CH01i.book Page 776 Friday, April 30, 2004 8:58 AM
INDEX

Symbols
%VPDN-3-NORESOURCE error message, 128
%VPDN-4-MIDERROR error message, 128
%VPDN-4-REFUSED error message, 128
%VPDN-5-NOIDB error message, 128
%VPDN-5-UNREACH error message, 129
%VPDN-6-CLOSED error message, 127
%VPDN-6-DOWN error message, 129
%VPDN-6-MAX_SESS_EXCD error message, 128
%VPDN-6-RESIZE error message, 129
%VPDN-6-SOFTSHUT error message, 129
%VPDN-6-TIMEOUT error message, 129
%VPDN-6-AUTHENERR error message, 127
%VPDN-6-AUTHENFAIL error message, 127
%VPDN-6-AUTHORERR error message, 127
%VPDN-6-AUTHORFAIL error message, 127

Numerics
3DES (Triple DES), 658

A
AAA (authentication, authorization, and accounting)
  configuration, 683
  IKE, 686
  L2F tunnel establishment, 19
  L2TP misconfiguration, 312–322
  remote
    authentication failure, 322–326
    authorization failure, 326, 331
    case studies, 98–114
    configuration, 39, 44
    L2TP, 241
    LNS, 249
    servers, 331–342
aaa new-model command, 241, 683
AAL5 over MPLS configuration, 594
access. See also connections
  Internet
    interfaces, 440
    VPNs, 439
  remote clients, 293
access lists
  AH, 733
  AToM, 615
  crypto
    asymmetric, 726
    configuration, 673
    misconfiguration, 699
    reconfiguration, 700
  deleting, 706, 735
  ESP, 733
  external interfaces, 705
  L2TPv3, 395
  LDP, 622
  modifying, 729
  split tunneling, 684
ACCM (Asynchronous Control Character Map), 59, 227
ACFC (Address & Control Field Compression), 59, 268
activation of MP-BGP, 452
active lines, verifying, 266
adding
  default routes, 697
  preshared keys, 702
additive keyword, 529
Address & Control Field Compression (ACFC), 59, 268
addresses
  configuration, 46
  DNS, 248
  IP
    misconfigurations, 704
    mismatches, 644
    overlapping, 430
    PPTP, 158
    virtual templates, 97
  MDT, 442
  peer misconfigurations, 700
  WINS
    configuration, 46
    L2TP, 248
adjacencies, PIM, 442
Administrator subfields, 431
Advanced Encryption Standard (AES), 658
advertisements
  conditional label, 506, 631
  IS-IS, 496
  labels
    bindings, 502, 628
    verifying tunnels, 626
  PE to CE route, 534
  VPNs, 511–536
AES (Advanced Encryption Standard), 658
aggressive mode negotiation, 665–666
AH (Authentication Header), 657, 733
alarms, remote, 54
algorithms
  CSPF, 429
  encryption, 671
  hash, 671
    modification of MD5, 712
    reconfiguration of, 724
any keyword, 730
Any Transport over MPLS. See AToM
applying crypto maps to external interfaces, 674, 686
architecture
  IPSec, 656. See also IPSec
  Layer 3 MPLS VPNs, 421
AS (autonomous system) numbers, 431
Assigned Number subfields, 431
Assigned Tunnel ID AVP, 218
assignments, 508
asymmetric crypto access lists, 726
asymmetric payload types, L2TPv3, 405
Asynchronous Control Character Map (ACCM), 59, 227
asynchronous interfaces, L2TP, 240
asynchronous lines
  L2TP, 239
  parameters, 37
ATM (asynchronous transfer mode)
  cell relay, 594–596
  control words, 582
  VP cell relay, 380
ATM AAL5 CPCS-SDU control words, 581
AToM (Any Transport over MPLS), 577
  CEF, 588
  commands, 645–652
  configuration, 588
  Layer 2 PDU transport, 578
  LDP
    Router ID, 589
    specifying, 589
  loopback interfaces, 588
  MPLS
    backbone IGPs, 590–591
    core interfaces, 589
  MTU issues, 602
  pseudowires, 591–597
  sample configurations, 597–605
  technical overview of, 577
  troubleshooting, 605
  VC label exchanges, 582–586, 636–645
attachment circuits
  AToM
    Layer 2 PDU transports, 578, 582
    pseudowires, 591–597
  configuration, 378, 381
attributes, RT, 434
attribute-value-pairs. See AVPs
authentication, 713
  aggressive mode, 665–666
  AVPs, 226
  CAs, 680, 736
  certificates, 714
  CHAP, 18. See also CHAP
  IKE, 713
  L2TPv3, 397
  LDP
    mismatches, 499
    peers, 499
    troubleshooting, 624
  LNS, 249
  local
    configuration, 44
    LNS, 249
    PAC, 158
  partial, 228
  partial PPP failures, 64, 273
  PPP, 176–180, 301
  preshared key, 663
  remote AAA
    failure, 322–326
    troubleshooting, 105–109
  RSA signature, 664
  SHA-1, 253
  troubleshooting, 713
  tunneling, 74, 285
Authentication Header (AH), 657, 733
authentication protocol (AuthProtocol), 63
authentication, authorization, and accounting. See AAA
authorization (remote AAA)
  failure, 326, 331
  troubleshooting, 109–114
autodetection, PPP, 239
autonomous system (AS) numbers, 431
AVPs (attribute-value-pairs), 214
  authentication, 226
  calls
    management, 225
    status, 227
  control connection management, 224
  hiding, 215
  L2TP encoding formats, 221
  L2TPv3, 362–363
    circuit status, 368
    control connection management, 366
    control messages, 364
    Layer 2 Specific Sublayer, 371
    session management, 367
  Result Code, 222

B
backbones
  IGP, 449, 479–481
  L2F, 11. See also L2F
  MDT, 444
  MPLS, 590–591. See also AToM; MPLS
  MVPNs, 465
  VPNs, 437. See also VPNs
baselining networks, 3
basic discovery, LDP, 582
BGP (Border Gateway Protocol), 451
  MP-BGP
    activating, 452
    redistributing routes, 458
    route redistribution, 518
  PIM, 467
  tables, 520
  updating, 447
bindings
  labels
    advertisements, 502
    blocking, 631
    peer LSR, 628
    verifying, 626
  VC label exchanges, 586
bits
  DF, 689
  Flags field, 581
bits per second (bps), 236
blocking
  IPSec traffic, 735
  ISAKMP firewalls, 705
  label bindings, 631
  LDP, 622
  troubleshooting access lists, 395
Border Gateway Protocol. See BGP
bottom-up troubleshooting, 5
bps (bits per second), 236

