05-Network Connectivity Command Reference
08-L2TP commands
L2TP commands
allow l2tp
Use allow l2tp to configure an L2TP network server (LNS) to accept Layer 2 Tunneling Protocol (L2TP) tunneling requests from an L2TP access concentrator (LAC), and to specify a VT interface for tunnel setup.
Use undo allow to restore the default.
Syntax
allow l2tp virtual-template virtual-template-number [ remote remote-name ]
Default
An LNS denies L2TP tunneling requests from any LACs.
Views
L2TP group view
Predefined user roles
network-admin
Parameters
virtual-template virtual-template-number: Specifies a VT interface by its number. The value range for the virtual-template-number argument is 0 to 1023. An LNS dynamically creates virtual access (VA) interfaces based on the configuration of a VT interface. Each VA interface is used to carry data for a different L2TP session.
remote remote-name: Specifies the name of the tunnel peer (LAC) initiating tunneling requests, a case-sensitive string of 1 to 31 characters.
Usage guidelines
Application scenarios
The allow l2tp command is available only on LNSs.
Operating mechanism
For L2TP group 1, if you do not specify the remote remote-name option, an LNS accepts tunneling requests from any LACs. In this case, L2TP group 1 acts as the default L2TP group. For L2TP groups other than L2TP group 1, the remote remote-name option must be configured.
· When an LAC that initiates a tunneling request is the tunnel peer configured in an L2TP group, the LNS uses the tunnel parameters configured in this group for tunnel setup.
· When the LAC is not the tunnel peer configured in any L2TP group, the LNS performs one of the following operations:
¡ Uses the tunnel parameters for the default L2TP group if it exists.
¡ Fails to set up a tunnel with the LAC if the default L2TP group does not exist.
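As an added illustration (not code from the command reference), the following Python model applies the group-selection rules above to an incoming tunnel request and checks an LNS configuration against the "group 1 may omit remote, all other groups must name it" rule; the group numbers, VT numbers and LAC names are constructed sample values.

```python
# Added example: model of how an LNS picks the L2TP group for a tunnel request
# from a given LAC, following the "allow l2tp" operating mechanism.
# Group numbers, VT numbers and LAC names below are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class L2tpGroup:
    number: int
    mode: str                       # "lac" or "lns"
    virtual_template: Optional[int] = None  # VT number from "allow l2tp virtual-template N"
    remote: Optional[str] = None    # tunnel peer (LAC) name from "... remote NAME"


def validate_groups(groups: List[L2tpGroup]) -> List[str]:
    """Return configuration problems found in LNS-mode groups.

    Only group 1 may omit the remote name (it then acts as the default
    group); every other LNS group must name its tunnel peer.
    """
    problems = []
    for g in groups:
        if g.mode != "lns":
            continue
        if g.virtual_template is None:
            problems.append(f"group {g.number}: no 'allow l2tp' VT interface configured")
        elif g.remote is None and g.number != 1:
            problems.append(f"group {g.number}: 'remote' is required for groups other than 1")
    return problems


def select_group(groups: List[L2tpGroup], lac_name: str) -> Optional[L2tpGroup]:
    """Pick the LNS group used for a tunnel request from lac_name.

    Peer names are compared case-sensitively. A LAC that is not the configured
    peer of any group falls back to the default group (group 1 without a remote
    name) if it exists; otherwise tunnel setup fails and None is returned.
    """
    default = None
    for g in groups:
        if g.mode != "lns" or g.virtual_template is None:
            continue
        if g.remote == lac_name:
            return g
        if g.number == 1 and g.remote is None:
            default = g
    return default


# Constructed configuration mirroring the allow l2tp example below: group 1 is
# the default group on Virtual-Template 1, group 2 accepts only the peer "aaa".
GROUPS = [
    L2tpGroup(1, "lns", virtual_template=1),
    L2tpGroup(2, "lns", virtual_template=2, remote="aaa"),
]

if __name__ == "__main__":
    # "" models a LAC that sends a blank local name in its tunneling request.
    for lac in ("aaa", "AAA", "bbb", ""):
        chosen = select_group(GROUPS, lac)
        print(f"LAC {lac!r:6} -> {'group ' + str(chosen.number) if chosen else 'tunnel refused'}")
    print(validate_groups(GROUPS + [L2tpGroup(3, "lns", virtual_template=3)]))
```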
Recommended configuration
As a best practice, configure a default L2TP group on the LNS in the following cases:
· LACs (such as hosts with Windows 2000 Beta 2 installed) include blank local names in their tunneling requests.
· The LNS sets up tunnels with multiple LACs by using the same tunnel parameters.
Restrictions and guidelines
The allow l2tp command is available only on L2TP groups in LNS mode.
Make sure the specified name of the tunnel peer is consistent with the local name configured on the LAC.
If you execute this command multiple times for an L2TP group, the most recent configuration takes effect.
Examples
# Specify L2TP group 1 as the default L2TP group, and specify Virtual-Template 1 for tunnel setup. For L2TP group 2, configure the LNS to accept the L2TP tunneling request initiated by the peer (LAC) named aaa, and specify Virtual-Template 2 for tunnel setup.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lns
[Sysname-l2tp1] allow l2tp virtual-template 1
[Sysname-l2tp1] quit
[Sysname] l2tp-group 2 mode lns
[Sysname-l2tp2] allow l2tp virtual-template 2 remote aaa
Related commands
tunnel name
display l2tp session
Use display l2tp session to display information about L2TP sessions.
Syntax
display l2tp session [ statistics ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
statistics: Displays statistics for L2TP sessions.
Examples
# Display statistics for L2TP sessions.
<Sysname> display l2tp session statistics
Total number of sessions: 1
# Display information about L2TP sessions.
<Sysname> display l2tp session
LocalSID RemoteSID LocalTID State
89 36245 10878 Established
Table 1 Command output

Field | Description |
---|---|
LocalSID | Local session ID. |
RemoteSID | Remote session ID. |
LocalTID | Local tunnel ID. |
State | Session state: Idle; Wait-tunnel (waits for the tunnel to be established); Wait-reply (waits for an Incoming-Call-Reply (ICRP) message indicating the call is accepted); Wait-connect (waits for an Incoming-Call-Connected (ICCN) message); Established. |
display l2tp session temporary
Use display l2tp session temporary to display information about temporary L2TP sessions.
Syntax
display l2tp session temporary
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about temporary L2TP sessions.
<Sysname> display l2tp session temporary
Total number of temporary sessions: 6
LocalSID RemoteSID LocalTID State
2298 0 19699 Wait-tunnel
42805 0 19699 Wait-tunnel
17777 0 19699 Wait-tunnel
58284 0 19699 Wait-tunnel
33256 0 19699 Wait-tunnel
8228 0 19699 Wait-tunnel
Table 2 Command output

Field | Description |
---|---|
LocalSID | Local session ID. |
RemoteSID | Remote session ID. |
LocalTID | Local tunnel ID. |
State | Session state: Idle; Wait-tunnel (waits for the tunnel to be established); Wait-reply (waits for an ICRP message indicating the call is accepted); Wait-connect (waits for an ICCN message). |
display l2tp tunnel
Use display l2tp tunnel to display information about L2TP tunnels.
Syntax
display l2tp tunnel [ statistics ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
statistics: Displays statistics for L2TP tunnels.
Examples
# Display statistics for L2TP tunnels.
<Sysname> display l2tp tunnel statistics
Total number of tunnels: 1
# Display information about L2TP tunnels.
<Sysname> display l2tp tunnel
LocalTID RemoteTID State Sessions RemoteAddress RemotePort RemoteName
10878 21 Established 1 20.1.1.2 1701 lns
Table 3 Command output

Field | Description |
---|---|
LocalTID | Local tunnel ID. |
RemoteTID | Remote tunnel ID. |
State | Tunnel state: Idle, Wait-reply, Wait-connect, Established, or Stopping. |
Sessions | Number of sessions within the tunnel. |
RemoteAddress | IP address of the peer. |
RemotePort | UDP port number of the peer. |
RemoteName | Name of the tunnel peer. |
Related commands
reset l2tp tunnel
display l2tp va-pool
Use display l2tp va-pool to display information about L2TP VA pools.
Syntax
display l2tp va-pool
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about static L2TP VA pools.
<Sysname> display l2tp va-pool
VT interface Size Unused State
Virtual-Template1 1000 900 Normal
Table 4 Command output

Field | Description |
---|---|
VT interface | VT interface that uses the VA pool. |
Size | VA pool capacity set for L2TP users. |
Unused | VA pool capacity available for L2TP users. |
State | Current state of the VA pool: Creating (the VA pool is being created), Destroying (the VA pool is being removed), or Normal (the VA pool has been created). |
Related commands
l2tp virtual-template va-pool
display ppp access-control interface
Use display ppp access-control interface to display access control information for PPP sessions on a VT interface.
Syntax
display ppp access-control interface virtual-template interface-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
virtual-template interface-number: Specifies an existing VT interface by its number.
Examples
# Display access control information for PPP sessions on Virtual-Template 2.
<Sysname> display ppp access-control interface virtual-template 2
Interface: Virtual-Access0
User Name: mike
In-bound Policy: acl 3000
Totally 0 packets, 0 bytes, 0% permitted,
Totally 0 packets, 0 bytes, 0% denied.
Interface: Virtual-Access1
User Name: tim
In-bound Policy: acl 3001
Totally 0 packets, 0 bytes, 0% permitted,
Totally 0 packets, 0 bytes, 0% denied.
Table 5 Command output

Field | Description |
---|---|
Interface | BAS interface that the PPP user accesses. |
User Name | Username of the PPP user. |
In-bound Policy | Security ACLs for the PPP user. |
Totally x packets, x bytes, x% permitted | Total number, data rate, and pass percentage of permitted packets. |
Totally x packets, x bytes, x% denied | Total number, data rate, and reject percentage of denied packets. |
Related commands
ppp access-control enable
ip dscp
Use ip dscp to set the DSCP value of L2TP packets.
Use undo ip dscp to restore the default.
Syntax
ip dscp dscp-value
undo ip dscp
Default
The DSCP value of L2TP packets is 0.
Views
L2TP group view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies the DSCP value of L2TP packets, in the range of 0 to 63.
Usage guidelines
The DSCP field is carried in the ToS byte of the IP header and marks the forwarding priority of IP packets. This command sets the DSCP value of the IP packet that L2TP produces when it encapsulates a PPP frame.
Examples
# Set the DSCP value of L2TP packets to 50.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] ip dscp 50
l2tp enable
Use l2tp enable to enable L2TP.
Use undo l2tp enable to disable L2TP.
Syntax
l2tp enable
undo l2tp enable
Default
L2TP is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
For L2TP configurations to take effect, you must enable L2TP.
Examples
# Enable L2TP.
<Sysname> system-view
[Sysname] l2tp enable
l2tp icrq-limit
Use l2tp icrq-limit to set the maximum number of incoming call request (ICRQ) packets that the LNS can process per second.
Use undo l2tp icrq-limit to restore the default.
Syntax
l2tp icrq-limit number
undo l2tp icrq-limit
Default
The maximum number of ICRQ packets that the LNS can process per second is not limited.
Views
System view
Predefined user roles
network-admin
Parameters
number: Specifies the ICRQ packet processing limit in the range of 1 to 1000.
Usage guidelines
To avoid device performance degradation and make sure the LNS can process ICRQ requests correctly, use this command to adjust the ICRQ packet processing rate limit.
Examples
# Set the maximum number of ICRQ packets that the LNS can process per second to 200.
<Sysname> system-view
[Sysname] l2tp icrq-limit 200
l2tp tsa-id
Use l2tp tsa-id to set the TSA ID for the L2TP tunnel switching (LTS) device and enable L2TP loop detection on the LTS device.
Use undo l2tp tsa-id to restore the default.
Syntax
l2tp tsa-id tsa-id
undo l2tp tsa-id
Default
The TSA ID of the LTS device is not set, and L2TP loop detection is disabled on the LTS device.
Views
System view
Predefined user roles
network-admin
Parameters
tsa-id: Specifies a TSA ID that uniquely identifies the LTS device. This argument is a case-sensitive string of 1 to 64 characters.
Usage guidelines
Application scenarios
The LTS device compares the configured TSA ID with each TSA ID Attribute Value Pair (AVP) in a received ICRQ packet for loop detection.
Operating mechanism
The LTS device compares the configured TSA ID with each TSA ID Attribute Value Pair (AVP) in a received ICRQ packet:
· If a match is found, a loop exists. The LTS immediately tears down the session.
· If no match is found, the LTS performs the following operations:
a. Encapsulates the configured TSA ID into a new TSA ID AVP.
b. Appends the new TSA ID AVP to the packet.
c. Sends the packet to the next hop LTS.
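As an added illustration (not code from the command reference), the following Python models the TSA ID check above for one ICRQ and then walks a packet through a chain of LTS devices; the AVP representation and the TSA IDs are constructed, and the last case shows why duplicate TSA IDs produce a false loop.

```python
# Added example: model of the TSA ID loop check an LTS applies to a received
# ICRQ ("l2tp tsa-id" operating mechanism). AVPs are modelled as a list of
# TSA ID strings; the device names are constructed.
from typing import List, Optional, Tuple


def process_icrq(local_tsa_id: str, tsa_id_avps: List[str]) -> Tuple[bool, Optional[List[str]]]:
    """Apply the loop check for one ICRQ arriving at an LTS.

    Returns (loop_detected, forwarded_avps). If the local TSA ID already
    appears among the TSA ID AVPs, the packet has already passed this LTS:
    the session is torn down and nothing is forwarded. Otherwise the local
    TSA ID is appended as a new AVP and the packet goes to the next-hop LTS.
    TSA IDs are case-sensitive, so the comparison is exact.
    """
    if local_tsa_id in tsa_id_avps:
        return True, None
    return False, tsa_id_avps + [local_tsa_id]


def forward_through(chain: List[str], avps: Optional[List[str]] = None) -> Tuple[List[str], Optional[str]]:
    """Walk an ICRQ through LTS devices identified by their TSA IDs, in order.

    Returns the AVPs accumulated before the walk stopped and the TSA ID of the
    device that detected a loop (None when the packet traversed the chain).
    """
    avps = list(avps or [])
    for tsa_id in chain:
        loop, avps_out = process_icrq(tsa_id, avps)
        if loop:
            return avps, tsa_id
        avps = avps_out
    return avps, None


if __name__ == "__main__":
    # Clean path: three distinct LTS devices each append their own TSA ID.
    print(forward_through(["lts0", "lts1", "lts2"]))
    # Looped path: the packet returns to lts0, which finds its own ID and tears down.
    print(forward_through(["lts0", "lts1", "lts0"]))
    # Two different devices configured with the same TSA ID: a false loop,
    # which is why each LTS device needs a unique TSA ID.
    print(forward_through(["lts0", "lts0"]))
```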
Restrictions and guidelines
To avoid loop detection errors, make sure the TSA ID of each LTS device is unique.
Examples
# Set the TSA ID of the LTS device to lts0, and enable L2TP loop detection on the LTS device.
<Sysname> system-view
[Sysname] l2tp tsa-id lts0
l2tp user-ip-conflict offline
Use l2tp user-ip-conflict offline to allow a new L2TP user to come online and log out an old L2TP user when the IP addresses of the two users conflict.
Use undo l2tp user-ip-conflict to restore the default.
Syntax
l2tp user-ip-conflict offline
undo l2tp user-ip-conflict
Default
A new L2TP user cannot come online, and the old L2TP user stays online, when the IP addresses of the two users conflict.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
When the IP addresses of a new L2TP user and an old L2TP user conflict, you can choose either to forbid the new user from coming online or to log out the old user.
Restrictions and guidelines
This command takes effect only on IPv4 L2TP users on LNSs.
Examples
# Allow a new L2TP user to come online and log out an old L2TP user when the IP addresses of the two users conflict.
<Sysname> system-view
[Sysname] l2tp user-ip-conflict offline
l2tp virtual-template va-pool
Use l2tp virtual-template va-pool to create a static VA pool.
Use undo l2tp virtual-template va-pool to delete a static VA pool.
Syntax
l2tp virtual-template template-number va-pool va-volume
undo l2tp virtual-template template-number va-pool
Default
No static VA pool exists.
Views
System view
Predefined user roles
network-admin
Parameters
virtual-template template-number: Specifies an existing VT interface by its number to use the static VA pool.
va-pool va-volume: Specifies the maximum number of VA interfaces contained in the static VA pool, in the range of 1 to 65534.
Usage guidelines
Application scenarios
The LNS creates a VA interface for an L2TP session to exchange packets with the LAC, and it deletes the VA interface when the user goes offline. Creating and deleting VA interfaces take time. If a large number of users are coming online or going offline, the performance of L2TP connection establishment and termination will be degraded.
You can configure a VA pool to improve the performance. A VA pool contains a group of VA interfaces. The LNS selects a VA interface from the pool for a requesting user and places the interface back to the VA pool when the user goes offline. This mechanism speeds up the establishment and termination of L2TP connections.
Operating mechanism
When you configure a static VA pool, follow these guidelines:
· A VT interface can be associated with only one static VA pool. To change the capacity of a static VA pool, delete the previous configuration, and reconfigure the static VA pool.
· Creating or deleting a static VA pool takes time. During the process of creating or deleting a static VA pool, users can come online or go offline, but the static VA pool does not take effect.
· The system might create a static VA pool that contains fewer VA interfaces than the specified number because of insufficient resources. In this case, you can use the display l2tp va-pool command to view the number of available VA interfaces and the current state of the static VA pool.
· Create a static VA pool with an appropriate capacity, because a static VA pool occupies a large amount of system memory.
· Deleting a static VA pool does not log off the users who are using VA interfaces in the static VA pool.
Examples
# Create a static VA pool with a capacity of 1000 VA interfaces for Virtual-template 2.
<Sysname> system-view
[Sysname] l2tp virtual-template 2 va-pool 1000
Related commands
display l2tp va-pool
l2tp-group
Use l2tp-group to create an L2TP group and enter its view, or enter the view of an existing L2TP group.
Use undo l2tp-group to delete an L2TP group.
Syntax
l2tp-group group-number [ mode { lac | lns } ]
undo l2tp-group group-number
Default
No L2TP group exists.
Views
System view
Predefined user roles
network-admin
Parameters
group-number: Specifies an L2TP group by its number in the range of 1 to 65535.
mode: Specifies a mode for the L2TP group.
lac: Specifies the LAC mode.
lns: Specifies the LNS mode.
Usage guidelines
To create a new L2TP group, you must specify the mode keyword. To enter the view of an existing L2TP group, you do not need to specify this keyword.
In L2TP group view, you can configure L2TP tunnel parameters, such as tunnel authentication and flow control.
A device can have L2TP groups in both LAC and LNS modes at the same time.
Examples
# Create L2TP group 2 in LAC mode, and enter its view.
<Sysname> system-view
[Sysname] l2tp-group 2 mode lac
[Sysname-l2tp2]
Related commands
allow l2tp
lns-ip
user
lns-ip
Use lns-ip to specify LNS IP addresses or domain names on an LAC.
Use undo lns-ip to remove the specified LNS IP addresses or domain names on an LAC.
Syntax
lns-ip { ip-address | host-name name }&<1-5>
undo lns-ip
Default
No LNS IP addresses or domain names are specified on an LAC.
Views
L2TP group view
Predefined user roles
network-admin
Parameters
ip-address: Specifies LNS IP addresses.
host-name name: Specifies LNS host names (domain names). A domain name is a dot (.) separated list of strings, for example, example.com. Each string cannot exceed 63 characters. A domain name cannot exceed 253 characters, including dots (.). A domain name is case-insensitive, and each string can contain letters, digits, hyphens (-), underscores (_), and dots (.).
&<1-5> indicates that you can enter a maximum of five IP addresses or domain names.
Usage guidelines
Application scenarios
When the IP address of an LNS is fixed, you can specify the LNS IP address by using the lns-ip ip-address command. When the IP address of an LNS is not fixed, you can specify the LNS domain name by using the lns-ip host-name command. In this case, the LAC will deliver the domain name to the DNS module for processing. Then, the LAC can initiate an L2TP tunneling request to the LNS according to the returned IP address. For more information about DNS, see Network Connectivity Configuration Guide.
Operating mechanism
The LAC initiates an L2TP tunneling request to its specified LNSs consecutively in their configuration order until it receives an acknowledgment from an LNS. The LNS then becomes the tunnel peer.
Restrictions and guidelines
The lns-ip command is available only on L2TP groups in LAC mode.
If you execute this command multiple times for an L2TP group, the most recent configuration takes effect.
Examples
# Specify the LNS IP address as 202.1.1.1.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] lns-ip 202.1.1.1
# Specify the LNS domain name as example.com.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] lns-ip host-name example.com
mandatory-chap
Use mandatory-chap to force the LNS to perform CHAP authentication for users.
Use undo mandatory-chap to restore the default.
Syntax
mandatory-chap
undo mandatory-chap
Default
An LNS does not perform CHAP authentication for users.
Views
L2TP group view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
The LNS uses the LAC as an authentication proxy. The LAC sends the LNS all user authentication information from users and the authentication method configured on the LAC itself. The LNS then checks the user validity according to the received information and the locally configured authentication method.
Operating mechanism
When mandatory CHAP authentication is configured, a user who depends on an LAC to initiate tunneling requests is authenticated by both the LAC and the LNS for increased security. Some users might not support the authentication on the LNS. In this situation, do not configure this command, because CHAP authentication on the LNS will fail.
Restrictions and guidelines
This command is available only on L2TP groups in LNS mode.
This command takes effect only on NAS-initiated L2TP tunnels.
The mandatory-lcp command takes precedence over this command. If both commands are configured for an L2TP group, the LNS performs LCP renegotiation with the user.
Examples
# Force the LNS to perform CHAP authentication for users.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lns
[Sysname-l2tp1] mandatory-chap
Related commands
mandatory-lcp
mandatory-lcp
Use mandatory-lcp to force an LNS to perform LCP negotiation with users.
Use undo mandatory-lcp to restore the default.
Syntax
mandatory-lcp
undo mandatory-lcp
Default
An LNS does not perform LCP negotiation with users.
Views
L2TP group view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
By default, to establish a NAS-initiated tunnel, the user performs LCP negotiation with the LAC. If the negotiation succeeds, the LAC initiates a tunneling request and sends the negotiation results (including authentication information) to the LNS. Then, the LNS determines whether the user is valid based on the information received instead of performing LCP renegotiation with the user.
If you do not expect the LNS to accept LCP negotiation parameters, configure this command to perform an LCP negotiation between the LNS and the user. In this case, the information sent by the LAC will be ignored.
Restrictions and guidelines
Some users might not support LCP negotiation. In this case, do not configure this command because LCP negotiation will fail.
This command is available only on L2TP groups in LNS mode.
This command takes effect only on NAS-initiated L2TP tunnels.
This command takes precedence over the mandatory-chap command. If both commands are configured for an L2TP group, the LNS performs LCP negotiation with the user.
Examples
# Force an LNS to perform LCP negotiation with users.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lns
[Sysname-l2tp1] mandatory-lcp
Related commands
mandatory-chap
ppp access-control enable
Use ppp access-control enable to enable L2TP-based EAD.
Use undo ppp access-control enable to disable L2TP-based EAD.
Syntax
ppp access-control enable
undo ppp access-control enable
Default
L2TP-based EAD is disabled.
Views
VT interface view
Predefined user roles
network-admin
Usage guidelines
This command does not apply to PPP sessions that already exist on the VT interface. It only applies to newly created PPP sessions on the VT interface.
Different ACLs can be used for different users if the VT interface is used as the access interface for the LNS.
L2TP-based EAD enables the LNS to transparently pass CAMS/IMC packets to the iNode client to inform the client of EAD server information, such as the IP address.
Examples
# Enable L2TP-based EAD.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] ppp access-control enable
Related commands
display ppp access-control interface
ppp lcp imsi request
Use ppp lcp imsi request to enable the LNS to initiate IMSI binding authentication requests.
Use undo ppp lcp imsi request to restore the default.
Syntax
ppp lcp imsi request
undo ppp lcp imsi request
Default
The LNS does not initiate IMSI binding authentication requests.
Views
Interface view
Predefined user roles
network-admin
Examples
# Enable the LNS to initiate IMSI binding authentication requests.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp imsi request
Related commands
ppp lcp imsi accept
ppp lcp imsi string
ppp user accept-format imsi-sn split
Use ppp user accept-format imsi-sn split to configure the separator for the received authentication information.
Use undo ppp user accept-format to restore the default.
Syntax
ppp user accept-format imsi-sn split splitchart
undo ppp user accept-format
Default
No separator is configured for the received authentication information.
Views
Interface view
Predefined user roles
network-admin
Parameters
splitchart: Specifies the separator. The separator is a single character, which can be a letter, a digit, or a symbol such as the percent sign (%), pound sign (#), or at sign (@).
Usage guidelines
By default, the authentication information contains only the client username. If you include the IMSI or SN information in the authentication information, you must configure the separator to separate different types of information. For example, if you specify the at sign (@) as the separator, the information imsiinfo@sninfo@username will be split into imsiinfo, sninfo, and username.
If no IMSI/SN information is received from the peer during the authentication process, the IMSI/SN information split from the received authentication information is used.
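As an added illustration (not code from the command reference), the following Python shows how the separator configured above and the ppp user replace setting shape the identity that is finally authenticated, including the rule that IMSI/SN received from the peer take precedence over the values split from the string; the sample strings are constructed, and the handling of a string without all three parts is an assumption.

```python
# Added example: split the received authentication information on the
# configured separator and resolve the name used for authentication, following
# the imsiinfo@sninfo@username example and the "ppp user replace" command.
# Sample values are constructed.
from typing import Dict, Optional


def split_auth_info(received: str, separator: Optional[str]) -> Dict[str, Optional[str]]:
    """Split the received string into imsi, sn and username.

    With no separator configured the whole string is the client username.
    With a separator, the field order is imsi, sn, username as in the
    reference's imsiinfo@sninfo@username example.
    """
    if separator is None:
        return {"imsi": None, "sn": None, "username": received}
    if len(separator) != 1:
        raise ValueError("separator must be a single character")
    parts = received.split(separator)
    if len(parts) != 3:
        # Assumption for this example: a string that does not carry all three
        # parts is treated as a plain username with no IMSI/SN information.
        return {"imsi": None, "sn": None, "username": received}
    imsi, sn, username = parts
    return {"imsi": imsi or None, "sn": sn or None, "username": username}


def resolve_identity(received: str, separator: Optional[str],
                     peer_imsi: Optional[str] = None, peer_sn: Optional[str] = None,
                     replace: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Combine split fields with IMSI/SN learned from the peer during negotiation.

    IMSI/SN supplied by the peer take precedence; the values split from the
    authentication string are used only when the peer supplied none. With
    replace set to "imsi" or "sn" (ppp user replace), that field replaces the
    client username as the name that is authenticated.
    """
    fields = split_auth_info(received, separator)
    imsi = peer_imsi if peer_imsi is not None else fields["imsi"]
    sn = peer_sn if peer_sn is not None else fields["sn"]
    auth_name = fields["username"]
    if replace == "imsi" and imsi is not None:
        auth_name = imsi
    elif replace == "sn" and sn is not None:
        auth_name = sn
    return {"imsi": imsi, "sn": sn, "username": fields["username"], "auth_name": auth_name}


if __name__ == "__main__":
    print(resolve_identity("imsiinfo@sninfo@username", "@"))
    print(resolve_identity("imsiinfo@sninfo@username", "@", peer_imsi="peerimsi", replace="imsi"))
    print(resolve_identity("username", "#", replace="sn"))
```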
Examples
# Configure the pound sign (#) as the separator for the authentication information.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp user accept-format imsi-sn split #
Related commands
ppp user replace
ppp user replace
Use ppp user replace to replace the client username with the IMSI or SN information for authentication.
Use undo ppp user replace to restore the default.
Syntax
ppp user replace { imsi | sn }
undo ppp user replace
Default
The client username is used for authentication.
Views
Interface view
Predefined user roles
network-admin
Parameters
imsi: Specifies IMSI information.
sn: Specifies SN information.
Examples
# Replace the client username with the IMSI information for authentication.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp user replace imsi
Related commands
ppp user accept-format imsi-sn split
reset l2tp tunnel
Use reset l2tp tunnel to disconnect tunnels and all sessions within the tunnels.
Syntax
reset l2tp tunnel { id tunnel-id | name remote-name }
Views
User view
Predefined user roles
network-admin
Parameters
id tunnel-id: Specifies a tunnel by its local ID in the range of 1 to 65535.
name remote-name: Specifies L2TP tunnels by the tunnel peer name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
When the number of user connections is 0 or a network fault occurs, you can disconnect the L2TP tunnel by using this command on either the LAC or LNS. After the tunnel is disconnected, all sessions within it are disconnected.
If you specify a tunnel peer name, all tunnels with the tunnel peer name will be disconnected. If no tunnel with the tunnel peer name exists, nothing happens.
A tunnel disconnected by force can be re-established when a client makes a call.
Examples
# Disconnect all tunnels with the tunnel peer name of aaa.
<Sysname> reset l2tp tunnel name aaa
Related commands
display l2tp tunnel
source-ip
Use source-ip to configure the source IP address of L2TP tunnel packets.
Use undo source-ip to restore the default.
Syntax
source-ip ip-address
undo source-ip
Default
The source IP address of L2TP tunnel packets is the IP address of the egress interface.
Views
L2TP group view
Predefined user roles
network-admin
Parameters
ip-address: Specifies the source IP address of L2TP tunnel packets.
Usage guidelines
Recommended configuration
For high availability, as a best practice, use the IP address of a loopback interface as the source IP address of L2TP tunnel packets.
Restrictions and guidelines
This command is available only on an L2TP group in LAC mode.
Examples
# Configure the source IP address of L2TP tunnel packets as 2.2.2.2.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] source-ip 2.2.2.2
tunnel authentication
Use tunnel authentication to enable L2TP tunnel authentication.
Use undo tunnel authentication to disable L2TP tunnel authentication.
Syntax
tunnel authentication
undo tunnel authentication
Default
L2TP tunnel authentication is enabled.
Views
L2TP group view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
Tunnel authentication prevents the local end from establishing L2TP tunnels with illegal remote ends.
Recommended configuration
For tunnel security, enable tunnel authentication.
You can enable tunnel authentication on both sides or either side.
Restrictions and guidelines
To ensure a successful tunnel establishment when tunnel authentication is enabled on both sides or either side, set the same non-null key on the LAC and the LNS. To set the tunnel authentication key, use the tunnel password command.
When neither side is enabled with tunnel authentication, the key settings of the LAC and the LNS do not affect the tunnel establishment.
Examples
# Enable L2TP tunnel authentication.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lns
[Sysname-l2tp1] tunnel authentication
Related commands
tunnel password
tunnel avp-hidden
Use tunnel avp-hidden to enable transferring AVP data in hidden mode.
Use undo tunnel avp-hidden to restore the default.
Syntax
tunnel avp-hidden
undo tunnel avp-hidden
Default
AVP data is transferred over the tunnel in plaintext mode.
Views
L2TP group view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
L2TP uses AVPs to transmit tunnel negotiation parameters, session negotiation parameters, and user authentication information. This feature can hide sensitive AVP data, such as user passwords. This feature encrypts AVP data with the key configured by using the tunnel password command before transmission.
Restrictions and guidelines
The tunnel avp-hidden command can be executed for L2TP groups in both LAC and LNS modes. However, it does not take effect on L2TP groups in LNS mode.
For this command to take effect, you must enable tunnel authentication by using the tunnel authentication command.
Examples
# Enable transferring AVP data in hidden mode.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] tunnel avp-hidden
Related commands
tunnel authentication
tunnel password
tunnel flow-control
Use tunnel flow-control to enable L2TP session flow control.
Use undo tunnel flow-control to disable L2TP session flow control.
Syntax
tunnel flow-control
undo tunnel flow-control
Default
L2TP session flow control is disabled.
Views
L2TP group view
Predefined user roles
network-admin
Usage guidelines
This feature adds sequence numbers to transmitted packets and uses them to reorder packets arriving out of order and to detect lost packets.
This feature takes effect on both sent and received L2TP data messages. The L2TP sessions support this feature if either the LAC or LNS is enabled with this feature.
When the device acts as an LAC, a change in the flow control status on the LNS causes the same change in the flow control status of L2TP sessions. When the device acts as an LNS, a change in the flow control status on the LAC does not affect the flow control status of L2TP sessions.
Examples
# Enable L2TP session flow control.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] tunnel flow-control
tunnel name
Use tunnel name to specify the local tunnel name.
Use undo tunnel name to restore the default.
Syntax
tunnel name name
undo tunnel name
Default
The local tunnel name is the device name. For more information about the device name, see System Management Configuration Guide.
Views
L2TP group view
Predefined user roles
network-admin
Parameters
name: Specifies the local tunnel name, a case-sensitive string of 1 to 31 characters.
Examples
# Specify the local tunnel name as itsme.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lns
[Sysname-l2tp1] tunnel name itsme
Related commands
sysname (Fundamentals Command Reference)
tunnel password
Use tunnel password to configure the key for tunnel authentication.
Use undo tunnel password to restore the default.
Syntax
tunnel password { cipher | simple } string
undo tunnel password
Default
No key is configured for tunnel authentication.
Views
L2TP group view
Predefined user roles
network-admin
Parameters
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 16 characters. Its encrypted form is a case-sensitive string of 1 to 53 characters.
Usage guidelines
For this command to take effect, you must enable tunnel authentication by using the tunnel authentication command.
For the tunnel authentication key change to take effect, change the tunnel authentication key before tunnel negotiation is performed.
Examples
# Configure the key for tunnel authentication to a plaintext key yougotit.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] tunnel password simple yougotit
Related commands
tunnel authentication
tunnel retransmit
Use tunnel retransmit to configure the retransmission attempts for L2TP control packets.
Use undo tunnel retransmit to restore the default.
Syntax
tunnel retransmit times
undo tunnel retransmit
Default
The number of retransmission attempts for L2TP control packets is 9.
Views
L2TP group view
Predefined user roles
network-admin
Parameters
times: Specifies the retransmission attempts for L2TP control packets.
Usage guidelines
When the local end sends an L2TP control packet to the peer end of an L2TP tunnel and receives no reply within the retransmission timeout (the initial timer is set by using the tunnel timeout command), it retransmits the packet.
If the local end still receives no reply after the number of retransmissions reaches the value specified in this command, it considers the L2TP tunnel abnormally disrupted and clears the tunnel information.
Examples
# Configure retransmission attempts for L2TP control packets as 3.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] tunnel retransmit 3
Related commands
tunnel timeout
tunnel timeout
Use tunnel timeout to configure the retransmission timeout timer for L2TP control packets.
Use undo tunnel timeout to restore the default.
Syntax
tunnel timeout timeout
undo tunnel timeout
Default
The initial retransmission timeout timer is 1 second.
Views
L2TP group view
Predefined user roles
network-admin
Parameters
timeout: Specifies the initial retransmission timeout timer.
Usage guidelines
When the local end sends an L2TP control packet to the peer end of an L2TP tunnel and receives no reply within the retransmission timeout timer, it retransmits the packet. If the local end still receives no reply after the number of retransmissions reaches the value specified in the tunnel retransmit command, it considers the L2TP tunnel abnormally disrupted and clears the tunnel information.
The timer doubles with each retransmission: the nth retransmission waits the initial retransmission timeout timer × 2^(n-1) seconds. Once a computed timer reaches or exceeds 16 seconds, it is fixed at 16 seconds for that and all remaining retransmissions. For example, if the tunnel retransmit command specifies 5 retransmission attempts and the tunnel timeout command specifies an initial retransmission timeout timer of 3 seconds, the timers for the 5 retransmission attempts are 3, 6, 12, 16, and 16 seconds, respectively.
To prevent the device from sending a large number of L2TP control packets in a short period of time, which would degrade device performance, the device ignores the tunnel timeout command configuration and uses a fixed 16-second retransmission timeout timer for L2TP control packets when the total number of L2TP tunnels in all L2TP groups exceeds 256. When the total number of L2TP tunnels drops to 256 or below, the device again calculates the timer for the next retransmission from the number of retransmissions already made and the tunnel timeout command configuration.
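The following Python reproduces the timer rule above so that the time a dead or silently filtered peer is retried before the tunnel is cleared can be read off for a given configuration. It is an added illustration, not device code; the constants 16 and 256 are the values stated on this page, and the function names are chosen for the example.

```python
# Added illustration of the L2TP control-packet retransmission schedule; not device code.

MAX_TIMEOUT = 16          # seconds; the cap stated for the retransmission timer
TUNNEL_THRESHOLD = 256    # above this many tunnels, 'tunnel timeout' is ignored


def retransmit_schedule(initial_timeout, retransmit_times, total_tunnels=0):
    """Per-retransmission timeouts, in seconds, for one unanswered control packet.

    initial_timeout  -- value set with 'tunnel timeout' (default 1)
    retransmit_times -- value set with 'tunnel retransmit' (default 9)
    total_tunnels    -- L2TP tunnels across all L2TP groups; above 256 every
                        timer is forced to 16 seconds
    """
    if initial_timeout < 1 or retransmit_times < 1:
        raise ValueError("initial timeout and retransmission attempts must be at least 1")
    schedule = []
    for attempt in range(retransmit_times):        # attempt 0 is the first retransmission
        if total_tunnels > TUNNEL_THRESHOLD:
            timeout = MAX_TIMEOUT
        else:
            timeout = min(initial_timeout * 2 ** attempt, MAX_TIMEOUT)   # doubles, capped at 16
        schedule.append(timeout)
    return schedule


def detection_time(initial_timeout, retransmit_times, total_tunnels=0):
    """Seconds spent retrying before the tunnel is cleared: the sum of the schedule.

    Lowering it speeds up failover to another LNS but makes the tunnel more
    sensitive to transient packet loss; raising it lengthens the window in
    which an unreachable peer still looks up.
    """
    return sum(retransmit_schedule(initial_timeout, retransmit_times, total_tunnels))


if __name__ == "__main__":
    # The page's own example: tunnel timeout 3, tunnel retransmit 5
    print(retransmit_schedule(3, 5))                      # [3, 6, 12, 16, 16]
    # Factory defaults: tunnel timeout 1, tunnel retransmit 9
    print(retransmit_schedule(1, 9), detection_time(1, 9))  # [1, 2, 4, 8, 16, 16, 16, 16, 16] 95
```

With the defaults, a peer that stops answering is retried for 95 seconds before its tunnel is cleared; with more than 256 tunnels the same nine retransmissions take 144 seconds regardless of the configured initial timer.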
Examples
# Configure the initial retransmission timeout timer as 10 seconds.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] tunnel timeout 10
Related commands
tunnel retransmit
tunnel timer hello
Use tunnel timer hello to set the Hello interval.
Use undo tunnel timer hello to restore the default.
Syntax
tunnel timer hello hello-interval
undo tunnel timer hello
Default
The Hello interval is 60 seconds.
Views
L2TP group view
Predefined user roles
network-admin
Parameters
hello-interval: Specifies the interval at which the LAC or the LNS sends Hello packets, in the range of 10 to 1000 seconds.
Usage guidelines
The device sends Hello packets at the set interval. This prevents the L2TP tunnels and sessions from being removed due to timeouts.
You can set different Hello intervals for the LNS and LAC.
Examples
# Set the Hello interval to 90 seconds.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] tunnel timer hello 90
tunnel window receive
Use tunnel window receive to set the receiving window size for an L2TP tunnel.
Use undo tunnel window receive to restore the default.
Syntax
tunnel window receive size
undo tunnel window receive
Default
The receiving window size for an L2TP tunnel is 1024.
Views
L2TP group view
Predefined user roles
network-admin
Parameters
size: Specifies the receiving window size in the range of 1 to 5000. It is the number of packets that can be buffered at the local end.
Usage guidelines
Application scenarios
To enable the device to process a larger number of disordered packets, use this command to enlarge the receiving window size for an L2TP tunnel.
Operating mechanism
The device uses a receiving window to reorder disordered packets based on packet sequence numbers.
If the sequence number of a packet is within the receiving window but does not equal the minimum value of the window, the device performs the following operations:
1. The device buffers the packet.
2. The minimum value and maximum value of the receiving window increment by one.
3. The device continues to check the next arriving packet.
If the sequence number of a packet equals the minimum value of the receiving window, the device performs the following operations:
1. The device processes the packet.
2. The minimum value and maximum value of the receiving window increment by one.
3. The device checks buffered packets for a packet with the sequence number equal to the new minimum value of the receiving window.
4. If no required packet is found, the device checks the next arriving packet.
If the sequence number of a packet is not within the receiving window, the device drops the packet.
In the L2TP tunnel establishment process, the device uses the value specified in L2TP group view as the receiving window size.
Changing the receiving window size after an L2TP tunnel is established does not affect the established L2TP tunnel.
Restrictions and guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the receiving window size for L2TP group 1 to 128.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] tunnel window receive 128
Related commands
tunnel window send
tunnel window send
Use tunnel window send to set the sending window size for an L2TP tunnel.
Use undo tunnel window send to restore the default.
Syntax
tunnel window send size
undo tunnel window send
Default
The sending window size for an L2TP tunnel is 0, which means using the value of the receiving window size carried in messages sent by the peer end in the tunnel establishment process.
Views
L2TP group view
Predefined user roles
network-admin
Parameters
size: Specifies the sending window size for an L2TP tunnel, in the range of 0 to 1024. It is the maximum number of packets the device can send to a peer end when the device receives no response from the peer end. If the messages from the peer end carry no receiving window size in the tunnel establishment process, the sending window size for the device is 4.
Usage guidelines
Application scenarios
The actual packet processing capability of a peer end might not match the receiving window size that the peer advertises in some networks. For example, the peer can process 10 packets at a time but advertises a receiving window size of 20. To ensure stable L2TP services, you can set the sending window size of the device to match the actual packet processing capability of the peer end.
Operating mechanism
The sending window size set in L2TP group view is obtained in the L2TP tunnel establishment process.
· If the sending window size is 0, the device uses the default sending window size.
· If the sending window size is not 0, the device uses the specified value as the sending window size.
Changing the sending window size after an L2TP tunnel is established does not affect the established L2TP tunnel.
Restrictions and guidelines
If you execute this command multiple times, the most recent configuration takes effect.
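The following Python models the receiving-window reordering described under tunnel window receive and the sending-window resolution described under tunnel window send, and is added here as an illustration rather than the device's code. One deliberate difference from the text above: the model does not move the window when an out-of-order packet is buffered, only when the packet at the window minimum is processed, because a window that slides on every buffered packet could not deliver the buffered packets in order. The 16-bit sequence space (from RFC 2661), the packet streams and all names are assumptions made for this example.

```python
# Added illustration of the L2TP receive window and send-window resolution; not device code.

SEQ_MODULO = 1 << 16    # L2TP data sequence numbers are 16 bits in RFC 2661 (assumed here)


class ReceiveWindow:
    """Window covers [minimum, minimum + size - 1] in sequence-number space."""

    def __init__(self, size=1024, first_seq=0):
        if not 1 <= size <= 5000:
            raise ValueError("receiving window size must be 1 to 5000")
        self.size = size
        self.minimum = first_seq % SEQ_MODULO
        self.buffered = {}      # seq -> payload, waiting for the minimum to reach it
        self.delivered = []     # payloads handed up in sequence order
        self.dropped = []       # (seq, payload) pairs that fell outside the window

    def _offset(self, seq):
        """Distance of seq above the window minimum, with 16-bit wrap-around."""
        return (seq - self.minimum) % SEQ_MODULO

    def _advance(self):
        self.minimum = (self.minimum + 1) % SEQ_MODULO   # the maximum moves with it

    def receive(self, seq, payload):
        seq %= SEQ_MODULO
        offset = self._offset(seq)
        if offset >= self.size:
            # Not within the window: too old (a late duplicate) or too far ahead.
            self.dropped.append((seq, payload))
            return
        if offset != 0:
            # Within the window but not the minimum: hold it for later.
            self.buffered[seq] = payload
            return
        # Equals the minimum: process it, slide the window, then drain every
        # buffered packet that now sits at the new minimum.
        self.delivered.append(payload)
        self._advance()
        while self.minimum in self.buffered:
            self.delivered.append(self.buffered.pop(self.minimum))
            self._advance()


def effective_send_window(configured_size, peer_receive_window=None):
    """Sending window chosen at tunnel setup for 'tunnel window send'.

    0 (the default) means use the receiving window size the peer advertised
    during tunnel establishment, or 4 if it advertised none; any other value
    is used as configured.
    """
    if not 0 <= configured_size <= 1024:
        raise ValueError("sending window size must be 0 to 1024")
    if configured_size != 0:
        return configured_size
    return 4 if peer_receive_window is None else peer_receive_window


if __name__ == "__main__":
    # Constructed stream: packets 1 and 2 swapped, then packet 0 arriving again late.
    win = ReceiveWindow(size=4, first_seq=0)
    for seq, data in [(0, "p0"), (2, "p2"), (1, "p1"), (3, "p3"), (0, "p0-again")]:
        win.receive(seq, data)
    print(win.delivered, win.dropped)   # ['p0', 'p1', 'p2', 'p3'] [(0, 'p0-again')]
    print(effective_send_window(0, 20), effective_send_window(0), effective_send_window(128, 20))
```

A larger receiving window tolerates more reordering but also buffers more packets per tunnel, so on an LNS terminating many tunnels the memory cost scales with the window size times the tunnel count; the late copy of packet 0 in the run above shows that anything behind the window is discarded rather than delivered twice.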
Examples
# Set the sending window size for L2TP group 1 to 128.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] tunnel window send 128
Related commands
tunnel window receive
user
Use user to configure the condition for the LAC to initiate tunneling requests.
Use undo user to restore the default.
Syntax
user { domain domain-name | fullusername user-name }
undo user
Default
No condition is configured for the LAC to initiate tunneling requests.
Views
L2TP group view
Predefined user roles
network-admin
Parameters
domain domain-name: Configures the LAC to initiate tunneling requests to the LNS when the domain name of a user matches a configured domain name. The domain-name argument represents the domain name of the user and is a case-insensitive string of 1 to 24 characters.
fullusername user-name: Configures the LAC to initiate tunneling requests to the LNS when the username of a user matches a configured full username. The user-name argument represents the username of the user and is a case-sensitive string of 1 to 255 characters.
Usage guidelines
The LAC initiates tunneling requests to the LNS only when the domain name or the username of a user matches a configured domain name or a configured full username.
This command is available only on L2TP groups in LAC mode.
If you execute this command multiple times for an L2TP group, the most recent configuration takes effect.
Examples
# Configure the LAC to initiate tunneling requests to the LNS when the username of the user is test@dm1.
<Sysname> system-view
[Sysname] l2tp-group 1 mode lac
[Sysname-l2tp1] user fullusername test@dm1