
Building a VPDN Network

2003-01-13  Author: compiled by BitsCN  Source: 中国网管联盟


  VPDN (Virtual Private Dialup Networks) is a virtual private network service for dial-up users; combined with the corresponding authentication, authorization and accounting functions, it builds a secure and reliable virtual private network.
  
  The advantages of VPDN are: good security, since the network is not easily attacked; good confidentiality, since unauthorized access is effectively prevented; and flexible networking, since VPDN users are created and managed by the operator itself.
  
  Related concepts
  
  Client: PC or router attached to a remote access network, which is the initiator of a call.
  
  L2TP: Layer 2 Tunnel Protocol. PPP defines an encapsulation mechanism for transporting multiprotocol packets across layer 2 (L2) point-to-point links. Typically, a user obtains an L2 connection to a Network Access Server (NAS) using a technique such as dialup plain old telephone service (POTS), ISDN or Asymmetric Digital Subscriber Line (ADSL) and then runs PPP over that connection. In such a configuration, the L2 termination point and PPP session endpoint reside on the same physical device (the NAS).
  
  L2TP extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices interconnected by a network. With L2TP, a user has an L2 connection to an access concentrator, and the concentrator then tunnels individual PPP frames to the NAS. This allows the actual processing of PPP packets to be divorced from the termination of the L2 circuit.
  
  L2F: Layer 2 Forwarding Protocol. L2F is a tunneling protocol older than L2TP.
  
  LAC: L2TP Access Concentrator. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the LNS. The LAC sits between an LNS and a client and forwards packets to and from each. Packets sent from the LAC to the LNS require tunneling with the L2TP protocol. The connection from the LAC to the client is typically through ISDN or analog.
  
  LNS: L2TP Network Server. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the LAC. The LNS is the logical termination point of a PPP session that is being tunneled from the client by the LAC.
  
  Home Gateway: Same definition as LNS in L2F terminology.
  
  NAS: Same definition as LAC in L2F terminology.
  
  Tunnel: In L2TP terminology, a Tunnel exists between a LAC-LNS pair. The Tunnel consists of a control connection and zero or more L2TP Sessions. The Tunnel carries encapsulated PPP datagrams and control messages between the LAC and the LNS. The process is the same for L2F.
  
  Session: L2TP is connection-oriented. The LNS and LAC maintain a state for each call that is initiated or answered by an LAC. An L2TP Session is created between the LAC and LNS when an end-to-end PPP connection is established between a client and the LNS. Datagrams related to the PPP connection are sent over the Tunnel between the LAC and LNS. There is a one-to-one relationship between established L2TP Sessions and their associated calls. The process is the same for L2F.
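To make the Tunnel/Session model above concrete, here is an added example (not part of the original article) that builds and parses L2TP version 2 control messages as laid out in RFC 2661: an SCCRQ that opens a tunnel on the control connection (Session ID 0) and an ICRQ that opens one call inside that tunnel. The parser enforces the rules a receiver must apply (T, L and S set, O clear, length matching the datagram, Message Type AVP first), so a data message or a truncated datagram is rejected. The hostname lac1, the tunnel and session IDs and the sequence numbers are all constructed values.

```python
"""Builder and parser for L2TP version 2 control messages (RFC 2661).

Every message carries a Tunnel ID and a Session ID: the control connection
uses Session ID 0 (SCCRQ/SCCRP/SCCCN), and each call later gets its own
Session ID (ICRQ/ICRP/ICCN). Hypothetical example; all values are constructed.
"""
import struct

# Control message types (RFC 2661 section 3.2) used for tunnel and session setup.
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}
# AVP attribute types (IETF vendor ID 0) used below.
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_HOST_NAME = 0, 2, 7
AVP_ASSIGNED_TUNNEL_ID, AVP_ASSIGNED_SESSION_ID = 9, 14
# Header flag bits: T = control message, L = length present, S = Ns/Nr present,
# O = offset present (must be clear on control messages).
FLAG_T, FLAG_L, FLAG_S, FLAG_O = 0x8000, 0x4000, 0x0800, 0x0200
L2TP_VERSION = 2


def encode_avp(attr_type, value, mandatory=True, vendor_id=0):
    """AVP = 16-bit M/H flags plus 10-bit length, vendor ID, attribute type, value."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, vendor_id, attr_type) + value


def build_control_message(msg_type, tunnel_id, session_id, ns, nr, avps):
    """Control messages set T, L and S; the Message Type AVP must come first."""
    body = encode_avp(AVP_MESSAGE_TYPE, struct.pack("!H", msg_type))
    for attr_type, value in avps:
        body += encode_avp(attr_type, value)
    flags = FLAG_T | FLAG_L | FLAG_S | L2TP_VERSION
    return struct.pack("!HHHHHH", flags, 12 + len(body), tunnel_id, session_id, ns, nr) + body


def parse_control_message(data):
    """Parse one control message; raise ValueError on anything a receiver must reject."""
    if len(data) < 12:
        raise ValueError("truncated L2TP header")
    flags, length, tunnel_id, session_id, ns, nr = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError("not an L2TPv2 header")
    if not (flags & FLAG_T and flags & FLAG_L and flags & FLAG_S) or flags & FLAG_O:
        raise ValueError("control messages need T, L and S set and O clear")
    if length != len(data):
        raise ValueError("length field does not match the datagram")
    avps, pos = [], 12
    while pos < length:
        if pos + 6 > length:
            raise ValueError("truncated AVP header")
        avp_flags, vendor_id, attr_type = struct.unpack("!HHH", data[pos:pos + 6])
        avp_len = avp_flags & 0x03FF
        if avp_len < 6 or pos + avp_len > length:
            raise ValueError("bad AVP length")
        avps.append({"mandatory": bool(avp_flags & 0x8000), "hidden": bool(avp_flags & 0x4000),
                     "vendor_id": vendor_id, "type": attr_type, "value": data[pos + 6:pos + avp_len]})
        pos += avp_len
    first = avps[0] if avps else None
    if first is None or first["vendor_id"] != 0 or first["type"] != AVP_MESSAGE_TYPE or len(first["value"]) != 2:
        raise ValueError("first AVP must be a Message Type AVP")
    msg_type = struct.unpack("!H", first["value"])[0]
    return {"message": MESSAGE_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type),
            "tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr, "avps": avps}


def is_valid_control_message(data):
    """True if parse_control_message accepts the datagram."""
    try:
        parse_control_message(data)
        return True
    except ValueError:
        return False


def u16(avps, attr_type):
    """16-bit value of the first IETF AVP of the given type, or None if absent."""
    for avp in avps:
        if avp["vendor_id"] == 0 and avp["type"] == attr_type and len(avp["value"]) == 2:
            return struct.unpack("!H", avp["value"])[0]
    return None


# Constructed exchange: the LAC opens a tunnel (SCCRQ, Tunnel ID 0 because the LNS
# has not assigned one yet) and later opens a call inside it (ICRQ, Session ID 0 in
# the header, the proposed Session ID carried in the Assigned Session ID AVP).
SCCRQ = build_control_message(1, 0, 0, 0, 0, [
    (AVP_PROTOCOL_VERSION, b"\x01\x00"),
    (AVP_HOST_NAME, b"lac1"),
    (AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 0x1234)),
])
ICRQ = build_control_message(10, 0x5678, 0, 3, 2, [
    (AVP_ASSIGNED_SESSION_ID, struct.pack("!H", 1)),
])

if __name__ == "__main__":
    for msg in (SCCRQ, ICRQ):
        p = parse_control_message(msg)
        print(p["message"], "tunnel=%#x session=%#x ns=%d nr=%d" % (
            p["tunnel_id"], p["session_id"], p["ns"], p["nr"]))
```

The one-to-one relationship between sessions and calls described above shows up directly in the fields: the tunnel is identified by the Tunnel ID in every header, while each call gets its own Session ID, first proposed in the Assigned Session ID AVP of the ICRQ and then carried in the header of every datagram for that call.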
  
  Key points for the L2TP Access Concentrator (LAC)
  
  1. Tunnel type
  The tunnel type is either L2F or L2TP.
  The default is L2F.
  To use L2TP, which is also the most common choice, note that this command is case-sensitive.
  
  2. L2TP tunnel password
  The basic command format is:
  accept-dialin
  protocol l2tp
  virtual-template 1
  terminate-from hostname xiaoming
  local name tony
  domain www.bitscn.com
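As an added example, not from the original article, the following Python script checks a Cisco IOS VPDN configuration for the settings discussed above and for secrets stored in reversible form: a reversible `enable password`, type 0 (plaintext) user, tunnel and TACACS+ secrets, `protocol any` on an accept-dialin group (which accepts L2F as well as L2TP), a group without `l2tp tunnel password`, and a group without `terminate-from hostname`. The embedded sample configuration is constructed in the style of the LNS configuration shown later on this page; the hostnames and secrets in it are sample values, and the checks are this example's own heuristics, not an IOS feature.

```python
"""Checks a Cisco IOS VPDN configuration for settings worth reviewing.

Hypothetical example: the sample configuration is constructed in the style of
the LNS configuration on this page; hostnames and secrets are sample values.
"""
import re

SAMPLE_CONFIG = """\
hostname access-9
!
aaa new-model
enable password somethingSecret
!
username john password 0 secret4me
!
vpdn enable
!
vpdn-group DEFAULT
 accept-dialin
  protocol any
  virtual-template 1
 local name LNS
 lcp renegotiation always
 l2tp tunnel password 0 not2tell
!
vpdn-group POP1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname xiaoming
 local name tony
!
tacacs-server host 172.16.171.9
tacacs-server key 2easy
!
end
"""


def split_vpdn_groups(config):
    """Return {group name: [stripped subcommands]} for each vpdn-group block."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^vpdn-group (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current is not None and line.startswith(" "):
            groups[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the block
    return groups


def lint_vpdn_config(config):
    """Return a list of (severity, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        s = line.strip()
        if re.match(r"^enable password ", s):
            findings.append(("high", "line %d: 'enable password' is reversible; use 'enable secret'" % lineno))
        if re.match(r"^username \S+ password 0 ", s):
            findings.append(("high", "line %d: user password stored as type 0 (plaintext)" % lineno))
        if re.match(r"^l2tp tunnel password 0 ", s):
            findings.append(("medium", "line %d: L2TP tunnel password stored as type 0 (plaintext)" % lineno))
        if re.match(r"^tacacs-server key ", s) and not re.match(r"^tacacs-server key 7 ", s):
            findings.append(("medium", "line %d: TACACS+ key stored in plaintext" % lineno))
    for name, lines in split_vpdn_groups(config).items():
        if "accept-dialin" not in lines:
            continue  # only groups that terminate tunnels are checked here
        if "protocol any" in lines:
            findings.append(("medium", "vpdn-group %s: 'protocol any' also accepts L2F; pin 'protocol l2tp'" % name))
        if not any(l.startswith("l2tp tunnel password") for l in lines):
            findings.append(("medium", "vpdn-group %s: no 'l2tp tunnel password'; verify the tunnel secret comes from a username entry for the local name or from AAA" % name))
        if not any(l.startswith("terminate-from hostname") for l in lines):
            findings.append(("low", "vpdn-group %s: no 'terminate-from hostname'; any LAC hostname can match this group" % name))
    return findings


if __name__ == "__main__":
    for severity, finding in lint_vpdn_config(SAMPLE_CONFIG):
        print("[%s] %s" % (severity, finding))
```

Run against the sample, the script flags the two type 0 passwords, the reversible enable password, the plaintext TACACS+ key, `protocol any` and the missing `terminate-from hostname` on the DEFAULT group, and the missing `l2tp tunnel password` on the POP1 group; feed it the output of `show running-config` to review a real device.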
  
  Basic VPDN configuration example topology
  
  NAS configuration
  Source:
  --------------------------------------------------------------------------------
  version 12.0
  service timestamps debug datetime msec
  service timestamps log datetime msec
  !
  hostname as5300
  !
  aaa new-model
  aaa authentication login default local
  aaa authentication login CONSOLE none
  aaa authentication ppp default if-needed group tacacs+
  aaa authorization network default group tacacs+
  enable password somethingSecret
  !
  username john password 0 secret4me
  !
  ip subnet-zero
  !
  vpdn enable
  !
  isdn switch-type primary-5ess
  !
  controller T1 0
   framing esf
   clock source line primary
   linecode b8zs
   pri-group timeslots 1-24
  !
  controller T1 1
   framing esf
   clock source line secondary 1
   linecode b8zs
   pri-group timeslots 1-24
  !
  controller T1 2
   framing esf
   linecode b8zs
   pri-group timeslots 1-24
  !
  controller T1 3
   framing esf
   linecode b8zs
   pri-group timeslots 1-24
  !
  interface Ethernet0
   ip address 172.16.186.52 255.255.255.240
   no ip directed-broadcast
  !
  interface Serial0:23
   no ip address
   no ip directed-broadcast
   encapsulation ppp
   ip tcp header-compression passive
   dialer rotary-group 1
   isdn switch-type primary-5ess
   isdn incoming-voice modem
   no cdp enable
  !
  interface Serial1:23
   no ip address
   no ip directed-broadcast
   encapsulation ppp
   ip tcp header-compression passive
   dialer rotary-group 1
   isdn switch-type primary-5ess
   isdn incoming-voice modem
   no cdp enable
  !
  interface Serial2:23
   no ip address
   no ip directed-broadcast
   encapsulation ppp
   ip tcp header-compression passive
   dialer rotary-group 1
   isdn switch-type primary-5ess
   isdn incoming-voice modem
   no cdp enable
  !
  interface Serial3:23
   no ip address
   no ip directed-broadcast
   encapsulation ppp
   ip tcp header-compression passive
   dialer rotary-group 1
   isdn switch-type primary-5ess
   isdn incoming-voice modem
   no cdp enable
  !
  interface FastEthernet0
   no ip address
   no ip directed-broadcast
   shutdown
  !
  interface Group-Async1
   ip unnumbered Ethernet0
   no ip directed-broadcast
   encapsulation ppp
   ip tcp header-compression passive
   async mode interactive
   peer default ip address pool IPaddressPool
   no cdp enable
   ppp authentication chap
   group-range 1 96
  !
  interface Dialer1
   ip unnumbered Ethernet0
   no ip directed-broadcast
   encapsulation ppp
   ip tcp header-compression passive
   dialer-group 1
   peer default ip address pool IPaddressPool
   no cdp enable
   ppp authentication chap
  !
  ip local pool IPaddressPool 10.10.10.1 10.10.10.254
  no ip http server
  ip classless
  ip route 0.0.0.0 0.0.0.0 172.16.186.49
  !
  tacacs-server host 172.16.171.9
  tacacs-server key 2easy
  !
  line con 0
   login authentication CONSOLE
   transport input none
  line 1 96
   autoselect during-login
   autoselect ppp
   modem Dialin
  line aux 0
  line vty 0 4
  !
  end
  
  LNS configuration
  Source:
  --------------------------------------------------------------------------------
  !
  version 12.0
  service timestamps debug uptime
  service timestamps log uptime
  !
  hostname access-9
  !
  aaa new-model
  aaa authentication login default local
  aaa authentication login CONSOLE none
  aaa authentication ppp default if-needed group tacacs+
  aaa authorization network default group tacacs+
  enable password somethingSecret
  !
  ip subnet-zero
  !
  vpdn enable
  !
  vpdn-group DEFAULT
  ! Default L2TP VPDN group
   accept-dialin
   protocol any
   virtual-template 1
   local name LNS
   lcp renegotiation always
   l2tp tunnel password 0 not2tell
  !
  vpdn-group POP1
   accept-dialin
   protocol l2tp
   virtua