C
C (Command / Response) bit, 582
cabling, 767
calculations
  keys, 16
  MD5, 19
call management AVPs, 225
call reception, 228, 260–265
  NAS, 52
  verifying, 56
call sessions, 163. See also sessions
call setup, verifying, 55
call status AVPs, 227
Call-Disconnect-Notify (CDN) message, 233, 364
carrier’s carrier topologies, 419
CAs (certificate authorities)
  authentication, 680
  declaring, 679
  enrollment, 680, 736
case studies
  IPSec, 736–746
  L2F tunnel failures from offload servers, 114
  L2TP, 311
    AAA server unreachable, 331–342
    authentication, 322–326
    authorization, 326, 331
    misconfiguration, 312–322
  MPLS VPNs, 536–560
  PPTP
    MPPE attributes not returned, 197–203
    split tunnels, 203–204
  remote AAA, 98–114, 322–331
CBC (cipher block chaining), 722
CCP (Compression Control Protocol), 93, 184
CDN (Call-Disconnect-Notify), 233
  LNS, 293
  messages, 223
CDP (CRL distribution point), 718
CE (customer edge) devices, 358
  advertisements, 512, 534
  configuration, 446
  MVPNs, 464
CEF (Cisco Express Forwarding)
  AToM
    enabling, 588
    troubleshooting, 608
  disabling, 483, 633
  enabling, 376, 447
  tables, 424
  verifying, 509
cell relay, ATM, 594, 596
cell-mode, MPLS, 423
cells, VP relay, 380
certificate revocation list (CRL), 680
certificates
  authentication, 714
  CAs. See CAs
  digital, 664, 666
  responders, 707
  server maps, 678
Challenge Handshake Authentication Protocol. See CHAP
channels
  control, 137. See also control channels
  D, 238
CHAP (Challenge Handshake Authentication Protocol)
  configuration, 240
  L2F tunnel establishment, 18
cipher block chaining (CBC), 722
circuit status AVPs, 368
circuits, configuration, 378, 381
Cisco Express Forwarding. See CEF
classes
  L2TPv3, 377
  pseudowire, 377, 380
clear crypto isakmp command, 723
clear crypto sa command, 723
clear vpdn tunnel command, 34, 120, 348
clear vpdn tunnel pptp remote access client/PNS_name PAC_name command, 210
CLID (Client ID), L2F, 15
clients
  PPP negotiation failures, 84–98
  remote access
    CONFACK, 269
    disconnections, 293
    LCP negotiation, 266
    PPTP, 137
  remote VPN, 740
  VPN group policy profiles, 684
clock set command, 678, 717
clock timezone command, 678
clocks
  configuration, 678
  troubleshooting, 716–717
cloning
  virtual access interfaces, 297
  virtual interfaces, 168–169
  virtual templates, 85
commands, 122–126, 413, 651, 679
  l2tp hidden, 229
  aaa new-model, 241, 683
  AToM, 645–652
  clear crypto isakmp, 723
  clear crypto sa, 723
  clear vpdn tunnel, 34, 120, 348
  clear vpdn tunnel pptp remote access client/PNS_name PAC_name, 210
  clock set, 678, 717
  clock timezone, 678
  crl optional, 680, 718
  (crl) query, 718
  crypto ca authenticate name, 680
  crypto ca enroll name, 680
  crypto ca identity, 679
  crypto ipsec transform-set, 667
  crypto isakmp key key address peer_address, 670
  crypto isakmp policy, 663
  crypto isakmp sa, 714
  crypto map, 674–675
  crypto transform-set, 671
  debug, 6–8
    IPSec, 750–751
    L2F, 129–130
    L2TP, 351
    MPLS VPNs, 569–571
    PPTP, 210
  debug aaa authentication, 105
  debug aaa authorization, 99
  debug acircuit [error | event], 651
  debug crypto ipsec, 749
  debug crypto isakmp, 692, 702, 723
  debug frame-relay events, 650
  debug isdn q931, 55, 263
  debug modem, 264
  debug mpls l2transport packet {data | error}, 650
  debug mpls l2transport signaling, 649
  debug mpls l2transport vc event, 640
  debug mpls atm-ldp api, 501
  debug mpls ldp advertisements, 567
  debug mpls ldp bindings, 568
  debug mpls ldp messages, 567
  debug mpls ldp transport events, 566
  debug mppe packet, 207
  debug ppp authentication, 65, 91, 300
  debug ppp mppe detailed, 208
  debug ppp mppe event, 207
  debug ppp negotiation, 62, 65, 87, 181, 267
  debug radius, 106, 315
  debug vpdn l2-data, 345
  debug vpdn l2-errors, 294
  debug vpdn l2-packets, 346
  debug vpdn l2tp-sequencing, 414
  debug vpdn l2x-errors, 81
  debug vpdn l2x-events, 69, 279, 281
  debug vpdn l2x-packets, 124, 416
  debug vpdn error, 123, 209, 344
  debug vpdn event, 123, 209, 275
  debug vpdn packet, 126, 347, 415
  debug vpdn l2x-data, 124
  debug vtemplate, 85, 168, 298
  debug xconnect event, 414
  enrollment mode ra, 679
  ip dfbit set, 388
  ip domain-name, 678
  ip local pool, 683
  ip ospf network point-to-point, 447
  ip pim sparse-dense-mode, 465
  ip pmtu, 388
  ip unnumbered, 310
  IPSec, 747–751
  L2F, 122–126
  L2TP, 342–348
  L2TPv3, 410–417
  lcp renegotiation, 297
  mpls id, 589
  mpls ip, 449, 611
  mpls label protocol ldp, 589
  mpls ldp advertise-labels, 630
  MPLS VPNs, 560–571
  mtu, 248
  no auto-summary, 453
  no mpls ldp advertise-labels, 504
  no vpdn softshut, 296
  ping, 6–8, 117, 704
    MPLS VPNs, 476–479
    tunnel LSP location, 607
  PPTP, 204–210
  protocol none, 381
  redistribute, 533
  redistribute ip, 458
  router isis, 450
  router ospf 100, 451
  service password-encryption, 79
  show, 6–8
    IPSec, 750–751
    L2F, 129–130
    L2TP, 351
    MPLS VPNs, 569–571
    PPTP, 210
  show l2tun session all, 411
  show adjacency detail, 561
  show atm vc, 565
  show caller user, 64, 90, 97, 267, 311
  show clock, 716
  show controller e1, 262
  show crypto ca certificates, 716
  show crypto engine connections active, 747
  show crypto ipsec dynamic-map, 748
  show crypto ipsec sa, 726
  show crypto ipsec security-association lifetime, 749
  show crypto ipsec transform-set, 724
  show crypto isakmp key, 701
  show crypto isakmp sa, 695
  show crypto key mypubkey rsa, 747
  show crypto key pubkey-chain rsa, 748
  show crypto map tag, 698–699
  show ip access-lists, 490, 530, 615, 706, 734
  show ip bgp neighbors, 522
  show ip bgp vpnv4 vrf vrf-name, 524
  show ip bgp vpnv4 vrf vrf_name, 518
  show ip bgp vpnv4 vrf vrf_name labels, 565
  show ip cef, 481, 609
  show ip cef summary, 509
  show ip interface, 705
  show ip rip database vrf, 532
  show ip route, 535, 697
  show ip route vrf vrf_name static, 515
  show ip vrf detail vrf-name, 526
  show ip vrf interfaces, 513
  show isdn status, 53–54, 261
  show mpls l2transport binding, 648
  show mpls l2transport hw-capability interface_name, 647
  show mpls l2transport summary, 647
  show mpls l2transport vc, 642
  show mpls l2transport vc vcid detail, 636, 646
  show mpls atm-ldp capability, 564
  show mpls forwarding-table, 504, 627
  show mpls ldp bindings, 628
  show mpls ldp discovery, 489
  show mpls interfaces, 609
  show mpls ldp bindings, 503, 630–631
  show mpls ldp discovery, 613
  show mpls ldp neighbor, 494, 618, 639
  show mpls ldp parameters, 563
  show ppp mppe virtual-access number, 206
  show ppp multilink, 116, 121
  show route-map, 528
  show running-config, 67, 283
  show user, 63
  show vpdn, 204
  show vpdn history failure, 122, 342
  show vpdn session, 81, 205, 292
  show vpdn session all, 179, 343
  show vpdn tunnel, 120, 205
  show vpdn tunnel all, 68, 70, 79, 167, 277
  show l2tun tunnel all, 410
  tools, 6–8
  traceroute, 6–8, 476–479
  tunnel path-mtu-discovery, 689
  tunnel protection, 675
  vpdn domain-delimiter, 19
  vpdn multihop, 120
  vpdn search-order domain, 243
  vpdn session-limit sessions, 297
  vpdn softshut, 84, 296
  xconnect, 393
Common Part Convergence Sublayer-Service Data Units (CPCS-SDUs), 581
compression
  ACFC, 268
  MS-PPC, 93
  PFC, 268
Compression Control Protocol (CCP), 93
compulsory tunnel modes, 135
  IPSec, 252–254
  L2TP, 237, 245
conditional label advertisements, 506, 631–632
CONFACK (Configure-Ack), 59, 269
configuration
  AAA, 44, 683
  asynchronous group interfaces, 38
  asynchronous interfaces, 240
  asynchronous lines
    L2TP, 239
    parameters, 37
  AToM, 588
    CEF, 588
    LDP Router ID, 589
    loopback interfaces, 588
    MPLS backbone IGPs, 590–591
    MPLS core interfaces, 589–590
    pseudowires, 591–597
    sample configurations, 597–605
    specifying LDP, 589
    troubleshooting, 605, 635
    VC label exchanges, 636–645
  attachment circuits, 378, 381
  backbones, 449
  CE routes, 446
  CHAP, 240
  classes, 377
  clocks, 678
  control channels, 138–142
  core interfaces, 467
  crypto access list, 673
  crypto maps, 674
  D channels, 238
  DNS addresses, 46
  dynamic crypto maps, 685
  dynamic sessions, 376–380
  E1/T1 controllers, 36, 238
  EBGP, 457
  EIGRP, 455
  Frame Relay trunks, 379
  gateways, 687
  global BGP parameters, 451
  global ISDN parameters, 37
  HDLC, 596
  IKE policies, 670, 681, 683
  IP pools, 46
  IPSec VPNs, 668
    MTU issues, 689–690
    remote access, 682–688
    site-to-site, 669–681
    transform sets, 685
    troubleshooting, 690–692
  ISDN D channels, 37
  IS-IS, 590
  L2F
    Home Gateways, 43–48
    maintenance, 32
    management messages, 17–18
    NAS, 35–43
    PPP negotiation, 84–98
    PPP on NAS, 58–69
    sessions, 25–31, 80–84
    teardown, 34–35
    technical overview of, 12–17
    troubleshooting, 48–58
    tunneling, 18–25, 69–80
  L2TP
    call reception, 260–265
    case studies, 311
    compulsory tunnel mode, 237, 245
    IPSec, 252–255
    LNS, 246, 252
    negotiation, 297–311
    PPP on LAC, 266–278
    sessions, 290–297
    troubleshooting, 255, 260
    tunnels, 278–290
    voluntary tunnel mode, 252
  L2TPv3, 375–388
    MTU issues, 387–388
    sample configurations, 382–387
    troubleshooting, 389–410
  LAC, 237, 243
  LDP, 448
  LNS, 245
  loading, 767–771
  local authentication, 44, 249
  local username databases, 682
  MDTs, 466
  Microsoft CA servers, 679
  MPLS, 451
  MPLS Layer 3 VPNs, 445–459
    P routers, 462–464
    PE routers, 459–462
  MVPNs, 464–468
  OSPF, 456
  P routers, 465
  PAC, 158
  PE routers, 446, 450
  PE-CE routing protocols, 454
  PFS, 667
  PIM, 467
  PPTP, 155–159
    PPP negotiation, 146–148
    sessions, 142–146
  preshared keys, 670
  pseudowires
    classes, 377, 380
    troubleshooting AToM, 636
  remote AAA, 39
    case studies, 98–114
    L2TP, 241
    LNS, 249
  routers, 767–771
  SKYDANCE_POOL, 249
  split tunneling access lists, 684
  static routes, 454, 458
  static sessions, 380–382
  TDP/LDP router IDs, 448
  TE tunnels
    between P routers, 472
    MPLS VPNs, 468–473
  transform sets, 253, 671
  tunneling, 40, 44
  VRFs, 454
  virtual templates, 45, 247
  VPDNs
    groups, 40, 44
    L2TP, 242
    LNS, 246
  WINS addresses, 46
Configure-Ack (CONFACK), 59, 269
Configure-Reject (CONFREJ), 60, 270
Configure-Request (CONFREQ), 59, 170
connections
  cabling, 767
  control, 371–373, 390
  DLCI-to-DLCI, 593
  Frame Relay, 379
  IP, 117, 419. See also VPNs
  IPSec peers, 704
  L2TPv3, 390
  LDP neighbor discovery failures, 611
  port-to-port, 593
  PPP teardown, 89. See also PPP
  PVP, 380
  SAs, 660
    IKE, 660–668
  transports, 583
conservative label retention, 427
constrained shortest path (CSPF) algorithms, 429
Constraint-based Routed Label Distribution Protocol (CR-LDP), 424
control channels
  configuration, 138–142
  messages, 216
  PPTP
    maintenance, 148–150
    messages, 154
    termination, 150–153
  troubleshooting, 163–168
Control Connection IDs, L2TPv3, 361
control connections, 371–372
  maintenance, 373
  management AVPs, 224, 366
  teardown, 374
  troubleshooting, 390
control messages
  L2TP, 215, 220–227
  L2TPv3, 359, 362, 364
control planes, MPLS, 425
control VC mismatches, 616
control words, 579–580
  ATM AAL5 CPCS-SDU, 581
  Frame Relay, 580
controllers, E1/T1, 36, 238
cookies, values, 370
copying configuration files, 771
core interfaces. See also interfaces
  MPLS, 448, 589–590, 610
  PIM, 467
CPCS-SDUs (Common Part Convergence Sublayer-Service Data Units), 581
Create New VPN Connection Entry Wizard, 685
CRL (certificate revocation list), 680
CRL distribution point (CDP), 718
crl optional command, 680, 718
(crl) query command, 718
CR-LDP (Constraint-based Routed Label Distribution Protocol), 424
crypto access lists. See also access lists
  asymmetric, 726
  configuration, 673
  misconfiguration, 699
  reconfiguration of, 700
crypto ca authenticate name command, 680
crypto ca enroll name command, 680
crypto ca identity command, 679
crypto ipsec transform-set command, 667
crypto isakmp key key address peer_address command, 670
crypto isakmp policy command, 663
crypto isakmp sa command, 714
crypto map command, 674–675
crypto maps
  configuration, 674
  deleting, 698
  DN, 730
  identity lists, 731
  interfaces, 674, 686
  troubleshooting, 698
crypto transform-set command, 671
CSPF (constrained shortest path) algorithms, 429
customer edge (CE) devices, 358
D
D channels
  configuration, 37
  L2TP, 238
Data Encryption Standard (DES), 658
data MDTs, configuration, 466. See also MDT
data messages
  L2TP, 215
  L2TPv3, 369
data planes, MPLS, 425
data tunnels, 137
databases
  local username, 682
  SAD, 660
  SPD, 660
dCEF (distributed CEF)
  AToM, 588
  enabling, 376
debug aaa authentication command, 105
debug aaa authorization command, 99
debug commands, 6–8
  IPSec, 750–751
  L2F, 129–130
  L2TP, 351
  MPLS VPNs, 569–571
debug crypto ipsec command, 749
debug crypto isakmp command, 692, 702, 723
debug frame-relay events command, 650
debug isdn q931 command, 55, 263
debug modem command, 264
debug mpls atm-ldp api command, 501
debug mpls l2transport packet {data | error} command, 650
debug mpls l2transport signaling command, 649
debug mpls l2transport vc event command, 640
debug mpls ldp advertisements command, 567
debug mpls ldp bindings command, 568
debug mpls ldp messages command, 567
debug mpls ldp transport events command, 566
debug mppe packet command, 207
debug ppp authentication command, 65, 91, 300
debug ppp mppe detailed command, 208
debug ppp mppe event command, 207
debug ppp negotiation command, 62, 65, 87, 181, 267, 273–274, 300
debug radius command, 106, 315
debug vpdn error command, 123, 209, 344
debug vpdn event command, 123, 209, 275
debug vpdn l2tp-sequencing command, 414
debug vpdn l2x-data command, 124, 345
debug vpdn l2x-errors command, 81, 294
debug vpdn l2x-events command, 69, 279, 281
debug vpdn l2x-packets command, 124, 346, 416
debug vpdn packet command, 126, 347, 415
debug vtemplate command, 85, 168, 298
debug xconnect event command, 414
declarations, CAs, 679
default Multicast Distribution Tree (default MDT), 443, 466
default routes, adding, 697
deleting
  access lists, 706, 735
  conditional label advertisements, 632
  crypto maps, 698
  import maps, 531
  VPDN session limitations, 83
demultiplexer fields, VC labels, 578
deny any statement, 490
Department of Defense (DoD) models, 4
DES (Data Encryption Standard), 658
devices
  CE, 358
  NAT, 359, 735
DF (Don’t Fragment), 388, 689
diagrams, baselining networks, 3
Dialed Number Identification Service (DNIS), 228
Dialed Number Information Service (DNIS), 19
Diffie-Hellman public values, 667, 693
digital certificates, 664, 666, 677
digital subscriber line access multiplexer (DSLAM), 213
disabling
  CEF, 483, 633
  IPSec, 337
  ISAKMP, 702–703
  label assignments, 508
  MPLS, 609, 610
  VPDN softshut, 296
disconnections, 293. See also connections; troubleshooting
discovery (LDP)
  neighbors, 611
  PE peer routers, 637
  VC label exchanges, 582–586
Distinguished Name (DN), 730
distributed CEF (dCEF)
  AToM, 588
  enabling, 376
distribution
  CDP, 718
  default MDT, 443
  downstream LSRs, 426
  label protocols, 428
  MDT, 442
  VPN routes, 436
DLCI-to-DLCI connections, Frame Relay, 593
DN (Distinguished Name), 730
DNIS (Dialed Number Identification Service), 228
DNIS (Dialed Number Information Service), 19
DNS (Domain Name Service)
  addresses
    configuration, 46
    L2TP, 248
    PPTP, 158
DoD (Department of Defense) models, 4
domains
  MD, 441
  names, 67
Don’t Fragment (DF), 388, 689
downstream LSRs, 426
downstream-on-demand label distribution, 426
DSLAM (digital subscriber line access multiplexer), 213
dynamic crypto maps, configuration, 685. See also crypto maps
dynamic sessions (L2TPv3)
  configuration, 376–380
  sample configurations, 382–387
  troubleshooting, 400

