JUNOSe 8.1.x Broadband Access Configuration Guide > Configuring L2TP > Configuring the LAC

Configuring the LAC

A single E-series router can function as an LAC for some tunnels and an LNS for others, but the router does not support termination at both ends of the same tunnel or session in the same router.

The router can initiate L2TP tunnels based either on a locally configured domain map or RADIUS profile information. In either case, the data is selected by domain name.

l2tp checksum

• Use to enable the generation of a UDP data integrity checksum in data packets sent to an L2TP peer.
• The router always uses UDP checksums during transmission and reception of L2TP control packets.
• Example

host1(config)#l2tp checksum

• Use the no version to disable UDP checksum (the default).
  

  NOTE: This command does not affect the way the router checks the UDP data integrity checksum in L2TP data packets that are received from an L2TP peer. The router checks all non-zero received checksums and discards the packet if a data integrity problem is detected.

  
  

l2tp destruct-timeout

• Use to specify the maximum time period, in the range 10-3600 seconds
  (1 hour), for which the router attempts to maintain dynamic destinations, tunnels, and sessions after they have been destroyed.
• This command facilitates debugging and other analysis by saving underlying memory structures after the destination, tunnel, or session is terminated.
• Any specific dynamic destination, tunnel, or session may not be maintained for this entire time period if the resources must be reclaimed early to allow new tunnels to be established.
• If you use the l2tp destination lockout timeout command to configure an optional lockout timeout, always configure the destruct timeout to be longer than the lockout timeout. The destruct timeout overrides the lockout timeout—when the destruct timeout expires, all information about the locked out destination is deleted, including the lockout timeout and lockout test settings. See Managing the L2TP Destination Lockout Process.
• Example

host1(config)#l2tp destruct-timeout 1200

• Use the no version to set this time to the default, 600 seconds (10 minutes).

l2tp retransmission

• Use to specify the number of retransmission retries, in the range 2-7.
• Use the established keyword to apply the retry count only to established tunnels.
• Use the not-established keyword to apply the retry count only to tunnels that are not established.
• If you do not include a keyword, the router applies the retry count to all tunnels.
• Example

host1(config)#l2tp retransmission 4 established

• Use the no version to set the retransmission retry count to the default, 5.

Configuring Calling Number AVP Formats

The E-series LAC generates L2TP Calling Number AVP 22 for incoming-call request (ICRQ) packets that the LAC sends to the LNS. By default, the E-series LAC generates the Calling Number AVP 22 in descriptive format.

You can also prevent the E-series LAC from sending the Calling Number AVP in ICRQ packets.

NOTE: You cannot change the L2TP Calling Number AVP on tunnel switched interfaces.

You can set up the router to generate AVP 22 in any of the following formats. Agent-circuit-id is suboption 1 of the tags supplied by the PPPoE intermediate agent from the DSLAM. Agent-remote-id is suboption 2.

• Descriptive format—This format includes the following elements:

<interface ID> <delimit> <UID> <delimit> <interface description> <delimit> <connect info> <delimit> <PPPoE description>

• Descriptive include-agent-circuit-id format—This format includes the following elements:

<interface ID> <delimit> <UID> <delimit> <interface description> <delimit> <connect info> <delimit> <PPPoE description> <delimit> <agent-circuit-id>

• Descriptive include-agent-circuit-id include-agent-remote-id format—This format includes the following elements:

<interface ID> <delimit> <UID> <delimit> <interface description> <delimit> <connect info> <delimit> <PPPoE description> <delimit> <agent-circuit-id> <delimit> <agent-remote-id>

• Descriptive include-agent-remote-id format—This format includes the following elements:

<interface ID> <delimit> <UID> <delimit> <interface description> <delimit> <connect info> <delimit> <PPPoE description> <delimit> <agent-remote-id>

• Fixed format—This format is similar to the fixed format of RADIUS attribute 31 (Calling-Station-Id). If you set up the router to generate the Calling Number AVP in fixed format, the router formats the AVP as follows (the maximum number of characters for each field is shown in brackets):

