close

keyboard_arrow_left

Table of Contents Expand all

play_arrow Broadband Subscriber Access Network Overview
play_arrow DHCP Subscriber Access Networks
play_arrow PPP Subscriber Access Networks
play_arrow L2TP Subscriber Access Networks
play_arrow Configuring MPLS Pseudowire Subscriber Logical Interfaces
- MPLS Pseudowire Subscriber Logical Interfaces
play_arrow Wi-Fi Access Gateways
- Wi-Fi Access Gateways
play_arrow Fixed Wireless Access Networks
- Fixed Wireless Access Networks
- Tracing Fixed Wireless Access Events for Troubleshooting
play_arrow Configuration Statements and Operational Commands
- Junos CLI Reference Overview

list Table of Contents

English

Configuring an L2TP LNS with Inline Service Interfaces
Applying PPP Attributes to L2TP LNS Subscribers per Inline Service Interface
Applying PPP Attributes to L2TP LNS Subscribers with a User Group Profile
Configuring an L2TP Access Profile on the LNS
Configuring a AAA Local Access Profile on the LNS
Configuring an Address-Assignment Pool for L2TP LNS with Inline Services
Configuring the L2TP LNS Peer Interface
Enabling Inline Service Interfaces
Configuring an Inline Service Interface for L2TP LNS
Configuring Options for the LNS Inline Services Logical Interface
LNS 1:1 Stateful Redundancy Overview
Configuring 1:1 LNS Stateful Redundancy on Aggregated Inline Service Interfaces
Verifying LNS Aggregated Inline Service Interface 1:1 Redundancy
L2TP Session Limits and Load Balancing for Service Interfaces
Example: Configuring an L2TP LNS
Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces
Applying Services to an L2TP Session Without Using RADIUS
Configuring a Pool of Inline Services Interfaces for Dynamic LNS Sessions
Configuring a Dynamic Profile for Dynamic LNS Sessions
Change History Table

keyboard_arrow_right

L2TP LNS Inline Service Interfaces

date_range 06-Dec-23

arrow_backward

arrow_forward

Configuring an L2TP LNS with Inline Service Interfaces

The L2TP LNS feature license must be installed before you begin the configuration. Otherwise, a warning message is displayed when the configuration is committed.

To configure an L2TP LNS with inline service interfaces:

(Optional) Configure a user group profile that defines the PPP configuration for tunnel subscribers.
See Applying PPP Attributes to L2TP LNS Subscribers with a User Group Profile.
(Optional) Configure PPP attributes for subscribers on inline service interfaces.
See Applying PPP Attributes to L2TP LNS Subscribers per Inline Service Interface.
Configure inline IP reassembly.
See Configuring IP Inline Reassembly for L2TP.
Configure an L2TP access profile that defines the L2TP parameters for each LNS client (LAC).
See Configuring an L2TP Access Profile on the LNS.
(Optional) Configure a AAA access profile to override the access profile configured under the routing instance.
See Configuring a AAA Local Access Profile on the LNS.
Configure a pool of addresses to be dynamically assigned to tunneled PPP subscribers.
See Configuring an Address-Assignment Pool for L2TP LNS with Inline Services.
Configure the peer interface to terminate the tunnel and the PPP server-side IPCP address.
See Configuring the L2TP LNS Peer Interface.
Enable inline service interfaces on an MPC.
See Enabling Inline Service Interfaces.
Configure a service interface.
See Configuring an Inline Service Interface for L2TP LNS.
Configure options for each inline service logical interface.
See Configuring Options for the LNS Inline Services Logical Interface.
(Optional) Configure an aggregated inline service interface and 1:1 stateful redundancy.
See Configuring 1:1 LNS Stateful Redundancy on Aggregated Inline Service Interfaces
Configure the L2TP tunnel group.
See Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces.
(Optional) Configure a dynamic profile that dynamically creates L2TP logical interfaces.
See Configuring a Dynamic Profile for Dynamic LNS Sessions.
(Optional) Configure a service interface pool for dynamic LNS sessions.
See Configuring a Pool of Inline Services Interfaces for Dynamic LNS Sessions.
(Optional) Specify how many times L2TP retransmits unacknowledged control messages.
See Configuring Retransmission Attributes for L2TP Control Messages.
(Optional) Specify how long a tunnel can remain idle before being torn down.
See Setting the L2TP Tunnel Idle Timeout.
(Optional) Specify the L2TP receive window size for the L2TP tunnel. The receive window size specifies the number of packets a peer can send before waiting for an acknowledgment from the router.
See Setting the L2TP Receive Window Size.
(Optional) Specify how long the L2TP retains information about terminated dynamic tunnels, sessions, and destinations.
See Setting the L2TP Destruct Timeout.
(Optional) Configure the L2TP destination lockout timeout.
See Configuring the L2TP Destination Lockout Timeout.
(Optional) Configure L2TP tunnel switching.
See Configuring L2TP Tunnel Switching.
(Optional) Prevent the creation of new sessions, destinations, or tunnels for L2TP.
See Configuring L2TP Drain.
(Optional) Configure whether the L2TP failover protocol is negotiated or the silent failover method is used for resynchronization.
See Configuring the L2TP Peer Resynchronization Method.
(Optional) Enable SNMP statistics counters.
See Enabling Tunnel and Global Counters for SNMP Statistics Collection.
(Optional) Configure trace options for troubleshooting the configuration.
See Tracing L2TP Events for Troubleshooting.

You also need to configure CoS for LNS sessions. For more information, see Configuring Dynamic CoS for an L2TP LNS Inline Service.

Applying PPP Attributes to L2TP LNS Subscribers per Inline Service Interface

You can configure PPP attributes that are applied by the LNS on the inline service (si) interface to the PPP subscribers tunneled from the LAC. Because you are configuring the attributes per interface rather than with a user group profile, the attributes for subscribers can be varied with a finer granularity. This configuration matches that used for terminated PPPoE subscribers.

To configure the PPP attributes for dynamically created si interfaces:

Specify the predefined dynamic interface and logical interface variables in the dynamic profile.

content_copy zoom_out_map
[edit dynamic-profiles profile-name]
user@host# edit interfaces "$junos-interface-ifd-name" unit “$junos-interface-unit”

Configure the interval between PPP keepalive messages for the L2TP tunnel terminating on the LNS.

content_copy zoom_out_map
[edit dynamic-profiles profile-name interfaces "$junos-interface-ifd-name" unit “$junos-interface-unit”]
user@host# set keepalives interval seconds

Configure PPP authentication methods that apply to tunneled PPP subscribers at the LNS.

content_copy zoom_out_map
[edit dynamic-profiles profile-name interfaces "$junos-interface-ifd-name" unit “$junos-interface-unit”]
user@host# set ppp-options chap
user@host# set ppp-options pap

Specify a set of AAA options that is used for authentication and authorization of tunneled PPP subscribers at the LNS that are logging in by means of the subscriber and AAA contexts that are specified in the AAA options set.
```
[edit dynamic-profiles profile-name interfaces "$junos-interface-ifd-name" unit “$junos-interface-unit”]
user@host# set ppp-options aaa-options aaa-options-name
```
The option set is configured with the aaa-options aaa-options-name statement at the [edit access] hierarchy level.
Configure the router to prompt Customer Premises Equipment (CPE) to negotiate both primary and secondary DNS addresses during IPCP negotiation for tunneled PPP subscribers at the LNS.
```
[edit dynamic-profiles profile-name interfaces "$junos-interface-ifd-name" unit “$junos-interface-unit”]
user@host# set ppp-options ipcp-suggest-dns-option
```
(Optional) Disable validation of the PPP magic number during LCP negotiation and in LCP keepalive (echo-request/echo-reply) exchanges. Prevents comparison of received magic number with internally generated magic number, so that a mismatch does not cause session termination.
```
[edit dynamic-profiles profile-name interfaces "$junos-interface-ifd-name" unit “$junos-interface-unit”]
user@host# set ppp-options ignore-magic-number-mismatch
```

To configure the PPP attributes for statically created si interfaces:

Specify the logical inline service interface.

content_copy zoom_out_map
[edit interfaces si-slot/pic/port]
user@host# edit unit logical-unit-number

Configure the interval between PPP keepalive messages for the L2TP tunnel terminating on the LNS.
```
[edit interfaces si-slot/pic/port unit logical-unit-number]
user@host# set keepalives interval seconds
```
Configure the number of keepalive packets a destination must fail to receive before the network takes down a link.
```
[edit interfaces si-slot/pic/port unit logical-unit-number]
user@host# set keepalives down-count number
```
Note:
The keepalives up-count option is typically not used for subscriber management.

Configure PPP authentication methods that apply to tunneled PPP subscribers at the LNS.

content_copy zoom_out_map
[edit interfaces si-slot/pic/port unit logical-unit-number]
user@host# set ppp-options chap
user@host# set ppp-options pap

Configure the router to prompt the Customer Premises Equipment (CPE) to negotiate both primary and secondary DNS addresses during IPCP negotiation for tunneled PPP subscribers at the LNS.
```
[edit interfaces si-slot/pic/port unit logical-unit-number]
user@host# set ppp-options ipcp-suggest-dns-option
```

Best Practice:

Although all other statements subordinate to ppp-options—including those subordinate to chap and pap—are supported, they are typically not used for subscriber management. We recommend that you leave these other statements at their default values.

Note:

You can also configure PPP attributes with a user group profile that applies the attributes to all subscribers with that profile on a LAC client. See Applying PPP Attributes to L2TP LNS Subscribers with a User Group Profile for more information. When you configure the PPP attributes for L2TP LNS subscribers both on the si interface and in user group profiles, the inline service interface configuration takes precedence over the user group profile configuration.

Note:

When PPP options are configured in both a group profile and a dynamic profile, the dynamic profile configuration takes complete precedence over the group profile when the dynamic profile includes one or more of the PPP options that can be configured in the group profile. Complete precedence means that there is no merging of options between the profiles. The group profile is applied to the subscriber only when the dynamic profile does not include any PPP option available in the group profile.

Applying PPP Attributes to L2TP LNS Subscribers with a User Group Profile

You can configure a user group profile that enables the LNS to apply PPP attributes to the PPP subscribers tunneled from the LAC. The user group profile is associated with clients (LACs) in the L2TP access profile. Consequently all subscribers handled by a given client share the same PPP attributes.

To configure a user group profile:

Create the profile.

content_copy zoom_out_map
[edit access]
user@host# edit group-profile profile-name

Configure the interval between PPP keepalive messages for the L2TP tunnel terminating on the LNS.
```
[edit access group-profile  profile-name]
user@host# set ppp keepalive seconds
```
Note:
Changes to the keepalive interval in a user group profile affect only new L2TP sessions that come up after the change. Existing sessions are not affected.

Configure PPP authentication methods that apply to tunneled PPP subscribers at the LNS.

