- About this Guide
- GGSN Support in GPRS/UMTS Wireless Data Services
- Understanding the Service Operation
- GGSN Service Configuration Procedures
- GGSN Configuration Example
- Mobile IP Configuration Examples
- GGSN and Mobile IP Service in a Single System Configuration Example
- Mobile-IP and Proxy-MIP Timer Considerations
- Session Tracing
- Troubleshooting the Service
- 3GPP ULI Reporting Support Enhanced
- Backup and Recovery of Key KPI Statistics
- Bulkstats for Average Data Rate per IPPOOL
- CoA, RADIUS DM, and Session Redirection (Hotlining)
- Direct Tunnel for 4G (LTE) Networks
- Embed IMSI into Session Id
- Enabling S6b for IMS APN
- Extended QCI Options
- GGSN UPC Collision Handling
- GRE Protocol Interface
- Gx Interface Support
- Gy Interface Support
- ICAP Interface Support
- IP Header Compression
- IP Pool Sharing Protocol
- IPv6 Prefix Delegation from the RADIUS Server and the Local Pool
- L2TP Access Concentrator
- L2TP Network Server
- Mobile IP Registration Revocation
- Multimedia Broadcast and Multicast Service
- Multi-Protocol Label Switching (MPLS) Support
- Revised Marking for Subscriber Traffic
- Rejection/Redirection of HA Sessions on Network Failures
- Policy Forwarding
- Proxy-Mobile IP
- QoS Management
- Remote Address-based RADIUS Accounting
- Routing Behind the Mobile Station on an APN
- Rf Interface Support
- Separation of 2G, 3G, and 4G Bulkstatistics
- Subscriber Overcharging Protection
- Traffic Policing and Shaping
- Type of Service/Traffic Class Configuration for Predefined Rules
- Engineering Rules
GGSN Administration Guide, StarOS Release 21.6
- Updated:
- January 25, 2018
Chapter: L2TP Network Server
L2TP Network
Server
This chapter describes the support for Layer 2 Tunneling Protocol (L2TP) Network Server (LNS) functionality on Cisco® ASR 5500 chassis and explains how it is configured. The product Administration Guides provide examples and procedures for configuration of basic services on the system. It is recommended that you select the configuration example that best meets your service model, and configure the required elements for that model, as described in the respective product Administration Guide, before using the procedures in this chapter.
The Layer 2 Tunneling Protocol (L2TP) Network Server (LNS) is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
When enabled though the session license and feature use key, LNS functionality is configured as context-level services on the system. LNS services support the termination of L2TP encapsulated tunnels from L2TP Access Concentrators (LACs) in accordance with RFC 2661.
While establishing the L2TP session from LAC to LNS, the PPP connection for the user is established. The server uses CHAP authentication protocol to authenticate the connection. While calculating the CHAP response for the CHAP challenge received by the server, the server does not consider the CHAP password.
The LNS service uses UDP ports 13660 through 13668 as the source port for receiving packets from the LAC. You can force the LNS to only use the standard L2TP port (UDP Port 1701) with the single-port-mode LNS service configuration mode command. Refer to the Command Line Interface Reference for more information on this command.
LNS Service Operation
As mentioned previously, LNS functionality on the system is configured via context-level services. LNS services can be configured in the same context as other services supported on the system or in its own context. Each context can support multiple LNS services.
The source context facilitates the LNS service(s) and the PDN and AAA interfaces. The PDN interface is bound to the LNS service and connects L2TP tunnels and sessions from one or more peer LACs. The source context is also be configured to provide AAA functionality for subscriber sessions. The destination context facilitates the packet data network interface(s) and can optionally be configured with pools of IP addresses for assignment to subscriber sessions.
In this configuration, the LNS service in the source context terminates L2TP tunnels from peer LACs and routes the subscriber session data through the destination context to and from a packet data network such as the Internet or a home network.
Information Required
Prior to configuring the system as shown in figure above, a minimum amount of information is required. The following sections describe the information required to configure the source and destination contexts.