• For ATM: <system name [4]> <slot [2]> <port [1]> <VPI [3]>
  <VCI [5]>
• For Ethernet: <system name [4]> <slot [2]> <port [1]> <VLAN [8]>
• Example

system name=westford, slot=4, port=3, and VLAN=12 produces the following calling number:

west0430000000012

• Include-agent-circuit-id format—This format includes the following element:

<agent-circuit-id>

• Include-agent-circuit-id include-agent-remote-id format—This format includes the following elements:

<agent-circuit-id> <delimit> <agent-remote-id>

• Include-agent-remote-id format—This format includes the following element:

<agent-remote-id>

Configuration Tasks

To set up the router to generate Calling Number AVP 22 in fixed format:

1. Set the calling number format of the tunnel to fixed.

host1(config)#aaa tunnel calling-number-format fixed 

2. Set the format of the RADIUS Calling-Station-Id to fixed.

host1(config)#radius calling-station-format fixed-format

To prevent the E-series LAC from sending the Calling Number AVP in ICRQ packets:

host1(config)#l2tp disable calling-number-avp

For more information about setting up the router to generate Calling Number AVP 22 in a format that includes either or both of the agent-circuit-id and agent-remote-id suboptions of the tags supplied by the PPPoE intermediate agent, see Configuring PPPoE Remote Circuit ID Capture in JUNOSe Link Layer Configuration Guide, Chapter 7, Configuring Point-to-Point Protocol over Ethernet.

Example Scenarios

The following examples show how you can synchronize the contents of RADIUS Calling-Station-Id (Attribute 31) and L2TP Calling-Number (AVP 22).

To send the PPPoE agent-circuit-id in RADIUS Attribute 31 and L2TP AVP 22 and specify that the fixed format is used when the PPPoE agent-circuit-id is unavailable, issue the following commands:

host1(config)#radius calling-station-format fixed-format

host1(config)#radius remote-circuit-id-delimiter #

host1(config)#radius override calling-station-id remote-circuit-id

host1(config)#radius remote-circuit-id-format agent-circuit-id

host1(config)#aaa tunnel calling-number-format include-agent-circuit-id

host1(config)#aaa tunnel calling-number-format-fallback fixed

To send the PPPoE agent-circuit-id and agent-remote-id in RADIUS Attribute 31 and L2TP AVP 22 and specify that the fixed format is used when both PPPoE agent-circuit-id and agent-remote-id are unavailable, issue the following commands:

host1(config)#radius calling-station-format fixed-format

host1(config)#radius remote-circuit-id-delimiter #

host1(config)#radius override calling-station-id remote-circuit-id

host1(config)#radius remote-circuit-id-format agent-circuit-id agent-remote-id

host1(config)#aaa tunnel calling-number-format include-agent-circuit-id 
include-agent-remote-id

host1(config)#aaa tunnel calling-number-format-fallback fixed

aaa tunnel calling-number-format

• Use to configure the format used by the E-series LAC to generate the L2TP Calling Number AVP 22.
• The fixed format is similar to the fixed format of RADIUS attribute 31 (Calling-Station-Id). The LAC uses this format in ICRQ packets that it sends to the LNS.
• Several different descriptive formats include information about the interface and either or both of the suboptions supplied by the PPPoE intermediate agent, agent-circuit-id and agent-remote-id.
• Several simpler formats include only either or both of the PPPoE suboptions, agent-circuit-id and agent-remote-id.
• Examples

host1(config)#aaa tunnel calling-number-format fixed 

host1(config)#aaa tunnel calling-number-format descriptive 
include-agent-circuit-id include-agent-remote-id 

host1(config)#aaa tunnel calling-number-format include-agent-remote-id

• Use the no version to restore the default format, descriptive.

aaa tunnel calling-number-format-fallback

• Use to configure the fallback format that the E-series LAC uses to generate the L2TP Calling Number AVP 22 in the event that the PPPoE agent ID is null or unavailable.
• The fallback format is used only when the configured calling number format includes either or both of the agent-circuit-id and agent-remote-id suboptions.
• The calling number format determines what element triggers use of the fallback format:
  

  Calling Number Format	Fallback Trigger
  agent-circuit-id	agent-circuit-id is empty
  agent-circuit-id include-agent-remote-id	Both agent-circuit-id and agent-remote-id are empty.
  agent-remote-id	agent-remote-id is empty
  descriptive include-agent-circuit-id	agent-circuit-id is empty
  descriptive include-agent-circuit-id include-agent-remote-id	Both agent-circuit-id and agent-remote-id are empty.
  descriptive include-agent-remote-id	agent-remote-id is empty

