CH01i.book Page 776 Friday, April 30, 2004 8:58 AM
ptgmedia.pearsoncmg.com/images/1587051044/index/...

INDEX

Symbols
%VPDN-3-NORESOURCE error message, 128
%VPDN-4-MIDERROR error message, 128
%VPDN-4-REFUSED error message, 128
%VPDN-5-NOIDB error message, 128
%VPDN-5-UNREACH error message, 129
%VPDN-6-CLOSED error message, 127
%VPDN-6-DOWN error message, 129
%VPDN-6-MAX_SESS_EXCD error message, 128
%VPDN-6-RESIZE error message, 129
%VPDN-6-SOFTSHUT error message, 129
%VPDN-6-TIMEOUT error message, 129
%VPDN-6-AUTHENERR error message, 127
%VPDN-6-AUTHENFAIL error message, 127
%VPDN-6-AUTHORERR error message, 127
%VPDN-6-AUTHORFAIL error message, 127

Numerics
3DES (Triple DES), 658

A
AAA (authentication, authorization, and accounting)
  configuration, 683
  IKE, 686
  L2F tunnel establishment, 19
  L2TP misconfiguration, 312–322
  remote
    authentication failure, 322–326
    authorization failure, 326, 331
    case studies, 98–114
    configuration, 39, 44
    L2TP, 241
    LNS, 249
  servers, 331–342
aaa new-model command, 241, 683
AAL5 over MPLS configuration, 594
access. See also connections
  Internet
    interfaces, 440
    VPNs, 439
  remote clients, 293
access lists
  AH, 733
  AToM, 615
  crypto
    asymmetric, 726
    configuration, 673
    misconfiguration, 699
    reconfiguration, 700
  deleting, 706, 735
  ESP, 733
  external interfaces, 705
  L2TPv3, 395
  LDP, 622
  modifying, 729
  split tunneling, 684
ACCM (Asynchronous Control Character Map), 59, 227
ACFC (Address & Control Field Compression), 59, 268
activation of MP-BGP, 452
active lines, verifying, 266
adding
  default routes, 697
  preshared keys, 702
additive keyword, 529
Address & Control Field Compression (ACFC), 59, 268
addresses
  configuration, 46
  DNS, 248
  IP
    misconfigurations, 704
    mismatches, 644
    overlapping, 430
    PPTP, 158
    virtual templates, 97
  MDT, 442
  peer misconfigurations, 700
  WINS
    configuration, 46
    L2TP, 248
adjacencies, PIM, 442
Administrator subfields, 431
Advanced Encryption Standard (AES), 658

advertisements
  conditional label, 506, 631
  IS-IS, 496
  labels
    bindings, 502, 628
    verifying tunnels, 626
  PE to CE route, 534
  VPNs, 511–536
AES (Advanced Encryption Standard), 658
aggressive mode negotiation, 665–666
AH (Authentication Header), 657, 733
alarms, remote, 54
algorithms
  CSPF, 429
  encryption, 671
  hash, 671
    modification of MD5, 712
    reconfiguration of, 724
any keyword, 730
Any Transport over MPLS. See AToM
applying crypto maps to external interfaces, 674, 686
architecture
  IPSec, 656. See also IPSec
  Layer 3 MPLS VPNs, 421
AS (autonomous system) numbers, 431
Assigned Number subfields, 431
Assigned Tunnel ID AVP, 218
assignments, 508
asymmetric crypto access lists, 726
asymmetric payload types, L2TPv3, 405
Asynchronous Control Character Map (ACCM), 59, 227
asynchronous interfaces, L2TP, 240
asynchronous lines
  L2TP, 239
  parameters, 37
ATM (asynchronous transfer mode)
  cell relay, 594–596
  control words, 582
  VP cell relay, 380
ATM AAL5 CPCS-SDU control words, 581
AToM (Any Transport over MPLS), 577
  CEF, 588
  commands, 645–652
  configuration, 588
  Layer 2 PDU transport, 578
  LDP
    Router ID, 589
    specifying, 589
  loopback interfaces, 588
  MPLS
    backbone IGPs, 590–591
    core interfaces, 589
  MTU issues, 602
  pseudowires, 591–597
  sample configurations, 597–605
  technical overview of, 577
  troubleshooting, 605
  VC label exchanges, 582–586, 636–645
attachment circuits
  AToM
    Layer 2 PDU transports, 578, 582
    pseudowires, 591–597
  configuration, 378, 381
attributes, RT, 434
attribute-value-pairs. See AVPs
authentication, 713
  aggressive mode, 665–666
  AVPs, 226
  CAs, 680, 736
  certificates, 714
  CHAP, 18. See also CHAP
  IKE, 713
  L2TPv3, 397
  LDP
    mismatches, 499
    peers, 499
    troubleshooting, 624
  LNS, 249
  local
    configuration, 44
    LNS, 249
    PAC, 158
    partial, 228
  partial PPP failures, 64, 273
  PPP, 176–180, 301
  preshared key, 663
  remote AAA
    failure, 322–326
    troubleshooting, 105–109
  RSA signature, 664
  SHA-1, 253
  troubleshooting, 713
  tunneling, 74, 285

Authentication Header (AH), 657, 733
authentication protocol (AuthProtocol), 63
authentication, authorization, and accounting. See AAA
authorization (remote AAA)
  failure, 326, 331
  troubleshooting, 109–114
autodetection, PPP, 239
autonomous system (AS) numbers, 431
AVPs (attribute-value-pairs), 214
  authentication, 226
  calls
    management, 225
    status, 227
  control connection management, 224
  hiding, 215
  L2TP encoding formats, 221
  L2TPv3, 362–363
    circuit status, 368
    control connection management, 366
    control messages, 364
    Layer 2 Specific Sublayer, 371
    session management, 367
  Result Code, 222

B
backbones
  IGP, 449, 479–481
  L2F, 11. See also L2F
  MDT, 444
  MPLS, 590–591. See also AToM; MPLS
  MVPNs, 465
  VPNs, 437. See also VPNs
baselining networks, 3
basic discovery, LDP, 582
BGP (Border Gateway Protocol), 451
  MP-BGP
    activating, 452
    redistributing routes, 458
    route redistribution, 518
  PIM, 467
  tables, 520
  updating, 447
bindings
  labels
    advertisements, 502
    blocking, 631
    peer LSR, 628
    verifying, 626
  VC label exchanges, 586
bits
  DF, 689
  Flags field, 581
bits per second (bps), 236
blocking
  IPSec traffic, 735
  ISAKMP firewalls, 705
  label bindings, 631
  LDP, 622
  troubleshooting access lists, 395
Border Gateway Protocol. See BGP
bottom-up troubleshooting, 5
bps (bits per second), 236

C
C (Command / Response) bit, 582
cabling, 767
calculations
  keys, 16
  MD5, 19
call management AVPs, 225
call reception, 228, 260–265
  NAS, 52
  verifying, 56
call sessions, 163. See also sessions
call setup, verifying, 55
call status AVPs, 227
Call-Disconnect-Notify (CDN) message, 233, 364
carrier's carrier topologies, 419
CAs (certificate authorities)
  authentication, 680
  declaring, 679
  enrollment, 680, 736
case studies
  IPSec, 736–746
  L2F tunnel failures from offload servers, 114
  L2TP, 311
    AAA server unreachable, 331–342
    authentication, 322–326
    authorization, 326, 331
    misconfiguration, 312–322

  MPLS VPNs, 536–560
  PPTP
    MPPE attributes not returned, 197–203
    split tunnels, 203–204
  remote AAA, 98–114, 322–331
CBC (cipher block chaining), 722
CCP (Compression Control Protocol), 93, 184
CDN (Call-Disconnect-Notify), 233
  LNS, 293
  messages, 223
CDP (CRL distribution point), 718
CE (customer edge) devices, 358
  advertisements, 512, 534
  configuration, 446
  MVPNs, 464
CEF (Cisco Express Forwarding)
  AToM
    enabling, 588
    troubleshooting, 608
  disabling, 483, 633
  enabling, 376, 447
  tables, 424
  verifying, 509
cell relay, ATM, 594, 596
cell-mode, MPLS, 423
cells, VP relay, 380
certificate revocation list (CRL), 680
certificates
  authentication, 714
  CAs. See CAs
  digital, 664, 666
  responders, 707
  server maps, 678
Challenge Handshake Authentication Protocol. See CHAP
channels
  control, 137. See also control channels
  D, 238
CHAP (Challenge Handshake Authentication Protocol)
  configuration, 240
  L2F tunnel establishment, 18
cipher block chaining (CBC), 722
circuit status AVPs, 368
circuits, configuration, 378, 381
Cisco Express Forwarding. See CEF
classes
  L2TPv3, 377
  pseudowire, 377, 380
clear crypto isakmp command, 723
clear crypto sa command, 723
clear vpdn tunnel command, 34, 120, 348
clear vpdn tunnel pptp remote access client/PNS_name PAC_name command, 210
CLID (Client ID), L2F, 15
clients
  PPP negotiation failures, 84–98
  remote access
    CONFACK, 269
    disconnections, 293
    LCP negotiation, 266
    PPTP, 137
  remote VPN, 740
  VPN group policy profiles, 684
clock set command, 678, 717
clock timezone command, 678
clocks
  configuration, 678
  troubleshooting, 716–717
cloning
  virtual access interfaces, 297
  virtual interfaces, 168–169
  virtual templates, 85
commands, 122–126, 413, 651, 679
  l2tp hidden, 229
  aaa new-model, 241, 683
  AToM, 645–652
  clear crypto isakmp, 723
  clear crypto sa, 723
  clear vpdn tunnel, 34, 120, 348
  clear vpdn tunnel pptp remote access client/PNS_name PAC_name, 210
  clock set, 678, 717
  clock timezone, 678
  crl optional, 680, 718
  (crl) query, 718
  crypto ca authenticate name, 680
  crypto ca enroll name, 680
  crypto ca identity, 679
  crypto ipsec transform-set, 667
  crypto isakmp key key address peer_address, 670
  crypto isakmp policy, 663

