LAC Service Configuration Mode Commands


LAC Service Configuration Mode Commands
 
 
The LAC Service Configuration Mode is used to create and manage L2TP services within contexts on the system. L2TP Access Concentrator (LAC) services facilitate tunneling to peer L2TP Network Servers (LNSs).
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
allow
This command configure the system to allow different attributes in the LAC Hostname AVP and Called-Number AVP for L2TP messages exchanged between LAC and LNS.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
allow {aaa-assigned-hostname | called-number value apn}
[ no | defualt ] allow {aaa-assigned-hostname | called-number value apn}
no
Disable the configured attribute and returns to the behavior that uses the LAC-Service name as the HostName AVP.
aaa-assigned-hostname
When enabled if AAA assigns a valid Tunnel-Client-Auth-ID attribute for the tunnel, it is used as the HostName AVP in the L2TP tunnel setup message.
This keyword works in conjunction with local-hostname hostname keyword applied with tunnel l2tp command in APN configuration mode.
When Tunnel parameters are not received from the RADIUS Server, Tunnel parameters configured in APN are considered for the LNS peer selection. When APN configuration is selected, local-hostname configured with tunnel l2tp command in the APN for the LNS peer will be used as a LAC Hostname.
called-number value apn
This keyword configures the system to send APN name in Called-Number AVP as a part of ICRQ message sent to the LNS. If this keyword is not configured, Called-Number AVP will not be included in ICRQ message sent to the LNS.
Usage
Use this command to configure the attribute for the HostName AVP for L2TP messages exchanged between LAC and LNS.
LAC Hostname will be different for the subscribers corresponding to the different corporate APNs. In the absence of a AAA assigned HostName, the LAC-Service name is used as HostName. By default the LAC-Service name is used as the HostName AVP.
Example
The following command enables the use of the value of Tunnel-Client-Auth-ID attribute for the HostName AVP:
allow aaa-assigned-hostname
Use the following command to reset the behavior so that the LAC-Service uses the LAC-Service name as the HostName AVP:
no allow aaa-assigned-hostname
 
bind
This command assigns a local end point address to the LAC service in the current context.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
bind ip_address [max-subscribers]
no bind ip_address
no
Unassign, or unbind, the local end point to the LAC service.
ip_address
This must be a valid IPv4 address, using dotted-decimal notation.
max-subscribers
The maximum number of subscribers that can use the endpoint for this LAC service. Must be an integer from 1 to 2500000.
Usage
Use this command to bind a local end point IP address to the LAC service.
Example
The following command binds the local end point IP address 10.10.10.100 to the LAC service in the current context:
bind 10.10.10.100
The following command removes the binding of the local end point to the LAC service:
no bind
 
data sequence-number
Enables data sequence numbering for sessions that use the current LAC service. Data sequence numbering is enabled by default.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
data sequence-number
no data sequence-number
no
Disables data sequence numbering for sessions.
Usage
An L2TP data packet header has an optional data sequence numbers field. The data sequence number may be used to ensure ordered delivery of data packets. This command is used to re-enable or disable the use of the data sequence numbers for data packets.
Example
Use the following command to disable the use of data sequence numbering:
no data sequence-number
Use the following command to re-enable data sequence numbering:
data sequence-number
 