[edit access group-profile  profile-name]
user@host# set ppp ppp-options chap
user@host# set ppp ppp-options pap

Specify a set of AAA options that is used for authentication and authorization of tunneled PPP subscribers at the LNS that are logging in by means of the subscriber and AAA contexts that are specified in the AAA options set.
```
[edit access group-profile  profile-name]
user@host# set ppp ppp-options  aaa-options aaa-options-name
```
The option set is configured with the aaa-options aaa-options-name statement at the [edit access] hierarchy level.
Configure the router to prompt the Customer Premises Equipment (CPE) to negotiate both primary and secondary DNS addresses during IPCP negotiation for tunneled PPP subscribers at the LNS.
```
[edit access group-profile  profile-name]
user@host# set ppp ppp-options ipcp-suggest-dns-option
```
(Optional) Disable the Packet Forwarding Engine from performing a validation check for PPP magic numbers received from a remote peer in LCP keepalive (Echo-Request/Echo-Reply) exchanges. This prevents PPP from terminating the session when the number does not match the value agreed upon during LCP negotiation. This capability is useful when the remote PPP peers include arbitrary magic numbers in the keepalive packets. Configuring this statement has no effect on LCP magic number negotiation or on the exchange of keepalives when the remote peer magic number is the expected negotiated number.
```
[edit access group-profile profile-name]
user@host# set ppp ppp-options ignore-magic-number-mismatch
```
Configure how long the PPP subscriber session can be idle before it is considered to have timed out.
```
[edit access group-profile  profile-name]
user@host# set ppp idle-timeout 200
```

Note:

You can also configure PPP attributes on a per-interface basis. See Applying PPP Attributes to L2TP LNS Subscribers per Inline Service Interface for more information. When you configure the PPP attributes for L2TP LNS subscribers both on the si interface and in user group profiles, the inline service interface configuration takes precedence over the user group profile configuration.

Note:

Configuring an L2TP Access Profile on the LNS

Access profiles define how to validate Layer 2 Tunneling Protocol (L2TP) connections and session requests. Within each L2TP access profile, you configure one or more clients (LACs). The client characteristics are used to authenticate LACs with matching passwords, and to establish attributes of the client tunnel and session. You can configure multiple access profiles and multiple clients within each profile.

To configure an L2TP access profile:

Create the access profile.

content_copy zoom_out_map
[edit access]
user@host# edit profile access-profile-name

Configure characteristics for one or more clients (LACs).
```
[edit access profile access-profile-name]
user@host# client client-name
```
Note:
Except for the special case of the default client, the LAC client name that you configure in the access profile must match the hostname of the LAC. In the case of a Juniper Networks router acting as the LAC, the hostname is configured in the LAC tunnel profile with the gateway gateway-name statement at the [edit access tunnel-profile profile-name tunnel tunnel-id source-gateway] hierarchy level. Alternatively, the client name can be returned from RADIUS in the attribute, Tunnel-Client-Auth-Id [90].

Note:
Use default as the client name when you want to define a default tunnel client. The default client enables the authentication of multiple LACs with the same secret and L2TP attributes. This behavior is useful when, for example, many new LACs are added to the network, because it enables the LACs to be used without additional LNS profile configuration.

Use default only on MX Series routers. The equivalent client name on M Series routers is *.
(Optional) Specify a local access profile that overrides the global access profile and the tunnel group AAA access profile to configure RADIUS server settings for the client.
```
[edit access profile access-profile-name client client-name]
user@host# set l2tp aaa-access-profile
```
Configure the LNS to renegotiate the link control protocol (LCP) with the PPP client. tunneled from the client.
```
[edit access profile access-profile-name client client-name]
user@host# set l2tp lcp-renegotiation
```
Configure one or more dynamic service profiles to apply services to all subscribers on the LAC. You can optionally pass parameter to the services in the same statement.
```
[edit access profile access-profile-name client client-name]
user@host# set l2tp service-profile profile-name(parameter)&profile-name
```

Configure the maximum number of sessions allowed in a tunnel from the client (LAC).

content_copy zoom_out_map
[edit access profile access-profile-name client client-name]
user@host# set l2tp maximum-sessions-per-tunnel number

Configure the LNS to override result codes 4 and 5 with result code 2 in CDN messages it sends to the LAC when the number of L2TP sessions reaches the configured maximum value. Some third-party LACs cannot fail over to another LNS unless the result code has a value of 2.
```
[edit access profile access-profile-name client client-name]
user@host# set l2tp override-result-code session-out-of-resource
```

Configure the tunnel password used to authenticate the client (LAC).

content_copy zoom_out_map
[edit access profile access-profile-name client client-name]
user@host# set l2tp shared-secret shared-secret

(Optional) Associate a group profile containing PPP attributes to apply for the PPP sessions being tunneled from this LAC client.
```
[edit access profile access-profile-name client client-name]
user@host# set user-group-profile group-profile-name
```
Note:
If user-group-profile is modified or deleted, the existing LNS subscribers, which were using this Layer 2 Tunneling Protocol client configuration, go down.

Configuring a AAA Local Access Profile on the LNS

For some LNS tunnels, you might wish to override the access profile configured at the routing instance that hosts the tunnel with a particular RADIUS server configuration. You can configure a local access profile to do so. You can subsequently use the aaa-access-profile statement to apply the local access profile to a tunnel group or LAC client.

A local access profile applied to a client overrides a local access profile applied to a tunnel group, which in turn overrides the access profile for the routing instance.

To configure an AAA local access profile:

Create the access profile.

content_copy zoom_out_map
[edit access]
user@host# edit profile local-aaa-profile-name

Configure the order of AAA authentication methods.

content_copy zoom_out_map
[edit access profile local-aaa-profile-name]
user@host# set authentication-order radius

Configure the RADIUS server attributes, such as the authentication password.

content_copy zoom_out_map
[edit access profile local-aaa-profile-name]
user@host# set radius-server server-address secret password

Configuring an Address-Assignment Pool for L2TP LNS with Inline Services

You can configure pools of addresses that can be dynamically assigned to the tunneled PPP subscribers. The pools must be local to the routing instance where the subscriber comes up. The configured pools are supplied in the RADIUS Framed-Pool and Framed-IPv6-Pool attributes. Pools are optional when Framed-IP-Address is sent by RADIUS.

To configure an address-assignment pool, you must specify the name of the pool and configure the addresses for the pool.

You can optionally configure multiple named ranges, or subsets, of addresses within an address-assignment pool. During dynamic address assignment, a client can be assigned an address from a specific named range. To create a named range, you specify a name for the range and define the address range.

Note:

Be sure to use the address-assignment pools (address-assignment) statement rather than the address pools (address-pool) statement.

For more information about address assignment pools, see Address-Assignment Pools Overview and Address-Assignment Pool Configuration Overview.

To configure an IPv4 address-assignment pool for L2TP LNS:

Configure the name of the pool and specify the IPv4 family.
```
[edit access]
user@host# edit address-assignment pool  pool-name family inet
```

Configure the network address and the prefix length of the addresses in the pool.

content_copy zoom_out_map
[edit access address-assignment pool pool-name family inet]
user@host# set network ip-prefix</prefix-length>

Configure the name of the range and the lower and upper boundaries of the addresses in the range.

content_copy zoom_out_map
[edit access address-assignment pool pool-name family inet]
user@host# set range range-name low lower-limit high upper-limit

For example, to configure an IPv4 address-assignment pool:

content_copy zoom_out_map
[edit access]
user@host# edit address-assignment pool lns-v4-pool family inet
[edit access address-assignment pool lns-v4-pool family inet]
user@host# set network 192.168.1.1/16 
[edit access address-assignment pool lns-v4-pool family inet]
user@host# set range lns-v4-pool-range low 192.168.1.1 high 192.168.255.255

To configure an IPv6 address-assignment pool for L2TP LNS:

Configure the name of the pool and specify the IPv6 family.

content_copy zoom_out_map
[edit access]
user@host# edit address-assignment pool  pool-name family inet6

Configure the IPv6 network prefix for the address pool. The prefix specification is required when you configure an IPv6 address-assignment pool.
```
[edit access address-assignment pool pool-name family inet6]
user@host# set prefix ipv6-prefix
```
Configure the name of the range and define the range. You can define the range based on the lower and upper boundaries of the prefixes in the range, or based on the length of the prefixes in the range.
```
[edit access address-assignment pool pool-name family inet6]
user@host# set range range-name low lower-limit high upper-limit
```

For example, to configure an IPv6 address-assignment pool:

content_copy zoom_out_map
[edit access]
user@host# edit address-assignment pool  lns-v6-pool family inet6
[edit access address-assignment pool lns-v6-pool family inet6]
user@host# set prefix 2001:DB8::/32
[edit access address-assignment pool lns-v6-pool family inet6]
user@host# set range lns-v6-pool-range low 2001:DB8:1::/48 high 2001:DB8::ffff::/48

Configuring the L2TP LNS Peer Interface

The peer interface connects the LNS to the cloud towards the LACs so that IP packets can be exchanged between the tunnel endpoints. MPLS and aggregated Ethernet can also be used to reach the LACs.

Note:

On MX Series routers, you must configure the peer interface on an MPC.

To configure the LNS peer interface:

Specify the interface name.

content_copy zoom_out_map
[edit interfaces]
user@host# edit interface-name

Enable VLANs.

content_copy zoom_out_map
[edit interfaces interface-name]
user@host# set vlan-tagging

Specify the logical interface, bind a VLAN tag ID to the interface, and configure the address family and the IP address for the logical interface.
```
[edit interfaces interface-name]
user@host# edit unit logical-unit-number
[edit interfaces interface-name unit logical-unit-number]
user@host# set vlan-id number
user@host# set family family address ip-address
```
Note:
The IPv6 address family is not supported as a tunnel endpoint.

Enabling Inline Service Interfaces

The inline service interface is a virtual physical interface that resides on the Packet Forwarding Engine. This si interface, referred to as an anchor interface, makes it possible to provide L2TP services without a special services PIC. The inline service interface is supported only by MPCs on MX Series routers. Four inline service interfaces are configurable per MPC-occupied chassis slot.

Note:

On MX80 and MX104 routers, you can configure only four inline services physical interfaces as anchor interfaces for L2TP LNS sessions: si-1/0/0, si-1/1/0, si-1/2/0, and si-1/3/0. You cannot configure si-0/0/0 for this purpose on MX80 and MX104 routers.

Although the range of bandwidth values is 1 Gbps through 400 Gbps, you cannot configure the bandwidth in absolute numbers such as 12,345,878,000 bps. You must use the options available in the CLI statement:

1g
10g through 100g in 10 Gbps increments: 10g, 20g, 30g, 40g, 50g, 60g, 70g, 80g, 90g, 100g
100g through 400g in 100 Gbps increments: 100g, 200g, 300g, 400g

The maximum bandwidth available varies among MPCs, as shown in Table 1. A system log message is generated when you configure a bandwidth higher than is supported on the MPC.

