L2TP for Subscriber Access — LAC

This chapter provides information about L2TP for subscriber access.

Topics in this chapter include:

Applicability

This chapter describes L2TP Access Concentrator (LAC) support for the L2TP Access Aggregation (LAA) architecture model and was initially written for SR OS Release 11.0.R4. The CLI in the current edition is based on Release 16.0.R7. PPP hosts are supported in a Routed CO model (with IES or VPRN services) using ATM, Ethernet or Ethernet over Pseudowire SAPs. A description of the L2TP Tunnel Switch (LTS) and L2TP Network Server (LNS) functions are out of the scope of this chapter.

Overview

PPP access architectures

The Broadband Forum proposes two architectures for point-to-point protocol (PPP) access.

  • The PPP terminated aggregation architecture (PTA)

  • The L2TP access aggregation architecture (LAA)

The PTA architecture (local-access model) uses the Broadband Network Gateway (BNG) to terminate user PPP sessions (see scenario PPPoE-5 in PPP access architectures).

The LAA architecture (which is a tunneled access model) uses a LAC and an LNS to transport PPP sessions from the LAC to the LNS which performs tunnel termination (see scenario PPPoE-1 and PPPoE -2 in PPP access architectures).

Optionally, an LTS can be used in the transport network to perform the grooming of traffic between tunnels (see scenarios PPPoE-3 and PPPoE-4 in PPP access architectures).

The LNS is the logical termination point of the PPP sessions originated by the remote clients and tunneled by the LAC/LTS.

Figure 1. PPP access architectures

L2TP tunnels - LAC and LNS reachability options

The router instance where the L2TP tunnel starts and where ESM is handled can be one and the same, but does not need to be the same. The LNS peer address can be reachable via IP, BGP/IGP shortcuts, over a spoke SDP (GRE/MPLS), RFC 4364 VPRNs, but cannot be an address belonging to a directly connected interface. See Supported LT2P reachability options.

Figure 2. Supported LT2P reachability options

Recapitulation of the L2TPv2 protocol

L2TPv2 is a client-server protocol relying on UDP and encapsulates Layer 2 packets such as PPP for transmission across a network. L2TPv2 passes control and data messages over separate control and data channels, thus defines following message types:

  • Control messages—The in-band control channel passes sequenced control messages, supporting connection management, call management, error reporting, and session control. Optionally, a shared-secret challenge authentication method can be used between the tunnel endpoints.

    The following messages are used for L2TP tunnel management:

    • Tunnel setup (control connection management)

      • Start-control-connection-request (SCCRQ)

      • Start-control-connection-reply (SCCRP)

      • Start-control-connection-connected (SCCCN)

      • Stop-control-connection-notification (StopCCN)

    • Tunnel keepalive

      • Hello

    The following messages are used for L2TP session (call) management:

    • Session setup over an existing tunnel

      • Incoming-call-request (ICRQ)

      • Incoming-call-reply (ICRP)

      • Incoming-call-connected (ICCN)

      • Call-disconnect-notify (CDN)

    Zero-length body (ZLB) messages are control packets with an L2TP header only and are used to explicitly acknowledge packets, making the control channel reliable.

    L2TP message encoding is done through attribute value pairs (AVP).

  • Data messages — Data messages encapsulate the PPP frames that are sent into the L2TP tunnel.

L2TPv2 sessions run over an L2TP tunnel and are referenced by an L2TP session-id. An L2TP tunnel can carry none, one, or multiple L2TP sessions. An L2TP session corresponds to a PPPoE session. L2TPv3 for LAC-LNS dynamic tunnel setup is not supported.

L2TP header and AVP layout

The L2TPv2 header consists of following fields (RFC 2611):

Table 1. L2TPv2 header fields and descriptions

Field

Description

T

Type of L2TP message (1 bit): 0—data message 1—control message

L

Indicates if the optional Length field is present in the message (1 bit): 0—the field is left out of the message entirely 1—the field is included (must be included in control messages)

-

Reserved for future use, must be set to zero.

S

Indicates if the Ns and Nr fields are present (1 bit): 0 — the fields are left out of the message; entirely 1 — the fields are included (must be included in control messages)

O

Indicates if the Offset field is present (1 bit): 0 — the field is left out of the message entirely (must be left out of control messages); 1 — the field is included

P

Used with data messages only. Indicates priority of the data message (1 bit): 0 — no (this value is used for all control messages); 1 — yes

Version

The version of the message (4 bits): 2 — this is the latest version of the L2TP data message header; 1 — indicates an L2F packet as described in RFC 2341. Packets with an unknown version number are discarded.

Length

The total length (in bytes) of the L2TP message (16 bits).

Tunnel-ID

Identifies the L2TP tunnel (that is, the control connection).This number has local significance — each end gives the same tunnel different tunnel IDs. The ID refers to the receiver, not the sender, and is assigned during tunnel creation (16 bits).

Session-ID

Identifies the PPP session within a tunnel. This number has local significance — each end gives the same session different session IDs. The ID refers to the receiver, not the sender, and is assigned during session creation (16 bits).

Ns

The sequence number of the message. This is mandatory for control messages (to enable re-transmission of lost messages) but optional for data messages (to re-order data messages that were mis-sequenced during forwarding). The number, which starts at 0 and increments by 1, is assigned by an L2TP peer for each session in a tunnel (16 bits).

Nr

The sequence number of the next control message expected to be received. This is equal to the sequence number of last received control message plus 1. Used by the receiving peer to ensure that control messages are sent in order without duplication. In data messages, the field (if present as indicated by the S bit) is ignored (16 bits).

Offset Size

The location of the L2TP payload, expressed as the number of octets from the start of the message header (16 bits).

Offset pad

User-defined bytes used to pad the message header so that the payload starts at the location indicated by the Offset Size field (16 bits).

The AVP header consists of following fields (RFC 2611):

Table 2. AVP header fields and descriptions

Field

Description

M

Mandatory bit — If the M bit is set on an unrecognized AVP within a message associated with a particular session, the session associated with this message MUST be terminated (1 bit).

H

Hidden bit — Identifies the hiding of data in the Attribute-Value field of an AVP. This capability can be used to avoid the passing of sensitive data, such as user passwords, as clear text in an AVP. The H-bit MUST only be set if a shared secret exists between the LAC and LNS. The shared secret is the same secret that is used for tunnel authentication. If the H-bit is set in any AVP(s) in a given control message, a Random Vector AVP must also be present in the message and MUST precede the first AVP having an H bit of 1 (1 bit).

-

Reserved for future use, must be set to zero (4 bits).

Length

Indicates the total number of bytes (including the overall length and bitmask fields) contained in this AVP (10 bits).

Vendor-id

Any vendor wishing to implement their own L2TP extensions can use their own Vendor ID along with private Attribute values. Vendor-ID=0 means that the standard AVPs are used (2 bytes).

Attribute type

A value with a unique interpretation across all AVPs defined under a given Vendor (2 bytes).

Attribute value

This is the actual value as indicated by the Vendor ID and Attribute Type (2 bytes).

RADIUS-triggered tunnel/session setup without LNS renegotiation

RADIUS-triggered tunnel/session setup without LNS renegotiation depicts the complete PPP session setup, using RADIUS authentication on both LAC and LNS. After the discovery phase (PADI/PADO/PADR/PADS) and LCP negotiation phase (LCP config_request/ack), the LAC initiates the L2TP tunnel setup based on RADIUS authentication information (RADIUS request/accept) and includes the negotiated PPP user-LAC information (called LCP proxy information). The LNS replies directly with a successful CHAP authentication if it agrees with the received proxy information. IP negotiation (IPCP config_request/ack) is handled between the user and the LNS, and the LAC has no IP knowledge of this PPP session.

Figure 3. RADIUS-triggered tunnel/session setup without LNS renegotiation

Running multiple PPP sessions over a single L2TP tunnel

Running multiple PPP sessions over a single L2TP tunnel shows multiple PPP sessions tunneled over a single L2TP Tunnel. The LAC encapsulates each PPP session with a different L2TP session-id (SID) but with the same L2TP Tunnel-id (TID).

Figure 5. Running multiple PPP sessions over a single L2TP tunnel

PPP user-initiated release/terminate

PPP user-initiated release/terminate shows the user initiated terminate_request tunneled by the LAC followed by the user initiated PADT terminated on the LAC. The LAC informs the LNS about the termination of the session via the L2TP CDN message. The L2TP tunnel can be optionally (idle-timeout) terminated via the L2TP StopCCN message.

Figure 6. PPP user-initiated release/terminate

L2TP tunnel/session state diagram

L2TP tunnel and session state diagram gives an overview of the main L2TP tunnel and session states. An L2TP tunnel in the establishedIdle state is a tunnel without sessions. A tools command (see Advanced topics) can put an L2TP tunnel in a draining state (this prevents adding new sessions on tunnel but leaves the current sessions intact) or in a drained state (moved from draining to drained when all sessions terminated). The draining and drained state are not shown in the state diagram.

The L2TP tunnel setup occurs first with the triggers being: session activation, auto-establish, and a tools start command (see the Advanced topics section). An L2TP session setup trigger is always session based.

Figure 7. L2TP tunnel and session state diagram

Configuration

Scenario 1: RADIUS-derived L2TP parameters

In the first scenario, the LAC receives an incoming connection and contacts the LAC RADIUS server. The RADIUS server retrieves the attributes for the user's domain (for example @wholesale.com) and passes the tunnel attributes to the LAC. Based on these RADIUS provided tunnel attributes, the LAC selects or initiates a new tunnel to the LTS or directly to the LNS. Once the tunnel is established, the LNS authenticates the end user using its own RADIUS server. Configuring the LNS and the LTS are out of the scope of this example.

In a RADIUS driven L2TP setup, either all or some of the required L2TP attributes are returned via RADIUS. If the RADIUS server only returns the L2TP [67] Tunnel-Server-Endpoint attributes, then the L2TP tunnel/session is established using the ‛l2tp node parameter values’ for the other required L2TP parameters. The ‛l2tp node parameters’ are defined under the configure router/service l2tp hierarchy. If the RADIUS server does not return all of the L2TP attributes and the node values are not configured, then the system falls back to default settings for these L2TP parameters.

The standard and vendor specific [26-6572] L2TP RADIUS attributes are listed in the tables below, together with the corresponding l2tp node parameters and defaults.