  crypto isakmp sa, 714
  crypto map, 674–675
  crypto transform-set, 671
  debug, 6–8
    IPSec, 750–751
    L2F, 129–130
    L2TP, 351
    MPLS VPNs, 569–571
    PPTP, 210
  debug aaa authentication, 105
  debug aaa authorization, 99
  debug acircuit [error | event], 651
  debug crypto ipsec, 749
  debug crypto isakmp, 692, 702, 723
  debug frame-relay events, 650
  debug isdn q931, 55, 263
  debug modem, 264
  debug mpls l2transport packet {data | error}, 650
  debug mpls l2transport signaling, 649
  debug mpls l2transport vc event, 640
  debug mpls atm-ldp api, 501
  debug mpls ldp advertisements, 567
  debug mpls ldp bindings, 568
  debug mpls ldp messages, 567
  debug mpls ldp transport events, 566
  debug mppe packet, 207
  debug ppp authentication, 65, 91, 300
  debug ppp mppe detailed, 208
  debug ppp mppe event, 207
  debug ppp negotiation, 62, 65, 87, 181, 267
  debug radius, 106, 315
  debug vpdn l2tp-sequencing, 414
  debug vpdn l2x-data, 124, 345
  debug vpdn l2x-errors, 81, 294
  debug vpdn l2x-events, 69, 279, 281
  debug vpdn l2x-packets, 124, 346, 416
  debug vpdn error, 123, 209, 344
  debug vpdn event, 123, 209, 275
  debug vpdn packet, 126, 347, 415
  debug vtemplate, 85, 168, 298
  debug xconnect event, 414
  enrollment mode ra, 679
  ip dfbit set, 388
  ip domain-name, 678
  ip local pool, 683
  ip ospf network point-to-point, 447
  ip pim sparse-dense-mode, 465
  ip pmtu, 388
  ip unnumbered, 310
  IPSec, 747–751
  L2F, 122–126
  L2TP, 342–348
  L2TPv3, 410–417
  lcp renegotiation, 297
  mpls id, 589
  mpls ip, 449, 611
  mpls label protocol ldp, 589
  mpls ldp advertise-labels, 630
  MPLS VPNs, 560–571
  mtu, 248
  no auto-summary, 453
  no mpls ldp advertise-labels, 504
  no vpdn softshut, 296
  ping, 6–8, 117, 704
    MPLS VPNs, 476–479
    tunnel LSP location, 607
  PPTP, 204–210
  protocol none, 381
  redistribute, 533
  redistribute ip, 458
  router isis, 450
  router ospf 100, 451
  service password-encryption, 79
  show, 6–8
    IPSec, 750–751
    L2F, 129–130
    L2TP, 351
    MPLS VPNs, 569–571
    PPTP, 210
  show l2tun session all, 411
  show adjacency detail, 561
  show atm vc, 565
  show caller user, 64, 90, 97, 267, 311
  show clock, 716
  show controller e1, 262
  show crypto ca certificates, 716
  show crypto engine connections active, 747
  show crypto ipsec dynamic-map, 748
  show crypto ipsec sa, 726
  show crypto ipsec security-association lifetime, 749

  show crypto ipsec transform-set, 724
  show crypto isakmp key, 701
  show crypto isakmp sa, 695
  show crypto key mypubkey rsa, 747
  show crypto key pubkey-chain rsa, 748
  show crypto map tag, 698–699
  show ip access-lists, 490, 530, 615, 706, 734
  show ip bgp neighbors, 522
  show ip bgp vpnv4 vrf vrf_name, 518, 524
  show ip bgp vpnv4 vrf vrf_name labels, 565
  show ip cef, 481, 609
  show ip cef summary, 509
  show ip interface, 705
  show ip rip database vrf, 532
  show ip route, 535, 697
  show ip route vrf vrf_name static, 515
  show ip vrf detail vrf-name, 526
  show ip vrf interfaces, 513
  show isdn status, 53–54, 261
  show mpls l2transport binding, 648
  show mpls l2transport hw-capability interface_name, 647
  show mpls l2transport summary, 647
  show mpls l2transport vc, 642
  show mpls l2transport vc vcid detail, 636, 646
  show mpls atm-ldp capability, 564
  show mpls forwarding-table, 504, 627
  show mpls interfaces, 609
  show mpls ldp bindings, 503, 628, 630–631
  show mpls ldp discovery, 489, 613
  show mpls ldp neighbor, 494, 618, 639
  show mpls ldp parameters, 563
  show ppp mppe virtual-access number, 206
  show ppp multilink, 116, 121
  show route-map, 528
  show running-config, 67, 283
  show user, 63
  show vpdn, 204
  show vpdn history failure, 122, 342
  show vpdn session, 81, 205, 292
  show vpdn session all, 179, 343
  show vpdn tunnel, 120, 205
  show vpdn tunnel all, 68, 70, 79, 167, 277
  show l2tun tunnel all, 410
  tools, 6–8
  traceroute, 6–8, 476–479
  tunnel path-mtu-discovery, 689
  tunnel protection, 675
  vpdn domain-delimiter, 19
  vpdn multihop, 120
  vpdn search-order domain, 243
  vpdn session-limit sessions, 297
  vpdn softshut, 84, 296
  xconnect, 393
Common Part Convergence Sublayer-Service Data Units (CPCS-SDUs), 581
compression
  ACFC, 268
  MS-PPC, 93
  PFC, 268
Compression Control Protocol (CCP), 93
compulsory tunnel modes, 135
  IPSec, 252–254
  L2TP, 237, 245
conditional label advertisements, 506, 631–632
CONFACK (Configure-Ack), 59, 269
configuration
  AAA, 44, 683
  asynchronous group interfaces, 38
  asynchronous interfaces, 240
  asynchronous lines
    L2TP, 239
    parameters, 37
  AToM, 588
    CEF, 588
    LDP Router ID, 589
    loopback interfaces, 588
    MPLS backbone IGPs, 590–591
    MPLS core interfaces, 589–590
    pseudowires, 591–597
    sample configurations, 597–605
    specifying LDP, 589
    troubleshooting, 605, 635
    VC label exchanges, 636–645
  attachment circuits, 378, 381
  backbones, 449
  CE routes, 446
  CHAP, 240
  classes, 377
  clocks, 678
  control channels, 138–142

  core interfaces, 467
  crypto access list, 673
  crypto maps, 674
  D channels, 238
  DNS addresses, 46
  dynamic crypto maps, 685
  dynamic sessions, 376–380
  E1/T1 controllers, 36, 238
  EBGP, 457
  EIGRP, 455
  Frame Relay trunks, 379
  gateways, 687
  global BGP parameters, 451
  global ISDN parameters, 37
  HDLC, 596
  IKE policies, 670, 681, 683
  IP pools, 46
  IPSec VPNs, 668
    MTU issues, 689–690
    remote access, 682–688
    site-to-site, 669–681
    transform sets, 685
    troubleshooting, 690–692
  ISDN D channels, 37
  IS-IS, 590
  L2F
    Home Gateways, 43–48
    maintenance, 32
    management messages, 17–18
    NAS, 35–43
    PPP negotiation, 84–98
    PPP on NAS, 58–69
    sessions, 25–31, 80–84
    teardown, 34–35
    technical overview of, 12–17
    troubleshooting, 48–58
    tunneling, 18–25, 69–80
  L2TP
    call reception, 260–265
    case studies, 311
    compulsory tunnel mode, 237, 245
    IPSec, 252–255
    LNS, 246, 252
    negotiation, 297–311
    PPP on LAC, 266–278
    sessions, 290–297
    troubleshooting, 255, 260
    tunnels, 278–290
    voluntary tunnel mode, 252
  L2TPv3, 375–388
    MTU issues, 387–388
    sample configurations, 382–387
    troubleshooting, 389–410
  LAC, 237, 243
  LDP, 448
  LNS, 245
  loading, 767–771
  local authentication, 44, 249
  local username databases, 682
  MDTs, 466
  Microsoft CA servers, 679
  MPLS, 451
  MPLS Layer 3 VPNs, 445–459
    P routers, 462–464
    PE routers, 459–462
  MVPNs, 464–468
  OSPF, 456
  P routers, 465
  PAC, 158
  PE routers, 446, 450
  PE-CE routing protocols, 454
  PFS, 667
  PIM, 467
  PPTP, 155–159
    PPP negotiation, 146–148
    sessions, 142–146
  preshared keys, 670
  pseudowires
    classes, 377, 380
    troubleshooting AToM, 636
  remote AAA, 39
    case studies, 98–114
    L2TP, 241
    LNS, 249
  routers, 767–771
  SKYDANCE_POOL, 249
  split tunneling access lists, 684
  static routes, 454, 458
  static sessions, 380–382
  TDP/LDP router IDs, 448
  TE tunnels
    between P routers, 472
    MPLS VPNs, 468–473
  transform sets, 253, 671

  tunneling, 40, 44
  VRFs, 454
  virtual templates, 45, 247
  VPDNs
    groups, 40, 44
    L2TP, 242
    LNS, 246
  WINS addresses, 46
Configure-Ack (CONFACK), 59, 269
Configure-Reject (CONFREJ), 60, 270
Configure-Request (CONFREQ), 59, 170
connections
  cabling, 767
  control, 371–373, 390
  DLCI-to-DLCI, 593
  Frame Relay, 379
  IP, 117, 419. See also VPNs
  IPSec peers, 704
  L2TPv3, 390
  LDP neighbor discovery failures, 611
  port-to-port, 593
  PPP teardown, 89. See also PPP
  PVP, 380
  SAs, 660
    IKE, 660–668
  transports, 583
conservative label retention, 427
constrained shortest path (CSPF) algorithms, 429
Constraint-based Routed Label Distribution Protocol (CR-LDP), 424
control channels
  configuration, 138–142
  messages, 216
  PPTP
    maintenance, 148–150
    messages, 154
    termination, 150–153
  troubleshooting, 163–168
Control Connection IDs, L2TPv3, 361
control connections, 371–372
  maintenance, 373
  management AVPs, 224, 366
  teardown, 374
  troubleshooting, 390
control messages
  L2TP, 215, 220–227
  L2TPv3, 359, 362, 364
control planes, MPLS, 425
control VC mismatches, 616
control words, 579–580
  ATM AAL5 CPCS-SDU, 581
  Frame Relay, 580
controllers, E1/T1, 36, 238
cookies, values, 370
copying configuration files, 771
core interfaces. See also interfaces
  MPLS, 448, 589–590, 610
  PIM, 467
CPCS-SDUs (Common Part Convergence Sublayer-Service Data Units), 581
Create New VPN Connection Entry Wizard, 685
CRL (certificate revocation list), 680
CRL distribution point (CDP), 718
crl optional command, 680, 718
(crl) query command, 718
CR-LDP (Constraint-based Routed Label Distribution Protocol), 424
crypto access lists. See also access lists
  asymmetric, 726
  configuration, 673
  misconfiguration, 699
  reconfiguration of, 700
crypto ca authenticate name command, 680
crypto ca enroll name command, 680
crypto ca identity command, 679
crypto ipsec transform-set command, 667
crypto isakmp key key address peer_address command, 670
crypto isakmp policy command, 663
crypto isakmp sa command, 714
crypto map command, 674–675
crypto maps
  configuration, 674
  deleting, 698
  DN, 730
  identity lists, 731
  interfaces, 674, 686
  troubleshooting, 698
crypto transform-set command, 671
CSPF (constrained shortest path) algorithms, 429
customer edge (CE) devices, 358

