Sessions per tunnel limiting – Cisco 10000 User Manual


Cisco 10000 Series Router Software Configuration Guide

OL-2226-23

Chapter 5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server

Layer 2 Access Concentrator

Static Tunnel Selection

The static tunnel selection feature specifies a domain name for a PVC on an ATM interface. The LAC
uses the specified domain name to select a tunnel for all PPP sessions originating from the PVC. This
feature ignores the domains subscribers indicate in their usernames and forces the subscribers to a
specific destination.

The vpn service domain-name command in ATM VC configuration mode configures the domain-name
on the specified PVC. The vpn service domain-name command in ATM VC class configuration mode
configures the domain-name on all virtual circuits in the VC class.

Per User Tunnel Selection

The per user tunnel selection feature specifies that the LAC use the entire structured PPP username to
select a tunnel for forwarding an incoming session. Instead of sending the domain name, the LAC sends
the entire structured PPP username to the authentication, authorization, and accounting (AAA) server.
The AAA server provides the VPDN tunnel attributes for the user, indicating which tunnel the LAC can
use to forward the session.

The authen-before-forward command in VPDN group configuration mode configures the per user
tunnel selection feature.

Note

When tunneling from a LAC to an LNS using L2TP, if you use the authen-before-forward
command to configure the LAC to authenticate the user to RADIUS before negotiating a tunnel with the
LNS, the user is authenticated and the LAC uses the RADIUS information to determine whether to terminate
a PPPoX session as PPP terminated aggregation (PTA) or forward the session to the LNS.

Dynamic Tunnel Selection

The dynamic tunnel selection feature enables the LAC to use the client-supplied domain in the PPP
username to select a tunnel for forwarding an incoming session. You must configure a VPDN group on
the LAC for each possible domain that a user might indicate.

Note

You can restrict a user from certain domains by using domain preauthorization and tunnel service
authorization. For more information, see the “Tunnel Service Authorization” section on page 5-4.

Sessions per Tunnel Limiting

The sessions per tunnel limiting feature specifies the maximum number of sessions initiated within an
L2TP tunnel. The initiate-to ip command in VPDN group configuration mode configures the sessions per
tunnel limiting feature. The command syntax is:

initiate-to ip ipaddress [limit limit-number] [priority priority-number]

Because the sessions per tunnel limiting feature enables you to specify the maximum number of VPDN
sessions terminating at any L2TP network server (LNS), you can keep corporate router utilization at a
more predictable level.
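
The configuration below is an added example, not taken from the Cisco guide, showing how the static, per user, and dynamic tunnel selection commands and the per-tunnel session limit described above fit together on a LAC. The group names, domains, local name, IP addresses (documentation ranges), interface and PVC numbers, and the limit and priority values are all assumptions chosen for illustration.

```cisco
! Constructed example: every name, address and number here is a placeholder.
vpdn enable
!
! Dynamic tunnel selection: one VPDN group per domain that a user
! might indicate in the PPP username (user@corp.example.com).
vpdn-group corp-example
 request-dialin
  protocol l2tp
  domain corp.example.com
 ! Sessions per tunnel limiting: cap the sessions initiated in the
 ! tunnel to each LNS so that no single LNS is oversubscribed.
 initiate-to ip 192.0.2.10 limit 500 priority 1
 initiate-to ip 192.0.2.11 limit 500 priority 2
 local name lac-example
!
! Per user tunnel selection: the LAC sends the entire structured PPP
! username to the AAA server before a tunnel is negotiated with the LNS.
vpdn-group per-user-example
 request-dialin
  protocol l2tp
  domain isp.example.net
 authen-before-forward
 initiate-to ip 192.0.2.20 limit 200
 local name lac-example
!
! Static tunnel selection on a single PVC: every PPP session from this
! PVC is forced to corp.example.com, whatever domain the subscriber types.
! (Encapsulation and virtual-template lines are omitted.)
interface ATM1/0/0.101 point-to-point
 pvc 1/101
  vpn service corp.example.com
!
! Static tunnel selection for all virtual circuits in a VC class.
vc-class atm corp-subscribers
 vpn service corp.example.com
```

Because static tunnel selection ignores the domain in the username, check that each PVC or VC class carrying `vpn service` really belongs to the subscriber group that should reach that destination.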