Source Context Configuration
The following table lists the information that is required to configure the source context.
| Required Information | Description |
|---|---|
|
Source context name |
This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the source context will be recognized by the system. |
|
PDN Interface Configuration |
|
|
PDN interface name |
This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. These PDN interfaces facilitates the L2TP tunnels/sessions from the LAC and are configured in the source context. |
|
IP address and subnet |
These will be assigned to the PDN interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured. |
|
Physical port number |
This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides in, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. |
|
Physical port description |
This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the source context and are used to bind logical PDN interfaces. |
|
Gateway IP address |
Used when configuring static routes from the PDN interface(s) to a specific network. |
|
LNS service Configuration |
|
|
LNS service name |
This is an identification string between 1 and 63 characters (alpha and/or numeric) by which the LNS service will be recognized by the system. Multiple names are needed if multiple LNS services will be used. LNS services are configured in the source context. |
|
Authentication protocols used |
Specifies how the system handles authentication: using a protocol (such as CHAP, PAP, or MSCHAP), or not requiring any authentication. |
|
Domain alias for NAI-construction |
Specifies a context name for the system to use to provide accounting functionality for a subscriber session. This parameter is needed only if the system is configured to support no authentication. |
|
Maximum number of sessions per tunnel |
This defines the maximum number of sessions supported by each tunnel facilitated by the LNS service. The number can be configured to any integer value from 1 to 65535. The default is 65535. |
|
Maximum number of tunnels |
This defines the maximum number of tunnels supported by the LNS service. The number can be configured to any integer value from 1 to 32000. The default is 32000. |
|
Peer LAC |
IP address or network prefix and mask: The IP address of a specific peer LAC for which the LNS service terminates L2TP tunnels. The IP address must be expressed in dotted decimal notation. Multiple peer LACs can be configured. Alternately, to simplify configuration, a group of peer LACs can be specified by entering a network prefix and a mask. |
|
Secret: The shared secret used by the LNS to authenticate the peer LAC. The secret can be from 1 to 256 alpha and/or numeric characters and is case sensitive. |
|
|
AAA Interface Configuration |
|
|
AAA interface name |
This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. AAA interfaces will be configured in the source context. |
|
IP address and subnet |
These will be assigned to the AAA interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured. |
|
Physical port number |
A single physical port can facilitate multiple interfaces. |
|
Physical port description |
This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the source context and are used to bind logical AAA interfaces. |
|
Gateway IP address |
Used when configuring static routes from the AAA interface(s) to a specific network. |
|
RADIUS Server Configuration |
|
|
RADIUS Authentication server |
IP Address: Specifies the IP address of the RADIUS authentication server the source context will communicate with to provide subscriber authentication functions. Multiple addresses are needed if multiple RADIUS servers will be configured. RADIUS authentication servers are configured within the source context. Multiple servers can be configured and each assigned a priority. |
|
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context. A shared secret is needed for each configured RADIUS server. |
|
|
UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812. |
|
|
RADIUS Accounting server |
IP Address: Specifies the IP address of the RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions. Multiple addresses are needed if multiple RADIUS servers will be configured. RADIUS accounting servers are configured within the source context. Multiple servers can be configured and each assigned a priority. |
|
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS accounting server and the source context. A shared secret is needed for each configured RADIUS server. |
|
|
UDP Port Number: Specifies the port used by the source context and the RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813. |
|
|
RADIUS attribute NAS Identifier |
Specifies the name by which the source context will be identified in the Access-Request message(s) it sends to the RADIUS server. The name must be between 1 and 32 alpha and/or numeric characters and is case sensitive. |
|
RADIUS NAS IP address |
Specifies the IP address of the source context's AAA interface. A secondary IP address interface can optionally be configured. |
|
Default Subscriber Configuration |
|
|
"Default" subscriber's IP context name |
Specifies the name of the egress context on the system that facilitates the PDN ports. For this configuration, the IP context name should be identical to the name of the destination context. |
Destination Context Configuration
The following table lists the information that is required to configure the destination context.
| Required Information | Description |
|---|---|
|
Destination context name |
This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the destination context will be recognized by the system. For this configuration, the destination context name should not match the domain name of a specific domain. |
|
PDN Interface Configuration |
|
|
PDN interface name |
This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. PDN interfaces are used to connect to a packet network and are configured in the destination context. |
|
IP address and subnet |
These will be assigned to the PDN interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured. |
|
Physical port number |
A single physical port can facilitate multiple interfaces. |
|
Physical port description(s) |
This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions will be needed if multiple ports will be used. Physical ports are configured within the destination context and are used to bind logical PDN interfaces. |
|
Gateway IP address(es) |
Used when configuring static routes from the PDN interface(s) to a specific network. |
|
IP Address Pool Configuration (optional) |
|
|
IP address pool name(s) |
If IP address pools will be configured in the destination context(s), names or identifiers will be needed for them. The pool name can be between 1 and 31 alpha and/or numeric characters and is case sensitive. |
|
IP pool addresses |
An initial address and a subnet, or a starting address and an ending address, are required for each configured pool. The pool will then consist of every possible address within the subnet, or all addresses from the starting address to the ending address. The pool can be configured as public, private, or static. |
How This Configuration Works
The following figure and the text that follows describe how this LNS service configuration with a single source and destination context would be used by the system to terminate an L2TP tunnel.