D
D channels
  configuration, 37
  L2TP, 238
Data Encryption Standard (DES), 658
data MDTs, configuration, 466. See also MDT
data messages
  L2TP, 215
  L2TPv3, 369
data planes, MPLS, 425
data tunnels, 137
databases
  local username, 682
  SAD, 660
  SPD, 660
dCEF (distributed CEF)
  AToM, 588
  enabling, 376
debug aaa authentication command, 105
debug aaa authorization command, 99
debug commands, 6–8
  IPSec, 750–751
  L2F, 129–130
  L2TP, 351
  MPLS VPNs, 569–571
debug crypto ipsec command, 749
debug crypto isakmp command, 692, 702, 723
debug frame-relay events command, 650
debug isdn q931 command, 55, 263
debug modem command, 264
debug mpls atm-ldp api command, 501
debug mpls l2transport packet {data | error} command, 650
debug mpls l2transport signaling command, 649
debug mpls l2transport vc event command, 640
debug mpls ldp advertisements command, 567
debug mpls ldp bindings command, 568
debug mpls ldp messages command, 567
debug mpls ldp transport events command, 566
debug mppe packet command, 207
debug ppp authentication command, 65, 91, 300
debug ppp mppe detailed command, 208
debug ppp mppe event command, 207
debug ppp negotiation command, 62, 65, 87, 181, 267, 273–274, 300
debug radius command, 106, 315
debug vpdn error command, 123, 209, 344
debug vpdn event command, 123, 209, 275
debug vpdn l2tp-sequencing command, 414
debug vpdn l2x-data command, 124, 345
debug vpdn l2x-errors command, 81, 294
debug vpdn l2x-events command, 69, 279, 281
debug vpdn l2x-packets command, 124, 346, 416
debug vpdn packet command, 126, 347, 415
debug vtemplate command, 85, 168, 298
debug xconnect event command, 414
declarations, CAs, 679
default Multicast Distribution Tree (default MDT), 443, 466
default routes, adding, 697
deleting
  access lists, 706, 735
  conditional label advertisements, 632
  crypto maps, 698
  import maps, 531
  VPDN session limitations, 83
demultiplexer fields, VC labels, 578
deny any statement, 490
Department of Defense (DoD) models, 4
DES (Data Encryption Standard), 658
devices
  CE, 358
  NAT, 359, 735
DF (Don't Fragment), 388, 689
diagrams, baselining networks, 3
Dialed Number Identification Service (DNIS), 19, 228
Diffie-Hellman public values, 667, 693
digital certificates, 664, 666, 677
digital subscriber line access multiplexer (DSLAM), 213
disabling
  CEF, 483, 633
  IPSec, 337
  ISAKMP, 702–703
  label assignments, 508
  MPLS, 609, 610
  VPDN softshut, 296
disconnections, 293. See also connections; troubleshooting
discovery (LDP)
  neighbors, 611
  PE peer routers, 637
  VC label exchanges, 582–586

Distinguished Name (DN), 730
distributed CEF (dCEF)
  AToM, 588
  enabling, 376
distribution
  CDP, 718
  default MDT, 443
  downstream LSRs, 426
  label protocols, 428
  MDT, 442
  VPN routes, 436
DLCI-to-DLCI connections, Frame Relay, 593
DN (Distinguished Name), 730
DNIS (Dialed Number Identification Service), 19, 228
DNS (Domain Name Service)
  addresses
    configuration, 46
    L2TP, 248
  PPTP, 158
DoD (Department of Defense) models, 4
domains
  MD, 441
  names, 67
Don't Fragment (DF), 388, 689
downstream LSRs, 426
downstream-on-demand label distribution, 426
DSLAM (digital subscriber line access multiplexer), 213
dynamic crypto maps, configuration, 685. See also crypto maps
dynamic sessions (L2TPv3)
  configuration, 376–380
  sample configurations, 382–387
  troubleshooting, 400

E
E1 controllers
  configuration, 36, 238
  remote alarms, 54
EBGP (external BGP), configuration, 457
Echo-Reply messages, PPTP, 149
Echo-Request messages, PPTP, 148
ED (Multilink-Endpoint-Discriminator), 270
egress LSRs, penultimate hop popping, 421
egress PE routers, troubleshooting, 520
EIGRP (Enhanced IGRP), configuration, 455
elements, FEC, 584
enabling, 242
  AAA, 683
  AToM, 588
  CEF, 376, 447
  dCEF, 376
  loopback interfaces, 621
  MPLS TE, 469
  multicasting, 466
  MVRFs, 466
  VPDNs, 40, 44
    L2TP, 242
    LNS, 246
Encapsulating Security Payload (ESP), 658–659
encapsulation
  AAL5, 594
  AH, 657
  AToM pseudowires, 591–597
  Ethernets, 378, 592
  Frame Relay, 378, 592
  HDLC, 380, 596
  Layer 3 MPLS VPNs, 420
  PPP, 240, 380
  MPLS, 594
  VLAN (802.1Q) interfaces, 378
encoding
  AVPs, 221
  RD, 431–432
encryption. See also security
  algorithms, 671
  ESP, 658
  ESP DES, 253
end-to-end troubleshooting, 5
external BGP (EBGP), configuration, 457
Enhanced GRE headers, 147
Enhanced IGRP (EIGRP), configuration, 455
enrollment, CAs, 680, 736
enrollment mode ra command, 679
error codes. See also troubleshooting
  CDN, 294
  L2TPv3, 365–366
  PPTP, 142
  values, 224
error messages
  L2TP, 348–351
  VPDNs, 126

ESP (Encapsulating Security Payload), 658–659
  access lists, 733
  DES encryption, 253
establishment of IPSec tunnels, 732
Ethernets. See also connections; servers
  control words, 582
  encapsulation, 378, 592
  port mode attachment circuits, 592
  VLAN (802.1q) mode, 592
exchanges
  Diffie-Hellman public values, 693
  ISAKMP, 694
  quick mode, 721. See also quick mode
  routes, 452
  VC labels, 582–586, 636–645
Experimental (EXP) field, 422
export map misconfigurations, 526
export route target mismatches, 525
extended authentication (XAuth), 682
extended discovery, LDP, 582
external access lists, deleting, 735
external interfaces. See also interfaces
  access lists, 705
  crypto maps
    applying to, 674, 686
    deleting, 698
    troubleshooting, 698

F
failure codes, session/tunnel setup, 35
FCS (Frame Check Sequence), 231
FEC (Forwarding Equivalence Class), 421, 584
fields
  Flags, 581
  Interface Parameters, 585
  Label, 422
  Magic Cookie, 139
  StopCCRQ packet, 152
  TTL, 422
  values, 14
files, configuration, 767–771
firewalls, 359. See also security
  AH/ESP, 733
  ISAKMP, 705
Flags field, 581
flowcharts
  IPSec VPN troubleshooting, 690
  L2F, 48–58
  PPTP, 160
FORCED CONFACK, 88
FORCED CONFREQ, 300
FORCED LCP CONFREQ, 88
formats
  control channels, 138–142
  Echo-Reply messages, 149
  Echo-Request messages, 149
  OCRQ messages, 142–146
  packets (L2F), 12
  RD, 431
  SLI packets, 154
forwarding
  frames (PPTP), 146–148
  L2F, 11. See also L2F
  MDT, 444
  MPLS, 421
  PPP frames, 29
  traffic, 437
  VPNs, 433. See also VPNs
  VRF, 433
Forwarding Equivalence Class (FEC), 421, 584
Frame Check Sequence (FCS), 231
Frame Relay
  AToM, 592
  control words, 580
  DLCI-to-DLCI connections, 593
  encapsulation, 378
  port-to-port connections, 593
  transports, 579
  trunks, 379
frame-mode, MPLS, 422
frames
  forwarding (PPTP), 146–148
  L2TPv3, 357. See also L2TPv3
  PPP, 29
functions, 662. See also commands

G
gateways
  IPSec remote access, 687
  SAs, 660–668

generation of RSA key pairs, 679
global BGP parameters, configuration, 451
global ISDN parameters
  configuration, 37
  L2TP, 238
groups
  asynchronous interfaces, configuration, 38
  VPDNs
    configuration, 40, 44
    creating virtual templates, 45
    L2TP, 242
    LNS, 246
    misconfiguration of domain names, 67
    PPTP, 156
    reconfiguration, 284
  VPN client policy profiles, 684

H
hash algorithms, 671, 712, 724
HDLC (High-level Data-Link Control)
  control words, 582
  encapsulation, 380, 596
head-end (PE) routers, configuration, 469
headers
  AH, 657
  Enhanced GRE, 147
  ESP, 658–659
  IP over L2TPv3, 360
  packets, 12
  session data messages, 369
  shim, 422
hello messages, L2TP, 233
Hidden (H) bits, 221
hiding AVPs, 215
Home Gateways
  CLID, 15
  MIDs, 14
  L2F
    configuration, 43–48
    PPP negotiation, 84–98
    tunnel failures, 114, 122
  L2F_CONF messages, 21
  L2F_OPEN messages, 27
  passwords, 90
  PPP frames, 29
hops, penultimate hop popping, 421
hostnames, 678