  
  
• You can specify either descriptive format or fixed format.
• Example

host1(config)#aaa tunnel calling-number-format-fallback fixed

• Use the no version to restore the default format, descriptive.

l2tp disable calling-number-avp

• Use to prevent the E-series LAC from sending the Calling Number AVP in ICRQ packets.
• Use this command in special situations where you do not want the LAC to send this AVP.
• Example

host1(config)#l2tp disable calling-number-avp

• Use the no version to return to the default, sending of the Calling Number AVP is enabled.

Mapping a User Domain Name to an L2TP Tunnel

The router uses either the local database related to the domain name or a RADIUS server to determine whether to terminate or tunnel PPP connections.

For information about setting up RADIUS to provide this mapping, see Chapter 1, Configuring Remote Access.

For a given domain map, you can choose one of two methods to map the domain to an L2TP tunnel locally on the router:

• Configure tunnels for a domain map and then define tunnel attributes from Domain Map Tunnel configuration mode.
• Configure a tunnel group and then define the attributes for its tunnels from Tunnel Group Tunnel Configuration mode. Use this method only when no tunnels are currently defined for the domain map from Domain Map Tunnel configuration mode. By default, tunnel groups are not assigned to the domain map.

After configuring a tunnel group and the attributes for its tunnels, you can assign the tunnel group to the domain map from Domain Map mode. The tunnel group reference in the domain map is used instead of tunnel definitions configured from Domain Map Tunnel configuration mode.

The RADIUS server can reference tunnel groups through the RADIUS Tunnel Group [26-64] attribute. The advantages of RADIUS support for tunnel groups are:

• The RADIUS server can maintain a single tunnel group attribute associated with each user instead of sets of tunnel attributes for each user.
• The RADIUS server can authenticate users before attempting to establish tunnels.

Mapping from Domain Map Tunnel Mode

To map a domain to an L2TP tunnel locally on the router from Domain Map Tunnel mode, perform the following steps:

1. Specify a domain name.

host1(config)#aaa domain-map westford.com

host1(config-domain-map)# 

2. Specify a virtual router; in this case, the default router is specified.

host1(config-domain-map)#router-name default

3. Specify a tunnel to configure.

host1(config-domain-map)#tunnel 3 

4. Specify the LNS endpoint address of a tunnel.

host1(config-domain-map-tunnel)#address 192.0.2.13

5. Specify a preference for the tunnel.

host1(config-domain-map-tunnel)#preference 5

6. (Optional) Specify an authentication password.

host1(config-domain-map-tunnel)#password temporary

 NOTE: If you specify a password for the LAC, the router requires that the peer (the LNS) authenticate itself to the router. In this case, if the peer fails to authenticate itself, the tunnel terminates.



 

7. (Optional) Specify a hostname for the LAC end of the tunnel.

host1(config-domain-map-tunnel)#client-name host4

8. (Optional) Specify a server name for the LNS.

host1(config-domain-map-tunnel)#server-name boston

9. (Optional) Specify a source IP address for the LAC tunnel endpoint.

host1(config-domain-map-tunnel)#source-address 192.0.3.3

10. Specify a tunnel identification. (The router groups L2TP sessions with the same tunnel identification into the same tunnel.)

host1(config-domain-map-tunnel)#identification acton

11. Specify a medium type. (L2TP supports only IP version 4 [IPv4].)

host1(config-domain-map-tunnel)#medium ipv4

12. (Optional) Specify a default tunnel client name.

host1(config-domain-map-tunnel)#exit

host1(config-domain-map)#exit

host1(config)#aaa tunnel client-name boxford 

13. (Optional) Specify a default tunnel password.

host1(config)#aaa tunnel password 3&92k%b#q4

host1(config)#exit

14. (Optional) Set the format for the tunnel assignment ID.

host1(config)#aaa tunnel assignment-id-format assignmentID

 NOTE:  If you do not set the tunnel assignment ID, the software sets it to default.



