PAT) between the subscriber network and the aggregation
device.
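The encapsulation steps described for RBE earlier in this module and for RFC 1483 routing in this section, as an added Python illustration that is not code from this guide or from Cisco: a CPE-side builder for LLC/SNAP bridged and routed PDUs, the AAL5 CPCS-PDU padding and trailer, and the aggregator's incoming-frame handling that strips those layers, skips the 802.3 header when the PDU is bridged, and forwards on the IP destination against a routing table. The IPv4 datagram, MAC addresses, routing table, the core interface name `core-uplink` and the per-VC source-address check are all constructed for the example, and zlib.crc32 stands in for the I.363.5 CRC-32.

```python
"""RFC 1483 LLC/SNAP over AAL5 and the aggregator's forwarding step. Added illustration in
Python, not Cisco code; addresses, MACs, interface names and tables are constructed."""
import ipaddress
import struct
import zlib

LLC = bytes.fromhex("aaaa03")                     # 3-byte LLC header AA-AA-03
SNAP_BRIDGED_8023 = bytes.fromhex("0080c20007")   # SNAP: OUI 00-80-C2, PID 0x0007 = 802.3 frame, FCS not carried
SNAP_ROUTED_IPV4 = bytes.fromhex("0000000800")    # SNAP: OUI 00-00-00, EtherType 0x0800 = routed IPv4
BRIDGED_PAD = b"\x00\x00"                         # 2-byte PAD before a bridged MAC frame
ETH_HDR_LEN = 14                                  # destination MAC, source MAC, type

def encap_bridged(mac_frame: bytes) -> bytes:
    """CPE in bridging mode (RFC 1483 bridging or RBE): the whole 802.3 frame rides in the PDU."""
    return LLC + SNAP_BRIDGED_8023 + BRIDGED_PAD + mac_frame

def encap_routed(ip_packet: bytes) -> bytes:
    """CPE in routing mode (RFC 1483 routing): the Ethernet header is removed, only IP is carried."""
    return LLC + SNAP_ROUTED_IPV4 + ip_packet

def aal5_encap(payload: bytes) -> bytes:
    """AAL5 CPCS-PDU: payload, 0-47 PAD bytes, 8-byte trailer (UU, CPI, Length, CRC-32);
    the result is a multiple of 48 bytes, one ATM cell payload each."""
    body = payload + b"\x00" * ((-(len(payload) + 8)) % 48)
    head = struct.pack("!BBH", 0, 0, len(payload))
    crc = zlib.crc32(body + head) & 0xFFFFFFFF   # stands in for the I.363.5 CRC-32; link bit ordering not reproduced
    return body + head + struct.pack("!I", crc)

def aal5_decap(cpcs_pdu: bytes) -> bytes:
    """Reassembly: verify size, CRC and Length before trusting any payload byte."""
    if len(cpcs_pdu) < 48 or len(cpcs_pdu) % 48:
        raise ValueError("CPCS-PDU must be a non-empty multiple of 48 bytes")
    body, head, crc = cpcs_pdu[:-8], cpcs_pdu[-8:-4], struct.unpack("!I", cpcs_pdu[-4:])[0]
    if zlib.crc32(body + head) & 0xFFFFFFFF != crc:
        raise ValueError("AAL5 CRC-32 mismatch")
    length = struct.unpack("!BBH", head)[2]
    if length > len(body):
        raise ValueError("AAL5 Length field exceeds the PDU")
    return body[:length]

def rfc1483_decap(pdu: bytes):
    """Return ('bridged', mac_frame) or ('routed', ip_packet) according to the LLC/SNAP header."""
    if pdu[:3] != LLC:
        raise ValueError("no LLC/SNAP header (a VC-multiplexed PVC would carry the PDU bare)")
    if pdu[3:8] == SNAP_BRIDGED_8023:
        return "bridged", pdu[8 + len(BRIDGED_PAD):]
    if pdu[3:8] == SNAP_ROUTED_IPV4:
        return "routed", pdu[8:]
    raise ValueError("unsupported SNAP header " + pdu[3:8].hex())

def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 datagram (protocol 17, no options) for the constructed sample, checksum filled in."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    hdr[10:12] = struct.pack("!H", ~total & 0xFFFF)
    return bytes(hdr) + payload

def ipv4_addrs(ip_packet: bytes):
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    return ipaddress.IPv4Address(ip_packet[12:16]), ipaddress.IPv4Address(ip_packet[16:20])

def aggregator_forward(cpcs_pdu: bytes, ingress: str, routes, host_routes):
    """Strip AAL5 and LLC/SNAP, skip the 802.3 header if the PDU is bridged (RBE), then decide on
    the IP header alone. Returns ('forward', egress) or ('drop', reason)."""
    kind, inner = rfc1483_decap(aal5_decap(cpcs_pdu))
    ip_packet = inner[ETH_HDR_LEN:] if kind == "bridged" else inner
    src, dst = ipv4_addrs(ip_packet)
    # Added check, not from the guide: the /32 host route ties one address to this subinterface,
    # so a PDU on this PVC with any other source address is spoofed and is dropped.
    if host_routes.get(ingress) != src:
        return "drop", f"source {src} is not the host bound to {ingress}"
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return ("forward", best[1]) if best else ("drop", f"no route to {dst}")

# Constructed tables modelled on the unnumbered-subinterface configurations in this module.
HOST_ROUTES = {f"ATM0/0/0.13{n}": ipaddress.IPv4Address(f"192.168.1.{n}") for n in (2, 3, 4)}
ROUTES = [(ipaddress.ip_network(f"{addr}/32"), ifname) for ifname, addr in HOST_ROUTES.items()]
ROUTES.append((ipaddress.ip_network("0.0.0.0/0"), "core-uplink"))   # constructed name for the core link

def demo():
    """Same datagram from a bridged CPE and from a routed CPE, plus a spoofed source on the first PVC."""
    ip = build_ipv4("192.168.1.2", "10.7.7.7", b"constructed payload")
    mac = bytes.fromhex("00d0b7aabbcc") + bytes.fromhex("0010a4112233") + b"\x08\x00"   # constructed dst, src, type
    rbe = aal5_encap(encap_bridged(mac + ip))
    routed = aal5_encap(encap_routed(ip))
    spoof = aal5_encap(encap_routed(build_ipv4("192.168.1.3", "10.7.7.7", b"")))
    return tuple(aggregator_forward(p, "ATM0/0/0.132", ROUTES, HOST_ROUTES) for p in (rbe, routed, spoof))

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Both the bridged and the routed PDU reach the same forwarding decision, which is the point of RBE: the bridge header is carried but never consulted. The AAL5 checks matter on an aggregation device because a wrong Length field or a corrupted trailer must be rejected before the IP header is read.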
(Figure: RFC 1483 routing frame flow between Routed CPE, DSLAM, Aggregation Device, and Core.)
Of these methods, the first two are the least preferred as they require
individual subnets on each subinterface and waste IP address space. The
example configuration that follows shows the last method.
Additional Considerations
The CPE may provide DHCP to subscriber devices beyond the CPE.
Additionally, the CPE may use NAT for private addresses in the
subscriber network.
(Figure: RFC 1483 routing configuration topology. Aggregation Device IP=192.168.1.1; two Routed CPEs with IP=192.168.1.2 and IP=192.168.1.3, each with GW=192.168.1.1, connected through the DSLAM to the Core.)
Two methods:
Numbered subinterfaces
Unnumbered subinterfaces
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface ATM2/0/0.132 point-to-point
ip unnumbered Loopback1
pvc 1/32
encapsulation aal5snap
!
interface ATM2/0/0.133 point-to-point
ip unnumbered Loopback1
pvc 1/33
encapsulation aal5snap
!
interface ATM2/0/0.134 point-to-point
ip unnumbered Loopback1
pvc 1/34
encapsulation aal5snap
! Static host routes toward the routed CPEs. Each route must name the ATM2/0/0
! subinterface that carries that CPE's PVC, and each host address lies in the
! Loopback1 subnet the CPEs use as their gateway.
ip route 192.168.2.2 255.255.255.255 ATM2/0/0.132
ip route 192.168.2.3 255.255.255.255 ATM2/0/0.133
ip route 192.168.2.4 255.255.255.255 ATM2/0/0.134
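Both unnumbered-subinterface configurations in this module (RBE earlier, RFC 1483 routing here) depend on one static host route per subscriber subinterface, pointing at the right subinterface with a host address inside the loopback's subnet; a copy-and-paste between slots or subnets breaks that without any error message. As an added Python check that is not Cisco tooling and understands only the commands shown on these slides, the following parses a configuration snippet and reports such mismatches. Both sample snippets are constructed; the second deliberately contains a wrong-slot egress interface and an off-subnet host address.

```python
"""Consistency checks for the unnumbered-subinterface configurations in this module. Added Python
example, not Cisco tooling; it understands only the commands the slides show."""
import ipaddress

def parse_ios(text: str):
    """Return ({interface: [sub-commands]}, [(host, mask, egress)]) from an IOS-style snippet."""
    interfaces, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank or comment line
        if line.startswith("interface "):
            current = line.split()[1]     # 'interface ATM0/0/0.132 point-to-point' -> 'ATM0/0/0.132'
            interfaces[current] = []
        elif line.startswith("ip route "):
            current = None
            _, _, host, mask, egress = line.split()[:5]
            routes.append((host, mask, egress))
        elif current is not None:
            interfaces[current].append(line)
    return interfaces, routes

def _unnumbered_source(cmds):
    return next((c.split()[2] for c in cmds if c.startswith("ip unnumbered ")), None)

def lint(text: str, mode: str):
    """mode 'rbe': every PVC subinterface needs 'atm route-bridged ip'; mode 'routing': it must be absent.
    Returns a list of findings; an empty list means the snippet is consistent."""
    interfaces, routes = parse_ios(text)
    findings, addressed = [], {}          # addressed: interface -> subnet of its 'ip address'
    for name, cmds in interfaces.items():
        for c in cmds:
            if c.startswith("ip address "):
                _, _, addr, mask = c.split()[:4]
                addressed[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
    subscriber_ifs = [n for n, cmds in interfaces.items() if any(c.startswith("pvc ") for c in cmds)]
    for name in sorted(subscriber_ifs):
        cmds, source = interfaces[name], _unnumbered_source(interfaces[name])
        has_rbe = "atm route-bridged ip" in cmds
        if mode == "rbe" and not has_rbe:
            findings.append(f"{name}: missing 'atm route-bridged ip', bridged PDUs will not be routed")
        if mode == "routing" and has_rbe:
            findings.append(f"{name}: 'atm route-bridged ip' does not belong on an RFC 1483 routing interface")
        if source is None and name not in addressed:
            findings.append(f"{name}: neither 'ip address' nor 'ip unnumbered'")
        elif source is not None and source not in addressed:
            findings.append(f"{name}: 'ip unnumbered {source}' borrows from an interface without an address")
        elif source is not None and not any(egress == name for _, _, egress in routes):
            # Without a static host route an unnumbered subscriber interface has no path back to its host.
            findings.append(f"{name}: unnumbered subscriber interface has no static host route")
    for host, mask, egress in routes:
        if egress not in interfaces:
            findings.append(f"ip route {host}: egress {egress} is not configured (wrong slot or subinterface?)")
            continue
        net = addressed.get(_unnumbered_source(interfaces[egress]) or egress)
        if mask == "255.255.255.255" and net is not None and ipaddress.ip_address(host) not in net:
            findings.append(f"ip route {host}: host lies outside {net}, the subnet of its gateway address")
    return findings

# Constructed RBE snippet modelled on the unnumbered example in this module (expected: no findings).
RBE_OK = """
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface ATM0/0/0.132 point-to-point
 ip unnumbered Loopback0
 atm route-bridged ip
 pvc 1/32
  encapsulation aal5snap
!
ip route 192.168.1.2 255.255.255.255 ATM0/0/0.132
"""

# Constructed RFC 1483 routing snippet with two copy-and-paste mistakes: the first route names a
# subinterface in another slot, the second route's host address is outside the Loopback1 subnet.
ROUTING_BAD = """
interface Loopback1
 ip address 192.168.2.1 255.255.255.0
!
interface ATM2/0/0.132 point-to-point
 ip unnumbered Loopback1
 pvc 1/32
  encapsulation aal5snap
!
interface ATM2/0/0.133 point-to-point
 ip unnumbered Loopback1
 pvc 1/33
  encapsulation aal5snap
!
ip route 192.168.2.2 255.255.255.255 ATM0/0/0.132
ip route 172.168.2.3 255.255.255.255 ATM2/0/0.133
"""

if __name__ == "__main__":
    for label, snippet, mode in (("RBE_OK", RBE_OK, "rbe"), ("ROUTING_BAD", ROUTING_BAD, "routing")):
        print(label, lint(snippet, mode) or "clean")
```

Run against the second snippet, the check reports three findings: the .132 subinterface has no host route of its own, the first route's egress interface does not exist, and the second route's host is outside 192.168.2.0/24. Review question 5 of this module asks what must be added when unnumbered interfaces carry statically assigned hosts; the "no static host route" finding is that omission made visible.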
Advantages
CPE becomes manageable
CPE may have more than one PVC configured
CPE can implement NAT or PAT
Well suited for enterprise or business customers
Disadvantages
Lack of accounting for subscriber traffic
Cannot authenticate subscribers
Routing configuration required on CPE adds a level of
complexity
Summary
RBE and RFC 1483 Routing
In this module, you learned the following:
With RBE, the CPE functions in bridging mode, and the subscriber
connections terminate into a routed bridge function on the aggregation
device
RBE and RFC 1483 routing may be configured using either numbered
or unnumbered interfaces, but unnumbered interfaces are preferred
because they preserve IP addresses
RFC 1483 routing uses encapsulation methods similar to those used for
RFC 1483 bridging; however, the CPE and aggregator function as
routers
RFC 1483 routing is well suited for business customers replacing leased
lines
Review Questions
RBE and RFC 1483 Routing
1. How does the CPE function differently between RFC 1483 bridging and
RBE?
a. The CPE functions as a bridge with RFC 1483 bridging and as a
router with RBE.
b. The CPE performs LLC/SNAP or VC multiplexing with RFC 1483
bridging but not with RBE.
c. The CPE will route IP data and bridge all other data.
d. There is no difference.
2. What is the functional difference at the aggregation device between
RFC 1483 bridging and RBE?
a. The aggregator functions as a bridge with RFC 1483 bridging and
as a router with RBE.
b. The aggregator performs LLC/SNAP or VC multiplexing with RFC
1483 bridging but not with RBE.
c. For incoming subscriber data, RBE makes forwarding decisions
based on the frame header, and RFC 1483 Routing forwards packets
based upon the Layer 3 header.
d. There is no difference.
3. List two RFC 1483 encapsulation methods for multiplexing and
transporting datalink and network layer protocols over ATM AAL5.
a. __________________________
b. __________________________
4. Which of the following ATM interfaces can be used with RBE?
a. Numbered point-to-point subinterfaces
b. Numbered multipoint subinterfaces
c. Unnumbered point-to-point subinterfaces
d. Unnumbered multipoint subinterfaces
5. What must be added to the aggregation router configuration when
using unnumbered interfaces with statically assigned subscriber host
addresses?
_________________________________________________________________
11. Which of the following configuration methods is preferred for RFC 1483
routing?
a. Numbered interfaces
b. Numbered interfaces with DHCP
c. Unnumbered interfaces
d. Unnumbered interfaces with DHCP
12. List three parameters that must be configured under the ATM
subinterface to support unnumbered RFC 1483 routing interfaces.
a. _________________________________
b. _________________________________
c. _________________________________
13. List four advantages of RFC 1483 routing.
a. _________________________________________________________
b. _________________________________________________________
c. _________________________________________________________
d. _________________________________________________________
14. List four disadvantages of RFC 1483 routing.
a. _________________________________________________________
b. _________________________________________________________
c. _________________________________________________________
d. _________________________________________________________
Module 3
PPPoA
Overview
Description
In this module, you will learn about Point to Point Protocol over ATM
(PPPoA). You will learn how it works, examine a typical architecture, and
understand its benefits. You will perform hands-on exercises to configure,
verify operation, and test PPPoA.
Objectives
After completing this module, you will be able to do the following:
Session Initiation
With PPPoA, the CPE initiates a PPP session on behalf of the users
connected to the CPE. When the CPE is first powered on, it begins sending
link control protocol (LCP) configuration requests to the aggregation
router. The aggregation router, with the PVCs configured, also sends out
the LCP configuration requests on a Virtual Access Interface associated
with the PVC. When both the CPE and aggregation router see each others
configuration request, they acknowledge the requests, and the LCP state is
opened.
User Authentication
For the authentication stage, the CPE sends an authentication request to
the aggregation router. Depending on its configuration, the router either
authenticates the user based on the domain name (if supplied), or the
username using its local database or RADIUS servers. User
authentication, authorization and accounting (AAA) in this scenario is best
handled by using an industry-standard RADIUS server, which can
authenticate a user based on username or on the virtual path
identifier/virtual channel identifier (VPI/VCI) being used.
(Figure: PPPoA architecture. The CPE's PPP Session crosses the DSLAM to the Aggregation Device, which consults AAA and either terminates the session and forwards by IP Route through the Core to ISP1.com or tunnels it to ISP2.com.)
With tunneling, the user can access only one destination at a time. With
SSG, the user can access many services.
CPE Encapsulation
The illustration shows the combination protocol stack used by the PC and
the xDSL Termination Unit-remote (xTU-R). The PC takes the upper
layer protocol data, encapsulates it in the 802.3 header, and forwards it to
the xTU-R. The xTU-R provides the PPP services and encapsulation and
establishes PPP sessions with the aggregation device. The xTU-R also
provides the ATM related services and layers to exchange ATM cells with
the aggregation device, including RFC 1483, AAL5, ATM, and physical
layer functions.
PPP
The PPP layer performs user AAA. User identification with PPP
termination and aggregation (PTA) is based on the username, which is
configured on the CPE. The CPE encapsulates the IP data before it is
handed off to the ATM adaptation process. The aggregator terminates the
PPP session and performs AAA functions either locally or by using a
RADIUS server.
(Figure: PPPoA with PTA protocol stacks. PC/xTU-R at the Customer Premises: IP, PPP, 1483, AAL5, ATM, PHY. DSLAM: ATM, PHY. Aggregator (PTA): PPP, IP, 1483, AAL5, ATM, PHY on the PVC side and IP over ATM, FR, etc. toward the L3 core; the ISP/Corp router is reached by IP Route. NSP/Corporate Network: IP over ATM, FR, etc., PHY.)
RFC 1483
The RFC 1483 standard describes two encapsulation methods for
multiplexing and transporting datalink and network layer protocols over
AAL5 over ATM:
For the first method, additional headers are included to identify the
protocol data unit (PDU). A common implementation is to include the
3-byte logical link control (LLC) and 5-byte Subnetwork Access Protocol
(SNAP) header to identify the bridged or routed PDU that follows.
With virtual connection (VC) multiplexing, each unique bridged or routed
protocol is carried over a unique VC.
______________________________ Note __________________________
It is important that you understand the two multiplexing methods. You
must choose one of the two when you configure the VC. The method you
choose must match at both ends of the VC. The VC in this
illustration is the PVC.
_____________________________________________________________
AAL5
ATM Adaptation Layer 5 (AAL5) is a common means of encapsulating
connectionless PDUs. An 8-byte trailer is added to the PDU.
CPE Encapsulation
The PC and xTU-R perform the same functions when the PPP session is
tunneled to the NSP as they do when the session terminates on the
aggregation device with PTA. The tunnel is transparent to the CPE and
subscriber.
PPP
The PPP layer performs user AAA. User identification with tunneling is
based upon the username@domainname which is configured on the CPE.
The CPE performs the encapsulation of IP data before it is handed off to
the ATM adaptation process.
Tunnel Protocol
If the request from the subscriber is in the form of
username@domainname, the aggregation server will try to create a tunnel
to the destination, if a tunnel does not already exist. After the tunnel is
created, the aggregation server forwards the PPP requests from the
subscriber to the destination. The destination authenticates the user,
typically using a RADIUS server. If the request from the subscriber does
not include the domain name, the user is authenticated by the local
database.
L2TP and remote access to Multiprotocol Label Switching (MPLS) Virtual
Private Network (VPN) are two examples of tunneling protocols used in
this scenario.
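The authentication-stage decision described above (domain present: tunnel the session toward the NSP; otherwise authenticate against the local database) together with a CHAP exchange, as an added Python illustration that is not Cisco code. The user table, the domain-to-LNS table and the VC identifiers are constructed; the response computation is RFC 1994 CHAP with MD5, which is what lets this module list per-session PAP or CHAP authentication as an advantage: with CHAP the shared secret never crosses the link, and the aggregator's challenge is consumed after one response.

```python
"""PPPoA session handling on the aggregation router once LCP is open: tunnel by domain, otherwise
authenticate locally with CHAP. Added Python illustration, not Cisco code; tables are constructed."""
import hashlib
import hmac
import os

# Constructed local database (CHAP requires the server to hold the shared secret).
LOCAL_USERS = {"cpe-1032": b"constructed-secret-32", "cpe-1033": b"constructed-secret-33"}
# Constructed domain-to-LNS table, as a LAC would hold locally or obtain from RADIUS.
TUNNEL_DOMAINS = {"isp1.com": "lns.isp1.example", "isp2.com": "lns.isp2.example"}

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    The secret itself never crosses the link, unlike PAP's cleartext password."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

def split_user(username: str):
    """'user@domain' -> ('user', 'domain'); a bare username -> (username, None)."""
    name, sep, domain = username.partition("@")
    return name, (domain.lower() if sep else None)

class PtaAggregator:
    """Keeps one pending CHAP challenge per VC (VPI, VCI) and issues identifiers sequentially."""

    def __init__(self, users, tunnels):
        self.users, self.tunnels = users, tunnels
        self.pending = {}       # vc -> (username, identifier, challenge)
        self.next_ident = 1

    def handle_session(self, vc, username):
        """Called when the CPE's PPP session reaches the authentication stage.
        Returns ('tunnel', lns), ('reject', reason) or ('challenge', ident, challenge)."""
        name, domain = split_user(username)
        if domain is not None:
            lns = self.tunnels.get(domain)
            if lns is None:
                return ("reject", f"no tunnel endpoint for domain {domain}")
            return ("tunnel", lns)   # LAC role: the NSP's LNS authenticates this user
        ident, challenge = self.next_ident, os.urandom(16)   # fresh challenge for every attempt
        self.next_ident = (self.next_ident % 255) + 1
        self.pending[vc] = (name, ident, challenge)
        return ("challenge", ident, challenge)

    def handle_chap_response(self, vc, ident, response: bytes) -> str:
        """Verify the CPE's response; the challenge is single-use whatever the outcome."""
        name, expected_ident, challenge = self.pending.pop(vc, (None, None, None))
        if name is None or ident != expected_ident:
            return "failure"
        secret = self.users.get(name)
        if secret is None:
            return "failure"   # an unknown user fails exactly like a wrong secret
        expected = chap_response(ident, secret, challenge)
        return "success" if hmac.compare_digest(expected, response) else "failure"

def demo():
    """Walk the outcomes described in this module: PTA with local CHAP, a replay, a tunnel, a reject."""
    agg = PtaAggregator(LOCAL_USERS, TUNNEL_DOMAINS)
    # PTA: the CPE on VC 1/32 authenticates with the username and secret configured on it.
    kind, ident, challenge = agg.handle_session((1, 32), "cpe-1032")
    answer = chap_response(ident, LOCAL_USERS["cpe-1032"], challenge)
    pta = agg.handle_chap_response((1, 32), ident, answer)
    replay = agg.handle_chap_response((1, 32), ident, answer)   # same response again: challenge is gone
    tunnel = agg.handle_session((1, 33), "alice@ISP1.com")        # domain present: hand to the LNS
    reject = agg.handle_session((1, 34), "bob@nowhere.example")  # domain with no tunnel endpoint
    return pta, replay, tunnel, reject

if __name__ == "__main__":
    print(demo())
```

The aggregator never sees or stores a password in the tunnel case; it only needs the domain-to-LNS mapping, which is why the guide describes the NSP's RADIUS server, not the NAP's, as the authority for tunneled users.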
(Figure: PPPoA with tunneling protocol stacks. PC/xTU-R at the Customer Premises: IP, PPP, 1483, AAL5, ATM, PHY. DSLAM: ATM, PHY. Aggregator (LAC): PPP over 1483, AAL5, ATM, PHY on the PVC side and PPP over the Tunnel Protocol over ATM, FR, etc. toward the L3 core. LNS router at the NSP/Corporate Network: IP, PPP, Tunnel Protocol, ATM, FR, etc., PHY.)
(Figures: PPPoA with PTA: CPE, DSLAM, PTA aggregation device with AAA, IP Route through the Core to ISP1.com. PPPoA with tunneling: CPE, DSLAM, LAC with AAA, Tunnel through the Core to ISP1.com, which performs its own AAA.)
DHCP server
Although not commonly used, the ISP may provide a set of static IP
addresses to the subscriber and may not assign IP addresses dynamically
when the subscriber initiates the PPP session. In this scenario, the service
provider uses only the RADIUS server to authenticate the user.
If the subscriber session is terminated at the NAS and the user data is
routed from there, then the aggregation service assigns the address.
(Figure: IP address assignment for PPPoA. CPE, DSLAM, NAP (LAC), NSP (LNS), Core. Address sources shown: RADIUS, DHCP, a local IP Pool (192.168.1.1 through 192.168.1.4), and NAT or IPCP subnet negotiation at the CPE.)
PPPoA Configuration
Two essential elements of creating subscriber connections on the
aggregation router for PPPoA sessions include creating an ATM
subinterface with a PVC and a virtual access interface to which this PVC
connects. The PPPoA session terminates on the virtual access interface.
(Figure: PPPoA configuration. PVCs on the ATM Interface carry PPPoA Sessions; for each session a Virtual Access Interface (Virtual Access Interface 1 through 5) is created by Cloning the Virtual Template Interface.)
PPPoA Configuration
(Figure: PPPoA configuration topology. Aggregation Device IP=192.168.1.1; PPPoA CPEs with IP=192.168.1.2, IP=192.168.1.3 and IP=192.168.1.4, each with GW=192.168.1.1, connected through the DSLAM to the Core.)
(Figures: three PPPoA configuration examples shown with numbered callouts.)
Advantages
Per session authentication based on PAP or CHAP
Per session accounting is possible
IP address conservation at the CPE
NAPs and NSPs provide access without managing end-to-end PVCs
Only a single session per CPE on one virtual channel (VC). Since the
username and password are configured on the CPE, all users behind
the CPE for that particular VC can access only one set of services.
Users cannot select different sets of services, although using multiple
VCs and establishing different PPP sessions on different VCs is
possible.
Disadvantages
Single session per CPE on one VC limits access
to single service selection
Summary
PPPoA
In this module, you learned the following:
The protocol stack elements associated with PPPoA and how PPPoA
works in both a PTA and tunneling environment
Review Questions
PPPoA
1. What are the two locations that terminate PPPoA sessions?
a. _____________________________________
b. _____________________________________
2. With PPPoA, which device in the network initiates the PPP session?
Choose two.
a. Subscriber host
b. Subscriber CPE
c. DSLAM
d. Aggregation router (not in PPP passive mode)
e. NSP's router
3. When using PPPoA with PTA, which two devices terminate the PPP
session?
_______________________________________________________________
4. When using PPPoA with tunneling, which two devices terminate the
PPP session?
_______________________________________________________________
5. Put the following events in the correct order in which they would occur
when PPPoA is used with PTA. Use numbers to indicate the correct
order.
a. The NAP's aggregation device or RADIUS server authenticates the
subscriber.
b. The subscriber CPE initiates the PPP session.
c. The NAP's aggregation device, RADIUS server, or DHCP server
allocates an IP address to the CPE.
d. The user data is routed to the service destination.
6. Put the following events in the correct order in which they would occur
when PPPoA is used with tunneling. Use numbers to indicate the
correct order.
a. The NAP's aggregation device or RADIUS server authenticates the
subscriber's domain name.
b. The subscriber CPE initiates the PPP session.
c. The NSP's aggregation device, RADIUS server, or DHCP server
allocates an IP address to the CPE.
d. The PPP session is tunneled from the NAP router to the NSP router.
e. The NSP's aggregation device or RADIUS server authenticates the
subscriber's domain and user names.
f. The user data is routed to the service destination.
7. List the three methods for allocating IP addresses to the subscriber
CPE.
a. _________________________________
b. _________________________________
c. _________________________________
8. Which of the following is not a characteristic of virtual access
interfaces?
a. Virtual access interfaces are cloned from parameters configured on
a virtual template interface.
b. Once created, virtual access interfaces are created permanently.
c. With PPPoA, a VC is bound to a virtual access interface.
d. With PPPoA, the virtual access interface is created when the PPP
session is initiated.
9. Which of the following are preferred ways to configure the aggregation
router for PPPoA? Choose two.
a. Using unnumbered loopback interfaces with virtual template
interfaces
b. Using multipoint ATM interfaces
c. Using point-to-point ATM interfaces
d. Configuring the username database on the router, especially when
many unique subscriber names are required
10. Which of the following are true statements about PPPoA? Choose four.
a. Users can be authenticated using PAP or CHAP.
b. IP addresses can be conserved at the CPE using NAT.
c. High scaling can be achieved using RADIUS for AAA services.
d. PPPoA is limited to one user host per CPE.
e. Service providers need to maintain a database of usernames when
PPP sessions are terminated at the aggregation router.
f. Oversubscription is not possible with PPPoA.
Module 4
PPPoE
Overview
Description
In this module, you will learn about Point to Point Protocol over Ethernet
(PPPoE). You will learn how it works, examine a typical architecture, and
learn about its benefits. You will perform hands-on exercises to configure,
verify operation, and test PPPoE.
Objectives
After completing this module, you will be able to do the following:
PPPoE overview
PPPoE has two distinct phases: a discovery stage and a PPP session stage.
Because the host and access concentrator initiate the PPPoE and PPP
sessions, the CPE in this environment is transparent and functions as a
bridge. There is no need to perform complex configurations of the CPE.
The combination of peer MAC addresses and unique PPPoE session
identifiers permits multiple users on the shared Ethernet LAN access to
service providers.
PPPoE Environments
PPPoE is utilized in the following environments.
(Figure: PPPoE architecture. PPP Session from the CPE over ATM or Ethernet Transport to the Aggregation Device, which consults AAA and either forwards by IP Route through the Core to ISP1.com or tunnels to ISP2.com.)
PPPoE provides point-to-point connection over Ethernet
Uses PPP dial in function on client
Architectures include PPPoEoA, PPPoEoE, PPPoEo802.1q
User Authentication
For the authentication stage, the host sends the authentication request to
the aggregation router. Depending on its configuration, the router
authenticates the user on the basis of the domain name (if supplied), or on
the basis of the username using its local database or RADIUS servers.
User authentication, authorization, and accounting (AAA) in this scenario
is best handled by using an industry standard RADIUS server.
With tunneling, the user can access only one destination at a time. With
SSG, the user can access many services.
Transport
Ethernet/802.3
PPPoE
PPP
The additional protocol layer for PPPoE is used during the discovery stage
and PPP session stage. It contains codes for identifying the packet types
used during the discovery stage and the session identifier. The peers rely
on the session identifier, along with the source and destination MAC
addresses in the Ethernet header, to identify the unique PPPoE session.
MTU considerations
Because of the additional PPPoE header, you may need to configure the
MTU size. To accommodate the 6-byte PPPoE header and 2-byte PPP
header, the maximum MTU should be 1492 bytes.
(Figure: PPPoE protocol stack. Host: IP, PPP, PPPoE, Ethernet, Physical. ATM or Ethernet Transport: Physical. Aggregator: IP, PPP, PPPoE, Ethernet, Physical.)
Session Initiation
1. The host sends a PPPoE Active Discovery Initiation (PADI) packet with
a broadcast destination Ethernet address. The PADI packet includes
the service that the host is requesting.
2. One or more access concentrators may reply with a PPPoE Active
Discovery Offer (PADO) packet containing one or more services that it
offers. The server replies directly to the client by using the client's MAC
address as the destination Ethernet address.
3. Because the host may receive more than one PADO, it looks through
the PADO packets it receives and chooses one. The choice can be based
on the access concentrator name or the services offered. The host then
sends a PPPoE Active Discovery Request (PADR) to the access
concentrator that it has chosen, along with the service it is requesting.
4. When the access concentrator receives the PADR packet, it generates a
unique session identifier for the PPPoE session and replies to the host
with a PPPoE Active Discovery Session-confirmation (PADS) packet.
The PADS contains the session identifier and the service name.
After the discovery stage is completed, the PPP session stage begins with
the peers exchanging LCP and NCP configuration information.
Session Termination
The PPPoE session may be terminated by either peer by sending a PPPoE
Active Discovery Termination (PADT) packet.
The access concentrator may terminate the session based on an inactivity
timer, so as not to leave the session open continuously. Using inactivity
timers enables oversubscription of subscribers on the access concentrator.
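The four-step discovery exchange above, followed by termination with PADT from an inactivity timer, as an added Python illustration that is not Cisco code; it also derives the 1492-byte figure from the two headers named under MTU considerations. It goes beyond the page in one respect: the access concentrator puts an AC-Cookie tag (RFC 2516's optional tag) in its PADO and creates a session only for a PADR that returns it, so a PADR not preceded by a PADO to that MAC allocates nothing. The MAC addresses, AC name, service names and the keyed-hash construction of the cookie are this example's own.

```python
"""PPPoE discovery stage (RFC 2516) between a host and an access concentrator (AC), with session-id
allocation and an inactivity timer. Added Python illustration, not Cisco code; MACs, names and the
AC-Cookie construction are this example's own."""
import hashlib
import hmac
import os
import struct

ETH_DISCOVERY = 0x8863                         # discovery-stage EtherType (0x8864 carries the PPP session)
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_EOL, TAG_SERVICE, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0000, 0x0101, 0x0102, 0x0103, 0x0104
BROADCAST = b"\xff" * 6
PPPOE_HDR_LEN, PPP_HDR_LEN = 6, 2

def max_ppp_payload(link_mtu: int = 1500) -> int:
    """The module's 1492: a 1500-byte Ethernet payload minus the 6-byte PPPoE and 2-byte PPP headers."""
    return link_mtu - PPPOE_HDR_LEN - PPP_HDR_LEN

def build(dst: bytes, src: bytes, code: int, session_id: int, tags) -> bytes:
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    # Ethernet header, then the PPPoE header: VER/TYPE 0x11, CODE, SESSION_ID, LENGTH of the tags.
    return dst + src + struct.pack("!HBBHH", ETH_DISCOVERY, 0x11, code, session_id, len(body)) + body

def parse(frame: bytes):
    """Return (dst, src, code, session_id, tags); every length is checked before it is used."""
    if len(frame) < 20:
        raise ValueError("frame shorter than the Ethernet and PPPoE headers")
    etype, vt, code, sid, length = struct.unpack("!HBBHH", frame[12:20])
    if etype != ETH_DISCOVERY or vt != 0x11:
        raise ValueError("not a PPPoE discovery frame")
    body = frame[20:20 + length]
    if len(body) != length:
        raise ValueError("LENGTH field runs past the frame")
    tags, off = [], 0
    while off + 4 <= len(body):
        t, n = struct.unpack("!HH", body[off:off + 4])
        if off + 4 + n > len(body):
            raise ValueError("tag length runs past the payload")
        tags.append((t, body[off + 4:off + 4 + n]))
        off += 4 + n
        if t == TAG_EOL:
            break
    return frame[:6], frame[6:12], code, sid, tags

def tag(tags, wanted):
    return next((v for t, v in tags if t == wanted), None)

class AccessConcentrator:
    def __init__(self, mac: bytes, name: bytes, services, idle_timeout: float = 600.0):
        self.mac, self.name, self.services, self.idle_timeout = mac, name, list(services), idle_timeout
        self.cookie_key = os.urandom(16)   # AC-Cookie: keyed hash of the host MAC, so no state is kept before PADR
        self.sessions = {}                 # session_id -> {"peer": host MAC, "last_seen": time}

    def _cookie(self, host_mac: bytes) -> bytes:
        return hmac.new(self.cookie_key, host_mac, hashlib.sha256).digest()[:16]

    def on_padi(self, frame: bytes):
        dst, src, code, sid, tags = parse(frame)
        wanted = tag(tags, TAG_SERVICE)
        offered = [s for s in self.services if wanted in (None, b"", s)]
        if code != PADI or dst != BROADCAST or sid != 0 or not offered:
            return None   # RFC 2516: a PADI the AC cannot serve is ignored rather than answered
        reply = [(TAG_AC_NAME, self.name)] + [(TAG_SERVICE, s) for s in offered] + [(TAG_AC_COOKIE, self._cookie(src))]
        host_uniq = tag(tags, TAG_HOST_UNIQ)
        return build(src, self.mac, PADO, 0, reply + ([(TAG_HOST_UNIQ, host_uniq)] if host_uniq else []))

    def on_padr(self, frame: bytes, now: float):
        dst, src, code, sid, tags = parse(frame)
        service = tag(tags, TAG_SERVICE)
        if code != PADR or dst != self.mac or sid != 0 or service not in self.services:
            return None
        if not hmac.compare_digest(tag(tags, TAG_AC_COOKIE) or b"", self._cookie(src)):
            return None   # no valid cookie for this MAC: forged or stale PADR, no session is created
        new_sid = next(i for i in range(1, 0xFFFF) if i not in self.sessions)   # 0 and 0xFFFF are reserved
        self.sessions[new_sid] = {"peer": src, "last_seen": now}
        return build(src, self.mac, PADS, new_sid, [(TAG_SERVICE, service)])

    def expire_idle(self, now: float):
        """Inactivity timer: idle sessions are closed with a PADT, which is what makes oversubscription safe."""
        idle = [sid for sid, s in self.sessions.items() if now - s["last_seen"] > self.idle_timeout]
        return [build(self.sessions.pop(sid)["peer"], self.mac, PADT, sid, []) for sid in idle]

def host_discovery(host_mac: bytes, ac: AccessConcentrator, service: bytes, now: float = 0.0):
    """The four discovery steps from the host's side; returns the session id, or None if no session."""
    host_uniq = os.urandom(4)
    pado = ac.on_padi(build(BROADCAST, host_mac, PADI, 0, [(TAG_SERVICE, b""), (TAG_HOST_UNIQ, host_uniq)]))
    if pado is None:
        return None
    _, ac_mac, code, _, tags = parse(pado)
    if code != PADO or tag(tags, TAG_HOST_UNIQ) != host_uniq or service not in [v for t, v in tags if t == TAG_SERVICE]:
        return None   # not our offer, or the AC does not offer the service we want
    padr = build(ac_mac, host_mac, PADR, 0,
                 [(TAG_SERVICE, service), (TAG_AC_COOKIE, tag(tags, TAG_AC_COOKIE)), (TAG_HOST_UNIQ, host_uniq)])
    pads = ac.on_padr(padr, now)
    return parse(pads)[3] if pads is not None else None

if __name__ == "__main__":
    ac = AccessConcentrator(bytes.fromhex("00d0b7000001"), b"aggr-1", [b"internet", b"voip"])
    print(host_discovery(bytes.fromhex("0010a4000002"), ac, b"internet", now=100.0), ac.sessions)
```

Two details are worth noting from a defender's side. The parser refuses any frame whose LENGTH or tag length points past the data it actually has, which is the class of malformed discovery frame an access concentrator is most exposed to on a shared Ethernet. And the session table only grows through a PADR carrying a cookie the AC itself minted for that MAC, so a flood of bare PADI or PADR frames costs the AC a hash computation each but no session state.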
(Figure: PPPoE Discovery Stage between the Host and the Aggregator over ATM or Ethernet Transport.)
CPE Encapsulation
The drawing shows the combination protocol stack used by the PC and the
xDSL Termination Unit-remote (xTU-R). The PC takes the upper layer
protocol data and encapsulates it in the PPP, PPPoE, and 802.3 headers,
and then forwards it to the xTU-R. The xTU-R then provides the ATM
related services and layers to exchange ATM cells with the aggregation
device, including RFC 1483, ATM adaptation layer 5 (AAL5), ATM, and
physical layer functions.
PPP
The PPP layer performs user AAA. User identification with PPP
termination and aggregation (PTA) is based on the username that the user
provides during login. The aggregator terminates the PPP session and
performs AAA functions locally or using a RADIUS server.
(Figure: PPPoEoA with PTA protocol stacks. PC/xTU-R at the Customer Premises: IP, PPP, PPPoE, 802.3, 1483, AAL5, ATM, PHY. DSLAM: ATM, PHY. Aggregator (PTA): PPP, PPPoE, 802.3, IP, 1483, AAL5, ATM, PHY on the PVC side and IP over ATM, FR, etc. toward the L3 core; the ISP/Corp router is reached by IP Route. NSP/Corporate Network: IP over ATM, FR, etc., PHY.)
RFC 1483
The RFC 1483 standard describes two encapsulation methods for
multiplexing and transporting datalink and network layer protocols over
AAL5 over ATM:
For the first method, additional headers are included to identify the
protocol data unit (PDU). A common implementation is to include the
3-byte logical link control (LLC) and 5-byte Subnetwork Access Protocol
(SNAP) header to identify the bridged or routed PDU that follows.
With virtual connection (VC) multiplexing, each unique bridged or routed
protocol is carried over a unique VC.
______________________________ Note __________________________
It is important that you understand the two multiplexing methods. You
must choose one of the two when you configure the VC. The method you
choose must match at both ends of the VC. The VC in this
illustration is the PVC.
_____________________________________________________________
AAL5
ATM Adaptation Layer 5 (AAL5) is a common means of encapsulating
connectionless PDUs. An 8-byte trailer is added to the PDU.
CPE Encapsulation
The PC and xTU-R perform the same functions when the PPP session is
tunneled to the NSP as they do when the session terminates on the
aggregation device with PTA. The tunnel is transparent to the CPE and
subscriber.
PPP
The PPP layer performs user AAA. User identification with tunneling is
based on the username@domainname that the user provides during login.
Tunnel Protocol
If the request from the subscriber is in the form of
username@domainname, the aggregation server will try to create a tunnel
to the destination, if a tunnel does not already exist. After the tunnel is
created, the aggregation server forwards the PPP requests from the
subscriber to the destination. The destination authenticates the user,
typically using a RADIUS server. If the request from the subscriber does
not include the domain name, the user is authenticated by the local
database.
L2TP and remote access to Multiprotocol Label Switching (MPLS) Virtual
Private Network (VPN) are two examples of tunneling protocols used in
this scenario.
[Figure: PPPoEoA with tunneling: PVC from the PC/xTU-R through the DSLAM to the aggregator acting as LAC; the PPP session is carried in a tunnel protocol over the L3 core to the LNS router in the NSP/Corporate Network; protocol stack IP, PPP, PPPoE, 802.3, 1483, AAL5, ATM, PHY at the customer premises, IP, PPP and tunnel protocol over ATM, FR, etc. toward the NSP]
[Figure: PPPoEoA with PTA: CPE, DSLAM, PTA device with IP route over the core to ISP1.com, AAA server at the aggregation side]
[Figure: PPPoEoA with tunneling: CPE, DSLAM, LAC with tunnel over the core to ISP1.com, AAA servers at both the LAC and ISP1.com]
DHCP server
RADIUS server
Although not commonly used, the ISP may provide a set of static IP
addresses to the subscriber and may not assign IP addresses dynamically
when the subscriber initiates the PPP session. In this scenario, the service
provider uses only the RADIUS server to authenticate the user.
If the subscriber session is terminated at the NAS and the user data is
routed from there, then the aggregation service assigns the address.
[Figure: IP address allocation: CPE, DSLAM, NAP (LAC) and NSP (LNS) over the core; addresses 192.168.1.1 through 192.168.1.4 allocated from a RADIUS server, a DHCP server or a local IP pool on either the LAC or the LNS side]
PPPoEoA Configuration
Three essential elements of creating subscriber connections on the
aggregation router for PPPoE sessions are creating a virtual private
dial-up network (VPDN) group, creating an ATM subinterface with a PVC,
and creating a virtual access interface to which this PVC connects. The
user session is then terminated on the virtual access interface.
[Figure: PPPoEoA configuration: the VPDN group, the virtual template interface and the PVCs on the ATM interface; each PPPoE session clones a virtual access interface (Virtual Access Interface 1 through 5) from the virtual template]
[Figure: PPPoEoA configuration topology: CPEs with IP=192.168.1.2, IP=192.168.1.3 and IP=192.168.1.4, each with GW=192.168.1.1; DSLAM; aggregation device with IP=192.168.1.1 toward the core]
[Figure: PPPoEoA configuration, callouts 1 through 16; the configuration text is not recoverable from this copy]
To circumvent denial-of-service attacks from subscriber PCs, you can limit
the number of PPPoE sessions on a per-MAC and/or per-VC basis.
1. On the VPDN group, limit the number of PPPoE sessions that can be
sourced from a MAC address.
2. On the VPDN group, limit the number of PPPoE sessions that can be
permitted on all VCs.
MTU Consideration
PPPoE along with PPP uses 8 bytes of the Ethernet payload; therefore, you
may need to limit the MTU size of the PDU.
3. On the virtual template interface, set the size of the MTU to 1492.
or
4. On the virtual template interface, set the interface to adapt to the
peer's MTU. This assumes that the peers set their MTU to 1492 or less.
PPPoEoA Configuration
vpdn-group PPPoE
accept-dialin
protocol pppoe
virtual-template 1
pppoe limit per-mac 1
pppoe limit per-vc 1
!
!
interface Virtual-Template1
ip unnumbered Loopback0
ip mtu 1492
peer default ip address pool PPPoEpool
ppp mtu adaptive
ppp authentication chap
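As an added check that is not part of the Cisco course material or IOS, the following Python script parses an IOS configuration laid out as above and reports which of the four settings (per-MAC limit, per-VC limit, fixed MTU of 1492 or less, adaptive MTU) are missing; the sample configuration text is constructed from the example above.

```python
import re

# Constructed sample: the PPPoEoA configuration from the text above, as IOS prints it
# (top-level commands at column 0, sub-commands indented).
SAMPLE_CONFIG = """\
vpdn-group PPPoE
 accept-dialin
  protocol pppoe
  virtual-template 1
 pppoe limit per-mac 1
 pppoe limit per-vc 1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip mtu 1492
 peer default ip address pool PPPoEpool
 ppp mtu adaptive
 ppp authentication chap
"""

PPPOE_MTU = 1492  # 1500-byte Ethernet payload minus 6 bytes PPPoE header and 2 bytes PPP protocol ID


def parse_blocks(config: str) -> dict:
    """Split an IOS configuration into {top-level command: [sub-commands]}.

    Every indented line is attached to the most recent column-0 command, so the
    'virtual-template 1' nested under 'accept-dialin' is still found in the vpdn-group.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def _norm(header: str) -> str:
    # 'interface Virtual-Template1' and 'interface virtual-template 1' both occur in IOS output
    return header.lower().replace(" ", "")


def mtu_ok(vt_cmds: list) -> bool:
    """Step 3 or step 4: a fixed MTU of at most 1492, or 'ppp mtu adaptive'."""
    for cmd in vt_cmds:
        m = re.fullmatch(r"ip mtu (\d+)", cmd)
        if m and int(m.group(1)) <= PPPOE_MTU:
            return True
    return "ppp mtu adaptive" in vt_cmds


def audit_pppoe(config: str) -> list:
    """Return human-readable findings; an empty list means all four controls are present."""
    findings = []
    blocks = parse_blocks(config)
    vt_blocks = {_norm(h): c for h, c in blocks.items()
                 if _norm(h).startswith("interfacevirtual-template")}
    pppoe_groups = {h: c for h, c in blocks.items()
                    if h.startswith("vpdn-group ") and "protocol pppoe" in c}
    if not pppoe_groups:
        findings.append("no vpdn-group with 'protocol pppoe' found")
    for header, cmds in pppoe_groups.items():
        # Steps 1 and 2: without these limits one subscriber PC can keep opening sessions
        # until the router runs out of virtual access interfaces.
        for limit in ("per-mac", "per-vc"):
            if not any(re.fullmatch(rf"pppoe limit {limit} \d+", c) for c in cmds):
                findings.append(f"{header}: missing 'pppoe limit {limit}'")
        for cmd in cmds:
            if cmd.startswith("virtual-template "):
                number = cmd.split()[1]
                vt_cmds = vt_blocks.get(f"interfacevirtual-template{number}")
                if vt_cmds is None:
                    findings.append(f"{header}: virtual-template {number} is not configured")
                elif not mtu_ok(vt_cmds):
                    findings.append(f"virtual-template {number}: MTU neither fixed to "
                                    f"{PPPOE_MTU} or less nor set to 'ppp mtu adaptive'")
    return findings


if __name__ == "__main__":
    for finding in audit_pppoe(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```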
Advantages
Disadvantages
Requires PPPoE client software on PC
Service provider needs to maintain a database
of usernames and passwords for all subscribers
Usage
PPPoEoE and PPPoEo802.1q are used as an alternative to PPPoEoA. This
is a solution in metro Ethernet deployments when users need to be
connected to service providers and PPP authentication is important.
Operation
PPPoEoE and PPPoEo802.1q function similarly to PPPoEoA.
With PPPoEoE and PPPoEo802.1q, multiple hosts on shared Ethernet
segments establish PPP sessions using a PPPoE software adapter as they
would in a PPPoEoA environment.
The connection between the client and server routers is an Ethernet or
VLAN link with PPPoE enabled on the link. Consequently, PPPoE sessions
initiated by the hosts are forwarded over the PPPoE enabled link, and they
terminate at the aggregation router. The PPP session may be terminated
at the aggregation router or may be tunneled to an LNS router.
The frame-level encapsulation on the PPPoE-enabled link is standard
Ethernet framing with PPPoEoE, or Ethernet with VLAN information with
PPPoEo802.1q.
[Figure: PPPoEoE: CPE connected to the aggregation device over PPPoE-enabled Ethernet links (Ethernet transport); the PPP session is either terminated at the aggregation device with an IP route over the core to ISP1.com, or tunneled to ISP2.com; AAA at the aggregation device]
PPPoEoE
To enable PPPoEoE on the aggregation router, you enable PPPoE on the
Ethernet interface that connects directly or indirectly to the CPE router.
PPPoEo802.1q
To enable PPPoEo802.1q on the aggregation router, you enable PPPoE on
the Ethernet subinterface that has the VLAN over which hosts connect to
the aggregation router.
The VLAN type must be IEEE 802.1q.
______________________________ Note __________________________
Cisco routers support PPPoEoE and PPPoEo802.1q on Ethernet, Fast
Ethernet, and Gigabit Ethernet interfaces.
_____________________________________________________________
Summary
PPPoE
In this module, you learned the following:
The protocol stack elements associated with PPPoE and how
PPPoE works in both a PTA and tunneling environment
Review Questions
PPPoE
1. At what two locations are PPPoE sessions terminated?
a. _____________________________________
b. _____________________________________
2. With PPPoE, which device in the network usually initiates the PPP
session?
a. Subscriber host
b. Subscriber CPE
c. DSLAM
d. Aggregation router
e. NSP's router
3. When using PPPoE with PTA, which two devices terminate the PPP
session?
_______________________________________________________________
4. When using PPPoE with tunneling, which two devices terminate the
PPP session?
_______________________________________________________________
5. List the four message types that are exchanged between the host and
aggregation device during PPPoE discovery.
a. ______________________
b. ______________________
c. ______________________
d. ______________________
6. Put the following events in the correct order in which they would occur
when PPP session is used with PTA after PPPoE discovery is
completed. Use numbers to indicate the correct order.
a. The NAP's aggregation device or RADIUS server authenticates the
subscriber.
b. The subscriber host initiates the PPP session.
c. The NAP's aggregation device, RADIUS server, or DHCP server
allocates an IP address to the host.
d. The user data is routed to the service destination.
2003 Cisco Systems, Inc.
7. Put the following events in the correct order in which they would occur
when PPP is used with tunneling after PPPoE discovery is completed.
Use numbers to indicate the correct order.
a. The NAP's aggregation device or RADIUS server authenticates the
subscriber's domain name.
b. The subscriber host initiates the PPP session.
c. The NSP's aggregation device, RADIUS server, or DHCP server
allocates an IP address to the host.
d. The PPP session is tunneled from the NAP router to the NSP router.
e. The NSP's aggregation device or RADIUS server authenticates the
subscriber's domain and user names.
f. The user data is routed to the service destination.
8. List the four methods that IP addresses can be allocated to the
subscriber host.
a. _________________________________
b. _________________________________
c. _________________________________
9. Which of the following is not a characteristic of virtual access
interfaces?
a. Virtual access interfaces are cloned from parameters configured on
a virtual template interface.
b. Once created, virtual access interfaces are created permanently.
c. With PPPoE, a session is bound to a virtual access interface.
d. With PPPoE, the virtual access interface is created when the PPP
session is initiated.
10. Which of the following are preferred ways to configure the aggregation
router for PPPoEoA? Choose two.
a. Using unnumbered loopback interfaces with virtual access
interfaces
b. Using multipoint ATM interfaces
c. Using point-to-point ATM interfaces
d. Configuring the username database on the router, especially when
many unique subscriber names are required
11. Which of the following are true statements about PPPoE? Choose four.
a. Users can be authenticated using PAP or CHAP.
b. Each subscriber connected to the CPE can be authenticated
individually.
c. High scaling can be achieved using RADIUS for AAA services.
d. PPPoE is limited to one user host per CPE.
e. Service providers need to maintain a database of user names when
PPP sessions are terminated at the aggregation router.
f. Oversubscription is not possible with PPPoE.
Module 5
Cisco Aggregation Optimization Features
Overview
Description
In this module you will learn how to utilize features of the Cisco router
that help optimize broadband aggregation functions. These features are
designed to minimize Cisco IOS configuration and improve router
performance.
Objectives
After completing this module, you will be able to do the following:
PVC range
Improved troubleshooting
PVC Range
Description
In a digital subscriber line (DSL) environment, many applications require
the configuration of a large number of ATM PVCs. The ATM PVC Range
and Routed Bridge Encapsulation (RBE) Subinterface Grouping feature
lets you group a number of PVCs into a PVC range in order to configure
them all at once.
The benefits of using this feature are
[Figure: PVC range on subinterface atm1/0/0.1 grouping PVCs 1/32, 1/33, 1/34, 1/35, 1/36 and 1/37, each carrying PPPoA, PPPoE or RBE]
PVC Range
[Table: show atm vc output for subinterface 3/0/0.432 with columns VCD/Name, VPI, VCI, Type, Encaps, SC and Sts; the visible rows have VPI 1 or 2, VCIs 100, 101 and 199, Type PVC, Encaps MUX, SC UBR and Sts UP]
PVC Range
[Figure: PVC range configuration examples, Example 1 PPPoX (callouts 1 to 3), Example 2 PPPoX (callouts 1 to 5) and Example 3 RBE (callouts 1 to 3); the configuration text is not recoverable from this copy]
VC Class
Description
A VC class is a set of preconfigured VC parameters that you configure and
apply to a particular VC or ATM interface. You may apply a VC class to an
ATM main interface, subinterface, PVC range, PVC, or SVC. For example,
you can create a VC class that contains VC parameter configurations that
you will apply to a particular PVC or SVC. You might create another VC
class that contains VC parameter configurations that you will apply to all
VCs configured on a particular ATM main interface or subinterface.
VC Class Parameters
The following parameters may be configured on a VC class.
[Figure: without a VC class, each PVC on the ATM interface or subinterface carries its own encapsulation and QoS parameters; with a VC class, one set of encapsulation and QoS parameters is applied to the PVCs]
VC Class (continued)
VC Class Configuration
The illustration shows the configuration of a VC class.
Step 1 and Step 2 show the configuration of the VC class. Step 3, Step 4,
and Step 5 show the application of the class to an ATM subinterface, PVC
range, and PVC-in-range, respectively.
1. Create an ATM VC class and assign a name to the class. The names
used in this example reflect the subscription services.
2. Define the parameters that apply to the class.
3. To assign the class to an interface, use the class-int vc-class-name
command.
4. To assign the class to a PVC range, use the class-range vc-class-name
command.
5. To assign the class to a PVC-in-range, use the class-vc vc-class-name
command.
[Figure: VC class configuration, callouts 1 through 5, applied to multipoint ATM subinterfaces; the configuration text is not recoverable from this copy]
Operation
Incoming traffic on the VPI/VCI pair triggers virtual circuit (VC) creation.
The Cisco router does not create the on-demand VC until incoming traffic
arrives. For example:
If you reload the Cisco 10000 router, the router does not establish the
on-demand VCs until incoming traffic triggers VC creation.
[Figure: on-demand PVC range on atm1/0/0.1: PVCs 1/32, 1/34, 1/35 and 1/37 are created for PPPoA, PPPoE or RBE only when incoming traffic arrives on the VC]
!
interface atm8/0/0.132 multipoint
atm autovc retry 2
range pvc 1/32 2/4095
encapsulation aal5mux ppp virtual-template1
create on-demand
idle-timeout 300 10
Autoprovisioning on a VC class
!
vc-class atm auto-pvc
encapsulation aal5mux ppp virtual-template1
create on-demand
idle-timeout 300 10
!
interface atm8/0/0.132 multipoint
atm autovc retry 2
range pvc 1/32 2/4095
class-range auto-pvc
Benefits
The feature provides resource allocation on demand. When PVCs are
configured for PPPoA or PPPoE, certain resources (including one virtual-access
interface) are allocated, regardless of the presence of a PPPoA or
PPPoE session on the PVC. With this feature, resources are allocated for
PPPoA and PPPoE sessions only when a client initiates a session, thus
reducing overhead on the network access server (NAS).
This feature also saves configuration time by eliminating the need to
specify the encapsulation type when provisioning ATM PVCs and by
eliminating the need to manually provision ATM PVCs each time the
encapsulation type changes.
Restrictions
This feature supports ATM PVCs. Switched virtual circuits (SVCs) are
not supported.
[Figure: PPPoA/PPPoE autosense on a PVC range: PPPoE sessions are bound through the VPDN group to Virtual Template 1 and PPPoA sessions to Virtual Template 2; both clone virtual access interfaces Vi1 to Vi4]
[Figure: autosense configuration, callouts 1 through 5]
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
!
interface atm8/0/0.132 multipoint
range pvc 1/32 1/4095
encapsulation aal5autoppp Virtual-Template2
!
interface virtual-template 1
ip unnumbered loopback 0
ip mtu 1492
ppp authentication chap
!
interface virtual-template 2
ip unnumbered loopback 0
ppp authentication chap
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
!
vc-class atm autoppp
encapsulation aal5autoppp Virtual-Template2
!
interface atm8/0/0.132 multipoint
range pvc 1/32 1/4095
class-range autoppp
!
interface virtual-template 1
ip unnumbered loopback 0
ip mtu 1492
ppp authentication chap
!
interface virtual-template 2
ip unnumbered loopback 0
ppp authentication chap
PPPoE Profiles
Description
PPPoE profiles contain configuration information for PPPoE sessions.
After a profile has been defined, it can be assigned to a PPPoE port
(Ethernet interface, VLAN, or PVC), a VC class, or an ATM PVC range.
PPPoE profiles can also be used for PPPoE sessions established by
PPPoA/PPPoE autosense.
Multiple PPPoE profiles can be created, allowing different virtual
templates and other PPPoE configuration parameters to be assigned to
different Ethernet interfaces, VLANs, and ATM PVCs. A global PPPoE
profile can also be created to serve as the default profile for any port that
has not been assigned a specific PPPoE profile.
[Figure: PPPoE profiles: PPPoE sessions on PVCs in a PVC range; PVCs served by the global BBA group use Virtual Template 1, PVCs assigned to BBA group 1 use Virtual Template 2; virtual access interfaces Vi1 to Vi4]
[Figure: PPPoE profile configuration, callouts 1 through 10; the configuration text is not recoverable from this copy]
Summary
Cisco Aggregation Optimization Features
In this module, you learned the following:
Review Questions
Cisco Aggregation Optimization Features
1. You may use PVC range with which of the following access methods?
Choose three.
a. RBE
b. RFC 1483 routing
c. PPPoA
d. PPPoEoA
e. PPPoEoE
2. Give the command syntax for creating a PVC range for the following
VCs: 1/1 through 1/127, 2/1 through 2/127, and 3/1 through 3/127.
_________________________________________________________________
3. How would you temporarily shut down PVC 2/55 in the range from the
previous question?
_________________________________________________________________
4. What command enables PVCs to be autoprovisioned?
_________________________________________________________________
5. Using autosense of the encapsulation method permits distinguishing
between which of the following connection types?
a. PPPoA MUX and RBE SNAP
b. PPPoE MUX and RBE SNAP
c. PPPoA MUX and PPPoE MUX
d. PPPoA SNAP and PPPoE SNAP
e. PPPoA MUX and PPPoE SNAP
6. When using PPPoE profiles, users who do not get their profile from a
named BBA group get their profile from the ________________ group.
7. Which of the following are true with respect to using BBA groups?
Choose three.
a. BBA groups overcome the limitations of a single VPDN group.
b. BBA groups allow use of multiple virtual templates.
c. BBA groups may be used concurrently with a VPDN group used for
PPPoE.
d. PPPoA connections get their profile from the VPDN group.
e. Session limits may be configured on the BBA group.
Module 6
AAA Services
Overview
Description
This module provides an overview of how AAA services work on Cisco routers with an emphasis on
PPP authentication using default method lists in an ADSL broadband environment. Students perform
hands-on exercises to configure and verify RADIUS authentication services on a Cisco router.
Objectives
After completing this module, you will be able to do the following:
Introduction to AAA
What Is It?
Authentication, authorization, and accounting (AAA) is an architectural
framework for configuring a set of three independent security and
management functions in a consistent manner. Adopting the AAA
framework ensures that all users are treated in a consistent manner when
they access the network. The AAA features provide for systematic access
security of sensitive network devices and services.
Increased Flexibility
By using a centralized AAA server, a network administrator can maintain
security in the network while allowing the flexibility and scalability for
adding and removing users, without having to change the configuration on
the peripheral devices (for example, the access server or router).
Authentication requires users to prove that they really are who they
say they are, by providing a username and password, exchanging
challenge and response, using token cards, and other methods.
Accounting records what the users actually did, what they accessed,
and how long they accessed it, for accounting and auditing purposes.
Accounting keeps track of how network resources are used.
[Figure: the three AAA functions, authentication, authorization and accounting, apply to lines (console, aux, tty and vty lines) and to ISDN and async interfaces]
Authentication
What Is It?
Authentication is the process of validating the claimed identity of a user or
a device, such as a host, server, switch, or router. Authentication is one of the
most important and difficult parts of network security. Different methods
are available, which vary in the amount of secrecy and protection they offer:
Token cards
How Is It Used?
Authentication can be configured on a per-line or per-service basis.
Multiple authentication methods can be configured for each instance to
provide a fallback mechanism. Authentication profiles can be created for
different user groups, enabling flexibility and scalability in the network.
Authentication method lists can be created and then applied to specific
lines or interfaces.
Authorization
What Is It?
Authorization is the act of granting access rights to a user, groups of users,
a system, or a process. It specifies what level of privilege the user is
entitled to and what network resources he or she can use.
How Is It Used?
Authorization can be configured on a per-line or per-service basis.
Authorization can be configured so that different authorization profiles are
created. Each profile may have multiple authorization options, providing a
fallback mechanism. The fallback capability is achieved by creating
authorization method lists, and then applying these method lists to specific
lines or interfaces.
Cisco IOS software supports authorization not only for IP but also for
authorization requests from services using other protocols, such as IPX and
AppleTalk.
AAA authorization works by assembling a set of attributes that describe
what a user is authorized to perform. These attributes are compared to the
information contained in a database for the user, and the result is returned
to AAA to determine the user's capabilities and restrictions. The database
can be located on the local access server or router, or it can be hosted
remotely on a RADIUS or TACACS+ security server.
Remote security servers, such as RADIUS and TACACS+, authorize users
for specific rights by associating attribute-value (AV) pairs, which define
those rights, with the appropriate user.
[Figure: Authorization: one-time authorization, per-service authorization, account lists and profiles, user group support, IP, IPX, ARA and Telnet support. What can the user do? What can the user access? Example: user Bill can access router P1R2 with Telnet]
Accounting
What Is It?
Accounting establishes who, or what, performed a certain action, such as
tracking user connection and logging system users. This information is
required for billing, auditing, and reporting.
The information that is logged may include the user's identity, start and
stop times, commands issued, number of packets, number of bytes, and so
forth.
[Figure: Accounting: user identities, start and stop times, commands executed, number of packets, number of bytes. What did the user do? For how long? How often? Example: user Bill accessed router P1R2 with Telnet 10 times]
AAA-Supported Protocols
Overview
The AAA standardized security protocols are as follows:
TACACS+
RADIUS
Kerberos
[Figure: NAS communicating with a security server over IP using TACACS+, RADIUS or Kerberos]
AAA Services
Module 6
RADIUS Attributes
Attribute-Value (AV) Pairs
AAA uses attribute-value (AV) pairs to maintain information such as
usernames, passwords, IP addresses, and port numbers.
Each AV pair consists of a type of identifier associated with one or more
assignable values.
AV pairs specified in user and group profiles define the authentication and
authorization characteristics for their respective users and groups.
RADIUS implements an array of AV pairs, each with separate type
definitions and characteristics.
Since RADIUS is a fully open protocol, distributed in source code format, it
can be modified to work with any security system currently available.
Many versions of RADIUS attributes are in use today. The IETF RADIUS
AV pair definitions are standards based. Some vendors have extended the
RADIUS attribute set in a unique way to support their products; their
implementations are referred to as vendor-specific attributes (VSAs).
Vendor-Specific Attributes
RADIUS vendor-specific attributes (VSAs) are derived from one IETF
attribute, vendor-specific (attribute 26). Attribute 26 allows a vendor to
create an additional 255 attributes however the vendor wishes. That is, a
vendor can create an attribute that does not match the data of any IETF
attribute and then encapsulate it behind attribute 26; thus, the newly
created attribute is accepted if the user accepts attribute 26.
Radius Files
Overview
Understanding the types of files used by RADIUS is important for
communicating AAA information from a client to a server. Each file defines
a level of authentication or authorization for the user:
Clients file defines which clients (NAS) are allowed to make requests
to the RADIUS server
Users file defines which user requests the RADIUS server will
authenticate based on security and configuration data
vendor - octet #0 is zero, then three octets IANA #, then the rest
date 32-bit value in big endian order - the number of seconds since
00:00:00 GMT, Jan. 1, 1970
A sample dictionary is shown on the opposite page. It includes integer-based attributes and corresponding values.
Dictionary File
#
# default strings ATTRIBUTE and VALUE.
#
ATTRIBUTE   User-Name        1   string   # comment
ATTRIBUTE   User-Password    2   string
ATTRIBUTE   CHAP-Password    3   string
ATTRIBUTE   NAS-IP-Address   4   ipaddr
ATTRIBUTE   NAS-Port         5   integer
ATTRIBUTE   Service-Type     6   integer (1, 0)
#
# dictionary sample of integer entry
ATTRIBUTE   Service-Type     6   Integer
VALUE       Service-Type     Login             1
VALUE       Service-Type     Framed            2
VALUE       Service-Type     Callback-Login    3
VALUE       Service-Type     Callback-Framed   4
VALUE       Service-Type     Outbound          5
VALUE       Service-Type     Administrative    6
VALUE       Service-Type     NAS-Prompt        7
Clients File
# The four entries are for the NAS clients (Cisco 10000)
#
#Client Name    Key      [type]             [version] [prefix]
# ------------- -------- ------------------ --------- --------
52.20.0.12      lab      type=Cisco:NAS
52.20.0.22      lab      type=Cisco:NAS
52.20.0.32      lab      type=Cisco:NAS
52.20.0.42      lab      type=Cisco:NAS
Hollywood       0u812    type=Cisco:PROXY
[Figure: RADIUS exchange between the user, the NAS (NAS port) and the AAA server over IP]
Users File
[Figure: users file example; the visible entries are "Password is lab" and "Protocol is PPP"]
AAA Implementations
There are two methods for implementing AAA: local-based on the NAS or
server-based on an external server.
Local-Based AAA
In local-based AAA, a local security database runs in the NAS for a small
group of network users.
If the network consists of a single NAS, and there are few users accessing
the NAS, it may be desirable to store username and password security
information directly on the Cisco NAS. This is referred to as local
authentication using a local security database.
Local authentication characteristics are as follows:
AAA negotiation is performed internally by Cisco IOS software
[Figure: local-based dial access: the NAS holds the local security database and is reached over IP or the PSTN]
Server-based characteristics (from the slide): TACACS+, RADIUS or Kerberos is used as the communications protocol between the NAS and the remote server
[Figure: server-based console access, server-based VTY access and server-based dial access (over the PSTN); in each case the NAS consults an AAA server over IP]
RADIUS Protocol
Overview
RADIUS is a distributed client/server system that secures networks
against unauthorized access.
The RADIUS authentication and authorization specification (RFC 2865) is
a standard protocol. The RADIUS accounting specification (RFC 2866) is
informational.
Transactions between the client and RADIUS AAA server are
authenticated through the use of a shared secret, which is never sent over
the network. In addition, any user passwords are sent encrypted between
the client and RADIUS server, to eliminate the possibility that someone
snooping on an unsecured network could determine a user's password.
Code: The code field is one octet; it identifies one of the following
types of RADIUS packets:
Access-Request (1)
Access-Accept (2)
Access-Reject (3)
Accounting-Request (4)
Accounting-Response (5)
Access-Challenge (11)
Reserved (255)
Length: The length field is two octets; it specifies the length of the
entire packet.
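The following Python example is added here and is not from the course or from Cisco. It builds and parses RADIUS packets with the header layout described above (Code, Identifier, Length, Authenticator, Attributes), applies the User-Password hiding and Response Authenticator computation of RFC 2865 that give the shared-secret protection mentioned in the overview, and checks a server reply. Attribute numbers follow the dictionary file shown earlier; the user name, secret and NAS address are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes from RFC 2865/2866, as listed in the text.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
# Attribute types used here, numbered as in the dictionary file shown earlier.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS TLVs; Length covers type, length and value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += bytes((atype, len(value) + 2)) + value
    return out


def parse_packet(data: bytes) -> dict:
    """Parse a RADIUS packet, applying the RFC 2865 sanity checks a receiver must make."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte header")
    code, ident, length = HEADER.unpack_from(data)
    # Length outside 20..4096 or beyond the datagram: discard. Octets past Length are padding.
    if not 20 <= length <= 4096 or length > len(data):
        raise ValueError(f"bad Length field {length}")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODES.get(code, "Unknown"), "id": ident,
            "authenticator": data[4:20], "attrs": attrs}


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: the 'encrypted' User-Password is the zero-padded password XORed, 16 bytes
    at a time, with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; the zero padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_request(ident, username, password, secret, nas_ip, nas_port):
    """Access-Request as the NAS sends it; the Request Authenticator is fresh random bytes."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, request_auth)),
                          (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
                          (NAS_PORT, struct.pack("!I", nas_port))])
    return HEADER.pack(1, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, attrs_bytes, request_auth, secret):
    """Server reply; its Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = HEADER.pack(code, ident, 20 + len(attrs_bytes))
    return head + hashlib.md5(head + request_auth + attrs_bytes + secret).digest() + attrs_bytes


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the reply came from a holder of the shared secret and was not
    altered in transit; the secret itself never appears on the wire."""
    try:
        pkt = parse_packet(response)
    except ValueError:
        return False
    length = HEADER.unpack_from(response)[2]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt["authenticator"])
```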
[Figure: RADIUS packet format, 32 bits wide: Code, Identifier, Length, Authenticator, Attributes; codes Access-Request (1), Access-Accept (2), Access-Reject (3), Accounting-Request (4), Accounting-Response (5)]
[Figure: messages between the NAS (client) and the security server: Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, Accounting-Response]
[Figure: RADIUS login sequence, steps 1 to 3, between the user, the NAS (over IP or the PSTN) and the AAA server; step 3: user replies]
The Extensible Authentication Protocol-Message Digest 5 (EAP-MD5), a rather new Internet Engineering Task Force (IETF)
authentication protocol that is implemented, for example, in
Windows 2000
6. The RADIUS client acts upon services and service parameters bundled
with the RADIUS accept or reject packets.
[Figure: RADIUS login sequence, steps 4 to 6, between the NAS and the AAA server]
Enabling AAA
The first step in deploying AAA on a Cisco network device is to enable the
AAA process. In the privileged EXEC mode, enable AAA with the following
command:
(config)#aaa new-model
Method Lists
Defines an ordered list of authentication methods to authenticate users
In this example, default is the name of the method list. The protocol(s)
included in this method list are listed after the name, in the order in which
they are to be queried. The default list is automatically applied to all
interfaces.
AAA Group
To create the list of RADIUS servers named radservers, use the following
commands:
(config)#aaa group server radius radservers
(config-sg-radius)#server AAA-1
(config-sg-radius)#server AAA-2
When a remote user attempts to dial into the network, the network access server (P1R2) first queries AAA-1 (this example assumes that a name resolution protocol is in use) for authentication information. If AAA-1 authenticates the user, it issues a PASS response to the network access server, and the user is allowed to access the network. If AAA-1 returns a FAIL response, the user is denied access and the session is terminated. If AAA-1 does not respond, the network access server treats that as an ERROR and queries AAA-2 for authentication information. This pattern continues through the remaining designated methods until the user is either authenticated or rejected, or until the session is terminated.
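The PASS, FAIL and ERROR semantics just described are easy to get wrong in practice, so here is an added Python model of that evaluation (example code written for this guide, not Cisco IOS code). The server names AAA-1 and AAA-2, the group name radservers and the user p2user1 come from the course material; the user databases, passwords and reachability flags are constructed for the example.

```python
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def radius_server(user_db, reachable=True):
    """Constructed stand-in for one server in the group (AAA-1 or AAA-2). A server that
    does not respond is recorded by the NAS as ERROR, which is not the same as FAIL."""
    def query(username, password):
        if not reachable:
            return ERROR
        return PASS if user_db.get(username) == password else FAIL
    return query


def server_group(servers):
    """'group radservers': query the servers in configured order; only ERROR moves to the next."""
    def method(username, password):
        for server in servers:
            result = server(username, password)
            if result != ERROR:
                return result
        return ERROR  # no server in the group answered
    return method


def local_method(local_users):
    """'local': the username/password pairs configured on the router itself."""
    def method(username, password):
        return PASS if local_users.get(username) == password else FAIL
    return method


def authenticate(method_list, username, password):
    """Evaluate a method list. PASS and FAIL are final; only ERROR falls through to the next
    method. Returns the outcome plus the trace of (method name, result) pairs consulted."""
    trace = []
    for name, method in method_list:
        result = method(username, password)
        trace.append((name, result))
        if result != ERROR:
            return result, trace
    return ERROR, trace  # every method errored: the user cannot be authenticated


def build_method_list(aaa1_up=True, aaa2_up=True):
    """'aaa authentication ppp default group radservers local' over constructed databases."""
    radius_users = {"p2user1": "radius-pw"}                     # what AAA-1/AAA-2 know
    local_users = {"p2user1": "local-pw", "admin": "admin-pw"}  # router's username commands
    radservers = server_group([
        radius_server(radius_users, reachable=aaa1_up),   # AAA-1, queried first
        radius_server(radius_users, reachable=aaa2_up),   # AAA-2, queried only on ERROR
    ])
    return [("group radservers", radservers), ("local", local_method(local_users))]
```

The point the model makes explicit: a password that is only valid in the router's local database never gets the user in while a RADIUS server is reachable, because a FAIL from the group ends the evaluation; the local method is consulted only when every server in the group fails to answer.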
[Figure: CPE - ATM - DSLAM - ATM - P1R2 (NAS), with RADIUS servers AAA-1 and AAA-2 behind the NAS.]
(config)#aaa new-model
(config)#aaa authentication ppp default group radservers local
(config)#aaa group server radius radservers
(config-sg-radius)#server AAA-1
(config-sg-radius)#server AAA-2
(config)#radius-server key lab
Note: Host name resolution is needed for this example.
The NAS and the RADIUS daemon (server process) use an encryption key for all communications that pass between them. If the keys do not match, communications will fail. On the RADIUS server the key is defined in the clients file. To configure the key in the NAS, use the following command:
(config)#radius-server key lab
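To show what the shared key actually protects, the following added Python example (not part of the course and not Cisco code) builds an Access-Request carrying the same attributes the debug radius output on the following pages shows, has a stand-in server check the CHAP response and answer with an Access-Accept or Access-Reject, and has the NAS verify the Response Authenticator with its own copy of the key. The clients and users dictionaries stand in for the daemon's clients and users files; the key lab, the NAS address 52.20.0.22 and the user p2user1 are taken from the course, while the passwords are constructed.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types as numbered in the debug radius output: User-Name [1], CHAP-Password [3],
# NAS-IP-Address [4], NAS-Port [5], Service-Type [6], Framed-Protocol [7], NAS-Port-Type [61]
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 3, 4, 5
SERVICE_TYPE, FRAMED_PROTOCOL, NAS_PORT_TYPE = 6, 7, 61
FRAMED, PPP, VIRTUAL = 2, 1, 5   # Service-Type Framed [2], Framed-Protocol PPP [1], NAS-Port-Type Virtual [5]


def attr(atype, value):
    """Encode one Type-Length-Value attribute (the length counts the 2 header bytes)."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    return struct.pack("!BB", atype, len(value) + 2) + value


def decode_attrs(packet):
    """Return (type, length, value) for each attribute after the 20-byte header."""
    pos, out = 20, []
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break  # malformed attribute; stop rather than loop forever
        out.append((atype, alen, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def chap_response(chap_id, password, challenge):
    """PPP CHAP (MD5) response; the Request Authenticator doubles as the challenge here."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def build_access_request(ident, request_auth, username, chap_id, chap_resp, nas_ip, nas_port):
    """NAS side: the attribute set mirrors the Access-Request in the debug radius output."""
    attrs = b"".join([
        attr(FRAMED_PROTOCOL, PPP),
        attr(USER_NAME, username),
        attr(CHAP_PASSWORD, bytes([chap_id]) + chap_resp),   # 1 + 16 bytes -> length 19
        attr(NAS_PORT_TYPE, VIRTUAL),
        attr(NAS_PORT, nas_port),
        attr(SERVICE_TYPE, FRAMED),
        attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(request, src_ip, clients, users):
    """AAA server side. 'clients' plays the role of the clients file (NAS address -> key) and
    'users' the users file; both are constructed. Requests from unknown clients are dropped."""
    secret = clients.get(src_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    request_auth = request[4:20]
    fields = {t: v for t, _, v in decode_attrs(request)}
    username = fields.get(USER_NAME, b"").decode(errors="replace")
    chap = fields.get(CHAP_PASSWORD, b"")
    password = users.get(username)
    ok = (password is not None and len(chap) == 17
          and hmac.compare_digest(chap[1:], chap_response(chap[0], password, request_auth)))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = attr(SERVICE_TYPE, FRAMED) + attr(FRAMED_PROTOCOL, PPP) if ok else b""
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs)) + auth + reply_attrs


def verify_reply(reply, request_auth, secret):
    """NAS side: recompute the Response Authenticator with the NAS's own key. A key mismatch
    between NAS and daemon shows up here as a reply that fails the check and is discarded."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, request_auth, reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])


def run_exchange(nas_key, clients, users, username, password, nas_ip="52.20.0.22", ident=167):
    """One Access-Request / reply round trip. Returns (reply code or None, authenticator valid)."""
    request_auth = os.urandom(16)
    chap_id = 1
    request = build_access_request(ident, request_auth, username, chap_id,
                                   chap_response(chap_id, password, request_auth), nas_ip, 0)
    reply = server_handle(request, nas_ip, clients, users)
    if reply is None:
        return None, False
    return reply[0], verify_reply(reply, request_auth, nas_key)
```

With matching keys a correct password yields an Access-Accept and a wrong one an Access-Reject, and both replies verify. When the NAS key differs from the daemon's, the Access-Accept still arrives but its authenticator fails verification and the NAS discards it, which is the symptom of a key mismatch described above; a request from an address missing in the clients file gets no reply at all.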
In this example, the first command uses the default AAA authentication method list for PPP connections and defines two methods, group radius and local. In this command, group radius defines RADIUS as the first authentication protocol; if the RADIUS server does not respond, then local, as the second method, uses the username and password parameters defined on the router.
Since there is no named list of servers, you need to identify the specific RADIUS server by using the second command. Optionally, you can specify the authentication and accounting ports to use (default values are shown). The port numbers are defined in the UNIX /etc/services file, or they can be declared when the daemon is started by using the appropriate switch parameters.
The last command defines the key that is used for all RADIUS communications between the NAS and the RADIUS daemon.
______________________________ Note __________________________
This module presents only basic information concerning AAA
authentication and authentication method lists. For more information,
please refer to the appropriate documentation found on Cisco.com.
_____________________________________________________________
[Figure: CPE - ATM - DSLAM - ATM - P1R2 (NAS), with a single RADIUS server AAA-1.]
(config)#aaa new-model
(config)#aaa authentication ppp default group radius local
(config)#radius-server host AAA-1 auth-port 1645 acct-port 1646
(config)#radius-server key lab
When you create a named method list, you define a particular list of
authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces
before any of the defined methods will be performed. The only exception is
the default method list (which is named default). If the aaa
authorization command for a particular authorization type is issued
without a named method list specified, the default method list is
automatically applied to all interfaces or lines except those that have a
named method list explicitly defined. (A defined method list overrides the
default method list.) If no default method list is defined, local authorization
takes place by default.
Authorization Example
A PPPoE user is authenticated and then authorized to receive an IP
address from an IP local pool named pool1, while all other users connecting
through this virtual interface receive an IP address from a different IP
local pool. In addition, this user has been denied the ability to send ICMP
echo requests to a particular IP address via an extended input ACL
downloaded via his user profile.
Shown in the illustration on the opposite page is a partial Cisco IOS interface configuration and a user profile in Merit RADIUS format. PPPoE users accessing the network using virtual-template 4 will be assigned an IP address from a local pool on the NAS named PPPoEPTApool, whose address range is from 192.168.37.2 to 192.168.37.254. When user p2user6 connects via this interface, the NAS reads the user profile and sees that this user is authorized to receive an IP address from a local pool on the NAS named pool1 that falls within the range of 192.168.80.2 to 192.168.80.254. In addition, this user is denied pinging 192.168.38.1, but is permitted to send UDP or TCP packets to IP address 192.168.38.1.
______________________________ Note __________________________
The previous explanation and example of AAA authorization are just
one scenario among numerous authorization possibilities.
_____________________________________________________________
Authorization Example
interface Virtual-Template4
 ip unnumbered Loopback7
 peer default ip address pool PPPoEPTApool
 no keepalive
 ppp mtu adaptive
 ppp authentication chap
!
ip local pool PPPoEPTApool 192.168.37.2 192.168.37.254
ip local pool pool1 192.168.80.2 192.168.80.254
[Figure labels: Merit RADIUS user profile; Cisco IOS interface config]
Troubleshooting Aids
Questions
When attempting to troubleshoot any problem, you need to ask yourself
several questions:
1. Did it work before? If so, what has changed?
2. Is it a new installation or configuration?
When attempting to troubleshoot an authentication problem, you need to
consider the sequence of events that must take place before a user can be
authenticated and what tools you have available to you to aid in isolating
the problem.
UNIX commands
snoop -V
tail -f radius.debug
tail -f logfile.<date>
Troubleshooting Aids
Questions
show users
debug ppp negotiation
debug ppp authentication
debug radius
UNIX Commands
snoop -V
tail -f radius.debug
tail -f logfile.<date>
show users
P2R2#sh users
    Line       User       Host(s)              Idle       Location
*  2 vty 0     p2user1    idle                 00:00:00   52.10.10.20

  Interface    User               Mode         Idle     Peer Address
  Vi1.1        p2user1            PPPoATM      00:07:29 192.168.35.4
  Vi1.2        p2user4            PPPoATM      00:07:29 192.168.35.6
  Vi1.3        p2user5            PPPoATM      00:07:29 192.168.36.18
  Vi1.4        p2user3            PPPoATM      00:07:18 192.168.35.5
  Vi1.5        p2user2            PPPoATM      00:07:18 192.168.35.2
  Vi1.6        p2user7            PPPoATM      06:31:25 192.168.36.8
  Vi2.1        p2user8            PPPoE        00:00:05 192.168.38.21
P2R2#
Link Dead: This is the beginning and ending phase for a PPP link. This phase indicates that the physical layer is ready to be used; from here, PPP proceeds to the Link Establishment phase.
The debug display of the first four phases of a successful PPP negotiation is shown on the opposite page.
debug radius
P2R2#debug radius
Radius protocol debugging is on
Radius packet protocol debugging is on
P2R2#
*Sep 9 20:21:10.216: RADIUS:  AAA Unsupported     [151] 10
*Sep 9 20:21:10.216: RADIUS:   33 2F 30 2F 30 2F 34 2E            [3/0/0/4.]
*Sep 9 20:21:10.216: RADIUS(0003537A): Storing nasport 0 in rad_db
*Sep 9 20:21:10.216: RADIUS(0003537A): Config NAS IP: 0.0.0.0
*Sep 9 20:21:10.216: RADIUS/ENCODE(0003537A): acct_session_id: 217978
*Sep 9 20:21:10.216: RADIUS(0003537A): sending
*Sep 9 20:21:10.216: RADIUS/ENCODE: Best Local IP-Address 52.20.0.22 for Radiu1
*Sep 9 20:21:10.216: RADIUS(0003537A): Send Access-Request to 52.20.0.101:16458
*Sep 9 20:21:10.216: RADIUS: authenticator E5 AC 72 1F EC E9 58 10 - E8 FF 2C7
*Sep 9 20:21:10.216: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Sep 9 20:21:10.220: RADIUS:  User-Name           [1]   9   "p2user1"
*Sep 9 20:21:10.220: RADIUS:  CHAP-Password       [3]   19  *
*Sep 9 20:21:10.220: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Sep 9 20:21:10.220: RADIUS:  NAS-Port            [5]   6   0
*Sep 9 20:21:10.220: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Sep 9 20:21:10.220: RADIUS:  NAS-IP-Address      [4]   6   52.20.0.22
*Sep 9 20:21:10.220: RADIUS:  AAA Unsupported     [151] 10
*Sep 9 20:21:10.220: RADIUS:   33 2F 30 2F 30 2F 34 2E            [3/0/0/4.]
UNIX Commands
Overview
Although numerous UNIX commands could be used for troubleshooting
AAA and RADIUS-related problems, this module describes just two very
useful commands, snoop and tail.
snoop -V
The snoop command captures packets from the network and displays their contents. The -V switch selects verbose summary mode, which displays a summary line for each protocol layer in the packet.
In the display, notice the exchange between IP host 52.20.0.22 (P2R2) and
RADIUS1. You should also note the use of UDP and port 1645, the
authentication port. This packet exchange verifies that the NAS and the
AAA server are indeed exchanging RADIUS packets.
UNIX Commands
snoop -V
# snoop -V
Using device /dev/hme (promiscuous mode)
________________________________
          ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size = 52 bytes
________________________________
    RADIUS1 -> (broadcast)  ETHER Type=0806 (ARP), size = 42 bytes
    RADIUS1 -> (broadcast)  ARP C Who is 52.20.0.22, 52.20.0.22 ?
________________________________
 52.20.0.22 -> RADIUS1      ETHER Type=0800 (IP), size = 120 bytes
 52.20.0.22 -> RADIUS1      IP  D=52.20.0.101 S=52.20.0.22 LEN=106, ID=6426
 52.20.0.22 -> RADIUS1      UDP D=1645 S=21724 LEN=86
________________________________
 52.20.0.22 -> RADIUS1      ETHER Type=0806 (ARP), size = 60 bytes
 52.20.0.22 -> RADIUS1      ARP R 52.20.0.22, 52.20.0.22 is 0:5:dc:39:c:60
________________________________
    RADIUS1 -> 52.20.0.22   ETHER Type=0800 (IP), size = 83 bytes
    RADIUS1 -> 52.20.0.22   IP  D=52.20.0.22 S=52.20.0.101 LEN=69, ID=42629
    RADIUS1 -> 52.20.0.22   UDP D=21724 S=1645 LEN=49
________________________________
UNIX Commands
tail -f radius.debug
# tail -f radius.debug
CHAP-Password = "\0x01%\0xda\0x10\0xfa\0xbf\0xc9\0x88@\0xf9\0xf4\0x83@\0x9a]
NAS-Port-Type = Virtual [flags = 0x00004500]
NAS-Port = 0 [flags = 0x00004500]
Service-Type = Framed-User [flags = 0x00004600]
NAS-IP-Address = 52.20.0.22 [flags = 0x00004500]
get_radrequest: Request from 34140016 (52.20.0.22[21724]) access, id = 167, len8
User-Id = "p2user2" [flags = 0x00000400]
Service-Type = Framed-User [flags = 0x00004600]
Framed-Protocol = PPP [flags = 0x00004600]
send_reply: Authentication: 167/76 'p2user2' from 52.20.0.22 port 0 PPP
Framed-Protocol = PPP [flags = 0x00004600]
User-Name = "p2user1" [flags = 0x00004500]
CHAP-Password = "\0x01\0xb7\0x06?2\0xe41\0x91\0x1b@\0xa3\0xa3\0x9d\0x1e4|\0]
NAS-Port-Type = Virtual [flags = 0x00004500]
NAS-Port = 0 [flags = 0x00004500]
Service-Type = Framed-User [flags = 0x00004600]
NAS-IP-Address = 52.20.0.22 [flags = 0x00004500]
UNIX Commands
tail -f logfile.<date>
# tail -f logfile.030910
Wed Sep 10 01:16:49 2003: Authentication: 169/78 'p2user4' from 52.20.0.22 port0
Wed Sep 10 01:16:49 2003: Original-Authentication: 170/0 'p2user5' from 52.20.0P
Wed Sep 10 01:16:49 2003: Received-Authentication: 170/79 'p2user5' from 52.20.P
Wed Sep 10 01:16:49 2003: Authentication: 170/79 'p2user5' from 52.20.0.22 port0
Wed Sep 10 01:16:49 2003: Original-Authentication: 171/0 'p2user3' from 52.20.0P
Wed Sep 10 01:16:49 2003: Received-Authentication: 171/80 'p2user3' from 52.20.P
Wed Sep 10 01:16:49 2003: Authentication: 171/80 'p2user3' from 52.20.0.22 port0
Wed Sep 10 01:16:49 2003: Original-Authentication: 172/0 'p2user2' from 52.20.0P
Wed Sep 10 01:16:49 2003: Received-Authentication: 172/81 'p2user2' from 52.20.P
Wed Sep 10 01:16:49 2003: Authentication: 172/81 'p2user2' from 52.20.0.22 port0
Wed Sep 10 01:19:12 2003: Original-Authentication: 173/0 'p2user1' from 52.20.0P
Wed Sep 10 01:19:12 2003: Received-Authentication: 173/82 'p2user1' from 52.20.P
Wed Sep 10 01:19:12 2003: Authentication: 173/82 'p2user1' from 52.20.0.22 port0
Wed Sep 10 01:19:12 2003: Original-Authentication: 174/0 'p2user4' from 52.20.0P
Wed Sep 10 01:19:12 2003: Received-Authentication: 174/83 'p2user4' from 52.20.P
Wed Sep 10 01:19:12 2003: Authentication: 174/83 'p2user4' from 52.20.0.22 port0
Wed Sep 10 01:19:12 2003: Original-Authentication: 175/0 'p2user5' from 52.20.0P
Wed Sep 10 01:19:12 2003: Received-Authentication: 175/84 'p2user5' from 52.20.P
Wed Sep 10 01:19:12 2003: Authentication: 175/84 'p2user5' from 52.20.0.22 port0
^C#
Summary
AAA Services
In this module, you learned the following:
Review Questions
AAA Services
1. Within the Cisco IOS software, AAA can be configured on which one of
the following?
a. console
b. aux console
c. tty
d. vty lines
e. all of the above
2. What new file is automatically created every 24 hours to contain
RADIUS log information?
a. clients file
b. users file
c. dictionary file
d. radius.debug
e. logfile.yymmdd
3. What are the distinct phases that a PPP link undergoes? Choose four.
a. Link Establishment
b. authentication
c. Link Alive
d. Network Control Protocol
e. Link Terminate
Module 7
L2TP
Overview
Description
In this module, you will learn about Layer 2 Tunneling Protocol (L2TP). You will learn how it works, examine a typical architecture, and learn about its benefits. You will perform hands-on exercises to configure, verify operation, and test L2TP.
Objectives
After completing this module, you will be able to do the following:
L2TP Overview
The Layer 2 Tunneling Protocol (L2TP) provides a mechanism for
aggregation of multiple Layer 2 connections across packet-oriented data
networks. These Layer 2 connections are typically PPP sessions.
PPP Encapsulation
PPP encapsulation allows for transport of multiprotocol packets across
Layer 2 point-to-point links. With digital subscriber line (DSL), a user
obtains a Layer 2 connection to a network access server (NAS) over a DSL
connection and then runs PPP over that connection. The Layer 2
termination point and PPP session endpoint both reside on the NAS.
Termination Benefits
The benefit of this separation is that the Layer 2 connection can terminate
on a local concentrator, which then extends the logical PPP session over a
shared infrastructure, such as the Internet, to the remote access server. To
the remote server, the user appears to be directly connected.
L2TP Overview
[Figure: L2TP Overview. Top: CPE - Layer 2 link - DSLAM - NAS, where the NAS is both the Layer 2 endpoint and the PPP session endpoint. Bottom: CPE - Layer 2 link - DSLAM - LAC (Layer 2 endpoint) - L2TP tunnel - PPP session endpoint; the PPP session now extends through the tunnel.]
L2TP Components
The following section describes the fundamental components of L2TP and
explains how they work together to tunnel data across a shared network.
Session
A single, tunneled PPP session. A session is also referred to as a call.
Tunnel
A tunnel is a virtual pipe between the LAC and the LNS that carries
multiple PPP sessions. It consists of user traffic and header information
necessary to support the tunnel.
AAA Server
An authentication, authorization, and accounting (AAA) server stores
domain and user information. At the LAC, the AAA server stores domain
information that is necessary for identifying and establishing the tunnel to
the remote LNS. At the LNS, the AAA server stores user information
needed for authenticating the tunnel user.
L2TP Components
[Figure: L2TP Components. Home network: CPE (bill@cisco.com) - DSLAM - LAC/Router, with an AAA server holding domain information (cisco.com). An ATM network carries the tunnel sessions to the LNS/Router in the Cisco network, which has an AAA server holding user information (bill).]
Session ID
Multiple PPP connections can share the same L2TP tunnel using
independent sessions. L2TP sessions within the tunnel are distinguished
from each other using session identifiers that are assigned during the
session setup process. Like tunnel IDs, session IDs have local significance.
The session ID sent in a message is that of the recipient, not that of the
sender.
[Figure: One L2TP tunnel across the provider network between the LAC (Tunnel-ID A) and the LNS (Tunnel-ID B) carries two sessions, for User C and User E, to servers behind the LNS; Session-ID C, D, E and F are the per-end identifiers of those sessions.]
Encapsulations Supported
PPP Session Types
L2TP can support either PPPoA or PPPoE encapsulation on the PVC
coming from the CPE.
The LAC accepts the PPP session and establishes the link. After the Link
Control Protocol (LCP) has been negotiated, the LAC partially
authenticates the end user with Challenge Handshake Authentication
Protocol (CHAP) or Password Authentication Protocol (PAP) but does not
process PPP packets.
Session Authentication
The username@domain name is used to verify that the user is a virtual
private dial-up network (VPDN) client and to provide a mapping to a
specific endpoint LNS. This information may be stored in the local
configuration or on an AAA server. The tunnel endpoints (LAC and LNS)
now authenticate each other and the tunnel is open.
Once the tunnel exists, an L2TP session is created for the end user.
Authentication of the user is done on the LNS at which the call terminates.
Information necessary to identify the remote user can be stored in the AAA
server or can be entered directly into the configuration of the LNS. The
LAC propagates the LCP-negotiated options and the partially
authenticated CHAP or PAP information to the LNS.
Encapsulations Supported
[Figure: Encapsulations Supported. CPE - DSLAM - LAC - NAP network (tunnel sessions) - LNS, with an AAA server at the LAC and at the LNS. The CPE side carries PPP over PPPoA or PPPoE; the tunnel side carries L2TP.]
L2TP Header: This header contains L2TP control and data message codes, tunnel and session identifiers, and optional message-sequencing identifiers.
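As an added illustration (example code written for this guide, not from the course or Cisco), the following Python packs and parses the L2TP header fields named above and shows the local-significance rule for tunnel IDs from the Session ID section: the LAC and the LNS index the same tunnel under different IDs, and each message carries the recipient's ID. The IDs 78, 51792 and 1451 and the peer names P1R2 and P1R3 are taken from the show vpdn and debug output later in this module; the payload bytes are constructed.

```python
import struct

# Flag bits of the first L2TP header word (RFC 2661, section 3.1); the Ver field is 2
T_BIT = 0x8000   # set on control messages, clear on data messages
L_BIT = 0x4000   # Length field present (mandatory on control messages)
S_BIT = 0x0800   # Ns/Nr present (mandatory on control messages, optional on data)
O_BIT = 0x0200   # Offset Size present (data messages only)
VERSION = 0x0002


def pack_l2tp(control, tunnel_id, session_id, ns=None, nr=None, payload=b""):
    """Build an L2TP header plus payload. tunnel_id/session_id are the IDs assigned by the
    RECIPIENT, because identifiers have only local significance at each end of the tunnel."""
    flags = VERSION | L_BIT
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages are always sequenced")
        flags |= T_BIT | S_BIT
    elif ns is not None and nr is not None:
        flags |= S_BIT           # a sender may choose to sequence its data messages
    header_len = 8 + (4 if flags & S_BIT else 0)
    out = struct.pack("!HHHH", flags, header_len + len(payload), tunnel_id, session_id)
    if flags & S_BIT:
        out += struct.pack("!HH", ns, nr)
    return out + payload


def unpack_l2tp(frame):
    """Parse a header back into its fields; raises on a version mismatch or a bad length."""
    (flags,) = struct.unpack("!H", frame[:2])
    if (flags & 0x000F) != VERSION:
        raise ValueError("not an L2TPv2 header")
    pos = 2
    if flags & L_BIT:
        (length,) = struct.unpack("!H", frame[pos:pos + 2])
        pos += 2
        if length != len(frame):
            raise ValueError("Length field does not match frame size")
    tunnel_id, session_id = struct.unpack("!HH", frame[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack("!HH", frame[pos:pos + 4])
        pos += 4
    if flags & O_BIT:            # Offset Size, then that many padding bytes before the payload
        (offset,) = struct.unpack("!H", frame[pos:pos + 2])
        pos += 2 + offset
    return {"control": bool(flags & T_BIT), "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": frame[pos:]}


def demux(frame, local_tunnels):
    """Receiver side: the Tunnel ID in the header is looked up among the IDs THIS end assigned.
    local_tunnels maps local tunnel ID -> {'peer': name, 'remote_id': the peer's tunnel ID}."""
    header = unpack_l2tp(frame)
    tunnel = local_tunnels.get(header["tunnel_id"])
    if tunnel is None:
        return None              # no tunnel with that local ID: discard the frame
    return tunnel, header


# Constructed from the LAC's show vpdn output (LocID 78, RemID 51792, remote P1R3, session
# 78/1451): the two ends index the same tunnel by their own IDs.
LAC_TUNNELS = {78: {"peer": "P1R3", "remote_id": 51792}}
LNS_TUNNELS = {51792: {"peer": "P1R2", "remote_id": 78}}


def lac_sends_control(payload=b"SCCRQ", ns=0, nr=0):
    """LAC -> LNS control message: carries the LNS's tunnel ID (51792), not the LAC's own (78).
    The payload stands in for the AVPs of a real SCCRQ."""
    return pack_l2tp(True, LAC_TUNNELS[78]["remote_id"], 0, ns, nr, payload)


def lns_zlb_ack(ns, nr):
    """Zero-Length Body acknowledgement from the LNS: a control header with Ns/Nr and no AVPs,
    addressed to the LAC's local tunnel ID (78)."""
    return pack_l2tp(True, LNS_TUNNELS[51792]["remote_id"], 0, ns, nr, b"")
```

A control message from the LAC fails demux at the LAC itself (it does not own ID 51792) and succeeds at the LNS, and the ZLB ACK coming back uses 78 for the same reason. The data-message branch shows that a sender may leave the S bit clear, so Ns/Nr are not present on every data message.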
[Figure: Protocol stacks along the path PC/xTU-R (customer premises) - DSLAM - Aggregator (LAC) - L3 core - LNS router - NSP/corporate network.
Customer premises: IP / PPP / PPPoX / 1483 / AAL5 / ATM / PHY.
DSLAM: ATM / PHY on both sides.
Aggregator (LAC): access side PPPoX / 1483 / AAL5 / ATM / PHY; core side PPP / L2TP / UDP / IP / ATM, FR, etc. / PHY.
L3 core: IP.
LNS router: IP / PPP / L2TP / UDP / IP / ATM, FR, etc. / PHY.]
LNS IP address
Tunnel ID
4. The LAC accepts the connection, and the PPP link is established. The LAC partially authenticates the end user with CHAP or PAP.
5. The tunnel endpoints (the LAC and the LNS) must first authenticate each other before any sessions are attempted within the tunnel. The LAC sends a Start-Control-Connection-Request (SCCRQ) message containing the following parameters:
[Figure: Call setup and tunnel setup for bill@cisco.com. 1: Call Request from the CPE to the LAC. 2: Access Request from the LAC to the LAC RADIUS server for the domain cisco.com; the Access Accept returns the L2TP parameters. 4: Call Accept to the CPE. Tunnel setup between the LAC and the LNS: SCCRQ, SCCRP, SCCCN.]
Tx connect speed
The result is that the exchange process appears to take place between the
dial-up user and the remote LNS exclusively, as if no intermediary device
(the LAC) is involved.
[Figure: Session setup. 8: ICRQ from the LAC to the LNS through the tunnel. Access Request from the LNS to the LNS RADIUS server; 10: Access Accept. 11: ICRP. 12: ICCN. The PPP session then runs from the CPE through the tunnel to the LNS.]
[Figure: Data forwarding. A PPP frame from the CPE is carried by the LAC as an L2TP frame through the tunnel session and delivered as a PPP frame at the LNS, towards the server.]
Assigned session ID
4. To shut down the tunnel, the LAC now issues a Stop-Control-Connection-Notification (StopCCN). The StopCCN notifies the LNS that the tunnel is being shut down and the control connection should be closed. In addition, all active sessions are implicitly cleared without the sending of additional CDN messages.
The following parameters are present in the StopCCN message:
Assigned tunnel ID
[Figure: Shutdown. 1: Call Disconnect from the CPE. Between the LAC and the LNS: CDN followed by ZLB ACK, then StopCCN followed by ZLB ACK, which shuts down the tunnel.]
[Figure: Dial-in users reach the LAC over the PSTN; an L2TP tunnel across the ISP network connects the LAC to the LNS router in the service provider network, with a forwarding router behind it.]
The enterprise customer has the following motivations for establishing the
access VPDN:
[Figure: Access VPN. A small office/home office router (LAC) connects across the ISP network through an L2TP tunnel to the LNS router in the enterprise network.]
Limited backup
Scales better
[Figure: Without RADIUS and with RADIUS. CPEs (PPPoA, PPPoE) - DSLAM - aggregation device (LAC) - IP core - tunnels to the LNS of ISP1.com and the LNS of ISP2.com; in the RADIUS variant, RADIUS servers at the LAC and at the LNS hold the tunnel attributes.]
Tunnel password
These three attributes must match at both the LAC and LNS in order to
successfully create the tunnel.
The following attributes are also needed at the LAC and LNS:
Using a VPDN group to store the tunnel attributes is suitable for small
networks that support a single or few tunnels.
[Figure: Across the NAP network, the LAC attributes are stored in the LAC's RADIUS server and the LNS attributes in the LNS's RADIUS server.]
On the LAC
1. Configure authentication for PPP sessions.
2. Enable VPDN.
3. Define a VPDN group, to which you will apply all VPDN attributes for
the LAC.
4. Enable the LAC to request L2TP tunnels.
On the LNS
1. Configure Authentication for PPP sessions.
2. Enable VPDN.
3. Define a VPDN group, to which you will apply all VPDN attributes for
the LNS.
4. Enable the LNS to receive L2TP tunnels.
5. Define the virtual template interface for the tunnel.
Additional VPDN and L2TP commands can be applied as needed to fine-tune parameters to suit your network.
[Figure: CPEs (PPPoA, PPPoE) - DSLAM - aggregation device (LAC) - IP core - tunnels to the LNS of ISP1.com and the LNS of ISP2.com, with the LAC steps (1 to 4) and LNS steps (1 to 5) listed above shown as callouts.]
On RADIUS
1. Configure user profiles for the domain and the PPP user.
2. Configure client profiles for the LAC and the LNS.
3. Configure a service profile for the L2TP tunnel.
On the LAC
1. Configure authentication for PPP sessions.
2. Enable VPDN.
3. Configure the RADIUS server.
On the LNS
1. Configure authentication for PPP sessions.
2. Configure the RADIUS server.
3. Enable VPDN.
4. Define a VPDN group to which you will apply all VPDN attributes for
the LNS.
5. Enable the LNS to receive L2TP tunnels.
6. Define the virtual template interface for the tunnel.
Additional VPDN and L2TP commands can be applied as needed to fine tune parameters to suit your network.
[Figure: Home network (CPE bill@cisco.com - DSLAM - LAC/Router) - ATM network (tunnel sessions) - LNS/Router in the Cisco network, with the RADIUS, LAC and LNS steps listed above shown as callouts. The LAC's AAA server holds domain information for cisco.com; the LNS's AAA server holds user information for bill.]
[Figure: Configuring user profiles. The LAC/Router's AAA server holds domain information for cisco.com; the LNS/Router's AAA server holds user information for bill (bill@cisco.com); tunnel sessions run between the two routers.]
Configuring Clients
[Figure: Client profiles. The LAC/Router's AAA server holds a client profile for the LAC alongside the cisco.com domain information; the LNS/Router's AAA server holds a client profile for the LNS alongside the user information for bill.]
vpdn:tunnel-id=cisconet
vpdn:tunnel-type=l2tp
vpdn:ip-addresses=200.0.0.13
vpdn:l2tp-tunnel-password=cisco
[Figure: Configuring the L2TP service profile. The cisco.com domain information on the LAC/Router's AAA server carries the vpdn attributes listed above; the LNS/Router's AAA server holds the user information for bill.]
aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius local
!
username LAC1 password 0 cisco
!
vpdn enable
!
vpdn-group l2tp
request-dialin
protocol l2tp
domain isp1.com
optional
initiate-to ip 200.0.0.13
local name LAC1
l2tp tunnel password 0 cisco
!
radius-server host 52.20.0.101 auth-port 1645 acct-port 1646
radius-server key cisco
Tunnel Verification
Several Cisco IOS commands are available to verify that the tunnel has been created and to check for proper tunnel operation. These commands include:
show vpdn
debug vpdn events
debug radius
Fields in the show vpdn output: LocID, RemID, TunID, Intf, Username, State, Last Chg.
Tunnel Verification
show vpdn
P1R2#show vpdn
L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID RemID Remote Name  State  Remote Address  Port
78    51792 P1R3         est    200.0.0.13      1701

Username          State  Port                    VT  VA   VA-st  State
p1user8@isp1.com  est    ATM3/0/0.732 VC: 13/34  4   N/A         FWDED
Tunnel Verification
P1R2#show debug
VPN:
VPDN call event debugging is on
VPDN events debugging is on
*VPDN CALL [uid:470]: Requesting connection
*VPDN CALL [uid:470]: Call request sent
*VPDN MGR [uid:470]: Initiating compulsory connection to 200.0.0.13
*uid:470 Tnl/Sn 78/1451 L2TP: VPDN session up
*VPDN MGR [uid:470]: Succeed to forward p1user8@isp1.com
*VPDN MGR [uid:470]: accounting start sent
*VPDN CALL [uid:470]: Connection succeeded
Tunnel Verification
debug radius
RADIUS/ENCODE(0000057D): acct_session_id: 65
RADIUS(0000057D): sending
RADIUS/ENCODE: Best Local IP-Address 200.1.1.13 for Radius-Server 52.30.0.101
RADIUS(0000057D): Send Access-Request to 52.30.0.101:1645 id 21645/64, len 87
RADIUS:  authenticator E1 27 CB 35 8B A5 51 B1 - CB A6 50 93 C3 61 89 41
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS:  User-Name           [1]   18  "p1user8@isp1.com"
RADIUS:  CHAP-Password       [3]   19  *
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-Port            [5]   6   394
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  NAS-IP-Address      [4]   6   200.1.1.13
RADIUS: Received from id 21645/64 52.30.0.101:1645, Access-Accept, len 56
RADIUS:  authenticator 5C 46 3E EE 6B F0 BF 9E - C2 2F 9F 4D 86 18 F9 E4
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS:  Framed-Routing      [10]  6   0
RADIUS:  Framed-MTU          [12]  6   1500
RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
RADIUS(0000057D): Received from id 21645/64
Summary
In this module, you learned the following:
Review Questions
L2TP
1. True or False. L2TP allows the Layer 2 and the PPP endpoints to
reside on different networks.
a. True
b. False
2. Select all that apply to L2TP tunneling:
a. Supports only registered IP addresses
b. Separates the Layer 2 and the PPP session endpoints
c. Allows end user to appear directly connected to remote servers
d. Supports a single tunnel between LAC and LNS
3. True or False. The tunnel identifiers at each end of the tunnel must be identical.
a. True
b. False
4. Which of the following statements apply to the L2TP call setup process?
Choose two.
a. A call request from the user will be processed only if a tunnel
already exists.
b. Tunnel setup must be completed before an L2TP session can be
initiated.
c. The Start-Control-Connection-Reply message indicates the
completion of tunnel establishment.
d. The LAC must wait for the Incoming-Call-Reply message from the
LNS before answering the incoming call request.
e. The Incoming-Call-Connected message completes the session setup
process.
5. True or False. Sequence numbers are present on all data messages passing through the L2TP tunnel.
a. True
b. False