E
E1 controllers
  configuration, 36, 238
  remote alarms, 54
EBGP (Enhanced BGP), configuration, 457
Echo-Reply messages, PPTP, 149
Echo-Request messages, PPTP, 148
ED (Multilink-Endpoint-Discriminator), 270
egress LSRs, penultimate hop popping, 421
egress PE routers, troubleshooting, 520
EIGRP (Enhanced IGRP), configuration, 455
elements, FEC, 584
enabling, 242
  AAA, 683
  AToM, 588
  CEF, 376, 447
  dCEF, 376
  loopback interfaces, 621
  MPLS TE, 469
  multicasting, 466
  MVRFs, 466
  VPDNs, 40, 44
    L2TP, 242
    LNS, 246
Encapsulating Security Payload (ESP), 658–659
encapsulation
  AAL5, 594
  AH, 657
  AToM pseudowires, 591–597
  Ethernets, 378, 592
  Frame Relay, 378, 592
  HDLC, 380, 596
  Layer 3 MPLS VPNs, 420
  PPP, 240, 380
  MPLS, 594
  VLAN (802.1Q) interfaces, 378
encoding
  AVPs, 221
  RD, 431–432
encryption. See also security
  algorithms, 671
  ESP, 658
  ESP DES, 253
end-to-end troubleshooting, 5
Enhanced BGP (EBGP), configuration, 457
Enhanced GRE headers, 147
Enhanced IGRP (EIGRP), configuration, 455
enrollment, CAs, 680, 736
enrollment mode ra command, 679
error codes. See also troubleshooting
  CDN, 294
  L2TPv3, 365–366
  PPTP, 142
  values, 224
error messages
  L2TP, 348–351
  VPDNs, 126
ESP (Encapsulating Security Payload), 658–659
  access lists, 733
  DES encryption, 253
establishment of IPSec tunnels, 732
Ethernets. See also connections; servers
  control words, 582
  encapsulation, 378, 592
  port mode attachment circuits, 592
  VLAN (802.1q) mode, 592
exchanges
  Diffie-Hellman public values, 693
  ISAKMP, 694
  quick mode, 721. See also quick mode
  routes, 452
  VC labels, 582–586, 636–645
Experimental (EXP) field, 422
export map misconfigurations, 526
export route target mismatches, 525
extended authentication (XAuth), 682
extended discovery, LDP, 582
external access lists, deleting, 735
external interfaces. See also interfaces
  access lists, 705
  crypto maps
    applying to, 674, 686
    deleting, 698
    troubleshooting, 698

F
failure codes, session/tunnel setup, 35
FCS (Frame Check Sequence), 231
FEC (Forwarding Equivalence Class), 421, 584
fields
  Flags, 581
  Interface Parameters, 585
  Label, 422
  Magic Cookie, 139
  StopCCRQ packet, 152
  TTL, 422
  values, 14
files, configuration, 767–771
firewalls, 359. See also security
  AH/ESP, 733
  ISAKMP, 705
Flags field, 581
flowcharts
  IPSec VPN troubleshooting, 690
  L2F, 48–58
  PPTP, 160
FORCED CONFACK, 88
FORCED CONFREQ, 300
FORCED LCP CONFREQ, 88
formats
  control channels, 138–142
  Echo-Reply messages, 149
  Echo-Request messages, 149
  OCRQ messages, 142–146
  packets (L2F), 12
  RD, 431
  SLI packets, 154
forwarding
  frames (PPTP), 146–148
  L2F, 11. See also L2F
  MDT, 444
  MPLS, 421
  PPP frames, 29
  traffic, 437
  VPNs, 433. See also VPNs
  VRF, 433
Forwarding Equivalence Class (FEC), 421, 584
Frame Check Sequence (FCS), 231
Frame Relay
  AToM, 592
  control words, 580
  DLCI-to-DLCI connections, 593
  encapsulation, 378
  port-to-port connections, 593
  transports, 579
  trunks, 379
frame-mode, MPLS, 422
frames
  forwarding (PPTP), 146–148
  L2TPv3, 357. See also L2TPv3
  PPP, 29
functions, 662. See also commands

G
gateways
  IPSec remote access, 687
  SAs, 660–668
generation of RSA key pairs, 679
global BGP parameters, configuration, 451
global ISDN parameters
  configuration, 37
  L2TP, 238
groups
  asynchronous interfaces, configuration, 38
  VPDNs
    configuration, 40, 44
    creating virtual templates, 45
    L2TP, 242
    LNS, 246
    misconfiguration of domain names, 67
    PPTP, 156
    reconfiguration, 284
  VPN client policy profiles, 684

H
hash algorithms, 671, 712, 724
HDLC (High-level Data-Link Control)
  control words, 582
  encapsulation, 380, 596
head-end (PE) routers, configuration, 469
headers
  AH, 657
  Enhanced GRE, 147
  ESP, 658–659
  IP over L2TPv3, 360
  packets, 12
  session data messages, 369
  shim, 422
hello messages, L2TP, 233
Hidden (H) bits, 221
hiding AVPs, 215
Home Gateways
  CLID, 15
  MIDs, 14
  L2F
    configuration, 43–48
    PPP negotiation, 84–98
    tunnel failures, 114, 122
  L2F_CONF messages, 21
  L2F_OPEN messages, 27
  passwords, 90
  PPP frames, 29
hops, penultimate hop popping, 421
hostnames, 678