I
ICCN (Incoming-Call-Connected), 226, 373
ICMP (Internet Control Message Protocol), 388
ICRP (Incoming-Call-Reply) messages, 230, 373
ICRQ (Incoming-Call-Request) messages, 230, 372
identity lists, crypto maps, 731
identification
  CLIDs, 16
  LDP neighbors, 494
  routers, 448
IETF (Internet Engineering Task Force), 214
IGP (Interior Gateway Protocol)
  backbones
    configuration, 449
    troubleshooting, 479–481
  MPLS, 590–591
IKE (Internet Key Exchange), 660–668, 713
  AAA, 686
  phase 1, 662, 692–718
  phase 2, 667, 719–733
  policies, 712
    configuration, 670, 681–683
    mismatches, 709
  remote VPN clients, 740
  SAs, 712
import maps
  deleting, 531
  ingress PE routers, 529
import route target mismatches, 525
inbound traffic, 439
incoming FORCED CONFREQ, 300
Incoming-Call-Connected (ICCN), 226, 373
Incoming-Call-Reply (ICRP) messages, 230, 373
Incoming-Call-Request (ICRQ) messages, 230, 372
independent LSP control, 425
ingress PE routers
  import maps, 529
  redistribution, 531
initialization of L2F tunnels, 69
initialization vector (IV), 722
initiation
  IKE negotiation, 696
  quick mode negotiation, 729
initiators, 663
  IP addresses, 704
  responders, 707
  routing, 697

installation of PE routers, 520
instances
  forwarding, 433
  VRF, 433, 453
Interface Parameters field, 585
interfaces
  access lists, 705, 735
  asynchronous, 38, 240
  asynchronous group
  BGP, 467
  core
    configuration MPLS, 448
    disabling MPLS, 610
    MPLS, 589–590
    PIM, 467
  crypto maps
    applying to, 674, 686
    deleting, 698
    troubleshooting, 698
  Ethernet encapsulation, 378
  LC-ATM, 449, 491, 625
  loopback
    configuration, 376
    IS-IS, 621
    PE routers, 447
  misconfigurations, 513
  MPLS, 610
  MPLS TE, 469, 472
  MTI, 442
  PRIs, 36, 263
  virtual access, 297
  virtual templates, 247
  VPNs, 440
  VRF, 454, 467
Intermediate System-to-Intermediate System. See IS-IS
Internet access
  interfaces, 440
  VPNs, 439
Internet Control Message Protocol (ICMP), 388
Internet Engineering Task Force (IETF), 214
Internet Key Exchange. See IKE
interprovider VPNs, 419. See also VPNs
IP (Internet Protocol)
  addresses
    local pools, 683
    misconfigurations, 700, 704
    mismatches, 644
    overlapping, 430
    peer LCCE misconfiguration, 393
    PPTP, 158
    virtual templates, 97
  backbones, 11
  connectivity, 117
  crypto access lists, 673
  L2TPv3 control message header over, 360
  pools
    creating, 46
    L2TP, 248
  VPNs, 419. See also VPNs
ip dfbit set command, 388
ip domain-name command, 678
ip local pool command, 683
ip ospf network point-to-point command, 447
ip pim sparse-dense-mode command, 465
ip pmtu command, 388
IP Security (IPSec), L2TP, 236
ip unnumbered command, 310
IPCP (Internet Protocol Control Protocol)
  CONFREQ, 93
  negotiation, 187
IPSec (IP Security), 655
  case studies, 736–746
  commands, 747–751
  configuration, 668
  IKE, 660–668
  L2TP, 236, 252–255
    disabling, 337
    over with preshared keys, 339
  lab solutions, 774–775
  MTU issues, 689–690
  NAT devices, 735
  remote access, 682–688
  SAs, 660, 721
  security protocols, 656–659
  site-to-site, 669–681
  technical overview of, 656–668
  transform sets, 671, 723
  troubleshooting, 690–692
  tunnels, 732

ISAKMP (Internet Security Association and Key Management Protocol), 660–661
    disabling, 702–703
    exchanges, 694
    firewalls, 705
    messages, 703
    preshared keys, 670
    re-enabling, 703
ISDN (Integrated Services Digital Network), 37
IS-IS (Intermediate System-to-Intermediate System)
    advertisements, 496
    loopback interfaces, 621
    MPLS backbone IGPs, 590
    PE routers, 450
IV (initialization vector), 722

K
keepalives
    L2F, 32
    L2TP, 233
    PPTP, 150
keys, 679
    IKE, 660. See also IKE
    L2F calculations, 16
    preshared key authentication, 663
keywords
    additive, 529
    any, 730

L
L (Cell Loss Priority, CLP) bit, 582
L2F (Layer 2 Forwarding) Protocol, 11
    commands, 122–126
        debug, 129–130
        show, 129–130
    Home Gateways, 43–48
    maintenance, 32
    management messages, 17–18
    messages
        L2F_CLOSE messages, 34
        L2F_CONF messages, 19, 21
        L2F_ECHO messages, 32
        L2F_OPEN message, 22, 25
    NAS, 35–43
    PPP, 58–69, 84–98
    sessions, 25–31, 80–84
    teardown, 34–35
    technical overview of, 12–17
    troubleshooting, 48–58
    tunneling, 18–25, 114, 122
        misconfiguration on AAA servers, 99–105
        troubleshooting, 69–80
    VPDNs, 126
L2TP (Layer Two Tunneling Protocol), 213. See also L2TPv2; L2TPv3
    AVPs, 213. See also AVPs
    case studies, 311
        AAA server unreachable, 331–342
        misconfiguration (AAA RADIUS servers), 312–322
        remote AAA authentication failure, 322–326
        remote AAA authorization failure, 326
    commands, 342–348
    compulsory tunnel mode, 237
    control messages, 220–227
    debug commands, 351
    error messages, 348–351
    establishment, 227
    hello messages, 233
    IPSec, 252–255
        disabling, 337
        over IPSec with preshared keys, 339
    keepalives, 233
    LAC
        call reception, 260–265
        PPP, 266–278
    LNS, 246
    maintenance, 232
    messages, 234–235
    negotiation, 297–311
    outgoing calls, 235–236
    security, 236
    sessions, 230–232, 290–297
    show commands, 351
    teardown, 233
    technical overview of, 215–220
    troubleshooting, 255
    tunnels, 278–290
    voluntary tunnel mode, 252
L2TP Access Concentrator. See LAC
l2tp hidden command, 229
L2TP Network Server. See LNS
L2TPv2 (Layer Two Tunneling Protocol Version 2), 773
L2TPv3 (Layer Two Tunneling Protocol Version 3), 357
    asymmetric payload types, 405
    class configuration, 377
    commands, 410–417
    configuration, 375–388
    control connections, 371–372
    maintenance, 373
    messages, 359–371
    MTU issues, 387–388
    sample configurations, 382–387
    sessions, 372
    SLI, 375
    teardown, 374
    technical overview of, 358
    troubleshooting, 389–409
L2TPv3 control connection endpoints (LCCEs), 359
lab routers
    configuration files, 768–770
    troubleshooting, 771–775
lab routers, 768. See also routers
lab solutions, troubleshooting, 771–775
Label Controlled ATM (LC-ATM) interfaces, 449
Label Distribution Protocol (LDP), 424, 428, 578
Label field, 422
Label Forwarding Information Base (LFIB), 424, 627
Label Information Base (LIB), 424
label switched path (LSP), 420
labels
    assignments, 508
    AToM, 577. See also AToM
    bindings
        advertisements, 502
        peer LSR, 628
        verifying, 626
    conditional advertisements, 506, 631
    distribution protocols, 428
    messages
        mapping, 584
        withdraw, 586
    MPLS, 422
    retention, 427
    stacks, 423
    VC exchanges, 578, 582–586, 636–645
LAC (L2TP Access Concentrator), 213
    call reception, 260–265
    configuration, 237, 243
    L2TPv3
        configuration, 375–388
        control connections, 371–373
        messages, 359–371
        sessions, 372
        SLI, 375
        teardown, 374
        technical overview of, 358
        troubleshooting, 389–410
    partial PPP authentication failures, 273
    PPP on, 266–278
Layer 2
    AToM, 577. See also AToM
    sublayers, 371
Layer 3, 419. See also VPNs
Layer Two Forwarding Protocol. See L2F
Layer Two Tunneling Protocol Version 2. See L2TPv2
Layer Two Tunneling Protocol Version 3. See L2TPv3
Layer Two Tunneling Protocol. See L2TP
LC-ATM (Label Controlled ATM) interfaces, 449
LC-ATM interfaces
    troubleshooting, 491
    VPI ranges, 625
LCCEs (L2TPv3 control connection endpoints), 359
    IP address misconfigurations, 393
    L2TPv3 sample configurations, 382–387
    routers
        dynamic sessions (L2TPv3), 376–380
        static sessions (L2TPv3), 380–382
    VCID mismatches, 403
LCP (Link Control Protocol)
    negotiation, 18, 228, 266
    proxy AVPs, 226
    troubleshooting, 58, 86, 169–176
lcp renegotiation command, 297
LDP (Label Distribution Protocol), 424, 428, 578
    access lists, 622
    AToM
        loopback interfaces, 588
        Router ID, 589
        specifying, 589
    authentication
        mismatches, 499
        troubleshooting, 624
    configuration, 448
    control VC mismatches, 616
    mismatches, 488
    neighbor discovery
        peer PE routers, 637
        troubleshooting, 611
    password mismatches, 500
    PE routers, 637
    sessions
        PE routers, 639
        troubleshooting, 493, 618
    tunnel LSP establishment, 611
    updating, 447
    VC label exchanges, 582–586
leaking packets, 439
LFIB (Label Forwarding Information Base), 424, 504, 627
LIB (Label Information Base), 424
liberal label retention, 427
limitations, sessions, 83
Link Control Protocol. See LCP
LNS
    AAA servers unreachable from, 331–342
    CDN, 293
    configuration, 246, 252
    L2TP, 246, 252
    L2TPv3
        control connections, 371–373
        messages, 359–371
        sessions, 372
        SLI, 375
        teardown, 374
        technical overview of, 358
    RADIUS
        authentication failures, 322
        authorization failures, 326
    VPDNs, 246
LNS (L2TP Network Server), 5, 213
loading configuration files, 767–771
local authentication
    configuration, 44
    LNS, 249
    PAC, 158
local IP address pool configuration, 683
local username database configuration, 682
locating LSP tunnels, 607
loopback interfaces. See also interfaces
    AToM, 588
    configuration, 376
    IS-IS, 621
    PE routers, 447
loss of alarm signals, 262
loss of signals, 54
LSPs (label switched paths), 420
    AToM, 607
    independent control, 425
    MPLS VPNs, 481–511
    ordered control, 425
    tunnels, 611, 626
LSRs (label switching routers)
    downstream, 426
    label retention, 427
    LDP
        neighbor discovery failures, 611
        session failures, 618
    penultimate hop popping, 421

