LNS Service Configuration
Mode Commands
The LNS Service Configuration
Mode is used to create and manage L2TP services within contexts
on the system. L2TP Network Server (LNS) services facilitate tunneling
with peer L2TP Access Concentrators (LACs).
IMPORTANT:
The commands or keywords/variables
that are available are dependent on platform type, product version,
and installed license(s).
aaa accounting
Enables the sending
of authentication, authorization, and accounting (AAA) accounting
information by the LNS.
Privilege:
Security Administrator,
Administrator
Syntax
aaa accounting
[ no ] aaa accounting
Usage:
Use this command to
enable the sending of AAA accounting information by the LNS. By default
this is enabled.
Example:
The following command
enables the sending of AAA accounting information by the LNS:
aaa accounting
authentication
Configures the type
of subscriber authentication for PPP sessions terminated at the
current LNS.
Privilege:
Security Administrator,
Administrator
Syntax
authentication { { [ allow-noauth ] [ chap chap_priority ] [ mschap mschap_priority ] [ pap pap_priority ] } | msid-auth }
allow-noauth
Default: Disabled
Configures the LNS
to allow PPP sessions access even though they have not been authenticated.
This command issued by itself causes the LNS not to attempt authentication
for any PPP sessions.
When the allow-noauth option
is used in conjunction with commands specifying other authentication
protocols and priorities to use, then if attempts to use those protocols
fail, the system treats the allow-noauth option
as the lowest priority.
If no authentication
is allowed, the system constructs an Network Access Identifier (NAI)
to provide accounting records for the PPP session.
chap chap_priority
Default: 1
Configures the LNS
to attempt to use Challenge Handshake Authentication Protocol (CHAP)
to authenticate the PPP session.
A chap_priority must
be specified in conjunction with this option. Priorities specify
which authentication protocol should be attempted first, second,
third and so on.
chap_priority must
be an integer from 1 through 1000. The lower the integer, the higher
the preference. CHAP is enabled by default as the highest preference.
mschap mschap_priority
Default: Disabled
Configures the LNS
to attempt to use the Microsoft Challenge Handshake Authentication Protocol
(MSCHAP) to authenticate the PPP session.
A mschap_priority must
be specified in conjunction with this option. Priorities specify
which authentication protocol should be attempted first, second,
third and so on.
mschap_priority must
be an integer from 1 through 1000. The lower the integer, the higher
the preference.
pap pap_priority
Default: 2
This option configures
the LNS to attempt to use the Password Authentication Protocol (PAP)
to authenticate the PPP session.
A pap_priority must
be specified in conjunction with this option. Priorities specify
which authentication protocol should be attempted first, second,
third and so on.
pap_priority must
be an integer from 1 through 1000. The lower the integer, the higher
the preference. PAP is enabled by default as the second highest preference.
msid-auth
Default: Disabled
This option configures
the LNS to attempt to authenticate the PPP session based on the Mobile
Station Identity (MSID).
Usage:
Use to specify how
the LNS service should handle authentication and what protocols
to use. The flexibility is given to configure this option to accommodate
the fact that not every mobile will implement the same authentication
protocols.
By default LNS authentication
options are set as follows:
- allow-noauth disabled
- chap enabled with
a priority of 1
- mschap disabled
- msid-auth disabled
- pap enabled with a
priority of 2
IMPORTANT:
At least one of the
keywords must be used to complete the command.
Example:
The following command
configures the LNS service to allow no authentication for PPP sessions
and would perform accounting using the default NAI-construct of
username@domain:
authentication allow-noauth
The following command
configures the system to attempt authentication first using CHAP, then
MSCHAP, and finally PAP. If the allow-noauth command was also issued,
when all attempts to authenticate the subscriber using these protocols
failed, then the subscriber would be allowed access:
authentication chap
1 mschap 2 pap 3
avp map called-number
apn
This command maps
an incoming Attribute Value Pair (AVP) to a GGSN Access Point Name
(APN) for authentication and authorization of the call.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] avp
map called-number apn
default
Disables mapping.
