Mailing List Archive: Distinct IP over L2TP/VPDN

Distinct IP over L2TP/VPDN

Jul 14, 2005, 1:25 AM

Post #1 of 6 (2786 views)

Hi,

Apologies if this is similar to a previous thread.

Scenario:

7206VXR acting as LNS/HomeGateway for L2TP VPDN sessions/tunnels from
Telco. Authenticate PPP connections via our own RADIUS server.

Problem:

DSL users are allocated user@domain details and some (on request) are
given fixed IP's. These are provided via our RADIUS on connection.
Occasionally users are given the same static IP's ( by mistake :-) ).
When this happens, we see identical next-hop WAN IP's via a 'show
users'. Neither user has connectivity since there is major packet loss.
Understandable.

Question:

Is there any way we can change this behaviour on router so that the
first user on particular IP works, subsequent users who connect on same
IP have no connectivity at all?

Any body had similar problems?

Thanks,

Mark.

RE: Distinct IP over L2TP/VPDN [ In reply to ]

oboehmer at cisco

Jul 14, 2005, 1:49 AM

Post #2 of 6 (2720 views)

Permalink

> Problem:
>
> DSL users are allocated user@domain details and some (on request) are
> given fixed IP's. These are provided via our RADIUS on connection.
> Occasionally users are given the same static IP's ( by mistake J ).
> When this happens, we see identical next-hop WAN IP's via a 'show
> users'. Neither user has connectivity since there is major packet
> loss. Understandable.
>
> Question:
>
> Is there any way we can change this behaviour on router so that the
> first user on particular IP works, subsequent users who connect on
> same IP have no connectivity at all?

No, there is nothing you can do about this if you need to safeguard
against incorrect Radius profiles.. There is no logic in IOS which
prevents you from assiging the same IP address to two virtual-access
interfaces.

oli

RE: Distinct IP over L2TP/VPDN [ In reply to ]

k at adamski

Jul 14, 2005, 9:33 AM

Post #3 of 6 (2741 views)

Permalink

On Thu, 14 Jul 2005, Oliver Boehmer (oboehmer) wrote:

>
> > Problem:
> >
> > DSL users are allocated user@domain details and some (on request) are
> > given fixed IP's. These are provided via our RADIUS on connection.
> > Occasionally users are given the same static IP's ( by mistake J ).
> > When this happens, we see identical next-hop WAN IP's via a 'show
> > users'. Neither user has connectivity since there is major packet
> > loss. Understandable.
> >
> > Question:
> >
> > Is there any way we can change this behaviour on router so that the
> > first user on particular IP works, subsequent users who connect on
> > same IP have no connectivity at all?
>
> No, there is nothing you can do about this if you need to safeguard
> against incorrect Radius profiles.. There is no logic in IOS which
> prevents you from assiging the same IP address to two virtual-access
> interfaces.

And IOS should NOT ever enforce this kind of check, since this would be a
valid form of load balancing over two DSL circuits.

K

RE: Distinct IP over L2TP/VPDN [ In reply to ]

oboehmer at cisco

Jul 14, 2005, 9:36 AM

Post #4 of 6 (2743 views)

Permalink

Krzysztof Adamski <mailto:k@adamski.org> wrote on Thursday, July 14,
2005 6:33 PM:

>>> Is there any way we can change this behaviour on router so that the
>>> first user on particular IP works, subsequent users who connect on
>>> same IP have no connectivity at all?
>>
>> No, there is nothing you can do about this if you need to safeguard
>> against incorrect Radius profiles.. There is no logic in IOS which
>> prevents you from assiging the same IP address to two virtual-access
>> interfaces.
>
> And IOS should NOT ever enforce this kind of check, since this would
> be a valid form of load balancing over two DSL circuits.

I totally agree..

oli

Re: Distinct IP over L2TP/VPDN [ In reply to ]

arievayner at gmail

Jul 15, 2005, 4:03 AM

Post #5 of 6 (2743 views)

Permalink

Another point that you should take into account is larger SPs with
10's and even 100's of LNS boxes - how can you ever make them check
such a condition between them all?!

Arie

On 7/14/05, Oliver Boehmer (oboehmer) <oboehmer@cisco.com> wrote:
> Krzysztof Adamski <mailto:k@adamski.org> wrote on Thursday, July 14,
> 2005 6:33 PM:
>
>
> >>> Is there any way we can change this behaviour on router so that the
> >>> first user on particular IP works, subsequent users who connect on
> >>> same IP have no connectivity at all?
> >>
> >> No, there is nothing you can do about this if you need to safeguard
> >> against incorrect Radius profiles.. There is no logic in IOS which
> >> prevents you from assiging the same IP address to two virtual-access
> >> interfaces.
> >
> > And IOS should NOT ever enforce this kind of check, since this would
> > be a valid form of load balancing over two DSL circuits.
>
> I totally agree..
>
> oli
>
> _______________________________________________
> cisco-bba mailing list
> cisco-bba@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba
>

Re: Distinct IP over L2TP/VPDN [ In reply to ]

dschapov at dsi

Jul 28, 2005, 12:43 AM

Post #6 of 6 (2741 views)

Permalink

Hi.

> > Problem:
> >
> > DSL users are allocated user@domain details and some (on request) are
> > given fixed IP's. These are provided via our RADIUS on connection.
> > Occasionally users are given the same static IP's ( by mistake J ).
> > When this happens, we see identical next-hop WAN IP's via a 'show
> > users'. Neither user has connectivity since there is major packet
> > loss. Understandable.
> >
> > Question:
> >
> > Is there any way we can change this behaviour on router so that the
> > first user on particular IP works, subsequent users who connect on
> > same IP have no connectivity at all?
>
> No, there is nothing you can do about this if you need to safeguard
> against incorrect Radius profiles.. There is no logic in IOS which
> prevents you from assiging the same IP address to two virtual-access
> interfaces.
>
> oli

Hmm ...
What about
'ppp ipcp address unique' ?

12.3 mainline