M
Magic Cookie field, 139
Magic Numbers, 59
main mode negotiation, 663
    failure of, 692–718
    RSA signature authentication, 664
maintenance. See also troubleshooting
    L2F, 32
    L2TP, 232
    L2TPv3, 373
    PPTP, 148–150
    tunneling, 32
management
    IKE, 660–668
    L2F messages, 17–18
mandatory (M) bits, 221
maps, 678
    ACCM, 227
    crypto
        applying to interfaces, 674, 686
        configuration, 674
        deleting, 698
        DN, 730
        troubleshooting, 698
    dynamic crypto, 685
    export map misconfiguration, 526
    import
        deleting, 531
        ingress PE routers, 529
label messages, 584
Maximum Segment Size (MSS), 690
Maximum Transmission Unit (MTU), 387–388
MD (Multicast Domains), 441
MD5 (Message Digest 5)
    hash algorithms, 712
    calculating, 19
Message Digest 5. See MD5
Message Type AVP, 222
messages
    CDN, 233, 364
    control channels (ZLB Ack), 216
    Echo-Reply (PPTP), 149
    Echo-Request (PPTP), 148
    error. See error messages
    hello (L2TP), 233
    ICMP, 388
    ICRP, 230
    ICRQ, 230
    ISAKMP, 661, 703
    L2F, 17–18
    L2F_CLOSE, 34
    L2F_CONF, 19, 21
    L2F_ECHO, 32
    L2F_OPEN, 22, 25
    L2TP, 220–227, 234–235
    L2TPv3, 359–371
    labels, 584–586
    OCCN, 235
    OCRP, 144, 235
    OCRQ, 142–146, 235
    PPTP, 154
    PPTP Control, 138
    SCCCN, 229, 372
    SCCRP, 229, 371
    SCCRQ, 139, 229, 371
    SLI, 234, 375
    StopCCN, 234, 364
    TERMACK, 90
    TERMREQ, 90
    WEN, 234
Microsoft CA servers, configuration, 679
Microsoft Point-to-Point Compression (MPPC), 93
Microsoft Point-to-Point Encryption (MPPE)
    attributes not returned, 197–203
    negotiation, 180
MID (multiplex ID), 14
midpoint router configuration, 472
misconfigurations
    crypto access lists, 699
    export maps, 526
    interfaces, 513
    IP addresses, 704
    L2TP, 312–322
    peer addresses, 700
    peer IP addresses, 644
    peer LCCE IP addresses, 393
    preshared keys, 714
    static routes, 514
mismatches
    authentication password, 624
    IKE policies, 709
    IP addresses, 644
    IPSec transform sets, 723
    LDP, 488
        authentication, 499
        passwords, 500
    MTU, 643
    peer LCCE VCIDs, 403
    proposals, 711
    targets, 525
    VC ID, 642
    VC types, 640
    VPDN, 72, 281
MMP (Multichassis Multilink PPP), 213
models
    DoD, 4
    L2TPv3. See L2TPv3
    OSI, 4
    VPNs. See VPNs
modems, verifying call reception, 56. See also connections
modes
    aggressive negotiation, 665
    AH, 657
    ESP, 658
    main, 663, 692–718
    MPLS, 422–423
    PIM-DM, 442
    PIM-SM, 442
    quick, 668, 719–733
modification
    AAA, 44, 683
    access lists, 729
    asynchronous group interfaces, 38
    asynchronous interfaces, 240
    asynchronous lines
        L2TP, 239
        parameters, 37
    AToM, 588
        CEF, 588
        LDP Router ID, 589
        loopback interfaces, 588
        MPLS backbone IGPs, 590–591
        MPLS core interfaces, 589–590
        pseudowires, 591–597
        sample configurations, 597–605
        specifying LDP, 589
        troubleshooting, 605, 635
        VC label exchanges, 636–645
    attachment circuits, 378, 381
    backbones, 449
    CE routes, 446
    CHAP, 240
    classes, 377
    clocks, 678
    control channels, 138–142
    core interfaces, 467
    crypto access list, 673
    crypto maps, 674
    D channels, 238
    DNS addresses, 46
    dynamic crypto maps, 685
    dynamic sessions, 376–380
    E1/T1 controllers, 36, 238
    EBGP, 457
    EIGRP, 455
    Frame Relay trunks, 379
    gateways, 687
    global BGP parameters, 451
    global ISDN parameters, 37
    HDLC, 596
    IKE policies, 670, 681, 683
    IP pools, 46
    IPSec VPNs, 668
        MTU issues, 689–690
        remote access, 682–688
        site-to-site, 669–681
        transform sets, 685
        troubleshooting, 690–692
    ISDN D channels, 37
    IS-IS, 590
    L2F
        Home Gateways, 43–48
        maintenance, 32
        management messages, 17–18
        NAS, 35–43
        PPP negotiation, 84–98
        PPP on NAS, 58–69
        sessions, 25–31, 80–84
        teardown, 34–35
        technical overview of, 12–17
        troubleshooting, 48–58
        tunneling, 18–25, 69–80
    L2TP
        call reception, 260–265
        case studies, 311
        compulsory tunnel mode, 237, 245
        IPSec, 252–255
        LNS, 246, 252
        negotiation, 297–311
        PPP on LAC, 266–278
        sessions, 290–297
        troubleshooting, 255, 260
        tunnels, 278–290
        voluntary tunnel mode, 252
    L2TPv3, 375–388
        MTU issues, 387–388
        sample configurations, 382–387
        troubleshooting, 389–410
    LAC, 237, 243
    LDP, 448
    LNS, 245
    local authentication, 44, 249
    local username databases, 682
    MDTs, 466
    Microsoft CA servers, 679
    MPLS, 451
    MPLS Layer 3 VPNs, 445–459
        P routers, 462–464
        PE routers, 459–462
    MVPNs, 464–468
    OSPF, 456
    P routers, 465
    PAC, 158
    PE routers, 446, 450
    PE-CE routing protocols, 454
    PFS, 667
    PIM, 467
    PPTP, 155–159
        PPP negotiation, 146–148
        sessions, 142–146
    preshared keys, 670
    pseudowires
        classes, 377, 380
        troubleshooting AToM, 636
    remote AAA, 39
        case studies, 98–114
        L2TP, 241
        LNS, 249
    routers, 767–771
    SKYDANCE_POOL, 249
    split tunneling access lists, 684
    static routes, 454, 458
    static sessions, 380–382
    TDP/LDP router IDs, 448
    TE tunnels
        between P routers, 472
        MPLS VPNs, 468–473
    transform sets, 253, 671
    tunneling, 40, 44
    VRFs, 454
    virtual templates, 45, 247
    VPDNs
        groups, 40, 44
        L2TP, 242
        LNS, 246
    WINS addresses, 46
moving configuration files, 771
MP (Multilink PPP), 135
MP-BGP (Multiprotocol Extensions for BGP-4), 428
MP-BGP, 429
    activating, 452
    redistribution, 531
    route redistribution, 458, 531
MPLS (multiprotocol label switching)
    AAL5 over MPLS configuration, 594
    AToM, 507, 609
    backbone IGPs, 590–591
    control planes, 425
    core interfaces, 589–590
    data planes, 425
    disabling, 609
    forwarding, 421
    HDLC over MPLS encapsulation, 596
    interfaces, 610
    lab solutions, 773–774
    labels, 422
    Layer 3 VPNs
        configuration, 445–459
        P router configuration, 462–464
        PE router sample configuration, 459–462
        technical overview of, 420–445
    modes, 422
        cell-mode, 423
        frame-mode, 422
    OSPF configuration, 451
    TE tunnel configuration, 468–473
    verifying, 484
    VPNs
        case studies, 536–560
        commands, 560–571
        troubleshooting, 473–536
mpls ip command, 449, 589, 611
mpls label protocol ldp command, 589
mpls ldp advertise-labels command, 630
MPPC (Microsoft Point-to-Point Compression), 93, 182
MPPE (Microsoft Point-to-Point Encryption)
    attributes not returned, 197–203
    negotiation, 180
MRRU (Multilink-Maximum-Reconstructed-Receive-Unit), 269
MSS (Maximum Segment Size), 690
MTI (Multicast Tunnel Interface), 442
MTU (Maximum Transmission Unit), 387
    AToM, 602
    IPSec VPNs, 689–690
    L2TPv3, 387–388
    mismatches, 643
mtu command, 248
Multicast Domains (MD), 441
Multicast Tunnel Interface (MTI), 442
Multicast VPNs (MVPNs), 441. See also VPNs
Multicast VRF (MVRF), 442
multicasting, enabling, 466
Multichassis Multilink PPP (MMP), 213
Multilink PPP (MP), 135
Multilink-Endpoint-Discriminator (ED), 270
Multilink-Maximum-Reconstructed-Receive-Unit (MRRU), 269
multiple sessions, tunneling, 15
multiplex ID (MID), 14
Multiprotocol Extensions for BGP-4 (MP-BGP), 428
multiprotocol label switching. See MPLS
MVPNs (Multicast VPNs), 441. See also VPNs
    CE routers, 464
    configuration, 464–468
    PE routers, 465, 467
MVRF (Multicast VRF), 442, 466