Usage:
For LNS calls received
through a LAC, the ICRQ message includes an APN name in the Called
Number AVP. This mapping function enables a GGSN system to provide
RADIUS authentication/authorization via a defined APN in
place of an LNS configuration. If the mapped APN has not been defined
within the GGSN configuration then the call will be rejected.
Example:
Enter the following
command to enable mapping:
avp map called-number apn
Enter the following
command to disable mapping:
no avp map called-number apn
bind
This command assigns
the IP address of an interface in the current context to the LNS
service.
Privilege:
Security Administrator,
Administrator
Syntax
bind ip_address [ max-subscribers max_value ]
no bind ip_address
no
Unassign, or unbind,
the local end point to the LNS service.
ip_address
Specifies the IP address
of an interface in the current context. This must be a valid IP
address entered using IPV4 dotted-decimal notation.
max-subscribers max_value
Default: 10000
Specifies the maximum
number of subscribers that can be connected to this service at any time. max_value must
be an integer from 1 through 2500000.
Usage:
Use this command to
bind the IP address of an interface in the current context to the
LNS service.
Example:
The following command
binds the current context interface IP address
192.168.100.10 to
the current LNS service:
bind 192.168.100.10
The following command
removes the binding of the IP address from the LNS service:
no bind
data sequence-number
Enables data sequence
numbering for sessions that use the current LNS service. Data sequence
numbering is enabled by default.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] data
sequence-number
no
Disables data sequence
numbering for sessions.
Usage:
An L2TP data packet
header has an optional data sequence numbers field. The data sequence
number may be used to ensure ordered delivery of data packets. This
command is used to re-enable or disable the use of the data sequence
numbers for data packets.
Example:
Use the following
command to disable the use of data sequence numbering:
no data sequence-number
Use the following
command to re-enable data sequence numbering:
data sequence-number
default
This command sets
the specified LAC service parameter to its default value or setting.
Privilege:
Security Administrator,
Administrator
Syntax
default { authentication | data
sequence-number | ip source-violation | keepalive-interval | load-balancing | local-receive-window | max-retransmission | max-session-per-tunnel | max-tunnel-challenge-length | max-tunnels | proxy-lcp-authentication | retransmission-timeout-first | retransmission-timeout-max | setup-timeout| single-port-mode | subscriber| trap
all tunnel-authentication}
authentication
Sets the authentication
parameters for PPP sessions to the following defaults:
- allow-noauth disabled
- chap enabled with
a priority of 1
- mschap disabled
- msid-auth disabled
- pap enabled with a
priority of 2
data sequence-number
Enables data sequence
numbering for sessions.
ip source-violation
Sets the IP source
violation parameters to the following defaults:
- drop-limit 10
- period 120 seconds
- reneg-limit 5
keepalive-interval
Sets the interval
for send L2TP Hello keepalive if there is no control or data transactions
to the default value of 60 seconds.
local-receive-window
Sets the window size
to be used for the local side for the reliable control transport
to the default of 4.
max-retransmission
Sets the maximum number
of retransmissions to the default of 5.
max-session-per-tunnel
Sets the maximum number
of sessions per tunnel at any point in time to the default of 65535.
max-tunnel-challenge-length
Sets the maximum length
of the tunnel challenge to the default of 16 bytes.
max-tunnels
Sets the maximum number
of tunnels for this service to the default of 32000.
proxy-lcp-authentication
Sets sending of proxy
LCP authentication parameters to the LNS to the default state of enabled.
retransmission-timeout-first
Sets the first retransmit
interval to the default of 1 second.
retransmission-timeout-max
Sets the maximum retransmit
interval to the default of 8 seconds.
setup-timeout
Sets the maximum time
allowed for session setup to the default of 60 seconds.
single-port-mode
Disables assignment
of only port 1107 for incoming tunnels and allows dynamic assignment of
ports.
subscriber
Sets the name of the
default subscriber configuration to use.
tunnel-authentication
Sets tunnel authentication
to the default state of enabled.
trap all
Generates all supported
SNMP traps.
tunnel-switching
Sets the ability of
the LNS to create subsequent tunnels to the default of enabled.