Table 3. Generic L2TP RADIUS attributes

Attribute

ID

Attribute Name

Mandatory

CLI Node Parameter

Corresponding

Defaults

64

Tunnel-Type

Y

-

-

-

65

Tunnel-Medium-Type

Y

-

-

-

66

Tunnel-Client-Endpoint:[0-31]

N

local-address

no local-address

system-ip

67

Tunnel-Server-Endpoint

N

-

-

-

69

Tunnel-Password

N

password

no password

-

82

Tunnel-Assignment-ID:0

N

-

-

default_radius_group

82

Tunnel-Assignment-ID:[1..31]

N

-

-

Unnamed

83

Tunnel-Preference

N

preference

no preference

50

90

Tunnel-Client-Auth-ID

N

local-name

no local-name

system-name

91

Tunnel-Server-Auth-ID

N

-

-

-

Table 4. Nokia Specific L2TP RADIUS attributes

26-6527

Attribute Name

Mandatory

CLI Node

Parameter

Corresponding Defaults

-46

Alc-Tunnel-Group

N

-

-

-

-47

Alc-Tunnel-Algorithm

N

session-assign-method

no session-assign-method

existingFirst

-48

Alc-Tunnel-Max-Sessions:0

N

-

group-session-limit

131071

-48

Alc-Tunnel-Max-Sessions:[1..31]

N

-

tunnel-session-limit

32767

-49

Alc-Tunnel-Idle-Timeout

N

idle-timeout

no idle-timeout

Infinite

-50

Alc-Tunnel-Hello-Interval

N

hello-interval

no hello-interval

300 sec

-51

Alc-Tunnel-Destruct-Timeout

N

destruct-timeout

no destruct-timeout

60 sec

-52

Alc-Tunnel-Max-Retries-Estab

N

max-retries-estab

no max-retries-estab

5

-53

Alc-Tunnel-Max-Retries-Not-Estab

N

max-retries-not-estab

no max-retries-not-estab

5

-54

Alc-Tunnel-AVP-Hiding

N

avp-hiding

no avp-hiding

Never

-97

Alc-Tunnel-Challenge

N

challenge

no challenge

Never

-104

Alc-Tunnel-Serv-Id

N

-

-

Base

-120

Alc-Tunnel-Rx-Window-Size

N

receive-window-size

no receive-window-size

64

-144

Alc-Tunnel-Acct-Policy

N

radius-accounting-policy

no radius-accounting-policy

-

Base router hosted LAC with single endpoint/single tunnel

Using the mandatory L2TP RADIUS attributes (see the following RADIUS user file) the LAC initiates an L2TP tunnel, as shown in Base router hosted LAC with single endpoint/single tunnel. The source address for the tunnel is the IPv4 address of a loopback interface in the base router system (LAC tunnel endpoint).The destination for the tunnel is defined by the Tunnel-Server-Endpoint RADIUS attribute [67], and is also known as the peer tunnel LNS endpoint address.

Figure 8. Base router hosted LAC with single endpoint/single tunnel

The PPPoE user terminates on IES service 1, sap 1/1/3:100, and is authenticated via RADIUS authentication-policy authentication-1 which provides wholesale/retail (L2TP) information.

configure
    service
        ies 1 customer 1 create
            subscriber-interface "sub-l2tp" create
                unnumbered "system"
                group-interface "grp-l2tp" create
                    authentication-policy "radius-1"
                    sap 1/1/3:100 create
                        sub-sla-mgmt
                            sub-ident-policy "all-subscribers"
                            multi-sub-sap 1000
                            no shutdown
                        exit
                    exit
                    pppoe
                        sap-session-limit 10
                        no shutdown
                    exit
                exit
            exit
            no shutdown
        exit
    exit
exit

The excerpt from the FreeRADIUS users file below shows the attributes to be returned.

user1@wholesale.com     Cleartext-Password := "letmein", NAS-Identifier == "LAC"
                        Alc-Subsc-ID-Str = "%{User-name}",
                        Alc-Subsc-Prof-Str = "sub-profile-1",
                        Alc-SLA-Prof-Str = "sla-profile-1",
                        Tunnel-Type:1 += L2TP,
                        Tunnel-Medium-Type:1 +=IP,
                        Tunnel-Server-Endpoint:1 += 192.168.22.2,

L2TP is enabled (no shutdown) in the related service instance.

The L2TP tunnel is set up in the base instance and not in a VRF because the attribute Alc-Tunnel-Serv-Id is not returned from RADIUS.

Missing L2TP parameters are taken from defaults defined in the router l2tp context.

configure router l2tp 
       calling-number-format "%S %s"  # L2TP AVP 22 format 
                                      # Default format ‛system-name sap-id’
       ---snip---                  
       no local-name                  # default name equals system-name
       no max-retries-estab           # default value equals 5
       ---snip--- 
       no shutdown                    # enable L2TP

This scenario shows the PPPoE session termination (base IES service 1) and the L2TP tunnel setup in the base router instance.

Base router hosted LAC with multiple endpoints

Base router hosted LAC with multiple endpoints shows a scenario with the PPPoE session termination (base IES service 1) and the L2TP tunnel setup in the base router instance.

Figure 9. Base router hosted LAC with multiple endpoints

The following excerpt from the FreeRADIUS users file shows that user user1@wholesale.com has four possible endpoints (LNS), each with its own tunnel preference. The LAC selects one L2TP endpoint out of these four tunnel specifications according to the configured L2TP selection process. This use case uses weighted load balancing between RADIUS-tunnel-1 and RADIUS-tunnel-2. The L2TP tunnel selection process is out of the scope of this chapter.

user1@wholesale.com     Cleartext-Password := "letmein", NAS-Identifier == "LAC"
                        Alc-Subsc-ID-Str = "%{User-name}",
                        Alc-Subsc-Prof-Str = "sub-profile-1",
                        Alc-SLA-Prof-Str = "sla-profile-1",
# group related info
                        Tunnel-Client-Endpoint:0 = 192.168.22.1,
                        Alc-Tunnel-Algorithm:0 = weighted-access,
                        Tunnel-Client-Auth-Id:0 = "lac-pe1",
                        Tunnel-Assignment-Id:0 = "RADIUS-group",
                        Alc-Tunnel-Max-Retries-Estab:0 = 2,
# tunnel-1 related info
                        Tunnel-Type:1 += L2TP,
                        Tunnel-Medium-Type:1 +=IP,
                        Tunnel-Server-Endpoint:1 += 192.168.22.2,
                        Tunnel-Assignment-Id:1 += "RADIUS-tunnel-1",
                        Tunnel-Preference:1 += 100,
# tunnel-2 related info
                        Tunnel-Type:2 += L2TP,
                        Tunnel-Medium-Type:2 +=IP,
                        Tunnel-Server-Endpoint:2 += 192.168.22.3,
                        Tunnel-Assignment-Id:2 += "RADIUS-tunnel-2",
                        Tunnel-Preference:2 += 80,
# tunnel-3 related info
                        Tunnel-Type:3 += L2TP,
                        Tunnel-Medium-Type:3 +=IP,
                        Tunnel-Server-Endpoint:3 += 192.168.22.4,
                        Tunnel-Assignment-Id:3 += "RADIUS-tunnel-3",
                          
---snip--- 

VRF hosted LAC

VRF hosted LAC shows the PPPoE session termination (base IES service 1) and the L2TP tunnel setup in a different router instance (VPRN 65536).

Figure 10. VRF hosted LAC

Using the following L2TP RADIUS attributes, the LAC initiates an L2TP tunnel in VPRN 65536. The PPPoE session is still handled by IES service 1, which proves that both router instances can be different. (See use-case A for configuration details of IES service 1).

user1@wholesale.com     Cleartext-Password := "letmein", NAS-Identifier == "LAC"
                        Alc-Subsc-ID-Str = "%{User-name}",
                        Alc-Subsc-Prof-Str = "sub-profile-1",
                        Alc-SLA-Prof-Str = "sla-profile-1",
                        Alc-Tunnel-Serv-Id = 65536,
                        Tunnel-Client-Auth-Id:0 = "lac-pe1",
                        Tunnel-Assignment-Id:0 = "RADIUS-returned-TG",
                        Tunnel-Type:1 += L2TP,
                        Tunnel-Medium-Type:1 +=IP,
                        Tunnel-Server-Endpoint:1 += 192.168.33.2,
                        Tunnel-Assignment-Id:1 += "RADIUS-returned-TN",

If RADIUS does not return the L2TP source IP address (Tunnel-Client-Endpoint), then the IP address from the VPRN 65536 interface named ‛system’ is used as the L2TP source address. The tunnel setup fails if this system interface does not exist.

configure
    service
        vprn 65536
            interface "system" create
                address 192.168.33.1/32
                loopback
            exit
            l2tp
                no shutdown
            exit

Scenario 2: node-derived L2TP parameters

In the second scenario, the LAC receives the incoming connection and an L2TP tunnel-group-name is assigned during LUDB or RADIUS authentication. This tunnel-group-name refers to the CLI preconfigured tunnel-group name context (configure router <router-name> l2tp group <tunnel-group-name>), which provides the context for all relevant tunnel attributes.

Based on these attributes, the LAC selects and initiates a tunnel to the LTS or directly to the LNS as in Scenario 1: RADIUS-derived L2TP parameters.

RADIUS returns L2TP tunnel group

RADIUS returns L2TP tunnel group shows use case D, where the L2TP tunnel-group-name is assigned during RADIUS authentication.

Figure 11. RADIUS returns L2TP tunnel group
 
user1@wholesale.com     Cleartext-Password := "letmein", NAS-Identifier == "LAC"
                        Alc-Subsc-ID-Str = "%{User-name}",
                        Alc-Subsc-Prof-Str = "sub-profile-1",
                        Alc-SLA-Prof-Str = "sla-profile-1",
                        Alc-Tunnel-Serv-Id = 65536,
                        Alc-Tunnel-Group = "wholesale.com",

The L2TP tunnel is initiated from VPRN 65536 (Alc-Tunnel-Serv-Id) and all L2TP tunnel information is taken from the l2tp group wholesale.com hierarchy (Alc-Tunnel-Group) as defined on the node.

configure
    service
        vprn 65536
            ---snip---
            interface "system" create
                address 192.168.33.1/32
                loopback
            exit
            l2tp
                group "wholesale.com" create
                    tunnel "wholesale.com" create
                        local-address 192.168.33.1
                        local-name "lac-pe1"
                        peer 192.168.33.2
                        no auto-establish
                        no shutdown
                    exit
                    no shutdown
                exit
                no shutdown
            exit
            no shutdown
        exit
    exit
exit

An L2TP tunnel is set up by either a PPP session-trigger, a tools command or by the l2tp group tunnel auto-establish parameter configuration. See the Advanced topics section for the non-session-triggered tunnel setup.