 

15. (Optional) Specify whether or not to use the tunnel peer's Nas-Port [5] and Nas-Port-Type [61] attributes.

host1(config)#aaa tunnel ignore nas-port enable

host1(config)#aaa tunnel ignore nas-port-type disable 

16. (Optional) Set up the router to ignore sequence numbers in data packets received on L2TP tunnels.

host1(config)#l2tp ignore-receive-data-sequencing

17. (Optional) Disable local tunnel authentication challenge generation.

host1(config)#l2tp disable challenge

18. Verify the L2TP tunnel configuration.

host1(config)#show aaa domain-map

Domain: westford.com; router-name: default; ipv6-router-name: default

                                                                            Tunnel

Tunnel   Tunnel         Tunnel        Tunnel   Tunnel    Tunnel    Tunnel   Client

 Tag      Peer          Source         Type    Medium   Password     Id      Name

------   ------------   -----------   ------   ------   ---------  ------   ------

3        192.168.2.13   192.168.3.3   l2tp     ipv4     temporary  acton    host4

         Tunnel                 Tunnel                     Tunnel

Tunnel   Server     Tunnel       Max                       Virtual

 Tag      Name    Preference   Sessions     Tunnel RWS     Router

------   ------   ----------   --------   --------------   -------

3        boston   5            0          system chooses   vr2

host1#show aaa tunnel-parameters

Tunnel password is 3&92k%b#q4

Tunnel client-name is <NULL>

Tunnel nas-port-method is none

Tunnel nas-port ignore disabled

Tunnel nas-port-type ignore disabled

Tunnel assignmentId format is assignmentId

Tunnel calling number format is descriptive 

Mapping from Tunnel Group Tunnel Mode

To map a domain to an L2TP tunnel locally on the router from Tunnel Group Tunnel Configuration mode, perform the following steps:

1. Specify a domain name.

host1(config)#aaa tunnel-group westford

host1(config-tunnel-group)# 

2. Specify a tunnel to configure.

host1(config-tunnel-group)#tunnel 3 

host1(config-tunnel-group-tunnel)#

3. Specify a virtual router; in this case, the default router is specified.

host1(config-tunnel-group-tunnel)#router-name default

4. Specify the LNS endpoint address of a tunnel.

host1(config-tunnel-group-tunnel)#address 192.0.2.13

5. Specify a preference for the tunnel.

host1(config-tunnel-group-tunnel)#preference 5

6. (Optional) Specify an authentication password.

host1(config-tunnel-group-tunnel)#password temporary

 NOTE: If you specify a password for the LAC, the router requires that the peer (the LNS) authenticate itself to the router. In this case, if the peer fails to authenticate itself, the tunnel terminates.



 

7. (Optional) Specify a hostname for the LAC end of the tunnel.

host1(config-tunnel-group-tunnel)#client-name host4

8. (Optional) Specify a server name for the LNS.

host1(config-tunnel-group-tunnel)#server-name boston

9. (Optional) Specify a source IP address for the LAC tunnel endpoint.

host1(config-tunnel-group-tunnel)#source-address 192.0.3.3

10. Specify a tunnel identification. (The router groups L2TP sessions with the same tunnel identification into the same tunnel.)

host1(config-tunnel-group-tunnel)#identification acton

11. Specify a medium type. (L2TP supports only IP version 4 [IPv4].)

host1(config-tunnel-group-tunnel)#medium ipv4

12. Verify the L2TP tunnel configuration.

host1(config)#show aaa domain-map

Domain: westford.com; router-name: default; ipv6-router-name: default

                                                                            Tunnel

Tunnel   Tunnel         Tunnel        Tunnel   Tunnel    Tunnel    Tunnel   Client

 Tag      Peer          Source         Type    Medium   Password     Id      Name

------   ------------   -----------   ------   ------   ---------  ------   ------

3        192.168.2.13   192.168.3.3   l2tp     ipv4     temporary  acton    host4

