ON THIS PAGE
Applying PPP Attributes to L2TP LNS Subscribers per Inline Service Interface
Applying PPP Attributes to L2TP LNS Subscribers with a User Group Profile
Configuring an Address-Assignment Pool for L2TP LNS with Inline Services
Configuring Options for the LNS Inline Services Logical Interface
Configuring 1:1 LNS Stateful Redundancy on Aggregated Inline Service Interfaces
Verifying LNS Aggregated Inline Service Interface 1:1 Redundancy
L2TP Session Limits and Load Balancing for Service Interfaces
Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces
Configuring a Pool of Inline Services Interfaces for Dynamic LNS Sessions
L2TP LNS Inline Service Interfaces
Configuring an L2TP LNS with Inline Service Interfaces
The L2TP LNS feature license must be installed before you begin the configuration. Otherwise, a warning message is displayed when the configuration is committed.
To configure an L2TP LNS with inline service interfaces:
You also need to configure CoS for LNS sessions. For more information, see Configuring Dynamic CoS for an L2TP LNS Inline Service.
Applying PPP Attributes to L2TP LNS Subscribers per Inline Service Interface
You can configure PPP attributes that are applied by the LNS on the inline service (si) interface to the PPP subscribers tunneled from the LAC. Because you are configuring the attributes per interface rather than with a user group profile, the attributes for subscribers can be varied with a finer granularity. This configuration matches that used for terminated PPPoE subscribers.
To configure the PPP attributes for dynamically created si interfaces:
To configure the PPP attributes for statically created si interfaces:
Specify the logical inline service interface.
[edit interfaces si-slot/pic/port] user@host# edit unit logical-unit-number
Configure the interval between PPP keepalive messages for the L2TP tunnel terminating on the LNS.
[edit interfaces si-slot/pic/port unit logical-unit-number] user@host# set keepalives interval seconds
Configure the number of keepalive packets a destination must fail to receive before the network takes down a link.
[edit interfaces si-slot/pic/port unit logical-unit-number] user@host# set keepalives down-count number
Note:The
keepalives up-countoption is typically not used for subscriber management.Configure PPP authentication methods that apply to tunneled PPP subscribers at the LNS.
[edit interfaces si-slot/pic/port unit logical-unit-number] user@host# set ppp-options chap user@host# set ppp-options pap
Configure the router to prompt the Customer Premises Equipment (CPE) to negotiate both primary and secondary DNS addresses during IPCP negotiation for tunneled PPP subscribers at the LNS.
[edit interfaces si-slot/pic/port unit logical-unit-number] user@host# set ppp-options ipcp-suggest-dns-option
Although all other statements subordinate to ppp-options—including those subordinate to chap and pap—are supported, they are typically not used
for subscriber management. We recommend that you leave these other
statements at their default values.
You can also configure PPP attributes with a user group profile that applies the attributes to all subscribers with that profile on a LAC client. See Applying PPP Attributes to L2TP LNS Subscribers with a User Group Profile for more information. When you configure the PPP attributes for L2TP LNS subscribers both on the si interface and in user group profiles, the inline service interface configuration takes precedence over the user group profile configuration.
When PPP options are configured in both a group profile and a dynamic profile, the dynamic profile configuration takes complete precedence over the group profile when the dynamic profile includes one or more of the PPP options that can be configured in the group profile. Complete precedence means that there is no merging of options between the profiles. The group profile is applied to the subscriber only when the dynamic profile does not include any PPP option available in the group profile.
Applying PPP Attributes to L2TP LNS Subscribers with a User Group Profile
You can configure a user group profile that enables the LNS to apply PPP attributes to the PPP subscribers tunneled from the LAC. The user group profile is associated with clients (LACs) in the L2TP access profile. Consequently all subscribers handled by a given client share the same PPP attributes.
To configure a user group profile:
You can also configure PPP attributes on a per-interface basis. See Applying PPP Attributes to L2TP LNS Subscribers per Inline Service Interface for more information. When you configure the PPP attributes for L2TP LNS subscribers both on the si interface and in user group profiles, the inline service interface configuration takes precedence over the user group profile configuration.
When PPP options are configured in both a group profile and a dynamic profile, the dynamic profile configuration takes complete precedence over the group profile when the dynamic profile includes one or more of the PPP options that can be configured in the group profile. Complete precedence means that there is no merging of options between the profiles. The group profile is applied to the subscriber only when the dynamic profile does not include any PPP option available in the group profile.
Configuring an L2TP Access Profile on the LNS
Access profiles define how to validate Layer 2 Tunneling Protocol (L2TP) connections and session requests. Within each L2TP access profile, you configure one or more clients (LACs). The client characteristics are used to authenticate LACs with matching passwords, and to establish attributes of the client tunnel and session. You can configure multiple access profiles and multiple clients within each profile.
To configure an L2TP access profile:
Configuring a AAA Local Access Profile on the LNS
For some LNS tunnels, you might wish to override the access
profile configured at the routing instance that hosts the tunnel with
a particular RADIUS server configuration. You can configure a local
access profile to do so. You can subsequently use the aaa-access-profile statement to apply the local access profile to a tunnel group or
LAC client.
A local access profile applied to a client overrides a local access profile applied to a tunnel group, which in turn overrides the access profile for the routing instance.
To configure an AAA local access profile:
Configuring an Address-Assignment Pool for L2TP LNS with Inline Services
You can configure pools of addresses that can be dynamically assigned to the tunneled PPP subscribers. The pools must be local to the routing instance where the subscriber comes up. The configured pools are supplied in the RADIUS Framed-Pool and Framed-IPv6-Pool attributes. Pools are optional when Framed-IP-Address is sent by RADIUS.
To configure an address-assignment pool, you must specify the name of the pool and configure the addresses for the pool.
You can optionally configure multiple named ranges, or subsets, of addresses within an address-assignment pool. During dynamic address assignment, a client can be assigned an address from a specific named range. To create a named range, you specify a name for the range and define the address range.
Be sure to use the address-assignment pools (address-assignment) statement rather than the address pools (address-pool) statement.
For more information about address assignment pools, see Address-Assignment Pools Overview and Address-Assignment Pool Configuration Overview.
To configure an IPv4 address-assignment pool for L2TP LNS:
For example, to configure an IPv4 address-assignment pool:
[edit access] user@host# edit address-assignment pool lns-v4-pool family inet [edit access address-assignment pool lns-v4-pool family inet] user@host# set network 192.168.1.1/16 [edit access address-assignment pool lns-v4-pool family inet] user@host# set range lns-v4-pool-range low 192.168.1.1 high 192.168.255.255
To configure an IPv6 address-assignment pool for L2TP LNS:
Configure the name of the pool and specify the IPv6 family.
[edit access] user@host# edit address-assignment pool pool-name family inet6
Configure the IPv6 network prefix for the address pool. The prefix specification is required when you configure an IPv6 address-assignment pool.
[edit access address-assignment pool pool-name family inet6] user@host# set prefix ipv6-prefix
Configure the name of the range and define the range. You can define the range based on the lower and upper boundaries of the prefixes in the range, or based on the length of the prefixes in the range.
[edit access address-assignment pool pool-name family inet6] user@host# set range range-name low lower-limit high upper-limit
For example, to configure an IPv6 address-assignment pool:
[edit access] user@host# edit address-assignment pool lns-v6-pool family inet6 [edit access address-assignment pool lns-v6-pool family inet6] user@host# set prefix 2001:DB8::/32 [edit access address-assignment pool lns-v6-pool family inet6] user@host# set range lns-v6-pool-range low 2001:DB8:1::/48 high 2001:DB8::ffff::/48
Configuring the L2TP LNS Peer Interface
The peer interface connects the LNS to the cloud towards the LACs so that IP packets can be exchanged between the tunnel endpoints. MPLS and aggregated Ethernet can also be used to reach the LACs.
