5-24
Cisco 10000 Series Router Software Configuration Guide
OL-2226-23
Chapter 5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server
L2TP Network Server
To be VRF aware, ISPs must define multiple instances of the same operational parameters and secure
them to the VRF partitions. Securing AAA parameters to a VRF can be accomplished from one or more
of the following sources:
• Virtual template—Used as a generic interface configuration.
• Service provider AAA server—Used to associate a remote user with a specific VPN based on the
  domain name. The server then provides the VPN-specific configuration for the virtual access
  interface that includes the IP address and port number of the customer AAA server.
• Customer VPN AAA server—Used to authenticate the remote user and to provide user-specific
  configurations for the virtual access interface.
For more information on the per VRF AAA feature, see the “Configuring per VRF AAA Services”
section on page 5-31 and the “RADIUS Attribute Screening” section on page 16-39.
Private Servers
Private servers are servers defined within a server group. These servers have private addresses within the
default server group containing all the servers. Private servers remain hidden from other groups. If you
do not specify private server parameters, global configurations are used. If you do not specify global
configurations, default values are used.
You configure all server operational parameters per host, per server group, or globally. Per host
configurations have precedence over per server group configurations. Per server group configurations
have precedence over global configurations.
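The following configuration fragment is an added illustration of the precedence rules above and is not taken from the original guide. The VRF name, server group name, addresses, and timer values are constructed, and `<shared-secret>` is a placeholder for the RADIUS key.

```cisco
! Constructed example: names, addresses, and timers are illustrative only.
aaa new-model
!
! Global values: apply to any server that sets nothing more specific.
radius-server timeout 5
radius-server retransmit 3
radius-server deadtime 5
!
ip vrf cust-a
 rd 100:1
!
! The private server below is visible only inside this server group.
! - timeout 3 is set per host, so it takes precedence over the global timeout 5.
! - retransmit is not set per host, so the global value 3 is used.
! - deadtime 2 is set per server group, so it takes precedence over the
!   global deadtime 5.
! - ip vrf forwarding secures the group's servers to the customer VRF.
aaa group server radius CUST-A-RADIUS
 server-private 10.10.130.2 auth-port 1812 acct-port 1813 timeout 3 key <shared-secret>
 ip vrf forwarding cust-a
 deadtime 2
```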
RADIUS Attribute Screening
The RADIUS Attribute Screening feature allows you to configure a list of “accept” or “reject” RADIUS
attributes on the Cisco 10000 series router for authorization and accounting purposes. Based on the
accept or reject list you configure for a particular purpose, the Cisco 10000 series router:
• Accepts and processes all standard RADIUS attributes
• Rejects all standard RADIUS attributes
Before you configure a RADIUS accept or reject list, you must enable AAA using the aaa new-model
command in global configuration mode. For more information, see the “Configuring RADIUS Attribute
Accept or Reject Lists” section on page 5-37, the “RADIUS Attribute Screening” section on
page 16-39, or see the Cisco IOS Command Summary, Volume 2 of 3, Release 12.2.
Packet Fragmentation
The setting of the Don’t Fragment (DF) bit determines if a packet is eligible for fragmentation. If the DF
bit is clear, a packet is fragmented only if it exceeds the maximum transfer unit (MTU) size. If the DF
bit is set, a packet is not fragmented and instead is dropped. For packets entering an L2TP tunnel that
exceed the MTU size, enter the following command in global configuration mode to configure the Cisco
10000 series router to ignore the setting of the DF bit and to fragment the packets:
Router(config)# [no] ip pxf ignore l2tp df-bit