LUDB returns L2TP tunnel group

LUDB returns L2TP tunnel group shows use case E, where the L2TP tunnel-group-name is assigned during LUDB authentication, so this essentially is a RADIUS-less scenario.

Figure 12. LUDB returns L2TP tunnel group

The PPPoE user enters on an IES service 1, sap 1/1/3:100, and is authenticated via the LUDB which provides L2TP wholesale/retail and ESM information. The PPPoE context refers to a local-user database l2tp to provide the subscriber authentication and the tunnel setup parameters, so no RADIUS is needed.

configure
    service
        ies 1 customer 1 create
            subscriber-interface "sub-l2tp" create
                unnumbered "system"
                group-interface "grp-l2tp" create
                    sap 1/1/3:100 create
                        sub-sla-mgmt
                            sub-ident-policy "all-subscribers"
                            multi-sub-sap 1000
                            no shutdown
                        exit
                    exit
                    pppoe
                        sap-session-limit 10
                        user-db "l2tp"
                        no shutdown
                    exit
                exit
            exit
            no shutdown
        exit
    exit
exit

The referenced local user database l2tp configuration provides all of the required L2TP and ESM information.

configure
    subscriber-mgmt
        local-user-db "l2tp" create
            ppp
                match-list username
                host "wholesale.com" create
                    host-identification
                        username "wholesale.com" domain-only
                    exit
                    password ignore
                    identification-strings 254 create
                        subscriber-id "user@wholesale.com"
                        sla-profile-string "sla-profile-1"
                        sub-profile-string "sub-profile-1"
                    exit
                    l2tp
                        group "wholesale.com" service-id 65536
                    exit
                    no shutdown
                exit
            exit
            no shutdown
        exit
    exit
exit

Operation and troubleshooting

The subsequent sections explain how the use cases A to E described in the configuration section are verified using show, debug, and tools commands.

The standard router debugging tools can be used to monitor and troubleshoot the L2TP tunnel and session setup.

Useful show commands are:

show service id <service-id> ppp session [detail]
show router l2tp tunnel [detail]
show router l2tp session [detail]
show router l2tp peer [ip-address]

To debug and show PPPoE packets:

debug service id <service-id> ppp packet mode egr-ingr-and-dropped
debug service id <service-id> ppp packet detail-level medium

To debug and show RADIUS authentication:

debug router radius packet-type authentication 

To debug and show LUDB authentication:

debug subscriber-mgmt local-user-db <local-user-db-name> detail all

To debug and show the LAC tunnel selection process and L2TP state machine:

debug router l2tp event lac-session-setup
debug router l2tp event finite-state-machine

To debug and show the L2TP tunnel and session setup:

debug router l2tp packet direction both
debug router l2tp packet detail-level high

Understanding the L2TP debug output

The following L2TP ICRQ message (debug router l2tp packet) is used to explain how the displayed debug output should be interpreted. See Recapitulation of the L2TPv2 protocol -L2TP header and AVP layout for more details.

19 2019/05/21 14:02:10.811 CEST MINOR: DEBUG #2001 Base L2TP(v2, ctrl, egress)
"L2TP(v2, ctrl, egress): UDP 192.0.2.1:1701 -> 192.168.22.2:1701
tunnel 13008 session 0, ns 2 nr 1, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        IncomingCallRequest(10)
    AVP AssignedSessionId(0,14), flags: mandatory, reserved=0
        26540
    AVP CallSerialNumber(0,15), flags: mandatory, reserved=0
        25216
    AVP CallingNumber(0,22), flags: mandatory, reserved=0
        "LAC 1/1/3:100"
    AVP AgentCircuitId(3561,1), flags:, reserved=0
        "circuit0"
    AVP AgentRemoteId(3561,2), flags:, reserved=0
        "remote0"
    AVP ActDataRateUp(3561,129), flags:, reserved=0
        2000000
    AVP ActDataRateDown(3561,130), flags:, reserved=0
        4000000"
  • L2TP(v2, ctrl, egress): UDP 192.0.2.1:1701 -> 192.168.22.2:1701

    • version: v2

    • type field (T-bit): control message (ctrl)

    • 192.0.2.1:1701 -> 192.168.22.2:1701

      • 192.0.2.1:1701 - source tunnel-end-point:source udp port

      • 192.168.22.2:1701 - destination tunnel-end-point:destination udp port

  • tunnel 13008 session 0, ns 2 nr 1, flags:, reserved=0

    • tunnel-id: 13008

    • session-id: 0

    • ns:2

    • nr:1

    • flags: 0 (refers to T/L/S/O/P bits L2TP header)

    • reserved field:0

  • AVP CallingNumber(0,22), flags: mandatory, reserved=0

    • AVP MessageType(0,22): "LAC 1/1/3:100"

      • Vendor-id: 0 - Standard Attribute

      • Attribute Type: 22 – Calling Number AVP

      • Attribute Value: "LAC 1/1/3:100"

Scenario 1: RADIUS-derived L2TP parameters

Base router hosted LAC with single endpoint/single tunnel

The debug service id <service-id> ppp packet mode egr-ingr-and-dropped command shows the PPPoE packet exchange. The following PADI packet shows the service, SAP, and received PPPoE tags. The received PPPoE DSL forum tags are by default copied during the LAC L2TP tunnel setup into the Incoming Call Request (ICRQ) DSL Forum AVPs (RFC 5515).

1 2019/05/21 14:02:10.779 CEST MINOR: DEBUG #2001 Base PPPoE
"PPPoE: RX Packet
   IES 1, SAP 1/1/3:100
 
   DMAC: ff:ff:ff:ff:ff:ff
   SMAC: 00:00:00:00:01:01
   Ether Type: 0x8863 (Discovery)
 
   PPPoE Header:
   Version: 1                 Type      : 1
   Code   : 0x09 (PADI)       Session-Id: 0x0000 (0)
   Length : 48
 
   PPPoE Tags:
   [0x0101] Service-Name: ""
   [0x0103] Host-Uniq: len = 1, value = 31
   [0x0105] Vendor-Specific: vendor-id = 0x0de9 (ADSL Forum)
      [0x01] Agent-Circuit-Id: "circuit0"
      [0x02] Agent-Remote-Id: "remote0"
      [0x81] Actual-Upstream: 2000
      [0x82] Actual-Downstream: 4000
"

The debug router radius packet-type authentication command shows the actual authentication parameters returned by RADIUS. This example returns the minimum set of L2TP related RADIUS attributes.

12 2019/05/21 14:02:10.806 CEST MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Receive
  Access-Accept(2) id 16 len 89 from 172.16.1.11:1812 vrid 1 pol rsp-radius-1
    VSA [26] 15 Nokia(6527)
      SUBSC PROF STR [12] 13 sub-profile-1
    VSA [26] 15 Nokia(6527)
      SLA PROF STR [13] 13 sla-profile-1
    TUNNEL TYPE [64] 4 1 L2TP(3)
    TUNNEL MEDIUM TYPE [65] 4 1 IPv4(1)
    TUNNEL SERVER ENDPOINT [67] 13 1 192.168.22.2
"

The debug router l2tp event lac-session-setup command shows the LAC tunnel selection for this example. An L2TP group-name default_radius_group with tunnel-name unnamed is created in this case, because RADIUS did not return an explicit group and tunnel name.

13 2019/05/21 14:02:10.808 CEST MINOR: DEBUG #2001 Base PPPoE 13->L2TP
"PPPoE 13->L2TP: UDP 192.0.2.1:1701 -> 192.168.22.2:1701
preference 50 tunnel default_radius_group:unnamed
    request to open new tunnel 1640"
14 2019/05/21 14:02:10.808 CEST MINOR: DEBUG #2001 Base PPPoE 13->L2TP
"PPPoE 13->L2TP: UDP 192.0.2.1:1701 -> 192.168.22.2:1701
preference 50 tunnel default_radius_group:unnamed
    create session 107505580"

The debug router l2tp packet detail-level command shows the L2TP tunnel and session setup for this example.

For the tunnel setup, the LAC sends a start-control-connection-request (SCCRQ) containing the assigned tunnel ID (no tunnel authentication in the example). The tunnel is now in a wait-reply state.

15 2019/05/21 14:02:10.808 CEST MINOR: DEBUG #2001 Base L2TP(v2, ctrl, egress)
"L2TP(v2, ctrl, egress): UDP 192.0.2.1:1701 -> 192.168.22.2:1701
tunnel 0 session 0, ns 0 nr 0, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        StartControlConnectionRequest(1)
    AVP ProtocolVersion(0,2), flags: mandatory, reserved=0
        version=1, revision=0
    AVP HostName(0,7), flags: mandatory, reserved=0
        "lac-pe1"
    AVP WindowSize(0,10), flags: mandatory, reserved=0
        64
    AVP FramingCapabilities(0,3), flags: mandatory, reserved=0
        sync=no, async=no
    AVP BearerCapabilities(0,4), flags: mandatory, reserved=0
        digital=yes, analogue=no
    AVP FirmwareRevision(0,6), flags:, reserved=0
        4869
    AVP VendorName(0,8), flags:, reserved=0
        "Nokia"
    AVP AssignedTunnelId(0,9), flags: mandatory, reserved=0
        1640"

The LNS can bring up the tunnel, so the LNS replies with a start-control-connection-reply (SCCRP) including the assigned tunnel-id.