Usage:
Use the default command
to set LAC service parameters to their default states.
Example:
Use the following
command to set the keepalive interval to the default value of 60
seconds:
default keepalive-interval
Use the following
command to set the maximum number of sessions per tunnel to the default
value of 512:
default max-session-per-tunnel
end
Exits the current
configuration mode and returns to the Exec mode.
Privilege:
Security Administrator,
Administrator
Usage:
Use this command to
return to the Exec mode.
exit
Exits the current
mode and returns to the parent configuration mode.
Privilege:
Security Administrator,
Administrator
Usage:
Use this command to
return to the parent configuration mode.
ip source-violation
This command configures
settings related to IP source-violation detection.
Privilege:
Security Administrator,
Administrator
Syntax
ip source-violation { clear-on-valid-packet | drop-limit num | period secs | reneg-limit num }
no ip source-violation
clear-on-valid-packet
clear-on-valid-packet
Default: disabled
Configures the service
to reset the reneg-limit and drop-limit counters after receipt of
a properly addressed packet.
drop-limit num
Default: 10
Sets the number of
allowed source violations within a detection period before forcing
a call disconnect. If num is
not specified, the value is set to the default.
num can
be an integer from 1 through 1000000.
period secs
Default: 120
The length of time
(in seconds) for a source violation detection period to last. drop-limit
and reneg-limit counters are decremented each time this value is
reached.
The counters are decremented
in this manner: reneg-limit counter is reduced by one (1) each time
the period value is reached until the counter is zero (0); drop-limit
counter is halved each time the period value is reached until the
counter is zero (0). If secs is not
specified, the value is set to the default.
secs can
be an integer from 1 through 1000000.
reneg-limit num
Default: 5
Sets the number of
allowed source violations within a detection period before forcing
a PPP renegotiation. If num is not
specified, the value is set to the default.
num can
be an integer from 1 through 1000000.
Usage:
This function allows
the operator to configure a network to prevent problems such as
when a user gets handed back and forth between two PDSNs a number
of times during a handoff scenario.
When a subscriber
packet is received with a source address violation, the system increments
both the IP source-violation reneg-limit and drop-limit counters
and starts the timer for the IP-source violation period. Every subsequent
packet received with a bad source address during the IP-source violation
period causes the reneg-limit and drop-limit counters to increment.
For example, if reneg-limit
is set to 5, the system allows five packets with a bad source address
(source violations), but on the fifth packet, it re-negotiates PPP.
If the drop-limit
is set to 10, the above process of receiving five source violations
and renegotiating PPP occurs only once. After the second 5-source
violation, the call is dropped. The period timer continues to count
throughout this process.
If at any time before
the call is dropped, the configured source-violation period is exceeded,
the counters for drop-limit is decremented by half and reneg-limit
is decremented by 1. See period definition above.
Example:
To set the maximum
number of source violations before dropping a call to 100, enter
the following command:
ip source-violation drop-limit 100
keepalive-interval
This command specifies
the amount of time to wait before sending a Hello keepalive message.
Privilege:
Security Administrator,
Administrator
Syntax
keepalive-interval seconds
no keepalive-interval
no
Disables the generation
of Hello keepalive messages on the tunnel.
seconds
Default: 60
Specifies the number
of seconds to wait before sending a Hello keepalive message as an integer
from 30 through 2147483648.
Usage:
Use this command to
set the amount of time to wait before sending a Hello keepalive message
or disable the generation of Hello keepalive messages completely.
A keepalive mechanism is employed by L2TP in order to differentiate
tunnel outages from extended periods of no control or data activity
on a tunnel. This is accomplished by injecting Hello control messages
after a specified period of time has elapsed since the last data
or control message was received on a tunnel. As for any other control
message, if the Hello message is not reliably delivered then the
tunnel is declared down and is reset. The transport reset mechanism
along with the injection of Hello messages ensures that a connectivity
failure between the LNS and the LAC is detected at both ends of
a tunnel.