On MX Series routers, you must configure the peer interface on an MPC.
To configure the LNS peer interface:
Enabling Inline Service Interfaces
The inline service interface is a virtual physical interface
that resides on the Packet Forwarding Engine. This si interface,
referred to as an anchor interface, makes it
possible to provide L2TP services without a special services PIC.
The inline service interface is supported only by MPCs on MX Series
routers. Four inline service interfaces are configurable per MPC-occupied
chassis slot.
On MX80 and MX104 routers, you can configure only four inline services physical interfaces as anchor interfaces for L2TP LNS sessions: si-1/0/0, si-1/1/0, si-1/2/0, and si-1/3/0. You cannot configure si-0/0/0 for this purpose on MX80 and MX104 routers.
Although the range of bandwidth values is 1 Gbps through 400 Gbps, you cannot configure the bandwidth in absolute numbers such as 12,345,878,000 bps. You must use the options available in the CLI statement:
1g10gthrough100gin 10 Gbps increments:10g,20g,30g,40g,50g,60g,70g,80g,90g,100g100gthrough400gin 100 Gbps increments:100g,200g,300g,400g
The maximum bandwidth available varies among MPCs, as shown in Table 1. A system log message is generated when you configure a bandwidth higher than is supported on the MPC.
MPC |
Maximum Supported Bandwidth |
|---|---|
|
MPC2E NG, MPC2E NG Q, |
80 Gbps |
MPC3E NG, MPC3E NG Q |
130 Gbps |
100GE and 40GE MPC3 and MICs |
40 Gbps |
MPC4E |
130 Gbps |
MPC5E |
130 Gbps |
MPC6E |
130 Gbps |
MPC7E |
240 Gbps |
MPC8E |
240 Gbps 400 Gbps in 1.6 Tbps upgraded mode |
MPC9E |
400 Gbps |
To enable inline service interfaces:
Configuring an Inline Service Interface for L2TP LNS
The inline service interface is a virtual physical service interface
that resides on the Packet Forwarding Engine. This si interface,
referred to as an anchor interface, makes it
possible to provide L2TP services without a special services PIC.
The inline service interface is supported only by MPCs on MX Series
routers. Four inline service interfaces are configurable per MPC-occupied
chassis slot.
You can maximize the number of sessions that can be shaped in one service interface by setting the maximum number of hierarchy levels to two. In this case, each LNS session consumes one L3 node in the scheduler hierarchy for shaping.
If you do not specify the number of levels (two is the only option), then the number of LNS sessions that can be shaped on the service interface is limited to the number of L2 nodes, or 4096 sessions. Additional sessions still come up, but they are not shaped.
To configure an inline service interface:
Configuring Options for the LNS Inline Services Logical Interface
You must specify characteristics—dial-options—for each of the inline services logical interfaces that you
configure for the LNS. LNS on MX Series routers supports only one
session per logical interface, so you must configure it as a dedicated interface; the shared option is not supported.
(LNS on M Series routers supports dedicated and shared options.) You also configure an identifying name for the logical
interface that matches the name you specify in the access profile.
You must specify the inet address family for each
static logical interface or in the dynamic profile for dynamic LNS
interfaces. Although the CLI accepts either inet or inet6 for static logical interfaces, the subscriber cannot
log in successfully unless the address family inet is configured.
For dynamic interface configuration, see Configuring a Dynamic Profile for Dynamic LNS Sessions.
To configure the static logical interface options:
LNS 1:1 Stateful Redundancy Overview
By default, when an inline service (si) anchor interface goes down—for example, when the card hosting the interface fails or restarts—L2TP subscriber traffic is lost. When the PPP keepalive timer for the tunnel subsequently expires, the control plane goes down and the PPP client is disconnected. Consequently, the client must then reconnect.
You can avoid traffic loss in these circumstances by configuring an aggregated inline service interface (asi) bundle to provide 1:1 stateful redundancy, also called hot standby or active-backup redundancy. The bundle consists of a pair of si physical interfaces, the primary (active) member link and the secondary (standby or backup) member link. These interfaces must be configured on different MPCs; redundancy is not achievable if you configure the primary and secondary interface on the same MPC because both member interfaces go down if the card goes down.
When subscribers log in and 1:1 redundancy is configured, the L2TP session is established over an underlying virtual logical interface (asix.0) over the asi0 physical interface. Individual subscriber logical interfaces are created on the underlying interface in the format, asiX.logical-unit-number. The session remains up in the event of a failure or a restart on the MPC hosting the primary member link interface. All the data traffic destined for this L2TP session automatically moves over to the secondary member link interface on the other MPC.
Configuring 1:1 LNS Stateful Redundancy on Aggregated Inline Service Interfaces
You can create an aggregated inline service interface
(asi) bundle to provide 1:1 LNS stateful redundancy for inline service
(si) anchor interfaces. The bundle pairs two interfaces that reside
on different MPCs as primary and secondary links. LNS sessions are
subsequently established over a virtual logical interface, asiX.logical-unit-number. LNS session
failover occurs when either the primary anchor interface goes down
or the card is restarted with the request chassis fpc restart command. When this happens, the secondary link—on a different
MPC—becomes active and all the LNS data traffic destined for
the session automatically moves over to the secondary interface. The
subscriber session remains up on the asiX.logical-unit-number virtual interface. No traffic statistics
are lost. When this redundancy is not configured, subscriber traffic
is lost, the keepalives expire, and the PPP client is disconnected
and must reconnect.
Before you begin, you must do the following:
Confirm that enhanced subscriber management is enabled.
Create inline service interfaces on different MPCs to be aggregated in the bundle.
See Enabling Inline Service Interfaces and Configuring an Inline Service Interface for L2TP LNS.
If you are using pools of service interfaces, define the service pools.
Follow these guidelines:
You must configure
unit 0 family inetfor each bundle; otherwise, the session fails to come up.The primary (active) and secondary (backup) interfaces must be on different MPCs.
The bandwidth configured at the
[edit chassis fpc slot pic number inline-services bandwidth]hierarchy level must be the same for both member links.An si interface configured as a member of an aggregated inline service interface bundle cannot be configured as a member of another bundle group.
An si interface configured as a member of an aggregated inline service interface bundle cannot also be used for any function that is not related to aggregated services; for example, it cannot be used for inline IP reassembly.
When you configure an si interface as a member of an aggregated inline services bundle, you can no longer configure that si interface independently. You can configure only the parent bundle; the bundle’s configuration is applied immediately to all member interfaces.
To configure 1:1 LNS stateful redundancy:
The following sample configuration creates bundle asi0 with member links on MPCs in slot 1 and slot 2, then assigns the bundle to provide redundancy for L2TP sessions on tunnel group tg1:
[edit interfaces asi0] user@host# set aggregated-inline-services-options primary-interface si-1/0/0 user@host# set aggregated-inline-services-options secondary-interface si-2/0/0 user@host# set unit 0 family inet [edit chassis fpc 1 pic 0 inline-services] user@host# set bandwidth 10g [edit chassis fpc 2 pic 0 inline-services] user@host# set bandwidth 10g [edit services l2tp tunnel-group tg1] user@host# set service-interface asi0
Verifying LNS Aggregated Inline Service Interface 1:1 Redundancy
Purpose
View information about aggregated inline service interface bundles, individual member links, and redundancy status.