16 2019/05/21 14:02:10.809 CEST MINOR: DEBUG #2001 Base L2TP(v2, ctrl, ingress)
"L2TP(v2, ctrl, ingress): UDP 192.168.22.2:1701 -> 192.0.2.1:1701
tunnel 1640 session 0, ns 0 nr 1, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        StartControlConnectionReply(2)
    AVP ProtocolVersion(0,2), flags: mandatory, reserved=0
        version=1, revision=0
    AVP HostName(0,7), flags: mandatory, reserved=0
        "lns-pe2"
    AVP WindowSize(0,10), flags: mandatory, reserved=0
        64
    AVP FramingCapabilities(0,3), flags: mandatory, reserved=0
        sync=no, async=no
    AVP BearerCapabilities(0,4), flags: mandatory, reserved=0
        digital=yes, analogue=no
    AVP FirmwareRevision(0,6), flags:, reserved=0
        4869
    AVP VendorName(0,8), flags:, reserved=0
        "Nokia"
    AVP AssignedTunnelId(0,9), flags: mandatory, reserved=0
        13008"

As the last step in the tunnel setup phase, the LAC responds with a start-control-connection-connected (SCCCN) message. After an LNS ZLB acknowledgment, the tunnel is in the establishedIdle state.

17 2019/05/21 14:02:10.810 CEST MINOR: DEBUG #2001 Base L2TP(v2, ctrl, egress)
"L2TP(v2, ctrl, egress): UDP 192.0.2.1:1701 -> 192.168.22.2:1701
tunnel 13008 session 0, ns 1 nr 1, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        StartControlConnectionConnected(3)"

Once the tunnel exists the session setup starts, a three-way exchange for session establishment within the tunnel is performed. The LAC sends an incoming-call-request (ICRQ) with the parameter information for the session. The session is now in the wait-reply state.

19 2019/05/21 14:02:10.811 CEST MINOR: DEBUG #2001 Base L2TP(v2, ctrl, egress)
"L2TP(v2, ctrl, egress): UDP 192.0.2.1:1701 -> 192.168.22.2:1701
tunnel 13008 session 0, ns 2 nr 1, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        IncomingCallRequest(10)
    AVP AssignedSessionId(0,14), flags: mandatory, reserved=0
        26540
    AVP CallSerialNumber(0,15), flags: mandatory, reserved=0
        25216
    AVP CallingNumber(0,22), flags: mandatory, reserved=0
        "LAC 1/1/3:100"
    AVP AgentCircuitId(3561,1), flags:, reserved=0
        "circuit0"
    AVP AgentRemoteId(3561,2), flags:, reserved=0
        "remote0"
    AVP ActDataRateUp(3561,129), flags:, reserved=0
        2000000
    AVP ActDataRateDown(3561,130), flags:, reserved=0
        4000000"

The LNS then sends an incoming-call-reply (ICRP) that contains the assigned session ID. The session is now in the connect state.

21 2019/05/21 14:02:10.813 CEST MINOR: DEBUG #2001 Base L2TP(v2, ctrl, ingress)
"L2TP(v2, ctrl, ingress): UDP 192.168.22.2:1701 -> 192.0.2.1:1701
tunnel 1640 session 26540, ns 1 nr 3, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        IncomingCallReply(11)
    AVP AssignedSessionId(0,14), flags: mandatory, reserved=0
        2466"

Finally, the LAC sends an incoming call connected (ICCN) and provides the LNS with additional information from the user initiated session. This information includes the LCP information from the negotiation that the LAC and remote user performed. This information is used by the LNS to decide whether to start LCP re-negotiation and/or authentication re-negotiation with the PPP user or not. After an LNS ZLB acknowledgment, the session is in the established state.

24 2019/05/21 14:02:10.814 CEST MINOR: DEBUG #2001 Base L2TP(v2, ctrl, egress)
"L2TP(v2, ctrl, egress): UDP 192.0.2.1:1701 -> 192.168.22.2:1701
tunnel 13008 session 2466, ns 3 nr 2, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        IncomingCallConnected(12)
    AVP FramingType(0,19), flags: mandatory, reserved=0
        sync=no, async=no
    AVP TxConnectSpeed(0,24), flags: mandatory, reserved=0
        4294967295
    AVP InitialRxLcpConfReq(0,26), flags:, reserved=0
         01 04 05 d4
         [1] MRU: 1492
    AVP LastTxLcpConfReq(0,27), flags:, reserved=0
         01 04 05 d4 03 05 c2 23 05 05 06 75 25 ad d3
         [1] MRU: 1492
         [3] Authentication-Protocol: 0xc223 (CHAP), Algorithm = 5 (MD5)
         [5] Magic-Number: 0x7525add3
    AVP LastRxLcpConfReq(0,28), flags:, reserved=0
         01 04 05 d4
         [1] MRU: 1492
    AVP ProxyAuthenType(0,29), flags:, reserved=0
        chap(2)
    AVP ProxyAuthenName(0,30), flags:, reserved=0
         "user1@wholesale.com"
    AVP ProxyAuthenChallenge(0,31), flags:, reserved=0
         13 ba fc db 18 15 b5 21 03 c9 61 8d 8a 1b 43 00
         c3 4a 80 51 df 52 f4 06 26 c8 16 db ce 2b 7d 62
         e5 7a bd 7d 0f
    AVP ProxyAuthenId(0,32), flags:, reserved=0
        id=1, reserved=0
    AVP ProxyAuthenResponse(0,33), flags:, reserved=0
         da c4 40 35 e4 4b 3f 72 3f eb 84 7b 09 99 5d f7
    AVP RxConnectSpeed(0,38), flags:, reserved=0
        4294967295"

The operational PPPoE session information for the IES 1 (base router) instance is as follows.

*A:LAC# show service id 1 ppp session
  
===============================================================================
PPP sessions for service 1
===============================================================================
User-Name
  Descr.
           Up Time       Type  Termination     IP/L2TP-Id/Interface-Id MC-Stdby
-------------------------------------------------------------------------------
user1@wholesale.com
  svc:1 sap:1/1/3:100 mac:00:00:00:00:01:01 sid:1
           0d 00:10:01   oE    lac             107505580
-------------------------------------------------------------------------------
No. of PPP sessions: 1
===============================================================================
*A:LAC#

The operational tunnel information in the base instance shows that the tunnel is established.

*A:LAC# show router l2tp tunnel
===============================================================================
Conn ID    Loc-Tu-ID Rem-Tu-ID State              Blacklist-state   Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
107479040  1640      13008     established        not-blacklisted   1
  default_radius_group                                              1
    unnamed
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
*A:LAC#

Detailed operational tunnel information is obtained using following command.

*A:LAC# show router l2tp tunnel tunnel-id 1640 detail
 
===============================================================================
L2TP Tunnel 107479040
===============================================================================
 
Connection ID: 107479040
Protocol     : v2
State        : established
IP           : 192.0.2.1
UDP          : 1701
Peer IP      : 192.168.22.2
Peer UDP     : 1701
Tx dst-IP    : 192.168.22.2
Tx dst-UDP   : 1701
Rx src-IP    : 192.168.22.2
Rx src-UDP   : 1701
Name         : lac-pe1
Remote Name  : lns-pe2
Assignment ID: unnamed
Group Name   : default_radius_group
Acct. Policy : N/A
Error Message: N/A
 
                                        Remote Conn ID    : 852492288
Tunnel ID         : 1640                Remote Tunnel ID  : 13008
Preference        : 50                  Receive Window    : 64
Hello Interval (s): 300                 AVP Hiding        : never
Idle TO (s)       : infinite            Destruct TO (s)   : 60
Max Retr Estab    : 5                   Max Retr Not Estab: 5
Cfg'd Sess Limit  : unlimited           Oper Session Limit: 32767                  '
Transport Type    : udpIp               Challenge         : never
Time Started      : 05/21/2019 14:02:11 Time Idle         : N/A
Time Established  : 05/21/2019 14:02:11 Time Closed       : N/A
Stop CCN Result   : noError             General Error     : noError
Blacklist-state   : not-blacklisted
Set Dont Fragment : true
 
Failover
State             : not-recoverable
Recovery Conn ID  : N/A
Recovery state    : not-applicable
Recovered Conn ID : N/A
Recovery method   : mcs
Track SRRP        : (Not specified)
Ctrl msg behavior : handle
Recovery time (ms)
Requested         : N/A
Peer              : N/A
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
*A:LAC#

The operational L2TP session information shows the L2TP session is established.

*A:LAC# show router l2tp session
  
===============================================================================
L2TP Session Summary
===============================================================================
ID                  Control Conn ID     Tunnel-ID   Session-ID  State
-------------------------------------------------------------------------------
107505580           107479040           1640        26540       established
-------------------------------------------------------------------------------
No. of sessions: 1
===============================================================================
*A:LAC#

For detailed operational L2TP session information use the following command.

*A:LAC# show router l2tp session session-id 26540 detail
  
===============================================================================
L2TP Session 107505580
===============================================================================
  
Connection ID: 107505580
State        : established
Tunnel Group : default_radius_group
Assignment ID: unnamed
Error Message: N/A
  
Control Conn ID   : 107479040           Rem Cntrl Conn ID : 852492288
Tunnel ID         : 1640                Remote Tunnel ID  : 13008
Session ID        : 26540               Remote Session ID : 2466
PW Type           : ppp                 Remote Conn ID    : 852494754
Time Started      : 05/21/2019 14:02:11
Time Established  : 05/21/2019 14:02:11 Time Closed       : N/A
CDN Result        : noError             General Error     : noError
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No. of sessions: 1
===============================================================================
*A:LAC#

Base router hosted LAC with multiple endpoints

The debug router radius packet-type authentication command shows the actual RADIUS authentication parameters returned. This example returns multiple tunnel endpoints from which the LAC selects one. This example uses weighted load balancing. (The L2TP tunnel selection process is out of the scope of this example).