Table 1: Maximum Bandwidth for Inline Services per MPC
MPC	Maximum Supported Bandwidth
MPC2E NG, MPC2E NG Q,	80 Gbps
MPC3E NG, MPC3E NG Q	130 Gbps
100GE and 40GE MPC3 and MICs	40 Gbps
MPC4E	130 Gbps
MPC5E	130 Gbps
MPC6E	130 Gbps
MPC7E	240 Gbps
MPC8E	240 Gbps 400 Gbps in 1.6 Tbps upgraded mode
MPC9E	400 Gbps

To enable inline service interfaces:

Access an MPC-occupied slot and the PIC where the interface is to be enabled.
```
[edit chassis]
user@host# edit fpc slot-number pic number
```
Enable the interface and optionally specify the amount of bandwidth reserved on each Packet Forwarding Engine for tunnel traffic using inline services. Starting in Junos OS Release 16.2, you are not required to explicitly specify a bandwidth for L2TP LNS tunnel traffic using inline services. When you do not specify a bandwidth, the maximum bandwidth supported on the PIC is automatically available for the inline services; inline services can use up to this maximum value. In earlier releases, you must specify a bandwidth when you enable inline services with the inline-services statement.
```
[edit chassis fpc slot-number pic number]
user@host# set inline-services bandwidth bandwidth-value
```

Configuring an Inline Service Interface for L2TP LNS

The inline service interface is a virtual physical service interface that resides on the Packet Forwarding Engine. This si interface, referred to as an anchor interface, makes it possible to provide L2TP services without a special services PIC. The inline service interface is supported only by MPCs on MX Series routers. Four inline service interfaces are configurable per MPC-occupied chassis slot.

You can maximize the number of sessions that can be shaped in one service interface by setting the maximum number of hierarchy levels to two. In this case, each LNS session consumes one L3 node in the scheduler hierarchy for shaping.

If you do not specify the number of levels (two is the only option), then the number of LNS sessions that can be shaped on the service interface is limited to the number of L2 nodes, or 4096 sessions. Additional sessions still come up, but they are not shaped.

To configure an inline service interface:

Access the service interface.

content_copy zoom_out_map
[edit interfaces]
user@host# edit si-slot/pic/port

(Optional; for per-session shaping only) Enable the inline service interface for hierarchical schedulers and limit the number of scheduler levels to two.
```
[edit interfaces si-slot/pic/port]
user@host# set hierarchical-scheduler maximum-hierarchy-levels 2
```
(Optional; for per-session shaping only) Configure services encapsulation for inline service interface.
```
[edit interfaces si-slot/pic/port]
user@host# set encapsulation generic-services
```
Configure the IPv4 family on the reserved unit 0 logical interface.
```
[edit interfaces si-slot/pic/port]
user@host# set unit 0 family inet
```

Configuring Options for the LNS Inline Services Logical Interface

You must specify characteristics—dial-options—for each of the inline services logical interfaces that you configure for the LNS. LNS on MX Series routers supports only one session per logical interface, so you must configure it as a dedicated interface; the shared option is not supported. (LNS on M Series routers supports dedicated and shared options.) You also configure an identifying name for the logical interface that matches the name you specify in the access profile.

You must specify the inet address family for each static logical interface or in the dynamic profile for dynamic LNS interfaces. Although the CLI accepts either inet or inet6 for static logical interfaces, the subscriber cannot log in successfully unless the address family inet is configured.

Note:

For dynamic interface configuration, see Configuring a Dynamic Profile for Dynamic LNS Sessions.

To configure the static logical interface options:

Access the inline services logical interface.

content_copy zoom_out_map
[edit]
user@host# edit interfaces si-fpc/pic/port unit logical-unit-number

Specify an identifier for the logical interface.

content_copy zoom_out_map
[edit interfaces si-fpc/pic/port unit logical-unit-number]
user@host# set dial-options l2tp-interface-id name

Configure the logical interface to be used for only one session at a time.

content_copy zoom_out_map
[edit interfaces si-fpc/pic/port unit logical-unit-number]
user@host# set dial-options dedicated

Configure the address family for each logical interface and enable the local address on the LNS that provides local termination for the L2TP tunnel to be derived from the specified interface name.
```
[edit interfaces si-fpc/pic/port unit logical-unit-number]
user@host# set family inet unnumbered-address lo0.0
```

LNS 1:1 Stateful Redundancy Overview

By default, when an inline service (si) anchor interface goes down—for example, when the card hosting the interface fails or restarts—L2TP subscriber traffic is lost. When the PPP keepalive timer for the tunnel subsequently expires, the control plane goes down and the PPP client is disconnected. Consequently, the client must then reconnect.

You can avoid traffic loss in these circumstances by configuring an aggregated inline service interface (asi) bundle to provide 1:1 stateful redundancy, also called hot standby or active-backup redundancy. The bundle consists of a pair of si physical interfaces, the primary (active) member link and the secondary (standby or backup) member link. These interfaces must be configured on different MPCs; redundancy is not achievable if you configure the primary and secondary interface on the same MPC because both member interfaces go down if the card goes down.

When subscribers log in and 1:1 redundancy is configured, the L2TP session is established over an underlying virtual logical interface (asix.0) over the asi0 physical interface. Individual subscriber logical interfaces are created on the underlying interface in the format, asiX.logical-unit-number. The session remains up in the event of a failure or a restart on the MPC hosting the primary member link interface. All the data traffic destined for this L2TP session automatically moves over to the secondary member link interface on the other MPC.

Configuring 1:1 LNS Stateful Redundancy on Aggregated Inline Service Interfaces

You can create an aggregated inline service interface (asi) bundle to provide 1:1 LNS stateful redundancy for inline service (si) anchor interfaces. The bundle pairs two interfaces that reside on different MPCs as primary and secondary links. LNS sessions are subsequently established over a virtual logical interface, asiX.logical-unit-number. LNS session failover occurs when either the primary anchor interface goes down or the card is restarted with the request chassis fpc restart command. When this happens, the secondary link—on a different MPC—becomes active and all the LNS data traffic destined for the session automatically moves over to the secondary interface. The subscriber session remains up on the asiX.logical-unit-number virtual interface. No traffic statistics are lost. When this redundancy is not configured, subscriber traffic is lost, the keepalives expire, and the PPP client is disconnected and must reconnect.

Before you begin, you must do the following:

Confirm that enhanced subscriber management is enabled.
Create inline service interfaces on different MPCs to be aggregated in the bundle.

See Enabling Inline Service Interfaces and Configuring an Inline Service Interface for L2TP LNS.
If you are using pools of service interfaces, define the service pools.

Best Practice:

Follow these guidelines:

You must configure unit 0 family inet for each bundle; otherwise, the session fails to come up.
The primary (active) and secondary (backup) interfaces must be on different MPCs.
The bandwidth configured at the [edit chassis fpc slot pic number inline-services bandwidth] hierarchy level must be the same for both member links.
An si interface configured as a member of an aggregated inline service interface bundle cannot be configured as a member of another bundle group.
An si interface configured as a member of an aggregated inline service interface bundle cannot also be used for any function that is not related to aggregated services; for example, it cannot be used for inline IP reassembly.
When you configure an si interface as a member of an aggregated inline services bundle, you can no longer configure that si interface independently. You can configure only the parent bundle; the bundle’s configuration is applied immediately to all member interfaces.

To configure 1:1 LNS stateful redundancy:

On one MPC, specify the primary (active) inline services member link in the bundle.
```
[edit interfaces asix aggregated-inline-services-options]
user@host# set primary-interface
```
Configure the amount of bandwidth reserved on this MPC for tunnel traffic using the primary inline service interface.
```
[edit chassis fpc slot pic number inline-services]
user@host# set bandwidth (1g | 10g)
```
On a different MPC, specify the secondary(backup) inline services member link in the bundle.
```
[edit interfaces asix aggregated-inline-services-options]
user@host# set secondary-interface
```
Note:
If you configure the active and backup member links on the same MPC, the subsequent commit of the configuration fails.
Configure the amount of bandwidth reserved on this MPC for tunnel traffic using the secondary inline service interface.
```
[edit chassis fpc slot pic number inline-services]
user@host# set bandwidth (1g | 10g)
```
Assign the aggregated inline service interface bundle to an L2TP tunnel group by either of the following methods:
- Assign a single bundle by specifying the name of the aggregated inline service physical interface.
  [edit services l2tp tunnel-group name] user@host# set service-interface interface-name
- Assign one or more pools of bundles to the tunnel group.
  [edit services l2tp tunnel-group name] user@host# set service-device-pool pool-name
  Note:
  A pool can be mixed; that is, it can include both aggregated inline service interface bundles and individual inline service interfaces. The individual interfaces must not be members of existing bundles.

The following sample configuration creates bundle asi0 with member links on MPCs in slot 1 and slot 2, then assigns the bundle to provide redundancy for L2TP sessions on tunnel group tg1:

[edit interfaces asi0]
user@host# set aggregated-inline-services-options primary-interface si-1/0/0
user@host# set aggregated-inline-services-options secondary-interface si-2/0/0
user@host# set unit 0 family inet

[edit chassis fpc 1 pic 0 inline-services]
user@host# set bandwidth 10g

[edit chassis fpc 2 pic 0 inline-services]
user@host# set bandwidth 10g

[edit services l2tp tunnel-group tg1]
user@host# set service-interface asi0

Verifying LNS Aggregated Inline Service Interface 1:1 Redundancy

Purpose
Action

Purpose

View information about aggregated inline service interface bundles, individual member links, and redundancy status.

Action

To view summary information about an aggregated inline service interface bundle:

content_copy zoom_out_map
user@host> show interfaces asi0 terse
Interface               Admin Link Proto    Local                 Remote
asi0                    up    up
asi0.0                  up    up   inet

To view detailed information about an aggregated inline service interface bundle:

content_copy zoom_out_map
user@host> show interfaces asi0 extensive
Physical interface: asi0, Enabled, Physical link is Up
  Interface index: 223, SNMP ifIndex: 734, Generation: 226
  Type: Adaptive-Services, Link-level type: Adaptive-Services, MTU: 9192, Clocking: Unspecified, Speed: 20000mbps
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps Internal: 0x4000
  Link type      : Full-Duplex
  Link flags     : None
Physical info  : Unspecified
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: Unspecified, Hardware address: Unspecified
  Alternate link address: Unspecified
  Last flapped   : 2014-01-20 23:35:02 PST (00:03:25 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
   IPv6 transit statistics:
    Input  bytes  :                   0
    Output bytes  :                   0
    Input  packets:                   0
    Output packets:                   0
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, MTU errors: 0, Resource errors: 0

  Logical interface asi0.0 (Index 356) (SNMP ifIndex 52241) (Generation 165)
    Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: Adaptive-Services
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Protocol inet, MTU: 9192, Generation: 198, Route table: 0
      Flags: Sendbcast-pkt-to-re

To view information about an individual member interface in an aggregated inline service interface bundle:

content_copy zoom_out_map
user@host> show interfaces si-1/0/0
Physical interface: si-1/0/0, Enabled, Physical link is Up
  Interface index: 165, SNMP ifIndex: 630
  Type: Adaptive-Services, Link-level type: Adaptive-Services, MTU: 9192, Speed: 10000mbps
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps Internal: 0x4000
  Link type      : Full-Duplex
  Link flags     : None
  Last flapped   : Never
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)

  Logical interface si-1/0/0.0 (Index 357) (SNMP ifIndex 52229)
    Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: Adaptive-Services
    Input packets : 0
    Output packets: 0
    Protocol asi, AS bundle: asi0.0
      Flags: Function2