N
names
    domains
        routers, 678
        VPDNs, 67
    hostnames, 678
NAS (Network Access Server), 11
    call reception, 52
    L2F
        configuration, 35–43
        PPP, 58–69
        sessions, 80–84
        tunneling, 69–80
    L2F_OPEN, 22, 25
    LCP negotiation failures, 58
    PPP frames, 29
NAT (Network Address Translation), 359, 735
NCP (Network Control Protocol), 58, 231
    failure on LNS, 304
    troubleshooting, 91, 180–197
negotiation
    aggressive mode, 665
    CCP, 184
    IKE
        remote VPN client failure, 740
        SAs, 712
    IPCP, 187
    L2TP
        case studies, 311
        troubleshooting, 297–311
    LCP, 18, 228, 266
    main mode, 663, 692–718
    MPPE, 180
    NCP, 58, 91, 180–197, 231
    PPP, 146–148
    quick mode, 668, 719–733
    termination, 185
    troubleshooting, 58, 86, 169–176
neighbors
    LDP, 494, 611, 637
    MP-BGP, 452
Network Access Server. See NAS
Network Control Protocol. See NCP
Network Time Protocol (NTP), 678
networks
    baselining, 3
    MPLS, 577
no auto-summary command, 453
no mpls ldp advertise-labels command, 504
no vpdn softshut command, 296
NONCE payloads, 663, 720
NTP (Network Time Protocol), 678

O
O (Offset) bits, 360
Oakley Key Determination Protocol (RFC 2412), 660
OCCN (Outgoing-Call-Connected) messages, 235
OCRP (Outgoing-Call-Reply) messages, 144, 235
OCRQ (Outgoing-Call-Request) messages, 142–146, 235
offload servers, L2F tunnel failures, 114, 122
Offset pad field, 219
Offset size field, 219
Open Shortest Path First. See OSPF
Open Systems Interconnection. See OSI
optimization
    L2F management messages, 17
    MDT, 444
options
    AAA, 44, 683
    access lists, 729
    asynchronous group interfaces, 38
    asynchronous interfaces, 240
    asynchronous lines
        L2TP, 239
        parameters, 37
    AToM, 588
        CEF, 588
        LDP Router ID, 589
        loopback interfaces, 588
        MPLS backbone IGPs, 590–591
        MPLS core interfaces, 589–590
        pseudowires, 591–597
        sample configurations, 597–605
        specifying LDP, 589
        troubleshooting, 605, 635
        VC label exchanges, 636–645
    attachment circuits, 378, 381
    backbones, 449
    CE routes, 446
    CHAP, 240
    classes, 377
    clocks, 678
    control channels, 138–142
    core interfaces, 467
    crypto access list, 673
    crypto maps, 674
    D channels, 238
    DNS addresses, 46
    dynamic crypto maps, 685
    dynamic sessions, 376–380
    E1/T1 controllers, 36, 238
    EBGP, 457
    EIGRP, 455
    Frame Relay trunks, 379
    gateways, 687
    global BGP parameters, 451
    global ISDN parameters, 37
    HDLC, 596
    IKE policies, 670, 681, 683
    IP pools, 46
    IPSec VPNs, 668
        MTU issues, 689–690
        remote access, 682–688
        site-to-site, 669–681
        transform sets, 685
        troubleshooting, 690–692
    ISDN D channels, 37
    IS-IS, 590
    L2F
        Home Gateways, 43–48
        maintenance, 32
        management messages, 17–18
        NAS, 35–43
        PPP negotiation, 84–98
        PPP on NAS, 58–69
        sessions, 25–31, 80–84
        teardown, 34–35
        technical overview of, 12–17
        troubleshooting, 48–58
        tunneling, 18–25, 69–80
    L2TP
        call reception, 260–265
        case studies, 311
        compulsory tunnel mode, 237, 245
        IPSec, 252–255
        LNS, 246, 252
        negotiation, 297–311
        PPP on LAC, 266–278
        sessions, 290–297
        troubleshooting, 255, 260
        tunnels, 278–290
        voluntary tunnel mode, 252
    L2TPv3, 375–388
        MTU issues, 387–388
        sample configurations, 382–387
        troubleshooting, 389–410
    LAC, 237, 243
    LDP, 448
    LNS, 245
    local authentication, 44, 249
    local username databases, 682
    MDTs, 466
    Microsoft CA servers, 679
    MPLS, 451
    MPLS Layer 3 VPNs, 445–459
        P routers, 462–464
        PE routers, 459–462
    MVPNs, 464–468
    OSPF, 456
    P routers, 465
    PAC, 158
    PE routers, 446, 450
    PE-CE routing protocols, 454
    PFS, 667
    PIM, 467
    PPTP, 155–159
        PPP negotiation, 146–148
        sessions, 142–146
    preshared keys, 670
    pseudowires
        classes, 377, 380
        troubleshooting AToM, 636
    remote AAA, 39
        case studies, 98–114
        L2TP, 241
        LNS, 249
    routers, 767–771
    SKYDANCE_POOL, 249
    split tunneling access lists, 684
    static routes, 454, 458
    static sessions, 380–382
    TDP/LDP router IDs, 448
    TE tunnels
        between P routers, 472
        MPLS VPNs, 468–473
    transform sets, 253, 671
    tunneling, 40, 44
    VRFs, 454
    virtual templates, 45, 247
    VPDNs
        groups, 40, 44
        L2TP, 242
        LNS, 246
    WINS addresses, 46
ordered LSP control, 425
OSI (Open Systems Interconnection), 4
OSPF (Open Shortest Path First)
    configuration, 456
    MPLS
        backbone IGPs, 591
        configuration, 451
outbound traffic, 439
outgoing calls, L2TP, 235–236
Outgoing-Call-Connected (OCCN) messages, 235
Outgoing-Call-Reply (OCRP) messages, 144, 235
Outgoing-Call-Request (OCRQ) messages, 142–146, 235
overlaps
    IP address spaces, 430
    VPI ranges, 625
overlay VPN models, 419

P
P (Priority) bits, 360
P routers
    configuration, 462–464
    MVPN configuration, 465
    TE tunnels, 472
PAC (PPTP Access Concentrator), 135
    CONFREQ, 170
    local authentication, 158
    PPTP termination, 153
packets
    AH, 657
    control channels, 138–142
    Echo-Reply messages, 149
    Echo-Request messages, 148
    ESP, 658–659
    L2F formats, 12
    L2TPv3, 376. See also L2TPv3
    leaking, 439
    MTU, 602
    OCRQ messages, 142–146
    payload options, 17
    PPTP
        maintenance, 148–150
        messages, 154
        termination, 150–153
    SLI, 154
    StopCCRQ fields, 152
    TCP SYN, 690
    tunneling, 16
parameters
    asynchronous lines configuration, 37, 239
    global ISDN configuration, 37
    interfaces, 469
partial authentication, 228
partial PPP authentication failures, 64, 273
passwords
    authentication, 624
    LDP mismatches, 500
    reconfiguration, 90, 107
    tunnel reconfiguration, 79
pasting configuration files, 771
Path MTU Discovery (PMTUD), 689
payloads, 662
    asymmetric L2TPv3 types, 405
    NONCE, 663, 720
    packet options, 17
PDUs (protocol data units), 577
PE (provider edge) routers, 358
    advertisements, 512
    AToM
        CEF, 588
        configuration, 588
        LDP Router ID, 589
        loopback interfaces, 588
        MPLS backbone IGPs, 590–591
        MPLS core interfaces, 589–590
        pseudowires, 591–597
        sample configurations, 597–605
        specifying LDP, 589
        troubleshooting, 605, 635
        VC label exchanges, 636–645
    CE route advertisement, 534
    configuration, 446
    import maps, 529
    installation, 520
    IS-IS configuration, 450
    MP-BGP route redistribution, 531
    MVPNs, 465–468
    routers
        configuration, 459–462
        IP address mismatches, 644
        LDP, 637
        LDP session failures, 639
    TE tunnels, 468–472
    VC label exchanges, 582–586
    VRF, 433
PE-CE routing protocol
    configuration, 454
    MP-BGP redistribution, 531
    troubleshooting, 514–516
peer address misconfigurations, 700
peer IP addresses reconfiguration, 704
peer LACs, 359
peer LCCEs
    sample L2TPv3 configurations, 382
    VCID mismatches, 403
peer LSRs, 628
peer PE routers, 644
peers
    adding default routes, 697
    DN-based crypto maps, 730
    IPSec
        troubleshooting, 704
        tunneling, 733–736
    LC-ATM interfaces, 625
    LDP authentication, 499
    tunnel maintenance, 32
peer-to-peer VPN model, 419
penultimate hop popping, 421
Perfect Forward Secrecy (PFS), 667
permanent virtual path (PVP), 380
PERRIS_POOL (IP pool), 46
PFC (Protocol Field Compression), 59, 268
PFS (Perfect Forward Secrecy), 667
PIM (Protocol Independent Multicast), 428
    adjacencies, 442
    BGP, 467
    CE routers, 464
    PE routers, 465, 467
    VRF interfaces, 467
PIM Bi-directional (PIM-BIDIR), 442
PIM Dense Mode (PIM-DM), 442
PIM Source Specific Multicast (PIM-SSM), 442
PIM Sparse-Mode (PIM-SM), 442
PIM-BIDIR (PIM Bi-directional), 442
PIM-DM (PIM Dense Mode), 442
PIM-SM (PIM Sparse-Mode), 442
PIM-SSM (PIM Source Specific Multicast), 442
ping command, 6–8, 117, 704. See also troubleshooting
    MPLS VPNs, 476–479
    tunnel LSP location, 607
placement of crypto maps, verifying, 698
platforms, routers, 767
PMTUD (Path MTU Discovery), 689
PNS (PPTP Network Server), 135
Point-of-Presence (POP), 135, 213
Point-to-Point Tunneling Protocol. See PPTP
policies
    IKE, 712
        AAA, 686
        configuration, 670, 681, 683
        mismatches, 709
    VPN client group profiles, 684
pools (IP), 683
    creating, 46
    L2TP, 248
    PPTP, 158
POP (Point-of-Presence), 135, 213
port mode, ATM cell relay, 596
ports, Ethernets, 592
port-to-port connections, Frame Relay, 593
PPP (Point-to-Point Protocol), 11
    authentication, 301
    autodetection, 239
    control words, 582
    encapsulation, 240, 380
    frames, 29
    L2F negotiation, 84–98
    LAC, 266–278
    MMP, 213
    MP, 135
    NAS, 58–69
    negotiation, 146–148
    partial authentication failures, 64
    PPTP, 135
    teardown, 89
    troubleshooting, 86, 176–180
PPTP (Point-to-Point Tunneling Protocol), 135
    authentication, 176–180
    case studies
        MPPE att
 attributes not returned, 197–203
        split tunnels, 203
    commands, 204–210
    configuration, 155–159
    control channels
        configuration, 138–142
        troubleshooting, 163–168
    debug commands, 210
    frame forwarding, 146–148
    keepalives, 150
    LCP negotiation, 169–176
    maintenance, 148–150
    messages, 154
    NCP negotiation, 180–197
    PPP negotiation, 146–148
    sessions
        configuration, 142–146
        troubleshooting, 163–168
    show commands, 210
    technical overview of, 137
    termination, 150–153
    troubleshooting, 159–162
    virtual interfaces, 168–169
    virtual templates, 156
PPTP Access Concentrator. See PAC
PPTP Network Server. See PNS
preshared key authentication, 665
preshared keys
    adding, 702
    authentication, 663, 713
    compulsory tunnel mode, 252–254
    configuration, 670
    L2TP, 339
    misconfigurations, 714
    responders, 707
    site-to-site IPSec VPNs, 675
    troubleshooting, 701
    voluntary tunnel mode, 255
PRI (Primary Rate Interface), 36, 263
profiles, VPN client group policies, 684
proposals
    acceptances, 693
    mismatches, 711
Protocol Field Compression (PFC), 59, 268
Protocol Independent Multicast (PIM), 428
protocol none command, 381
protocols
    BGP, 447
    CCP, 93
    CHAP
        configuration, 240
        L2F tunnel establishment, 18
    CR-LDP, 424
    ICMP, 388
    L2F, 11
    L2TP, 213
        call reception, 260–265
        case studies, 311
        compulsory tunnel mode, 237, 245
        control messages, 220–227
        establishment, 227, 229
        IPSec, 252–255
        LNS, 246, 252
        maintenance, 232
        messages, 234–235
        outgoing calls, 235–236
        PPP on LAC, 266–278
        security, 236
        sessions, 230–232, 290–311
        teardown, 233
        technical overview of, 215–220
        troubleshooting, 255, 260
        tunnels, 278–290
        voluntary tunnel mode, 252
    L2TPv3, 357
    label distribution, 428
    LCP negotiation, 18
    LDP, 424, 428, 578
        configuration, 448
        updating, 447
    NCP negotiation, 58, 91, 231
    NTP, 678
    PE-CE routing, 454, 514–516
    PPP, 11
        forwarding frames, 29
        NAS, 58–69
        partial authentication failures, 64
    PPTP, 135
    RSVP, 424
    security, 656–659. See also IPSec; security
    SLIP, 11
    TDP, 424, 428, 578
    VPDN mismatches, 72, 281
provider edge. See PE routers
provisioning MPLS VPNs, 430
Proxy LCPs, 226
pseudowires
    AToM, 591–597
        control words, 580
        troubleshooting, 636
    classes, 377, 380
PVP (permanent virtual path), 380