12 2019/05/22 10:57:38.331 CEST MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Receive
  Access-Accept(2) id 83 len 225 from 172.16.1.11:1812 vrid 1 pol rsp-radius-1
    VSA [26] 15 Nokia(6527)
      SUBSC PROF STR [12] 13 sub-profile-1
    VSA [26] 15 Nokia(6527)
      SLA PROF STR [13] 13 sla-profile-1
    TUNNEL CLIENT ENDPOINT [66] 12 192.168.22.1
    VSA [26] 6 Nokia(6527)
      TUNNEL ALGORITHM [47] 4 weighted access(1)
    TUNNEL CLIENT AUTH ID [90] 7 lac-pe1
    TUNNEL ASSIGNMENT ID [82] 12 RADIUS-group
    VSA [26] 6 Nokia(6527)
      TUNNEL MAX RETRIES ESTAB [52] 4 0 2
    TUNNEL TYPE [64] 4 1 L2TP(3)
    TUNNEL MEDIUM TYPE [65] 4 1 IPv4(1)
    TUNNEL SERVER ENDPOINT [67] 13 1 192.168.22.2
    TUNNEL ASSIGNMENT ID [82] 16 1 RADIUS-tunnel-1
    TUNNEL PREFERENCE [83] 4 1 100
    TUNNEL TYPE [64] 4 2 L2TP(3)
    TUNNEL MEDIUM TYPE [65] 4 2 IPv4(1)
    TUNNEL SERVER ENDPOINT [67] 13 2 192.168.22.3
    TUNNEL ASSIGNMENT ID [82] 16 2 RADIUS-tunnel-2
    TUNNEL PREFERENCE [83] 4 2 80
"

The debug router l2tp event lac-session-setup command shows the LAC tunnel LNS2-T2 is selected for this example.

13 2019/05/22 10:57:38.332 CEST MINOR: DEBUG #2001 Base PPPoE 38->L2TP
"PPPoE 38->L2TP: UDP 192.168.22.1:1701 -> 192.168.22.3:1701
preference 80 tunnel RADIUS-group:RADIUS-tunnel-2
    request to open new tunnel 8880"
14 2019/05/22 10:57:38.332 CEST MINOR: DEBUG #2001 Base PPPoE 38->L2TP
"PPPoE 38->L2TP: UDP 192.168.22.1:1701 -> 192.168.22.3:1701
preference 80 tunnel RADIUS-group:RADIUS-tunnel-2
    create session 581989428"

The operational PPPoE session information in IES 1/base instance is shown as follows.

*A:LAC# show service id 1 ppp session
  
===============================================================================
PPP sessions for service 1
===============================================================================
User-Name
  Descr.
           Up Time       Type  Termination     IP/L2TP-Id/Interface-Id MC-Stdby
-------------------------------------------------------------------------------
user1@wholesale.com
  svc:1 sap:1/1/3:100 mac:00:00:00:00:01:01 sid:1
           0d 00:01:19   oE    lac             1066935934
-------------------------------------------------------------------------------
No. of PPP sessions: 1
===============================================================================
*A:LAC#

The operational L2TP tunnel information (base instance) is shown below.

*A:LAC# show router l2tp tunnel
===============================================================================
Conn ID    Loc-Tu-ID Rem-Tu-ID State              Blacklist-state   Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
581959680  8880      11367     established        not-blacklisted   1
  RADIUS-group                                                      1
    RADIUS-tunnel-2
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
*A:LAC#

Operational session information (base instance) shows the session is in the established state.

*A:LAC# show router l2tp session
 
===============================================================================
L2TP Session Summary
===============================================================================
ID                  Control Conn ID     Tunnel-ID   Session-ID  State
-------------------------------------------------------------------------------
581989428           581959680           8880        29748       established
-------------------------------------------------------------------------------
No. of sessions: 1
===============================================================================
*A:LAC#

The L2TP endpoint/peer information shows there are two tunnels for tunnel endpoint 192.168.22.2.

*A:LAC# show router l2tp peer
===============================================================================
L2TP Peers
===============================================================================
Peer IP                                            Port  Tun Active Ses Active
                                      Drain Reachability Tun Total  Ses Total
-------------------------------------------------------------------------------
192.168.22.2                                       1701  0          0
                                                         0          0
192.168.22.3                                       1701  1          1
                                                         1          1
-------------------------------------------------------------------------------
No. of peers: 2
===============================================================================
*A:LAC#

The following command gives a system overview of subscriber session related data. This system overview shows the current and peak values per session type (local PTA, LAC, LTS, LNS) and an overview of the number of originated or terminated L2TP tunnels. Peak values can be cleared via the clear subscriber-mgmt peakvalue-stats command.

*A:LAC# show subscriber-mgmt statistics session system
 
===============================================================================
Subscriber Management Statistics for System
===============================================================================
       Type                                Current     Peak      Peak Timestamp
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
PPP Session Statistics
-------------------------------------------------------------------------------
Local  PPP Sessions     - PPPoE                  0        0
       PPP Sessions     - PPPoEoA                0        0
       PPP Sessions     - PPPoA                  0        0
       PPP Sessions     - L2TP (LNS)             0        0
-------------------------------------------------------------------------------
LAC    PPP Sessions     - PPPoE                  1        2 05/22/2019 10:13:30
       PPP Sessions     - PPPoEoA                0        0
       PPP Sessions     - PPPoA                  0        0
       PPP Sessions     - L2TP (LTS)             0        0
-------------------------------------------------------------------------------
Total  PPP Sessions     - established            1        2 05/22/2019 10:13:30
       PPP Sessions     - in setup               0        1 05/22/2019 10:57:38
       PPP Sessions     - local                  0        0
       PPP Sessions     - LAC                    1        2 05/22/2019 10:13:30
-------------------------------------------------------------------------------
L2TP   L2TP Tunnels     - originator             1        3 05/21/2019 14:49:38
       L2TP Tunnels     - receiver               0        0
       Total L2TP Tunnels                        1        3 05/21/2019 14:49:38
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
IPOE Session Statistics
-------------------------------------------------------------------------------
Total  IPOE Sessions    - established            0        0
       IPOE Sessions    - in setup               0        0
-------------------------------------------------------------------------------
===============================================================================
Peak values last reset at : n/a
*A:LAC#

VRF hosted LAC

This example returns VPRN 65536 as the L2TP service instance [26-6527-104 Alc-Tunnel-Serv-Id]. The VPRN 65536 interface system address is used as the L2TP source address because the attribute Tunnel-Client-Endpoint is not returned.

The IP address 192.168.33.1 (Tunnel-Server-Endpoint) needs to be routable in VRF 65536 over a SAP or to a remote PE. This example uses BGP/MPLS IP virtual private networks (VPNs) (RFC 4364) to access the remote PE.

*A:LAC# show router 65536 route-table
 
===============================================================================
Route Table (Service: 65536)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
---snip---
192.168.33.1/32                               Local   Local     01d21h26m  0
       system                                                       0
192.168.33.2/32                               Remote  BGP VPN   20h03m54s  170
       192.0.2.2 (tunneled)                                         10
---snip---
===============================================================================
*A:LAC#

Operational PPPoE session information for IES 1 (base instance) is shown using following command.

*A:LAC# show service id 1 ppp session
 
===============================================================================
PPP sessions for service 1
===============================================================================
User-Name
  Descr.
           Up Time       Type  Termination     IP/L2TP-Id/Interface-Id MC-Stdby
-------------------------------------------------------------------------------
user1@wholesale.com
  svc:1 sap:1/1/3:100 mac:00:00:00:00:01:01 sid:1
           0d 00:07:40   oE    lac             893192647
-------------------------------------------------------------------------------
No. of PPP sessions: 1
===============================================================================
*A:LAC#

Operational tunnel information for VPRN 65536 is displayed as follows.

*A:LAC# show router 65536 l2tp tunnel
===============================================================================
Conn ID    Loc-Tu-ID Rem-Tu-ID State              Blacklist-state   Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
893190144  13629     14251     established        not-blacklisted   1
  RADIUS-returned-TG                                                1
    RADIUS-returned-TN
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
*A:LAC#

Operational session information for VPRN 65536 is displayed using following command, and shows that the session is established.

*A:LAC# show router 65536 l2tp session
 
===============================================================================
L2TP Session Summary
===============================================================================
ID                  Control Conn ID     Tunnel-ID   Session-ID  State
-------------------------------------------------------------------------------
893192647           893190144           13629       2503        established
-------------------------------------------------------------------------------
No. of sessions: 1
===============================================================================
*A:LAC#

Scenario 2: Node-derived L2TP parameters

RADIUS returns L2TP group

This example returns VPRN 65536 as the L2TP service instance [26-6527-104 ] Alc-Tunnel-Serv-Id and an L2TP group name wholesale.com [26-6527-46 ] Alc-Tunnel-Group.

12 2019/05/22 11:15:46.604 CEST MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Receive
  Access-Accept(2) id 85 len 95 from 172.16.1.11:1812 vrid 1 pol rsp-radius-1
    VSA [26] 15 Nokia(6527)
      SUBSC PROF STR [12] 13 sub-profile-1
    VSA [26] 15 Nokia(6527)
      SLA PROF STR [13] 13 sla-profile-1
    VSA [26] 6 Nokia(6527)
      TUNNEL SERVICE ID [104] 4 65536
    VSA [26] 15 Nokia(6527)
      TUNNEL GROUP [46] 13 wholesale.com
"

For operational PPPoE session information in IES 1/base instance, use following command.

A:LAC# show service id 1 ppp session
 
===============================================================================
PPP sessions for service 1
===============================================================================
User-Name
  Descr.
           Up Time       Type  Termination     IP/L2TP-Id/Interface-Id MC-Stdby
-------------------------------------------------------------------------------
user1@wholesale.com
  svc:1 sap:1/1/3:100 mac:00:00:00:00:01:01 sid:1
           0d 00:02:35   oE    lac             217909462
-------------------------------------------------------------------------------
No. of PPP sessions: 1
===============================================================================
*A:LAC#

Operational tunnel information for VPRN 65536 shows the tunnel is in the established state.

*A:LAC# show router 65536 l2tp tunnel
===============================================================================
Conn ID    Loc-Tu-ID Rem-Tu-ID State              Blacklist-state   Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
217907200  3325      374       established        not-blacklisted   1
  wholesale.com                                                     1
    wholesale.com
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
*A:LAC#

The operational session information for VPRN 65536 shows the session is in the established state.

*A:LAC# show router 65536 l2tp session
===============================================================================
L2TP Session Summary
===============================================================================
ID                  Control Conn ID     Tunnel-ID   Session-ID  State
-------------------------------------------------------------------------------
217909462           217907200           3325        2262        established
-------------------------------------------------------------------------------
No. of sessions: 1
===============================================================================
*A:LAC#

LUDB returns L2TP group

This example returns VPRN 65536 as the L2TP service instance and L2TP group name wholesale.com (LUDB L2TP group "wholesale.com" service-id 65536).