         Tunnel                 Tunnel                     Tunnel

Tunnel   Server     Tunnel       Max                       Virtual

 Tag      Name    Preference   Sessions     Tunnel RWS     Router

------   ------   ----------   --------   --------------   -------

3        boston   5            0          system chooses   vr2

host1#show aaa tunnel-parameters

Tunnel password is 3&92k%b#q4

Tunnel client-name is <NULL>

Tunnel nas-port-method is none

Tunnel nas-port ignore disabled

Tunnel nas-port-type ignore disabled

tunnel assignmentId format is assignmentId

aaa tunnel calling number format is descriptive 

aaa domain-map

• Use to map a user domain name to a virtual router and enter Domain Map Configuration mode.
• Example

host1(config)#aaa domain-map westford.com

host1(config-domain-map)#

• Use the no version to remove the domain map.

aaa tunnel assignment-id-format

• Use to determine the value of the tunnel assignment ID that is passed to PPP/L2TP.
• The tunnel assignment ID format can be either only assignmentID or clientAuthId + serverAuthId + assignmentId.
• If you do not set a tunnel assignment ID, the software sets it to default. This parameter is only used by the L2TP LAC device, and the tunnel assignment ID is generated only by the L2TP LAC device.
• Example

host1(config)#aaa tunnel assignment-id-format assignmentID

• Use the no version to return the tunnel assignment ID to the default, assignmentID.

aaa tunnel client-name

• Use to specify a default tunnel client name. If the tunnel client name is not included in the tunnel attributes that are returned from the domain map or authentication server, the router uses the default name.
• Example

host1(config)#aaa tunnel client-name boxford 

• Use the no version to delete the client name.

aaa tunnel-group

• Use to specify an AAA tunnel group and change the mode to Tunnel Group Tunnel Configuration mode. From Tunnel Group Tunnel Configuration mode, you can add up to 31 tunnel definitions.
• Example

host1(config)#aaa tunnel-group westford

• Use the no version to delete the AAA group tunnel configuration from the router.

aaa tunnel ignore

• Use to specify whether or not to use the tunnel peer's NAS-Port [5] and NAS-Port-Type [61]. When enabled, the attribute is supplied by the tunnel peer. When disabled, the attribute is not supplied.
• Example

host1(config)#aaa tunnel ignore nas-port-type disable 

• Use the no version to restore the default, enable.

aaa tunnel nas-port-method

• Use to configure the tunnel's default NAS port type to provide limited support for a Cisco proprietary vendor-specific method when configuring the LAC to LNS NAS port identification transfer mechanism.
  

  NOTE: We recommend you not use this feature; we cannot guarantee continued compatibility.

  
  
• Example

host1(config)#aaa tunnel nas-port-method cisco-avp

• Use the no version to disable the command.

aaa tunnel password

• Use to specify a default tunnel password. If the tunnel password is not included in the tunnel attributes that are returned from the domain map or authentication server, the router uses the default password.
• Example

host1(config)#aaa tunnel password 3&92k%b#q4

• Use the no version to delete the tunnel password.

address

• Use to set the LNS endpoint address of a tunnel.
• Example 1

host1(config-domain-map-tunnel)#address 172.31.1.98

• Example 2

host1(config-tunnel-group-tunnel)#address 172.31.1.98

• Use the no version to delete the tunnel address.

client-name

• Use to specify the hostname that the LAC sends to the LNS when communicating to the LNS about the tunnel.
• The hostname can be up to 64 characters (no spaces).
  

  NOTE: If the LNS does not accept tunnels from unknown hosts, and if no hostname is specified, the LAC uses the router name as the hostname.

  
  
• Example 1

host1(config-domain-map-tunnel)#client-name host4

• Example 2

host1(config-tunnel-group-tunnel)#client-name host4

• Use the no version to remove the hostname.

identification

• Use to specify the ID of a tunnel.
• The router groups users with the same tunnel ID in the same tunnel. This occurs only when both the destination (virtual router, IP address) and the ID are the same.
• Example 1

host1(config-domain-map-tunnel)#identification acton

• Example 2

host1(config-tunnel-group-tunnel)#identification acton

• Use the no version to remove the assignment ID from the tunnel.

l2tp disable challenge

• Use to disable the generation of authentication challenges by the local tunnel, so that the tunnel does not send a challenge during negotiation. However, the tunnel does accept and respond to challenges it receives from the peer.
• Example

host1(config)#l2tp disable challenge

• Use the no version to return to the default, which is local challenge generation enabled.

