L2TP LAC Subscriber Configuration
Configuring an L2TP LAC
To configure an L2TP LAC:
- Configure a tunnel profile to apply to subscribers.
- (Optional) Configure the method used for selecting among multiple tunnels.
- (Optional) Configure the LAC to not send Calling Number AVP 22 to the LNS.
- (Optional) Specify the method for setting the transmit and receive connect speeds.
- (Optional) Configure whether the L2TP failover protocol is negotiated or the silent failover method is used for resynchronization.
- (Optional) Specify the format for the tunnel name.
- (Optional) Specify when and how many times L2TP retransmits unacknowledged control messages.
- (Optional) Specify how long a tunnel can remain idle before being torn down.
- (Optional) Specify the L2TP receive window size for the L2TP tunnel. The receive window size specifies the number of packets a peer can send before waiting for an acknowledgment from the router.
- (Optional) Specify how long the router retains information about terminated dynamic tunnels, sessions, and destinations.
- (Optional) Specify how the LAC handles IP address or UDP port change requests.
- (Optional) Configure all tunnels on the LAC for interoperation with Cisco LNS devices.
- (Optional) Specify that the LAC sends information to the LNS about subscriber access lines.
- (Optional) Configure the LAC to create the IPv6 address family (inet6) when establishing a tunnel for subscribers, enabling the application of IPv6 firewall filters.
- (Optional) Prevent the creation of new sessions, destinations, or tunnels for L2TP.
- (Optional) Enable SNMP statistics counters.
- (Optional) Configure trace options for troubleshooting the configuration.
Configuring How the LAC Responds to Address and Port Changes Requested by the LNS
An LNS can use the SCCRP message that it sends the LAC when a tunnel is being established to request a change in the destination IP address or UDP port that the LAC uses to communicate with the LNS. By default, the LAC accepts the request and makes the change. You can use the tx-address-change statement to configure one of the following methods for the LAC to handle these change requests for all tunnels:
accept—The LAC accepts the change from the LNS. It sends all subsequent packets to and receives packets from the new IP address or UDP port.
ignore—The LAC continues to send packets to the original address or port, but accepts packets from the new address or port.
reject—The LAC sends a StopCCN message to the original address or port and then terminates the connection to that LNS.
The LAC accepts a change in address or port only once, when the tunnel is being established. Tunnels that are already established are not affected. The LAC drops any L2TP control packets containing change requests received at any other time, or in any packet other than an SCCRP message.
This statement does not support IPv6 addresses.
To configure how the LAC handles change requests for the IP address, the UDP port, or both:
(Optional) Configure the LAC to accept all change requests. This is the default behavior.
(Optional) Configure the LAC to ignore all change requests.
(Optional) Configure the LAC to ignore change requests only for the IP address.
(Optional) Configure the LAC to ignore change requests only for the UDP port.
(Optional) Configure the LAC to reject all change requests.
(Optional) Configure the LAC to reject change requests only for the IP address.
(Optional) Configure the LAC to reject change requests only for the UDP port.
For example, the following configuration causes the LAC to ignore requests to change the UDP port, but to reject requests to change the IP address:
Conflicting configurations are not allowed and fail the configuration commit check. For example, the following configuration fails, because it specifies that UDP port changes are ignored, but that all changes are rejected:
Use the show services l2tp summary command to display the current behavior of the LAC:
show services l2tp summary
Failover within a preference level is Disabled
Weighted load balancing is Disabled
Tunnel authentication challenge is Enabled
Calling number avp is Enabled
Failover Protocol is Disabled
Tx Connect speed method is static
Rx speed avp when equal is Disabled
Tunnel assignment id format is assignment-id
Tunnel Tx Address Change is Ignore
Max Retransmissions for Established Tunnel is 7
Max Retransmissions for Not Established Tunnel is 5
Tunnel Idle Timeout is 60 seconds
Destruct Timeout is 300 seconds
Destination Lockout Timeout is 300 seconds
Destinations: 1, Tunnels: 0, Sessions: 0
Depending on the configuration, this command displays one of the following outputs:
Tunnel Tx Address Change is Accept
Tunnel Tx Address Change is Ignore
Tunnel Tx Address Change is Reject
Tunnel Tx Address Change is Ignore IP Address & Accept UDP Port
Tunnel Tx Address Change is Ignore IP Address & Reject UDP Port
Tunnel Tx Address Change is Accept IP Address & Ignore UDP Port
Tunnel Tx Address Change is Accept IP Address & Reject UDP Port
Tunnel Tx Address Change is Reject IP Address & Accept UDP Port
Tunnel Tx Address Change is Reject IP Address & Ignore UDP Port
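As an added example that is not part of the Juniper documentation, the following Python script parses the "setting is value" lines of show services l2tp summary output (a constructed sample is embedded) and flags a LAC that still accepts LNS-requested address or port changes, or that has the tunnel authentication challenge disabled.

```python
import re

# Constructed sample in the "<setting> is <value>" shape of 'show services l2tp summary'.
SAMPLE_SUMMARY = """\
Failover within a preference level is Disabled
Weighted load balancing is Disabled
Tunnel authentication challenge is Enabled
Calling number avp is Enabled
Failover Protocol is Disabled
Tx Connect speed method is static
Rx speed avp when equal is Disabled
Tunnel assignment id format is assignment-id
Tunnel Tx Address Change is Accept IP Address & Ignore UDP Port
Max Retransmissions for Established Tunnel is 7
Max Retransmissions for Not Established Tunnel is 5
Tunnel Idle Timeout is 60 seconds
Destruct Timeout is 300 seconds
Destination Lockout Timeout is 300 seconds
Destinations: 1, Tunnels: 0, Sessions: 0
"""

SETTING_RE = re.compile(r"^(?P<key>.+?) is (?P<value>.+)$")

def parse_summary(text):
    """Return {setting: value} for every '<setting> is <value>' line; other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line.strip())
        if m:
            settings[m.group("key")] = m.group("value")
    return settings

def address_change_policy(value):
    """Split 'Tunnel Tx Address Change' into (ip_action, udp_action); a bare action applies to both."""
    m = re.fullmatch(r"(\w+) IP Address & (\w+) UDP Port", value)
    return (m.group(1), m.group(2)) if m else (value, value)

def audit_summary(text):
    """List the settings that let an LNS redirect the tunnel or skip tunnel authentication."""
    s = parse_summary(text)
    # The documented default is accept, so a missing line is treated as Accept.
    ip_action, udp_action = address_change_policy(s.get("Tunnel Tx Address Change", "Accept"))
    findings = []
    if ip_action == "Accept":
        findings.append("LAC accepts LNS requests to change the destination IP address")
    if udp_action == "Accept":
        findings.append("LAC accepts LNS requests to change the destination UDP port")
    if s.get("Tunnel authentication challenge") != "Enabled":
        findings.append("Tunnel authentication challenge is not enabled")
    return findings
```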
LAC Interoperation with Third-Party LNS Devices
In some network environments, the LAC may need to interoperate with an LNS configured on a device from another vendor that does not run Junos OS. Interoperation with Cisco Systems devices requires the LAC to communicate a NAS port type, but the LAC does not provide this information by default.
You can enable interoperation with Cisco Systems devices by configuring the NAS port method as cisco-avp, which causes the LAC to include the Cisco Systems NAS Port Info AVP (100) when it sends an incoming call request (ICRQ) to the LNS. The AVP includes information that identifies the NAS port and indicates whether the port type is ATM or Ethernet.
You can configure the NAS port method globally for all tunnels on the LAC or in a tunnel profile for only the tunnels instantiated by the profile.
You can also include the Tunnel-Nas-Port-Method VSA [26–30] in your RADIUS server configuration with the value set to 1 to indicate Cisco Systems CLID. In this case, RADIUS can override the global value by modifying or creating a tunnel profile. The RADIUS configuration has precedence over the tunnel profile configuration, which in turn has precedence over the global LAC configuration.
If the LNS receiving the AVP is an MX Series router instead of a Cisco Systems device, the LNS simply ignores the AVP, unless the LNS is configured for L2TP tunnel switching. In that case, the LNS preserves the value of the AVP and passes it along when it switches tunnels for the LAC.
Globally Configuring the LAC to Interoperate with Cisco LNS Devices
Cisco LNS devices require from the LAC both the physical NAS port number identifier and the type of the physical port, such as Ethernet or ATM. By default, the LAC does not include this information. You can globally configure the LAC to provide this information by including the NAS Port Info AVP (100) in the ICRQ that it sends to the LNS. This configuration enables the LAC to interoperate with a Cisco LNS.
To globally configure the LAC to include the NAS Port Info AVP:
Specify the NAS port method.
This global configuration for the LAC can be overridden by the configuration in a tunnel profile or RADIUS.
Use the show services l2tp tunnel extensive command to display the current behavior of the LAC:
show services l2tp tunnel extensive
Tunnel local ID: 51872, Tunnel remote ID: 8660
  Remote IP: 192.0.2.20:1701
  Sessions: 5, State: Established
  Tunnel Name: 1/tunnel-test-2
  Local IP: 203.0.113.2:1701
  Local name: testlac, Remote name: ce-lns
  Effective Peer Resync Mechanism: silent failover
  Nas Port Method: none
  Tunnel Logical System: default, Tunnel Routing Instance: default
  Max sessions: 128100, Window size: 4, Hello interval: 60
  Create time: Thu Jul 25 12:55:41 2013, Up time: 11:18:14
  Idle time: 00:00:00
  Statistics since: Thu Jul 25 12:55:41 2013
                 Packets     Bytes
    Control Tx       702     15.5k
    Control Rx       690      8.5k
    Data Tx       153.3k      6.6M
    Data Rx       126.3k      5.9M
    Errors Tx          0
    Errors Rx          0