Action
To view summary information about an aggregated inline service interface bundle:
user@host> show interfaces asi0 terse Interface Admin Link Proto Local Remote asi0 up up asi0.0 up up inet
To view detailed information about an aggregated inline service interface bundle:
user@host> show interfaces asi0 extensive Physical interface: asi0, Enabled, Physical link is Up Interface index: 223, SNMP ifIndex: 734, Generation: 226 Type: Adaptive-Services, Link-level type: Adaptive-Services, MTU: 9192, Clocking: Unspecified, Speed: 20000mbps Device flags : Present Running Interface flags: Point-To-Point SNMP-Traps Internal: 0x4000 Link type : Full-Duplex Link flags : None Physical info : Unspecified Hold-times : Up 0 ms, Down 0 ms Current address: Unspecified, Hardware address: Unspecified Alternate link address: Unspecified Last flapped : 2014-01-20 23:35:02 PST (00:03:25 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards: 0, Resource errors: 0 Output errors: Carrier transitions: 0, Errors: 0, Drops: 0, MTU errors: 0, Resource errors: 0 Logical interface asi0.0 (Index 356) (SNMP ifIndex 52241) (Generation 165) Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: Adaptive-Services Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Protocol inet, MTU: 9192, Generation: 198, Route table: 0 Flags: Sendbcast-pkt-to-reTo view information about an individual member interface in an aggregated inline service interface bundle:
user@host> show interfaces si-1/0/0 Physical interface: si-1/0/0, Enabled, Physical link is Up Interface index: 165, SNMP ifIndex: 630 Type: Adaptive-Services, Link-level type: Adaptive-Services, MTU: 9192, Speed: 10000mbps Device flags : Present Running Interface flags: Point-To-Point SNMP-Traps Internal: 0x4000 Link type : Full-Duplex Link flags : None Last flapped : Never Input rate : 0 bps (0 pps) Output rate : 0 bps (0 pps) Logical interface si-1/0/0.0 (Index 357) (SNMP ifIndex 52229) Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: Adaptive-Services Input packets : 0 Output packets: 0 Protocol asi, AS bundle: asi0.0 Flags: Function2To view redundancy status for aggregated inline service interface bundles:
user@host> show interfaces redundancy Interface State Last change Primary Secondary Current status asi0 On secondary 1d 23:56 si-1/0/0 si-2/0/0 primary down asi1 On primary 10:10:27 si-3/0/0 si-4/0/0 secondary down ae0 On primary 00:00:02 ge-1/0/0 ge-3/0/1 backup down ae2 On primary 00:00:01 ge-2/0/0 ge-4/0/1 both up
That sample output shows that both aggregated Ethernet and aggregated inline service interfaces are configured for redundancy. To display only one of the aggregated inline service interface bundles:
user@host> show interfaces redundancy asi0 Interface State Last change Primary Secondary Current status asi0 On secondary 1d 23:56 si-1/0/0 si-2/0/0 primary down
To view detailed information about all configured redundancy interfaces:
user@host> show interfaces redundancy detail Redundancy interfaces detail Interface : asi0 State : On primary Last change : 00:00:36 Primary : si-1/0/0 Secondary : si-3/0/0 Current status: both up Interface : ae0 State : On primary Last change : 00:01:30 Primary : ge-1/0/0 Secondary : ge-3/0/1 Current status : backup down
L2TP Session Limits and Load Balancing for Service Interfaces
The LNS load balances subscriber sessions across the available service interfaces in a device pool based on the number of sessions currently active on the interfaces. You can configure a maximum limit per service interface (si) and per aggregated service interface (asi). In the case of asi interfaces, you cannot configure a limit for the individual si member interfaces in the bundle.
Session Limits on Service Interfaces
When an L2TP session request is initiated for a service interface,
the LNS checks the number of current active sessions on that interface
against the maximum number of sessions allowed for the individual
service interface or aggregated service interface. The LNS determines
whether the current session count (displayed by the show services
l2tp summary command) is less than the configured limit. When
that is true or when no limit is configured, the check passes and
the session can be established. If the current session count is equal
to the configured limit, then the LNS rejects the session request.
No subsequent requests can be accepted on that interface until the
number of active requests drops below the configured maximum. When
a session request is rejected for an si or asi interface, the LNS
returns a CDN message with the result code set to 2 and the error
code set to 4.
For example, suppose a single service interface is configured in the tunnel group. The current L2TP session count is 1500, with a configured limit of 2000 sessions. When a new session is requested, the limit check passes and the session request is accepted.
Interface |
Configured Session Limit |
Current Session Count |
Session Limit Check Result |
|---|---|---|---|
si-0/0/0 |
2000 |
1500 |
Pass |
The limit check continues to pass and session requests are accepted until 500 requests have been accepted, making the current session count 2000, which matches the configured maximum. The session limit check fails for all subsequent requests and all requests are rejected until the current session count on the interface drops below 2000, so that the limit check can pass.
Interface |
Configured Session Limit |
Current Session Count |
Session Limit Check Result |
|---|---|---|---|
si-0/0/0 |
2000 |
2000 |
Fail |
When the session limit is set to zero for an interface , no session requests can be accepted. If that is the only interface in the tunnel group, then all session requests in the group are rejected until the session limit is increased from zero or another service interface is added to the tunnel group.
When a service interface In a service device pool has reached the maximum configured limit or it has a configured limit of zero, the LNS skips that interface when a session request is made and selects another interface in the pool to check the session limit. This continues until an interface passes and the session is accepted or no other interface remains in the pool to be selected.
Session Load Balancing Across Service Interfaces
The behavior for session load distribution in a service device pool changed in Junos OS Release 16.2. When a service interface has a lower session count than another interface in the pool and both interfaces are below their maximum session limit, subsequent sessions are distributed to the interface with fewer sessions.
In earlier releases, sessions are distributed in a strictly round-robin manner, regardless of session count. The old behavior can result in uneven session distribution when the Packet Forwarding Engine is rebooted or a service interface goes down and comes back up.
For example, consider the following scenario using the old round-robin distribution behavior for a pool with two service interfaces:
Two hundred sessions are evenly distributed across the two service interfaces.
si-0/0/0 has 100 sessions.
si-1/0/0 has 100 sessions.
The si-1/0/0 interface reboots. When it comes back, initially sessions are up only on si-0/0/0.
si-0/0/0 has 100 sessions.
si-1/0/0 has 0 sessions.
As the sessions formerly on si-1/0/0 reconnect, they are distributed equally across both service interfaces. When all 100 sessions are back up, the distribution is significantly unbalanced.
si-0/0/0 has 150 sessions.
si-1/0/0 has 50 sessions.
After 100 new sessions connect, si-0/0/0 reaches its maximum limit. Subsequent sessions are accepted only on si-1/0/0.
si-0/0/0 has 200 sessions.
si-1/0/0 has 100 sessions.
After 100 more sessions connect, si-1/0/0 reaches its maximum limit. No more sessions can be accepted until the session count drops below 200 for one of the interfaces.
si-0/0/0 has 200 sessions.
si-1/0/0 has 200 sessions.
Now consider the same scenario using the current load distribution behavior based on the number of attached sessions. The device pool again has two service interfaces each with a configured maximum limit of 200 sessions:
Two hundred sessions are evenly distributed across the two service interfaces.
si-0/0/0 has 100 sessions.
si-1/0/0 has 100 sessions.
The si-1/0/0 interface reboots. When it comes back up, sessions are up initially only on si-0/0/0.
si-0/0/0 has 100 sessions.
si-1/0/0 has 0 sessions.
As the sessions formerly on si-1/0/0 reconnect, they are distributed according to the session load on each interface. Because both interfaces are below their maximum limit, and si-1/0/0 has fewer sessions than si-0/0/0, sessions are initially distributed only to si-1/0/0.
After 1 new session:
si-0/0/0 has 100 sessions.
si-1/0/0 has 1 session.
After 10 new sessions:
si-0/0/0 has 100 sessions.
si-1/0/0 has 10 sessions.