Q
quick mode negotiation, 668, 719–733

R
RA (Registration Authority), 679
RADIUS (Remote Authentication Dial-In User Service), 241
    authentication failures, 105–109, 322–326
    authorization failures, 109–114, 326, 331
    L2TP misconfiguration, 312–322
    server unreachable from LNS, 331
ranges, troubleshooting, 625
RD (Route Distinguisher), 430–432
reconfiguration. See also configuration
    authentication, 178
    crypto access lists, 700
    hash algorithms, 724
    passwords, 90, 107
    peer IP addresses, 704
    tunnel passwords, 79
    usernames, 90
    VPDN groups, 284
redistribute command, 533
redistribute rip command, 458
redistribution
    MP-BGP, 458, 531
    routes, 518
re-enabling ISAKMP, 703
reference models, 4
Registration Authority (RA), 679
remote AAA, 44. See also AAA
    authentication failures, 105–109
    authorization failures, 109–114
    case studies, 98–114
    configuration, 39
    L2TP configuration, 241
    LNS, 249
remote access clients. See also access; clients
    CONFACK, 269
    disconnections, 293
    PPP negotiation failures, 84–98
    PPTP, 137
        maintenance, 148–150
        messages, 154
        termination, 150–153
remote access IPSec VPNs configuration, 655, 682–688
remote alarms, E1 controllers, 54
Remote Authentication Dial-In User Service. See RADIUS
remote clients, LCP negotiation failures, 58
remote VPN clients, IKE negotiation failures, 740
reports, alarms, 54
Resource Reservation Protocol (RSVP), 424, 428
responders
    preshared keys, 707
    quick mode, 720
Result Code AVPs, 222, 364
result codes
    CDN
        messages, 223
        verifying from, 294
    PPTP, 141
    StopCCN messages, 223
retention of labels, 427
RIP (Routing Information Protocol), 454
Route Distinguisher (RD), 430
Route Target (RT), 434
router isis command, 450
router ospf 100 command, 451
routers
    AToM
        CEF, 588
        configuration, 588
        LDP Router ID, 589
        loopback interfaces, 588
        MPLS backbone IGPs, 590–591
        MPLS core interfaces, 589–590
        pseudowires, 591–597
        sample configurations, 597–605
        specifying LDP, 589
        troubleshooting, 605, 635
        VC label exchanges, 636–645
    CA enrollment, 680
    CE
        configuration, 446
        MVPNs, 464
    clocks, 678
    configuration, 767–771
    domains, 678
    hostnames, 678
    ID configuration, 448
    L2TPv3
        configuration, 375–388
        dynamic sessions, 376–380
        static sessions, 380–382
        troubleshooting, 389–410
    LCCE configuration, 382–387
    P
        configuration, 462–464
        MVPNs, 465
        TE tunnels, 472
    PE, 358
        configuration, 446, 459–462
        import maps, 529
        IP address mismatches, 644
        IS-IS, 450
        LDP, 637
        LDP session failures, 639
        MP-BGP redistribution, 531
        MVPNs, 464–468
        TE tunnels, 468–472
        VRF, 433
    platforms, 767
    responders, 707
    VC label exchanges, 582–586
routes
    default, 697
    MP-BGP
        activating, 452
        redistribution, 458, 518
    PE to CE advertisement, 534
    static
        configuration, 454, 458
        packet leaking, 439
        troubleshooting, 514
    VPNs, 436, 511–536
routing
    initiators, 697
    PE-CE protocols, 454
    VPNs, 433
    VRF, 433
RSA key pairs, generating, 679
RSA signature authentication, 664–666
RSVP (Resource Reservation Protocol), 424, 428
RT (Route Target), 434

S
SAD (Security Association Database), 660
sample configurations, AToM, 597–605
SAs (security associations), 660
    IKE, 660–668, 712
    IPSec, 721
SCCCN (Start-Control-Connection-Connected), 229
SCCRP (Start-Control-Connection-Reply), 229, 371
SCCRQ (Start-Control-Connection-Request), 139, 229, 371
secrets, tunneling, 40, 44
security
    firewalls, 359
    IPSec, 655
        configuration, 668
        IKE, 660–668
        MTU issues, 689–690
        remote access, 682–688
        SAs, 660
        security protocols, 656–659
        site-to-site, 669–681
        technical overview of, 656–668
        troubleshooting, 690–692
    L2TP, 236
Security Association Database (SAD), 660
security associations. See SAs
Security Parameter Index (SPI), 660, 721
Security Policy Database (SPD), 660
sequences, PPTP tunnel setup, 162
servers
    AAA. See also AAA
        misconfigurations, 99–105
        unreachable from LNS, 331–342
    addresses
        configuration, 46
        L2TP, 248
        PPTP, 158
    certificate maps, 678
    L2TP, 213
    LNS, 5
    Microsoft CA, 679
    NAS, 11
    offload, 114, 122
    PNS, 135
service password-encryption command, 79
Session IDs, 219
sessions
    data message headers, 369
    dynamic
        L2TPv3, 376–380
        troubleshooting, 400
    failure codes, 35
    L2F, 25–31, 80–84
    L2TP, 230–232, 290–297
    L2TPv3, 372
        sample configurations, 382–387
        teardowns, 374
        troubleshooting, 408
    LDP
        blocking access lists, 622
        PE routers, 639
        troubleshooting, 493, 618
        VC label exchanges, 582–586
    management AVPs, 367
    PPTP
        configuration, 142–146
        messages, 154
        termination, 150–153
        troubleshooting, 163–168
    static, 380–382
Set-Link-Info (SLI)
    messages, 234, 375
    packets, 154
SHA-1 authentication, 253
shim headers, 422
show adjacency detail command, 561
show atm vc command, 565
show caller user command, 64, 90, 97, 267, 311
show clock command, 716
show commands, 6–8
    IPSec, 750–751
    L2F, 129–130
    L2TP, 351
    MPLS VPNs, 569–571
show controller e1 command, 262
show crypto ca certificates command, 716
show crypto engine connections active command, 747
show crypto ipsec dynamic-map command, 748
show crypto ipsec sa command, 726
show crypto ipsec security-association lifetime command, 749
show crypto ipsec transform-set command, 724
show crypto isakmp key command, 701
show crypto isakmp sa command, 695
show crypto key mypubkey rsa command, 747
show crypto key pubkey-chain rsa command, 748
show crypto map tag command, 698–699
show ip access-lists command, 490, 530, 615, 706, 734
show ip bgp neighbors command, 522
show ip bgp vpnv4 vrf vrf_name command, 518, 524
show ip bgp vpnv4 vrf vrf_name labels command, 565
show ip cef command, 481, 609
show ip cef summary command, 509
show ip interface command, 705
show ip rip database vrf command, 532
show ip route command, 535, 697
show ip route vrf vrf_name static command, 515
show ip vrf detail vrf_name command, 526
show ip vrf interfaces command, 513
show isdn status command, 53–54, 261
show l2tun session all command, 411
show l2tun tunnel all command, 410
show mpls atm-ldp capability command, 564
show mpls forwarding-table command, 504, 627
show mpls interfaces command, 609
show mpls l2transport binding command, 648
show mpls l2transport hw-capability interface interface_name command, 647
show mpls l2transport summary command, 647
show mpls l2transport vc command, 642
show mpls l2transport vc vcid detail command, 636
show mpls ldp bindings command, 503, 628, 630–631
show mpls ldp discovery command, 489, 613
show mpls ldp neighbor command, 494, 618, 639
show mpls ldp parameters command, 563
show ppp mppe virtual-access number command, 206
show ppp multilink command, 116, 121
show route-map command, 528
show running-config command, 67, 283
show user command, 63
show vpdn command, 204
show vpdn history failure command, 122, 342
show vpdn session all command, 179, 343
show vpdn session command, 81, 205, 292
show vpdn tunnel all command, 68, 70, 79, 167, 277,
show vpdn tunnel command, 120, 205
shutdown, tunnels, 283
signals
    loss, 54
    loss of alarm, 262
signatures, RSA authentication, 664
site-to-site IPSec VPN configuration, 669–681
site-to-site VPNs, 655
SKEME (Secure Key Exchange Mechanism for the Internet), 660
SKYDANCE_POOL, creating, 249
SLI (Set-Link-Info)
    messages, 234, 375
    packets, 154
SLIP (Serial Line Internet Protocol), 11
SMI Network Management Private Enterprise Codes (RFC 1700), 221, 363
solutions, troubleshooting labs, 771–775
SPD (Security Policy Database), 660
specifying LDP (AToM), 589
SPI (Security Parameter Index), 660, 721
split tunneling access lists, 684
split tunnels, PPTP, 203–204
stack (S) bits, 422
stacks, labels, 423
Start-Control-Connection-Connected (SCCCN), 229, 372
Start-Control-Connection-Reply (SCCRP), 229, 371
Start-Control-Connection-Request (SCCRQ), 139, 229, 371
statements, deny any, 490
static routes
    configuration, 454, 458
    packet leaking, 439
    troubleshooting, 514
static sessions (L2TPv3)
    configuration, 380–382
    troubleshooting, 408
StopCCN (Stop-Control-Connection-Notification) message, 234, 364
StopCCRQ packet fields, 152
sublayers, Layer 2, 371
switches, global ISDN parameters, 37
switching
    Frame Relay, 378
    MPLS, 577