The debug subscriber-mgmt local-user-db l2tp detail all command shows the LUDB authentication access (The returned parameter details are not shown).

11 2019/05/22 11:26:21.277 CEST MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
  user-name:
    original:  user1@wholesale.com
    masked:    user1@wholesale.com
 
  Host wholesale.com found in user data base l2tp"

To show the operational data from LUDB l2tp, use the following command.

*A:LAC# show subscriber-mgmt local-user-db "l2tp" ppp-host "wholesale.com" 
                                      | match N/A invert-match 
                                      | match none invert-match
  
===============================================================================
PPP Host "wholesale.com"
===============================================================================
Admin State          : Up
Last Mgmt Change     : 05/20/2019 13:45:52
 
Host Identification
 User Name           : wholesale.com (domain only)
 
Matched Objects      : userName
 
Password Type        : ignore
PADO Delay           : 0msec
Diameter app policy  : (Not Specified)
Diameter auth policy : (Not Specified)
Force IPv6CP         : Disabled
Ignore DF Bit        : Disabled
 
DHCPv6 lease times
 Renew timer         : > 9999 days
 Rebind timer        : > 9999 days
 Preferred lifetime  : 0d 00:00:00
 Valid lifetime      : 0d 00:00:00
 
Identification Strings (option 254)
 Subscriber Id       : user@wholesale.com
 SLA Profile String  : sla-profile-1
 Sub Profile String  : sub-profile-1
 
L2TP
 Service             : 65536
 Tunnel Group        : wholesale.com
 
MSAP defaults
 
Filter Overrules
 
Access loop info
===============================================================================
*A:LAC#

The debug router l2tp event lac-session-setup command shows the LAC tunnel selected for this example.

12 2019/05/22 11:26:21.278 CEST MINOR: DEBUG #2001 vprn65536 PPPoE 41->L2TP
"PPPoE 41->L2TP: UDP 192.168.33.1:1701 -> 192.168.33.2:1701
preference 50 tunnel wholesale.com:wholesale.com
    request to open new tunnel 11734"
13 2019/05/22 11:26:21.278 CEST MINOR: DEBUG #2001 vprn65536 PPPoE 41->L2TP
"PPPoE 41->L2TP: UDP 192.168.33.1:1701 -> 192.168.33.2:1701
preference 50 tunnel wholesale.com:wholesale.com
    create session 769017741"

For the operational PPPoE session information in IES 1/base instance, use the following command.

*A:LAC# show service id 1 ppp session
 
===============================================================================
PPP sessions for service 1
===============================================================================
User-Name
  Descr.
           Up Time       Type  Termination     IP/L2TP-Id/Interface-Id MC-Stdby
-------------------------------------------------------------------------------
user1@wholesale.com
  svc:1 sap:1/1/3:100 mac:00:00:00:00:01:01 sid:1
           0d 00:03:12   oE    lac             769017741
-------------------------------------------------------------------------------
No. of PPP sessions: 1
===============================================================================
*A:LAC#

Operational tunnel information for VPRN 65536 can be obtained using following command.

*A:LAC# show router 65536 l2tp tunnel
===============================================================================
Conn ID    Loc-Tu-ID Rem-Tu-ID State              Blacklist-state   Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
768999424  11734     4184      established        not-blacklisted   1
  wholesale.com                                                     1
    wholesale.com
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
*A:LAC#

The operational session information for VPRN 65536 shows the session is in the established state.

*A:LAC# show router 65536 l2tp session
 
===============================================================================
L2TP Session Summary
===============================================================================
ID                  Control Conn ID     Tunnel-ID   Session-ID  State
-------------------------------------------------------------------------------
769017741           768999424           11734       18317       established
-------------------------------------------------------------------------------
No. of sessions: 1
===============================================================================
*A:LAC#

Advanced topics

Non-session-triggered L2TP tunnel setup

In addition to the PPP-session-triggered setup, an L2TP tunnel can also be set up via a tools command or an auto-establish command.

These non-session triggers are useful, for example, during the initial configuration phase where the LAC-LNS tunnel setup can be tested without the need for a user to attempt and establish a PPPoE connection.

The PPPoE user still triggers the L2TP session-setup over this L2TP tunnel and RADIUS needs to return an L2TP group name with the relevant name during authentication.

Auto-establish

Every minute, a check is performed to determine if tunnels need to be established (a process referred to as scan auto-establish). The tunnel state is establishedIdle when the tunnel is setup, and becomes established when user triggered sessions are set up over this tunnel.

configure
    service
        vprn 65536 customer 1 create
            l2tp
                group "wholesale.com" create
                    tunnel "wholesale.com" create
                        local-address 192.168.33.1
                        local-name "lac-pe1"
                        peer 192.168.33.2
                        auto-establish
                        no shutdown
                    exit
                    no shutdown
                exit
                no shutdown
            exit
            no shutdown
        exit
    exit
exit

There is no difference in operational behavior for a tunnel set up via a session-trigger or an auto-establish command. Removing the auto-establish parameter has no impact on active tunnels (establishedIdle or established).

*A:LAC# show router 65536 l2tp tunnel
===============================================================================
Conn ID    Loc-Tu-ID Rem-Tu-ID State              Blacklist-state   Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
475136000  7250      6770      establishedIdle    not-blacklisted   0
  wholesale.com                                                     0
    wholesale.com
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
*A:LAC#
Tools tunnel start

First revert to the original situation, without auto-establish, as follows:

*A:LAC# configure service vprn 65536 l2tp group "wholesale.com"
                                   tunnel "wholesale.com" no auto-establish
*A:LAC#

Verify the tunnel does not exist anymore, as follows:

*A:LAC# show router 65536 l2tp tunnel
No entries found.
*A:LAC#

Issue the tools command to manually establish the L2TP tunnel, as follows:

*A:LAC# tools perform router 65536 l2tp group "wholesale.com" 
                                            tunnel "wholesale.com" start
*A:LAC#

Verify a new tunnel has been created, as follows:

*A:LAC# show router 65536 l2tp tunnel
===============================================================================
Conn ID    Loc-Tu-ID Rem-Tu-ID State              Blacklist-state   Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
282394624  4309      4437      establishedIdle    not-blacklisted   0
  wholesale.com                                                     0
    wholesale.com
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
*A:LAC#

How long remains a tunnel idle before being torn down?

An L2TP tunnel can be torn down automatically, after the expiration of an idle timer, or manually through a tools command.

Idle timeout

A persistent tunnel is a tunnel that remains available after the last session over that tunnel is closed. To create a persistent tunnel, the idle-timeout parameter must be set to infinite.

A non-persistent tunnel is torn down immediately (idle-timeout zero) after the last session over that tunnel is closed or after a configurable delay. The idle-timeout parameter is set via the RADIUS [26-6527-49] Alc-Tunnel-Idle-Timeout attribute or the corresponding node parameter. The default value for this parameter is infinite (persistent).

configure router l2tp | configure service vprn l2tp
       idle-timeout [0..3600] s
       ---snip---
       group <tunnel-group-name>
           idle-timeout [0..3600] s | infinite       
           ---snip---  
           tunnel  <tunnel-name>
              idle-timeout [0..3600] s | infinite       
              ---snip---

The following shows an example of a non-persistent tunnel (idle-timeout 30 seconds). The tunnel changes state from established to establishedIdle when the last session is terminated. Idle-timeout seconds later, the session changes to the closed state. For the purpose of troubleshooting, the operational data stays available for destruct-timeout seconds (see later).

*A:LAC# show router l2tp tunnel detail
 
===============================================================================
L2TP Tunnel 921436160
===============================================================================
 
Connection ID: 921436160
Protocol     : v2
State        : closed
IP           : 192.0.2.1
 
---snip---
 
Name         : lac-pe1
Remote Name  : lns-pe2
Assignment ID: unnamed
Group Name   : default_radius_group
Acct. Policy : N/A
Error Message: idle timeout (30 seconds) expired
 
                                        Remote Conn ID    : 280231936
Tunnel ID         : 14060               Remote Tunnel ID  : 4276
Preference        : 50                  Receive Window    : 64
Hello Interval (s): 300                 AVP Hiding        : never
Idle TO (s)       : 30                  Destruct TO (s)   : 60
Max Retr Estab    : 5                   Max Retr Not Estab: 5
Cfg'd Sess Limit  : unlimited           Oper Session Limit: 32767                  '
Transport Type    : udpIp               Challenge         : never
 
---snip---
 
No. of tunnels: 1
===============================================================================
*A:LAC#

The following shows an example of a persistent tunnel (idle-timeout infinite).

*A:LAC# show router l2tp tunnel detail
 
===============================================================================
L2TP Tunnel 235405312
===============================================================================
 
Connection ID: 235405312
Protocol     : v2
State        : establishedIdle
IP           : 192.0.2.1
 
---snip---
 
Name         : lac-pe1
Remote Name  : lns-pe2
Assignment ID: unnamed
Group Name   : default_radius_group
Acct. Policy : N/A
Error Message: N/A
 
                                        Remote Conn ID    : 154861568
Tunnel ID         : 3592                Remote Tunnel ID  : 2363
Preference        : 50                  Receive Window    : 64
Hello Interval (s): 300                 AVP Hiding        : never
Idle TO (s)       : infinite            Destruct TO (s)   : 60
Max Retr Estab    : 5                   Max Retr Not Estab: 5
Cfg'd Sess Limit  : unlimited           Oper Session Limit: 32767
Transport Type    : udpIp               Challenge         : never
 
---snip---
 
No. of tunnels: 1
===============================================================================
*A:LAC#
Tools tunnel stop

In addition to the idle timeout used for tunnel termination, a tools stop command is also available that can be used to terminate persistent and non-persistent tunnels at any moment in time. Be aware that this command is very destructive and destroys all sessions carried over the closed tunnel.

Following command shows the tunnel is in the establishedIdle state.

*A:LAC# show router 65536 l2tp tunnel
===============================================================================
Conn ID    Loc-Tu-ID Rem-Tu-ID State              Blacklist-state   Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
60293120   920       7499      establishedIdle    not-blacklisted   0
  wholesale.com                                                     0
    wholesale.com
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
*A:LAC#

The following command terminates the L2TP tunnel. The tunnel is aborted (the LAC sends StopCCN) using the <connection-id> or <tunnel-group-name>+<tunnel-name> as input. This StopCCN indicates "operator request" as the error reason.