Example:
Use the following
command to set the Hello keepalive message interval to
120 seconds:
keepalive-interval 120
Use the following
command to disable the generation of Hello keepalive messages:
no keepalive-interval
local-receive-window
Specifies the number
of control messages the remote peer LAC can send before waiting
for an acknowledgement.
Privilege:
Security Administrator,
Administrator
Syntax
local-receive-window integer
integer
Default: 4
Specifies the number
of control messages to send before waiting for an acknowledgement
as an integer from 1 through 256.
Usage:
Use this command to
set the size of the control message receive window being offered
to the remote peer LAC. The remote peer LAC may send the specified
number of control messages before it must wait for an acknowledgment.
Example:
The following command
sets the local receive window to
10 control
messages:
local-receive-window 10
max-retransmission
Sets the maximum number
of retransmissions of a control message to a peer before the tunnel
and all sessions within it are cleared.
Privilege:
Security Administrator,
Administrator
Syntax
max-retransmission integer
integer
Default: 5
Specifies the maximum
number of retransmissions of a control message to a peer as an integer
from 1 through 10.
Usage:
Each tunnel maintains
a queue of control messages to be transmitted to its peer. After
a period of time passes without acknowledgement, a message is retransmitted.
Each subsequent retransmission of a message employs an exponential
backoff interval. For example; if the first retransmission occurs
after 1 second, the next retransmission occurs after 2 seconds has
elapsed, then the next after 4 seconds. If no peer response is detected
after the number of retransmissions set by this command, the tunnel
and all sessions within are cleared.
Use this command to
set the maximum number of retransmissions that the LAC service sends
before closing the tunnel and all sessions within. it.
Example:
The following command
sets the maximum number of retransmissions of a control message to
a peer to 7:
max-retransmissions 7
max-session-per-tunnel
Sets the maximum number
of sessions that can be facilitated by a single tunnel at any time.
Privilege:
Security Administrator,
Administrator
Syntax
max-sessions-per-tunnel integer
integer
Default: 512
Specifies the maximum
number of sessions as an integer from 1 through 65535.
Usage:
Use this command to
set the maximum number of sessions you want to allow in a tunnel.
Example:
The following command
sets the maximum number of sessions in a tunnel to
5000:
max-sessions-per-tunnel 5000
max-tunnel-challenge-length
Sets the maximum length
of the tunnel challenge in bytes. The challenge is used for authentication
purposes during tunnel creation.
Privilege:
Security Administrator,
Administrator
Syntax
max-tunnel-challenge-length bytes
bytes
Default: 16
Specifies the number
of bytes to set the maximum length of the tunnel challenge as an integer
from 4 through 32.
Usage:
Use this command to
set the maximum length, in bytes, for the tunnel challenge that
is used during tunnel creation.
Example:
The following command
sets the maximum length of the tunnel challenge to
32 bytes:
max-tunnel-challenge-length 32
max-tunnels
The maximum number
of tunnels that the current LNS service can support.
Privilege:
Security Administrator,
Administrator
Syntax
max-tunnels integer
integer
Default: 32000
Specifies the maximum
number of tunnels as an integer from 1 through 32000.
Usage:
Use this command to
set the maximum number tunnels that this LNS service can support at
any one time.
Example:
Use the following
command to set the maximum number of tunnels for the current LNS service
to
20000:
max-tunnels 20000
nai-construction
domain
Designates the alias
domain name to use for Network Access Identifier (NAI) construction.
Privilege:
Security Administrator,
Administrator
Syntax
nai-construction domain domain_name { @ | % | - | \ | # | / }
no nai-construction domain
no
Deletes the NAI construction
domain alias.
domain_name { @ | % | - | \ | # | / }
Specifies the desired
domain name alias followed immediately by a separator from the valid list. domain_name must
be an alphanumeric string of from 1 through 79 characters.
