Configuring an L2TP Connection on an LNS

To set up a tunnel, you need to set a virtual template and user authentication domain in the L2TP group view on an LNS.

Context

An LNS can receive tunnel setup requests from different LACs by using different virtual templates. After receiving a tunnel setup request from a LAC, the LNS checks whether the received tunnel name is the same as the locally configured LAC tunnel name. The LNS permits the request if the two names are the same.

The L2TP group is configured as the LNS (ACCEPT_DIALIN_L2TP) type in this configuration.

  • When a NetEngine 8000 F functioning as an LNS interconnects with another Huawei device functioning as a LAC, it is recommended that you set the MTU in the virtual template to be less than 1462 bytes (assuming that the interface MTU is 1500 bytes).

  • When the NetEngine 8000 F functioning as an LNS interconnects with a LAC that does not support L2TP packet fragmentation, it is recommended that you set the MTU in the virtual template to a value smaller than 1454 bytes (assume that the interface MTU on the LAC is 1500 bytes). If an L2TP packet is longer than 1500 bytes, the packet is fragmented into invalid packets on the LAC.

  • If you configure an MTU manually in a virtual template, ensure that the MTUs negotiated by the L2TP user, LAC, and LNS are the same.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run l2tp-group group-name

    An L2TP group is created, and its view is displayed.

  3. Run allow l2tp virtual-template virtual-template-number remote lac-name [ ip address address ]

    An L2TP connection is configured on the LNS.

    lac-name must be specified in this command for all L2TP groups except for the default L2TP group default-lns.

    In an L2TP group, the start l2tp command and the allow l2tp virtual-template command conflict with each other. If you run one of the commands, the other command becomes invalid.

  4. (Optional) Run default-domain authentication { domain-name | force domain-name | replace domain-name }

    A default authentication domain is configured for L2TP users.

    The default-domain authentication command configures a default authentication domain for L2TP users. When a user goes online from a LAC by using a username without a domain name, the LNS adds the user to the configured default authentication domain for login. User login information, such as the authentication scheme, accounting scheme, and address pool, is configured in the default authentication domain. If no default authentication domain is configured, the LNS adds the user to the domain default1 for login.

    The default-domain authentication force command configures a forcible authentication domain for L2TP users. When a user goes online from a LAC, the LNS logs the user in from the forcible authentication domain, but does not change the user's domain name. The user domain adopts the configuration of the forcible authentication domain.

    The default-domain authentication replace command configures an authentication domain substitute for L2TP users. When a user goes online from a LAC, the LNS switches the user to the domain substitute and changes the user domain name to the name of the authentication domain substitute. The user domain adopts the configuration of the authentication domain substitute.

  5. (Optional) Run roam-domain domain-name

    A roaming domain is configured for the LNS.

  6. (Optional) Run tunnel window receive window-size

    An L2TP receive window size is set for out-of-order packets.

  7. (Optional) Run lns calling-station-id format agent-remote-id

    The LNS is configured to parse the Agent-Remote-Id attribute carried in an ICRQ packet sent from the LAC and encapsulate the attribute into the Calling-Station-Id attribute to be sent to a RADIUS server.

  8. Run quit

    Return to the system view.

  9. (Optional) Run qos link-adjustment vendor redback { lns | lac } * [ slot slot-id ]

    Redback packet adjustment is configured so that user traffic statistics are collected based on the redback mode.

    This command is supported only by the admin VS.

    The following table shows the redback packet adjustment implementation.

    | Layer 2 | LAC (UP) (in bytes) | LAC (DOWN) (in bytes) | LNS (UP) | LNS (DOWN) |
    |---------|---------------------|-----------------------|----------|------------|
    | Compensation value (default statistics) | Dual Qs: 12; Single Q: 16; Untagged: 20 | 4 | 6 | 4 |
    | Compensation value (CAR) | Dual Qs: 12; Single Q: -16; Untagged: -20 | -4 | 6 | -4 |
    | Compensation value (SQ) | Dual Qs: -8; Single Q: -12; Untagged: -16 | Dual Qs: 24; Single Q: 20; Untagged: 16 | 10 | 38 |

  10. (Optional) Run avp nas-port enable

    The LNS is enabled to parse the NAS-Port attribute carried in the AVP100 field of an ICRQ message received from the LAC.

  11. (Optional) Run radius-attribute include nas-port lns with-user-id accounting-request

    The LNS is enabled to encapsulate the NAS-Port attribute received from the LAC into a packet to be sent to a RADIUS server.

  12. (Optional) Run lns avp calling-number translate agent-remote-id

    The LNS is enabled to copy the value of the Calling-Number attribute carried in an ICRQ message received from the LAC to the Agent-Remote-Id field.

  13. Run commit

    The configuration is committed.
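
The tunnel-name check described under Context and the three default-domain authentication modes in step 4 decide which virtual template and which authentication domain a session ends up with. The following Python model is an added example, not Huawei code or part of the original procedure; it runs the same users through each mode. The group, LAC, and domain names are hypothetical, and the "@" domain delimiter, the handling of a username that already carries a domain when only a default domain is set, and the appending of the substitute domain to a username without one are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FALLBACK_DOMAIN = "default1"  # used when no default authentication domain is configured

@dataclass
class L2tpGroup:
    name: str                          # l2tp-group group-name
    virtual_template: int              # allow l2tp virtual-template <number> ...
    remote_lac: str                    # ... remote <lac-name>
    domain_mode: Optional[str] = None  # None, "default", "force" or "replace"
    domain_name: Optional[str] = None

def select_group(groups: List[L2tpGroup], tunnel_name: str) -> Optional[L2tpGroup]:
    """Permit the tunnel only if the received name equals a configured LAC name."""
    for group in groups:
        if group.remote_lac == tunnel_name:
            return group
    return None

def resolve_domain(group: L2tpGroup, username: str) -> Tuple[str, str]:
    """Return (authentication domain, user name after login)."""
    user, _, own_domain = username.partition("@")  # "@" delimiter is an assumption
    if group.domain_mode == "force":
        return group.domain_name, username         # user's domain name is not changed
    if group.domain_mode == "replace":
        return group.domain_name, f"{user}@{group.domain_name}"
    if own_domain:                                 # assumption: the user's own domain applies
        return own_domain, username
    if group.domain_mode == "default":
        return group.domain_name, username
    return FALLBACK_DOMAIN, username

def handle_session(groups, tunnel_name, username):
    """Return (virtual template, auth domain, user name), or None if rejected."""
    group = select_group(groups, tunnel_name)
    if group is None:
        return None
    return (group.virtual_template, *resolve_domain(group, username))

# Constructed sample configuration; every name below is hypothetical.
SAMPLE_GROUPS = [
    L2tpGroup("lns-a", 1, "lac-a", "default", "isp-a"),
    L2tpGroup("lns-b", 2, "lac-b", "force", "quarantine"),
    L2tpGroup("lns-c", 3, "lac-c", "replace", "wholesale"),
    L2tpGroup("lns-d", 4, "lac-d"),
]

if __name__ == "__main__":
    for lac, user in [("lac-a", "alice"), ("lac-b", "alice@corp"),
                      ("lac-c", "alice@corp"), ("lac-d", "alice"), ("lac-x", "alice")]:
        print(lac, user, "->", handle_session(SAMPLE_GROUPS, lac, user))
```

With force, the user keeps the original name but inherits the forcible domain's authentication scheme, accounting scheme, and address pool; with replace, the name passed on also changes, which matters when RADIUS policy or accounting records are keyed on the user's domain.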

Copyright © Huawei Technologies Co., Ltd.