After 100 new sessions:
si-0/0/0 has 100 sessions.
si-1/0/0 has 100 sessions.
Because both interfaces now have the same session count, the next session (#101) is distributed randomly between the two interfaces. The next session after that (#102) goes to the interface with the lower session count. That makes the interfaces equal again, so the next session (#103) is randomly distributed. This pattern repeats until the maximum limit of 200 sessions for both interfaces.
si-0/0/0 has 200 sessions.
si-1/0/0 has 200 sessions.
No more sessions can be accepted on either interface until the number of sessions drops below 200 on one of the interfaces.
The load balancing behavior is the same for aggregated service interfaces. An asi interface is selected from a pool based on the current session count for the asi interface. When that count is less than the maximum, the LNS checks current session count for the active si interface in the asi bundle. When that count is less than the maximum, the session can be established on the asi interface.
In a mixed device pool that has both service interfaces and aggregated service interfaces, sessions are distributed to the interface, either asi or si, that has the lowest session count. When the session count of an interface of either type reaches its limit, it can no longer accept sessions until the count drops below the maximum.
You can use the session limit configuration to achieve a session limit on particular Packet Forwarding Engines. Suppose you want a limit of 100 sessions on a PFE0, which has two service interfaces. You can set the max limit on each interface to 50, or any other combination that adds up to 100 to establish the PFE0 limit.
Example: Configuring an L2TP LNS
This example shows how you can configure an L2TP LNS on an MX Series router to provide tunnel endpoints for an L2TP LAC in your network. This configuration includes a dynamic profile for dual-stack subscribers.
Requirements
This L2TP LNS example requires the following hardware and software:
MX Series 5G Universal Routing Platform
One or more MPCs
Junos OS Release 11.4 or later
No special configuration beyond device initialization is required before you can configure this feature.
You must configure certain standard RADIUS attributes and Juniper Networks VSAs in the attribute return list on the AAA server associated with the LNS for this example to work. Table 2 lists the attributes with their required order setting and values. We recommend that you use the most current Juniper Networks RADIUS dictionary, available in the Downloads box on the Junos OS Subscriber Management page at https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/subscriber-access/index.html.
VSA Name [Number] |
Order |
Value |
|---|---|---|
CoS-Parameter-Type [26–108] |
1 |
T01 Multiplay |
CoS-Parameter-Type [26–108] |
2 |
T02 10m |
CoS-Parameter-Type [26–108] |
3 |
T08 -36 |
CoS-Parameter-Type [26–108] |
4 |
T07 cell-mode |
Framed-IPv6-Pool [100] |
0 |
jnpr_ipv6_pool |
Framed-Pool [88] |
0 |
jnpr_pool |
Egress-Policy-Name [26-11] |
0 |
classify |
Ingress-Policy-Name [26-10] |
0 |
classify |
Virtual-Router [26-1] |
0 |
default |
Overview
The LNS employs user group profiles to apply PPP attributes
to the PPP subscribers that are tunneled from the LAC. LACs in the
network are clients of the LNS. The clients are associated with user
group profiles in the L2TP access profile configured on the LNS. In
this example, the user group profile ce-l2tp-group-profile specifies the following PPP attributes:
A 30-second interval between PPP keepalive messages for L2TP tunnels from the client LAC terminating on the LNS.
A 200-second interval that defines how long the PPP subscriber session can be idle before it is considered to have timed out.
Both PAP and CHAP as the PPP authentication methods that apply to tunneled PPP subscribers at the LNS.
The L2TP access profile ce-l2tp-profile defines a
set of L2TP parameters for each client LAC. In this example, the user
group profile ce-l2tp-group-profile is associated with
both clients, lac1 and lac2. Both clients are
configured to have the LNS renegotiate the link control protocol (LCP)
with the PPP client rather than accepting the pre-negotiated LCP parameters
that the LACs pass to the LNS. LCP renegotiation also causes authentication
to be renegotiated by the LNS; the authentication method is specified
in the user group profile. The maximum number of sessions allowed
per tunnel is set to 1000 for lac1 and to 4000 for lac2. A different password is configured for each LAC.
A local AAA access profile, aaa-profile, enables
you to override the global AAA access profile, so that you can specify
an authentication order, a RADIUS server that you want to use for
L2TP, and a password for the server.
In this example, an address pool defines a range of IP addresses that the LNS allocates to the tunneled PPP sessions. This example defines ranges of IPv4 and IPv6 addresses.
Two inline service interfaces are enabled on the MPC located
in slot 5 of the router. For each interface, 10 Gbps of bandwidth
is reserved for tunnel traffic on the interface’s associated
PFE. These anchor interfaces serve as the underlying
physical interface. To enable CoS queue support on the individual
logical inline service interfaces, you must configure both services
encapsulation (generic-services) and hierarchical scheduling
support on the anchors. The IPv4 address family is configured for
both anchor interfaces. Both anchor interfaces are specified in the lns_p1 service device pool. The LNS can balance traffic loads
across the two anchor interfaces when the tunnel group includes the
pool.
This example uses the dynamic profile dyn-lns-profile2 to specify characteristics of the L2TP sessions that are created
or assigned dynamically when a subscriber is tunneled to the LNS.
For many of the characteristics, a predefined variable is set; the
variables are dynamically replaced with the appropriate values when
a subscriber is tunneled to the LNS.
The interface to which the tunneled PPP client connects ($junos-interface-name) is dynamically created in the routing
instance ($junos-routing-instance) assigned to the subscriber.
Routing options for access routes include the route’s next hop
address ($junos-framed-route-nexthop), metric ($junos-framed-route-cost), and preference ($junos-framed-route-distance). For
access-internal routes, a dynamic IP address variable ($junos-subscriber-ip-address) is set.
The logical inline service interfaces are defined by the name
of a configured anchor interface ($junos-interface-ifd-name) and a logical unit number ($junos-interface-unit).
The profile assigns l2tp-encapuslation as the identifier
for the logical interface and specifies that each interface can be
used for only a single session at a time.
The IPv4 address is set to a value returned from the AAA server.
For IPv4 traffic an input firewall filter $junos-input-filter and an output firewall filter $junos-output-filter are
attached to the interface. The loopback variable ($junos-loopback-interface) derives an IP address from a loopback interface (lo) configured in the routing instance and uses it in IPCP negotiation
as the PPP server address. Because this is a dual-stack configuration,
the IPv6 address family is also set, with the addresses provided by
the $junos-ipv6-address variable.
The $junos-ipv6-address variable is used because
Router Advertisement Protocol is also configured. This variable enables
AAA to allocate the first address in the prefix to be reserved as
the local address for the interface. The minimal configuration for
the Router Advertisement Protocol in the dynamic profile specifies
the $junos-interface-name and $junos-ipv6-ndra-prefix variables to dynamically assign a prefix value in IPv6 neighbor
discovery router advertisements.
The dynamic profile also includes the class of service configuration
that is applied to the tunnel traffic. The traffic-control profile
(tc-profile) includes variables for the scheduler map ($junos-cos-scheduler-map), shaping rate ($junos-cos-shaping-rate), overhead accounting ($junos-cos-shaping-mode), and
byte adjustment $junos-cos-byte-adjust). The dynamic profile
applies the CoS configuration—including the forwarding class,
the output traffic-control profile, and the rewrite rules—to
the dynamic service interfaces.
The tg-dynamic tunnel group configuration specifies
the access profile ce-l2tp-profile, the local AAA profile aaa-profile, and the dynamic profile dyn-lns-profile2 that are used to dynamically create LNS sessions and define the
characteristics of the sessions. The lns_p1 service device
pool associates a pool of service interfaces with the group to enable
LNS to balance traffic across the interfaces. The local gateway address 203.0.113.2 corresponds to the remote gateway address that
is configured on the LAC. The local gateway name ce-lns corresponds to the remote gateway name that is configured on the
LAC.
