L2TP Network Server


This chapter describes the support for Layer 2 Tunneling Protocol (L2TP) Network Server (LNS) functionality on the ST16 and Cisco® ASR 5000 chassis and explains how it is configured. The product Administration Guides provide examples and procedures for configuring basic services on the system. Select the configuration example that best meets your service model and configure the required elements for that model, as described in the respective product Administration Guide, before using the procedures in this chapter.
Important: This product requires that you buy a license and feature use key. Not all features and functions may be functioning on all platforms.
When enabled through the session license and feature use key, LNS functionality is configured as context-level services on the system. LNS services support the termination of L2TP-encapsulated tunnels from L2TP Access Concentrators (LACs) in accordance with RFC 2661.
Important: The LNS service uses UDP ports 13660 through 13668 as the source port for receiving packets from the LAC. You can force the LNS to only use the standard L2TP port (UDP Port 1701) with the single-port-mode LNS service configuration mode command. Refer to the Command Line Interface Reference for more information on this command.
 
L2TP LNS Session and Tunnel Capacities
The system is capable of supporting L2TP tunnels for all subscriber sessions or on a session-by-session basis.
Each L2TP tunnel can facilitate one or more subscriber sessions. The number of supported L2TP sessions and tunnels corresponds to the number of active Packet Accelerator Cards (PACs) or Packet Services Cards (PSCs) available to the system.
The following table lists tunnel and session capacities for the ST16,
Table: L2TP LNS Tunnel and Session Capacity per ST16
Table: L2TP LNS Tunnel and Session Capacity per ASR 5000
 
LNS Service Operation
As mentioned previously, LNS functionality on the system is configured via context-level services. LNS services can be configured in the same context as other services supported on the system or in a context of their own. Each context can support multiple LNS services.
One of the simplest configurations that can be implemented on the system to support Simple IP data applications requires two contexts (one source and one destination) to be configured on the system, as shown in the following figure.
Figure: LNS Configuration Example
The source context facilitates the LNS service(s) and the PDN and AAA interfaces. The PDN interface is bound to the LNS service and carries L2TP tunnels and sessions from one or more peer LACs. The source context is also configured to provide AAA functionality for subscriber sessions. The destination context facilitates the packet data network interface(s) and can optionally be configured with pools of IP addresses for assignment to subscriber sessions.
In this configuration, the LNS service in the source context terminates L2TP tunnels from peer LACs and routes the subscriber session data through the destination context to and from a packet data network such as the Internet or a home network.
 
Information Required
Prior to configuring the system as shown in the figure above, a minimum amount of information is required. The following sections describe the information required to configure the source and destination contexts.
 
Source Context Configuration
The following table lists the information that is required to configure the source context.
Table: Required Information for Source Context Configuration
NOTE: For this configuration, the IP context name should be identical to the name of the destination context.
 
Destination Context Configuration
The following table lists the information that is required to configure the destination context.
Table: Required Information for Destination Context Configuration
NOTE: For this configuration, the destination context name should not match the domain name of a specific domain.
 
How This Configuration Works
The following figure and the text that follows describe how this LNS service configuration with a single source and destination context would be used by the system to terminate an L2TP tunnel.
 
Figure: Call Processing Using a Single Source and Destination Context
 
1.
2. Once the L2TP tunnel is established, subscriber L2TP sessions can be established.
3. For this example, the result of this process is that the LNS service determined that AAA functionality should be provided by the source context.
4.
5. The system determines that the egress context is the destination context, based either on the default subscriber's ip-context name or on the SN-VPN-NAME or SN1-VPN-NAME attribute configured in the subscriber's RADIUS profile.
6.
7.
 
Configuring the System to Support LNS Functionality
Many of the procedures required to configure the system to support LNS functionality are provided in the System Administration Guide. The System Administration Guide provides information and procedures for configuring contexts, interfaces and ports, AAA functionality, and IP address pools on the system.
This section provides information and instructions for configuring LNS services on the system allowing it to communicate with peer LAC nodes.
Important: This section provides the minimum instruction set for configuring an LNS service that allows the system to terminate L2TP tunnels and process data sessions. For more information on commands that configure additional LNS service properties, refer to the LNS Configuration Mode Commands chapter of the Command Line Interface Reference.
To configure the system to support LNS functionality:
Step 1
Step 2
Step 3
Step 4
Configure peer LACs for the LNS service by applying the example configuration in the Configuring Tunnel and Session Parameters for LNS Service section.
Step 5
Optional. Specify the domain alias designated for the context which the LNS service uses for AAA functionality by applying the example configuration in the Configuring Domain Alias for AAA Subscribers section.
Step 6
Verify your LNS service configuration by following the steps in the Verifying the LNS Service Configuration section.
Step 7
Save your configuration as described in the Verifying and Saving Your Configuration chapter.
 
Creating and Binding LNS Service
Use the following example to create the LNS service and bind the IP address to it:
configure
  context <dest_ctxt_name> -noconfirm
     lns-service <lns_svc_name> -noconfirm
        bind address <ip_address> [ max-subscribers <max_subscriber> ]
        end
Notes:
 
Configuring Authentication Parameters for LNS Service
Use the following example to configure authentication parameters for the LNS service:
configure
  context <dest_ctxt_name>
     lns-service <lns_svc_name>
        authentication { { [ allow-noauth | chap <pref> | mschap <pref> | pap <pref> ] } | msid-auth }
        end
Note:
For more information on the authentication procedure and priorities, refer to the authentication command section in the LNS Configuration Mode Commands chapter of the Command Line Interface Reference.
 
Configuring Tunnel and Session Parameters for LNS Service
Use the following example to configure the tunnel and session parameters for LNS service:
configure
  context <dest_ctxt_name>
     lns-service <lns_svc_name>
        max-tunnel <max_tunnels>
        max-session-per-tunnel <max_sessions>
        end
Note:
 
Configuring Peer LAC servers for LNS Service
Use the following example to configure the peer LAC servers for LNS service:
configure
  context <dest_ctxt_name>
     lns-service <lns_svc_name>
        peer-lac { <lac_ip_address> | <ip_address>/<mask> } [ encrypted ] secret <secret_string> [ description <desc_text> ]
        end
Note:
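The secret given with peer-lac is the shared tunnel secret that RFC 2661 tunnel authentication uses during the SCCRQ/SCCRP/SCCCN exchange outlined in the Call Processing section above (the LNS places a Challenge AVP in its SCCRP and the LAC must answer it in its SCCCN). The following is an added example in Python, not Cisco code and not how StarOS implements the check internally; it builds a constructed SCCCN the way a LAC would, parses the L2TPv2 control header and AVP list, and performs the LNS-side verification of the Challenge Response AVP. The secret, challenge and tunnel ID values are constructed sample data.

```python
import hashlib
import hmac
import struct

# RFC 2661 control message types used here (SCCRQ = 1 is the LAC's opening request)
SCCRP, SCCCN = 2, 3
# RFC 2661 section 4.4 IETF AVP attribute types
AVP_MESSAGE_TYPE = 0
AVP_CHALLENGE_RESPONSE = 13


def challenge_response(message_type, secret, challenge):
    """RFC 2661 sections 4.4.3 / 5.1.1: CHAP-style MD5 over the one-octet type of the
    message that carries the response, the shared tunnel secret and the challenge."""
    return hashlib.md5(bytes([message_type]) + secret + challenge).digest()


def build_avp(attr_type, value, mandatory=True):
    """Encode one IETF (vendor ID 0) AVP: M/H flags + 10-bit length, vendor, type, value."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr_type) + value


def build_control_message(tunnel_id, ns, nr, avps):
    """L2TPv2 control header: T=1, L=1, S=1, O=0, version 2 -> flags 0xC802."""
    return struct.pack("!HHHHHH", 0xC802, 12 + len(avps), tunnel_id, 0, ns, nr) + avps


def parse_control_message(pkt):
    """Decode the fixed header and IETF AVPs; reject malformed or hidden AVPs."""
    if len(pkt) < 12:
        raise ValueError("truncated L2TP control header")
    flags, length, tunnel_id, session_id, ns, nr = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0xCA0F != 0xC802:  # T, L, S set; O clear; version 2
        raise ValueError("not an L2TPv2 control message")
    if length != len(pkt):
        raise ValueError("length field does not match datagram size")
    avps, offset = {}, 12
    while offset < length:
        if offset + 6 > length:
            raise ValueError("truncated AVP header at offset %d" % offset)
        flags_len, vendor, attr = struct.unpack("!HHH", pkt[offset:offset + 6])
        avp_len = flags_len & 0x03FF
        if avp_len < 6 or offset + avp_len > length:
            raise ValueError("malformed AVP length at offset %d" % offset)
        if flags_len & 0x4000:
            raise ValueError("hidden (H bit) AVPs are not handled in this example")
        if vendor == 0:
            avps[attr] = pkt[offset + 6:offset + avp_len]
        elif flags_len & 0x8000:
            raise ValueError("unknown mandatory vendor-specific AVP %d" % attr)
        offset += avp_len
    return {"tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr, "avps": avps}


def lac_sccn(secret, challenge, lns_tunnel_id):
    """Constructed SCCCN as a LAC sends it after the LNS put a Challenge AVP in its SCCRP."""
    avps = build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCCN))
    avps += build_avp(AVP_CHALLENGE_RESPONSE, challenge_response(SCCCN, secret, challenge))
    return build_control_message(lns_tunnel_id, ns=2, nr=2, avps=avps)


def lns_verify_peer(pkt, secret, challenge):
    """LNS side: accept the tunnel only if the SCCCN answers our challenge with our secret."""
    avps = parse_control_message(pkt)["avps"]
    if avps.get(AVP_MESSAGE_TYPE) != struct.pack("!H", SCCCN):
        return False
    response = avps.get(AVP_CHALLENGE_RESPONSE)
    if response is None or len(response) != 16:
        return False
    # constant-time comparison so a wrong response leaks no timing information
    return hmac.compare_digest(response, challenge_response(SCCCN, secret, challenge))


if __name__ == "__main__":
    secret = b"example-peer-lac-secret"  # constructed; the value given with 'peer-lac ... secret'
    challenge = bytes(range(16))          # constructed; in practice a random value sent in SCCRP
    pkt = lac_sccn(secret, challenge, lns_tunnel_id=7)
    print("correct secret:", lns_verify_peer(pkt, secret, challenge))
    print("wrong secret:  ", lns_verify_peer(pkt, b"not-the-secret", challenge))
```

Because the message type is mixed into the hash, a response captured from an SCCRP cannot be replayed as an SCCCN answer, and because the challenge is fresh per tunnel, a captured SCCCN is useless against a later challenge. The example rejects AVPs with the H (hidden) bit set rather than decoding them; hidden-AVP decoding also depends on the shared secret and is not needed for this check.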
 
Configuring Domain Alias for AAA Subscribers
Use the following example to specify the domain alias the LNS service uses for AAA functionality:
configure
  context <dest_ctxt_name> -noconfirm
     lns-service <lns_svc_name> -noconfirm
        nai-construct domain <domain_alias>
        end
Note:
Important: This command should only be used if the LNS service is configured to allow “no authentication” using the authentication allow-noauth command.
 
Verifying the LNS Service Configuration
These instructions are used to verify the LNS service configuration.
Step 1
show lns-service name service_name
The output of this command displays the configuration of the LNS service and should appear similar to that shown below.
Service name: testlns
  Context:                       test
  Bind:                          Not Done
  Local IP Address:              0.0.0.0
  First Retransmission Timeout:  1 (secs)
  Max Retransmission Timeout:    8 (secs)
  Max Retransmissions:           5
  Setup Timeout:                 60 (secs)
  Max Sessions:                  500000        Max Tunnels:            32000
  Max Sessions Per Tunnel:       65535
  Keep-alive Interval:           60            Control Receive Window: 16
  Data Sequence Numbers:         Enabled
  Tunnel Authentication:         Enabled
  Tunnel Switching:              Enabled
  Max Tunnel Challenge Length:   16
  PPP Authentication:            CHAP 1 PAP 2
  Allow Noauthentication:        Disabled      MSID Authentication:    Disabled
  No NAI Construct Domain defined
  No Default Subscriber defined
  IP Src Violation Reneg Limit:  5
  IP Src Violation Drop Limit:   10
  IP Src Violation Period:       120 (secs)
  Service Status:                Not started
  Newcall Policy:                None
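Reading the show output by eye works for one service; for several services, or for a recurring configuration review, it helps to parse it and flag the fields that matter for security and availability. The following Python script is an added example, not Cisco tooling: it parses the column-aligned output above (the page's own sample, embedded so the script runs offline), handling lines that carry two key/value pairs, and reports findings such as an unbound or unstarted service, tunnel authentication not enabled, allow-noauth enabled, or PAP accepted for PPP authentication. It assumes the layout shown here and assumes a running service reports a status of Started.

```python
import re

# The page's own sample "show lns-service name testlns" output, embedded so this runs offline.
SAMPLE_OUTPUT = """\
Service name: testlns
  Context:                       test
  Bind:                          Not Done
  Local IP Address:              0.0.0.0
  First Retransmission Timeout:  1 (secs)
  Max Retransmission Timeout:    8 (secs)
  Max Retransmissions:           5
  Setup Timeout:                 60 (secs)
  Max Sessions:                  500000        Max Tunnels:            32000
  Max Sessions Per Tunnel:       65535
  Keep-alive Interval:           60            Control Receive Window: 16
  Data Sequence Numbers:         Enabled
  Tunnel Authentication:         Enabled
  Tunnel Switching:              Enabled
  Max Tunnel Challenge Length:   16
  PPP Authentication:            CHAP 1 PAP 2
  Allow Noauthentication:        Disabled      MSID Authentication:    Disabled
  No NAI Construct Domain defined
  No Default Subscriber defined
  IP Src Violation Reneg Limit:  5
  IP Src Violation Drop Limit:   10
  IP Src Violation Period:       120 (secs)
  Service Status:                Not started
  Newcall Policy:                None
"""


def parse_show_lns_service(text):
    """Turn the column-aligned output into a dict. A line may carry two 'Key: value'
    pairs separated by runs of spaces; lines without a colon become boolean flags."""
    fields = {}
    for line in text.splitlines():
        pending = None
        for tok in re.split(r"\s{2,}", line.strip()):
            if not tok:
                continue
            if pending is not None:        # value for the key seen just before
                fields[pending] = tok
                pending = None
            elif tok.endswith(":"):        # "Key:" with the value in the next token
                pending = tok[:-1]
            elif ": " in tok:              # "Key: value" separated by a single space
                key, value = tok.split(": ", 1)
                fields[key] = value
            else:                          # e.g. "No NAI Construct Domain defined"
                fields[tok] = True
        if pending is not None:            # key with no value on the line
            fields[pending] = ""
    return fields


def ppp_auth_preferences(value):
    """'CHAP 1 PAP 2' -> {'CHAP': 1, 'PAP': 2}; a lower number is a higher preference."""
    toks = value.split()
    prefs = {}
    for name, pref in zip(toks[0::2], toks[1::2]):
        if pref.isdigit():
            prefs[name.upper()] = int(pref)
    return prefs


def audit_lns_service(fields):
    """Return the findings a reviewer would raise before this LNS service carries traffic."""
    findings = []
    if fields.get("Bind") != "Done":
        findings.append("service not bound to a local IP address (Bind: %s)" % fields.get("Bind"))
    if fields.get("Service Status", "").lower() != "started":   # assumed 'Started' when running
        findings.append("service not started (Service Status: %s)" % fields.get("Service Status"))
    if fields.get("Tunnel Authentication") != "Enabled":
        findings.append("tunnel authentication is not enabled")
    if fields.get("Allow Noauthentication") == "Enabled":
        findings.append("allow-noauth is enabled: PPP sessions may be accepted without authentication")
    prefs = ppp_auth_preferences(fields.get("PPP Authentication", ""))
    if "PAP" in prefs:
        findings.append("PAP accepted for PPP authentication (preference %d); prefer CHAP or MSCHAP only"
                        % prefs["PAP"])
    return findings


if __name__ == "__main__":
    for finding in audit_lns_service(parse_show_lns_service(SAMPLE_OUTPUT)):
        print("-", finding)
```

On the sample output the audit reports three findings: the service is not bound, it is not started, and PAP is still accepted as a second-preference PPP authentication method. The parser keys on the "Key: value" layout rather than fixed column offsets, so it tolerates the differing column widths between lines.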

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883