LAC Tunnel Selection Overview
L2TP enables you to specify:
- Up to 31 destinations for a domain.
- Up to eight levels of preference. Preference indicates the order in which the router attempts to connect to the destinations specified for a domain. Zero (0) is the highest level of preference.
- Up to 31 destinations for a single preference level.
When the LAC determines that a PPP session should be tunneled, it selects a tunnel from a set of tunnels associated with either the PPP user or the PPP user’s domain. The router provides the following methods for selecting tunnels:
- Tunnel selection failover between preference levels (the default behavior)
- Tunnel selection failover within a preference level
- Maximum sessions per tunnel
- Weighted load balancing
Tunnel Selection Failover Between Preference Levels
When a user tries to log in to a domain, in the default method, the router attempts to connect to a destination in that domain by means of the associated tunnel with the highest preference level. If more than one destination is considered reachable by a tunnel in the preference level, the router randomly selects a destination and attempts to contact it through its associated tunnel at that level. If the router is unsuccessful, it marks the destination as unreachable and does not try to connect to that destination for five minutes. The router then moves to the next lower preference level and repeats the process.
For example, suppose that there are three destinations for a domain and a tunnel has been defined for each destination: A, B, and C. All destinations are considered reachable, and the preference levels for the tunnels are assigned as follows:
- A at preference 0
- B at preference 1
- C at preference 2
When a PPP user tries to connect to the domain, the router initially attempts to reach a destination by a tunnel at preference level 0. In this example, that is destination A. If this connection attempt fails, the router excludes destination A for five minutes and goes to the next level (preference 1) to reach a destination for the domain. At level 1, it attempts to connect to destination B. If the second connection attempt also fails, the router excludes destination B in addition to the already excluded destination A. The router goes to the next level (preference 2), and attempts to connect to destination C, the only destination in the domain that is still available. If that attempt also fails, the router has attempted to connect to every tunnel available for the domain. When the exclusion period for destination A expires, the router can attempt again to connect to destination A, and so on.
Although the five-minute timer typically prevents an unreachable destination from being tried until the timer expires, the timer is ignored in some circumstances. For example, if all destinations at a preference level are marked as unreachable when a user tries to log in to a domain, the router chooses and attempts to connect to the destination that failed first and therefore has the shortest time remaining until the timer expires. The key is to understand that the router always chooses a single destination at each level of preference, even if all destinations have recently failed.
If more than one destination for the domain is present at a preference level, the router randomly selects among them. If the router fails to connect to a destination at all preference levels with destinations for the domain, it cycles back to the highest level that still has a destination not excluded by an attempt.
For example, suppose that again there are three destinations for a domain and a tunnel has been defined for each destination: A, B, and C. All destinations are considered reachable, but the tunnels are distributed among the preference levels as follows:
- A and B at preference 0
- C at preference 1
If a PPP user tries to connect to the domain, the router randomly selects between A and B at level 0. Suppose it selects B, but the connection attempt fails. The router excludes destination B for five minutes and goes to the next level (preference 1) to reach a destination for the domain. At level 1, it attempts to connect to destination C. If the second connection attempt also fails, the router excludes destination C in addition to the already excluded destination B. The router cycles back to preference level 0. If destination B is still excluded, it attempts to connect to destination A. If the exclusion period for destination B has expired, then the router once again randomly selects between A and B to attempt a connection.
Tunnel Selection Failover Within a Preference Level
When tunnel selection failover within a preference level is configured, if the router tries to connect to a destination and is unsuccessful, it selects a new destination at the same preference level. If all destinations at a preference level are marked as unreachable, the router does not attempt to connect to a destination at that level. It drops to the next lower preference level to select a destination.
If all destinations at all preference levels are marked as unreachable, the router chooses the destination that failed first and tries to make a connection. If the connection fails, the router rejects the PPP user session without attempting to contact the remote router.
For example, suppose that there are four destinations for a domain and a tunnel has been defined for each destination: A, B, C, and D. All destinations are considered reachable, and the preference levels for the tunnels are assigned as follows:
- A and B at preference 0
- C and D at preference 1
When the router attempts to connect to the domain, suppose it randomly selects tunnel B from preference 0. If it fails to connect to the destination, the router excludes tunnel B for five minutes and attempts to connect to a destination with tunnel A. If this attempt also fails, the router drops to preference level 1. Then suppose the router randomly selects tunnel C. If it also fails to connect to a destination with tunnel C, the router excludes tunnel C for five minutes and attempts to connect with tunnel D. If this connection attempt fails, then the router attempts to use tunnel B again, the original selection. If that attempt fails, the user session is rejected.
Tunnel Selection and Maximum Sessions per Tunnel
When the maximum number of sessions allowed per tunnel is configured, the router takes that setting into consideration during the tunnel selection process. The maximum number of sessions per tunnel can be configured through a RADIUS Tunnel-Max-Sessions VSA [26-64] or by including the max-sessions statement in a tunnel profile.
If a randomly selected tunnel has a current session count equal to its maximum session count, the router does not attempt to connect to a destination with that tunnel. Instead, it selects an alternate tunnel from the set of reachable tunnels at the same preference level. If no additional reachable tunnels exist at the current preference level, the router drops to the next lower preference level to make the selection. This process is consistent, regardless of which failover scheme is currently running on the router.
If the maximum number of sessions is not configured for a tunnel, then that tunnel has no upper limit on the number of sessions it can support. By default, the maximum sessions value is 0 (zero), which allows unlimited sessions in the tunnel.
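The following Python simulation of the selection procedure described above (failover between preference levels, failover within a preference level, the five-minute exclusion, and the max-sessions check) is added here as an illustration; it is not Juniper's code. The names Tunnel, select() and connect() are assumptions, a login is modeled as happening at one instant so no exclusion can expire mid-selection, and weighted load balancing is not modeled.

```python
import random

EXCLUSION = 300  # seconds a failed destination stays excluded (five minutes, per the text)

class Tunnel:
    def __init__(self, name, pref, max_sessions=0):
        self.name, self.pref, self.max_sessions = name, pref, max_sessions
        self.sessions = 0          # current session count on this tunnel
        self.excluded_until = 0.0  # reachable when <= now; 0.0 means it never failed

    def has_room(self):            # max_sessions 0 = unlimited (the page's default)
        return self.max_sessions == 0 or self.sessions < self.max_sessions

def select(tunnels, connect, now, within_level=False, rng=random):
    """Return the tunnel a PPP login lands on, or None if the session is rejected.
    connect(tunnel) -> bool stands in for the LAC's attempt to reach that destination."""
    tried = []
    def attempt(t):
        tried.append(t)
        if connect(t):
            t.sessions += 1
            return True
        t.excluded_until = now + EXCLUSION  # start the five-minute exclusion
        return False
    while True:  # default mode cycles back to higher levels while untried destinations remain
        untried_seen = False
        for pref in sorted({t.pref for t in tunnels}):
            pool = [t for t in tunnels if t.pref == pref and t.has_room() and t not in tried]
            reachable = [t for t in pool if t.excluded_until <= now]
            if within_level:
                while reachable:  # stay at this level until something connects
                    t = rng.choice(reachable)
                    if attempt(t):
                        return t
                    reachable.remove(t)
            elif pool:
                untried_seen = True
                # one attempt per level; with nothing reachable, take the earliest failure
                t = rng.choice(reachable) if reachable else min(pool, key=lambda x: x.excluded_until)
                if attempt(t):
                    return t
        if within_level or not untried_seen:
            break
    if within_level:  # everything was unreachable: retry the destination that failed first
        failed = [t for t in tunnels if t.has_room() and t.excluded_until > now]
        if failed:
            t = min(failed, key=lambda x: (x.excluded_until, tried.index(x) if x in tried else -1))
            if connect(t):
                t.sessions += 1
                return t
    return None
```

Passing a connect() that always returns False and counting its calls reproduces the attempt sequences of the worked examples above.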
Tunnel Selection with Weighted Load Balancing
The maximum sessions value for a tunnel is used for weighted load balancing to select among multiple tunnels with the same preference level.
The weight of a tunnel is determined by the tunnel’s maximum session limit and the maximum session limits of the other tunnels at the same preference level. The tunnel with the largest maximum session value has the largest weight. The tunnel with the next largest maximum session value has the next largest weight, and so on. The tunnel with the smallest maximum session value has the smallest weight.