This example does not show all possible configuration choices.
Configuration
Procedure
CLI Quick Configuration
To quickly configure an L2TP LNS, copy the following commands, paste them in a text file, remove any line breaks, and then copy and paste the commands into the CLI.
[edit] edit access group-profile ce-l2tp-group-profile set ppp idle-timeout 200 set ppp ppp-options pap set ppp ppp-options chap set ppp keepalive 30 top edit access profile ce-l2tp-profile set client lac1 l2tp maximum-sessions-per-tunnel 1000 set client lac1 l2tp interface-id l2tp-encapsulation-1 set client lac1 l2tp lcp-renegotiation set client lac1 l2tp shared-secret "lac1-$ABC123" set client lac1 user-group-profile ce-l2tp-group-profile set client lac2 l2tp maximum-sessions-per-tunnel 4000 set client lac2 l2tp interface-id l2tp-encap-2 set client lac2 l2tp lcp-renegotiation set client lac2 l2tp shared-secret "lac2-$ABC123" set client lac2 user-group-profile ce-l2tp-group-profile top edit access profile aaa-profile set authentication-order radius set radius authentication-server 198.51.100.193 set radius-server 198.51.100.193 secret "$ABC123” top edit access address-assignment pool client-pool1 family inet set network 192.168.1.1/16 set range lns-v4-pool-range low 192.168.1.1 set range lns-v4-pool-range high 192.168.255.255 top edit access address-assignment pool client-ipv6-pool2 family inet6 set prefix 2001:DB8::/32 set range lns-v6-pool-range low 2001:DB8:1::/48 set range lns-v6-pool-range high 2001:DB8:ffff::/48 top set interfaces ge-5/0/1 unit 11 vlan-id 11 set interfaces ge-5/0/1 unit 11 family inet address 203.0.113.2/24 set interfaces lo0 unit 0 family inet address 127.0.0.1/32 top set chassis fpc 5 pic 0 inline-services bandwidth 10g set chassis fpc 5 pic 2 inline-services bandwidth 10g top edit interfaces si-5/0/0 set hierarchical-scheduler maximum-hierarchy-levels 2 set encapsulation generic-services set unit 0 family inet top edit interfaces si-5/2/0 set hierarchical-scheduler maximum-hierarchy-levels 2 set encapsulation generic-services set unit 0 family inet top set services service-device-pools pool lns_p1 interface si-5/0/0 set services service-device-pools pool lns_p1 interface si-5/2/0 top edit dynamic-profiles dyn-lns-profile2 routing-instances $junos-routing-instance set interface $junos-interface-name edit routing-options access route $junos-framed-route-ip-address-prefix set next-hop $junos-framed-route-nexthop set metric $junos-framed-route-cost set preference $junos-framed-route-distance up 2 edit access-internal route $junos-subscriber-ip-address set qualified-next-hop $junos-interface-name up 5 edit interfaces $junos-interface-ifd-name unit $junos-interface-unit set dial-options l2tp-interface-id l2tp-encapsulation set dial-options dedicated set family inet filter input $junos-input-filter set family inet filter output $junos-output-filter set family inet unnumbered-address $junos-loopback-interface set family inet6 address $junos-ipv6-address set family inet6 filter input $junos-input-ipv6-filter set family inet6 filter output $junos-output-ipv6-filter up 3 edit protocols router-advertisement set interface $junos-interface-name prefix $junos-ipv6-ndra-prefix top [edit class-of-service] edit rewrite-rules dscp rewriteDSCP forwarding-class expedited-forwarding set loss-priority high code-point af11 set loss-priority high code-point af12 top edit dynamic-profiles dyn-lns-profile2 class-of-service traffic-control-profiles tc-profile set scheduler-map $junos-cos-scheduler-map set shaping-rate $junos-cos-shaping-rate set overhead-accounting $junos-cos-shaping-mode set overhead-accounting bytes $junos-cos-byte-adjust up edit interfaces $junos-interface-ifd-name unit $junos-interface-unit set forwarding-class expedited-forwarding set output-traffic-control-profile tc-profile set rewrite-rules dscp rewriteDSCP edit interfaces si-5/0/0 set output-control-profile-remaining tc-profile top set services l2tp tunnel-group tg-dynamic l2tp-access-profile ce-l2tp-profile set services l2tp tunnel-group tg-dynamic aaa-access-profile aaa-profile set services l2tp tunnel-group tg-dynamic local-gateway address 203.0.113.2 set services l2tp tunnel-group tg-dynamic local-gateway gateway-name ce-lns set services l2tp tunnel-group tg-dynamic service-device-pool lns_p1 set services l2tp tunnel-group tg-dynamic dynamic-profile dyn-lns-profile2
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure an L2TP LNS with inline service interfaces:
Configure a user group profile that defines the PPP configuration for tunnel subscribers.
[edit access] user@host# edit group-profile ce-l2tp-group-profile [edit access group-profile ce-l2tp-group-profile] user@host# set ppp keepalive 30 user@host# set ppp idle-timeout 200 user@host# set ppp ppp-options chap user@host# set ppp ppp-options pap
Configure an L2TP access profile that defines the L2TP parameters for each client LAC. This includes associating a user group profile with the client and specifying the identifier for the inline services logical interface that represents an L2TP session on the LNS.
[edit access profile ce-l2tp-profile client lac1] user@host# set l2tp interface-id l2tp-encapsulation user@host# set l2tp maximum-sessions-per-tunnel 1000 user@host# set l2tp shared-secret "lac1-$ABC123" user@host# set l2tp lcp-renegotiation user@host# set user-group-profile ce-l2tp-group-profile [edit access profile ce-l2tp-profile client lac2] user@host# set l2tp interface-id interface-id user@host# set l2tp maximum-sessions-per-tunnel 4000 user@host# set l2tp shared-secret "lac2-$ABC123" user@host# set l2tp lcp-renegotiation user@host# set user-group-profile ce-l2tp-group-profile
Note:If
user-group-profileis modified or deleted, the existing LNS subscribers, which were using this Layer 2 Tunneling Protocol client configuration, go down.Configure a AAA access profile to override the global access profile for the order of AAA authentication methods and server attributes.
[edit access profile aaa-profile] user@host# set authentication-order radius user@host# set radius authentication-server 198.51.100.193 user@host# set radius-server 198.51.100.193 secret "$ABC123”
Configure IPv4 and IPv6 address-assignment pools to allocate addresses for the clients (LACs).
[edit access address-assignment pool client-pool1 family inet] user@host# set network 192.168.1.1/16 user@host# set range lns-v4-pool-range low 192.168.1.1 high 192.168.255.255 [edit access address-assignment pool client-ipv6-pool2 family inet6] user@host# set prefix 2001:DB8::/32 user@host# set range lns-v6-pool-range low 2001:DB8:1::/48 user@host# set range lns-v6-pool-range high 2001:DB8:ffff::/48
Configure the peer interface to terminate the tunnel and the PPP server-side IPCP address (loopback address).
[edit interfaces ge-5/0/1 user@host# set vlan-tagging user@host# set unit 11 [edit interfaces ge-5/0/1.11 user@host# set vlan-id 11 user@host# set family inet address 10.1.1.2/24 [edit interfaces lo0] user@host# set unit 0 family inet address 127.0.0.1/32
Enable inline service interfaces on an MPC.
[edit chassis fpc 5] user@host# set pic 0 inline-services bandwidth 10g user@host# set pic 2 inline-services bandwidth 10g
Configure the anchor service interfaces with services encapsulation, hierarchical scheduling, and the address family.