- An L2TP tunnel request from a peer LAC is received by the LNS service. The tunnel is to facilitate a subscriber session.
- The LAC and LNS
establish the L2TP tunnel according to the procedures defined in RFC 2661.
Once the L2TP tunnel is established, subscriber L2TP sessions can be established.
- The LNS service
determines which context to use in providing AAA functionality for the
subscriber session if authentication is enabled for the LNS service. For more
information on this process, refer How the System Selects Contexts in System
Administration Guide.
For this example, the result of this process is that LNS service determined that AAA functionality should be provided by the Source context.
- The system communicates with the AAA server specified in the Source context's AAA configuration to authenticate the subscriber.
- Upon successful
authentication, the LNS service terminates the subscriber's PPP datagrams from
the L2TP session and the system determines which egress context to use for the
subscriber session. For more information on egress context selection process,
refer How the System Selects Contexts in System Administration Guide.
The system determines that the egress context is the destination context based on the configuration of either the Default subscriber's ip-context name or from the SN-VPN-NAME or SN1-VPN-NAME attributes that is configured in the subscriber's RADIUS profile.
- Data traffic for the subscriber session is routed through the PDN interface in the Destination context.
- Accounting information for the session is sent to the AAA server over the AAA interface.
Configuring the System to Support LNS Functionality
Many of the procedures required to configure the system to support LNS functionality are provided in the System Administration Guide. The System Administration Guide provides information and procedures for configuring contexts, interfaces and ports, AAA functionality, and IP address pools on the system.
This section provides information and instructions for configuring LNS services on the system allowing it to communicate with peer LAC nodes.
This section provides the minimum instruction set for configuring an LNS service allowing the system to terminate L2TP tunnels and process data sessions. For more information on commands that configure additional LNS service properties, refer LNS Configuration Mode Commands chapter in Command Line Interface Reference.
To configure the system to provide access control list facility to subscribers:
Creating and Binding LNS Service
Use the following example to create the LNS service and bind the IP address to it:
configure context <dest_ctxt_name> -noconfirm lns-service <lns_svc_name> -noconfirm bind address <ip_address> [ max-subscribers <max_subscriber> ] end
-
LNS service has to be configured in destination context.
-
Bind address is the interface address that is to serve as an L2TP PDN interface.
-
Multiple addresses on the same IP interface can be bound to different LNS services. However, each address can be bound to only one LNS service. In addition, the LNS service can not be bound to the same interface as other services such as a LAC service.
Configuring Authentication Parameters for LNS Service
Use the following example to authentication parameters for LNS service:
configure context <dest_ctxt_name> lns-service <lns_svc_name> authentication { { [ allow-noauth | chap <pref> | mschap <pref> | | pap <pref> ] } | msid-auth } end
Configuring Tunnel and Session Parameters for LNS Service
Use the following example to configure the tunnel and session parameters for LNS service:
configure context <dest_ctxt_name> lns-service <lns_svc_name> max-tunnel <max_tunnels> max-session-per-tunnel <max_sessions> end
Configuring Peer LAC servers for LNS Service
Use the following example to configure the peer LAC servers for LNS service:
configure context <dest_ctxt_name> lns-service <lns_svc_name> peer-lac { <lac_ip_address> | <ip_address>/<mask> } [ encrypted ] secret <secret_string> [ description <desc_text> ] end
Configuring Domain Alias for AAA Subscribers
Use the following example to create the LNS service and bind the IP address to it:
configure context <dest_ctxt_name> -noconfirm lns-service <lns_svc_name> -noconfirm nai-construct domain <domain_alias> end
-
If this command is enabled, an NAI is constructed for the subscriber in the event that their mobile node does not negotiate CHAP, PAP, or MSCHAP.
-
If this option is selected, no further attempts are made to authenticate the user. Instead, the constructed NAI is used for accounting purposes. Important: This command should only be used if the LNS service is configured to allow "no authentication" using the authentication allow-noauth command.
Verifying the LNS Service Configuration
These instructions are used to verify the LNS service configuration.
Feedback