To view redundancy status for aggregated inline service interface bundles:

content_copy zoom_out_map
user@host> show interfaces redundancy
Interface State         Last change Primary    Secondary Current status
asi0       On secondary  1d 23:56     si-1/0/0   si-2/0/0   primary down
asi1       On primary    10:10:27     si-3/0/0   si-4/0/0   secondary down 
ae0        On primary    00:00:02     ge-1/0/0   ge-3/0/1   backup down
ae2        On primary    00:00:01     ge-2/0/0   ge-4/0/1   both up

That sample output shows that both aggregated Ethernet and aggregated inline service interfaces are configured for redundancy. To display only one of the aggregated inline service interface bundles:

content_copy zoom_out_map
user@host> show interfaces redundancy asi0
Interface State         Last change Primary    Secondary Current status
asi0       On secondary  1d 23:56     si-1/0/0   si-2/0/0   primary down

To view detailed information about all configured redundancy interfaces:

content_copy zoom_out_map
user@host> show interfaces redundancy detail
Redundancy interfaces detail
Interface        : asi0
  State          : On primary
  Last change    : 00:00:36
  Primary        : si-1/0/0
  Secondary      : si-3/0/0
  Current status: both up

Interface        : ae0
  State          : On primary
  Last change    : 00:01:30
  Primary        : ge-1/0/0
  Secondary      : ge-3/0/1
  Current status : backup down

L2TP Session Limits and Load Balancing for Service Interfaces

The LNS load balances subscriber sessions across the available service interfaces in a device pool based on the number of sessions currently active on the interfaces. You can configure a maximum limit per service interface (si) and per aggregated service interface (asi). In the case of asi interfaces, you cannot configure a limit for the individual si member interfaces in the bundle.

Session Limits on Service Interfaces
Session Load Balancing Across Service Interfaces

Session Limits on Service Interfaces

When an L2TP session request is initiated for a service interface, the LNS checks the number of current active sessions on that interface against the maximum number of sessions allowed for the individual service interface or aggregated service interface. The LNS determines whether the current session count (displayed by the show services l2tp summary command) is less than the configured limit. When that is true or when no limit is configured, the check passes and the session can be established. If the current session count is equal to the configured limit, then the LNS rejects the session request. No subsequent requests can be accepted on that interface until the number of active requests drops below the configured maximum. When a session request is rejected for an si or asi interface, the LNS returns a CDN message with the result code set to 2 and the error code set to 4.

For example, suppose a single service interface is configured in the tunnel group. The current L2TP session count is 1500, with a configured limit of 2000 sessions. When a new session is requested, the limit check passes and the session request is accepted.

Interface	Configured Session Limit	Current Session Count	Session Limit Check Result
si-0/0/0	2000	1500	Pass

The limit check continues to pass and session requests are accepted until 500 requests have been accepted, making the current session count 2000, which matches the configured maximum. The session limit check fails for all subsequent requests and all requests are rejected until the current session count on the interface drops below 2000, so that the limit check can pass.

Interface	Configured Session Limit	Current Session Count	Session Limit Check Result
si-0/0/0	2000	2000	Fail

When the session limit is set to zero for an interface , no session requests can be accepted. If that is the only interface in the tunnel group, then all session requests in the group are rejected until the session limit is increased from zero or another service interface is added to the tunnel group.

When a service interface In a service device pool has reached the maximum configured limit or it has a configured limit of zero, the LNS skips that interface when a session request is made and selects another interface in the pool to check the session limit. This continues until an interface passes and the session is accepted or no other interface remains in the pool to be selected.

Session Load Balancing Across Service Interfaces

The behavior for session load distribution in a service device pool changed in Junos OS Release 16.2. When a service interface has a lower session count than another interface in the pool and both interfaces are below their maximum session limit, subsequent sessions are distributed to the interface with fewer sessions.

In earlier releases, sessions are distributed in a strictly round-robin manner, regardless of session count. The old behavior can result in uneven session distribution when the Packet Forwarding Engine is rebooted or a service interface goes down and comes back up.

For example, consider the following scenario using the old round-robin distribution behavior for a pool with two service interfaces:

Two hundred sessions are evenly distributed across the two service interfaces.
- si-0/0/0 has 100 sessions.
- si-1/0/0 has 100 sessions.
The si-1/0/0 interface reboots. When it comes back, initially sessions are up only on si-0/0/0.
- si-0/0/0 has 100 sessions.
- si-1/0/0 has 0 sessions.
As the sessions formerly on si-1/0/0 reconnect, they are distributed equally across both service interfaces. When all 100 sessions are back up, the distribution is significantly unbalanced.
- si-0/0/0 has 150 sessions.
- si-1/0/0 has 50 sessions.
After 100 new sessions connect, si-0/0/0 reaches its maximum limit. Subsequent sessions are accepted only on si-1/0/0.
- si-0/0/0 has 200 sessions.
- si-1/0/0 has 100 sessions.
After 100 more sessions connect, si-1/0/0 reaches its maximum limit. No more sessions can be accepted until the session count drops below 200 for one of the interfaces.
- si-0/0/0 has 200 sessions.
- si-1/0/0 has 200 sessions.

Now consider the same scenario using the current load distribution behavior based on the number of attached sessions. The device pool again has two service interfaces each with a configured maximum limit of 200 sessions:

Two hundred sessions are evenly distributed across the two service interfaces.
- si-0/0/0 has 100 sessions.
- si-1/0/0 has 100 sessions.
The si-1/0/0 interface reboots. When it comes back up, sessions are up initially only on si-0/0/0.
- si-0/0/0 has 100 sessions.
- si-1/0/0 has 0 sessions.
As the sessions formerly on si-1/0/0 reconnect, they are distributed according to the session load on each interface. Because both interfaces are below their maximum limit, and si-1/0/0 has fewer sessions than si-0/0/0, sessions are initially distributed only to si-1/0/0.
1. After 1 new session:
  - si-0/0/0 has 100 sessions.
  - si-1/0/0 has 1 session.
2. After 10 new sessions:
  - si-0/0/0 has 100 sessions.
  - si-1/0/0 has 10 sessions.
3. After 100 new sessions:
  - si-0/0/0 has 100 sessions.
  - si-1/0/0 has 100 sessions.
Because both interfaces now have the same session count, the next session (#101) is distributed randomly between the two interfaces. The next session after that (#102) goes to the interface with the lower session count. That makes the interfaces equal again, so the next session (#103) is randomly distributed. This pattern repeats until the maximum limit of 200 sessions for both interfaces.
- si-0/0/0 has 200 sessions.
- si-1/0/0 has 200 sessions.
No more sessions can be accepted on either interface until the number of sessions drops below 200 on one of the interfaces.

The load balancing behavior is the same for aggregated service interfaces. An asi interface is selected from a pool based on the current session count for the asi interface. When that count is less than the maximum, the LNS checks current session count for the active si interface in the asi bundle. When that count is less than the maximum, the session can be established on the asi interface.

In a mixed device pool that has both service interfaces and aggregated service interfaces, sessions are distributed to the interface, either asi or si, that has the lowest session count. When the session count of an interface of either type reaches its limit, it can no longer accept sessions until the count drops below the maximum.

You can use the session limit configuration to achieve a session limit on particular Packet Forwarding Engines. Suppose you want a limit of 100 sessions on a PFE0, which has two service interfaces. You can set the max limit on each interface to 50, or any other combination that adds up to 100 to establish the PFE0 limit.

Example: Configuring an L2TP LNS

This example shows how you can configure an L2TP LNS on an MX Series router to provide tunnel endpoints for an L2TP LAC in your network. This configuration includes a dynamic profile for dual-stack subscribers.

Requirements
Overview
Configuration

Requirements

This L2TP LNS example requires the following hardware and software:

MX Series 5G Universal Routing Platform
One or more MPCs
Junos OS Release 11.4 or later

No special configuration beyond device initialization is required before you can configure this feature.

You must configure certain standard RADIUS attributes and Juniper Networks VSAs in the attribute return list on the AAA server associated with the LNS for this example to work. Table 2 lists the attributes with their required order setting and values. We recommend that you use the most current Juniper Networks RADIUS dictionary, available in the Downloads box on the Junos OS Subscriber Management page at https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/subscriber-access/index.html.

Table 2: VSA and Standard RADIUS Attribute Names, Order, and Values Required for Example
VSA Name [Number]	Order	Value
CoS-Parameter-Type [26–108]	1	T01 Multiplay
CoS-Parameter-Type [26–108]	2	T02 10m
CoS-Parameter-Type [26–108]	3	T08 -36
CoS-Parameter-Type [26–108]	4	T07 cell-mode
Framed-IPv6-Pool [100]	0	jnpr_ipv6_pool
Framed-Pool [88]	0	jnpr_pool
Egress-Policy-Name [26-11]	0	classify
Ingress-Policy-Name [26-10]	0	classify
Virtual-Router [26-1]	0	default

Overview

The LNS employs user group profiles to apply PPP attributes to the PPP subscribers that are tunneled from the LAC. LACs in the network are clients of the LNS. The clients are associated with user group profiles in the L2TP access profile configured on the LNS. In this example, the user group profile ce-l2tp-group-profile specifies the following PPP attributes:

A 30-second interval between PPP keepalive messages for L2TP tunnels from the client LAC terminating on the LNS.
A 200-second interval that defines how long the PPP subscriber session can be idle before it is considered to have timed out.
Both PAP and CHAP as the PPP authentication methods that apply to tunneled PPP subscribers at the LNS.

The L2TP access profile ce-l2tp-profile defines a set of L2TP parameters for each client LAC. In this example, the user group profile ce-l2tp-group-profile is associated with both clients, lac1 and lac2. Both clients are configured to have the LNS renegotiate the link control protocol (LCP) with the PPP client rather than accepting the pre-negotiated LCP parameters that the LACs pass to the LNS. LCP renegotiation also causes authentication to be renegotiated by the LNS; the authentication method is specified in the user group profile. The maximum number of sessions allowed per tunnel is set to 1000 for lac1 and to 4000 for lac2. A different password is configured for each LAC.

A local AAA access profile, aaa-profile, enables you to override the global AAA access profile, so that you can specify an authentication order, a RADIUS server that you want to use for L2TP, and a password for the server.

In this example, an address pool defines a range of IP addresses that the LNS allocates to the tunneled PPP sessions. This example defines ranges of IPv4 and IPv6 addresses.

Two inline service interfaces are enabled on the MPC located in slot 5 of the router. For each interface, 10 Gbps of bandwidth is reserved for tunnel traffic on the interface’s associated PFE. These anchor interfaces serve as the underlying physical interface. To enable CoS queue support on the individual logical inline service interfaces, you must configure both services encapsulation (generic-services) and hierarchical scheduling support on the anchors. The IPv4 address family is configured for both anchor interfaces. Both anchor interfaces are specified in the lns_p1 service device pool. The LNS can balance traffic loads across the two anchor interfaces when the tunnel group includes the pool.

This example uses the dynamic profile dyn-lns-profile2 to specify characteristics of the L2TP sessions that are created or assigned dynamically when a subscriber is tunneled to the LNS. For many of the characteristics, a predefined variable is set; the variables are dynamically replaced with the appropriate values when a subscriber is tunneled to the LNS.