Usage:
Use this command to
specify the domain alias and separator to use for NAI construction. The
specified domain name must be followed by a valid separator (@ | % | - | \ | # | /).
Example:
To specify a domain
alias of
mydomain@ with
a separator of @, enter the following command:
nai-construction domain mydomain@
To delete the current
setting for the NAI construction domain alias, enter the following command:
no nai-construction domain
peer-lac
Adds a peer LAC address
for the current LNS service. Up to eight peer LACs can be configured
for each LNS service.
Privilege:
Security Administrator,
Administrator
Syntax
peer-lac { ip_address | ip_address/mask } [ encrypted ] secret secret [ description text ]
no peer-lac ip_address
no peer-lac ip_address
Deletes the peer LAC
IP address specified by ip_address. ip_address must
be entered using IPv4 dotted-decimal notation.
ip_address
The IP address of
a specific peer LAC for the current LNS service. ip_address must
be entered using IPv4 dotted-decimal notation.
ip_address/mask
A network prefix and
mask enabling communication with a group of peer LACs. ip_address is
the network prefix expressed in IPv4 dotted-decimal notation.
mask is
the number of bits that defines the prefix.
encrypted
Specifies the encrypted
shared key between the LAC and the LNS service.
This keyword is intended
only for use by the system while saving configuration scripts. The system
displays the encrypted keyword in the configuration file as a flag
that the variable following the secret keyword is the encrypted
version of the plain text secret. Only the encrypted secret is saved
as part of the configuration file.
secret secret
Designates the secret
which is shared between the current LNS service and the peer LAC. secret must
ben alphanumeric string of 1 through 127 characters that is case
sensitive.
description text
Specifies the descriptive
text to use to describe the specified peer LAC. text must
be an alphanumeric string of 0 through 79 characters.
Usage:
Use this command to
add a peer LAC address for the current LNS service.
Specific peer LACs
can be configured by specifying their individual IP addresses. In addition,
to simplify configuration, communication with a group of peer LACs
can be enabled by specifying a network prefix and a mask.
Example:
The following command
adds a peer LAC to the current LNS service with the IP address of
10.10.10.100,
and specifies the shared secret to be
1b34nnf5d:
peer-lac 10.10.10.100
secret 1b34nnf5d
The following command
enables communication with up to 16 peer LACs on the 192.168.1.0
network each having a secret of
abc123:
peer-lac 92.168.1.0/28
secret abc123
The following command
removes the peer LAC with the IP address of
10.10.10.200 for
the current LNS service:
no peer-lac 10.10.10.200
proxy-lcp-authentication
Enables/disables
proxy LCP authentication.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] proxy-lcp-authentication
no
Disables the processing
of proxy LCP authentication parameters from the LAC.
proxy-lcp-authentication
Default: Enabled
Enables the processing
proxy LCP authentication parameters from the LAC.
Usage:
When enabled, if proxy
LCP authentication parameters are received from the LAC and are acceptable,
the LNS resumes the PPP session from the authentication phase and
goes to the IPCP phase.
When disabled, PPP
is always started from the LCP phase, ignoring and discarding any proxy
LCP authentication parameters received from the LAC. Disable this
feature in situations where accept proxy LCP Auth AVPs that the
peer LAC sends should not be expected.
Example:
Use the following
command to disable the processing of proxy LCP authentication parameters
from the LAC:
no proxy-lcp-authentication
Use the following
command to re-enable the processing of proxy LCP authentication parameters
from the LAC:
proxy-lcp-authentication
retransmission-timeout-first
Configures the initial
timeout for the retransmission of control messages to the peer LAC.
Privilege:
Security Administrator,
Administrator
Syntax
retransmission-timeout-first integer
integer
Default: 1
Specifies the amount
of time (in seconds) to wait before sending the first control message retransmission.
This value is an integer from 1 through 100.
Usage:
Each tunnel maintains
a queue of control messages to transmit to its peer. After a period
of time passes without acknowledgement, a message is retransmitted.