default
This command sets the specified LAC service parameter to its default value or setting.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
default {data sequence-number | hide-attributes | keepalive-interval | load-balancing | local-receive-window | max-retransmission | max-session-per-tunnel | max-tunnel-challenge-length | max-tunnels | proxy-lcp-authentication | retransmission-timeout-first | retransmission-timeout-max | trap all |tunnel-authentication}
data sequence-number
Enables data sequence numbering for sessions.
hide-attributes
Disables hiding attributes in control messages sent from the LAC to the LNS.
keepalive-interval
Sets the interval for send L2TP Hello keepalive if there is no control or data transactions to the default value of 60 secs.
load-balancing
Sets the load balancing algorithm to be used when many LNS peers have been configured to the default of round robin.
local-receive-window
Sets the window size to be used for the local side for the reliable control transport to the default of 16.
max-retransmission
Sets the maximum number of retransmissions to the default of 5.
max-session-per-tunnel
Sets the maximum number of sessions per tunnel at any point in time to the default of 512.
max-tunnel-challenge-length
Sets the maximum length of the tunnel challenge to the default of 16 bytes.
max-tunnels
Sets the maximum number of tunnels for this service to the default of 32000.
proxy-lcp-authentication
Sets sending of proxy LCP authentication parameters to the LNS to the default state of enabled.
retransmission-timeout-first
Sets the first retransmit interval to the default of 1 second.
retransmission-timeout-max
Sets the maximum retransmit interval to the default of 8 seconds.
trap all
Generates all supported SNMP traps.
tunnel-authentication
Sets tunnel authentication to the default state of enabled.
Usage
Use the default command to set LAC service parameters to their default states.
Example
Use the following command to set the keep alive interval to the default value of 60 seconds:
default keepalive-interval
Use the following command to set the maximum number of sessions per tunnel to the default value of 512:
default max-session-per-tunnel
 
hide-attributes
Enables hiding certain attributes (such as proxy-auth-name and proxy-auth-rsp) in control messages sent from the LAC to the LNS. The LAC hides such attributes only if tunnel authentication is enabled between the LAC and the LNS.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
hide-attributes
no hide-attributes
no
Disable hiding attributes.
Usage
Use this command to hide certain attributes from control messages when tunnel authentication is enabled between the LAC and the LNS.
Example
The following command enables hiding attributes:
hide-attributes
 
keepalive-interval
This command specifies the amount of time to wait before sending a Hello keep alive message.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
keepalive-interval seconds
no keepalive-interval
no
Disables the generation of Hello keep alive messages on the tunnel.
seconds
Default: 60
The number of seconds to wait before sending a Hello keep alive message. The number can be configured to any integer value from 30 to 2147483648.
Usage
Use this command to set the amount of time to wait before sending a Hello keep alive message or disable the generation of Hello keep alive messages completely. A keep alive mechanism is employed by L2TP in order to differentiate tunnel outages from extended periods of no control or data activity on a tunnel. This is accomplished by injecting Hello control messages after a specified period of time has elapsed since the last data or control message was received on a tunnel. As for any other control message, if the Hello message is not reliably delivered then the tunnel is declared down and is reset. The transport reset mechanism along with the injection of Hello messages ensures that a connectivity failure between the LNS and the LAC is detected at both ends of a tunnel.
Example
Use the following command to set the Hello keep alive message interval to 120 seconds:
keepalive-interval 120
Use the following command to disable the generation of Hello keep alive messages:
no keepalive-interval
 
load-balancing
Configures how LNSs are selected for this LAC service.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
load-balancing {balanced | prioritized | random}
balanced
LNS selection is made without regard to prioritization, but in a sequential order that balances the load across the total number of LNS nodes available.
prioritized
LNS selection is made based on the priority assigned in the Tunnel-Preference attribute. An example of this method is three LNS nodes, with preferences of 1, 2, and 3 respectively. In this example, the RADIUS server always tries the tunnel with a preference of 1 before using any of the other LNS nodes.
random
Default: Enabled
LNS selection is random in order, wherein the RADIUS server does not use the Tunnel-Preference attribute in determining which LNS to select.
Usage
Use this command to configure the load-balancing algorithm that defines how the LNS node is selected by the LAC when there are multiple peer LNSs configured in the LAC service.
Example
The following command sets the LAC service to connect to LNSs in a sequential order;
load-balancing balanced
The following command sets the LAC service to connect to LNSs according to the priority assigned through the Tunnel-Preference attribute:
load-balancing prioritized
 
