Example: Configuring an L2TP LNS

This example shows how you can configure an L2TP LNS on an MX Series router to provide tunnel endpoints for an L2TP LAC in your network. This configuration includes a dynamic profile for dual-stack subscribers.

Requirements

L2TP LNS requires the following hardware and software:

  • MX Series 3D Universal Edge Router
  • One or more MPCs
  • Junos OS Release 11.4 or later

No special configuration beyond device initialization is required before you can configure this feature.

You must configure certain standard RADIUS attributes and Juniper Networks VSAs in the attribute return list on the AAA server associated with the LNS for this example to work. Table 1 lists the attributes with their required order setting and values. We recommend that you use the most current Juniper Networks RADIUS dictionary, available in the Downloads box on the Junos OS Subscriber Management page for the current release at https://www.juniper.net/techpubs/en_US/junos/information-products/pathway-pages/subscriber-access/index.html.

Table 1: VSA and Standard RADIUS Attribute Names, Order, and Values Required for Example

  VSA Name [Number]               Order   Value
  CoS-Parameter-Type [26-108]     1       T01 Multiplay
  CoS-Parameter-Type [26-108]     2       T02 10m
  CoS-Parameter-Type [26-108]     3       T08 -36
  CoS-Parameter-Type [26-108]     4       T07 cell-mode
  Framed-IPv6-Pool [100]          0       jnpr_ipv6_pool
  Framed-Pool [88]                0       jnpr_pool
  Egress-Policy-Name [26-11]      0       classify
  Ingress-Policy-Name [26-10]     0       classify
  Virtual-Router [26-1]           0       default

Overview

The LNS employs user group profiles to apply PPP attributes to the PPP subscribers that are tunneled from the LAC. LACs in the network are clients of the LNS. The clients are associated with user group profiles in the L2TP access profile configured on the LNS. In this example, the user group profile ce-l2tp-group-profile specifies the following PPP attributes:

  • A 30-second interval between PPP keepalive messages for L2TP tunnels from the client LAC terminating on the LNS.
  • A 200-second interval that defines how long the PPP subscriber session can be idle before it is considered to have timed out.
  • Both PAP and CHAP as the PPP authentication methods that apply to tunneled PPP subscribers at the LNS.

The L2TP access profile ce-l2tp-profile defines a set of L2TP parameters for each client LAC. In this example, the user group profile ce-l2tp-group-profile is associated with both clients, lac1 and lac2. Both clients are configured to have the LNS renegotiate the link control protocol (LCP) with the PPP client rather than accepting the pre-negotiated LCP parameters that the LACs pass to the LNS. LCP renegotiation also causes authentication to be renegotiated by the LNS; the authentication method is specified in the user group profile. The maximum number of sessions allowed per tunnel is set to 1000 for lac1 and to 4000 for lac2. A different password is configured for each LAC.

A local AAA access profile, aaa-profile, enables you to override the global AAA access profile, so that you can specify an authentication order, a RADIUS server that you want to use for L2TP, and a password for the server.

In this example, an address pool defines a range of IP addresses that the LNS allocates to the tunneled PPP sessions. This example defines ranges of IPv4 and IPv6 addresses.

Two inline service interfaces are enabled on the MPC located in slot 5 of the router. For each interface, 10 Gbps of bandwidth is reserved for tunnel traffic on the interface’s associated PFE. These anchor interfaces serve as the underlying physical interface. To enable CoS queue support on the individual logical inline service interfaces, you must configure both services encapsulation (generic-services) and hierarchical scheduling support on the anchors. The IPv4 address family is configured for both anchor interfaces. Both anchor interfaces are specified in the lns_p1 service device pool. The LNS can balance traffic loads across the two anchor interfaces when the tunnel group includes the pool.

This example uses the dynamic profile dyn-lns-profile2 to specify characteristics of the L2TP sessions that are created or assigned dynamically when a subscriber is tunneled to the LNS. For many of the characteristics, a predefined variable is set; the variables are dynamically replaced with the appropriate values when a subscriber is tunneled to the LNS.

The interface to which the tunneled PPP client connects ($junos-interface-name) is dynamically created in the routing instance ($junos-routing-instance) assigned to the subscriber. Routing options for access routes include the route’s next hop address ($junos-framed-route-nexthop), metric ($junos-framed-route-cost), and preference ($junos-framed-route-distance). For access-internal routes, a dynamic IP address variable ($junos-subscriber-ip-address) is set.

The logical inline service interfaces are defined by the name of a configured anchor interface ($junos-interface-ifd-name) and a logical unit number ($junos-interface-unit). The profile assigns l2tp-encapsulation as the identifier for the logical interface and specifies that each interface can be used for only a single session at a time.

The IPv4 address is set to a value returned from the AAA server. For IPv4 traffic an input firewall filter $junos-input-filter and an output firewall filter $junos-output-filter are attached to the interface. The loopback variable ($junos-loopback-interface) derives an IP address from a loopback interface (lo) configured in the routing instance and uses it in IPCP negotiation as the PPP server address. Because this is a dual-stack configuration, the IPv6 address family is also set, with the addresses provided by the $junos-ipv6-address variable.

The $junos-ipv6-address variable is used because Router Advertisement Protocol is also configured. This variable enables AAA to allocate the first address in the prefix to be reserved as the local address for the interface. The minimal configuration for the Router Advertisement Protocol in the dynamic profile specifies the $junos-interface-name and $junos-ipv6-ndra-prefix variables to dynamically assign a prefix value in IPv6 neighbor discovery router advertisements.

The dynamic profile also includes the class of service configuration that is applied to the tunnel traffic. The traffic control profile (tc-profile) includes variables for the scheduler map ($junos-cos-scheduler-map), shaping rate ($junos-cos-shaping-rate), overhead accounting ($junos-cos-shaping-mode), and byte adjustment ($junos-cos-byte-adjust). The dynamic profile applies the CoS configuration—including the forwarding class, the output traffic control profile, and the rewrite rules—to the dynamic service interfaces.

The tg-dynamic tunnel group configuration specifies the access profile ce-l2tp-profile, the local AAA profile aaa-profile, and the dynamic profile dyn-lns-profile2 that are used to dynamically create LNS sessions and define the characteristics of the sessions. The lns_p1 service device pool associates a pool of service interfaces with the group to enable LNS to balance traffic across the interfaces. The local gateway address 11.1.1.2 corresponds to the remote gateway address that is configured on the LAC.

Note: This example does not show all possible configuration choices.

Configuration

CLI Quick Configuration

To quickly configure an L2TP LNS, copy the following commands, paste them in a text file, remove any line breaks, and then copy and paste the commands into the CLI.

[edit]
edit access group-profile ce-l2tp-group-profile
set ppp idle-timeout 200
set ppp ppp-options pap
set ppp ppp-options chap
set ppp keepalive 30
top
edit access profile ce-l2tp-profile
set client lac1 l2tp maximum-sessions-per-tunnel 1000
set client lac1 l2tp interface-id l2tp-encapsulation-1
set client lac1 l2tp lcp-renegotiation
set client lac1 l2tp shared-secret "lac1-secret"
set client lac1 user-group-profile ce-l2tp-group-profile
set client lac2 l2tp maximum-sessions-per-tunnel 4000
set client lac2 l2tp interface-id l2tp-encap-2
set client lac2 l2tp lcp-renegotiation
set client lac2 l2tp shared-secret "lac2-secret"
set client lac2 user-group-profile ce-l2tp-group-profile
top
edit access profile aaa-profile
set authentication-order radius
set radius-server 172.21.146.93 secret "aaa-secret"
top
edit access address-assignment pool client-pool1 family inet
set network 192.168.1.1/16
set range lns-v4-pool-range low 192.168.1.1
set range lns-v4-pool-range high 192.168.255.255
top
edit access address-assignment pool client-ipv6-pool2 family inet6
set prefix 2010:db8::/32
set range lns-v6-pool-range low 2010:db8:1::/48
set range lns-v6-pool-range high 2010:db8:ffff::/48
top
set interfaces ge-5/0/1 vlan-tagging
set interfaces ge-5/0/1 unit 11 vlan-id 11
set interfaces ge-5/0/1 unit 11 family inet address 11.1.1.2/24
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
top
set chassis fpc 5 pic 0 inline-services bandwidth 10g
set chassis fpc 5 pic 2 inline-services bandwidth 10g
top
edit interfaces si-5/0/0
set hierarchical-scheduler maximum-hierarchy-levels 2
set encapsulation generic-services
set unit 0 family inet
top
edit interfaces si-5/2/0
set hierarchical-scheduler maximum-hierarchy-levels 2
set encapsulation generic-services
set unit 0 family inet
top
set services service-device-pools pool lns_p1 interface si-5/0/0
set services service-device-pools pool lns_p1 interface si-5/2/0
top
edit dynamic-profiles dyn-lns-profile2 routing-instances $junos-routing-instance
set interface $junos-interface-name
edit routing-options access route $junos-framed-route-ip-address-prefix
set next-hop $junos-framed-route-nexthop
set metric $junos-framed-route-cost
set preference $junos-framed-route-distance
up 2
edit access-internal route $junos-subscriber-ip-address
set qualified-next-hop $junos-interface-name
top
edit dynamic-profiles dyn-lns-profile2 interfaces $junos-interface-ifd-name unit $junos-interface-unit
set dial-options l2tp-interface-id l2tp-encapsulation
set dial-options dedicated
set family inet filter input $junos-input-filter
set family inet filter output $junos-output-filter
set family inet unnumbered-address $junos-loopback-interface
set family inet6 address $junos-ipv6-address
set family inet6 filter input $junos-input-ipv6-filter
set family inet6 filter output $junos-output-ipv6-filter
top
edit dynamic-profiles dyn-lns-profile2 protocols router-advertisement
set interface $junos-interface-name prefix $junos-ipv6-ndra-prefix
top
edit class-of-service rewrite-rules dscp rewriteDSCP forwarding-class expedited-forwarding
set loss-priority high code-point af11
set loss-priority high code-point af12
top
edit dynamic-profiles dyn-lns-profile2 class-of-service traffic-control-profiles tc-profile
set scheduler-map $junos-cos-scheduler-map
set shaping-rate $junos-cos-shaping-rate
set overhead-accounting $junos-cos-shaping-mode
set overhead-accounting bytes $junos-cos-byte-adjust
up
edit interfaces $junos-interface-ifd-name unit $junos-interface-unit
set forwarding-class expedited-forwarding
set output-traffic-control-profile tc-profile
set rewrite-rules dscp rewriteDSCP
top
edit class-of-service interfaces si-5/0/0
set output-traffic-control-profile-remaining tc-profile
top
set services l2tp tunnel-group tg-dynamic l2tp-access-profile ce-l2tp-profile
set services l2tp tunnel-group tg-dynamic aaa-access-profile aaa-profile
set services l2tp tunnel-group tg-dynamic local-gateway address 11.1.1.2
set services l2tp tunnel-group tg-dynamic service-device-pool lns_p1
set services l2tp tunnel-group tg-dynamic dynamic-profile dyn-lns-profile2

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure an L2TP LNS with inline service interfaces:

  1. Configure a user group profile that defines the PPP configuration for tunnel subscribers.
    [edit access]
    user@host# edit group-profile ce-l2tp-group-profile
    [edit access group-profile ce-l2tp-group-profile]
    user@host# set ppp keepalive 30
    user@host# set ppp idle-timeout 200
    user@host# set ppp ppp-options chap
    user@host# set ppp ppp-options pap
  2. Configure an L2TP access profile that defines the L2TP parameters for each client LAC. This includes associating a user group profile with the client and specifying the identifier for the inline services logical interface that represents an L2TP session on the LNS.
    [edit access profile ce-l2tp-profile client lac1]
    user@host# set l2tp interface-id l2tp-encapsulation
    user@host# set l2tp maximum-sessions-per-tunnel 1000
    user@host# set l2tp shared-secret "lac1-secret"
    user@host# set l2tp lcp-renegotiation
    user@host# set user-group-profile ce-l2tp-group-profile
    [edit access profile ce-l2tp-profile client lac2]
    user@host# set l2tp interface-id l2tp-encap-2
    user@host# set l2tp maximum-sessions-per-tunnel 4000
    user@host# set l2tp shared-secret "lac2-secret"
    user@host# set l2tp lcp-renegotiation
    user@host# set user-group-profile ce-l2tp-group-profile
  3. Configure a AAA access profile to override the global access profile for the order of AAA authentication methods and server attributes.
    [edit access profile aaa-profile]
    user@host# set authentication-order radius
    user@host# set radius-server 172.21.146.93 secret "aaa-secret"
  4. Configure IPv4 and IPv6 address-assignment pools to allocate addresses for the clients (LACs).
    [edit access address-assignment pool client-pool1 family inet]
    user@host# set network 192.168.1.1/16
    user@host# set range lns-v4-pool-range low 192.168.1.1 high 192.168.255.255
    [edit access address-assignment pool client-ipv6-pool2 family inet6]
    user@host# set prefix 2010:DB8::/32
    user@host# set range lns-v6-pool-range low 2010:DB8:1::/48
    user@host# set range lns-v6-pool-range high 2010:DB8:ffff::/48
  5. Configure the peer interface to terminate the tunnel and the PPP server-side IPCP address (loopback address).
    [edit interfaces ge-5/0/1]
    user@host# set vlan-tagging
    user@host# edit unit 11
    [edit interfaces ge-5/0/1 unit 11]
    user@host# set vlan-id 11
    user@host# set family inet address 11.1.1.2/24
    [edit interfaces lo0]
    user@host# set unit 0 family inet address 127.0.0.1/32
  6. Enable inline service interfaces on an MPC.
    [edit chassis fpc 5]
    user@host# set pic 0 inline-services bandwidth 10g
    user@host# set pic 2 inline-services bandwidth 10g
  7. Configure the anchor service interfaces with services encapsulation, hierarchical scheduling, and the address family.
    [edit interfaces si-5/0/0]
    user@host# set hierarchical-scheduler maximum-hierarchy-levels 2
    user@host# set encapsulation generic-services
    user@host# set unit 0 family inet
    [edit interfaces si-5/2/0]
    user@host# set hierarchical-scheduler maximum-hierarchy-levels 2
    user@host# set encapsulation generic-services
    user@host# set unit 0 family inet
  8. Configure a pool of service interfaces for dynamic LNS sessions.
    [edit services service-device-pools pool lns_p1]
    user@host# set interface si-5/0/0
    user@host# set interface si-5/2/0
  9. Configure a dynamic profile that dynamically creates L2TP logical interfaces for dual-stack subscribers.
    [edit dynamic-profiles dyn-lns-profile2]
    user@host# edit routing-instances $junos-routing-instance
    [edit dynamic-profiles dyn-lns-profile2 routing-instances "$junos-routing-instance"]
    user@host# set interface $junos-interface-name
    user@host# edit routing-options access route $junos-framed-route-ip-address-prefix
    [edit dynamic-profiles dyn-lns-profile2 routing-instances "$junos-routing-instance" routing-options access route "$junos-framed-route-ip-address-prefix"]
    user@host# set next-hop $junos-framed-route-nexthop
    user@host# set metric $junos-framed-route-cost
    user@host# set preference $junos-framed-route-distance
    [edit dynamic-profiles dyn-lns-profile2 routing-instances "$junos-routing-instance" routing-options access-internal]
    user@host# set route $junos-subscriber-ip-address qualified-next-hop $junos-interface-name
    [edit dynamic-profiles dyn-lns-profile2 interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit"]
    user@host# set dial-options l2tp-interface-id l2tp-encapsulation
    user@host# set dial-options dedicated
    user@host# set family inet unnumbered-address $junos-loopback-interface
    user@host# set family inet filter input $junos-input-filter
    user@host# set family inet filter output $junos-output-filter
    user@host# set family inet6 address $junos-ipv6-address
    user@host# set family inet6 filter input $junos-input-ipv6-filter
    user@host# set family inet6 filter output $junos-output-ipv6-filter
    [edit dynamic-profiles dyn-lns-profile2 protocols router-advertisement]
    user@host# set interface $junos-interface-name prefix $junos-ipv6-ndra-prefix
  10. Configure shaping, scheduling, and rewrite rules, and apply in the dynamic profile to tunnel traffic.
    [edit class-of-service]
    user@host# edit rewrite-rules dscp rewriteDSCP forwarding-class expedited-forwarding
    [edit class-of-service rewrite-rules dscp rewriteDSCP forwarding-class expedited-forwarding]
    user@host# set loss-priority high code-point af11
    user@host# set loss-priority high code-point af12
    [edit dynamic-profiles dyn-lns-profile2 class-of-service traffic-control-profiles tc-profile]
    user@host# set scheduler-map $junos-cos-scheduler-map
    user@host# set shaping-rate $junos-cos-shaping-rate
    user@host# set overhead-accounting $junos-cos-shaping-mode
    user@host# set overhead-accounting bytes $junos-cos-byte-adjust
    [edit dynamic-profiles dyn-lns-profile2 class-of-service interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit"]
    user@host# set forwarding-class expedited-forwarding
    user@host# set output-traffic-control-profile tc-profile
    user@host# set rewrite-rules dscp rewriteDSCP
    [edit class-of-service interfaces si-5/0/0]
    user@host# set output-traffic-control-profile-remaining tc-profile
  11. Configure the L2TP tunnel group to bring up dynamic LNS sessions using the pool of inline service interfaces to enable load-balancing.
    [edit services l2tp tunnel-group tg-dynamic]
    user@host# set l2tp-access-profile ce-l2tp-profile
    user@host# set local-gateway address 11.1.1.2
    user@host# set aaa-access-profile aaa-profile
    user@host# set dynamic-profile dyn-lns-profile2
    user@host# set service-device-pool lns_p1

Results

From configuration mode, confirm the access profile, group profile, AAA profile, and address-assignment pools configuration by entering the show access command. Confirm the inline services configuration by entering the show chassis command. Confirm the interface configuration by entering the show interfaces command. Confirm the dynamic profile configuration by entering the show dynamic-profiles command. Confirm the tunnel group configuration by entering the show services l2tp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show access
group-profile ce-l2tp-group-profile {
    ppp {
        idle-timeout 200;
        ppp-options {
            pap;
            chap;
        }
        keepalive 30;
    }
}
profile ce-l2tp-profile {
    client lac1 {
        l2tp {
            maximum-sessions-per-tunnel 1000;
            interface-id l2tp-encapsulation-1;
            lcp-renegotiation;
            shared-secret "$9$ZJGi.Pfz6/tmPtu1IleLxNbwgaZjmPQDi"; ## SECRET-DATA
        }
        user-group-profile ce-l2tp-group-profile;
    }
    client lac2 {
        l2tp {
            maximum-sessions-per-tunnel 4000;
            interface-id l2tp-encap-2;
            lcp-renegotiation;
            shared-secret "$9$KCjvLNdVYoaUdVDi.m3ntuOREyevLdVY8X"; ## SECRET-DATA
        }
        user-group-profile ce-l2tp-group-profile;
    }
}
profile aaa-profile {
    authentication-order radius;
    radius-server {
        172.21.146.93 secret "$9$41JZjk.5Qz6k."; ## SECRET-DATA
    }
}
address-assignment {
    pool client-pool1 {
        family inet {
            network 192.168.1.1/16;
            range lns-v4-pool-range {
                low 192.168.1.1;
                high 192.168.255.255;
            }
        }
    }
    pool client-ipv6-pool2 {
        family inet6 {
            prefix 2010:db8::/32;
            range lns-v6-pool-range {
                low 2010:db8:1::/48;
                high 2010:db8:ffff::/48;
            }
        }
    }
}

[edit]
user@host# show chassis
fpc 5 {
    pic 0 {
        inline-services {
            bandwidth 10g;
        }
    }
    pic 2 {
        inline-services {
            bandwidth 10g;
        }
    }
}

[edit]
user@host# show interfaces
ge-5/0/1 {
    vlan-tagging;
    unit 11 {
        vlan-id 11;
        family inet {
            address 11.1.1.2/24;
        }
    }
}
si-5/0/0 {
    hierarchical-scheduler maximum-hierarchy-levels 2;
    encapsulation generic-services;
    unit 0 {
        family inet;
    }
}
si-5/2/0 {
    hierarchical-scheduler maximum-hierarchy-levels 2;
    encapsulation generic-services;
    unit 0 {
        family inet;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 127.0.0.1/32;
        }
    }
}

[edit]
user@host# show dynamic-profiles
dyn-lns-profile2 {
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
            routing-options {
                access {
                    route $junos-framed-route-ip-address-prefix {
                        next-hop "$junos-framed-route-nexthop";
                        metric "$junos-framed-route-cost";
                        preference "$junos-framed-route-distance";
                    }
                }
                access-internal {
                    route $junos-subscriber-ip-address {
                        qualified-next-hop "$junos-interface-name";
                    }
                }
            }
        }
    }
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                dial-options {
                    l2tp-interface-id l2tp-encapsulation;
                    dedicated;
                }
                family inet {
                    filter {
                        input "$junos-input-filter";
                        output "$junos-output-filter";
                    }
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    address $junos-ipv6-address;
                    filter {
                        input $junos-input-ipv6-filter;
                        output $junos-output-ipv6-filter;
                    }
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface "$junos-interface-name" {
                prefix $junos-ipv6-ndra-prefix;
            }
        }
    }
    class-of-service {
        rewrite-rules {
            dscp rewriteDSCP {
                forwarding-class expedited-forwarding {
                    loss-priority high code-point af11;
                    loss-priority high code-point af12;
                }
            }
        }
        traffic-control-profiles {
            tc-profile {
                scheduler-map "$junos-cos-scheduler-map";
                shaping-rate "$junos-cos-shaping-rate";
                overhead-accounting "$junos-cos-shaping-mode" bytes "$junos-cos-byte-adjust";
            }
        }
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    forwarding-class expedited-forwarding;
                    output-traffic-control-profile tc-profile;
                    rewrite-rules {
                        dscp rewriteDSCP;
                    }
                }
            }
        }
    }
}

[edit]
user@host# show services l2tp
tunnel-group tg-dynamic {
    l2tp-access-profile ce-l2tp-profile;
    aaa-access-profile aaa-profile;
    local-gateway {
        address 11.1.1.2;
    }
    service-device-pool lns_p1;
    dynamic-profile dyn-lns-profile2;
}

When you are done configuring the device, enter commit from configuration mode.
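As an added example that is not part of this Juniper page, the following Python reads a configuration dump in the brace format the show commands above print (for instance the show access output) into nested dicts and audits the points this LNS example relies on: every LAC client carries a shared secret and lcp-renegotiation, so the LNS authenticates the tunnel peer and re-authenticates the tunneled PPP sessions itself rather than trusting what the LAC negotiated; the user group profile each client references exists; and each address-assignment range lies inside its pool's network (inet) or prefix (inet6). The SAMPLE text and the function names parse_junos and audit_lns are constructed for this example; the secrets are placeholders, and lac2 deliberately omits lcp-renegotiation so the audit has something to report.

```python
"""Added example (not Juniper's code): parse a Junos brace-style config dump,
such as the "show access" output above, and audit the L2TP LNS settings.
SAMPLE is constructed for this example; the secrets are placeholders."""
import ipaddress

SAMPLE = """\
group-profile ce-l2tp-group-profile {
    ppp {
        keepalive 30;
    }
}
profile ce-l2tp-profile {
    client lac1 {
        l2tp {
            interface-id l2tp-encapsulation;
            lcp-renegotiation;
            shared-secret "$9$PLACEHOLDER-LAC1"; ## SECRET-DATA
        }
        user-group-profile ce-l2tp-group-profile;
    }
    client lac2 {
        l2tp {
            interface-id l2tp-encapsulation;
            shared-secret "$9$PLACEHOLDER-LAC2"; ## SECRET-DATA
        }
        user-group-profile ce-l2tp-group-profile;
    }
}
address-assignment {
    pool client-pool1 {
        family inet {
            network 192.168.1.1/16;
            range lns-v4-pool-range {
                low 192.168.1.1;
                high 192.168.255.255;
            }
        }
    }
    pool client-ipv6-pool2 {
        family inet6 {
            prefix 2010:db8::/32;
            range lns-v6-pool-range {
                low 2010:db8:1::/48;
                high 2010:db8:ffff::/48;
            }
        }
    }
}
"""


def parse_junos(text: str) -> dict:
    """Blocks become nested dicts keyed by their header; "key value;" becomes
    cfg[key] = value; a bare flag such as "lcp-renegotiation;" becomes True."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop "## SECRET-DATA" annotations
        if not line:
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value.strip().strip('"') or True
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    return root


def audit_lns(cfg: dict) -> list:
    """Return findings for the LNS access configuration; an empty list means clean."""
    findings = []
    groups = {k.split(" ", 1)[1] for k in cfg if k.startswith("group-profile ")}
    for pkey, profile in cfg.items():
        if not pkey.startswith("profile "):
            continue
        for ckey, client in profile.items():
            if not ckey.startswith("client "):
                continue
            who = f"{pkey.split(' ', 1)[1]}/{ckey.split(' ', 1)[1]}"
            l2tp = client.get("l2tp", {})
            if not l2tp.get("shared-secret"):
                findings.append(f"{who}: no shared-secret, LAC is not authenticated")
            if not l2tp.get("lcp-renegotiation"):  # LNS would trust the LAC's LCP and auth
                findings.append(f"{who}: lcp-renegotiation missing")
            if client.get("user-group-profile") not in groups:
                findings.append(f"{who}: user-group-profile is not defined")
    # Every pool range bound must fall inside the pool's network (inet) or prefix (inet6).
    for pkey, pool in cfg.get("address-assignment", {}).items():
        for fam in pool.values():
            net = ipaddress.ip_network(fam.get("network") or fam.get("prefix"), strict=False)
            for rkey, rng in fam.items():
                if not rkey.startswith("range "):
                    continue
                for bound in ("low", "high"):
                    v = rng[bound]
                    ok = (ipaddress.ip_network(v, strict=False).subnet_of(net)
                          if "/" in v else ipaddress.ip_address(v) in net)
                    if not ok:
                        findings.append(f"{pkey} {rkey}: {bound} {v} is outside {net}")
    return findings
```

Running audit_lns(parse_junos(SAMPLE)) reports only lac2's missing lcp-renegotiation; pointing the parser at a real show access dump (with the secrets left as Junos prints them) gives the same checks against the live configuration.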

Published: 2012-11-29