I
ICCN (Incoming-Call-Connected), 226, 373
ICMP (Internet Control Message Protocol), 388
ICRP (Incoming-Call-Reply) messages, 230, 373
ICRQ (Incoming-Call-Request) messages, 230, 372
identity lists crypto maps, 731
identification
  CLIDs, 16
  LDP neighbors, 494
  routers, 448
IETF (Internet Engineering Task Force), 214
IGP (Interior Gateway Protocol)
  backbones
    configuration, 449
    troubleshooting, 479–481
  MPLS, 590–591
IKE (Internet Key Exchange), 660–668, 713
  AAA, 686
  phase 1, 662, 692–718
  phase 2, 667, 719–733
  policies, 712
    configuration, 670, 681–683
    mismatches, 709
  remote VPN clients, 740
  SAs, 712
import maps
  deleting, 531
  ingress PE routers, 529
import route target mismatches, 525
inbound traffic, 439
incoming FORCED CONFREQ, 300
Incoming-Call-Connected (ICCN), 226, 373
Incoming-Call-Reply (ICRP) messages, 230, 373
Incoming-Call-Request (ICRQ) messages, 230, 372
independent LSP control, 425
ingress PE routers
  import maps, 529
  redistribution, 531
initialization of L2F tunnels, 69
initialization vector (IV), 722
initiation
  IKE negotiation, 696
  quick mode negotiation, 729
initiators, 663
  IP addresses, 704
  responders, 707
  routing, 697
installation of PE routers, 520
instances
  forwarding, 433
  VRF, 453
  VRF, 433
Interface Parameters field, 585
interfaces
  access lists, 705, 735
  asynchronous, 38, 240
  asynchronous group
  BGP, 467
  core
    configuration MPLS, 448
    disabling MPLS, 610
    MPLS, 589–590
    PIM, 467
  crypto maps
    applying to, 674, 686
    deleting, 698
    troubleshooting, 698
  Ethernet encapsulation, 378
  LC-ATM, 449, 491, 625
  loopback
    configuration, 376
    IS-IS, 621
    PE routers, 447
  misconfigurations, 513
  MPLS, 610
  MPLS TE, 469, 472
  MTI, 442
  PRIs, 36, 263
  VRFs, 454
  virtual access, 297
  virtual templates, 247
  VPNs, 440
  VRF, 467
Intermediate System-to-Intermediate System. See IS-IS
Internet access
  interfaces, 440
  VPNs, 439
Internet Control Message Protocol (ICMP), 388
Internet Engineering Task Force (IETF), 214
Internet Key Exchange. See IKE
interprovider VPNs, 419. See also VPNs
IP (Internet Protocol)
  addresses
    local pools, 683
    misconfigurations, 700, 704
    mismatches, 644
    overlapping, 430
    peer LCCE misconfiguration, 393
    PPTP, 158
    virtual templates, 97
  backbones, 11
  connectivity, 117
  crypto access lists, 673
  L2TPv3 control message header over, 360
  pools
    creating, 46
    L2TP, 248
  VPNs, 419. See also VPNs
ip dfbit set command, 388
ip domain-name command, 678
ip local pool command, 683
ip ospf network point-to-point command, 447
ip pim sparse-dense-mode command, 465
ip pmtu command, 388
IP Security (IPSec), L2TP, 236
ip unnumbered command, 310
IPCP (Internet Protocol Control Protocol)
  CONFREQ, 93
  negotiation, 187
IPSec (IP Security), 655
  case studies, 736–746
  commands, 747–751
  configuration, 668
  IKE, 660–668
  L2TP, 236, 252–255
    disabling, 337
    over with preshared keys, 339
  lab solutions, 774–775
  MTU issues, 689–690
  NAT devices, 735
  remote access, 682–688
  SAs, 660, 721
  security protocols, 656–659
  site-to-site, 669–681
  technical overview of, 656–668
  transform sets, 671, 723
  troubleshooting, 690–692
  tunnels, 732
ISAKMP (Internet Security Association and Key Management Protocol), 660–661
  disabling, 702–703
  exchanges, 694
  firewalls, 705
  messages, 703
  preshared keys, 670
  re-enabling, 703
ISDN (Integrated Services Digital Network), 37
IS-IS (Intermediate System-to-Intermediate System)
  advertisements, 496
  loopback interfaces, 621
  MPLS backbone IGPs, 590
  PE routers, 450
IV (initialization vector), 722

K
keepalives
  L2F, 32
  L2TP, 233
  PPTP, 150
keys, 679
  IKE, 660. See also IKE
  L2F calculations, 16
  preshared key authentication, 663
keywords
  additive, 529
  any, 730

L
L (Cell Loss Priority, CLP) bit, 582
L2F (Layer 2 Forwarding) Protocol, 11
  commands, 122–126
    debug, 129–130
    show, 129–130
  Home Gateways, 43–48
  maintenance, 32
  management messages, 17–18
  messages
    L2F_CLOSE messages, 34
    L2F_CONF messages, 19, 21
    L2F_ECHO messages, 32
    L2F_OPEN message, 22, 25
  NAS, 35–43
  PPP, 58–69, 84–98
  sessions, 25–31, 80–84
  teardown, 34–35
  technical overview of, 12–17
  troubleshooting, 48–58
  tunneling, 18–25, 114, 122
    misconfiguration on AAA servers, 99–105
    troubleshooting, 69–80
  VPDNs, 126
L2TP (Layer Two Tunneling Protocol), 213. See also L2TPv2; L2TPv3
  AVPs, 213. See also AVPs
  case studies, 311
    AAA server unreachable, 331–342
    misconfiguration (AAA RADIUS servers), 312–322
    remote AAA authentication failure, 322–326
    remote AAA authorization failure, 326
  commands, 342–348
  compulsory tunnel mode, 237
  control messages, 220–227
  debug commands, 351
  error messages, 348–351
  establishment, 227
  hello messages, 233
  IPSec, 252–255
    disabling, 337
    over with preshared keys, 339
  keepalives, 233
  LAC
    call reception, 260–265
    PPP, 266–278
  LNS, 246
  maintenance, 232
  messages, 234–235
  negotiation, 297–311
  outgoing calls, 235–236
  security, 236
  sessions, 230–232, 290–297
  show commands, 351
  teardown, 233
  technical overview of, 215–220
  troubleshooting, 255
  tunnels, 278–290
  voluntary tunnel mode, 252
L2TP Access Concentrator. See LAC
l2tp hidden command, 229
L2TP Network Server. See LNS
L2TPv2 (Layer Two Tunneling Protocol Version 2), 773
L2TPv3 (Layer Two Tunneling Protocol Version 3), 357
  asymmetric payload types, 405
  class configuration, 377
  commands, 410–417
  configuration, 375–388
  control connections, 371–372
  maintenance, 373
  messages, 359–371
  MTU issues, 387–388
  sample configurations, 382–387
  sessions, 372
  SLI, 375
  teardown, 374
  technical overview of, 358
  troubleshooting, 389–409
L2TPv3 control connection endpoints (LCCEs), 359
lab routers
  configuration files, 768–770
  troubleshooting, 771–775
lab routers, 768. See also routers
lab solutions, troubleshooting, 771–775
Label Controlled ATM (LC-ATM) interfaces, 449
Label Distribution Protocol (LDP), 424, 428, 578
Label field, 422
Label Forwarding Information Base (LFIB), 424, 627
Label Information Base (LIB), 424
label switched path (LSP), 420
labels
  assignments, 508
  AToM, 577. See also AToM
  bindings
    advertisements, 502
    peer LSR, 628
    verifying, 626
  conditional advertisements, 506, 631
  distribution protocols, 428
  messages
    mapping, 584
    withdraw, 586
  MPLS, 422
  retention, 427
  stacks, 423
  VC exchanges, 578, 582–586, 636–645
LAC (L2TP Access Concentrator), 213
  call reception, 260–265
  configuration, 237, 243
  L2TPv3
    configuration, 375–388
    control connections, 371–373
    messages, 359–371
    sessions, 372
    SLI, 375
    teardown, 374
    technical overview of, 358
    troubleshooting, 389–410
  partial PPP authentication failures, 273
  PPP on, 266–278
Layer 2
  AToM, 577. See also AToM
  sublayers, 371
Layer 3, 419. See also VPNs
Layer Two Forwarding Protocol. See L2F
Layer Two Tunneling Protocol Version 2. See L2TPv2
Layer Two Tunneling Protocol Version 3. See L2TPv3
Layer Two Tunneling Protocol. See L2TP
LC-ATM (Label Controlled ATM) interfaces, 449
LC-ATM interfaces
  troubleshooting, 491
  VPI ranges, 625
LCCEs (L2TPv3 control connection endpoints), 359
  IP address misconfigurations, 393
  L2TPv3 sample configurations, 382–387
  routers
    dynamic sessions (L2TPv3), 376–380
    static sessions (L2TPv3), 380–382
  VCID mismatches, 403
LCP (Link Control Protocol)
  negotiation, 18, 228, 266
  proxy AVPs, 226
  troubleshooting, 58, 86, 169–176
lcp renegotiation command, 297
LDP (Label Distribution Protocol), 424, 428, 578
  access lists, 622
  AToM
    loopback interfaces, 588
    Router ID, 589
    specifying, 589
  authentication
    mismatches, 499
    troubleshooting, 624
  configuration, 448
  control VC mismatches, 616
  mismatches, 488
  neighbor discovery
    peer PE routers, 637
    troubleshooting, 611
  password mismatches, 500
  PE routers, 637
  sessions
    PE routers, 639
    troubleshooting, 493, 618
  tunnel LSP establishment, 611
  updating, 447
  VC label exchanges, 582–586
leaking packets, 439
LFIB (Label Forwarding Information Base), 424, 504, 627
LIB (Label Information Base), 424
liberal label retention, 427
limitations, sessions, 83
Link Control Protocol. See LCP
LNS
  AAA servers unreachable from, 331–342
  CDN, 293
  configuration, 246, 252
  L2TP, 246, 252
  L2TPv3
    control connections, 371–373
    messages, 359–371
    sessions, 372
    SLI, 375
    teardown, 374
    technical overview of, 358
  RADIUS
    authentication failures, 322
    authorization failures, 326
  VPDNs, 246
LNS (L2TP Network Server), 5, 213
loading configuration files, 767–771
local authentication
  configuration, 44
  LNS, 249
  PAC, 158
local IP address pool configuration, 683
local username database configuration, 682
locating LSP tunnels, 607
loopback interfaces. See also interfaces
  AToM, 588
  configuration, 376
  IS-IS, 621
  PE routers, 447
loss of alarm signals, 262
loss of signals, 54
LSPs (label switched paths), 420
  AToM, 607
  independent control, 425
  MPLS VPNs, 481–511
  ordered control, 425
  tunnels, 611, 626
LSRs (Labeled Switched Routers)
  downstream, 426
  label retention, 427
  LDP
    neighbor discovery failures, 611
    session failures, 618
  penultimate hop popping, 421

