Tunnel sharing, Tunnel service authorization, Tunnel selection – Cisco 10000 User Manual


Cisco 10000 Series Router Software Configuration Guide

OL-2226-23

Chapter 5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server

Layer 2 Access Concentrator

Tunnel Sharing

The tunnel sharing feature enables sessions that are authorized with different domains to share the same
tunnel. Tunnel sharing reduces the number of tunnels required from the LAC. When used with the L2TP
multihop feature, tunnel sharing also reduces the number of tunnels to an LNS. While improving tunnel
management, tunnel sharing helps to reduce the number of tunnel establishment messages that are sent
after interface dropouts, reducing dropout recovery time.

Note: The session per tunnel limiting feature, when configured, limits the number of PPP sessions from
multiple domain names that can be forwarded in a single tunnel.

The domain domain-name command in request-dialin or virtual private dial network (VPDN) group
configuration mode requests that the LAC tunnel PPP sessions from a specific domain-name. Applying
multiple instances of this command in a VPDN group or subgroup enables the LAC to forward PPP
sessions from any of the specified domains in the same tunnel.

Tunnel Service Authorization

The tunnel service authorization feature allows the service provider to limit the number of destinations
a subscriber can choose and to charge a fee for each destination allowed. The LAC can conduct static or
dynamic tunnel service authorization.

A static domain name on an ATM PVC port overrides the domain name that the client session supplies.
Static tunnel service authorization does not support switched virtual circuits (SVCs).

If a static domain is not configured, the LAC conducts dynamic tunnel service authorization. During
dynamic tunnel service authorization, the LAC performs the following steps:

1. Domain Preauthorization—Checks the client-supplied domain name (in the PPP username) against
   an authorized list configured on the RADIUS server for each PVC.

   If the domain name is on the authorized list, the LAC proceeds to tunnel service authorization.

   If the domain name is not on the authorized list, the LAC attempts PPP authentication and
   authorization for local termination. The vpdn authorize domain command configures the domain
   preauthorization feature.

2. Tunnel Service Authorization—Checks the client-supplied domain name against a list of domains
   provided in the user profile on the RADIUS server to determine the domains accessible to the user.
   Enables tunnel service authorization and establishes an L2TP tunnel.
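The decision flow above, modeled as an added Python example (not code from the Cisco guide) that can be used to reason about which destinations a given PVC and user combination can reach. The PVC names, users, domains, table names and decision strings are constructed for illustration; the result when step 2 fails and the lookup of the user profile by the name before the "@" are assumptions, because the page does not state them.

```python
# Added illustration of the LAC authorization flow described above.
# All tables are constructed sample data standing in for RADIUS and
# interface configuration; none of these names are Cisco identifiers.

PVC_AUTHORIZED = {   # step 1: per-PVC authorized domain list
    "pvc-1/32": {"isp-a.example", "isp-b.example"},
    "pvc-1/33": {"isp-a.example"},
}
USER_DOMAINS = {     # step 2: domains listed in each user profile
    "alice": {"isp-a.example"},
    "bob": {"isp-a.example", "isp-b.example"},
}
STATIC_DOMAIN = {"pvc-1/40": "corp.example"}  # static domain on a PVC port


def split_username(ppp_username):
    """Return (user, domain) from 'user@domain'; domain is None if absent."""
    user, sep, domain = ppp_username.rpartition("@")
    if not sep:
        return ppp_username, None
    return user, domain or None


def authorize(pvc, ppp_username):
    """Return (decision, domain) for one incoming PPP session."""
    user, domain = split_username(ppp_username)
    # Static authorization: the PVC's domain overrides the client's.
    if pvc in STATIC_DOMAIN:
        return "tunnel", STATIC_DOMAIN[pvc]
    # Step 1: domain preauthorization against the per-PVC list.
    if domain is None or domain not in PVC_AUTHORIZED.get(pvc, set()):
        return "attempt-local-termination", None
    # Step 2: tunnel service authorization against the user profile.
    if domain in USER_DOMAINS.get(user, set()):
        return "tunnel", domain
    # Assumption: the page does not say what happens when step 2 fails.
    return "not-authorized", None


if __name__ == "__main__":
    for pvc, name in [("pvc-1/32", "alice@isp-a.example"),
                      ("pvc-1/33", "bob@isp-b.example"),
                      ("pvc-1/32", "alice@isp-b.example"),
                      ("pvc-1/40", "bob@isp-b.example")]:
        print(pvc, name, "->", authorize(pvc, name))
```
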

The following sections discuss tunnel selection as it relates to tunnel service authorization.

Tunnel Selection

When configured as the LAC, the Cisco 10000 series router selects a tunnel for an incoming PPP session
using the following features:

- Static tunnel selection
- Per user tunnel selection
- Dynamic tunnel selection