local-receive-window
Specifies the number of control messages the remote peer LNS can send before waiting for an acknowledgement.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
local-receive-window integer
integer
Default: 4
The number of control messages to send before waiting for an acknowledgement. The number can be configured to any integer value from 1 to 256.
Usage
Use this command to set the size of the control message receive window being offered to the remote peer LNS. The remote peer LNS may send the specified number of control messages before it must wait for an acknowledgment.
Example
The following command sets the local receive window to 10 control messages:
local-receive-window 10
 
max-retransmission
Sets the maximum number of retransmissions of a control message to a peer before the tunnel and all sessions within it are cleared.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
max-retransmission integer
integer
Default: 5
The maximum number of retransmissions of a control message to a peer. This value must be an integer in the range of 1 to 10.
Usage
Each tunnel maintains a queue of control messages to be transmitted to its peer. After a period of time passes without acknowledgement, a message is retransmitted. Each subsequent retransmission of a message employs an exponential backoff interval. For example; if the first retransmission occurs after 1 second, the next retransmission occurs after 2 seconds has elapsed, then the next after 4 seconds. If no peer response is detected after the number of retransmissions set by this command, the tunnel and all sessions within are cleared.
Use this command to set the maximum number of retransmissions that the LAC service sends before closing the tunnel and all sessions within. it.
Example
The following command sets the maximum number of retransmissions of a control message to a peer to 7:
max-retransmissions 7
 
max-session-per-tunnel
Sets the maximum number of sessions that can be facilitated by a single a tunnel at any time.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
max-sessions-per-tunnel integer
integer
Default: 512
The maximum number of sessions. This value must be in the range of 1 to 65535.
Usage
Use this command to set the maximum number of sessions you want to allow in a tunnel.
Example
The following command sets the maximum number of sessions in a tunnel to 5000:
max-sessions-per-tunnel 5000
 
max-tunnel-challenge-length
Sets the maximum length of the tunnel challenge in bytes.The challenge is used for tunnel authentication purposes during tunnel creation.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
max-tunnel-challenge-length bytes
bytes
Default: 16
The number of bytes to set the maximum length of the tunnel challenge. This must be a value from 4 to 32.
Usage
Use this command to set the maximum length, in bytes, for the tunnel challenge that is used during tunnel creation.
Example
The following command sets the maximum length of the tunnel challenge to 32 bytes:
max-tunnel-challenge-length 32
 
max-tunnels
The maximum number of tunnels that the current LAC service can support.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
max-tunnels integer
integer
Default: 32000
The maximum number of tunnels. This value must be an integer from 1 to 32000.
Usage
Use this command to set the maximum number tunnels that this LAC service can support at any on time.
Example
Use the following command to set the maximum number of tunnels for the current LAC service to 20000:
max-tunnels 20000
 
peer-lns
Adds a peer LNS address for the current LAC service. Up to 8 peer LNSs can be configured for each LAC service.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
peer-lns ip_address [encrypted] secret secret [crypto-map map_name { [encrypted] isakmp-secret secret } ] [ description text ] [ preference integer]
no peer-lns ip_address
no peer-lns ip_address
Deletes the peer LNS at the IP address specified by ip_address. ip_address must be entered in standard IPv4 dotted decimal notation.
ip_address
The IP address of the peer LNS for the current LAC service. ip_address must be entered in standard IPv4 dotted decimal notation.
[encrypted] secret secret
Designates the secret which is shared between the current LAC service and the peer LNS. secret must be a string from 1 to 256 alpha and/or numeric characters and is case sensitive.
encrypted secret secret: Specifies that encryption should be used when communicating the secret with the peer LNS.
crypto-map map_name { [encrypted] isakmp-secret secret }
map_name is the name of a crypto map that has been configured in the current context. map_name must be a string from 1 to 127 alpha and/or numeric characters and is case sensitive.
isakmp-secret secret: The pre-shared key for IKE. secret must be a string from 1 to 127 alpha and/or numeric characters and is case sensitive.
encrypted isakmp-secret secret: The pre-shared key for IKE. Encryption must be used when sending the key. secret must be a string from 1 to 127 alpha and/or numeric characters.
description text
Specifies the descriptive text to use to describe the specified peer LNS. text must be 0 to 79 alpha and/or numeric characters with no spaces or a quoted string of printable characters.
preference integer
This sets the priority of the peer LNS if multiple peer LNSs are configured. integer must be a value ranging from 1 to 128.
Usage
Use this command to add a peer LNS address for the current LAC service.
Example
The following command adds a peer LNS to the current LAC service with the IP address of 10.10.10.100, sets encryption on, specifies the shared secret to be 1b34nnf5d, and sets the preference to 3:
peer-lns 10.10.10.100 encrypted secret 1b34nnf5d preference 3
The following command removes the peer LNS with the IP address of 10.10.10.200 for the current LAC service:
no peer-lns 10.10.10.200
 