The interface to which the tunneled PPP client connects ($junos-interface-name) is dynamically created in the routing instance ($junos-routing-instance) assigned to the subscriber. Routing options for access routes include the route’s next hop address ($junos-framed-route-nexthop), metric ($junos-framed-route-cost), and preference ($junos-framed-route-distance). For access-internal routes, a dynamic IP address variable ($junos-subscriber-ip-address) is set.

The logical inline service interfaces are defined by the name of a configured anchor interface ($junos-interface-ifd-name) and a logical unit number ($junos-interface-unit). The profile assigns l2tp-encapuslation as the identifier for the logical interface and specifies that each interface can be used for only a single session at a time.

The IPv4 address is set to a value returned from the AAA server. For IPv4 traffic an input firewall filter $junos-input-filter and an output firewall filter $junos-output-filter are attached to the interface. The loopback variable ($junos-loopback-interface) derives an IP address from a loopback interface (lo) configured in the routing instance and uses it in IPCP negotiation as the PPP server address. Because this is a dual-stack configuration, the IPv6 address family is also set, with the addresses provided by the $junos-ipv6-address variable.

The $junos-ipv6-address variable is used because Router Advertisement Protocol is also configured. This variable enables AAA to allocate the first address in the prefix to be reserved as the local address for the interface. The minimal configuration for the Router Advertisement Protocol in the dynamic profile specifies the $junos-interface-name and $junos-ipv6-ndra-prefix variables to dynamically assign a prefix value in IPv6 neighbor discovery router advertisements.

The dynamic profile also includes the class of service configuration that is applied to the tunnel traffic. The traffic-control profile (tc-profile) includes variables for the scheduler map ($junos-cos-scheduler-map), shaping rate ($junos-cos-shaping-rate), overhead accounting ($junos-cos-shaping-mode), and byte adjustment $junos-cos-byte-adjust). The dynamic profile applies the CoS configuration—including the forwarding class, the output traffic-control profile, and the rewrite rules—to the dynamic service interfaces.

The tg-dynamic tunnel group configuration specifies the access profile ce-l2tp-profile, the local AAA profile aaa-profile, and the dynamic profile dyn-lns-profile2 that are used to dynamically create LNS sessions and define the characteristics of the sessions. The lns_p1 service device pool associates a pool of service interfaces with the group to enable LNS to balance traffic across the interfaces. The local gateway address 203.0.113.2 corresponds to the remote gateway address that is configured on the LAC. The local gateway name ce-lns corresponds to the remote gateway name that is configured on the LAC.

Note:

This example does not show all possible configuration choices.

Configuration

CLI Quick Configuration

To quickly configure an L2TP LNS, copy the following commands, paste them in a text file, remove any line breaks, and then copy and paste the commands into the CLI.

content_copy zoom_out_map
[edit]
edit access group-profile ce-l2tp-group-profile
set ppp idle-timeout 200
set ppp ppp-options pap
set ppp ppp-options chap
set ppp keepalive 30
top
edit access profile ce-l2tp-profile
set client lac1 l2tp maximum-sessions-per-tunnel 1000
set client lac1 l2tp interface-id l2tp-encapsulation-1
set client lac1 l2tp lcp-renegotiation
set client lac1 l2tp shared-secret "lac1-$ABC123"
set client lac1 user-group-profile ce-l2tp-group-profile
set client lac2 l2tp maximum-sessions-per-tunnel 4000
set client lac2 l2tp interface-id l2tp-encap-2
set client lac2 l2tp lcp-renegotiation
set client lac2 l2tp shared-secret "lac2-$ABC123"
set client lac2 user-group-profile ce-l2tp-group-profile
top
edit access profile aaa-profile
set authentication-order radius
set radius authentication-server 198.51.100.193
set radius-server 198.51.100.193 secret "$ABC123”
top
edit access address-assignment pool client-pool1 family inet
set network 192.168.1.1/16
set range lns-v4-pool-range low 192.168.1.1
set range lns-v4-pool-range high 192.168.255.255
top
edit access address-assignment pool client-ipv6-pool2 family inet6
set prefix 2001:DB8::/32
set range lns-v6-pool-range low 2001:DB8:1::/48
set range lns-v6-pool-range high 2001:DB8:ffff::/48
top
set interfaces ge-5/0/1 unit 11 vlan-id 11
set interfaces ge-5/0/1 unit 11 family inet address 203.0.113.2/24
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
top
set chassis fpc 5 pic 0 inline-services bandwidth 10g
set chassis fpc 5 pic 2 inline-services bandwidth 10g
top
edit interfaces si-5/0/0
set hierarchical-scheduler maximum-hierarchy-levels 2
set encapsulation generic-services
set unit 0 family inet
top
edit interfaces si-5/2/0
set hierarchical-scheduler maximum-hierarchy-levels 2
set encapsulation generic-services
set unit 0 family inet
top
set services service-device-pools pool lns_p1 interface si-5/0/0
set services service-device-pools pool lns_p1 interface si-5/2/0
top
edit dynamic-profiles dyn-lns-profile2 routing-instances $junos-routing-instance
set interface $junos-interface-name
edit routing-options access route $junos-framed-route-ip-address-prefix
set next-hop $junos-framed-route-nexthop
set metric $junos-framed-route-cost
set preference $junos-framed-route-distance
up 2
edit access-internal route $junos-subscriber-ip-address
set qualified-next-hop $junos-interface-name
up 5
edit interfaces $junos-interface-ifd-name unit $junos-interface-unit
set dial-options l2tp-interface-id l2tp-encapsulation
set dial-options dedicated
set family inet filter input $junos-input-filter
set family inet filter output $junos-output-filter
set family inet unnumbered-address $junos-loopback-interface
set family inet6 address $junos-ipv6-address
set family inet6 filter input $junos-input-ipv6-filter
set family inet6 filter output $junos-output-ipv6-filter
up 3
edit protocols router-advertisement
set interface $junos-interface-name prefix $junos-ipv6-ndra-prefix
top
[edit class-of-service]
edit rewrite-rules dscp rewriteDSCP forwarding-class expedited-forwarding
set loss-priority high code-point af11
set loss-priority high code-point af12
top
edit dynamic-profiles dyn-lns-profile2 class-of-service traffic-control-profiles tc-profile
set scheduler-map $junos-cos-scheduler-map
set shaping-rate $junos-cos-shaping-rate
set overhead-accounting $junos-cos-shaping-mode
set overhead-accounting bytes $junos-cos-byte-adjust
up
edit interfaces $junos-interface-ifd-name unit $junos-interface-unit
set forwarding-class expedited-forwarding
set output-traffic-control-profile tc-profile
set rewrite-rules dscp rewriteDSCP
edit interfaces si-5/0/0
set output-control-profile-remaining tc-profile
top
set services l2tp tunnel-group tg-dynamic l2tp-access-profile ce-l2tp-profile
set services l2tp tunnel-group tg-dynamic aaa-access-profile aaa-profile
set services l2tp tunnel-group tg-dynamic local-gateway address 203.0.113.2
set services l2tp tunnel-group tg-dynamic local-gateway gateway-name ce-lns
set services l2tp tunnel-group tg-dynamic service-device-pool lns_p1
set services l2tp tunnel-group tg-dynamic dynamic-profile dyn-lns-profile2

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure an L2TP LNS with inline service interfaces:

Configure a user group profile that defines the PPP configuration for tunnel subscribers.

content_copy zoom_out_map
[edit access]
user@host# edit group-profile ce-l2tp-group-profile
[edit access group-profile ce-l2tp-group-profile]
user@host# set ppp keepalive 30
user@host# set ppp idle-timeout 200
user@host# set ppp ppp-options chap
user@host# set ppp ppp-options pap

Configure an L2TP access profile that defines the L2TP parameters for each client LAC. This includes associating a user group profile with the client and specifying the identifier for the inline services logical interface that represents an L2TP session on the LNS.

content_copy zoom_out_map
[edit access profile ce-l2tp-profile client lac1]
user@host# set l2tp interface-id l2tp-encapsulation
user@host# set l2tp maximum-sessions-per-tunnel 1000
user@host# set l2tp shared-secret "lac1-$ABC123"
user@host# set l2tp lcp-renegotiation
user@host# set user-group-profile ce-l2tp-group-profile
[edit access profile ce-l2tp-profile client lac2]
user@host# set l2tp interface-id interface-id
user@host# set l2tp maximum-sessions-per-tunnel 4000
user@host# set l2tp shared-secret "lac2-$ABC123"
user@host# set l2tp lcp-renegotiation
user@host# set user-group-profile ce-l2tp-group-profile

Note:

If user-group-profile is modified or deleted, the existing LNS subscribers, which were using this Layer 2 Tunneling Protocol client configuration, go down.

Configure a AAA access profile to override the global access profile for the order of AAA authentication methods and server attributes.

content_copy zoom_out_map
[edit access profile aaa-profile]
user@host# set authentication-order radius
user@host# set radius authentication-server 198.51.100.193
user@host# set radius-server 198.51.100.193 secret "$ABC123”

Configure IPv4 and IPv6 address-assignment pools to allocate addresses for the clients (LACs).

content_copy zoom_out_map
[edit access address-assignment pool client-pool1 family inet]
user@host# set network 192.168.1.1/16
user@host# set range lns-v4-pool-range low 192.168.1.1 high 192.168.255.255
[edit access address-assignment pool client-ipv6-pool2 family inet6]
user@host# set prefix 2001:DB8::/32
user@host# set range lns-v6-pool-range low 2001:DB8:1::/48
user@host# set range lns-v6-pool-range high 2001:DB8:ffff::/48

Configure the peer interface to terminate the tunnel and the PPP server-side IPCP address (loopback address).

content_copy zoom_out_map
[edit interfaces ge-5/0/1
user@host# set vlan-tagging
user@host# set unit 11
[edit interfaces ge-5/0/1.11
user@host# set vlan-id 11
user@host# set family inet address 10.1.1.2/24
[edit interfaces lo0]
user@host# set unit 0 family inet address 127.0.0.1/32

Enable inline service interfaces on an MPC.

content_copy zoom_out_map
[edit chassis fpc 5]
user@host# set pic 0 inline-services bandwidth 10g
user@host# set pic 2 inline-services bandwidth 10g

Configure the anchor service interfaces with services encapsulation, hierarchical scheduling, and the address family.

content_copy zoom_out_map
[edit interfaces si-5/0/0]
user@host# set hierarchical-scheduler maximum hierarchy-levels 2
user@host# set encapsulation generic-services
user@host# set unit 0 family inet
[edit interfaces si-5/2/0]
user@host# set hierarchical-scheduler maximum hierarchy-levels 2
user@host# set encapsulation generic-services
user@host# set unit 0 family inet

Configure a pool of service interfaces for dynamic LNS sessions.

content_copy zoom_out_map
[edit services service-device-pools pool lns_p1]
user@host# set interface si-5/0/0
user@host# set interface si-5/2/0

Configure a dynamic profile that dynamically creates L2TP logical interfaces for dual-stack subscribers.