*A:LAC# tools perform router 65536 l2tp group "wholesale.com" 
                                         tunnel "wholesale.com" stop
INFO: CLI stopped 1 tunnels, destructed 0 tunnels.
*A:LAC#

The following debug output shows the tunnel being aborted.

13 2019/05/22 12:12:28.377 CEST MINOR: DEBUG #2001 vprn65536 L2TP(v2, ctrl, egress)
"L2TP(v2, ctrl, egress): UDP 192.168.33.1:1701 -> 192.168.33.2:1701
tunnel 12828 session 0, ns 2 nr 1, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        StopControlConnectionNotification(4)
    AVP ResultCode(0,1), flags: mandatory, reserved=0
        result-code: "generalRequestToClearControlConnection"(1), 
                                 error-code: "noGeneralError"(0)
        error-msg: "operator request"
    AVP AssignedTunnelId(0,9), flags: mandatory, reserved=0
        3695"

Alternatively, the tunnel can also be stopped with the following command. The effect would be the same.

*A:LAC# tools perform router 65536 l2tp tunnel 964886528 stop

Keepalive - L2TP hello

A keepalive mechanism is employed by L2TP in order to differentiate between tunnel outages and no control or data activity on a tunnel for an extended period. This is accomplished by injecting hello control messages after a specified period of time has elapsed since the last data or control message (ZLB not included) was received on a tunnel. As for any other L2TP control message, if the hello message is not reliably delivered, then the tunnel is declared down and reset, as defined in RFC 2661. This means that SR OS does not send hello packets if session control traffic is handled over this tunnel. The hello timer is reset if the system transmits any control packet over this tunnel (ZLB packets and data traffic are not taken into account).

The keepalive function is disabled (not recommended) using RADIUS [26-6527-50] Alc-Tunnel-Hello-Interval -1 or hello-interval infinite (default 300). The number of retries for unsuccessful hello packet delivery equals RADIUS [26-6527-52] Alc-Tunnel-Max-Retries-Estab or node parameter max-retries-estab (default 5). The retry interval is initially set to 1 second and doubles on each retry with a maximum interval of 8 seconds. Using a max-retries-estab 7 results in a retry of [1,2,4,8,8,8,8 seconds].

configure router l2tp | configure service vprn l2tp]
    hello-interval [60..3600] s | infinite  # default 300 s
    max-retries-estab [2..7]                # default 5
    ---snip---
    group <tunnel-group-name>
        hello-interval [60..3600] s | infinite
        max-retries-estab [2..7]     
        ---snip---
        tunnel  <tunnel-name>
            hello-interval [60..3600] s | infinite
            max-retries-estab [2..7]     
            ---snip---

For example, the LAC can be configured with an hello timer of 1 minute and the LNS with an hello timer of 2 minutes. The hello timer interval for LAC and LNS do not have to be same because the keepalive mechanism works asynchronous. See L2TP keepalive mechanism.

*A:LAC# show router l2tp tunnel
===============================================================================
Conn ID    Loc-Tu-ID Rem-Tu-ID State              Blacklist-state   Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
794361856  11364     5391      established        not-blacklisted   1
  default_radius_group                                              1
    unnamed
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
Figure 13. L2TP keepalive mechanism

L2TP keepalive mechanism shows the tunnel being closed after 5 unsuccessful Hello deliveries with error-message connection with peer lost.

*A:LAC# show router 65536 l2tp tunnel detail
 
===============================================================================
L2TP Tunnel 479985664
===============================================================================
 
Connection ID: 479985664

---snip---

Acct. Policy : N/A
Error Message: connection with peer lost
 
                                        Remote Conn ID    : 201195520
Tunnel ID         : 7324                Remote Tunnel ID  : 3070
Preference        : 50                  Receive Window    : 64
Hello Interval (s): 60                  AVP Hiding        : never
 
---snip---
 
No. of tunnels: 1
===============================================================================
*A:LAC#

Keeping closed tunnel and session information

The destruct-timeout parameter (expressed in seconds) controls the period of time that the tunnel, or session data related to a closed (disconnected) tunnel, or session persists before being removed. The destruct timeout is a debugging aid by keeping underlying memory structures after the tunnel or session is terminated. It is configured via the RADIUS [26-6527-51] Alc-Tunnel-Destruct-Timeout attribute or the corresponding node parameter. Default value for this parameter is 60 seconds.

configure router l2tp | configure service vprn l2tp
    destruct-timeout [60..86400] 
    ---snip---  
    group <tunnel-group-name>
        destruct-timeout [60..86400]
        ---snip--- 
        tunnel  <tunnel-name>
            destruct-timeout [60..86400] 

The following output shows a session that is closed and the reason for it being terminated.

*A:LAC# show router l2tp session detail
 
===============================================================================
L2TP Session 900466242
===============================================================================
 
Connection ID: 900466242
State        : closed
Tunnel Group : default_radius_group
Assignment ID: unnamed
Error Message: Terminated by PPPoE: Received PPPoE PADT
 
Control Conn ID   : 900464640           Rem Cntrl Conn ID : 899416064
Tunnel ID         : 13740               Remote Tunnel ID  : 13724
Session ID        : 1602                Remote Session ID : 23489
PW Type           : ppp                 Remote Conn ID    : 899439553
Time Started      : 05/22/2019 13:54:44
Time Established  : 05/22/2019 13:54:44 Time Closed       : 05/22/2019 13:54:50
CDN Result        : generalError        General Error     : vendorSpecific
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No. of sessions: 1
===============================================================================
*A:LAC#

The following output shows a tunnel that is closed and the reason for it being closed.

*A:LAC# show router l2tp tunnel detail
 
===============================================================================
L2TP Tunnel 900464640
===============================================================================
 
Connection ID: 900464640
Protocol     : v2
State        : closed
IP           : 192.0.2.1
UDP          : 1701
Peer IP      : 192.168.22.2
Peer UDP     : 1701
Tx dst-IP    : 192.168.22.2
Tx dst-UDP   : 1701
Rx src-IP    : 192.168.22.2
Rx src-UDP   : 1701
Name         : lac-pe1
Remote Name  : lns-pe2
Assignment ID: unnamed
Group Name   : default_radius_group
Acct. Policy : N/A
Error Message: idle timeout (60 seconds) expired
 
---snip---
 
No. of tunnels: 1
===============================================================================
*A:LAC#

When the destruct timeout expires the tunnel and session is deleted, as follows:

*A:LAC# show router l2tp session detail
No entries found.
*A:LAC# show router l2tp tunnel detail
No entries found.
*A:LAC#

Floating peers

A floating peer exists if the peer LNS address indicated in the source address of the SCCRP is different from the peer address known on the LAC. Floating peer allowance is configuration driven and is rejected by default.

The parameter peer-address-change-policy specifies whether the LAC accepts, ignores or rejects requests from a peer to change the destination IP address or UDP port.

configure router l2tp | configure service vprn l2tp
       peer-address-change-policy accept | ignore | reject
  • accept — Specifies that this system accepts any source IP address change for received L2TP control messages related to a locally originated tunnel in the state wait-reply and rejects any peer address change for other tunnels. In case the new peer IP address is accepted, it is learned and used as destination address in subsequent L2TP messages, as shown in Floating peers accept.

    Figure 14. Floating peers accept
  • ignore — Specifies that this system ignores any source IP address change for received L2TP control messages, does not learn any new peer IP address and does not change the destination address in subsequent L2TP messages, as shown in Floating peers ignore.

    Figure 15. Floating peers ignore
  • reject — Specifies that this system rejects any source IP address change for received L2TP control messages and drops those messages, as shown in Floating peers reject.

    Figure 16. Floating peers reject

The values Peer IP, Tx dst-IP and Rx src-IP in the show router l2tp tunnel detail command indicates if floating peers are used or not.

An example of a floating peer (peer-address-change-policy accept) is as follows.

*A:LAC# show router l2tp tunnel detail 
=======================================
L2TP Tunnel Status
=======================================
Connection ID: 897122304
State        : established
IP           : 192.0.2.1
UDP          : 1701
Peer IP      : 192.0.2.2 # (1) peer address used in SCCRQ 
Peer UDP     : 1701
Tx dst-IP    : 192.0.2.12 # (3) peer address used in SCCCN 
Tx dst-UDP   : 1701
Rx src-IP    : 192.0.2.12 # (2) SCCRP different IP received
Rx src-UDP   : 1701
---snip---

Tx/Rx connect speed - AVP 24/38

The connect speed (TX AVP 24 and RX AVP 38) is passed in the ICCN messages sent from the LAC to the LNS. The L2TP AVP 24 defines the (Tx) connect speed in bps from the perspective of traffic flowing from the LAC towards the subscriber (BNG downstream rate).The L2TP AVP 38 defines the (Rx) connect speed in bps from the perspective of traffic flowing from the subscriber toward the LAC (BNG upstream rate).

The report-rate configuration option indicates what rate is reported to the LNS when creating an L2TP session.

configure subscriber-mgmt sla-profile <sla-profile-name> ingress | egress
    report-rate agg-rate-limit|scheduler|pppoe-actual-rate|policer|rfc5515-actual-rate
  • agg-rate-limit — Take the aggregate rate as received from the RADIUS Access-Accept message in VSA Alc-Subscriber-QoS-Override. When this RADIUS VSA is not present in the Access-Accept, or when RADIUS is not used, then take the configured aggregate rate limit. In the case where this is not configured, then take the port rate.

  • scheduler <scheduler-name> — Take the rate of the specified scheduler. In case the scheduler is not linked with the scheduler-policy from the subscriber-profile, then take the port rate.

  • pppoe-actual-rate — Take the rate from the DSL-Forum Vendor-Specific PPPoE Tag when available, otherwise take the port rate.

  • rfc5515-actual-rate — Put the same value as the transmitted Actual-Data-Rate-Upstream AVP in the Rx-Connect-Speed AVP, and the same value as the transmitted Actual-Data-Rate-Downstream AVP in the Tx-Connect-Speed AVP.

Calling number AVP 22 format

The format of AVP 22 calling number in the ICRQ message is configurable via the parameter calling-number-format. The default format is "%S<space>%s" and corresponds to the concatenation of system-name<space>sap-id. Available parameters are %S (system-name), %c (Agent Circuit Id), %r Agent Remote Id, %s (sap-id), %l (Logical Line ID) and fixed strings. A combination can be configured from any of these parameters, but the total configured format cannot exceed 255 characters.