M
Magic Cookie field, 139
Magic Numbers, 59
main mode negotiation, 663
  failure of, 692–718
  RSA signature authentication, 664
maintenance. See also troubleshooting
  L2F, 32
  L2TP, 232
  L2TPv3, 373
  PPTP, 148–150
  tunneling, 32
management
  IKE, 660–668
  L2F messages, 17–18
mandatory (M) bits, 221
maps, 678
  ACCM, 227
  crypto
    applying to interfaces, 674, 686
    configuration, 674
    deleting, 698
    DN, 730
    troubleshooting, 698
  dynamic crypto, 685
  export map misconfiguration, 526
  import
    deleting, 531
    ingress PE routers, 529
  label messages, 584
Maximum Segment Size (MSS), 690
Maximum Transmission Unit (MTU), 387–388
MD (Multicast Domains), 441
MD5 (Message Digest 5)
  calculating, 19
  hash algorithms, 712
Message Digest 5. See MD5
Message Type AVP, 222
messages
  CDN, 233, 364
  control channels (ZLB Ack), 216
  Echo-Reply (PPTP), 149
  Echo-Request (PPTP), 148
  error. See error messages
  hello (L2TP), 233
  ICMP, 388
  ICRP, 230
  ICRQ, 230
  ISAKMP, 661, 703
  L2F, 17–18
  L2F_CLOSE, 34
  L2F_CONF, 19, 21
  L2F_ECHO, 32
  L2F_OPEN, 22, 25
  L2TP, 220–227, 234–235
  L2TPv3, 359–371
  labels, 584–586
  OCCN, 235
  OCRP, 144, 235
  OCRQ, 142–146, 235
  PPTP, 154
  PPTP Control, 138
  SCCCN, 229, 372
  SCCRP, 229, 371
  SCCRQ, 139, 229, 371
  SLI, 234, 375
  StopCCN, 234, 364
  TERMACK, 90
  TERMREQ, 90
  WEN, 234
Microsoft CA servers, configuration, 679
Microsoft Point-to-Point Compression (MS-PPC), 93
Microsoft Point-to-Point Encryption (MPPE)
  attributes not returned, 197–203
  negotiation, 180
MID (multiplex ID), 14
midpoint router configuration, 472
misconfigurations
  crypto access lists, 699
  export maps, 526
  interfaces, 513
  IP addresses, 704
  L2TP, 312–322
  peer addresses, 700
  peer IP addresses, 644
  peer LCCE IP addresses, 393
  preshared keys, 714
  static routes, 514
mismatches
  authentication password, 624
  IKE policies, 709
  IP addresses, 644
  IPSec transform sets, 723
  LDP, 488
    authentication, 499
    passwords, 500
  MTU, 643
  peer LCCE VCIDs, 403
  proposals, 711
  targets, 525
  VC ID, 642
  VC types, 640
  VPDN, 72, 281
MMP (Multichassis Multilink PPP), 213
models
  DoD, 4
  L2TPv3. See L2TPv3
  OSI, 4
  VPNs. See VPNs
modems, verifying call reception, 56. See also connections
modes
  aggressive negotiation, 665
  AH, 657
  ESP, 658
  main, 663, 692–718
  MPLS, 422–423
  PIM-DM, 442
  PIM-SM, 442
  quick, 668, 719–733
modification
  AAA, 44, 683
  access lists, 729
  asynchronous group interfaces, 38
  asynchronous interfaces, 240
  asynchronous lines
    L2TP, 239
    parameters, 37
  AToM, 588
    CEF, 588
    LDP Router ID, 589
    loopback interfaces, 588
    MPLS backbone IGPs, 590–591
    MPLS core interfaces, 589–590
    pseudowires, 591–597
    sample configurations, 597–605
    specifying LDP, 589
    troubleshooting, 605, 635
    VC label exchanges, 636–645
  attachment circuits, 378, 381
  backbones, 449
  CE routes, 446
  CHAP, 240
  classes, 377
  clocks, 678
  control channels, 138–142
  core interfaces, 467
  crypto access list, 673
  crypto maps, 674
  D channels, 238
  DNS addresses, 46
  dynamic crypto maps, 685
  dynamic sessions, 376–380
  E1/T1 controllers, 36, 238
  EBGP, 457
  EIGRP, 455
  Frame Relay trunks, 379
  gateways, 687
  global BGP parameters, 451
  global ISDN parameters, 37
  HDLC, 596
  IKE policies, 670, 681, 683
  IP pools, 46
  IPSec VPNs, 668
    MTU issues, 689–690
    remote access, 682–688
    site-to-site, 669–681
    transform sets, 685
    troubleshooting, 690–692
  ISDN D channels, 37
  IS-IS, 590
  L2F
    Home Gateways, 43–48
    maintenance, 32
    management messages, 17–18
    NAS, 35–43
    PPP negotiation, 84–98
    PPP on NAS, 58–69
    sessions, 25–31, 80–84
    teardown, 34–35
    technical overview of, 12–17
    troubleshooting, 48–58
    tunneling, 18–25, 69–80
  L2TP
    call reception, 260–265
    case studies, 311
    compulsory tunnel mode, 237, 245
    IPSec, 252–255
    LNS, 246, 252
    negotiation, 297–311
    PPP on LAC, 266–278
    sessions, 290–297
    troubleshooting, 255, 260
    tunnels, 278–290
    voluntary tunnel mode, 252
  L2TPv3, 375–388
    MTU issues, 387–388
    sample configurations, 382–387
    troubleshooting, 389–410
  LAC, 237, 243
  LDP, 448
  LNS, 245
  local authentication, 44, 249
  local username databases, 682
  MDTs, 466
  Microsoft CA servers, 679
  MPLS, 451
  MPLS Layer 3 VPNs, 445–459
    P routers, 462–464
    PE routers, 459–462
  MVPNs, 464–468
  OSPF, 456
  P routers, 465
  PAC, 158
  PE routers, 446, 450
  PE-CE routing protocols, 454
  PFS, 667
  PIM, 467
  PPTP, 155–159
    PPP negotiation, 146–148
    sessions, 142–146
  preshared keys, 670
  pseudowires
    classes, 377, 380
    troubleshooting AToM, 636
  remote AAA, 39
    case studies, 98–114
    L2TP, 241
    LNS, 249
  routers, 767–771
  SKYDANCE_POOL, 249
  split tunneling access lists, 684
  static routes, 454, 458
  static sessions, 380–382
  TDP/LDP router IDs, 448
  TE tunnels
    between P routers, 472
    MPLS VPNs, 468–473
  transform sets, 253, 671
  tunneling, 40, 44
  VRFs, 454
  virtual templates, 45, 247
  VPDNs
    groups, 40, 44
    L2TP, 242
    LNS, 246
  WINS addresses, 46
moving configuration files, 771
MP (Multilink PPP), 135
MP-BGP (Multiprotocol Extensions for BGP-4), 428, 429
  activating, 452
  redistribution, 531
  route redistribution, 458, 531
MPLS (multiprotocol label switching)
  AAL5 over configuration, 594
  AToM, 507, 609
  backbone IGPs, 590–591
  control planes, 425
  core interfaces, 589–590
  data planes, 425
  disabling, 609
  forwarding, 421
  HDLC over encapsulation, 596
  interfaces, 610
  lab solutions, 773–774
  labels, 422
  Layer 3 VPNs
    configuration, 445–459
    P router configuration, 462–464
    PE router sample configuration, 459–462
    technical overview of, 420–445
  modes, 422
    cell-mode, 423
    frame-mode, 422
  OSPF configuration, 451
  TE tunnel configuration, 468–473
  verifying, 484
  VPNs
    case studies, 536–560
    commands, 560–571
    troubleshooting, 473–536
mpls ip command, 449, 589, 611
mpls label protocol ldp command, 589
mpls ldp advertise-labels command, 630
MPPE (Microsoft Point-to-Point Encryption)
  attributes not returned, 197–203
  negotiation, 180
MRRU (Multilink-Maximum-Reconstructed-Receive-Unit), 269
MS-PPC (Microsoft Point-to-Point Compression), 93, 182
MSS (Maximum Segment Size), 690
MTI (Multicast Tunnel Interface), 442
MTU (Maximum Transmission Unit), 387
  AToM, 602
  IPSec VPNs, 689–690
  L2TPv3, 387–388
  mismatches, 643
mtu command, 248
Multicast Domains (MD), 441
Multicast Tunnel Interface (MTI), 442
Multicast VPNs (MVPNs), 441. See also VPNs
Multicast VRF (MVRF), 442
multicasting, enabling, 466
Multichassis Multilink PPP (MMP), 213
Multilink PPP (MP), 135
Multilink-Endpoint-Discriminator (ED), 270
Multilink-Maximum-Reconstructed-Receive-Unit (MRRU), 269
multiple sessions, tunneling, 15
multiplex ID (MID), 14
Multiprotocol Extensions for BGP-4 (MP-BGP), 428
multiprotocol label switching. See MPLS
MVPNs (Multicast VPNs), 441. See also VPNs
  CE routers, 464
  configuration, 464–468
  PE routers, 465, 467
MVRF (Multicast VRF), 442, 466