content_copy zoom_out_map
[edit dynamic-profiles dyn-lns-profile2]
user@host# edit routing-instances $junos-routing-instance
user@host# set interface $junos-interface-name
[edit dynamic-profiles dyn-lns-profile2 routing-instances “$junos-routing-instance”]
user@host# edit routing-options access route $junos-framed-route-ip-address-prefix
[edit dynamic-profiles dyn-lns-profile2 routing-instances “$junos-routing-instance” routing-options access route “$junos-framed-route-ip-address-prefix”]
user@host# set next-hop $junos-framed-route-nexthop
user@host# set metric $junos-framed-route-cost
user@host# set preference $junos-framed-route-distance
[edit dynamic-profiles dyn-lns-profile2 routing-instances “$junos-routing-instance” routing-options access-internal]
user@host# set route $junos-subscriber-ip-address qualified-next-hop $junos-interface-name
[edit dynamic-profiles dyn-lns-profile2 interfaces “$junos-interface-ifd-name” unit “$junos-interface-unit”]
user@host# set dial-options l2tp-interface-id l2tp-encapsulation
user@host# set dial-options dedicated
user@host# set family inet unnumbered-address $junos-loopback-interface
user@host# set family inet filter input $junos-input-filter
user@host# set family inet filter output $junos-output-filter
user@host# set family inet6 address $junos-ipv6-address
set family inet6 filter input $junos-input-ipv6-filter
set family inet6 filter output $junos-output-ipv6-filter
[edit dynamic-profiles dyn-lns-profile2 protocols router-advertisement]
user@host# set interface $junos-interface-name prefix $junos-ipv6-ndra-prefix

Configure shaping, scheduling, and rewrite rules, and apply in the dynamic profile to tunnel traffic.

content_copy zoom_out_map
[edit class-of-service]
user@host# edit rewrite-rules dscp rewriteDSCP forwarding-class expedited-forwarding
user@host# set loss-priority high code-point af11
user@host# set loss-priority high code-point af12
[edit dynamic-profiles dyn-lns-profile2 class-of-service traffic-control-profiles tc-profile]
user@host# set scheduler-map $junos-cos-scheduler-map
user@host# set shaping-rate $junos-cos-shaping-rate
user@host# set overhead-accounting $junos-cos-shaping-mode
user@host# set overhead-accounting bytes $junos-cos-byte-adjust
[edit dynamic-profiles dyn-lns-profile2 class-of-service interfaces “$junos-interface-ifd-name” unit "$junos-interface-unit"]
user@host# set forwarding-class expedited-forwarding
user@host# set output-traffic-control-profile tc-profile
user@host# set rewrite-rules dscp rewriteDSCP
[edit class-of-service interfaces si-5/0/0]
user@host# set output-traffic-control-profile-remaining tc-profile

Configure the L2TP tunnel group to bring up dynamic LNS sessions using the pool of inline service interfaces to enable load-balancing.

content_copy zoom_out_map
[edit services l2tp tunnel-group tg-dynamic]
user@host# set l2tp-access-profile ce-l2tp-profile
user@host# set local-gateway address 10.1.1.2
user@host# set local-gateway gateway-name ce-lns
user@host# set aaa-access-profile aaa-profile
user@host# set dynamic-profile dyn-lns-profile2
user@host# set service-device-pool lns_p1

Results

From configuration mode, confirm the access profile, group profile, AAA profile, and address-assignment pools configuration by entering the show access command. Confirm the inline services configuration by entering the show chassis command. Confirm the interface configuration by entering the show interfaces command. Confirm the dynamic profile configuration by entering the show dynamic-profiles command. Confirm the tunnel group configuration by entering the show services l2tp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

content_copy zoom_out_map
[edit]
user@host# show access
group-profile ce-l2tp-group-profile {
    ppp {
        idle-timeout 200;
        ppp-options {
            pap;
            chap;
        }
        keepalive 30;
    }
}
profile ce-l2tp-profile {
    client lac1 {
        l2tp {
            maximum-sessions-per-tunnel 1000;
            interface-id l2tp-encapsulation-1;
            lcp-renegotiation;
            shared-secret "lac1-$ABC123"; ## SECRET-DATA
        }
        user-group-profile ce-l2tp-group-profile;
    }
    client lac2 {
        l2tp {
            maximum-sessions-per-tunnel 4000;
            interface-id l2tp-encap-2;
            lcp-renegotiation;
            shared-secret "lac2-$ABC123"; ## SECRET-DATA
        }
        user-group-profile ce-l2tp-group-profile;
    }
}
profile aaa-profile {
    authentication-order radius;
    radius-server {
        198.51.100.193 secret "$ABC123"; ## SECRET-DATA
    }
}
address-assignment {
    pool client-pool1 {
        family inet {
            network 192.168.1.1/16;
            range lns-v4-pool-range {
                low 192.168.1.1;
                high 192.168.255.255;
            }
        }
    }
    pool client-ipv6-pool2 {
        family inet6 {
            prefix 2001:DB8::/32;
            range lns-v6-pool-range {
                low 2001:DB8:1::/48;
                high 2001:DB8:ffff::/48;
            }
        }
    }
}


[edit]
user@host# show chassis
fpc 5 {
    pic 0 {
        inline-services {
            bandwidth 10g;
        }
    }
    pic 2 {
        inline-services {
            bandwidth 10g;
        }
    }
}


[edit]
user@host# show interfaces
ge-5/0/1 {
    vlan-tagging;;
    unit 11 {
        vlan-id 11;
        family inet {
            address 203.0.113.2/24;
        }
    }
}
si-5/0/0 {
    hierarchical-scheduler maximum-hierarchy-levels 2;
    encapsulation generic-services;
    unit 0 {
        family inet;
    }
}
si-5/2/0 {
    hierarchical-scheduler maximum-hierarchy-levels 2;
    encapsulation generic-services;
    unit 0 {
        family inet;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 127.0.0.1/32;
        }
    }
}


[edit]
user@host# show dynamic-profiles
dyn-lns-profile2 {
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
            routing-options {
                access {
                    route $junos-framed-route-ip-address-prefix {
                        next-hop "$junos-framed-route-nexthop";
                        metric "$junos-framed-route-cost";
                        preference "$junos-framed-route-distance";
                    }
                }
                access-internal {
                    route $junos-subscriber-ip-address {
                        qualified-next-hop "$junos-interface-name";
                    }
                }
            }
        }
    }
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                dial-options {
                    l2tp-interface-id l2tp-encapsulation;
                    dedicated;
                }
                family inet {
                    filter {
                        input "$junos-input-filter";
                        output "$junos-output-filter";
                    }
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    address $junos-ipv6-address;
                    input $junos-input-ipv6-filter;
                    output $junos-output-ipv6-filter;
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface "$junos-interface-name" {
                prefix $junos-ipv6-ndra-prefix;
            }
        }
    }
    class-of-service {
        rewrite-rules {
            dscp rewriteDSCP {
                forwarding-class expedited-forwarding {
                    loss-priority high code-point af11
                    loss-priority high code-point af12
                }
            }
        }
        traffic-control-profiles {
            tc-profile {
                scheduler-map "$junos-cos-scheduler-map";
                shaping-rate "$junos-cos-shaping-rate";
                overhead-accounting "$junos-cos-shaping-mode" bytes "$junos-cos-byte-adjust";
            }
        }
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    forwarding-class expedited-forwarding;
                    output-traffic-control-profile tc-profile;
                    rewrite-rules {
                        dscp rewriteDSCP;
                    }
                }
            }
        }
    }
}


[edit]
user@host# show services l2tp
tunnel-group tg-dynamic {
    l2tp-access-profile ce-l2tp-profile;
    aaa-access-profile aaa-profile;
    local-gateway {
        address 203.0.113.2;
        gateway-name ce-lns;
    }
    service-device-pool lns_p1;
    dynamic-profile dyn-lns-profile2;
}

When you are done configuring the device, enter commit from configuration mode.

Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

The L2TP tunnel group specifies attributes that apply to L2TP tunnels and sessions from a group of LAC clients. These attributes include the access profile used to validate L2TP connection requests made to the LNS on the local gateway address, a local access profile that overrides the global access profile, the keepalive timer, and whether the IP ToS value is reflected.

Note:

If you delete a tunnel group, all L2TP sessions in that tunnel group are terminated. If you change the value of the local-gateway-address, service-device-pool, or service-interface statements, all L2TP sessions using those settings are terminated. If you change or delete other statements at the [edit services l2tp tunnel-group name] hierarchy level, new tunnels you establish use the updated values but existing tunnels and sessions are not affected.

To configure the LNS tunnel group:

Create the tunnel group.
```
[edit services l2tp]
user@host# edit tunnel-group group-name
```
Note:
You can create up to 256 tunnel groups.
Specify the service anchor interface responsible for L2TP processing on the LNS.
```
[edit services l2tp tunnel-group name]
user@host# set service-interface interface-name
```
This service anchor interface is required for static LNS sessions, and for dynamic LNS sessions that do not balance traffic across a pool of anchor interfaces. The interface is configured at the [edit interfaces] hierarchy level.
(Optional; for load-balancing dynamic LNS sessions only) Specify a pool of inline service anchor interfaces to enable load-balancing of L2TP traffic across the interfaces.
```
[edit services l2tp tunnel-group group-name]
user@host# set service-device-pool pool-name
```
The pool is defined at the [edit services service-device-pools] hierarchy level.
(For dynamic LNS sessions only) Specify the name of the dynamic profile that defines and instantiates inline service interfaces for L2TP tunnels
```
[edit services l2tp tunnel-group group-name]
user@host# set dynamic-profile profile-name
```
The profile is defined at the [edit dynamic-profiles] hierarchy level.
Specify the access profile that validates all L2TP connection requests to the local gateway address.
```
[edit services l2tp tunnel-group group-name]
user@host# set l2tp-access-profile profile-name
```
Configure the local gateway address on the LNS; corresponds to the IP address that is used by LACs to identify the LNS.
```
[edit services l2tp tunnel-group group-name]
user@host# set local-gateway address address
```
(Optional) Configure the local gateway name on the LNS, returned in the SCCRP message to the LAC. The name must match the remote gateway name configured on the LAC, or the tunnel cannot be created.
```
[edit services l2tp tunnel-group group-name]
user@host# set local-gateway gateway-name gateway-name
```
(Optional) Configure the interval at which the LNS sends hello messages if it has received no messages from the LAC.
```
[edit services l2tp tunnel-group group-name]
user@host# set hello-interval seconds
```
(Optional) Specify a local access profile that overrides the global access profile to configure RADIUS server settings for the tunnel group.
```
[edit services l2tp tunnel-group group-name]
user@host# set aaa-access-profile profile-name
```
This local profile is configured at the [edit access profile] hierarchy level.
(Optional) Configure the LNS to reflect the IP ToS value from the inner IP header to the outer IP header (applies to CoS configurations).
```
[edit services l2tp tunnel-group group-name]
user@host# set tos-reflect
```
(Optional) Specify a dynamic service profile to be applied to the L2TP session at login, along with any parameters to pass to the service.
```
[edit services l2tp tunnel-group group-name]
user@host# set service-profile profile-name(parameter)&profile-name
```

Applying Services to an L2TP Session Without Using RADIUS

Services are applied to L2TP sessions for activation or later modified by vendor-specific attributes (VSAs) from the RADIUS server or in RADIUS Change of Authorization (CoA) requests. Starting in Junos OS Release 18.1R1, you can apply services to L2TP sessions by means of dynamic service profiles without involving RADIUS. In multivendor environments, customers might use only standard RADIUS attributes to simplify management by avoiding the use of VSAs from multiple vendors. However, this complicates the application of services to L2TP sessions because VSAs are generally required to apply services. Local dynamic service profile activation enables you to avoid that problem. You can also use local service profile activation to provide default services when RADIUS servers are down.