T
T (transport type) bit, 581
T1, L2TP configuration, 238
tables
    BGP, 520
    CEF, 424
    VRF, 433
TACACS+ (Terminal Access Controller Access-Control System Plus), 241
Tag Distribution Protocol (TDP), 424, 428, 578
tail-end router configuration, 472
target mismatches, 525
TDP (Tag Distribution Protocol), 424, 428, 578
TDP/LDP router IDs, configuration, 448

TE (traffic-engineering) tunnels, 423
    MPLS VPN, 468–473
    P routers, 472

teardown
    L2F tunneling, 34–35
    L2TP, 233
    L2TPv3, 374
    PPP connections, 89

templates (virtual)
    cloning, 85
    configuration, IP addresses, 97
    creating, 45
    PPTP, 156

Terminal Access Controller Access Control System Plus (TACACS+), 241

Terminate-Acks (TERMACKs), 67, 90
Terminate-Request (TERMREQ), 90, 275
Terminate-Requests (TERMREQs), 67
termination
    negotiation, 185
    PPTP, 150–153

testing IP connectivity, 117
time zone configuration, 678
Time-to-Live (TTL), 422
tools, 6–8
top-down troubleshooting, 5
topologies
    baselining, 3
    carrier’s carrier, 419
    IPSec VPNs, 690
    MPLS Layer 3 VPNs, 419

traceroute command, 6–8, 476–479
traffic
    crypto access lists, 673
    IPSec, 733–736
    VPNs, 437

traffic-engineering. See TE tunnels
transform sets
    configuration, 253
    IPSec, 671, 685
    mismatches, 723

transparent forwarding, 11
transports
    AToM Layer 2 PDU, 578, 582
    connections, 583
    control words, 580
    Frame Relay, 579

trees
    default MDT, 443
    MDT, 442

Triple DES (3DES), 658
troubleshooting
    AToM, 605, 635
        VC label exchanges, 636–645
        troubleshooting, 645–652
    authentication tunnels, 285
    CAs, 736
    certificate authentication, 714
    clocks, 716–717
    commands, 747–751
    crypto maps, 698
    IGP backbones, 479–481
    IKE, 713
    IPCP negotiation, 187
    IPSec
        tunneling, 733–736
        VPNs, 689–692
    ISAKMP messages, 703
    L2F, 48–58, 122–126
        error messages, 126
        Home Gateway configuration, 43–48
        maintenance, 32
        management messages, 17–18
        NAS configuration, 35–43
        PPP, 58–69, 84–98
        sessions, 25–31, 80–84
        teardown, 34–35
        technical overview of, 12–17
        tunneling, 18–25, 69–80
    L2TP, 255, 260
        call reception, 260–265
        case studies, 311
        commands, 342–348
        negotiation, 297–311
        PPP on LAC, 266–278
        sessions, 290–297
        tunnels, 278–290
    L2TPv3, 389–410, 410–417
    lab solutions, 771–775
    LC-ATM interfaces, 491
    LCP negotiation, 58, 86
    LDP sessions, 493
    LSP, 481–511
    MPLS VPNs, 420–445, 473–536


        case studies, 536–560
        commands, 560–571
    MPPE negotiation, 180
    MTUs, 387–388
    NCP negotiation, 91
    partial PPP authentication, 273
    PE-CE routing protocols, 514, 516
    PPP partial authentication failures, 64
    PPTP, 159–162
        authentication, 176–180
        commands, 204–210
        control channels, 163–168
        debug commands, 210
        LCP negotiation, 169–176
        NCP negotiation, 180–197
        sessions, 163–168
        show commands, 210
        virtual interfaces, 168–169
    preshared keys, 701
    routing initiators, 697
    split tunnels, 203–204
    static routes, 514
    tools, 6–8
    tunneling authentication failures, 74
    types of, 5
    VPDN protocol mismatches, 72
    VPN advertisements, 511–536

trunks
    Frame Relay, 379
    switching, 378

TTL (Time-to-Live), 422
Tunnel IDs, 218
tunnel path-mtu-discovery command, 689
tunnel protection command, 675
tunneling
    authentication, 74, 285
    failure codes, 35
    IPSec
        establishing, 732
        traffic, 733–736
        troubleshooting, 730
    L2F, 18–25
        maintenance, 32
        multiple sessions, 15
        teardown, 34–35
        troubleshooting, 69–80
    L2TP, 213
        call reception, 260–265
        compulsory tunnel mode, 237, 245
        control messages, 220–227
        establishment, 227, 229
        IPSec, 252–255
        LNS, 246, 252
        maintenance, 232
        messages, 234–235
        outgoing calls, 235–236
        PPP on LAC, 266–278
        security, 236
        sessions, 230–232
        teardown, 233
        technical overview of, 215–220
        troubleshooting, 255, 260, 278–290
        voluntary tunnel mode, 252
    labels, 626
    LSP
        locating, 607
        troubleshooting, 611
    management, 17
    MTI, 442
    packets, 16
    password reconfiguration, 79
    PPP frames, 29
    PPTP, 135
    secret configuration, 40, 44
    shutdown, 283
    split tunneling, access lists, 684
    TE, 423, 468–473

types
    of payloads, 662
    of troubleshooting, 5
    of VCs, 585, 640

U
unsolicited downstream label distribution, 426
updating
    BGP, 447
    LDP, 447
    PIM, 467, 679

usernames
    local databases, 682
    reconfiguration, 90

user-to-tunnel associations, 19, 679


V
values
    cookies, 370
    Diffie-Hellman public, 667, 693
    error codes, 224
    fields, 14
    payloads, 662
    VCID, 368

VC (virtual connection)
    ATM cell relay, 595
    control mismatches, 616
    ID mismatches, 642
    label exchanges, 636–645
    labels, 578, 582–586
    types, 585, 640

VCID (Virtual Circuit ID) values, 368, 403
Vendor-ID field, 221
verification
    access lists, 615
    active lines, 266
    call reception, 56
    call setup, 55
    CEF, 509, 608
    crypto map placement, 698
    label bindings, 626
    LFIB, 504
    MPLS, 484, 609
    NCP negotiation, 97
    peer IP addresses, 704
    PPTP
        session setup, 178
        tunnels, 167, 175
    PRI, 263
    tunnel LSPs, 607
    virtual interfaces, 175
    VPDN groups, 169

Virtual Circuit ID (VCID) values, 368, 403
virtual interfaces, troubleshooting, 168–169
virtual template interfaces, L2TP, 247
virtual templates
    cloning, 85, 297
    creating, 45
    IP address configuration, 97
    PPTP, 156

VLAN (802.1Q) interface encapsulation, 378

voluntary tunnel mode
    IPSec configuration, 255
    L2TP, 252

voluntary tunnel modes, 135
    PPTP, 155
    technical overview of PPTP, 137

vpdn domain-delimiter command, 19
vpdn multihop command, 120
vpdn search-order domain command, 243
vpdn session-limit sessions command, 297
vpdn softshut command, 84, 296
VPDNs (Virtual Private Dialup Networks)
    enabling, 40, 44
    error messages, 126
    groups
        configuration, 40, 44
        creating virtual templates, 45
        misconfiguration of domain names, 67
        PPTP, 156
        reconfiguration, 284
    L2TP, 242
    LNS, 246
    mismatches, 281
    protocol mismatches, 72
    session limitations, 83

VPN Routing and Forwarding (VRF), 433
VPN-IPv4 (VPNv4) address family, troubleshooting, 522
VPNs (virtual private networks)
    advertisements, 511–536
    interfaces, 440
    Internet access, 439
    IPSec, 655
        configuration, 668
        IKE, 660–668
        MTU issues, 689–690
        remote access, 682–688
        SAs, 660
        security protocols, 656–659
        site-to-site, 669–681
        technical overview of, 656–668
        troubleshooting, 690–692
    Layer 3 MPLS
        configuration, 445–459
        P router configuration, 462–464
        PE router sample configuration, 459–462
        technical overview of, 420–445


    MPLS
        case studies, 536–560
        commands, 560–571
        TE tunnels, 468–473
        troubleshooting, 473–536
    route distribution, 436
    traffic, 437

VRF (VPN Routing and Forwarding), 433
    interfaces, 454, 467
    MVRF, 442
    packet leaking, 439

W
WEN (WAN-Error-Notify) message, 234
WINS (Windows Internet Name Service)
    addresses
        configuration, 46
        L2TP, 248
        PPTP, 158
withdraw messages, labels, 586
wizards, Create New VPN Connection Entry, 685

X
XAuth (extended authentication), 682
xconnect command, 393

Z
ZLB Ack (Zero-Length-Body Acknowledgement), 216, 360