l2tp ignore-receive-data-sequencing

• Use to prevent sequence number checking for data packets received on all L2TP tunnels in the router. This command does not affect the insertion of sequence numbers in packets sent from the router.
• We recommend that you set up the router to ignore sequence numbers in received data packets if you are using IP reassembly. Because IP reassembly might reorder L2TP packets, out-of-order packets might be dropped when sequence numbers are being used on L2TP data packets.
• Example

host1(config)#l2tp ignore-receive-data-sequencing

• Use the no version to cause the router to check sequence numbers on received L2TP data packets.

max-sessions

• Use to set the maximum sessions per tunnel.
• Example 1

host1(config-domain-map-tunnel)#max-sessions 3294967295

• Example 2

host1(config-tunnel-group-tunnel)#max-sessions 3294967295

• Use the no version to disable the feature and restore the default value of zero.

medium ipv4

• Use to specify the type of medium for a tunnel.
• The only medium type currently supported is IPv4.
• Example 1

host1(config-domain-map-tunnel)#medium ipv4

• Example 2

host1(config-tunnel-group-tunnel)#medium ipv4

• Use the no version to set the medium to the default, IPv4.

password

• Use to specify the password for a tunnel.
• If you specify a password, your router (the LAC) requires that the peer (the LNS) authenticate itself to the router.
• If the peer fails to authenticate itself, the tunnel terminates.
• Example 1

host1(config-domain-map-tunnel)#password temporary

• Example 2

host1(config-tunnel-group-tunnel)#password temporary

• Use the no version to remove the password.

preference

• Use to specify the preference level for a tunnel.
• You can specify up to eight levels of preference.
• You can assign the same preference to a maximum of 31 tunnels.
• When you define multiple preferences for a destination, you increase the probability of a successful connection.
• Example 1

host1(config-domain-map-tunnel)#preference 5

• Example 2

host1(config-tunnel-group-tunnel)#preference 5

• Use the no version to set the preference number from the tunnel to the default, 0.

receive-window

• Use to configure the L2TP receive window size (RWS) for a tunnel on the LAC.
• Example 1

host1(config-domain-map-tunnel)#receive-window 4

• Example 2

host1(config-tunnel-group-tunnel)#receive-window 4

• Use the no version to revert to the systemwide RWS setting configured with the L2TP tunnel. Currently, the only supported value is 4.

router-name

• Use to map a user domain name to a virtual router.
• Example 1

host1(config-domain-map)#router-name vrout

• Example 2

host1(config-tunnel-group-tunnel)#router-name vrout

• Use the no version to delete the entry.

server-name

• Use to specify the hostname expected from the peer (the LNS) when you set up a tunnel.
• When this name is specified, the peer must identify itself with this name during tunnel startup. Otherwise, the tunnel is terminated.
• The server name can be up to 64 characters (no spaces).
• Example 1

host1(config-domain-map-tunnel)#server-name boston

• Example 2

host1(config-tunnel-group-tunnel)#server-name boston

• Use the no version to remove the server name.

source-address

• Use to specify the address of the local tunnel endpoint (the LAC). All L2TP packets sent to the peer use this source address.
• By default, the router uses the virtual router's router ID as the source address. You can override this behavior for an L2TP tunnel by specifying a source address. If you do specify a source address, use the address of a stable IP interface (for example, a loopback interface). Make sure that the address is configured in the virtual router for this domain map, and that the address is reachable by the peer.
• Example 1

host1(config-domain-map-tunnel)#source-address 172.23.2.74

• Example 2

host1(config-tunnel-group-tunnel)#source-address 172.23.2.74

• Use the no version to remove the source address.

tunnel

• Use to specify a tunnel and to enter Domain Map Tunnel Configuration mode.
• Example 1

host1(config-domain-map)#tunnel 3

host1(config-domain-map-tunnel)# 

• Example 2

host1(config-tunnel-group-tunnel)#tunnel 3

• Use the no version to delete the tunnel configuration.

tunnel group

• Use to assign a tunnel group to the domain map. You can assign a tunnel group only when no tunnels are currently defined for the domain map from AAA Domain Map Tunnel mode.
• Example

host1(config-domain-map)#tunnel group storm

• Use the no version to delete the tunnel group.

type

• Use to specify the L2TP tunnel type (RADIUS attribute 64, Tunnel-Type).
• Example 1

host1(config-domain-map-tunnel)#type l2tp

• Example 2

host1(config-tunnel-group-tunnel)#type l2tp

• Use the no version to delete the entry. Currently, the only supported value is L2TP.