[edit interfaces si-5/0/0] user@host# set hierarchical-scheduler maximum hierarchy-levels 2 user@host# set encapsulation generic-services user@host# set unit 0 family inet [edit interfaces si-5/2/0] user@host# set hierarchical-scheduler maximum hierarchy-levels 2 user@host# set encapsulation generic-services user@host# set unit 0 family inet
Configure a pool of service interfaces for dynamic LNS sessions.
[edit services service-device-pools pool lns_p1] user@host# set interface si-5/0/0 user@host# set interface si-5/2/0
Configure a dynamic profile that dynamically creates L2TP logical interfaces for dual-stack subscribers.
[edit dynamic-profiles dyn-lns-profile2] user@host# edit routing-instances $junos-routing-instance user@host# set interface $junos-interface-name [edit dynamic-profiles dyn-lns-profile2 routing-instances “$junos-routing-instance”] user@host# edit routing-options access route $junos-framed-route-ip-address-prefix [edit dynamic-profiles dyn-lns-profile2 routing-instances “$junos-routing-instance” routing-options access route “$junos-framed-route-ip-address-prefix”] user@host# set next-hop $junos-framed-route-nexthop user@host# set metric $junos-framed-route-cost user@host# set preference $junos-framed-route-distance [edit dynamic-profiles dyn-lns-profile2 routing-instances “$junos-routing-instance” routing-options access-internal] user@host# set route $junos-subscriber-ip-address qualified-next-hop $junos-interface-name [edit dynamic-profiles dyn-lns-profile2 interfaces “$junos-interface-ifd-name” unit “$junos-interface-unit”] user@host# set dial-options l2tp-interface-id l2tp-encapsulation user@host# set dial-options dedicated user@host# set family inet unnumbered-address $junos-loopback-interface user@host# set family inet filter input $junos-input-filter user@host# set family inet filter output $junos-output-filter user@host# set family inet6 address $junos-ipv6-address set family inet6 filter input $junos-input-ipv6-filter set family inet6 filter output $junos-output-ipv6-filter [edit dynamic-profiles dyn-lns-profile2 protocols router-advertisement] user@host# set interface $junos-interface-name prefix $junos-ipv6-ndra-prefix
Configure shaping, scheduling, and rewrite rules, and apply in the dynamic profile to tunnel traffic.
[edit class-of-service] user@host# edit rewrite-rules dscp rewriteDSCP forwarding-class expedited-forwarding user@host# set loss-priority high code-point af11 user@host# set loss-priority high code-point af12 [edit dynamic-profiles dyn-lns-profile2 class-of-service traffic-control-profiles tc-profile] user@host# set scheduler-map $junos-cos-scheduler-map user@host# set shaping-rate $junos-cos-shaping-rate user@host# set overhead-accounting $junos-cos-shaping-mode user@host# set overhead-accounting bytes $junos-cos-byte-adjust [edit dynamic-profiles dyn-lns-profile2 class-of-service interfaces “$junos-interface-ifd-name” unit "$junos-interface-unit"] user@host# set forwarding-class expedited-forwarding user@host# set output-traffic-control-profile tc-profile user@host# set rewrite-rules dscp rewriteDSCP [edit class-of-service interfaces si-5/0/0] user@host# set output-traffic-control-profile-remaining tc-profile
Configure the L2TP tunnel group to bring up dynamic LNS sessions using the pool of inline service interfaces to enable load-balancing.
[edit services l2tp tunnel-group tg-dynamic] user@host# set l2tp-access-profile ce-l2tp-profile user@host# set local-gateway address 10.1.1.2 user@host# set local-gateway gateway-name ce-lns user@host# set aaa-access-profile aaa-profile user@host# set dynamic-profile dyn-lns-profile2 user@host# set service-device-pool lns_p1
Results
From configuration mode, confirm the access profile,
group profile, AAA profile, and address-assignment pools configuration
by entering the show access command. Confirm the inline
services configuration by entering the show chassis command.
Confirm the interface configuration by entering the show interfaces command. Confirm the dynamic profile configuration by entering the show dynamic-profiles command. Confirm the tunnel group configuration
by entering the show services l2tp command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@host# show access
group-profile ce-l2tp-group-profile {
ppp {
idle-timeout 200;
ppp-options {
pap;
chap;
}
keepalive 30;
}
}
profile ce-l2tp-profile {
client lac1 {
l2tp {
maximum-sessions-per-tunnel 1000;
interface-id l2tp-encapsulation-1;
lcp-renegotiation;
shared-secret "lac1-$ABC123"; ## SECRET-DATA
}
user-group-profile ce-l2tp-group-profile;
}
client lac2 {
l2tp {
maximum-sessions-per-tunnel 4000;
interface-id l2tp-encap-2;
lcp-renegotiation;
shared-secret "lac2-$ABC123"; ## SECRET-DATA
}
user-group-profile ce-l2tp-group-profile;
}
}
profile aaa-profile {
authentication-order radius;
radius-server {
198.51.100.193 secret "$ABC123"; ## SECRET-DATA
}
}
address-assignment {
pool client-pool1 {
family inet {
network 192.168.1.1/16;
range lns-v4-pool-range {
low 192.168.1.1;
high 192.168.255.255;
}
}
}
pool client-ipv6-pool2 {
family inet6 {
prefix 2001:DB8::/32;
range lns-v6-pool-range {
low 2001:DB8:1::/48;
high 2001:DB8:ffff::/48;
}
}
}
}
[edit]
user@host# show chassis
fpc 5 {
pic 0 {
inline-services {
bandwidth 10g;
}
}
pic 2 {
inline-services {
bandwidth 10g;
}
}
}
[edit]
user@host# show interfaces
ge-5/0/1 {
vlan-tagging;;
unit 11 {
vlan-id 11;
family inet {
address 203.0.113.2/24;
}
}
}
si-5/0/0 {
hierarchical-scheduler maximum-hierarchy-levels 2;
encapsulation generic-services;
unit 0 {
family inet;
}
}
si-5/2/0 {
hierarchical-scheduler maximum-hierarchy-levels 2;
encapsulation generic-services;
unit 0 {
family inet;
}
}
lo0 {
unit 0 {
family inet {
address 127.0.0.1/32;
}
}
}
[edit]
user@host# show dynamic-profiles
dyn-lns-profile2 {
routing-instances {
"$junos-routing-instance" {
interface "$junos-interface-name";
routing-options {
access {
route $junos-framed-route-ip-address-prefix {
next-hop "$junos-framed-route-nexthop";
metric "$junos-framed-route-cost";
preference "$junos-framed-route-distance";
}
}
access-internal {
route $junos-subscriber-ip-address {
qualified-next-hop "$junos-interface-name";
}
}
}
}
}
interfaces {
"$junos-interface-ifd-name" {
unit "$junos-interface-unit" {
dial-options {
l2tp-interface-id l2tp-encapsulation;
dedicated;
}
family inet {
filter {
input "$junos-input-filter";
output "$junos-output-filter";
}
unnumbered-address "$junos-loopback-interface";
}
family inet6 {
address $junos-ipv6-address;
input $junos-input-ipv6-filter;
output $junos-output-ipv6-filter;
}
}
}
}
protocols {
router-advertisement {
interface "$junos-interface-name" {
prefix $junos-ipv6-ndra-prefix;
}
}
}
class-of-service {
rewrite-rules {
dscp rewriteDSCP {
forwarding-class expedited-forwarding {
loss-priority high code-point af11
loss-priority high code-point af12
}
}
}
traffic-control-profiles {
tc-profile {
scheduler-map "$junos-cos-scheduler-map";
shaping-rate "$junos-cos-shaping-rate";
overhead-accounting "$junos-cos-shaping-mode" bytes "$junos-cos-byte-adjust";
}
}
interfaces {
"$junos-interface-ifd-name" {
unit "$junos-interface-unit" {
forwarding-class expedited-forwarding;
output-traffic-control-profile tc-profile;
rewrite-rules {
dscp rewriteDSCP;
}
}
}
}
}
}
[edit]
user@host# show services l2tp
tunnel-group tg-dynamic {
l2tp-access-profile ce-l2tp-profile;
aaa-access-profile aaa-profile;
local-gateway {
address 203.0.113.2;
gateway-name ce-lns;
}
service-device-pool lns_p1;
dynamic-profile dyn-lns-profile2;
}
When you are done configuring the device, enter commit from configuration mode.
Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces
The L2TP tunnel group specifies attributes that apply to L2TP tunnels and sessions from a group of LAC clients. These attributes include the access profile used to validate L2TP connection requests made to the LNS on the local gateway address, a local access profile that overrides the global access profile, the keepalive timer, and whether the IP ToS value is reflected.
If you delete a tunnel group, all L2TP sessions in that
tunnel group are terminated. If you change the value of the local-gateway-address, service-device-pool, or service-interface statements, all L2TP sessions using those settings are terminated.
If you change or delete other statements at the [edit services
l2tp tunnel-group name] hierarchy level,
new tunnels you establish use the updated values but existing tunnels
and sessions are not affected.
To configure the LNS tunnel group:
Applying Services to an L2TP Session Without Using RADIUS
Services are applied to L2TP sessions for activation or later modified by vendor-specific attributes (VSAs) from the RADIUS server or in RADIUS Change of Authorization (CoA) requests. Starting in Junos OS Release 18.1R1, you can apply services to L2TP sessions by means of dynamic service profiles without involving RADIUS. In multivendor environments, customers might use only standard RADIUS attributes to simplify management by avoiding the use of VSAs from multiple vendors. However, this complicates the application of services to L2TP sessions because VSAs are generally required to apply services. Local dynamic service profile activation enables you to avoid that problem. You can also use local service profile activation to provide default services when RADIUS servers are down.
You can apply services to all subscribers in a tunnel group or to all subscribers using a particular LAC. You can configure a maximum of 12 services per tunnel group or LAC hostname.
After configuring one or more dynamic service profiles that define services, you apply them in the tunnel group or in the access profile configuration for a LAC client by specifying the service profile names. You can list more than one profile to be activated, separated by an ampersand (&). You can also specify parameters to be used by the service profile that might override values configured in the profile itself, such as a downstream shaping rate for a CoS service.
The locally configured list of services (via service profiles) serves as local authorization that is applied by authd during client session activation. This list of services is subject to the same validation and processing as services originating from external authority, such as RADIUS. These services are presented during subscriber login.
You can still use RADIUS VSAs or CoA requests in concert with the service profiles. If services are sourced from an external authority as authorization during authentication or during subscriber session provisioning (activation), the services from the external authority take strict priority over those in the local configuration. If a service applied with RADIUS is the same as a service applied with a service profile in the CLI, but with different parameters, the RADIUS service is applied with a new session ID and takes precedence over the earlier service profile.
You can issue commands to deactivate or reactivate any service you have previously activated for a tunnel group or LAC.
Define the dynamic service profiles that you want to later apply to a tunnel group or LAC.
To apply service profiles to all subscribers in a tunnel group:
Specify one or more service profiles and any parameters to be passed to the services.
[edit services l2tp tunnel-group group-name] user@host# set service-profile profile-name(parameter)&profile-name
To apply service profiles to all subscribers for a particular LAC:
Specify one or more service profiles and any parameters to be passed to the services.
[edit access profile profile-name client client-name l2tp] user@host# set service-profile profile-name(parameter)&profile-name
Note:When service profiles are configured for a LAC client and for a tunnel group that uses that client, only the LAC client service profile is applied. It overrides the tunnel group configuration. For example, in the following configuration, the tunnel group, tg-LAC-3, uses the LAC client, LAC-3, so the LAC3 configuration overrides the tunnel group configuration. Consequently only the cos-A3 service is activated for subscribers in the tunnel group, rather than Cos2 and fw1. The shaping rate passed for the service is 24 Mbps.
[edit] user@host# set services l2tp tunnel-group tg-LAC-3 service-profile cos2(31000000)&fw1 user@host# set access profile prof-lac client LAC-3 l2tp service-profile cos-A3(24000000)
You can deactivate any service applied to a subscriber session by issuing the following command:
user@host> request network-access aaa subscriber delete session-id subscriber-session-id service-profile profile-name
You can reactivate any service applied to a subscriber session by issuing the following command:
user@host> request network-access aaa subscriber add session-id subscriber-session-id service-profile profile-name
To display the services sessions for all current subscriber sessions, use the show subscribers extensive or show network-access aaa subscribers session-id id-number detail command.
To understand how local service application works, the following examples illustrate the various configuration possibilities. First, consider the following dynamic service profile configurations, cos2 and fw1:
dynamic-profiles {
cos2 {
variables {
shaping-rate default-value 10m;
shaping-rate-in default-value 10m;
data-in-filter uid;
data-in-policer uid;
}
interfaces {
"$junos-interface-ifd-name" {
unit "$junos-interface-unit" {
family inet;
}
}
}
class-of-service {
traffic-control-profiles {
TrafficShaper {
scheduler-map a;
shaping-rate "$shaping-rate";
}
}
interfaces {
"$junos-interface-ifd-name" {
unit "$junos-interface-unit" {
output-traffic-control-profile TrafficShaper;
}
}
}
}
}
|
dynamic-profiles {
fw1 {
variables {
v6input default-value v6ingress;
v6output default-value v6egress;
input default-value upstrm-filter;
output default-value dwnstrm-filter;
}
interfaces {
"$junos-interface-ifd-name" {
unit "$junos-interface-unit" {
family inet;
}
}
}
}
}
The following statement applies both services to all subscribers in tunnel group tg1; a parameter value of 31 Mbps is passed to the cos2 service:
[edit] user@host# set services l2tp tunnel-group tg1 service-profile cos2(31000000)&fw1
In the cos2 service profile, the shaping rate is provided by a user-defined variable with a default value of 10m, or 1Mbps. After the L2TP session is up, cos2 and fw1 are activated with service session IDs of 34 and 35, respectively.
user@host1> show subscribers extensive
...
Service Session ID: 34
Service Session Name: cos2
State: Active
Family: inet
Service Activation time: 2018-02-15 15:44:16 IST
Service Session ID: 35
Service Session Name: fw1
State: Active
Family: inet
Service Activation time: 2018-02-15 15:44:16 IST
Dynamic configuration:
input: upstrm-filter
output: dwnstrm-filter
v6input: v6ingress
v6output: v6egressThe parameter passed to cos2 is used as the value for $shaping-rate; consequently the shaping rate for the service is adjusted from the default value of 10 Mbps to 31 Mbps, as shown in the following command output. Although the output indicates the adjusting application is RADIUS CoA, the adjustment is a consequence of the parameter passed to the service profile. That operation uses the same internal framework as a CoA and is reported as such.
user@host1> show class-of-service interface si-1/0/0.3221225492
Logical interface: si-1/0/0.3221225492, Index: 3221225492
Object Name Type Index
Traffic-control-profile subscriber-tcp-2 Output 23571
Scheduler-map a Output 4294967354
Classifier dscp-ipv6-compatibility dscp-ipv6 9
Classifier ipprec-compatibility ip 13
Adjusting application: RADIUS CoA
Adjustment type: absolute
configured-shaping-rate: 31000000
adjustment-value: 31000000
Adjustment overhead-accounting mode: frame mode
Adjustment overhead bytes: 0
Adjustment target: node
Adjustment priority: 1Now the cos2 service is deactivated from the CLI for subscriber session 27.