proxy-lcp-authentication
Enables and disables the sending of proxy LCP authentication parameters to the LNS.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
proxy-lcp-authentication
no proxy-lcp-authentication
no
Disables the sending of proxy LCP authentication parameters to the LNS.
proxy-lcp-authentication
Default: Enabled
Enables the sending of proxy LCP authentication parameters to the LNS.
Usage
Use this feature in situations where the peer LNS does not understand the proxy LCP Auth AVPs that the system sends and does not do an LCP renegotiation and tears down the call.
Example
Use the following command to disable the sending of proxy LCP authentication parameters to the LNS;
no proxy-lcp-authentication
Use the following command to re-enable the sending of proxy LCP authentication parameters to the LNS
proxy-lcp-authentication
 
retransmission-timeout-first
Each tunnel maintains a queue of control messages to transmit to its peer. After a period of time passes without acknowledgement, a message is retransmitted. This command sets the initial timeout for retransmission of control messages.
Privilege
Security Administrator, Administrator
Syntax
retransmission-timeout-first integer
integer
Default: 1
The amount of time to wait before sending the first control message retransmission. This value is measured in seconds and must be an integer from 1 to 100.
Usage
Use this command to set the initial timeout before retransmitting control messages to the peer.
Example
The following command sets the initial retransmission timeout to 3 seconds:
retransmission-timeout-first 3
 
retransmission-timeout-max
This command configures maximum amount of time between two retransmission of control messages.
Privilege
Security Administrator, Administrator
Syntax
retransmission-timeout-max integer
integer
Default: 8
integer is the maximum time in seconds to wait before retransmitting control messages and must be an integer between 1 through 100.
Usage
Use this command to set the maximum amount of time that can elapse before retransmitting control messages.
Each tunnel maintains a queue of control messages to transmit to its peer. After a period of time passes without acknowledgement, a message is retransmitted. Each subsequent retransmission of a message employs an exponential backoff interval.
Example
The following command sets the maximum retransmission time-out to 10 seconds:
retransmission-timeout-max 10
 
single-port-mode
This command enables/disables the L2TP LAC service always to use standard L2TP port 1701 as source port for all L2TP control and data packets originated from LAC node.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
[no | default] single-port-mode
no
Disables the configured single source port configuration from this LAC service.
default
Default: Enabled
Sets this command to default state of disabled. By default single source port configuration for L2TP LAC packets is disabled.
Usage
Use this command to enable or disable the single port mode for L2TP LAC service.
If this feature is enabled, then L2TP LAC service will always use standard L2TP port 1701 as source port for all L2TP control/data packets originated from LAC (instead of the default scheme in which each L2TPMgr uses a dynamic source port). L2TPMgr instance 1 will handle all L2TP calls for the service.
Caution: Changing this configuration, while the service is already running, will cause restart of the service.
Example
The following command enables the LAC service to use port 1701 as source port for all L2TP control and data packets:
single-port-mode
 
