L2TP Network Server

This chapter describes the support for Layer 2 Tunneling Protocol (L2TP) Network Server (LNS) functionality on Cisco® ASR 5500 chassis and explains how it is configured. The product Administration Guides provide examples and procedures for configuration of basic services on the system. It is recommended that you select the configuration example that best meets your service model, and configure the required elements for that model, as described in the respective product Administration Guide, before using the procedures in this chapter.

Important

The Layer 2 Tunneling Protocol (L2TP) Network Server (LNS) is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.

When enabled through the session license and feature use key, LNS functionality is configured as context-level services on the system. LNS services support the termination of L2TP encapsulated tunnels from L2TP Access Concentrators (LACs) in accordance with RFC 2661.

Important

While establishing the L2TP session from the LAC to the LNS, the PPP connection for the user is established. The server uses the CHAP authentication protocol to authenticate the connection. When calculating the CHAP response for the CHAP challenge received by the server, the server does not consider the CHAP password.

Important

The LNS service uses UDP ports 13660 through 13668 as the source port for receiving packets from the LAC. You can force the LNS to only use the standard L2TP port (UDP port 1701) with the single-port-mode LNS service configuration mode command. Refer to the Command Line Interface Reference for more information on this command.
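The port behaviour above matters to anyone writing firewall rules or traffic inspection in front of the LNS: unless single-port-mode is set, LAC-to-LNS datagrams must be permitted on UDP 13660 through 13668 as well as on 1701. The following Python is an added example, not Cisco code: it checks a datagram's LNS-side UDP port against the configured mode and parses the L2TPv2 control header and Message Type AVP as defined in RFC 2661. The port set comes from this chapter; the SCCRQ sample and the function names are constructed for the example.

```python
import struct

# UDP ports the chapter attributes to the LNS (added example, not Cisco code).
L2TP_STANDARD_PORT = 1701
LNS_EXTRA_PORTS = range(13660, 13669)  # 13660 through 13668 inclusive
# RFC 2661 section 3.1 flag bits of the big-endian "Flags and Version" word,
# and section 6 Message Type AVP values for the control messages of interest.
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
MSG_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
             10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}

def lns_ports_allowed(single_port_mode):
    """LNS-side UDP ports a firewall in front of the LNS must permit."""
    return {L2TP_STANDARD_PORT} | (set() if single_port_mode else set(LNS_EXTRA_PORTS))

def parse_l2tp(payload):
    """Parse an L2TPv2 header; raise ValueError on anything RFC 2661 forbids."""
    flags = struct.unpack_from("!H", payload)[0] if len(payload) >= 2 else 0
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 datagram")
    if not flags & T_BIT:
        return {"control": False}  # data message: a PPP frame follows the header
    # Control messages MUST set L and S and MUST NOT set O or P (section 3.1).
    if not (flags & L_BIT and flags & S_BIT) or flags & (O_BIT | P_BIT) or len(payload) < 12:
        raise ValueError("malformed control header")
    length, tunnel_id, session_id, ns, nr = struct.unpack_from("!HHHHH", payload, 2)
    if length != len(payload):
        raise ValueError("length field does not match datagram size")
    msg = {"control": True, "tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr}
    if length == 12:  # header only: Zero-Length Body acknowledgement
        msg["type"] = "ZLB"
        return msg
    # First AVP must be Message Type: flags/length (M bit, length 8), Vendor ID 0, Attribute 0.
    if length < 20 or struct.unpack_from("!HHH", payload, 12) != (0x8008, 0, 0):
        raise ValueError("first AVP is not a mandatory Message Type AVP")
    msg["type"] = MSG_TYPES.get(struct.unpack_from("!H", payload, 18)[0], "other")
    return msg

def check_lac_to_lns(dst_port, payload, single_port_mode=False):
    """Classify one LAC-to-LNS datagram as ('accept' | 'reject', reason)."""
    if dst_port not in lns_ports_allowed(single_port_mode):
        return "reject", f"UDP port {dst_port} is not used by the LNS in this mode"
    try:
        return "accept", parse_l2tp(payload).get("type", "data")
    except ValueError as err:
        return "reject", str(err)

# Constructed sample: a LAC's SCCRQ with tunnel/session 0, Ns = Nr = 0, carrying
# only the Message Type AVP (M bit set, length 8, vendor 0, attribute 0, value 1).
SAMPLE_SCCRQ = struct.pack("!HHHHHHHHHH", 0xC802, 20, 0, 0, 0, 0, 0x8008, 0, 0, 1)
```

Running `check_lac_to_lns(13664, SAMPLE_SCCRQ)` accepts the tunnel request, while the same call with `single_port_mode=True` rejects it, which is the rule a firewall must reflect once the command is applied.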

LNS Service Operation, on page 2

Configuring the System to Support LNS Functionality, on page 10


Summary of Contents for L2TP

Page 2: ...e peer LACs. The source context is also configured to provide AAA functionality for subscriber sessions. The destination context facilitates the packet data network interface(s) and can optionally be configured with pools of IP addresses for assignment to subscriber sessions. In this configuration, the LNS service in the source context terminates L2TP tunnels from peer LACs and routes the subscriber...

Page 3: ...ill be configured. (IP address and subnet) This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. (Physical por...

Page 4: ...h tunnel facilitated by the LNS service. The number can be configured to any integer value from 1 to 65535. The default is 65535. (Maximum number of sessions per tunnel) This defines the maximum number of tunnels supported by the LNS service. The number can be configured to any integer value from 1 to 32000. The default is 32000. (Maximum number of tunnels) IP address or network prefix and mask: The IP addre...

Page 5: ...igured. (IP address and subnet) A single physical port can facilitate multiple interfaces. (Physical port number) This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the source context and are used to bind logical A...

Page 6: ...assigned a priority. (RADIUS Authentication server) Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context. A shared secret is needed for each configured RADIUS server. UDP Port Number: Specifies the port used by the source context and the RADIUS authentication s...

Page 7: ... communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813. Specifies the name by which the source context will be identified in the Access-Request message(s) it sends to the RADIUS server. The name must be between 1 and 32 alpha and/or numeric characters and is case sensitive. (RADIUS attribute NAS-Identifier) Specifies the IP address of the source contex...

Page 8: ...face. Multiple addresses and/or subnets are needed if multiple interfaces will be configured. (IP address and subnet) A single physical port can facilitate multiple interfaces. (Physical port number) This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions will be needed if multiple ports will be us...

Page 9: ...st from a peer LAC is received by the LNS service. The tunnel is to facilitate a subscriber session. 2. The LAC and LNS establish the L2TP tunnel according to the procedures defined in RFC 2661. Once the L2TP tunnel is established, subscriber L2TP sessions can be established. 3. The LNS service determines which context to use in providing AAA functionality for the subscriber session, if authentication is ...

Page 10: ...ure additional LNS service properties, refer to the LNS Configuration Mode Commands chapter in the Command Line Interface Reference. Important: To configure the system to provide access control list facility to subscribers: Step 1. Create the LNS service and bind it to an interface IP address by applying the example configuration in the Creating and Binding LNS Service section. Step 2. Specify the authentication pa...

Page 11: ...vice. Use the following example to configure authentication parameters for the LNS service:

    configure
      context dest_ctxt_name
        lns-service lns_svc_name
          authentication { allow-noauth | chap pref | mschap pref | pap pref | msid-auth }
          end

Note: For more information on the authentication procedure and priorities, refer to the authentication command section in the LNS Configuration Mode Commands chapter of the Command Line Interface Reference. Conf...

Page 12: ...ed for the subscriber in the event that their mobile node does not negotiate CHAP, PAP or MSCHAP. If this option is selected, no further attempts are made to authenticate the user. Instead, the constructed NAI is used for accounting purposes. This command should only be used if the LNS service is configured to allow no authentication using the authentication allow-noauth command. Important. Verifying the ...

Page 13: ...on: Enabled
    Tunnel Switching: Enabled
    Max Tunnel Challenge Length: 16
    PPP Authentication: CHAP 1 PAP 2
    Allow Noauthentication: Disabled
    MSID Authentication: Disabled
    No NAI Construct Domain defined
    No Default Subscriber defined
    IP Src Violation Reneg Limit: 5
    IP Src Violation Drop Limit: 10
    IP Src Violation Period: 120 secs
    Service Status: Not started
    Newcall Policy: None
    ...
