LNS Service Configuration Mode Commands
The LNS Service Configuration Mode is used to create and manage L2TP services within contexts on the system. L2TP Network Server (LNS) services facilitate tunneling with peer L2TP Access Concentrators (LACs).
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
- aaa accounting
- authentication
- avp map called-number apn
- bind
- data sequence-number
- default
- end
- exit
- ip source-violation
- keepalive-interval
- local-receive-window
- max-retransmission
- max-session-per-tunnel
- max-tunnel-challenge-length
- max-tunnels
- nai-construction domain
- newcall
- peer-lac
- proxy-lcp-authentication
- retransmission-timeout-first
- retransmission-timeout-max
- setup-timeout
- single-port-mode
- trap
- tunnel-authentication
- tunnel-switching
aaa accounting
Enables the sending of authentication, authorization, and accounting (AAA) accounting information by the LNS.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
aaa accounting [ roaming ]
[ no ] aaa accounting
no
Disables this option.
roaming
Enables the sending of AAA accounting information by the LNS only for roaming subscribers.
Usage Guidelines
Use this command to enable the sending of AAA accounting information by the LNS. By default this is enabled.
Examples
aaa accounting
authentication
Configures the type of subscriber authentication for PPP sessions terminated at the current LNS.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
authentication { { [ allow-noauth ] [ chap chap_priority ] [ mschap mschap_priority ] [ pap pap_priority ] } | msid-auth }
allow-noauth
Default: Disabled
Configures the LNS to allow PPP sessions access even though they have not been authenticated. This command issued by itself causes the LNS not to attempt authentication for any PPP sessions.
When the allow-noauth option is used in conjunction with commands specifying other authentication protocols and priorities to use, then if attempts to use those protocols fail, the system treats the allow-noauth option as the lowest priority.
If no authentication is allowed, the system constructs a Network Access Identifier (NAI) to provide accounting records for the PPP session.
chap chap_priority
Default: 1
Configures the LNS to attempt to use Challenge Handshake Authentication Protocol (CHAP) to authenticate the PPP session.
A chap_priority must be specified in conjunction with this option. Priorities specify which authentication protocol should be attempted first, second, third and so on.
chap_priority must be an integer from 1 through 1000. The lower the integer, the higher the preference. CHAP is enabled by default as the highest preference.
mschap mschap_priority
Default: Disabled
Configures the LNS to attempt to use the Microsoft Challenge Handshake Authentication Protocol (MSCHAP) to authenticate the PPP session.
A mschap_priority must be specified in conjunction with this option. Priorities specify which authentication protocol should be attempted first, second, third and so on.
mschap_priority must be an integer from 1 through 1000. The lower the integer, the higher the preference.
pap pap_priority
Default: 2
This option configures the LNS to attempt to use the Password Authentication Protocol (PAP) to authenticate the PPP session.
A pap_priority must be specified in conjunction with this option. Priorities specify which authentication protocol should be attempted first, second, third and so on.
pap_priority must be an integer from 1 through 1000. The lower the integer, the higher the preference. PAP is enabled by default as the second highest preference.
msid-auth
Default: Disabled
This option configures the LNS to attempt to authenticate the PPP session based on the Mobile Station Identity (MSID).
Usage Guidelines
Use this command to specify how the LNS service should handle authentication and which protocols to use. The option is configurable because not every mobile implements the same authentication protocols.
- allow-noauth disabled
- chap enabled with a priority of 1
- mschap disabled
- msid-auth disabled
- pap enabled with a priority of 2
At least one of the keywords must be used to complete the command.
Examples
authentication allow-noauth
authentication chap 1 mschap 2 pap 3
avp map called-number apn
This command maps an incoming Attribute Value Pair (AVP) to a GGSN Access Point Name (APN) for authentication and authorization of the call.
Product
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
[ default | no ] avp map called-number apn
default
Disables mapping.
no
Disables mapping.
Usage Guidelines
For LNS calls received through a LAC, the ICRQ message includes an APN name in the Called Number AVP. This mapping function enables a GGSN system to provide RADIUS authentication/authorization via a defined APN in place of an LNS configuration. If the mapped APN has not been defined within the GGSN configuration then the call will be rejected.
Examples
avp map called-number apn
no avp map called-number apn
bind
This command assigns the IP address of an interface in the current context to the LNS service.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
bind ip_address [ max-subscribers max_value ]
no bind ip_address
no
Unassign, or unbind, the local end point to the LNS service.
ip_address
Specifies the IP address of an interface in the current context. This must be a valid IP address entered using IPv4 dotted-decimal notation.
max-subscribers max_value
Default: 10000
Specifies the maximum number of subscribers that can be connected to this service at any time. max_value must be an integer from 1 through 2500000.
Usage Guidelines
Use this command to bind the IP address of an interface in the current context to the LNS service.
Examples
bind 192.168.100.10
no bind
data sequence-number
Enables data sequence numbering for sessions that use the current LNS service. Data sequence numbering is enabled by default.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
[ no ] data sequence-number
no
Disables data sequence numbering for sessions.
Usage Guidelines
An L2TP data packet header has an optional data sequence number field. The data sequence number may be used to ensure ordered delivery of data packets. This command is used to re-enable or disable the use of data sequence numbers for data packets.
Examples
no data sequence-number
data sequence-number
default
This command sets the specified LAC service parameter to its default value or setting.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
default { authentication | data sequence-number | ip source-violation | keepalive-interval | load-balancing | local-receive-window | max-retransmission | max-session-per-tunnel | max-tunnel-challenge-length | max-tunnels | proxy-lcp-authentication | retransmission-timeout-first | retransmission-timeout-max | setup-timeout | single-port-mode | subscriber | trap all | tunnel-authentication }
authentication
- allow-noauth disabled
- chap enabled with a priority of 1
- mschap disabled
- msid-auth disabled
- pap enabled with a priority of 2
data sequence-number
Enables data sequence numbering for sessions.
ip source-violation
- drop-limit 10
- period 120 seconds
- reneg-limit 5
keepalive-interval
Sets the interval for sending L2TP Hello keepalive messages when there are no control or data transactions to the default value of 60 seconds.
local-receive-window
Sets the window size to be used for the local side for the reliable control transport to the default of 4.
max-retransmission
Sets the maximum number of retransmissions to the default of 5.
max-session-per-tunnel
Sets the maximum number of sessions per tunnel at any point in time to the default of 65535.
max-tunnel-challenge-length
Sets the maximum length of the tunnel challenge to the default of 16 bytes.
max-tunnels
Sets the maximum number of tunnels for this service to the default of 32000.
proxy-lcp-authentication
Sets sending of proxy LCP authentication parameters to the LNS to the default state of enabled.
retransmission-timeout-first
Sets the first retransmit interval to the default of 1 second.
retransmission-timeout-max
Sets the maximum retransmit interval to the default of 8 seconds.
setup-timeout
Sets the maximum time allowed for session setup to the default of 60 seconds.
single-port-mode
Disables assignment of only port 1107 for incoming tunnels and allows dynamic assignment of ports.
subscriber
Sets the name of the default subscriber configuration to use.
tunnel-authentication
Sets tunnel authentication to the default state of enabled.
trap all
Generates all supported SNMP traps.
tunnel-switching
Sets the ability of the LNS to create subsequent tunnels to the default of enabled.
Usage Guidelines
Use the default command to set LAC service parameters to their default states.
Examples
default keepalive-interval
default max-session-per-tunnel
end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
Syntax Description
end
Usage Guidelines
Use this command to return to the Exec mode.
exit
Exits the current mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
Syntax Description
exit
Usage Guidelines
Use this command to return to the parent configuration mode.
ip source-violation
This command configures settings related to IP source-violation detection.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
ip source-violation { clear-on-valid-packet | drop-limit num | period secs | reneg-limit num }
no ip source-violation clear-on-valid-packet
clear-on-valid-packet
Default: disabled
Configures the service to reset the reneg-limit and drop-limit counters after receipt of a properly addressed packet.
drop-limit num
Default: 10
Sets the number of allowed source violations within a detection period before forcing a call disconnect. If num is not specified, the value is set to the default.
num can be an integer from 1 through 1000000.
period secs
Default: 120
The length of time (in seconds) for a source violation detection period to last. drop-limit and reneg-limit counters are decremented each time this value is reached.
The counters are decremented in this manner: reneg-limit counter is reduced by one (1) each time the period value is reached until the counter is zero (0); drop-limit counter is halved each time the period value is reached until the counter is zero (0). If secs is not specified, the value is set to the default.
secs can be an integer from 1 through 1000000.
reneg-limit num
Default: 5
Sets the number of allowed source violations within a detection period before forcing a PPP renegotiation. If num is not specified, the value is set to the default.
num can be an integer from 1 through 1000000.
Usage Guidelines
This function allows the operator to configure a network to prevent problems such as when a user gets handed back and forth between two PDSNs a number of times during a handoff scenario.
When a subscriber packet is received with a source address violation, the system increments both the IP source-violation reneg-limit and drop-limit counters and starts the timer for the IP-source violation period. Every subsequent packet received with a bad source address during the IP-source violation period causes the reneg-limit and drop-limit counters to increment.
For example, if reneg-limit is set to 5, the system allows five packets with a bad source address (source violations), but on the fifth packet, it re-negotiates PPP.
If the drop-limit is set to 10, the above process of receiving five source violations and renegotiating PPP occurs only once. After the second 5-source violation, the call is dropped. The period timer continues to count throughout this process.
If, at any time before the call is dropped, the configured source-violation period is exceeded, the drop-limit counter is halved and the reneg-limit counter is decremented by 1. See the period definition above.
Examples
ip source-violation drop-limit 100
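The counter behaviour described above can be checked against a small model. This is an added example, not vendor code: the class and function names are hypothetical, and three points the text leaves open are assumptions here (the reneg counter restarts from zero after a renegotiation, halving rounds down, and the period timer idles once both counters reach zero).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SourceViolationTracker:
    # Defaults are the documented ones: reneg-limit 5, drop-limit 10, period 120.
    reneg_limit: int = 5
    drop_limit: int = 10
    period: int = 120
    clear_on_valid_packet: bool = False
    reneg_count: int = 0
    drop_count: int = 0
    period_start: Optional[float] = None  # None: period timer not running

    def _decay(self, now):
        """For every full period elapsed: reneg counter -1, drop counter halved."""
        while self.period_start is not None and now - self.period_start >= self.period:
            self.reneg_count = max(0, self.reneg_count - 1)
            self.drop_count //= 2  # assumption: integer halving, rounds down
            self.period_start += self.period
            if self.reneg_count == 0 and self.drop_count == 0:
                self.period_start = None  # assumption: timer idles at zero

    def packet(self, now, source_ok):
        """Feed one subscriber packet and return the resulting action."""
        self._decay(now)
        if source_ok:
            if self.clear_on_valid_packet:
                self.reneg_count = self.drop_count = 0
                self.period_start = None
            return "pass"
        if self.period_start is None:
            self.period_start = now  # first violation starts the period timer
        self.reneg_count += 1
        self.drop_count += 1
        if self.drop_count >= self.drop_limit:
            return "disconnect"
        if self.reneg_count >= self.reneg_limit:
            self.reneg_count = 0  # assumption: restart after PPP renegotiation
            return "renegotiate"
        return "violation"


def replay(tracker, events):
    """events: (time_in_seconds, source_ok) pairs. Returns the enforcement actions."""
    actions = []
    for now, source_ok in events:
        action = tracker.packet(now, source_ok)
        if action in ("renegotiate", "disconnect"):
            actions.append((now, action))
        if action == "disconnect":
            break
    return actions


def burst():
    # Constructed input: ten bad-source packets, one per second, default limits.
    return replay(SourceViolationTracker(), [(t, False) for t in range(10)])


def slow_drip():
    # Constructed input: one bad-source packet every 150 s, wider than the 120 s period.
    return replay(SourceViolationTracker(), [(t * 150, False) for t in range(40)])


def interleaved(clear_on_valid_packet):
    # Constructed input: runs of four bad-source packets separated by one valid packet.
    events = [(t, t not in (4, 9)) for t in range(12)]
    events = [(t, not ok) for t, ok in events]  # True only at t=4 and t=9
    return replay(SourceViolationTracker(clear_on_valid_packet=clear_on_valid_packet), events)


if __name__ == "__main__":
    print("burst:", burst())
    print("slow drip:", slow_drip())
    print("interleaved, clear-on-valid-packet off:", interleaved(False))
    print("interleaved, clear-on-valid-packet on:", interleaved(True))
```

With the defaults, violations spaced wider than the period never accumulate, and enabling clear-on-valid-packet lets a source that interleaves valid packets stay below both limits, which is worth weighing before turning that option on.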
keepalive-interval
This command specifies the amount of time to wait before sending a Hello keepalive message.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
keepalive-interval seconds
no keepalive-interval
no
Disables the generation of Hello keepalive messages on the tunnel.
seconds
Default: 60
Specifies the number of seconds to wait before sending a Hello keepalive message as an integer from 30 through 2147483648.
Usage Guidelines
Use this command to set the amount of time to wait before sending a Hello keepalive message or disable the generation of Hello keepalive messages completely. A keepalive mechanism is employed by L2TP in order to differentiate tunnel outages from extended periods of no control or data activity on a tunnel. This is accomplished by injecting Hello control messages after a specified period of time has elapsed since the last data or control message was received on a tunnel. As for any other control message, if the Hello message is not reliably delivered then the tunnel is declared down and is reset. The transport reset mechanism along with the injection of Hello messages ensures that a connectivity failure between the LNS and the LAC is detected at both ends of a tunnel.
Examples
keepalive-interval 120
no keepalive-interval
local-receive-window
Specifies the number of control messages the remote peer LAC can send before waiting for an acknowledgement.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
local-receive-window integer
integer
Default: 4
Specifies the number of control messages to send before waiting for an acknowledgement as an integer from 1 through 256.
Usage Guidelines
Use this command to set the size of the control message receive window being offered to the remote peer LAC. The remote peer LAC may send the specified number of control messages before it must wait for an acknowledgment.
Examples
local-receive-window 10
max-retransmission
Sets the maximum number of retransmissions of a control message to a peer before the tunnel and all sessions within it are cleared.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
max-retransmission integer
integer
Default: 5
Specifies the maximum number of retransmissions of a control message to a peer as an integer from 1 through 10.
Usage Guidelines
Each tunnel maintains a queue of control messages to be transmitted to its peer. After a period of time passes without acknowledgement, a message is retransmitted. Each subsequent retransmission of a message employs an exponential backoff interval. For example, if the first retransmission occurs after 1 second, the next retransmission occurs after 2 seconds have elapsed, then the next after 4 seconds. If no peer response is detected after the number of retransmissions set by this command, the tunnel and all sessions within it are cleared.
Use this command to set the maximum number of retransmissions that the LAC service sends before closing the tunnel and all sessions within it.
Examples
max-retransmission 7
max-session-per-tunnel
Sets the maximum number of sessions that can be facilitated by a single tunnel at any time.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
max-sessions-per-tunnel integer
integer
Default: 512
Specifies the maximum number of sessions as an integer from 1 through 65535.
Usage Guidelines
Use this command to set the maximum number of sessions you want to allow in a tunnel.
Examples
max-sessions-per-tunnel 5000
max-tunnel-challenge-length
Sets the maximum length of the tunnel challenge in bytes. The challenge is used for authentication purposes during tunnel creation.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
max-tunnel-challenge-length bytes
bytes
Default: 16
Specifies the number of bytes to set the maximum length of the tunnel challenge as an integer from 4 through 32.
Usage Guidelines
Use this command to set the maximum length, in bytes, for the tunnel challenge that is used during tunnel creation.
Examples
max-tunnel-challenge-length 32
max-tunnels
The maximum number of tunnels that the current LNS service can support.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
max-tunnels integer
integer
Default: 32000
Specifies the maximum number of tunnels as an integer from 1 through 32000.
Usage Guidelines
Use this command to set the maximum number of tunnels that this LNS service can support at any one time.
Examples
max-tunnels 20000
nai-construction domain
Designates the alias domain name to use for Network Access Identifier (NAI) construction.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
nai-construction domain domain_name { @ | % | - | \ | # | / }
no nai-construction domain
no
Deletes the NAI construction domain alias.
domain_name { @ | % | - | \ | # | / }
Specifies the desired domain name alias followed immediately by a separator from the valid list. domain_name must be an alphanumeric string of 1 through 79 characters.
Usage Guidelines
Use this command to specify the domain alias and separator to use for NAI construction. The specified domain name must be followed by a valid separator (@ | % | - | \ | # | /).
Examples
nai-construction domain mydomain@
no nai-construction domain
newcall
Configures new call related behavior.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
newcall duplicate-subscriber-requested-address { accept | reject }
default newcall duplicate-subscriber-requested-address
default
Sets or restores the default value assigned to the specified parameter.
duplicate-subscriber-requested-address
Configures how duplicate sessions that request the same address are handled.
Examples
newcall duplicate-subscriber-requested-address accept
peer-lac
Adds a peer LAC address for the current LNS service. Up to eight peer LACs can be configured for each LNS service.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
peer-lac { ip_address | ip_address/mask } [ encrypted ] secret secret [ description text ]
no peer-lac ip_address
no peer-lac ip_address
Deletes the peer LAC IP address specified by ip_address. ip_address must be entered using IPv4 dotted-decimal notation.
ip_address
The IP address of a specific peer LAC for the current LNS service. ip_address must be entered using IPv4 dotted-decimal notation.
ip_address/mask
A network prefix and mask enabling communication with a group of peer LACs. ip_address is the network prefix expressed in IPv4 dotted-decimal notation.
mask is the number of bits that defines the prefix.
encrypted
Specifies the encrypted shared key between the LAC and the LNS service.
This keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret. Only the encrypted secret is saved as part of the configuration file.
secret secret
Designates the secret which is shared between the current LNS service and the peer LAC. secret must be an alphanumeric string of 1 through 127 characters that is case sensitive.
description text
Specifies the descriptive text to use to describe the specified peer LAC. text must be an alphanumeric string of 0 through 79 characters.
Usage Guidelines
Use this command to add a peer LAC address for the current LNS service.
Specific peer LACs can be configured by specifying their individual IP addresses. In addition, to simplify configuration, communication with a group of peer LACs can be enabled by specifying a network prefix and a mask.
Examples
peer-lac 10.10.10.100 secret 1b34nnf5d
peer-lac 92.168.1.0/28 secret abc123
no peer-lac 10.10.10.200
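The authentication, max-tunnel-challenge-length and peer-lac settings described above can be reviewed together before a configuration is applied. The following is an added example, not vendor tooling: the function names, finding codes and sample configuration are constructed for illustration, and the parser covers only the syntax shown on this page.

```python
import ipaddress

# Constructed sample: an LNS service block using only commands documented on this page.
SAMPLE_CONFIG = """\
lns-service lns1
  bind 192.168.100.10
  authentication pap 1 chap 2 allow-noauth
  max-tunnel-challenge-length 8
  peer-lac 10.10.10.100 encrypted secret 0123abcd description lac-east
  peer-lac 192.168.1.0/28 secret abc123
"""

# Hypothetical finding codes used by this example.
FINDINGS = {
    "AUTH_NOAUTH_ONLY": "LNS does not attempt authentication for any PPP session",
    "AUTH_NOAUTH_FALLBACK": "sessions are admitted when every listed protocol fails",
    "AUTH_PAP_FIRST": "PAP (password sent in clear text) is attempted first",
    "CHALLENGE_SHORT": "tunnel challenge shorter than the documented default of 16 bytes",
    "PEER_PREFIX": "one shared secret covers a whole prefix of peer LACs",
    "SECRET_PLAINTEXT": "peer-lac secret is stored without the encrypted keyword",
}


def auth_order(tokens):
    """Return the attempt order for the arguments of an 'authentication' command."""
    priorities, noauth, i = [], False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "allow-noauth":
            noauth = True
        elif tok == "msid-auth":
            return ["msid-auth"]
        elif tok in ("chap", "mschap", "pap"):
            i += 1
            if i >= len(tokens) or not tokens[i].isdigit():
                raise ValueError(f"{tok} requires a priority")
            priority = int(tokens[i])
            if not 1 <= priority <= 1000:
                raise ValueError(f"{tok} priority must be 1 through 1000")
            priorities.append((priority, tok))
        else:
            raise ValueError(f"unknown authentication keyword: {tok}")
        i += 1
    # Lower integer means higher preference; allow-noauth is always tried last.
    order = [name for _, name in sorted(priorities)]
    if noauth:
        order.append("allow-noauth")
    if not order:
        raise ValueError("at least one keyword is required")
    return order


def audit(config_text):
    """Return (line_number, finding_code) pairs for the settings reviewed here."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "authentication":
            order = auth_order(tokens[1:])
            if order == ["allow-noauth"]:
                findings.append((lineno, "AUTH_NOAUTH_ONLY"))
            elif "allow-noauth" in order:
                findings.append((lineno, "AUTH_NOAUTH_FALLBACK"))
            if order[0] == "pap":
                findings.append((lineno, "AUTH_PAP_FIRST"))
        elif tokens[0] == "max-tunnel-challenge-length" and len(tokens) > 1:
            if int(tokens[1]) < 16:
                findings.append((lineno, "CHALLENGE_SHORT"))
        elif tokens[0] == "peer-lac" and len(tokens) > 1:
            network = ipaddress.ip_network(tokens[1], strict=False)
            if network.num_addresses > 1:
                findings.append((lineno, "PEER_PREFIX"))
            if "secret" in tokens and tokens[tokens.index("secret") - 1] != "encrypted":
                findings.append((lineno, "SECRET_PLAINTEXT"))
    return findings


if __name__ == "__main__":
    for lineno, code in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {code}: {FINDINGS[code]}")
```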
proxy-lcp-authentication
Enables/disables proxy LCP authentication.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
[ no ] proxy-lcp-authentication
no
Disables the processing of proxy LCP authentication parameters from the LAC.
proxy-lcp-authentication
Default: Enabled
Enables the processing of proxy LCP authentication parameters from the LAC.
Usage Guidelines
When enabled, if proxy LCP authentication parameters are received from the LAC and are acceptable, the LNS resumes the PPP session from the authentication phase and goes to the IPCP phase.
When disabled, PPP is always started from the LCP phase, ignoring and discarding any proxy LCP authentication parameters received from the LAC. Disable this feature in situations where the proxy LCP Auth AVPs that the peer LAC sends should not be accepted.
Examples
no proxy-lcp-authentication
proxy-lcp-authentication
retransmission-timeout-first
Configures the initial timeout for the retransmission of control messages to the peer LAC.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
retransmission-timeout-first integer
integer
Default: 1
Specifies the amount of time (in seconds) to wait before sending the first control message retransmission. This value is an integer from 1 through 100.
Usage Guidelines
Each tunnel maintains a queue of control messages to transmit to its peer. After a period of time passes without acknowledgement, a message is retransmitted.
Examples
The following command sets the initial retransmission timeout to 3 seconds:
retransmission-timeout-first 3
retransmission-timeout-max
Configures the maximum amount of time that can elapse before retransmitting control messages to the peer LAC.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
retransmission-timeout-max integer
integer
Default: 8
Specifies the maximum time (in seconds) to wait before retransmitting control messages. If this limit is reached, the tunnel and all sessions within it are cleared. This value is an integer from 1 through 100.
Usage Guidelines
Each tunnel maintains a queue of control messages to transmit to its peer. After a period of time passes without acknowledgement, a message is retransmitted. Each subsequent retransmission of a message employs an exponential backoff interval. For example, if the first retransmission occurs after 1 second, the next retransmission occurs after 2 seconds have elapsed, then the next after 4 seconds. This continues until the limit set by this command is reached. If this limit is reached, the tunnel and all sessions within it are cleared.
Examples
The following command sets the maximum retransmission timeout to 10 seconds:
retransmission-timeout-max 10
setup-timeout
Configures the maximum amount of time, in seconds, allowed for session setup.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
setup-timeout seconds
seconds
Default: 60
Specifies the maximum time (in seconds) to wait for the setup of a session. seconds must be an integer from 1 through 1000000.
Usage Guidelines
This command controls the amount of time allowed for tunnel establishment with a peer LAC. If this timer is exceeded, the tunnel setup is aborted.
Examples
The following command configures a maximum setup time of 120 seconds:
setup-timeout 120
single-port-mode
When enabled, this command sets the LNS to use only the default local UDP port (port 1701) for the life of a tunnel.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
[ default | no ] single-port-mode
no
Disables single port mode.
Usage Guidelines
Use this command to control the L2TP LNS tunnel local UDP port assignment mode. If single-port-mode is enabled, the LNS service uses the standard UDP port (port 1701) for the life of the incoming tunnel. Otherwise, it assigns a new local UDP port number to a tunnel when it responds to a tunnel create request received on the standard port number. This distributes tunnel processing across multiple tasks within the system to increase capacity and performance.
Even though all L2TP LACs are required to support such dynamic port assignments during tunnel establishment, some LACs do not support port assignments other than port 1701. Enable single-port-mode to support such LAC peers. This configuration must be applied to the LNS service before the bind command is executed.
Examples
The following command enables single port mode:
single-port-mode
trap
This command generates SNMP traps.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
[ no ] trap all
no
Disables SNMP traps.
Usage Guidelines
Use this command to enable/disable all supported SNMP traps.
Examples
The following command enables all supported SNMP traps:
trap all
tunnel-authentication
Enables/disables L2TP tunnel authentication for the LNS service.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
[ no ] tunnel-authentication
no
Disables tunnel authentication.
Tunnel authentication is enabled by default.
Usage Guidelines
When tunnel authentication is enabled, a configured shared secret is used to ensure that the LNS service is communicating with an authorized peer LAC. The shared secret is configured by the peer-lac command, the tunnel l2tp command in the Subscriber Configuration mode, or the Tunnel-Password attribute in the subscriber's RADIUS profile.
Examples
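The following command disables tunnel authentication:
no tunnel-authentication
The following command enables tunnel authentication:
tunnel-authentication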
tunnel-switching
Enables or disables the ability of the LNS service to create tunnels to another LAC for an existing tunnel.
Product
PDSN
GGSN
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > LNS Service Configuration
configure > context context_name > lns-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-lns-service)#
Syntax
Syntax Description
[ no ] tunnel-switching
no
Disables tunnel switching.
Tunnel switching is enabled by default.
Usage Guidelines
With tunnel switching, an LNS that has a tunnel connected to one LAC creates a tunnel to a different LAC and routes the data from the original LAC through the new tunnel to the other LAC.
Examples
The following command disables tunnel switching:
no tunnel-switching
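A configuration review sketch for the proxy-lcp-authentication, tunnel-authentication and tunnel-switching commands described above, added here as an example and not taken from the product or its documentation. It resolves each lns-service block to its effective settings using the defaults stated on this page; the sample configuration, service names and function names are constructed.

```python
import re

# Defaults as documented on this page for LNS Service Configuration mode.
DEFAULTS = {
    "proxy-lcp-authentication": True,
    "tunnel-authentication": True,
    "tunnel-switching": True,
}

# Constructed sample configuration (not from a real system).
SAMPLE_CONFIG = """\
context ingress
  lns-service lns-wholesale
    no tunnel-authentication
    retransmission-timeout-max 10
  exit
  lns-service lns-retail
    no proxy-lcp-authentication
    no tunnel-switching
  exit
exit
"""


def effective_settings(config: str) -> dict:
    """Return {service_name: {command: enabled}} with the page defaults applied."""
    services, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"lns-service\s+(\S+)", line)
        if m:
            current = services.setdefault(m.group(1), dict(DEFAULTS))
        elif line == "exit":
            current = None  # leaving the service (or context) block
        elif current is not None:
            m = re.fullmatch(r"(no\s+)?(\S+)", line)
            if m and m.group(2) in DEFAULTS:
                current[m.group(2)] = m.group(1) is None
    return services


def review_items(config: str) -> list:
    """List (service, note) pairs for settings a reviewer should confirm are intended."""
    out = []
    for name, s in sorted(effective_settings(config).items()):
        if not s["tunnel-authentication"]:
            out.append((name, "tunnel-authentication disabled: peer LAC is not verified"))
        if s["proxy-lcp-authentication"]:
            out.append((name, "proxy-lcp-authentication enabled: LAC auth parameters accepted"))
        if s["tunnel-switching"]:
            out.append((name, "tunnel-switching enabled: tunnels to another LAC allowed"))
    return out
```

A service block that omits a command still appears in the result with the documented default, which is how an unconfigured lns-service ends up accepting proxy LCP parameters and permitting tunnel switching.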