Configuring the RX Speed on the LAC

You can configure the E-series LAC to generate L2TP Receive (RX) Speed AVP 38 when the receive speed equals the transmit (TX) speed. The AVPs can then be used to generate the RADIUS Connect-Info attribute [77] on the LNS. The information in the RADIUS attribute can be used by service providers to identify a customer's service.

To set up the router to generate the Receive Speed (AVP 38), complete the following steps:

1. On the ATM subinterface, configure the advisory receive speed. See JUNOSe Link Layer Configuration Guide, Chapter 1, Configuring ATM for information about configuring the advisory speed.

host1(config-subif)#atm atm1483 advisory-rx-speed 2000 

2. Specify that the RX Speed AVP is always generated. If you do not specify this command, the RX Speed AVP is generated only when the RX speed differs from the TX speed.

host1(config)#l2tp rx-connect-speed-when-equal

l2tp rx-connect-speed-when-equal

• Use on the LAC to always generate the RX Speed AVP if the speed is not zero. If you do not specify this command, the RX Speed AVP is generated only when the RX speed differs from the TX speed.
• Example

host1(config)#l2tp rx-connect-speed-when-equal 

• Use the no version to generate the AVP only when the RX speed differs from the TX speed.

Managing the L2TP Destination Lockout Process

When multiple sets of tunneling parameters are available, L2TP uses a selection algorithm to choose the best tunnel for subscriber traffic. As part of this selection process, the JUNOSe software's L2TP implementation includes a lockout feature in which the router locks out, or disregards, destinations that are assumed to be unavailable.

By default, when a destination becomes unavailable, L2TP locks out that destination for a lockout timeout of 300 seconds (5 minutes). After the lockout timeout expires, L2TP assumes that the destination is now available and includes the destination when performing the selection algorithm.

Modifying the Lockout Procedure

You can optionally configure your own lockout procedure by specifying the lockout timeout you want to use or enabling a lockout test, or both. When the lockout timeout expires, the destination is either immediately unlocked (if lockout testing is not enabled) or begins the lockout test to verify that the destination is available.

L2TP performs the lockout test by attempting to establish a tunnel to the unavailable destination. For the test, L2TP must first obtain the parameters for a tunnel to the destination. If no such tunnel currently exists, L2TP must wait until it receives a new session request that has tunnel parameters for the locked out destination. The destination remains locked out while L2TP waits for the tunnel parameters and becomes available only after successful completion of the lockout test. Therefore, if lockout testing is enabled, the destination is actually locked out longer than the lockout timer you specify.

NOTE: Always configure the lockout timeout to be shorter than the destruct timeout. The destruct timeout (as described for l2tp destruct-timeout) overrides the lockout timeout—when the destruct timeout expires, all information about the locked out destination is deleted, including the time remaining on the destination's lockout timeout and the requirement to run a lockout test prior to returning the destination to service. As a result, the locked out destination might be returned to service prior to expiration of your configured lockout timeout and without completion of the lockout test you specified.

Figure 9 shows how locked-out destinations transition from a locked-out state to available status when using the default lockout configuration, a configuration that includes a modified lockout timer, and a configuration with both a modified timer and the lockout test.

Figure 9: Lockout States

You can use the following commands to manage L2TP destination lockout and configure a lockout process that meets the needs of your network environment:

• Use the l2tp destination lockout-timeout command to modify the default lockout timeout period.
• Use the l2tp destination lockout-test command to configure L2TP to perform a lockout test, which verifies that a currently locked out destination is now available and to include it in the selection algorithm.
• Use the l2tp unlock destination command to force L2TP to immediately unlock the specified locked out destination; the destination is then considered to be available by the selection algorithm. L2TP disregards any time remaining in the existing lockout timeout and also disregards the lockout test (if configured).
• Use the l2tp unlock-test destination command to force L2TP to immediately begin the lockout testing procedure for the specified destination; any time remaining in the existing lockout timeout is not taken into account.
• Use the show l2tp and show l2tp destination lockout commands to view information about the L2TP configuration and statistics.