N

names
  domains
    routers, 678
    VPDNs, 67
  hostnames, 678
NAS (Network Access Server), 11
  call reception, 52
  L2F
    configuration, 35–43
    PPP, 58–69
    sessions, 80–84
    tunneling, 69–80
  L2F_OPEN, 22, 25
  LCP negotiation failures, 58
  PPP frames, 29
NAT (Network Address Translation), 359, 735
NCP (Network Control Protocol), 58, 231
  failure on LNS, 304
  troubleshooting, 91, 180–197
negotiation
  aggressive mode, 665
  CCP, 184
  IKE
    remote VPN client failure, 740
    SAs, 712
  IPCP, 187
  L2TP
    case studies, 311
    troubleshooting, 297–311
  LCP, 18, 228, 266
  main mode, 663, 692–718
  MPPE, 180
  NCP, 58, 91, 180–197, 231
  PPP, 146–148
  quick mode, 668, 719–733
  termination, 185
  troubleshooting, 58, 86, 169–176
neighbors
  LDP, 494, 611, 637
  MP-BGP, 452
Network Access Server. See NAS
Network Control Protocol. See NCP
Network Time Protocol (NTP), 678
networks
  baselining, 3
  MPLS, 577
no auto-summary command, 453
no mpls ldp advertise-labels command, 504
no vpdn softshut command, 296
NONCE payloads, 663, 720
NTP (Network Time Protocol), 678

O

O (Offset) bits, 360
Oakley Key Determination Protocol (RFC 2412), 660
OCCN (Outgoing-Call-Connected) messages, 235
OCRP (Outgoing-Call-Reply) messages, 144, 235
OCRQ (Outgoing-Call-Request) messages, 142–146, 235
offload servers, L2F tunnel failures, 114, 122
Offset pad field, 219
Offset size field, 219
Open Shortest Path First. See OSPF
Open Systems Interconnection. See OSI
optimization
  L2F management messages, 17
  MDT, 444
options
  AAA, 44, 683
  access lists, 729
  asynchronous group interfaces, 38
  asynchronous interfaces, 240
  asynchronous lines
    L2TP, 239
    parameters, 37
  AToM, 588
    CEF, 588
    LDP Router ID, 589
    loopback interfaces, 588
    MPLS backbone IGPs, 590–591
    MPLS core interfaces, 589–590
    pseudowires, 591–597
    sample configurations, 597–605
    specifying LDP, 589
    troubleshooting, 605, 635
    VC label exchanges, 636–645
  attachment circuits, 378, 381
  backbones, 449
  CE routes, 446
  CHAP, 240
  classes, 377
  clocks, 678
  control channels, 138–142
  core interfaces, 467
  crypto access list, 673
  crypto maps, 674
  D channels, 238
  DNS addresses, 46
  dynamic crypto maps, 685
  dynamic sessions, 376–380
  E1/T1 controllers, 36, 238
  EBGP, 457
  EIGRP, 455
  Frame Relay trunks, 379
  gateways, 687
  global BGP parameters, 451
  global ISDN parameters, 37
  HDLC, 596
  IKE policies, 670, 681, 683
  IP pools, 46
  IPSec VPNs, 668
    MTU issues, 689–690
    remote access, 682–688
    site-to-site, 669–681
    transform sets, 685
    troubleshooting, 690–692
  ISDN D channels, 37
  IS-IS, 590
  L2F
    Home Gateways, 43–48
    maintenance, 32
    management messages, 17–18
    NAS, 35–43
    PPP negotiation, 84–98
    PPP on NAS, 58–69
    sessions, 25–31, 80–84
    teardown, 34–35
    technical overview of, 12–17
    troubleshooting, 48–58
    tunneling, 18–25, 69–80
  L2TP
    call reception, 260–265
    case studies, 311
    compulsory tunnel mode, 237, 245
    IPSec, 252–255
    LNS, 246, 252
    negotiation, 297–311
    PPP on LAC, 266–278
    sessions, 290–297
    troubleshooting, 255, 260
    tunnels, 278–290
    voluntary tunnel mode, 252
  L2TPv3, 375–388
    MTU issues, 387–388
    sample configurations, 382–387
    troubleshooting, 389–410
  LAC, 237, 243
  LDP, 448
  LNS, 245
  local authentication, 44, 249
  local username databases, 682
  MDTs, 466
  Microsoft CA servers, 679
  MPLS, 451
  MPLS Layer 3 VPNs, 445–459
    P routers, 462–464
    PE routers, 459–462
  MVPNs, 464–468
  OSPF, 456
  P routers, 465
  PAC, 158
  PE routers, 446, 450
  PE-CE routing protocols, 454
  PFS, 667
  PIM, 467
  PPTP, 155–159
    PPP negotiation, 146–148
    sessions, 142–146
  preshared keys, 670
  pseudowires
    classes, 377, 380
    troubleshooting AToM, 636
  remote AAA, 39
    case studies, 98–114
    L2TP, 241
    LNS, 249
  routers, 767–771
  SKYDANCE_POOL, 249
  split tunneling access lists, 684
  static routes, 454, 458
  static sessions, 380–382
  TDP/LDP router IDs, 448
  TE tunnels
    between P routers, 472
    MPLS VPNs, 468–473
  transform sets, 253, 671
  tunneling, 40, 44
  VRFs, 454
  virtual templates, 45, 247
  VPDNs
    groups, 40, 44
    L2TP, 242
    LNS, 246
  WINS addresses, 46
ordered LSP control, 425
OSI (Open Systems Interconnection), 4
OSPF (Open Shortest Path First)
  configuration, 456
  MPLS
    backbone IGPs, 591
    configuration, 451
outbound traffic, 439
outgoing calls, L2TP, 235–236
Outgoing-Call-Connected (OCCN) messages, 235
Outgoing-Call-Reply (OCRP) messages, 144, 235
Outgoing-Call-Request (OCRQ) messages, 142–146, 235
overlaps
  IP address spaces, 430
  VPI ranges, 625
overlay VPN models, 419

P

P (Priority) bits, 360
P routers
  configuration, 462–464
  MVPN configuration, 465
  TE tunnels, 472
PAC (PPTP Access Concentrator), 135
  CONFREQ, 170
  local authentication, 158
  PPTP termination, 153
packets
  AH, 657
  control channels, 138–142
  Echo-Reply messages, 149
  Echo-Request messages, 148
  ESP, 658–659
  L2F formats, 12
  L2TPv3, 376. See also L2TPv3
  leaking, 439
  MTU, 602
  OCRQ messages, 142–146
  payload options, 17
  PPTP
    maintenance, 148–150
    messages, 154
    termination, 150–153
  SLI, 154
  StopCCRQ fields, 152
  TCP SYN, 690
  tunneling, 16
parameters
  asynchronous lines configuration, 37, 239
  global ISDN configuration, 37
  interfaces, 469
partial authentication, 228
partial PPP authentication failures, 64, 273
passwords
  authentication, 624
  LDP mismatches, 500
  reconfiguration, 90, 107
  tunnel reconfiguration, 79
pasting configuration files, 771
Path MTU Discovery (PMTUD), 689
payloads, 662
  asymmetric L2TPv3 types, 405
  NONCE, 663, 720
  packet options, 17
PDUs (protocol data units), 577
PE (provider edge) routers, 358
  advertisements, 512
  AToM
    CEF, 588
    configuration, 588
    LDP Router ID, 589
    loopback interfaces, 588
    MPLS backbone IGPs, 590–591
    MPLS core interfaces, 589–590
    pseudowires, 591–597
    sample configurations, 597–605
    specifying LDP, 589
    troubleshooting, 605, 635
    VC label exchanges, 636–645
  CE route advertisement, 534
  configuration, 446
  import maps, 529
  installation, 520
  IS-IS configuration, 450
  MP-BGP route redistribution, 531
  MVPNs, 465–468
  routers
    configuration, 459–462
    IP address mismatches, 644
    LDP, 637
    LDP session failures, 639
  TE tunnels, 468–472
  VC label exchanges, 582–586
  VRF, 433
PE-CE routing protocol
  configuration, 454
  MP-BGP redistribution, 531
  troubleshooting, 514–516
peer address misconfigurations, 700
peer IP addresses reconfiguration, 704
peer LACs, 359
peer LCCEs
  sample L2TPv3 configurations, 382
  VCID mismatches, 403
peer LSRs, 628
peer PE routers, 644
peers
  adding default routes, 697
  DN-based crypto maps, 730
  IPSec
    troubleshooting, 704
    tunneling, 733–736
  LC-ATM interfaces, 625
  LDP authentication, 499
  tunnel maintenance, 32
peer-to-peer VPN model, 419
penultimate hop popping, 421
Perfect Forward Secrecy (PFS), 667
permanent virtual path (PVP), 380
PERRIS_POOL (IP pool), 46
PFC (Protocol Field Compression), 59, 268
PFS (Perfect Forward Secrecy), 667
PIM (Protocol Independent Multicast), 428
  adjacencies, 442
  BGP, 467
  CE routers, 464
  PE routers, 465, 467
  VRF interfaces, 467
PIM Bi-directional (PIM-BIDIR), 442
PIM Dense Mode (PIM-DM), 442
PIM Source Specific Multicast (PIM-SSM), 442
PIM Sparse-Mode (PIM-SM), 442
PIM-BIDIR (PIM Bi-directional), 442
PIM-DM (PIM Dense Mode), 442
PIM-SM (PIM Sparse-Mode), 442
PIM-SSM (PIM Source Specific Multicast), 442
ping command, 6–8, 117, 704. See also troubleshooting
  MPLS VPNs, 476–479
  tunnel LSP location, 607
placement of crypto maps, verifying, 698
platforms, routers, 767
PMTUD (Path MTU Discovery), 689
PNS (PPTP Network Server), 135
Point-of-Presence (POP), 135, 213
Point-to-Point Tunneling Protocol. See PPTP
policies
  IKE, 712
    AAA, 686
    configuration, 670, 681, 683
    mismatches, 709
  VPN client group profiles, 684
pools (IP), 683
  creating, 46
  L2TP, 248
  PPTP, 158
POP (Point-of-Presence), 135, 213
port mode, ATM cell relay, 596
ports, Ethernets, 592
port-to-port connections, Frame Relay, 593
PPP (Point-to-Point Protocol), 11
  authentication, 301
  autodetection, 239
  control words, 582
  encapsulation, 240, 380
  frames, 29
  L2F negotiation, 84–98
  LAC, 266–278
  MMP, 213
  MP, 135
  NAS, 58–69
  negotiation, 146–148
  partial authentication failures, 64
  PPTP, 135
  teardown, 89
  troubleshooting, 86, 176–180
PPTP (Point-to-Point Tunneling Protocol), 135
  authentication, 176–180
  case studies
    MPPE attributes not returned, 197–203
    split tunnels, 203
  commands, 204–210
  configuration, 155–159
  control channels
    configuration, 138–142
    troubleshooting, 163–168
  debug commands, 210
  frame forwarding, 146–148
  keepalives, 150
  LCP negotiation, 169–176
  maintenance, 148–150
  messages, 154
  NCP negotiation, 180–197
  PPP negotiation, 146–148
  sessions
    configuration, 142–146
    troubleshooting, 163–168
  show commands, 210
  technical overview of, 137
  termination, 150–153
  troubleshooting, 159–162
  virtual interfaces, 168–169
  virtual templates, 156
PPTP Access Concentrator. See PAC
PPTP Network Server. See PNS
preshared key authentication, 665
preshared keys
  adding, 702
  authentication, 663, 713
  compulsory tunnel mode, 252–254
  configuration, 670
  L2TP, 339
  misconfigurations, 714
  responders, 707
  site-to-site IPSec VPNs, 675
  troubleshooting, 701
  voluntary tunnel mode, 255
PRI (Primary Rate Interface), 36, 263
profiles, VPN client group policies, 684
proposals
  acceptances, 693
  mismatches, 711
Protocol Field Compression (PFC), 59, 268
Protocol Independent Multicast (PIM), 428
protocol none command, 381
protocols
  BGP, 447
  CCP, 93
  CHAP
    configuration, 240
    L2F tunnel establishment, 18
  CR-LDP, 424
  ICMP, 388
  L2F, 11
  L2TP, 213
    call reception, 260–265
    case studies, 311
    compulsory tunnel mode, 237, 245
    control messages, 220–227
    establishment, 227, 229
    IPSec, 252–255
    LNS, 246, 252
    maintenance, 232
    messages, 234–235
    outgoing calls, 235–236
    PPP on LAC, 266–278
    security, 236
    sessions, 230–232, 290–311
    teardown, 233
    technical overview of, 215–220
    troubleshooting, 255, 260
    tunnels, 278–290
    voluntary tunnel mode, 252
  L2TPv3, 357
  label distribution, 428
  LCP negotiation, 18
  LDP, 424, 428, 578
    configuration, 448
    updating, 447
  NCP negotiation, 58, 91, 231
  NTP, 678
  PE-CE routing, 454, 514–516
  PPP, 11
    forwarding frames, 29
    NAS, 58–69
    partial authentication failures, 64
  PPTP, 135
  RSVP, 424
  security, 656–659. See also IPSec; security
  SLIP, 11
  TDP, 424, 428, 578
  VPDN mismatches, 72, 281
provider edge. See PE routers
provisioning MPLS VPNs, 430
Proxy LCPs, 226
pseudowires
  AToM, 591–597
    control words, 580
    troubleshooting, 636
  classes, 377, 380
PVP (permanent virtual path), 380