You can apply services to all subscribers in a tunnel group or to all subscribers using a particular LAC. You can configure a maximum of 12 services per tunnel group or LAC hostname.

After configuring one or more dynamic service profiles that define services, you apply them in the tunnel group or in the access profile configuration for a LAC client by specifying the service profile names. You can list more than one profile to be activated, separated by an ampersand (&). You can also specify parameters to be used by the service profile that might override values configured in the profile itself, such as a downstream shaping rate for a CoS service.

The locally configured list of services (via service profiles) serves as local authorization that is applied by authd during client session activation. This list of services is subject to the same validation and processing as services originating from external authority, such as RADIUS. These services are presented during subscriber login.

You can still use RADIUS VSAs or CoA requests in concert with the service profiles. If services are sourced from an external authority as authorization during authentication or during subscriber session provisioning (activation), the services from the external authority take strict priority over those in the local configuration. If a service applied with RADIUS is the same as a service applied with a service profile in the CLI, but with different parameters, the RADIUS service is applied with a new session ID and takes precedence over the earlier service profile.

You can issue commands to deactivate or reactivate any service you have previously activated for a tunnel group or LAC.

Define the dynamic service profiles that you want to later apply to a tunnel group or LAC.

To apply service profiles to all subscribers in a tunnel group:

Specify one or more service profiles and any parameters to be passed to the services.

[edit services l2tp tunnel-group group-name]
user@host# set service-profile profile-name(parameter)&profile-name

To apply service profiles to all subscribers for a particular LAC:

Specify one or more service profiles and any parameters to be passed to the services.
```
[edit access profile profile-name client client-name l2tp]
user@host# set service-profile profile-name(parameter)&profile-name
```
Note:
When service profiles are configured for a LAC client and for a tunnel group that uses that client, only the LAC client service profile is applied. It overrides the tunnel group configuration. For example, in the following configuration, the tunnel group, tg-LAC-3, uses the LAC client, LAC-3, so the LAC3 configuration overrides the tunnel group configuration. Consequently only the cos-A3 service is activated for subscribers in the tunnel group, rather than Cos2 and fw1. The shaping rate passed for the service is 24 Mbps.
[edit] user@host# set services l2tp tunnel-group tg-LAC-3 service-profile cos2(31000000)&fw1 user@host# set access profile prof-lac client LAC-3 l2tp service-profile cos-A3(24000000)

You can deactivate any service applied to a subscriber session by issuing the following command:

content_copy zoom_out_map
user@host> request network-access aaa subscriber delete session-id  subscriber-session-id service-profile profile-name

You can reactivate any service applied to a subscriber session by issuing the following command:

content_copy zoom_out_map
user@host> request network-access aaa subscriber add session-id subscriber-session-id service-profile profile-name

To display the services sessions for all current subscriber sessions, use the show subscribers extensive or show network-access aaa subscribers session-id id-number detail command.

To understand how local service application works, the following examples illustrate the various configuration possibilities. First, consider the following dynamic service profile configurations, cos2 and fw1:

content_copy zoom_out_map
dynamic-profiles {
    cos2 {
        variables {
            shaping-rate default-value 10m;
            shaping-rate-in default-value 10m;
            data-in-filter uid;
            data-in-policer uid;
        }
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    family inet;
                }
            }
        }
        class-of-service {
            traffic-control-profiles {
                TrafficShaper {
                    scheduler-map a;
                    shaping-rate "$shaping-rate";
                }
            }
            interfaces {
                "$junos-interface-ifd-name" {
                    unit "$junos-interface-unit" {
                        output-traffic-control-profile TrafficShaper;
                    }
                }
            }
        }
    }
|

content_copy zoom_out_map
dynamic-profiles {
    fw1 {
        variables {
            v6input default-value v6ingress;
            v6output default-value v6egress;
            input default-value upstrm-filter;
            output default-value dwnstrm-filter;
        }
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    family inet;
                }
            }
        }
    }
}

The following statement applies both services to all subscribers in tunnel group tg1; a parameter value of 31 Mbps is passed to the cos2 service:

content_copy zoom_out_map
[edit]
user@host# set services l2tp tunnel-group tg1 service-profile cos2(31000000)&fw1

In the cos2 service profile, the shaping rate is provided by a user-defined variable with a default value of 10m, or 1Mbps. After the L2TP session is up, cos2 and fw1 are activated with service session IDs of 34 and 35, respectively.

content_copy zoom_out_map
user@host1> show subscribers extensive
...

 Service Session ID: 34
   Service Session Name: cos2
   State: Active
   Family: inet
   Service Activation time: 2018-02-15 15:44:16 IST
   
   Service Session ID: 35
   Service Session Name: fw1   
   State: Active
   Family: inet
   Service Activation time: 2018-02-15 15:44:16 IST
   Dynamic configuration: 
     input: upstrm-filter
     output: dwnstrm-filter
     v6input: v6ingress
     v6output: v6egress

The parameter passed to cos2 is used as the value for $shaping-rate; consequently the shaping rate for the service is adjusted from the default value of 10 Mbps to 31 Mbps, as shown in the following command output. Although the output indicates the adjusting application is RADIUS CoA, the adjustment is a consequence of the parameter passed to the service profile. That operation uses the same internal framework as a CoA and is reported as such.

content_copy zoom_out_map
user@host1> show class-of-service interface si-1/0/0.3221225492
  Logical interface: si-1/0/0.3221225492, Index: 3221225492
Object                  Name                   Type                    Index
Traffic-control-profile subscriber-tcp-2       Output                  23571
Scheduler-map           a                      Output              4294967354
Classifier              dscp-ipv6-compatibility dscp-ipv6                  9
Classifier              ipprec-compatibility   ip                         13

    Adjusting application: RADIUS CoA
      Adjustment type: absolute
      configured-shaping-rate: 31000000  
      adjustment-value: 31000000
      Adjustment overhead-accounting mode: frame mode
      Adjustment overhead bytes: 0
      Adjustment target: node
      Adjustment priority: 1

Now the cos2 service is deactivated from the CLI for subscriber session 27.

content_copy zoom_out_map
user@host1> request network-access aaa subscriber delete service-profile cos2 session-id 27
Successful completion

The following output shows cos2 is gone, leaving only fw1 as an active service.

content_copy zoom_out_map
user@host1> show subscribers extensive
Type: L2TP
User Name: user@example.com
IP Address: 192.0.2.103
IP Netmask: 255.255.255.255
Logical System: default
Routing Instance: default
Interface: si-1/0/0.3221225492
Interface type: Dynamic
Underlying Interface: si-1/0/0.3221225492
Dynamic Profile Name: dyn-lns-profile
State: Active
Radius Accounting ID: 27
Session ID: 27
PFE Flow ID: 42
Login Time: 2017-08-30 07:29:39 IST
Service Sessions: 1
IP Address Pool: ipv4_pool
Accounting interval: 600
Frame/cell mode: Frame
Overhead accounting bytes: -38
Calculated downstream data rate: 1000000 kbps
Adjusted downstream data rate: 1000000 kbps

   Service Session ID: 35
   Service Session Name: fw1
   State: Active
   Family: inet
   Service Activation time: 2018-02-15 15:44:16 IST
   Dynamic configuration: 
     input: upstrm-filter
     output: dwnstrm-filter
     v6input: v6ingress
     v6output: v6egress

The following command reactivates cos2 for subscriber session 27.

content_copy zoom_out_map
user@host1> request network-access aaa subscriber add service-profile cos2 session-id 27
Successful completion

The reactivated cos2 service has a new service session ID of 36.

content_copy zoom_out_map
user@host1> show subscribers extensive
...
   Service Session ID: 35
   Service Session Name: fw1
   State: Active
   Family: inet
   Service Activation time: 2018-02-15 15:44:16 IST
   Dynamic configuration: 
     input: upstrm-filter
     output: dwnstrm-filter
     v6input: v6ingress
     v6output: v6egress

 Service Session ID: 36
   Service Session Name: cos2
   State: Active
   Family: inet
   Service Activation time: 2018-02-15 15:58:23 IST

The reactivated cos2 service uses the default shaping rate, 10 Mbps, from the service profile.

content_copy zoom_out_map
user@host1> show class-of-service interface si-1/0/0.3221225492
  Logical interface: si-1/0/0.3221225492, Index: 3221225492
Object                  Name                   Type                    Index
Traffic-control-profile subscriber-tcp-2       Output                  23571
Scheduler-map           a                      Output              4294967354
Classifier              dscp-ipv6-compatibility dscp-ipv6                  9
Classifier              ipprec-compatibility   ip                         13

    Adjusting application: RADIUS CoA
      Adjustment type: absolute
      configured-shaping-rate: 10000000  
      adjustment-value: 10000000
      Adjustment overhead-accounting mode: frame mode
      Adjustment overhead bytes: 0
      Adjustment target: node
      Adjustment priority: 1

Next, a RADIUS CoA request is received, which includes the Activate-Service VSA (26-65). The VSA specifies and activates the service and specifies a change in the shaping rate of cos2 from the default 10 Mbps to 12 Mbps. The cos2 service session 36 still appears in the output, but is superseded by the new service session initiated by the CoA, 49.

content_copy zoom_out_map
user@host1> show subscribers extensive
...
   Service Session ID: 35
   Service Session Name: fw1
   State: Active
   Family: inet
   Service Activation time: 2018-02-15 15:44:16 IST
   Dynamic configuration: 
     input: upstrm-filter
     output: dwnstrm-filter
     v6input: v6ingress
     v6output: v6egress

 Service Session ID: 36
   Service Session Name: cos2
   State: Active
   Family: inet
   Service Activation time: 2018-02-15 15:58:23 IST

 Service Session ID: 49
   Service Session Name: cos2
   State: Active
   Family: inet
   Service Activation time: 2018-02-15 16:25:04 IST
   Dynamic configuration: 
     shaping-rate: 12000000
     shaping-rate-in: 10m

content_copy zoom_out_map
user@host1> show class-of-service interface si-1/0/0.3221225492
  Logical interface: si-1/0/0.3221225492, Index: 3221225492
Object                  Name                   Type                    Index
Traffic-control-profile subscriber-tcp-2       Output                  23571
Scheduler-map           a                      Output              4294967354
Classifier              dscp-ipv6-compatibility dscp-ipv6                  9
Classifier              ipprec-compatibility   ip                         13

