For feedback and comments: documentation.feedback@alcatel-lucent.com
• Peer — A run-time object that is defined by an ip-address/port combination. Multiple tunnels can be terminated on the same peer. The list of peers can be obtained using the show router l2tp peer command.

Example RADIUS users file entry in which tagged Tunnel-* attributes define four tunnels (tags 1 to 4), each to a different server endpoint:

    tunnel.com Auth-Type := Local, Password == "tunnel1"
        Tunnel-Type:1 += L2TP,
        Tunnel-Medium-Type:1 += IP,
        Tunnel-Client-Auth-Id:1 += lns_tun,
        Tunnel-Assignment-Id:1 += 1,
        Tunnel-Client-Endpoint:1 += 10.0.0.1,
        Tunnel-Server-Endpoint:1 += 10.0.0.2,
        Tunnel-Password:1 += TUNNELPASS,
        Tunnel-Type:2 += L2TP,
        Tunnel-Medium-Type:2 += IP,
        Tunnel-Client-Auth-Id:2 += lns_tun,
        Tunnel-Assignment-Id:2 += 2,
        Tunnel-Client-Endpoint:2 += 10.0.0.1,
        Tunnel-Server-Endpoint:2 += 10.0.0.3,
        Tunnel-Password:2 += TUNNELPASS,
        Tunnel-Type:3 += L2TP,
        Tunnel-Medium-Type:3 += IP,
        Tunnel-Client-Auth-Id:3 += lns_tun,
        Tunnel-Assignment-Id:3 += 3,
        Tunnel-Client-Endpoint:3 += 10.0.0.1,
        Tunnel-Server-Endpoint:3 += 10.0.0.4,
        Tunnel-Password:3 += TUNNELPASS,
        Tunnel-Type:4 += L2TP,
        Tunnel-Medium-Type:4 += IP,
        Tunnel-Client-Auth-Id:4 += lns_tun,
        Tunnel-Assignment-Id:4 += 4,
        Tunnel-Client-Endpoint:4 += 10.0.0.1,
        Tunnel-Server-Endpoint:4 += 10.0.0.5,
        Tunnel-Password:4 += TUNNELPASS

Although there is no configuration option that controls whether a peer can be blacklisted (a peer is always blacklisted on tunnel timeout), the amount of time that a peer remains in the blacklist is configurable within the tunnel-selection-blacklist CLI node.
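As an added illustration (this is a model written for this page, not code from the Alcatel-Lucent documentation or from SR OS), the following Python parses the tagged Tunnel-* attributes of a users file entry into candidate tunnels, keeps a blacklist of peers (ip-address/port) that are added on tunnel timeout and expire after a configurable max-time with max-list-length bounding the list, and skips blacklisted peers when picking the next tunnel. The users file entry, the 5-minute max-time default and the tag-order selection are constructed assumptions.

```python
import re
from collections import OrderedDict

# Constructed users-file entry in the tagged form shown above (sample values).
USERS_ENTRY = """tunnel.com Auth-Type := Local, Password == "tunnel1"
    Tunnel-Type:1 += L2TP, Tunnel-Client-Endpoint:1 += 10.0.0.1, Tunnel-Server-Endpoint:1 += 10.0.0.2, Tunnel-Password:1 += TUNNELPASS,
    Tunnel-Type:2 += L2TP, Tunnel-Client-Endpoint:2 += 10.0.0.1, Tunnel-Server-Endpoint:2 += 10.0.0.3, Tunnel-Password:2 += TUNNELPASS,
    Tunnel-Type:3 += L2TP, Tunnel-Client-Endpoint:3 += 10.0.0.1, Tunnel-Server-Endpoint:3 += 10.0.0.4, Tunnel-Password:3 += TUNNELPASS
"""
ATTR_RE = re.compile(r"(Tunnel-[\w-]+):(\d+)\s*\+=\s*([^,\s]+)")
L2TP_PORT = 1701  # a peer is the (ip-address, udp-port) pair

def parse_tunnels(entry):
    """Group tagged Tunnel-* attributes by tag; each tag is one candidate."""
    by_tag = {}
    for attr, tag, value in ATTR_RE.findall(entry):
        by_tag.setdefault(int(tag), {})[attr] = value
    return [by_tag[t] for t in sorted(by_tag)]

class PeerBlacklist:
    """Model of the blacklist described above (not SR OS code): a peer is
    added on tunnel timeout, stays listed for max_time minutes, and max_len
    (max-list-length) evicts the oldest entry when the list overflows."""
    def __init__(self, max_time=5, max_len=None):
        self.max_time, self.max_len = max_time * 60, max_len
        self.entries = OrderedDict()  # peer -> time blacklisted (seconds)
    def add(self, peer, now):
        self.entries.pop(peer, None)
        self.entries[peer] = now
        if self.max_len is not None and len(self.entries) > self.max_len:
            self.entries.popitem(last=False)
    def remaining(self, peer, now):
        """Seconds left in the blacklist; 0 means the peer is selectable."""
        t = self.entries.get(peer)
        if t is None:
            return 0
        left = self.max_time - (now - t)
        if left <= 0:
            del self.entries[peer]  # expired: back to selectable
            return 0
        return left

def select_tunnel(tunnels, blacklist, now):
    """First candidate in tag order whose server peer is not blacklisted."""
    for tun in tunnels:
        peer = (tun["Tunnel-Server-Endpoint"], L2TP_PORT)
        if blacklist.remaining(peer, now) == 0:
            return tun["Tunnel-Server-Endpoint"]
    return None  # every candidate blacklisted; setup must wait for expiry
```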
2. This behavior can be enabled with the following CLI:

    configure router l2tp
    configure service vprn <id> l2tp
        tunnel-selection-blacklist
            add-tunnel on <reason> [<reason>... (up to 7 max)]
                <reason> : cdn-err-code|cdn-inv-dest|cdn-tmp-no-facilities|cdn-perm-no-facilities|tx-cdn-not-established-in-time|stop-ccn-err-code|stop-ccn-other|addr-change-timeout

    configure router l2tp
    configure service vprn <id> l2tp
        next-attempt same-preference-level | next-preference-level

    configure router l2tp
    configure service vprn <id> l2tp tunnel-selection-blacklist
        max-time 1..60 (minutes)
        max-list-length unlimited | 1..65535

The blacklist state of peers and tunnels can be displayed with:

    show router <id> l2tp peer blacklisted|not-blacklisted|selectable

    show router l2tp peer 10.100.0.2
    ===============================================================================
    Peer IP: 10.100.0.2
    ===============================================================================
    Roles capab/actual: LAC LNS /LAC -          Draining        : false
    Tunnels           : 1                       Tunnels Active  : 0
    Sessions          : 1                       Sessions Active : 0
    Reachability      : blacklisted             Time Unreachable: 01/31/2013 08:55:06
    Time Blacklisted  : 01/31/2013 08:55:06     Remaining (s)   : 34
    ===============================================================================
    Conn ID      Loc-Tu-ID  Rem-Tu-ID  State      Ses Active
      Group                                       Ses Total
      Assignment
    -------------------------------------------------------------------------------
    977207296    14911      0          closed     0
      base_lac_base_lns                           1
      t1
    -------------------------------------------------------------------------------
    No. of tunnels: 1
    ===============================================================================

    show router l2tp tunnel detail
    ===============================================================================
    L2TP Tunnel Status
    ===============================================================================
    Connection ID: 831782912
    State        : closedByPeer
    IP           : 10.0.0.1
    Peer IP      : 10.100.0.2
    Tx dst-IP    : 10.100.0.2
    Rx src-IP    : 10.100.0.2
    Name         : lac
    Remote Name  :
    Assignment ID: t1
    Group Name   : base_lac_base_lns
    Acct. Policy : l2tp-base
    Error Message: N/A
    Remote Conn ID   : 4294901760
    Tunnel ID        : 12692                 Remote Tunnel ID  : 65535
    UDP Port         : 1701                  Remote UDP Port   : 1701
    Preference       : 50                    Receive Window    : 64
    Hello Interval (s): 300
    Idle TO (s)      : 5                     Destruct TO (s)   : 60
    Max Retr Estab   : 5                     Max Retr Not Estab: 5
    Session Limit    : 32767                 AVP Hiding        : sensitive
    Transport Type   : udp
    Ip Challenge     : never
    Time Started     : 01/31/2013 08:56:58   Time Idle         : 01/31/2013 08:56:58
    Time Established : N/A                   Time Closed       : 01/31/2013 08:56:58
    Stop CCN Result  : reqShutDown           General Error     : noError
    Blacklist-state  : blacklisted
    Blacklist Time   : 01/31/2013 08:56:58   Remaining (s)     : 49
    -------------------------------------------------------------------------------
    No. of tunnels: 1
    ===============================================================================

Entries can be removed from the blacklist with:

    clear router <id> l2tp tunnel-selection-blacklist
    clear router <id> l2tp peer <ip-address> [udp-port <port>] tunnel-selection-blacklist
    clear router <id> l2tp group <tunnel-group-name> [tunnel <tunnel-name>] tunnel-selection-blacklist
    clear router <id> l2tp tunnel <connection-id> tunnel-selection-blacklist

Enabling router solicitation on the group interface, without and with a local user database:

    *A:eng-BNG-2>config>service>vprn>sub-if>grp-if>ipv6# info
    ----------------------------------------------
        router-solicit
            no shutdown
        exit

    *A:eng-BNG-2>config>service>vprn>sub-if>grp-if>ipv6# info
    ----------------------------------------------
        router-solicit
            user-db "slaac-users"
            no shutdown
        exit

If using RADIUS, the "framed-ipv6-prefix" attribute is used.
The attribute must be a /64 prefix. The SLAAC prefix can be configured per host in the local user database, or taken from a pool on a local DHCPv6 server:

    *A:eng-BNG-2>config>subscr-mgmt>loc-user-db>ipoe>host# info
    ----------------------------------------------
        ipv6-slaac-prefix 2001::/64

    *A:eng-BNG-2>config>service>vprn>dhcp6# info
    ----------------------------------------------
        local-dhcp-server "dhcp6-server" create
            use-pool-from-client
            pool "pool-01" create
                prefix 2001::/32 wan-host create
                exit
            exit
        exit

    *A:eng-BNG-2>config>service>vprn>sub-if>grp-if# info
    ----------------------------------------------
        local-address-assignment
            ipv6
                client-application ppp-slaac ipoe-slaac
                server "dhcp6-server"
            exit
            no shutdown
        exit

    *A:eng-BNG-2>config>subscr-mgmt>loc-user-db>ipoe>host# info
    ----------------------------------------------
        ipv6-slaac-prefix-pool "pool-01"

The CDN result code sent to the peer can be replaced with the following CLI:

    configure router l2tp
    configure service vprn <id> l2tp
        replace-result-code {cdn-tmp-no-facilities | cdn-perm-no-facilities | cdn-inv-dest}
        no replace-result-code

If there is a requirement to support per-ISP (and per-subscriber host) QoS control for downstream traffic on the LAC towards the users based on the DSCP marking in the L2TP header, the command use-ingress-l2tp-dscp must be configured within the sla-profile selected for the users.

An example topology is shown in Figure 38, in which the downstream traffic arrives at the LAC with:

It would be possible to apply the ler-use-dscp parameter at the LAC network ingress to classify based on the L2TP header DSCP, but this would require the QoS schemes used by all ISPs, and by the wholesale provider, to have a consistent interpretation of the DSCP bits. Configuring the parameter use-ingress-l2tp-dscp in the sla-profile of the ISP1 and ISP2 users forces the egress QoS control to be based on the DSCP from the L2TP header received on the LAC (which is set by ISP1/ISP2).
This provides per-ISP (and per-subscriber host) QoS control for downstream traffic on the LAC towards the users.

Figure 39: L2TP Tunnel Accounting

When L2TP tunnel accounting is enabled, the following accounting packets and attributes are sent in addition to the host- or sla-profile-based accounting packets and attributes:

Table 12 describes L2TP tunnel accounting behavior along with some key RADIUS attributes (these apply to both LAC and LNS):
Table 12: L2TP Tunnel Accounting Behavior

Table 13 lists the optional attributes that can be included in tunnel accounting packets; some of them apply to link-level accounting only.
Table 13: Optional RADIUS Attributes
Table 14: Supported RADIUS VSAs

Policy-name; if the name is disable, L2TP tunnel accounting is disabled for this tunnel.

The lns-reassembly commands, which inform the ingress forwarding plane that all L2TP packets should be sent to the BB-ISA, are configured in the config>router>l2tp and config>service>vprn>l2tp contexts.