user@host1> request network-access aaa subscriber delete service-profile cos2 session-id 27 Successful completion
The following output shows cos2 is gone, leaving only fw1 as an active service.
user@host1> show subscribers extensive
Type: L2TP
User Name: user@example.com
IP Address: 192.0.2.103
IP Netmask: 255.255.255.255
Logical System: default
Routing Instance: default
Interface: si-1/0/0.3221225492
Interface type: Dynamic
Underlying Interface: si-1/0/0.3221225492
Dynamic Profile Name: dyn-lns-profile
State: Active
Radius Accounting ID: 27
Session ID: 27
PFE Flow ID: 42
Login Time: 2017-08-30 07:29:39 IST
Service Sessions: 1
IP Address Pool: ipv4_pool
Accounting interval: 600
Frame/cell mode: Frame
Overhead accounting bytes: -38
Calculated downstream data rate: 1000000 kbps
Adjusted downstream data rate: 1000000 kbps
Service Session ID: 35
Service Session Name: fw1
State: Active
Family: inet
Service Activation time: 2018-02-15 15:44:16 IST
Dynamic configuration:
input: upstrm-filter
output: dwnstrm-filter
v6input: v6ingress
v6output: v6egress
The following command reactivates cos2 for subscriber session 27.
user@host1> request network-access aaa subscriber add service-profile cos2 session-id 27 Successful completion
The reactivated cos2 service has a new service session ID of 36.
user@host1> show subscribers extensive
...
Service Session ID: 35
Service Session Name: fw1
State: Active
Family: inet
Service Activation time: 2018-02-15 15:44:16 IST
Dynamic configuration:
input: upstrm-filter
output: dwnstrm-filter
v6input: v6ingress
v6output: v6egress
Service Session ID: 36
Service Session Name: cos2
State: Active
Family: inet
Service Activation time: 2018-02-15 15:58:23 IST
The reactivated cos2 service uses the default shaping rate, 10 Mbps, from the service profile.
user@host1> show class-of-service interface si-1/0/0.3221225492
Logical interface: si-1/0/0.3221225492, Index: 3221225492
Object Name Type Index
Traffic-control-profile subscriber-tcp-2 Output 23571
Scheduler-map a Output 4294967354
Classifier dscp-ipv6-compatibility dscp-ipv6 9
Classifier ipprec-compatibility ip 13
Adjusting application: RADIUS CoA
Adjustment type: absolute
configured-shaping-rate: 10000000
adjustment-value: 10000000
Adjustment overhead-accounting mode: frame mode
Adjustment overhead bytes: 0
Adjustment target: node
Adjustment priority: 1
Next, a RADIUS CoA request is received, which includes the Activate-Service VSA (26-65). The VSA specifies and activates the service and specifies a change in the shaping rate of cos2 from the default 10 Mbps to 12 Mbps. The cos2 service session 36 still appears in the output, but is superseded by the new service session initiated by the CoA, 49.
user@host1> show subscribers extensive
...
Service Session ID: 35
Service Session Name: fw1
State: Active
Family: inet
Service Activation time: 2018-02-15 15:44:16 IST
Dynamic configuration:
input: upstrm-filter
output: dwnstrm-filter
v6input: v6ingress
v6output: v6egress
Service Session ID: 36
Service Session Name: cos2
State: Active
Family: inet
Service Activation time: 2018-02-15 15:58:23 IST
Service Session ID: 49
Service Session Name: cos2
State: Active
Family: inet
Service Activation time: 2018-02-15 16:25:04 IST
Dynamic configuration:
shaping-rate: 12000000
shaping-rate-in: 10m
user@host1> show class-of-service interface si-1/0/0.3221225492
Logical interface: si-1/0/0.3221225492, Index: 3221225492
Object Name Type Index
Traffic-control-profile subscriber-tcp-2 Output 23571
Scheduler-map a Output 4294967354
Classifier dscp-ipv6-compatibility dscp-ipv6 9
Classifier ipprec-compatibility ip 13
Adjusting application: RADIUS CoA
Adjustment type: absolute
configured-shaping-rate: 12000000
adjustment-value: 12000000
Adjustment overhead-accounting mode: frame mode
Adjustment overhead bytes: 0
Adjustment target: node
Adjustment priority: 1
When a service is applied by both the CLI configuration and a RADIUS VSA (26-65), but with different parameters, the RADIUS configuration overrides the CLI configuration. In the following example, the CLI configuration applies the cos2 service profile with a value of 31 Mbps for the shaping rate.
[edit] user@host# set services l2tp tunnel-group tg1 service-profile cos2(31000000)
The RADIUS Access-Accept message service activation VSA (26-65) applies cos2 with a value of 21 Mbps for the shaping rate.
l2tp@l2tp.com User-Password := "bras"
Auth-Type = Local,
Service-Type = Framed-User,
Framed-Protocol = PPP,
ERX-Service-Activate:1 += 'cos2(21000000)',
The CLI configuration activates service session 22 with a shaping rate of 31 Mbps. The RADIUS VSA activates service session 23 with a shaping rate of 21 Mbps.
user@host1> show subscribers extensive
...
Service Session ID: 22
Service Session Name: cos2
State: Active
Family: inet
Service Activation time: 2018-02-16 08:22:03 IST
Dynamic configuration:
shaping-rate: 31000000
shaping-rate-in: 10m
Service Session ID: 23
Service Session Name: cos2
State: Active
Family: inet
Service Activation time: 2018-02-16 08:22:03 IST
Dynamic configuration:
shaping-rate: 21000000
shaping-rate-in: 10m
user@host1> show class-of-service interface si-1/0/0.3221225492
Logical interface: si-1/0/0.3221225492, Index: 3221225492
Object Name Type Index
Traffic-control-profile subscriber-tcp-2 Output 23571
Scheduler-map a Output 4294967354
Classifier dscp-ipv6-compatibility dscp-ipv6 9
Classifier ipprec-compatibility ip 13
Adjusting application: RADIUS CoA
Adjustment type: absolute
configured-shaping-rate: 21000000
adjustment-value: 21000000
Adjustment overhead-accounting mode: frame mode
Adjustment overhead bytes: 0
Adjustment target: node
Adjustment priority: 1
Configuring a Pool of Inline Services Interfaces for Dynamic LNS Sessions
You can create a pool of inline service interfaces, also known as a service device pool, to enable load-balancing of L2TP traffic across the interfaces. The pool is supported for dynamic LNS configurations, where it provides a set of logical interfaces that can be dynamically created and allocated to L2TP sessions on the LNS. The pool is assigned to an LNS tunnel group. L2TP maintains the state of each inline service interface and uses a round-robin method to evenly distribute the load among available interfaces when new session requests are accepted.
Load balancing is available only for dynamically created subscriber interfaces.
LNS sessions anchored on an MPC are not affected by a MIC failure as long as some other path to the peer LACs exists. If the MPC hosting the peer interface fails and there is no path to peer LACs, the failure initiates termination and clean-up of all the sessions on the MPC.
If the MPC anchoring the LNS sessions itself fails, the Routing Engine does not relocate sessions to another slot and all sessions are terminated immediately. New sessions can come up on another available interface when the client retries.
To configure the service device pool:
Configuring a Dynamic Profile for Dynamic LNS Sessions
You can configure L2TP to dynamically assign inline service interfaces for L2TP tunnels. You must define one or more dynamic profiles and assign a profile to each tunnel group. The LNS supports IPv4-only, IPv6-only, and dual-stack IPv4/IPv6 sessions.
To configure the L2TP dynamic profile:
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.