Q

quick mode negotiation, 668, 719–733

R

RA (Registration Authority), 679
RADIUS (Remote Authentication Dial-In User Service), 241
  authentication failures, 105–109, 322–326
  authorization failures, 109–114, 326, 331
  L2TP misconfiguration, 312–322
  server unreachable from LNS, 331
ranges, troubleshooting, 625
RD (Route Distinguisher), 430–432
reconfiguration. See also configuration
  authentication, 178
  crypto access lists, 700
  hash algorithms, 724
  passwords, 90, 107
  peer IP addresses, 704
  tunnel passwords, 79
  usernames, 90
  VPDN groups, 284
redistribute command, 533
redistribute rip command, 458
redistribution
  MP-BGP, 458, 531
  routes, 518
re-enabling ISAKMP, 703
reference models, 4
Registration Authority (RA), 679
remote AAA, 44. See also AAA
  authentication failures, 105–109
  authorization failures, 109–114
  case studies, 98–114
  configuration, 39
  L2TP configuration, 241
  LNS, 249
remote access clients. See also access; clients
  CONFACK, 269
  disconnections, 293
  PPP negotiation failures, 84–98
  PPTP, 137
    maintenance, 148–150
    messages, 154
    termination, 150–153
remote access IPSec VPNs configuration, 655, 682–688
remote alarms, E1 controllers, 54
Remote Authentication Dial-In User Service. See RADIUS
remote clients, LCP negotiation failures, 58
remote VPN clients, IKE negotiation failures, 740
reports, alarms, 54
Resource Reservation Protocol (RSVP), 424, 428
responders
  preshared keys, 707
  quick mode, 720
Result Code AVPs, 222, 364
result codes
  CDN
    messages, 223
    verifying from, 294
  PPTP, 141
  StopCCN messages, 223
retention of labels, 427
RIP (Routing Information Protocol), 454
Route Distinguisher (RD), 430
Route Target (RT), 434
router isis command, 450
router ospf 100 command, 451
routers
  AToM
    CEF, 588
    configuration, 588
    LDP Router ID, 589
    loopback interfaces, 588
    MPLS backbone IGPs, 590–591
    MPLS core interfaces, 589–590
    pseudowires, 591–597
    sample configurations, 597–605
    specifying LDP, 589
    troubleshooting, 605, 635
    VC label exchanges, 636–645
  CA enrollment, 680
  CE
    configuration, 446
    MVPNs, 464
  clocks, 678
  configuration, 767–771
  domains, 678
  hostnames, 678
  ID configuration, 448
  L2TPv3
    configuration, 375–388
    dynamic sessions, 376–380
    static sessions, 380–382
    troubleshooting, 389–410
  LCCE configuration, 382–387
  P
    configuration, 462–464
    MVPNs, 465
    TE tunnels, 472
  PE, 358
    configuration, 446, 459–462
    import maps, 529
    IP address mismatches, 644
    IS-IS, 450
    LDP, 637
    LDP session failures, 639
    MP-BGP redistribution, 531
    MVPNs, 464–468
    TE tunnels, 468–472
    VRF, 433
  platforms, 767
  responders, 707
  VC label exchanges, 582–586
routes
  default, 697
  MP-BGP
    activating, 452
    redistribution, 458, 518
  PE to CE advertisement, 534
  static
    configuration, 454, 458
    packet leaking, 439
    troubleshooting, 514
  VPNs, 436, 511–536
routing
  initiators, 697
  PE-CE protocols, 454
  VPNs, 433
  VRF, 433
RSA key pairs, generating, 679
RSA signature authentication, 664–666
RSVP (Resource Reservation Protocol), 424, 428
RT (Route Target), 434

S

SAD (Security Association Database), 660
sample configurations, AToM, 597–605
SAs (security associations), 660
  IKE, 660–668, 712
  IPSec, 721
SCCCN (Start-Control-Connection-Connected), 229
SCCRP (Start-Control-Connection-Reply), 229, 371
SCCRQ (Start-Control-Connection-Request), 139, 229, 371
secrets, tunneling, 40, 44
security
  firewalls, 359
  IPSec, 655
    configuration, 668
    IKE, 660–668
    MTU issues, 689–690
    remote access, 682–688
    SAs, 660
    security protocols, 656–659
    site-to-site, 669–681
    technical overview of, 656–668
    troubleshooting, 690–692
  L2TP, 236
Security Association Database (SAD), 660
security associations. See SAs
Security Parameter Index (SPI), 660, 721
Security Policy Database (SPD), 660
sequences, PPTP tunnel setup, 162
servers
  AAA. See also AAA
    misconfigurations, 99–105
    unreachable from LNS, 331–342
  addresses
    configuration, 46
    L2TP, 248
    PPTP, 158
  certificate maps, 678
  L2TP, 213
  LNS, 5
  Microsoft CA, 679
  NAS, 11
  offload, 114, 122
  PNS, 135
service password-encryption command, 79
Session IDs, 219
sessions
  data message headers, 369
  dynamic
    L2TPv3, 376–380
    troubleshooting, 400
  failure codes, 35
  L2F, 25–31, 80–84
  L2TP, 230–232, 290–297
  L2TPv3, 372
    sample configurations, 382–387
    teardowns, 374
    troubleshooting, 408
  LDP
    blocking access lists, 622
    PE routers, 639
    troubleshooting, 493, 618
    VC label exchanges, 582–586
  management AVPs, 367
  PPTP
    configuration, 142–146
    messages, 154
    termination, 150–153
    troubleshooting, 163–168
  static, 380–382
Set-Link-Info (SLI)
  messages, 234, 375
  packets, 154
SHA-1 authentication, 253
shim headers, 422
show adjacency detail command, 561
show atm vc command, 565
show caller user command, 64, 90, 97, 267, 311
show clock command, 716
show commands, 6–8
  IPSec, 750–751
  L2F, 129–130
  L2TP, 351
  MPLS VPNs, 569–571
show controller e1 command, 262
show crypto ca certificates command, 716
show crypto engine connections active command, 747
show crypto ipsec dynamic-map command, 748
show crypto ipsec sa command, 726
show crypto ipsec security-association lifetime command, 749
show crypto ipsec transform-set command, 724
show crypto isakmp key command, 701
show crypto isakmp sa command, 695
show crypto key mypubkey rsa command, 747
show crypto key pubkey-chain rsa command, 748
show crypto map tag command, 698–699
show ip access-lists command, 490, 530, 615, 706, 734
show ip bgp neighbors command, 522
show ip bgp vpnv4 vrf vrf_name command, 518, 524
show ip bgp vpnv4 vrf vrf_name labels command, 565
show ip cef command, 481, 609
show ip cef summary command, 509
show ip interface command, 705
show ip rip database vrf command, 532
show ip route command, 535, 697
show ip route vrf vrf_name static command, 515
show ip vrf detail vrf_name command, 526
show ip vrf interfaces command, 513
show isdn status command, 53–54, 261
show l2tun session all command, 411
show l2tun tunnel all command, 410
show mpls atm-ldp capability command, 564
show mpls forwarding-table command, 504, 627
show mpls interfaces command, 609
show mpls l2transport binding command, 648
show mpls l2transport hw-capability interface interface_name command, 647
show mpls l2transport summary command, 647
show mpls l2transport vc command, 642
show mpls l2transport vc vcid detail command, 636
show mpls ldp bindings command, 503, 628, 630–631
show mpls ldp discovery command, 489, 613
show mpls ldp neighbor command, 494, 618, 639
show mpls ldp parameters command, 563
show ppp mppe virtual-access number command, 206
show ppp multilink command, 116, 121
show route-map command, 528
show running-config command, 67, 283
show user command, 63
show vpdn command, 204
show vpdn history failure command, 122, 342
show vpdn session all command, 179, 343
show vpdn session command, 81, 205, 292
show vpdn tunnel all command, 68, 70, 79, 167, 277,
show vpdn tunnel command, 120, 205
shutdown, tunnels, 283
signals
  loss, 54
  loss of alarm, 262
signatures, RSA authentication, 664
site-to-site IPSec VPN configuration, 669–681
site-to-site VPNs, 655
SKEME (Secure Key Exchange Mechanism for the Internet), 660
SKYDANCE_POOL, creating, 249
SLI (Set-Link-Info)
  messages, 234, 375
  packets, 154
SLIP (Serial Line Internet Protocol), 11
SMI Network Management Private Enterprise Codes (RFC 1700), 221, 363
solutions, troubleshooting labs, 771–775
SPD (Security Policy Database), 660
specifying LDP (AToM), 589
SPI (Security Parameter Index), 660, 721
split tunneling access lists, 684
split tunnels, PPTP, 203–204
stack (S) bits, 422
stacks, labels, 423
Start-Control-Connection-Connected (SCCCN), 229, 372
Start-Control-Connection-Reply (SCCRP), 229, 371
Start-Control-Connection-Request (SCCRQ), 139, 229, 371
statements, deny any, 490
static routes
  configuration, 454, 458
  packet leaking, 439
  troubleshooting, 514
static sessions (L2TPv3)
  configuration, 380–382
  troubleshooting, 408
StopCCN (Stop-Control-Connection-Notification) message, 234, 364
StopCCRQ packet fields, 152
sublayers, Layer 2, 371
switches, global ISDN parameters, 37
switching
  Frame Relay, 378
  MPLS, 577