    Adjusting application: RADIUS CoA
      Adjustment type: absolute
      configured-shaping-rate: 12000000  
      adjustment-value: 12000000
      Adjustment overhead-accounting mode: frame mode
      Adjustment overhead bytes: 0
      Adjustment target: node
      Adjustment priority: 1

When a service is applied by both the CLI configuration and a RADIUS VSA (26-65), but with different parameters, the RADIUS configuration overrides the CLI configuration. In the following example, the CLI configuration applies the cos2 service profile with a value of 31 Mbps for the shaping rate.

content_copy zoom_out_map
[edit]
user@host# set services l2tp tunnel-group tg1 service-profile cos2(31000000)

The RADIUS Access-Accept message service activation VSA (26-65) applies cos2 with a value of 21 Mbps for the shaping rate.

content_copy zoom_out_map
l2tp@l2tp.com   User-Password := "bras"
        Auth-Type = Local,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        ERX-Service-Activate:1 += 'cos2(21000000)',

The CLI configuration activates service session 22 with a shaping rate of 31 Mbps. The RADIUS VSA activates service session 23 with a shaping rate of 21 Mbps.

content_copy zoom_out_map
user@host1> show subscribers extensive
...
   Service Session ID: 22
   Service Session Name: cos2
   State: Active
   Family: inet
   Service Activation time: 2018-02-16 08:22:03 IST
   Dynamic configuration: 
     shaping-rate: 31000000
     shaping-rate-in: 10m

   Service Session ID: 23
   Service Session Name: cos2
   State: Active
   Family: inet
   Service Activation time: 2018-02-16 08:22:03 IST
   Dynamic configuration: 
     shaping-rate: 21000000
     shaping-rate-in: 10m

content_copy zoom_out_map
user@host1> show class-of-service interface si-1/0/0.3221225492
  Logical interface: si-1/0/0.3221225492, Index: 3221225492
Object                  Name                   Type                    Index
Traffic-control-profile subscriber-tcp-2       Output                  23571
Scheduler-map           a                      Output              4294967354
Classifier              dscp-ipv6-compatibility dscp-ipv6                  9
Classifier              ipprec-compatibility   ip                         13

    Adjusting application: RADIUS CoA
      Adjustment type: absolute
      configured-shaping-rate: 21000000  
      adjustment-value: 21000000
      Adjustment overhead-accounting mode: frame mode
      Adjustment overhead bytes: 0
      Adjustment target: node
      Adjustment priority: 1

Configuring a Pool of Inline Services Interfaces for Dynamic LNS Sessions

You can create a pool of inline service interfaces, also known as a service device pool, to enable load-balancing of L2TP traffic across the interfaces. The pool is supported for dynamic LNS configurations, where it provides a set of logical interfaces that can be dynamically created and allocated to L2TP sessions on the LNS. The pool is assigned to an LNS tunnel group. L2TP maintains the state of each inline service interface and uses a round-robin method to evenly distribute the load among available interfaces when new session requests are accepted.

Note:

Load balancing is available only for dynamically created subscriber interfaces.

LNS sessions anchored on an MPC are not affected by a MIC failure as long as some other path to the peer LACs exists. If the MPC hosting the peer interface fails and there is no path to peer LACs, the failure initiates termination and clean-up of all the sessions on the MPC.

If the MPC anchoring the LNS sessions itself fails, the Routing Engine does not relocate sessions to another slot and all sessions are terminated immediately. New sessions can come up on another available interface when the client retries.

To configure the service device pool:

Create the pool.

content_copy zoom_out_map
[edit services service-device-pools]
user@host# edit pool pool-name

Specify the inline service interfaces that make up the pool.

content_copy zoom_out_map
[edit services service-device-pools pool pool-name]
user@host# set interface service-interface-name
user@host# set interface service-interface-name

Configuring a Dynamic Profile for Dynamic LNS Sessions

You can configure L2TP to dynamically assign inline service interfaces for L2TP tunnels. You must define one or more dynamic profiles and assign a profile to each tunnel group. The LNS supports IPv4-only, IPv6-only, and dual-stack IPv4/IPv6 sessions.

To configure the L2TP dynamic profile:

Create the dynamic profile.

content_copy zoom_out_map
[edit]
user@host# edit dynamic-profiles profile-name

Configure the interface to be dynamically assigned to the routing instance used by the tunneled PPP clients.

content_copy zoom_out_map
[edit dynamic-profiles profile-name routing-instances “$junos-routing-instance”]
user@host# set interface $junos-interface-name

Configure the routing options for access routes in the routing instance.

content_copy zoom_out_map
[edit dynamic-profiles profile-name routing-instances “$junos-routing-instance” routing-options access]
user@host# set route next-hop $junos-framed-route-nexthop
user@host# set route metric $junos-framed-route-cost
user@host# set route preference $junos-framed-route-distance

Configure the routing options for access-internal routes in the routing instance.

content_copy zoom_out_map
[edit dynamic-profiles profile-name routing-instances “$junos-routing-instance” routing-options access-internal]
user@host# set route $junos-subscriber-ip-address 

Define the interfaces used by the dynamic profile. The variable is dynamically replaced by one of the configured inline service interfaces.
```
[edit dynamic-profiles profile-name]
user@host# set interfaces $junos-interface-ifd-name
```

Configure the inline services logical interfaces to be dynamically instantiated.

content_copy zoom_out_map
[edit dynamic-profiles profile-name interfaces “$junos-interface-ifd-name”]
user@host# set unit $junos-interface-unit

Specify an identifier for the logical interfaces.

content_copy zoom_out_map
[edit dynamic-profiles profile-name interfaces “$junos-interface-ifd-name” unit “$junos-interface-unit]
user@host# set dial-options l2tp-interface-id name

Configure each logical interface to be used for only one session at a time.

content_copy zoom_out_map
[edit dynamic-profiles profile-name interfaces “$junos-interface-ifd-name” unit “$junos-interface-unit]
user@host# set dial-options dedicated

Configure the address family for the logical interfaces and enable the local address on the LNS that provides local termination for the L2TP tunnel to be derived from the specified interface name.
Note:
Dynamic LNS sessions require you to include the dial-options statement in the dynamic profile, which in turn requires you to include the family inet statement. This has the following consequences:

You must always configure family inet regardless of whether you configure IPv4-only, IPv6-only, or dual-stack interfaces in the profile.

When you configure IPv4-only interfaces, you configure only family inet and you must configure the interface address under family inet.

When you configure IPv6-only interfaces , you must also configure family inet6 and you must configure the interface address under family inet6. You do not configure the address under family inet.

When you configure dual-stack, IPv4/IPv6 interfaces, you configure both family inet and family inet6 and an interface address under each family.
For IPv4-only interfaces:
```
[edit dynamic-profiles profile-name interfaces “$junos-interface-ifd-name” unit “$junos-interface-unit]
user@host# set family inet unnumbered-address $junos-loopback-interface
```
For IPv6-only interfaces:
```
[edit dynamic-profiles profile-name interfaces “$junos-interface-ifd-name” unit “$junos-interface-unit]
user@host# set family inet
user@host# set family inet6 unnumbered-address $junos-loopback-interface 
```
For dual-stack IPv4/IPv6 interfaces:
```
[edit dynamic-profiles profile-name interfaces “$junos-interface-ifd-name” unit “$junos-interface-unit]
user@host# set family inet unnumbered-address $junos-loopback-interface
user@host# set family inet6 unnumbered-address $junos-loopback-interface 
```
Note:
If Router Advertisement Protocol is configured, then you configure a numbered address rather than an unnumbered address for the IPv6 local address:

user@host# set family inet6 address $junos-ipv6-address

See Broadband Subscriber Sessions User Guide for information about using variables for IPv6-only and dual-stack addressing in dynamic profiles.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release

Description

18.1R1

Starting in Junos OS Release 18.1R1, you can apply services to L2TP sessions by means of dynamic service profiles without involving RADIUS.

16.2R1

Starting in Junos OS Release 16.2, you are not required to explicitly specify a bandwidth for L2TP LNS tunnel traffic using inline services.

arrow_backward PREVIOUS L2TP Subscriber Access Lines and Connection Speeds

NEXT arrow_forward IP Packet Reassembly on Inline Service Interfaces

Broadband Subscriber Access Protocols User Guide

ON THIS PAGE

L2TP LNS Inline Service Interfaces

Configuring an L2TP LNS with Inline Service Interfaces

Applying PPP Attributes to L2TP LNS Subscribers per Inline Service Interface

Applying PPP Attributes to L2TP LNS Subscribers with a User Group Profile

Configuring an L2TP Access Profile on the LNS

Configuring a AAA Local Access Profile on the LNS

Configuring an Address-Assignment Pool for L2TP LNS with Inline Services

Configuring the L2TP LNS Peer Interface

Enabling Inline Service Interfaces

Configuring an Inline Service Interface for L2TP LNS

Configuring Options for the LNS Inline Services Logical Interface

LNS 1:1 Stateful Redundancy Overview

Configuring 1:1 LNS Stateful Redundancy on Aggregated Inline Service Interfaces

Verifying LNS Aggregated Inline Service Interface 1:1 Redundancy

Purpose

Action

L2TP Session Limits and Load Balancing for Service Interfaces

Session Limits on Service Interfaces

Session Load Balancing Across Service Interfaces

Example: Configuring an L2TP LNS

Requirements

Overview

Configuration

Procedure

CLI Quick Configuration

Step-by-Step Procedure

Results

Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

Applying Services to an L2TP Session Without Using RADIUS

Configuring a Pool of Inline Services Interfaces for Dynamic LNS Sessions

Configuring a Dynamic Profile for Dynamic LNS Sessions

Change History Table

Stay in touch

Helped me install or use the product
Accelerated my deployment

Discuss the product with a co-worker
Make a purchase inquiry

Broadband Subscriber Access Protocols User Guide

ON THIS PAGE

L2TP LNS Inline Service Interfaces

Configuring an L2TP LNS with Inline Service Interfaces

Applying PPP Attributes to L2TP LNS Subscribers per Inline Service Interface

Applying PPP Attributes to L2TP LNS Subscribers with a User Group Profile

Configuring an L2TP Access Profile on the LNS

Configuring a AAA Local Access Profile on the LNS

Configuring an Address-Assignment Pool for L2TP LNS with Inline Services

Configuring the L2TP LNS Peer Interface

Enabling Inline Service Interfaces

Configuring an Inline Service Interface for L2TP LNS

Configuring Options for the LNS Inline Services Logical Interface

LNS 1:1 Stateful Redundancy Overview

Configuring 1:1 LNS Stateful Redundancy on Aggregated Inline Service Interfaces

Verifying LNS Aggregated Inline Service Interface 1:1 Redundancy

Purpose

Action

L2TP Session Limits and Load Balancing for Service Interfaces

Session Limits on Service Interfaces

Session Load Balancing Across Service Interfaces

Example: Configuring an L2TP LNS

Requirements

Overview

Configuration

Procedure

CLI Quick Configuration

Step-by-Step Procedure

Results

Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

Applying Services to an L2TP Session Without Using RADIUS

Configuring a Pool of Inline Services Interfaces for Dynamic LNS Sessions

Configuring a Dynamic Profile for Dynamic LNS Sessions

Related Documentation

Change History Table

Stay in touch