Example 1: Default configuration.

configure router l2tp calling-number-format "%S %s"
19 2019/05/22 14:01:04.885 CEST MINOR: DEBUG #2001 Base L2TP(v2, ctrl, egress)
"L2TP(v2, ctrl, egress): UDP 192.0.2.1:1701 -> 192.168.22.2:1701
tunnel 5593 session 0, ns 2 nr 1, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        IncomingCallRequest(10)
    AVP AssignedSessionId(0,14), flags: mandatory, reserved=0
        15342
    AVP CallSerialNumber(0,15), flags: mandatory, reserved=0
        84781
    AVP CallingNumber(0,22), flags: mandatory, reserved=0
        "LAC 1/1/3:100"
    AVP AgentCircuitId(3561,1), flags:, reserved=0
        "circuit0"
    AVP AgentRemoteId(3561,2), flags:, reserved=0
        "remote0"
    AVP ActDataRateUp(3561,129), flags:, reserved=0
        2000000
    AVP ActDataRateDown(3561,130), flags:, reserved=0
        4000000"

Example 2: Customized configuration and all parameters (%S %s %c) are available to construct the requested AVP 22.

configure router l2tp calling-number-format "start-%S###%s###%c-end"
19 2019/05/22 14:05:28.116 CEST MINOR: DEBUG #2001 Base L2TP(v2, ctrl, egress)
"L2TP(v2, ctrl, egress): UDP 192.0.2.1:1701 -> 192.168.22.2:1701
tunnel 832 session 0, ns 2 nr 1, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        IncomingCallRequest(10)
    AVP AssignedSessionId(0,14), flags: mandatory, reserved=0
        24748
    AVP CallSerialNumber(0,15), flags: mandatory, reserved=0
        84782
    AVP CallingNumber(0,22), flags: mandatory, reserved=0
        "start-LAC###1/1/3:100###circuit0-end"
    AVP AgentCircuitId(3561,1), flags:, reserved=0
        "circuit0"
    AVP AgentRemoteId(3561,2), flags:, reserved=0
        "remote0"
    AVP ActDataRateUp(3561,129), flags:, reserved=0
        2000000
    AVP ActDataRateDown(3561,130), flags:, reserved=0
        4000000"

Example 3: Customized configuration and not all parameters are available to construct the requested AVP 22. Option-82 circuit-id (%c),remote-id (%r), and LLID (%l) information are lacking and therefore missing (skipped) in the formatted attribute.

configure router l2tp calling-number-format "%S#%c#%r#%l#%s"
19 2019/05/22 14:07:26.302 CEST MINOR: DEBUG #2001 Base L2TP(v2, ctrl, egress)
"L2TP(v2, ctrl, egress): UDP 192.0.2.1:1701 -> 192.168.22.2:1701
tunnel 255 session 0, ns 2 nr 1, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        IncomingCallRequest(10)
    AVP AssignedSessionId(0,14), flags: mandatory, reserved=0
        20814
    AVP CallSerialNumber(0,15), flags: mandatory, reserved=0
        84783
    AVP CallingNumber(0,22), flags: mandatory, reserved=0
        "LAC#circuit0#remote0##1/1/3:100"
    AVP AgentCircuitId(3561,1), flags:, reserved=0
        "circuit0"
    AVP AgentRemoteId(3561,2), flags:, reserved=0
        "remote0"
    AVP ActDataRateUp(3561,129), flags:, reserved=0
        2000000

Prevent LAC from transmitting calling number AVP 22 to LNS

By default, the LAC includes the calling number AVP 22 in the L2TP incoming-call-request (ICRQ) packets transmitted to LNS. This AVP identifies the interface that is connected to the customer in the access network. Network access interface information can be hidden by configuring the LAC not to send the calling number AVP to the LNS.

Use the following command to disable the sending of L2TP calling number AVP 22.

configure router l2tp 
        exclude-avps calling-number

AVP 100 - Cisco-Nas-Port

Interoperation with a Cisco LNS requires that the LAC communicates a NAS port type to the LNS via the L2TP ICRQ ‛Cisco Nas Port Info AVP (100)’. This AVP (100) includes information that identifies the NAS port and indicates whether the port type is Ethernet or ATM and is configured via the cisco-nas-port parameter.

The Cisco AVP 100 format is as follows:

  • First 5 bytes are NAS-Port-Type:

    • 0f10090203 (Ethernet)

    • 0f10090201 (ATM)

  • Remaining four bytes correspond with the configured cisco-nas-port value

Example:

  • Ethernet 12b s-vlan-id; 10b c-vlan-id; 3b slot number; 2b MDA nbr; 5b port

  • ATM 12b VPI; 10b VCI; 3b slot number; 2b MDA nbr; 5b port

configure router l2tp 
        cisco-nas-port ethernet "*12o*10i*3s*2m*5p" atm "*12v*10c*3s*2m*5p"

nas-port 1/1/3:100 corresponds to 102563 (000000000000 0001100100 001 01 00011).

19 2019/05/22 14:11:49.431 CEST MINOR: DEBUG #2001 Base L2TP(v2, ctrl, egress)
"L2TP(v2, ctrl, egress): UDP 192.0.2.1:1701 -> 192.168.22.2:1701
tunnel 13002 session 0, ns 2 nr 1, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        IncomingCallRequest(10)
    AVP CiscoNasPort(9,100), flags:, reserved=0
        102563 type=ethernet(0f:10:09:02:03)
    AVP AssignedSessionId(0,14), flags: mandatory, reserved=0
        2461
    AVP CallSerialNumber(0,15), flags: mandatory, reserved=0
        84784
    AVP CallingNumber(0,22), flags: mandatory, reserved=0
        "LAC 1/1/3:100"
    AVP AgentCircuitId(3561,1), flags:, reserved=0
        "circuit0"
    AVP AgentRemoteId(3561,2), flags:, reserved=0
        "remote0"
    AVP ActDataRateUp(3561,129), flags:, reserved=0
        2000000
    AVP ActDataRateDown(3561,130), flags:, reserved=0
        4000000"

L2TP group/peer/tunnel draining

When the LAC has established sessions, the LAC can avoid the creation of new sessions for a specific group, peer, or tunnel, via the drain command.

No new sessions are created for a group, peer or tunnel that is being drained (draining state) but the current sessions are left intact.

After the drain command is issued, the group, peer, or tunnel moves from a draining to drained state when the last session is closed. A drained group, peer, or tunnel can then be managed (reconfigured, deleted) without any user impact.

Be aware that a group, peer, or tunnel in a draining or drained state is skipped in the tunnel selection process. The next example shows a tunnel draining; group and peer draining works according in the same way.

A tunnel has 1 session and is in established state.

*A:LAC# show router 65536 l2tp tunnel
===============================================================================
Conn ID    Loc-Tu-ID Rem-Tu-ID State              Blacklist-state   Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
1023868928 15623     9957      established        not-blacklisted   1
  wholesale.com                                                     1
    wholesale.com
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
*A:LAC#

The following tools drain command puts the tunnel in a draining state and leaves the sessions intact.

*A:LAC# tools perform router 65536 l2tp tunnel 1023868928 drain
*A:LAC#

Initially the tunnel is in the draining state.

*A:LAC# show router 65536 l2tp tunnel
===============================================================================
Conn ID    Loc-Tu-ID Rem-Tu-ID State              Blacklist-state   Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
1023868928 15623     9957      draining           not-blacklisted   1
  wholesale.com                                                     1
    wholesale.com
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
*A:LAC#

The tunnel moves to the drained state at the moment the last session is closed. Debugging shows that a drained tunnel is also not used as last resort and is skipped during the tunnel selection process.

*A:LAC# show router 65536 l2tp tunnel
===============================================================================
Conn ID    Loc-Tu-ID Rem-Tu-ID State              Blacklist-state   Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
1023868928 15623     9957      drained            not-blacklisted   0
  wholesale.com                                                     1
    wholesale.com
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
*A:LAC#

The following output shows new sessions cannot select a drained tunnel.

82289 2019/05/22 14:43:56.549 CEST MINOR: DEBUG #2001 vprn65536 PPPoE 19644->L2TP
"PPPoE 19644->L2TP: UDP 192.168.33.1:1701 -> 192.168.33.2:1701
preference 50 tunnel wholesale.com:wholesale.com
    no additional session can be created in tunnel 15623"
82290 2019/05/22 14:43:56.549 CEST MINOR: DEBUG #2001 vprn65536 PPPoE 19644->L2TP
"PPPoE 19644->L2TP:
    stop: no more tunnels can be tried"

The drained tunnel can then be closed without user impact.

*A:LAC# tools perform router 65536 l2tp tunnel 1023868928 stop
*A:LAC#
207376 2019/05/22 14:45:01.981 CEST MINOR: DEBUG #2001 vprn65536 L2TP(v2, ctrl,
                                                                   ingress)
"L2TP(v2, ctrl, ingress): UDP 192.168.33.2:1701 -> 192.168.33.1:1701
tunnel 15623 session 0, ns 2 nr 8, flags:, reserved=0"

207377 2019/05/22 14:46:01.853 CEST MINOR: DEBUG #2001 vprn65536 L2TP(v2, ctrl,
                                                                   ingress)
"L2TP(v2, ctrl, ingress): UDP 192.168.33.2:1701 -> 192.168.33.1:1701
tunnel 15623 session 0, ns 2 nr 8, flags:, reserved=0
    AVP MessageType(0,0), flags: mandatory, reserved=0
        StopControlConnectionNotification(4)
    AVP ResultCode(0,1), flags: mandatory, reserved=0
        result-code: "generalRequestToClearControlConnection"(1), 
                                         error-code: "noGeneralError"(0)
        error-msg: "idle timeout (60 seconds) expired"
    AVP AssignedTunnelId(0,9), flags: mandatory, reserved=0
        9957"

For draining and undraining for example a group, following commands can be used.

tools perform router 65536 l2tp group "wholesale.com" drain
tools perform router 65536 l2tp group "wholesale.com" no drain

Conclusion

This example provides the LAC L2TP access server configuration and troubleshooting commands for the LAA architecture (tunneled-access) model.