snoop framed-ip-address
When enabled, this feature allows the LAC to detect IPCP packets exchanged between the mobile node and the LNS and extract the framed-ip-address assigned to the mobile node. The address will be reported in accounting start/stop messages and will be displayed for subscriber sessions.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
snoop framed-ip-address
no snoop framed-ip-address
default snoop framed-ip-address
no
Disables the feature. Accounting start/stop will occur before the PPP session is established and the framed IP address field will be reported as 0.0.0.0.
default
Disabled.
Usage
This feature is available to address simple IP roaming scenarios. If this feature is enabled, the accounting start will be sent only after the framed-ip-address is detected. If the framed-ip-address is not detected within 16 seconds, an accounting start will be sent for the session with the 0.0.0.0 address. If the session is disconnected during the detection attempt, accounting start/stop will be sent for the session. If the session renegotiates IPCP, an accounting stop will be generated with a framed-ip-address from the old session and an accounting start will be generated with an IP address for the new session. IPv6 address detection is not supported.
Important: When this feature is enabled and the show subscribers all command is invoked, the framed-IP-address is displayed for the PDSN Simple IP subscriber in the output display.
 
trap
This command generates SNMP traps.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
trap all
no trap all
no
Disables SNMP traps.
Usage
Use this command to enable/disable all supported SNMP traps.
Example
To enable all supported SNMP traps, enter the following command:
trap all
 
tunnel-authentication
Enables tunnel authentication. When tunnel authentication is enabled, a configured shared secret is used to ensure that the LAC service is communicating with an authorized peer LNS. The shared secret is configured by the R_peer-lns command in the LAC service configuration mode, the R_tunnel l2tp command in the subscriber configuration mode, or the Tunnel-Password attribute in the subscribers RADIUS profile.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
tunnel-authentication
no tunnel-authentication
no
Disables tunnel authentication
Tunnel authentication is enabled by default.
Usage
Disable or enable the usage of secrets to authenticate a peer LNS when setting up a tunnel.
Example
To disable tunnel authentication, use the following command:
no tunnel-authentication
To re-enable tunnel authentication, use the following command:
tunnel-authentication
 
tunnel selection-key
This command enables the support to create tunnels between L2TP service and an LNS server on the basis of value of attribute “Tunnel-Server-Auth-ID” received from AAA server.
Privilege
Security Administrator, Administrator
Syntax
tunnel selection-key { tunnel-server-auth-id | none }
[default] tunnel selection-key
default
This keyword disables the creation of tunnel between LAC service and LNS based on key value received in attribute, “Tunnel-Server-Auth-ID” from AAA server.
tunnel-server-auth-id
Default: Enabled
This keyword enables the creation of tunnels between LAC service on GGSN and an LNS server on the basis of domain attribute, “Tunnel-Server-Auth-ID”, value received from AAA server.
none
Default: Enabled
This keyword disables the creation of multiple tunnels between a pair of LAC service on GGSN and LNS server. LAC will not make use of key to choose a tunnel with LNS in this setup.
Usage
Use this command to enable or disable the creation of additional L2TP tunnels between LAC service on GGSN and LNS server on the basis of “Tunnel-Server-Auth-ID” attribute value received from AAA Server in Access-Accept message. This value of attribute is treated as a key for tunnel selection and creation.
When the LAC needs to establish a new L2TP session, it would first check if there is already an existing L2TP tunnel with the peer LNS based on the value of key configured. If no such tunnel exists for the key, it will create a new Tunnel with the LNS.
Default configuration have selection-key as none. Hence, LAC will not make use of key to choose a tunnel with LNS, in default setup.
Maximum number of session as configured with max-sessions-per-tunnel command will be applicable for each tunnel created through this command. By default each tunnel supports 512 sessions.
If LAC service needs to establish a new tunnel for new L2TP session with LNS and the tunnel create request fails because maximum tunnel creation limit is reached, LAC will try other LNS addresses received from AAA server in Access-Accept message for the APN/subscriber. If all available peer-LNS are exhausted, LAC service will reject the call.
Example
The following command enables the use of “Tunnel-Server-Auth-ID” attribute value received from AAA Server in Access-Accept message as a key for tunnel selection and creation:
tunnel selection-key tunnel-server-auth-id
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883