Example:
The following command
sets the initial retransmission timeout to 3 seconds:
retransmission-timeout-first 3
retransmission-timeout-max
Configures the maximum
amount of time that can elapse before retransmitting control messages
to the peer LAC.
Privilege:
Security Administrator,
Administrator
Syntax
retransmission-timeout-max integer
integer
Default: 8
Specifies the maximum
time (in seconds) to wait before retransmitting control messages.
If this limit is reached, the tunnel, and all sessions within it,
is cleared. This value is an integer from 1 through 100.
Usage:
Each tunnel maintains
a queue of control messages to transmit to its peer. After a period
of time passes without acknowledgement, a message is retransmitted.
Each subsequent retransmission of a message employs an exponential
backoff interval. For example; if the first retransmission occurs
after 1 second, the next retransmission occurs after 2 seconds has
elapsed, then the next after 4 seconds. This continues until the
limit set by this command is reached. If this limit is reached,
the tunnel, and all sessions within it, is cleared.
Example:
Use the following
command to set the maximum retransmission time-out to
10 seconds:
retransmission-timeout-max 10
setup-timeout
Configures the maximum
amount of time, in seconds, allowed for session setup.
Privilege:
Security Administrator,
Administrator
Syntax
setup-timeout seconds
seconds
Default: 60
Specifies the maximum
time (in seconds) to wait for the setup of a session. seconds must
be an integer from 1 through 1000000.
Usage:
This command controls
the amount of time allowed for tunnel establishment with a peer LAC.
If this timer is exceeded the tunnel setup is aborted.
Example:
The following command
configures a maximum setup time of 120 seconds:
setup-timeout 120
single-port-mode
When enabled, this
command sets the LNS to use only the default local UDP port (port
1701) for the life of a tunnel.
Privilege:
Security Administrator,
Administrator
Syntax
[ default | no ] single-port-mode
no
Disable single port
mode
Usage:
Use this command to
control the L2TP LNS tunnel local UDP port assignment mode. If single-port-mode
is enabled, the LNS-service uses the standard UDP port (port 1701)
for the life of the incoming tunnel. Otherwise, it assigns a new
local UDP port number for a tunnel when it responds to a tunnel
create request received on the standard port number. This is done
for load distributing the tunnel processing between multiple tasks
within the system to increase the capacity and performance. Even
though all L2TP LACs are required to support such dynamic port assignments
during tunnel establishments, there exist some LACs that do not
support port assignment other than port 1701. This single-port-mode
feature can be enabled to support such LAC peers. This configuration
must be applied for the LNS-Service before the bind command
is executed.
Example:
The following command
enables single port mode for the current LNS service:
single-port-mode
trap
This command generates
SNMP traps.
Privilege:
Security Administrator,
Administrator
Usage:
Use this command to
enable/disable all supported SNMP traps.
Example:
To enable all supported
SNMP traps, enter the following command;
trap all
tunnel-authentication
Enables/disables
L2TP tunnel authentication for the LNS service.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tunnel-authentication
no
Disables tunnel authentication
Tunnel authentication
is enabled by default.
Usage:
When tunnel authentication
is enabled, a configured shared secret is used to ensure that the LNS
service is communicating with an authorized peer LAC. The shared
secret is configured by the peer-lac command,
the tunnel l2tp command
in the Subscriber Configuration mode, or the Tunnel-Password attribute
in the subscribers RADIUS profile.
Example:
To disable tunnel
authentication, use the following command:
no tunnel-authentication
To re-enable tunnel
authentication, use the following command:
tunnel-authentication
tunnel-switching
Enables or disables
the LNS service from creating tunnels to another LAC for an existing
tunnel.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tunnel-switching
no
Disable tunnel switching.
Tunnel switching is
enabled by default.
Usage:
Tunnel switching is
when the LNS has a tunnel connected to a LAC and creates a tunnel
to a different LAC and routes the data from the original LAC through
the new tunnel to the other LAC.
Example:
To disable tunnel
switching in the LNS, enter the following command;
no tunnel-switching