T

T (transport type) bit, 581
T1, L2TP configuration, 238
tables
  BGP, 520
  CEF, 424
  VRF, 433
TACACS+ (Terminal Access Controller Access Control System Plus), 241
Tag Distribution Protocol (TDP), 424, 428, 578
tail-end router configuration, 472
target mismatches, 525
TDP (Tag Distribution Protocol), 424, 428, 578
TDP/LDP router IDs, configuration, 448
TE (traffic-engineering) tunnels, 423
  MPLS VPN, 468–473
  P routers, 472
teardown
  L2F tunneling, 34–35
  L2TP, 233
  L2TPv3, 374
  PPP connections, 89
templates (virtual)
  cloning, 85
  configuration IP addresses, 97
  creating, 45
  PPTP, 156
Terminal Access Controller Access Control System Plus (TACACS+), 241
Terminate-Acks (TERMACKs), 67, 90
Terminate-Requests (TERMREQs), 67, 90, 275
termination
  negotiation, 185
  PPTP, 150–153
testing IP connectivity, 117
time zone configuration, 678
Time-to-Live (TTL), 422
tools, 6–8
top-down troubleshooting, 5
topologies
  baselining, 3
  carrier's carrier, 419
  IPSec VPNs, 690
  MPLS Layer 3 VPNs, 419
traceroute command, 6–8, 476–479
traffic
  crypto access lists, 673
  IPSec, 733–736
  VPNs, 437
traffic-engineering. See TE tunnels
transform sets
  configuration, 253
  IPSec, 671, 685
  mismatches, 723
transparent forwarding, 11
transports
  AToM Layer 2 PDU, 578, 582
  connections, 583
  control words, 580
  Frame Relay, 579
trees
  default MDT, 443
  MDT, 442
Triple DES (3DES), 658
troubleshooting
  AToM, 605, 635
    VC label exchanges, 636–645
    troubleshooting, 645–652
  authentication tunnels, 285
  CAs, 736
  certificate authentication, 714
  clocks, 716–717
  commands, 747–751
  crypto maps, 698
  IGP backbones, 479–481
  IKE, 713
  IPCP negotiation, 187
  IPSec
    tunneling, 733–736
    VPNs, 689–692
  ISAKMP messages, 703
  L2F, 48–58, 122–126
    error messages, 126
    Home Gateway configuration, 43–48
    maintenance, 32
    management messages, 17–18
    NAS configuration, 35–43
    PPP, 58–69, 84–98
    sessions, 25–31, 80–84
    teardown, 34–35
    technical overview of, 12–17
    tunneling, 18–25, 69–80
  L2TP, 255, 260
    call reception, 260–265
    case studies, 311
    commands, 342–348
    negotiation, 297–311
    PPP on LAC, 266–278
    sessions, 290–297
    tunnels, 278–290
  L2TPv3, 389–410, 410–417
  lab solutions, 771–775
  LC-ATM interfaces, 491
  LCP negotiation, 58, 86
  LDP sessions, 493
  LSP, 481–511
  MPLS VPNs, 420–445, 473–536
    case studies, 536–560
    commands, 560–571
  MPPE negotiation, 180
  MTUs, 387–388
  NCP negotiation, 91
  partial PPP authentication, 273
  PE-CE routing protocols, 514, 516
  PPP partial authentication failures, 64
  PPTP, 159–162
    authentication, 176–180
    commands, 204–210
    control channels, 163–168
    debug commands, 210
    LCP negotiation, 169–176
    NCP negotiation, 180–197
    sessions, 163–168
    show commands, 210
    virtual interfaces, 168–169
  preshared keys, 701
  routing initiators, 697
  split tunnels, 203–204
  static routes, 514
  tools, 6–8
  tunneling authentication failures, 74
  types of, 5
  VPDN protocol mismatches, 72
  VPN advertisements, 511–536
trunks
  Frame Relay, 379
  switching, 378
TTL (Time-to-Live), 422
Tunnel IDs, 218
tunnel path-mtu-discovery command, 689
tunnel protection command, 675
tunneling
  authentication, 74, 285
  failure codes, 35
  IPSec
    establishing, 732
    traffic, 733–736
    troubleshooting, 730
  L2F, 18–25
    maintenance, 32
    multiple sessions, 15
    teardown, 34–35
    troubleshooting, 69–80
  L2TP, 213
    call reception, 260–265
    compulsory tunnel mode, 237, 245
    control messages, 220–227
    establishment, 227, 229
    IPSec, 252–255
    LNS, 246, 252
    maintenance, 232
    messages, 234–235
    outgoing calls, 235–236
    PPP on LAC, 266–278
    security, 236
    sessions, 230–232
    teardown, 233
    technical overview of, 215–220
    troubleshooting, 255, 260, 278–290
    voluntary tunnel mode, 252
  labels, 626
  LSP
    locating, 607
    troubleshooting, 611
  management, 17
  MTI, 442
  packets, 16
  password reconfiguration, 79
  PPP frames, 29
  PPTP, 135
  secret configuration, 40, 44
  shutdown, 283
  split tunneling access lists, 684
  TE, 423, 468–473
types
  of payloads, 662
  of troubleshooting, 5
  of VCs, 585, 640

U

unsolicited downstream label distribution, 426
updating
  BGP, 447
  LDP, 447
  PIM, 467, 679
usernames
  local databases, 682
  reconfiguration, 90
user-to-tunnel associations, 19, 679
V

values
  cookies, 370
  Diffie-Hellman public, 667, 693
  error codes, 224
  fields, 14
  payloads, 662
  VCID, 368
VC (virtual connection)
  ATM cell relay, 595
  control mismatches, 616
  ID mismatches, 642
  label exchanges, 636–645
  labels, 578, 582–586
  types, 585, 640
VCID (Virtual Circuit ID) values, 368, 403
Vendor-ID field, 221
verification
  access lists, 615
  active lines, 266
  call reception, 56
  call setup, 55
  CEF, 509, 608
  crypto map placement, 698
  label bindings, 626
  LFIB, 504
  MPLS, 484, 609
  NCP negotiation, 97
  peer IP addresses, 704
  PPTP
    session setup, 178
    tunnels, 167, 175
  PRI, 263
  tunnel LSPs, 607
  virtual interfaces, 175
  VPDN groups, 169
Virtual Circuit ID (VCID) values, 368, 403
virtual interfaces, troubleshooting, 168–169
virtual template interfaces, L2TP, 247
virtual templates
  cloning, 85, 297
  creating, 45
  IP address configuration, 97
  PPTP, 156
VLAN (802.1Q) interface encapsulation, 378
voluntary tunnel mode, 135
  IPSec configuration, 255
  L2TP, 252
  PPTP, 155
  technical overview of PPTP, 137
vpdn domain-delimiter command, 19
vpdn multihop command, 120
vpdn search order domain command, 243
vpdn session-limit sessions command, 297
vpdn softshut command, 84, 296
VPDNs (Virtual Private Dialup Networks)
  enabling, 40, 44
  error messages, 126
  groups
    configuration, 40, 44
    creating virtual templates, 45
    misconfiguration of domain names, 67
    PPTP, 156
    reconfiguration, 284
  L2TP, 242
  LNS, 246
  mismatches, 281
  protocol mismatches, 72
  session limitations, 83
VPN Routing and Forwarding (VRF), 433
VPN-IPv4 (VPNv4) address family, troubleshooting, 522
VPNs (virtual private networks)
  advertisements, 511–536
  interfaces, 440
  Internet access, 439
  IPSec, 655
    configuration, 668
    IKE, 660–668
    MTU issues, 689–690
    remote access, 682–688
    SAs, 660
    security protocols, 656–659
    site-to-site, 669–681
    technical overview of, 656–668
    troubleshooting, 690–692
  Layer 3 MPLS
    configuration, 445–459
    P router configuration, 462–464
    PE router sample configuration, 459–462
    technical overview of, 420–445
  MPLS
    case studies, 536–560
    commands, 560–571
    TE tunnels, 468–473
    troubleshooting, 473–536
  route distribution, 436
  traffic, 437
VRF (VPN Routing and Forwarding), 433
  interfaces, 454, 467
  MVRF, 442
  packet leaking, 439

W

WEN (WAN-Error-Notify) message, 234
WINS (Windows Internet Naming System)
  addresses
    configuration, 46
    L2TP, 248
    PPTP, 158
withdraw messages, labels, 586
wizards, Create New VPN Connection Entry, 685

X

XAuth (extended authentication), 682
xconnect command, 393

Z

ZLB Ack (Zero-Length-Body Acknowledgement), 216, 360