Hi all,

Just wanted to throw some light on VPDN as a follow-up to my previous mail on L2TP. I think this mail will be useful for your CCIE preparation.
Following are the three Layer 2 tunneling protocols:

- L2F (Layer 2 Forwarding): Cisco proprietary
- PPTP (Point-to-Point Tunneling Protocol): Microsoft proprietary
- L2TP (Layer 2 Tunneling Protocol): defined jointly by Cisco and Microsoft, combining the best of L2F and PPTP

L2F uses UDP port 1701. PPTP uses TCP port 1723 for the control session and GRE for tunneling the data. L2TP also uses UDP port 1701. None of the three encrypts the tunneled traffic by itself: PPTP relies on MPPE (Microsoft Point-to-Point Encryption) for encryption, and L2TP can be protected with IPsec, which is called L2TP over IPsec.

The mechanism is the same for all three. A client dials in to a NAS (Network Access Server) and sends it PPP frames. The NAS forwards the PPP frames across the Internet to the tunnel server using one of the tunneling protocols. For each tunneling protocol the components are the same, only the names differ:

- Client
- NAS
- Tunnel server

Following are the names used:

Generic term     L2F term       L2TP term                          PPTP term
NAS              NAS            L2TP access concentrator (LAC)     PPTP access concentrator (PAC)
Tunnel server    Home gateway   L2TP network server (LNS)          PPTP network server (PNS)

*VPDNs*

A VPDN (Virtual Private Dial Network) extends a private network to a remote user across the Internet. The dial user can use ISDN or an analog modem to carry PPP. VPDN supports PPPoE, L2TP, PPTP and L2F. With respect to CCIE Security, the scope is L2TP, but the configuration and functionality of the others are very similar.

*L2TP*

Client-initiated tunneling is where the client PC initiates the L2TP tunnel directly to the LNS; the LAC does not participate in tunnel negotiation and establishment. This is also known as voluntary tunneling.

NAS-initiated tunneling is where the LAC initiates the L2TP tunnel on the client's behalf. This is also known as compulsory tunneling.

*Working*

When the client PC initiates a PPP session to the LAC, the LAC searches its VPDN groups to see whether the PPP session belongs to an L2TP user. If it does, the LAC initiates the L2TP tunnel to the LNS across the Internet.
The LAC searches by domain name, by DNIS (Dialed Number Information Service) or by multihop hostname. You can configure the VPDN search order on the LAC with the following command; if it is not configured, the default is to search by DNIS first and then by domain name.

"vpdn search-order domain dnis"

DNIS is the number that the ISDN or analog modem caller dialed. The domain name is the domain part of the username used for CHAP or PAP authentication. You can also use AAA with VPDN.

*Multihop tunneling*

Multihop tunneling is where L2TP tunnels are cascaded. Multihop VPDN can be used to configure a router as a tunnel switch. A tunnel switch is a device that is configured as both a NAS and a tunnel server: it is able to receive packets from an incoming VPDN tunnel and send them out over an outgoing VPDN tunnel.

VPDN submode dial commands:

accept-dialin   : configures the VPDN group on the tunnel server to accept requests from the NAS
accept-dialout  : configures the VPDN group on the NAS to accept requests from the tunnel server
request-dialin  : configures the VPDN group on the NAS to request tunnel establishment to the tunnel server
request-dialout : configures the VPDN group on the tunnel server to request tunnel establishment to the NAS

router(config)#vpdn-group king
router(config-vpdn)#?
VPDN group configuration commands:
  accept-dialin             VPDN accept-dialin group configuration
  accept-dialout            VPDN accept-dialout group configuration
  default                   Set a command to its defaults
  description               Description for this VPDN group
  dsl-line-info-forwarding  Forward DSL Line Info attributes
  exit                      Exit from VPDN group configuration mode
  ip                        IP settings for tunnel
  no                        Negate a command or set its defaults
  redirect                  Call redirection options
  request-dialin            VPDN request-dialin group configuration
  request-dialout           VPDN request-dialout group configuration
  source                    Configuration source for this vpdn-group
  source-ip                 Set source IP address for this vpdn-group
  vpn                       VPN ID/VRF name

With regards
Kings
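As an added example that is not part of Kings' mail, here is a minimal NAS-initiated (compulsory) L2TP setup that ties the pieces above together: the LAC uses request-dialin with domain-based search to forward PPP sessions for users of an assumed domain to the LNS, and the LNS uses accept-dialin to terminate them on a virtual template. The hostnames LAC and LNS, the address 192.0.2.1, the domain example.com, the pool 10.10.10.0/24 and the tunnel password are placeholders chosen for the example; the dial-in interface on the LAC is platform dependent and is shown only as far as PPP and CHAP are concerned.

```cisco
! ===== LAC (NAS side) =====
hostname LAC
!
vpdn enable
! search the username's domain first, then DNIS (default order is dnis domain)
vpdn search-order domain dnis
!
vpdn-group king
 request-dialin
  protocol l2tp
  ! any PPP user authenticating as <user>@example.com is tunneled to the LNS
  domain example.com
 initiate-to ip 192.0.2.1
 local name LAC
 ! shared secret for L2TP tunnel authentication (SCCRQ/SCCRP challenge);
 ! it authenticates the tunnel endpoints only, it does NOT encrypt the data
 l2tp tunnel password 0 t0nn3lS3cr3t
!
interface Dialer1
 encapsulation ppp
 ! CHAP runs first so the LAC learns the username and its domain
 ppp authentication chap
 ! ISDN/modem details omitted (platform dependent)

! ===== LNS (tunnel server side) =====
hostname LNS
!
vpdn enable
!
vpdn-group king
 accept-dialin
  protocol l2tp
  virtual-template 1
 ! only accept tunnels from a LAC identifying itself with this hostname
 terminate-from hostname LAC
 local name LNS
 ! must match the LAC's tunnel password or the tunnel is refused
 l2tp tunnel password 0 t0nn3lS3cr3t
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool vpdn-pool
 ! the PPP user is authenticated here, on the LNS, not on the LAC
 ppp authentication chap
!
ip local pool vpdn-pool 10.10.10.2 10.10.10.254
username user@example.com password 0 userS3cr3t

! ===== verification (either side) =====
! show vpdn tunnel
! show vpdn session
! debug vpdn event
```

Two points worth checking in the lab: without a tunnel password, anyone who can reach UDP 1701 on the LNS and guesses the expected LAC hostname can bring up a tunnel (the user still has to pass CHAP, but the LNS is now exposed to unauthenticated tunnel setup), and even with the password the PPP payload crosses the Internet in the clear, so for confidentiality the LAC-to-LNS traffic on UDP 1701 has to be wrapped in IPsec (L2TP over IPsec).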
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