l2tp destination lockout-test

• Use to configure L2TP to test locked-out destinations; verifies that a previously locked-out destination is available before the router changes the destination's status.
• Example

host1(config)#l2tp destination lockout-test 

• Use the no version to disable testing of locked out destinations.

l2tp destination lockout-timeout

• Use to configure the amount of time (in seconds) between when an L2TP destination is found to be unavailable and when it is eligible for unlocking.
• When the timeout period expires, L2TP either begins the lockout test procedure (if configured to do so) or immediately returns the destination to available state.
• Always configure the lockout timeout to be shorter than the destruct timeout. The destruct timeout (as described for l2tp destruct-timeout) overrides the lockout timeout—when the destruct timeout expires, all information about the locked out destination is deleted, including the time remaining on the destination's lockout timeout and the requirement to run a lockout test prior to returning the destination to service.
• The new lockout timeout only affects future locked-out destinations; it does not affect destinations that are currently locked out.
• Specify a lockout timeout in the range 60-3600 seconds (1 minute-1 hour).
• Example

host1(config)#l2tp destination lockout-timeout 500

• Use the no version to restore the default lockout timeout value, 300 seconds (5 minutes).

l2tp unlock destination

• Use to force L2TP to immediately unlock the specified L2TP destination, which is currently locked out and unavailable. L2TP then considers the destination to be available.
• Any remaining lockout time and the lockout test setting (if configured) are not taken into account.
• You must be at privilege level 10 or higher to use this command.
• Example

host1(config)#l2tp unlock destination ip 192.168.1.98

• There is no no version.

l2tp unlock-test destination

• Use to force L2TP to immediately start the lockout test for the specified destination.
• Any remaining lockout time for the destination is ignored.
• If lockout testing is not configured, this command immediately unlocks the destination and L2TP then considers the destination to be available.
• You must be at privilege level 10 or higher to use this command.
• Example

host1(config)#l2tp unlock-test destination ip 192.169.110.8

• There is no no version.

Managing Address Changes Received from Remote Endpoints

A remote endpoint can use the Start-Control-Connection-Reply (SCCRP) packets that it sends to the E-series LAC to change the address that the LAC uses to communicate with the endpoint. By default, the LAC accepts the change and uses the new address to communicate with the endpoint. However, you can configure the LAC to ignore or reject the requested change. Setting up the LAC to ignore address changes in SCCRP packets enables the router to construct tunnels with separate receive and transmit addresses and to avoid problems due to a misconfiguration. Three possible configurations are available:

• Default configuration—The E-series LAC accepts the change from the endpoint. The LAC then sends all subsequent packets to, and accepts packets from, the new address.
• Ignore configuration (specified by the l2tp ignore-transmit-address-change command)—The LAC continues to send packets to the original address but accepts packets from the new address.
• Reject configuration (specified by the l2tp reject-transmit-address-change command)—The LAC sends a Stop-Control-Connection-Notification (StopCCN) to the original address, then terminates the connection to the endpoint.

The reject specification takes precedence over the ignore specification.

The router accepts a change in receive address only once, during the tunnel establishment phase, and only on an SCCRP packet. Subsequent changes result in the router dropping packets. Any changes do not affect established tunnels.

Use the show l2tp command to display the SCCRP address change configuration.

l2tp ignore-transmit-address-change

• Use to set up the router to ignore address changes in SCCRP control packets received from the remote endpoint.
• Use the ip-address or udp-port keyword to ignore the specific address component. Omit the keywords to ignore the entire address change in the SCCRP packet.
• Example

host1(config)#l2tp ignore-transmit-address-change 

• Use the no version to return to the default; the router accepts address changes and port changes in SCCRP packets.

l2tp reject-transmit-address-change

• Use to set up the router to reject address changes in SCCRP control packets received from the remote endpoint.
• Use the ip-address or udp-port keyword to reject the specific address component. Omit the keywords to reject the entire address change in the SCCRP packet.
• Example

host1(config)#l2tp reject-transmit-address-change ip-address

• Use the no version to return to the default; the router accepts address changes in SCCRP packets.