16-BRAS Services Command Reference

H3C CR16000-F Routers Command References, Release 795x-6W100
10-L2TP commands

L2TP commands

This feature is available only when the system operates in standard mode. For more information about the system operating modes, see device management in Fundamentals Configuration Guide.

Only CSPEX (except CSPEX-1104-E)/CEPC cards support L2TP.

allow l2tp

Use allow l2tp to configure an L2TP network server (LNS) to accept Layer 2 Tunneling Protocol (L2TP) tunneling requests from an L2TP access concentrator (LAC), and to specify a VT interface for tunnel setup.

Use undo allow to prevent setting up sessions with users with the specified domain name or users without domain names on an LAC.

Syntax

In the view of L2TP group 1:

allow l2tp virtual-template virtual-template-number [ local ip-address | remote remote-name ] [ domain domain-name ]

undo allow [ domain domain-name ]

In the view of an L2TP group except group 1:

allow l2tp virtual-template virtual-template-number { local ip-address | remote remote-name } [ domain domain-name ]

undo allow [ domain domain-name ]

Default

An LNS denies L2TP tunneling requests from any LACs.

Views

L2TP group view

Predefined user roles

network-admin

Parameters

virtual-template virtual-template-number: Specifies a VT interface by its number in the range of 0 to 1023. An LNS dynamically creates PPP sessions based on the configuration of a VT interface. Each PPP session is used to carry data for a different L2TP session.

local ip-address: Specifies the IP address of the local tunnel.

remote remote-name: Specifies the name of the tunnel peer (LAC) initiating tunneling requests, a case-sensitive string of 1 to 31 characters.

domain domain-name: Allows users with the specified domain name to set up L2TP sessions. The domain-name argument represents the domain name of the user and is a case-sensitive string of 1 to 255 characters. The ISP domain in the username is transmitted to the LNS through PPP proxy information carried in the Incoming-Call-Connection (ICCN) message. ICCN messages are a type of L2TP session setup request.

In NAS-initiated mode, ICCN messages carry PPP proxy information. In this mode, when receiving L2TP session setup requests from the LAC, the LNS compares the following domain names:

·          The ISP domain name in the username.

·          The domain name specified in an allow l2tp command configured in the L2TP group of the tunnel.

Then LNS performs the following operations depending on the comparison result:

·          If a match is found, an L2TP session is set up based on the allow l2tp command configuration.

·          If no match is found, the LNS continues to check whether an allow l2tp command without the domain keyword is executed in the L2TP group view.

    ○  If the allow l2tp command exists, an L2TP session is set up based on the allow l2tp command configuration.

    ○  If the allow l2tp command does not exist, the L2TP session cannot be set up.

In client-initiated mode or LAC-auto-initiated mode, the ICCN messages do not carry PPP proxy information. As a result, the LNS cannot obtain the ISP domain information in usernames. When receiving L2TP session setup requests, the LNS checks for an allow l2tp command without the domain keyword in the L2TP group of the tunnel.

·          If a match is found, an L2TP session is set up based on the command configuration.

·          If no match is found, the L2TP session cannot be set up.

Usage guidelines

The allow l2tp command is available only on LNSs.

In the view of L2TP group 1:

·          With the local keyword specified, the LNS checks whether the destination address in the received requests is the same as the local tunnel address. The LNS accepts the requests only when the two IP addresses are the same. When specifying the local tunnel address, make sure it matches at least one of the LNS IP addresses specified on the LAC.

·          If the remote keyword is specified, the LNS checks whether the LAC name in the received requests is the same as the specified LAC name. The LNS accepts the requests only when the two names are the same. When specifying the LAC name, make sure the specified LAC name is the same as the local tunnel name configured on the LAC.

·          If neither local nor remote is specified, L2TP group 1 is the default L2TP group. In this case, the LNS can accept requests from any LAC.

In the view of an L2TP group except group 1:

When receiving a request, the LNS compares the destination address or LAC name in the request with that configured in an L2TP group except group 1.

·          If a match is found, the LNS uses the tunnel parameters (for example, tunnel authentication) configured in the L2TP group to set up L2TP tunnels with the LAC.

·          If no match is found, the LNS checks whether the default L2TP group exists.

    ○  If the default L2TP group exists, the LNS uses its tunnel parameters to set up L2TP tunnels with the LAC.

    ○  If the default L2TP group does not exist, the LNS cannot set up L2TP tunnels with the LAC.

When the undo form is executed without the domain keyword, the command prevents setting up sessions with users without domain names.

When the undo form is executed with the domain domain-name option, the command prevents setting up sessions with users with the specified domain name.

As a best practice, configure a default L2TP group on the LNS in the following cases:

·          LACs (such as hosts with Windows 2000 Beta 2 installed) include blank local names in their tunneling requests.

·          The LNS sets up tunnels with multiple LACs by using the same tunnel parameters.

The allow l2tp command is available only on L2TP groups in LNS mode. When the command is executed in the same L2TP group, the following rules apply:

·          If the first command has the remote remote-name option specified, all the following commands must have the same option specified.

·          If the first command has the local ip-address option specified, all the following commands must have the same option specified.

·          If the first command does not have the remote or local keyword specified, all the following commands cannot have the remote or local keyword specified.

·          If the command is executed without the domain keyword multiple times, the most recent configuration takes effect.

·          If the command is executed with the domain domain-name option multiple times to specify multiple domain names, all these configurations take effect.

·          If the command is executed with the domain domain-name option multiple times to specify the same domain name, the most recent configuration takes effect.
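The group selection, domain matching and command-repetition rules described above, modelled as an added Python example. This is not H3C code: the class and function names (AllowEntry, L2tpGroup, Lns, session_vt) are hypothetical, the ISP domain is assumed to be the text after "@" in the PPP username, groups other than group 1 are assumed to be checked in ascending number order, and "the same option" is modelled as the same selector keyword with the same value.

```python
# Added example: a model of the LNS-side allow l2tp matching rules (not H3C code).
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class AllowEntry:
    vt: int                       # virtual-template number for the PPP session
    local: Optional[str] = None   # 'local ip-address' selector, if configured
    remote: Optional[str] = None  # 'remote remote-name' (LAC tunnel name), if configured

    def matches(self, dst_ip: str, lac_name: str) -> bool:
        """local compares the request's destination address, remote compares
        the LAC name; an entry with neither selector accepts any LAC."""
        if self.local is not None:
            return dst_ip == self.local
        if self.remote is not None:
            return lac_name == self.remote
        return True


@dataclass
class L2tpGroup:
    number: int
    no_domain: Optional[AllowEntry] = None                          # allow l2tp without domain
    by_domain: Dict[str, AllowEntry] = field(default_factory=dict)  # allow l2tp ... domain X

    def selector(self) -> Optional[AllowEntry]:
        return self.no_domain or next(iter(self.by_domain.values()), None)

    def allow_l2tp(self, vt: int, local: str = None, remote: str = None, domain: str = None):
        if local is not None and remote is not None:
            raise ValueError("local and remote are mutually exclusive")
        if self.number != 1 and local is None and remote is None:
            raise ValueError("L2TP groups other than group 1 require local or remote")
        first = self.selector()
        # Every allow l2tp command in a group must use the selector of the first one
        # (assumption: same keyword and same value).
        if first is not None and (first.local, first.remote) != (local, remote):
            raise ValueError("selector must match the first allow l2tp command in this group")
        entry = AllowEntry(vt, local, remote)
        if domain is None:
            self.no_domain = entry          # repeated no-domain commands: latest wins
        else:
            self.by_domain[domain] = entry  # distinct domains accumulate; same domain: latest wins

    def undo_allow(self, domain: str = None):
        if domain is None:
            self.no_domain = None
        else:
            self.by_domain.pop(domain, None)


def isp_domain(username: Optional[str]) -> Optional[str]:
    """ISP domain carried in the PPP username (assumption: the part after '@')."""
    if username and "@" in username:
        return username.rsplit("@", 1)[1]
    return None


class Lns:
    def __init__(self):
        self.groups: Dict[int, L2tpGroup] = {}

    def l2tp_group(self, number: int) -> L2tpGroup:
        return self.groups.setdefault(number, L2tpGroup(number))

    def select_group(self, dst_ip: str, lac_name: str) -> Optional[L2tpGroup]:
        """Tunnel setup: groups other than group 1 are checked first; group 1 is
        the fallback and accepts any LAC only when it carries no selector."""
        for number in sorted(self.groups):
            if number == 1:
                continue
            sel = self.groups[number].selector()
            if sel is not None and sel.matches(dst_ip, lac_name):
                return self.groups[number]
        default = self.groups.get(1)
        if default is not None:
            sel = default.selector()
            if sel is not None and sel.matches(dst_ip, lac_name):
                return default
        return None

    def session_vt(self, dst_ip: str, lac_name: str, proxy_username: str = None) -> Optional[int]:
        """VT number the PPP session is built on, or None when the request is refused.
        proxy_username is the PPP proxy information from the ICCN (NAS-initiated mode);
        None models client-initiated and LAC-auto-initiated mode, where it is absent."""
        group = self.select_group(dst_ip, lac_name)
        if group is None:
            return None
        domain = isp_domain(proxy_username)
        if domain is not None and domain in group.by_domain:
            return group.by_domain[domain].vt
        return group.no_domain.vt if group.no_domain is not None else None


if __name__ == "__main__":
    lns = Lns()                                   # the configuration from the Examples section
    lns.l2tp_group(1).allow_l2tp(1)
    lns.l2tp_group(2).allow_l2tp(2, remote="aaa")
    lns.l2tp_group(2).allow_l2tp(3, remote="aaa", domain="isp1")
    print(lns.session_vt("10.0.0.1", "aaa", "user1@isp1"))   # 3
    print(lns.session_vt("10.0.0.1", "bbb", "user1@isp1"))   # 1, via the default group
```

The model makes the operational consequence of group 1 visible: as long as group 1 exists without local or remote, any LAC that no other group matches still gets a tunnel on its VT. Removing group 1, or giving it a selector, turns that fallback off, which is what to expect when a request from an unexpected LAC is to be refused.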

Examples

# Specify L2TP group 1 as the default L2TP group, and specify Virtual-Template 1 for tunnel setup. For L2TP group 2, configure the LNS to accept the L2TP tunneling request initiated by the LAC named aaa, and specify Virtual-Template 2 for tunnel setup.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lns

[Sysname-l2tp1] allow l2tp virtual-template 1

[Sysname-l2tp1] quit

[Sysname] l2tp-group 2 mode lns

[Sysname-l2tp2] allow l2tp virtual-template 2 remote aaa

Related commands

lns-ip

tunnel name

bandwidth

Use bandwidth to set the expected bandwidth for an interface.

Use undo bandwidth to restore the default.

Syntax

bandwidth bandwidth-value

undo bandwidth

Default

The expected bandwidth (in kbps) is interface baudrate divided by 1000.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Parameters

bandwidth-value: Specifies the expected bandwidth in the range of 1 to 400000000 kbps.

Usage guidelines

The expected bandwidth of an interface affects the link costs in OSPF, OSPFv3, and IS-IS. For more information, see Layer 3—IP Routing Configuration Guide.

Examples

# Set the expected bandwidth of Virtual-PPP 10 to 100 kbps.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] bandwidth 100

default

Use default to restore the default settings for a virtual PPP interface.

Syntax

default

Views

Virtual PPP interface view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

The default command might interrupt ongoing network services. Make sure you are fully aware of the impact of this command when you execute it on a live network.

This command might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands. Use the undo forms of these commands or follow the command reference to individually restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.

Examples

# Restore the default settings for Virtual-PPP 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] default

description

Use description to configure the description of an interface.

Use undo description to restore the default.

Syntax

description text

undo description

Default

The description of an interface is the interface-name plus Interface. For example, the default description of Virtual-PPP254 is Virtual-PPP254 Interface.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Parameters

text: Specifies the interface description, a case-sensitive string of 1 to 255 characters.

Examples

# Set the description of Virtual-PPP 10 to virtual-interface.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] description virtual-interface

display interface virtual-ppp

Use display interface virtual-ppp to display information about virtual PPP interfaces.

Syntax

display interface [ virtual-ppp [ interface-number ] ] [ brief [ description | down ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

virtual-ppp [ interface-number ]: Specifies an existing virtual PPP interface by its number in the range of 0 to 255. If you do not specify the virtual-ppp keyword, this command displays information about all interfaces. If you specify the virtual-ppp keyword but you do not specify an interface, this command displays information about all virtual PPP interfaces.

brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.

description: Displays complete interface descriptions. If you do not specify this keyword, the command displays only the first 27 characters of each interface description.

down: Displays information about the interfaces in physically down state and the causes. If you do not specify this keyword, the command displays information about interfaces in any state.

Examples

# Display detailed information about Virtual-PPP 10.

<Sysname> display interface virtual-ppp 10

Virtual-PPP10

Current state: Administratively DOWN

Line protocol state: DOWN

Description: Virtual-PPP10 Interface

Bandwidth: 100000 kbps

Maximum transmission unit: 1500

Hold timer: 10 seconds, retry times: 5

Internet address: 10.0.0.1/24 (primary)

Link layer protocol: PPP

LCP: initial

Physical: L2TP, baudrate: 100000000 bps

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 154 packets, 1880 bytes, 0 drops

Output: 155 packets, 1875 bytes, 0 drops

Table 1 Command output

Field

Description

Current state

Physical link state of the interface:

·         Administratively DOWN—The interface has been shut down by using the shutdown command.

·         DOWN—The interface is administratively up, but its physical state is down (possibly because no physical link exists or the link has failed).

·         UP—The interface is up both administratively and physically.

Line protocol state

Data link layer state of the interface. The state is determined through automatic parameter negotiation at the data link layer.

·         UP—The data link layer protocol is up.

·         UP (spoofing)—The data link layer protocol is up, but the link is an on-demand link or does not exist. This attribute is typical of null interfaces and loopback interfaces.

·         DOWN—The data link layer protocol is down.

Bandwidth

Expected bandwidth of the interface.

Hold timer

Interval in seconds for the interface to send keepalive packets.

retry times

Maximum number of keepalive retransmission attempts. A link is removed after the maximum number of retransmission attempts is reached.

Internet protocol processing: Disabled

The interface is not assigned an IP address and cannot process IP packets.

Internet address: 10.0.0.1/24 (primary)

Primary IP address of the interface.

Link layer protocol

Link layer protocol of the interface: PPP.

Physical

Physical type of the interface: L2TP.

baudrate

Baud rate of the interface.

Last clearing of counters

Time when the reset counters interface command was last used to clear the interface statistics. This field displays Never if the reset counters interface command has never been used on the interface since device startup.

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Average rate of inbound traffic in the last 300 seconds.

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Average rate of outbound traffic in the last 300 seconds.

Input: 154 packets, 1880 bytes, 0 drops

Total number of inbound packets, total number of inbound bytes, and total number of dropped inbound packets.

Output: 155 packets, 1875 bytes, 0 drops

Total number of outbound packets, total number of outbound bytes, and total number of dropped outbound packets.


# Display summary information about virtual PPP interface Virtual-PPP 10.

<Sysname> display interface virtual-ppp 10 brief

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP         Description

VPPP10               ADM  DOWN     10.0.0.1          

# Display information about the virtual PPP interfaces in physically down state and the causes.

<Sysname> display interface virtual-ppp brief down

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Interface            Link Cause

VPPP9                ADM  Administratively

VPPP10               ADM  Administratively

VPPP12               ADM  Administratively

# Display summary information about virtual PPP interface Virtual-PPP 10, including the complete interface description.

<Sysname> display interface Virtual-PPP 10 brief description

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP         Description

VPPP10               ADM  DOWN     10.0.0.1          

Table 2 Command output

Field

Description

Brief information on interfaces in route mode

Summary information about Layer 3 interfaces.

Interface

Abbreviated interface name.

Link

Physical link state of the interface:

·         UP—The interface is physically up.

·         DOWN—The interface is physically down.

·         ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command.

·         Stby—The interface is a backup interface in standby state.

Protocol

Data link layer protocol state of the interface:

·         UP—The data link layer protocol of the interface is up.

·         DOWN—The data link layer protocol of the interface is down.

·         UP(s)—The data link layer protocol of the interface is up, but the link is an on-demand link or does not exist. The (s) attribute represents the spoofing flag. This value is typical of null interfaces and loopback interfaces.

Primary IP

Primary IP address of the interface. This field displays two hyphens (--) if the interface does not have an IP address.

Description

Description of the interface.

Cause

Cause for the physical link state of an interface to be DOWN:

·         Administratively—The interface has been manually shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command.

·         Not connected—No physical connection exists (possibly because the network cable is disconnected or faulty).


display l2tp control-packet statistics

Use display l2tp control-packet statistics to display L2TP protocol packet statistics.

Syntax

display l2tp control-packet statistics [ summary | tunnel [ tunnel-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

summary: Specifies summary L2TP protocol packet statistics for all L2TP tunnels.

tunnel [ tunnel-id ]: Specifies L2TP tunnels. The value range for the tunnel-id argument is 1 to 65535. If you specify an L2TP tunnel, this command displays L2TP protocol packet statistics for the specified L2TP tunnel. If you specify only the tunnel keyword, this command displays detailed L2TP protocol packet statistics for all L2TP tunnels.

Usage guidelines

If you do not specify any keyword or argument, the command displays both summary and detailed L2TP protocol packet statistics for all L2TP tunnels.

Examples

# Display both summary and detailed L2TP protocol packet statistics for all L2TP tunnels.

<Sysname> display l2tp control-packet statistics

Summary packet statistics:

Recv SCCRQ  : 2           Sent SCCRQ  : 0           Rsnt SCCRQ  : 4

Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0

Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0

Recv STOPCCN: 2           Sent STOPCCN: 0           Rsnt STOPCCN: 0

Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0

Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0

Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0

Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0

Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

 

Tunnel packet statistics: (LocalAddr 1.2.1.1, LocalTID 10567)

Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 2

Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0

Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0

Recv STOPCCN: 1           Sent STOPCCN: 0           Rsnt STOPCCN: 0

Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0

Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0

Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0

Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0

Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

 

Tunnel packet statistics: (LocalAddr 1.2.1.1, LocalTID 8956)

Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 2

Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0

Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0

Recv STOPCCN: 1           Sent STOPCCN: 0           Rsnt STOPCCN: 0

Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0

Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0

Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0

Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0

Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

# Display detailed L2TP protocol packet statistics for all L2TP tunnels.

<Sysname> display l2tp control-packet statistics tunnel

Tunnel packet statistics: (LocalAddr 1.2.1.1, LocalTID 10567)

Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 2

Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0

Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0

Recv STOPCCN: 1           Sent STOPCCN: 0           Rsnt STOPCCN: 0

Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0

Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0

Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0

Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0

Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

 

Tunnel packet statistics: (LocalAddr 1.2.1.1, LocalTID 8956)

Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 2

Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0

Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0

Recv STOPCCN: 1           Sent STOPCCN: 0           Rsnt STOPCCN: 0

Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0

Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0

Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0

Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0

Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

# Display L2TP protocol packet statistics for L2TP tunnel 10567.

<Sysname> display l2tp control-packet statistics tunnel 10567

Tunnel packet statistics: (LocalAddr 1.2.1.1, LocalTID 10567)

Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 2

Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0

Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0

Recv STOPCCN: 1           Sent STOPCCN: 0           Rsnt STOPCCN: 0

Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0

Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0

Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0

Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0

Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

Table 3 Command output

Field

Description

Summary packet statistics

Summary L2TP protocol packet statistics for all L2TP tunnels.

Tunnel packet statistics

L2TP protocol packet statistics for an L2TP tunnel.

LocalAddr

Local L2TP tunnel IP address.

LocalTID

Local L2TP tunnel ID.

Recv SCCRQ

Number of received SCCRQ packets.

Recv SCCRP

Number of received SCCRP packets.

Recv SCCCN

Number of received SCCCN packets.

Recv STOPCCN

Number of received STOPCCN packets.

Recv HELLO

Number of received HELLO packets.

Recv ICRQ

Number of received ICRQ packets.

Recv ICRP

Number of received ICRP packets.

Recv ICCN

Number of received ICCN packets.

Recv CDN

Number of received CDN packets.

Sent SCCRQ

Number of transmitted SCCRQ packets.

Sent SCCRP

Number of transmitted SCCRP packets.

Sent SCCCN

Number of transmitted SCCCN packets.

Sent STOPCCN

Number of transmitted STOPCCN packets.

Sent HELLO

Number of transmitted HELLO packets.

Sent ICRQ

Number of transmitted ICRQ packets.

Sent ICRP

Number of transmitted ICRP packets.

Sent ICCN

Number of transmitted ICCN packets.

Sent CDN

Number of transmitted CDN packets.

Rsnt SCCRQ

Number of retransmitted SCCRQ packets.

Rsnt SCCRP

Number of retransmitted SCCRP packets.

Rsnt SCCCN

Number of retransmitted SCCCN packets.

Rsnt STOPCCN

Number of retransmitted STOPCCN packets.

Rsnt HELLO

Number of retransmitted HELLO packets.

Rsnt ICRQ

Number of retransmitted ICRQ packets.

Rsnt ICRP

Number of retransmitted ICRP packets.

Rsnt ICCN

Number of retransmitted ICCN packets.

Rsnt CDN

Number of retransmitted CDN packets.
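A parser for this command's output with two checks run over it, as an added Python example (not H3C code). SAMPLE_OUTPUT is the first example output above, embedded as the input; the function names and the interpretation in refused_setups (an SCCRQ received, no SCCRP sent, STOPCCN received) are the example's own.

```python
# Added example, not H3C code: parse "display l2tp control-packet statistics"
# and reconcile the per-tunnel sections against the summary section.
import re
from typing import Dict, List

COUNTER_RE = re.compile(r"(Recv|Sent|Rsnt)\s+([A-Z]+)\s*:\s*(\d+)")
TUNNEL_RE = re.compile(r"Tunnel packet statistics: \(LocalAddr (\S+), LocalTID (\d+)\)")

# The example output shown in this section, used here as input.
SAMPLE_OUTPUT = """\
Summary packet statistics:
Recv SCCRQ  : 2           Sent SCCRQ  : 0           Rsnt SCCRQ  : 4
Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0
Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0
Recv STOPCCN: 2           Sent STOPCCN: 0           Rsnt STOPCCN: 0
Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0
Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0
Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0
Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0
Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

Tunnel packet statistics: (LocalAddr 1.2.1.1, LocalTID 10567)
Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 2
Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0
Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0
Recv STOPCCN: 1           Sent STOPCCN: 0           Rsnt STOPCCN: 0
Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0
Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0
Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0
Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0
Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

Tunnel packet statistics: (LocalAddr 1.2.1.1, LocalTID 8956)
Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 2
Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0
Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0
Recv STOPCCN: 1           Sent STOPCCN: 0           Rsnt STOPCCN: 0
Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0
Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0
Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0
Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0
Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0
"""


def parse_control_packet_statistics(text: str) -> dict:
    """Returns {'summary': {counter: n}, 'tunnels': [{'local_addr', 'local_tid', 'counters'}]}.
    Counter keys keep the display wording, for example 'Recv SCCRQ'."""
    summary: Dict[str, int] = {}
    tunnels: List[dict] = []
    counters = None                         # section currently being filled
    for line in text.splitlines():
        if line.startswith("Summary packet statistics"):
            counters = summary
            continue
        m = TUNNEL_RE.search(line)
        if m:
            tunnels.append({"local_addr": m.group(1), "local_tid": int(m.group(2)), "counters": {}})
            counters = tunnels[-1]["counters"]
            continue
        if counters is not None:
            for direction, msg, n in COUNTER_RE.findall(line):
                counters[f"{direction} {msg}"] = int(n)
    return {"summary": summary, "tunnels": tunnels}


def summary_mismatches(stats: dict) -> List[str]:
    """Counters whose summary value differs from the sum over the tunnel sections;
    a sanity check of the parse against the device's own totals."""
    return [key for key, total in stats["summary"].items()
            if total != sum(t["counters"].get(key, 0) for t in stats["tunnels"])]


def refused_setups(stats: dict) -> List[int]:
    """Local tunnel IDs where an SCCRQ arrived, this side never sent an SCCRP and
    the peer sent STOPCCN: worth correlating with the allow l2tp configuration
    (no matching L2TP group means no tunnel is set up)."""
    return [t["local_tid"] for t in stats["tunnels"]
            if t["counters"].get("Recv SCCRQ", 0) > 0
            and t["counters"].get("Sent SCCRP", 0) == 0
            and t["counters"].get("Recv STOPCCN", 0) > 0]


if __name__ == "__main__":
    stats = parse_control_packet_statistics(SAMPLE_OUTPUT)
    print("mismatched counters:", summary_mismatches(stats))    # []
    print("tunnels never answered:", refused_setups(stats))     # [10567, 8956]
```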


Related commands

reset l2tp control-packet statistics

display l2tp packet-limit configuration

Use display l2tp packet-limit configuration to display the packet rate limit configuration on the LNS.

Syntax

display l2tp packet-limit configuration

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

You can use this command to view the l2tp sccrq-limit and l2tp icrq-limit command configuration on the LNS.

Examples

# Display the packet rate limit configuration on the LNS.

<Sysname> display l2tp packet-limit configuration

ICRQ limit: 1000 packets/sec

SCCRQ limit: 200 packets/sec

Table 4 Command output

Field

Description

ICRQ limit

Maximum number of ICRQ packets that the LNS can process per second.

SCCRQ limit

Maximum number of SCCRQ packets that the LNS can process per second.


Related commands

l2tp icrq-limit

l2tp sccrq-limit

display l2tp packet-limit statistics

Use display l2tp packet-limit statistics to display the packet rate limit statistics on the LNS.

Syntax

display l2tp packet-limit statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the packet rate limit statistics on the LNS.

<Sysname> display l2tp packet-limit statistics

Dropped ICRQ : 0

Dropped SCCRQ: 0

Peak dropped ICRQ : 0

Peak dropped SCCRQ: 0

Table 5 Command output

Field

Description

Dropped ICRQ

Number of ICRQ packets dropped on the LNS.

Dropped SCCRQ

Number of SCCRQ packets dropped on the LNS.

Peak dropped ICRQ

Peak number of ICRQ packets dropped.

Peak dropped SCCRQ

Peak number of SCCRQ packets dropped.
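How the Dropped and Peak dropped counters come about, as an added Python model of the LNS packet rate limit (not H3C code). It assumes the limits from the display l2tp packet-limit configuration example above (ICRQ 1000 packets/sec, SCCRQ 200 packets/sec), counts per fixed one-second window, and takes "peak dropped" to mean the largest number dropped within any single window; the class name, the trace and those two interpretations are the example's own.

```python
# Added example, not H3C code: a per-second admission limiter for SCCRQ/ICRQ
# that produces the same four counters as "display l2tp packet-limit statistics".
from collections import Counter, defaultdict
from typing import Dict, Iterable, Tuple


class L2tpPacketLimiter:
    def __init__(self, sccrq_limit: int, icrq_limit: int):
        self.limits = {"SCCRQ": sccrq_limit, "ICRQ": icrq_limit}
        self.accepted_in_window = defaultdict(Counter)   # second -> type -> admitted
        self.dropped_in_window = defaultdict(Counter)    # second -> type -> dropped
        self.dropped = Counter()                         # running totals
        self.peak_dropped = Counter()                    # assumption: max per one-second window

    def admit(self, second: int, msg_type: str) -> bool:
        """True if the request is processed, False if the limit drops it."""
        limit = self.limits.get(msg_type)
        if limit is None:
            return True   # only SCCRQ and ICRQ are subject to these limits
        window = self.accepted_in_window[second]
        if window[msg_type] < limit:
            window[msg_type] += 1
            return True
        self.dropped[msg_type] += 1
        dropped_now = self.dropped_in_window[second]
        dropped_now[msg_type] += 1
        self.peak_dropped[msg_type] = max(self.peak_dropped[msg_type], dropped_now[msg_type])
        return False

    def statistics(self) -> Dict[str, int]:
        """Same fields as the display l2tp packet-limit statistics output."""
        return {
            "Dropped ICRQ": self.dropped["ICRQ"],
            "Dropped SCCRQ": self.dropped["SCCRQ"],
            "Peak dropped ICRQ": self.peak_dropped["ICRQ"],
            "Peak dropped SCCRQ": self.peak_dropped["SCCRQ"],
        }


def run_trace(limiter: L2tpPacketLimiter, events: Iterable[Tuple[int, str]]) -> Counter:
    """Feeds (second, message type) arrivals to the limiter; returns admitted counts."""
    admitted = Counter()
    for second, msg_type in events:
        if limiter.admit(second, msg_type):
            admitted[msg_type] += 1
    return admitted


# Constructed arrival trace: two SCCRQ bursts, then two ICRQ bursts.
SAMPLE_TRACE = (
    [(0, "SCCRQ")] * 250     # 200 admitted, 50 dropped
    + [(1, "SCCRQ")] * 150   # within the limit
    + [(2, "ICRQ")] * 1200   # 1000 admitted, 200 dropped
    + [(3, "ICRQ")] * 1100   # 1000 admitted, 100 dropped
)


def demo() -> Dict[str, int]:
    limiter = L2tpPacketLimiter(sccrq_limit=200, icrq_limit=1000)
    run_trace(limiter, SAMPLE_TRACE)
    return limiter.statistics()


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

A rising Dropped SCCRQ total with a Peak dropped SCCRQ close to the per-second limit is the pattern to look for when tunnel setup requests arrive faster than the configured limit; the counters are cleared with reset l2tp packet-limit statistics.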


Related commands

reset l2tp packet-limit statistics

display l2tp session

Use display l2tp session to display information about L2TP sessions.

Syntax

display l2tp session [ [ lac | lns ] [ [ local-address local-address | tunnel-id tunnel-id [ session-id session-id ] ] * | remote-address remote-address | username username ] ] [ verbose | statistics ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

lac: Specifies LACs.

lns: Specifies LNSs.

local-address local-address: Specifies a local tunnel IP address.

tunnel-id tunnel-id: Specifies a local tunnel ID in the range of 1 to 65535.

session-id session-id: Specifies a local session ID in the range of 1 to 65535.

remote-address remote-address: Specifies a remote tunnel IP address.

username username: Specifies a username, a case-sensitive string of 1 to 80 characters.

verbose: Displays detailed information about L2TP sessions. If you do not specify this keyword, this command displays brief information about L2TP sessions.

statistics: Displays statistics for L2TP sessions.

Examples

# Display statistics for L2TP sessions.

<Sysname> display l2tp session statistics

Total number of sessions: 1

# Display information about all L2TP sessions.

<Sysname> display l2tp session

LocalSID      RemoteSID      LocalTID      State        Username

89            36245          10878         Established  user1@d1

Table 6 Command output

Field

Description

Total number of sessions

Total number of L2TP sessions.

LocalSID

Local session ID.

RemoteSID

Remote session ID.

LocalTID

Local tunnel ID.

State

Session state:

·         Idle.

·         Wait-tunnel—Waits for the tunnel to be established.

·         Wait-reply—Waits for an Incoming-Call-Reply (ICRP) message indicating the call is accepted.

·         Wait-connect—Waits for an Incoming-Call-Connected (ICCN) message.

·         Established.

Username

PPP username. This field is insignificant and always displays N/A in client-initiated mode or LAC-auto-initiated mode.


# Display detailed information about an L2TP session with session ID 32502 and tunnel ID 45277.

<Sysname> display l2tp session tunnel-id 45277 session-id 32502 verbose

Local tunnel ID    : 45277

Local session ID   : 32502

Remote session ID  : 14670

PPP index          : 0xb0dd7ef6800001c1

User name          : N/A

Call serial number : 32502

LIP address        : 32768

Session mode       : LAC

Session state      : Established

Flow control       : Disabled

LAC-Auto-Initiated : Yes

Wait channel num   : 0

Age flag           : 0

Phy interface      : N/A

Bas interface      : N/A

User trace switch  : Disabled

Table 7 Command output

Field

Description

User name

PPP username. This field is insignificant and always displays N/A in client-initiated mode or LAC-auto-initiated mode.

Call serial number

Call number for an L2TP session.

LIP address

The system uses this address to record the location of an L2TP session.

Session mode

L2TP session modes:

·         LAC—L2TP sessions on LACs.

·         LNS—L2TP sessions on LNSs.

Session state

Session state:

·         Idle.

·         Wait-tunnel—Waits for the tunnel to be established.

·         Wait-reply—Waits for an Incoming-Call-Reply (ICRP) message indicating the call is accepted.

·         Wait-connect—Waits for an Incoming-Call-Connected (ICCN) message.

·         Established.

Flow control

L2TP session flow control status:

·         Enabled.

·         Disabled.

LAC-Auto-Initiated

Whether the LAC-Auto-Initiated tunneling mode is used:

·         Yes.

·         No.

Wait channel num

Number of slots on which drivers reside. The drivers wait for sessions issued by the CPU. Each channel has a corresponding slot.

Age flag

Flag for a session that ages out due to negotiation failure.

When the session does not age out, this field displays 0.

Phy interface

Physical interface that is the incoming interface for the LNS. This field is insignificant and always displays N/A on an LAC.

Bas interface

BAS interface. This field is insignificant and always displays N/A on an LAC.

User trace switch

Service tracing object status (whether the trace access-user command is used to create a service tracing object):

·         Enabled.

·         Disabled.


display l2tp session temporary

Use display l2tp session temporary to display information about temporary L2TP sessions.

Syntax

display l2tp session temporary

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about temporary L2TP sessions.

<Sysname> display l2tp session temporary

Total number of temporary sessions: 6

LocalSID    RemoteSID    LocalTID    LocalAddress    State

2298        0            19699       20.1.1.2        Wait-tunnel

42805       0            19699       20.1.1.2        Wait-tunnel

17777       0            19699       20.1.1.2        Wait-tunnel

58284       0            19699       20.1.1.2        Wait-tunnel

33256       0            19699       20.1.1.2        Wait-tunnel

8228        0            19699       20.1.1.2        Wait-tunnel

Table 8 Command output

Field

Description

LocalSID

Local session ID.

RemoteSID

Remote session ID.

LocalTID

Local tunnel ID.

LocalAddress

Local tunnel IP address.

State

Session state:

·         Idle.

·         Wait-tunnel—Waits for the tunnel to be established.

·         Wait-reply—Waits for an ICRP message indicating the call is accepted.

·         Wait-connect—Waits for an ICCN message.


display l2tp tunnel

Use display l2tp tunnel to display information about L2TP tunnels.

Syntax

display l2tp tunnel [ [ lac | lns ] [ group-number group-number | group-name group-name | [ local-address local-address | tunnel-id tunnel-id ] * | remote-address remote-address | tunnel-name remote-name ] ] [ verbose | statistics ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

lac: Specifies LACs.

lns: Specifies LNSs.

group-number group-number: Specifies an L2TP group by its number in the range of 1 to 65535.

group-name group-name: Specifies an L2TP group by its name, a case-insensitive string of 1 to 32 characters.

local-address local-address: Specifies a local tunnel IP address.

tunnel-id tunnel-id: Specifies a local L2TP tunnel ID in the range of 1 to 65535.

remote-address remote-address: Specifies a remote tunnel IP address.

tunnel-name remote-name: Specifies a remote L2TP tunnel name, a case-sensitive string of 1 to 31 characters.

verbose: Displays detailed L2TP tunnel information. If you do not specify this keyword, this command displays brief L2TP tunnel information.

statistics: Displays statistics for L2TP tunnels.

Usage guidelines

If you do not specify any parameter, this command displays brief information about all L2TP tunnels.

Examples

# Display statistics for L2TP tunnels.

<Sysname> display l2tp tunnel statistics

Total number of tunnels: 1

# Display brief information about all L2TP tunnels.

<Sysname> display l2tp tunnel

LocalTID RemoteTID State         Sessions RemoteAddress    RemotePort RemoteName

10878    21        Established   1        20.1.1.2         1701       lns

Table 9 Command output

Field           Description
LocalTID        Local tunnel ID.
RemoteTID       Remote tunnel ID.
State           Tunnel state:
                · Idle.
                · Wait-reply.
                · Wait-connect.
                · Established.
                · Stopping.
Sessions        Number of sessions within the tunnel.
RemoteAddress   IP address of the peer.
RemotePort      UDP port number of the peer.
RemoteName      Name of the tunnel peer.

# Display detailed information about an L2TP tunnel with tunnel ID 10878.

<Sysname> display l2tp tunnel tunnel-id 10878 verbose

Group number          : 1

Group mode            : LNS

Tunnel state          : Established

Tunnel type           : Group

Local tunnel ID       : 10878

Remote tunnel ID      : 28143

Local IP address      : 20.1.1.1

Remote IP address     : 20.1.1.2

Sessions              : 1

Send window size      : 1024

Send win lower-limit  : 5922

Send win upper-limit  : 5921

Recv window size      : 1024

Control message Nr    : 5924

Latest hello packet Ns: 5923

Recv same hello times : 0

Ack timeout times     : 0

Remote framing cap    : Both

Remote bearer cap     : Both

Remote protocol ver   : 1

Remote port           : 1701

Remote tunnel name    : LAC

Remote vendor name    : H3C Simware32

Tunnel auth           : Disabled

Assignment ID         : N/A

Table 10 Command output

Field                   Description
Group number            L2TP group number.
Group mode              L2TP group mode:
                        · LAC—The device acts as the LAC to initiate tunneling requests to the LNS.
                        · LNS—The device acts as the LNS to receive tunneling requests from the LAC.
Tunnel state            Tunnel state:
                        · Idle.
                        · Wait-reply—Waits for an SCCRP message.
                        · Wait-connect—Waits for an SCCCN message.
                        · Established.
                        · Stopping—Coming offline.
Tunnel type             Tunnel establishment method:
                        · Group—The tunnel is established by creating an L2TP group.
                        · Radius—The RADIUS server issues tunnel attributes to the LAC directly to create the tunnel.
Disconnect cause code   L2TP tunnel disconnection cause (displayed only when a tunnel is disconnected):
                        · L2TP fail—L2TP negotiation failed. For example, error packets were received during L2TP negotiation.
                        · L2TP cut command—The tunnel was disconnected locally. For example, the administrator executed the reset l2tp tunnel command.
                        · L2TP peer clear—Tunnel disconnection was triggered by the peer. For example, a STOPCCN packet was received from the peer.
                        · L2TP no response—No response was received from the peer. For example, local packets were retransmitted multiple times, but no correct response packet was received.
                        · N/A—Unknown cause.
Sessions                Number of sessions in this tunnel.
Send window size        Sending window size for the L2TP tunnel.
Send win lower-limit    Lower limit of the sending window.
Send win upper-limit    Upper limit of the sending window.
Recv window size        Receiving window size for the L2TP tunnel.
Control message Nr      Sequence number expected in the next control message to be received.
Latest hello packet Ns  Sequence number of the most recent Hello packet received.
Recv same hello times   Number of times a Hello packet with the same sequence number was received.
Ack timeout times       Number of times the ACK timer expired.
Remote framing cap      Frame types supported, accepted, or required by the peer end:
                        · Sync—Synchronous.
                        · Async—Asynchronous.
                        · Both—Synchronous and asynchronous.
                        This field is displayed only on the LNS.
Remote bearer cap       Channels used by the peer end to send L2TP packets:
                        · Digital—Digital channel.
                        · Analog—Analog channel.
                        · Both—Digital and analog channels.
Remote protocol ver     Remote L2TP version number.
Tunnel auth             L2TP tunnel authentication status:
                        · Enabled.
                        · Disabled.
Assignment ID           Assignment ID issued by AAA to identify the tunnel on which sessions are carried. If AAA does not issue an assignment ID, this field displays N/A.
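The verbose output above is a flat list of "Field : value" lines, which makes it easy to audit from a script. The following added example (not H3C code) parses that layout and flags tunnels whose Tunnel auth field is Disabled or whose retransmission counters are non-zero; it assumes one record per tunnel with records separated by a blank line, and the sample output is constructed, using the field names from this page.

```python
# Added example (not H3C code): parses the key/value layout of
# 'display l2tp tunnel ... verbose' and flags tunnels worth a second look.
# Assumes one record per tunnel, records separated by a blank line; the
# sample output below is constructed, with field names taken from the page.

SAMPLE_OUTPUT = """\
Group number          : 1
Group mode            : LNS
Tunnel state          : Established
Tunnel type           : Group
Local tunnel ID       : 10878
Remote tunnel ID      : 28143
Local IP address      : 20.1.1.1
Remote IP address     : 20.1.1.2
Sessions              : 1
Latest hello packet Ns: 5923
Recv same hello times : 0
Ack timeout times     : 0
Remote port           : 1701
Remote tunnel name    : LAC
Tunnel auth           : Disabled
Assignment ID         : N/A

Group number          : 1
Group mode            : LNS
Tunnel state          : Established
Tunnel type           : Group
Local tunnel ID       : 20001
Remote tunnel ID      : 77
Local IP address      : 20.1.1.1
Remote IP address     : 20.1.1.3
Sessions              : 4
Latest hello packet Ns: 411
Recv same hello times : 2
Ack timeout times     : 3
Remote port           : 1701
Remote tunnel name    : lac-branch
Tunnel auth           : Enabled
Assignment ID         : N/A
"""


def parse_tunnel_verbose(text):
    """Return a list of dicts, one per tunnel record, keyed by field name."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if ":" not in line:
            continue  # not a 'Field : value' line (e.g. a banner); skip it
        # Split on the first colon only, so values keep any colons of their own.
        key, value = line.split(":", 1)
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def audit_tunnels(records):
    """Return (local tunnel ID, remote IP, finding) for records that need attention.

    Two checks based on the field descriptions above: 'Tunnel auth : Disabled'
    means the peer was never challenged with the tunnel password, and a
    non-zero 'Ack timeout times' or 'Recv same hello times' points at a
    control channel that is losing or repeating packets.
    """
    findings = []
    for rec in records:
        tid = rec.get("Local tunnel ID", "?")
        peer = rec.get("Remote IP address", "?")
        if rec.get("Tunnel auth") == "Disabled":
            findings.append((tid, peer, "tunnel authentication disabled"))
        for counter in ("Ack timeout times", "Recv same hello times"):
            if int(rec.get(counter, "0")) > 0:
                findings.append((tid, peer, f"{counter} = {rec[counter]}"))
    return findings


if __name__ == "__main__":
    for finding in audit_tunnels(parse_tunnel_verbose(SAMPLE_OUTPUT)):
        print(*finding)
```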

Related commands

reset l2tp tunnel

display l2tp-group

Use display l2tp-group to display information about L2TP groups.

Syntax

display l2tp-group [ group-number | group-name group-name ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-number: Specifies an L2TP group by its number in the range of 1 to 65535.

group-name group-name: Specifies an L2TP group by its name, a case-insensitive string of 1 to 32 characters.

verbose: Displays detailed L2TP group information. If you do not specify this keyword, this command displays brief L2TP group information.

Usage guidelines

If you do not specify any keyword or argument, this command displays brief information for all L2TP groups.

Examples

# Display brief information about all L2TP groups.

<Sysname> display l2tp-group

Group-Number   Group-Name   Tunnels    Sessions

1              group1       2          20

2              N/A          3          120

Table 11 Command output

Field          Description
Group-Number   L2TP group number.
Group-Name     L2TP group name. When the L2TP group name is null, this field displays N/A.
Tunnels        Number of tunnels in the L2TP group.
Sessions       Number of sessions in the L2TP group.

# Display detailed information about L2TP group 1.

<Sysname> display l2tp-group 1 verbose

Group number      : 1

Group name        : lac1

Group mode        : LAC

Tunnels           : 2

Sessions          : 20

Tunnel auth       : Disabled

Local tunnel name : lac

Tunnel recv window: 1024

Tunnel send window: 0

AVP hidden        : No

Hello interval(s) : 60

IP DSCP           : 0

Flow control      : Disabled

VPN instance      : N/A

Working mode      : load-sharing

LNS IP            : 190.1.1.5 (weight 1)

                    190.1.1.6 (weight 2)

Source IP         : 190.1.1.1

Tunnel per user   : No

Trigger           : Fullusername (user1)

VSRP source IP    : 0.0.0.0

VSRP instance     : N/A

# Display detailed information about L2TP group 2.

<Sysname> display l2tp-group 2 verbose

Group number      : 2

Group name        : lns1

Group mode        : LNS

Tunnels           : 2

Sessions          : 20

Tunnel auth       : Disabled

Local tunnel name : lns

Tunnel recv window: 1024

Tunnel send window: 0

AVP hidden        : No

Hello interval(s) : 60

IP DSCP           : 0

Flow control      : Disabled

VPN instance      : N/A

Local IP address  : 190.1.1.2

Remote tunnel name: lac

Mandatory CHAP    : No

Mandatory LCP     : No

Table 12 Command output

Field               Description
Group number        L2TP group number.
Group name          L2TP group name. When the L2TP group name is null, this field displays N/A.
Group mode          L2TP group mode:
                    · LAC—The device acts as the LAC to initiate tunneling requests to the LNS.
                    · LNS—The device acts as the LNS to receive tunneling requests from the LAC.
Tunnel auth         L2TP tunnel authentication status:
                    · Enabled.
                    · Disabled.
Local tunnel name   Local L2TP tunnel name. By default, the local L2TP tunnel name is the device name.
Tunnel recv window  Receiving window size for L2TP tunnels.
Tunnel send window  Sending window size for L2TP tunnels.
AVP hidden          Whether transferring AVP data in hidden mode is enabled:
                    · Yes.
                    · No.
Hello interval(s)   Hello interval, in seconds.
IP DSCP             DSCP value of L2TP packets.
Flow control        L2TP session flow control status:
                    · Enabled.
                    · Disabled.
VPN instance        VPN to which the tunnel peer belongs. If the tunnel peer belongs to the public network, this field displays N/A.
Working mode        LAC operating mode:
                    · Master-backup—Master/backup mode.
                    · Load-sharing—Weighted load sharing mode.
LNS IP              LNS IP addresses and their respective weights configured on the LAC. The weights are displayed only when the LAC operates in load sharing mode.
Source IP           L2TP tunnel source address, used as the source IP address of L2TP tunnel packets.
Tunnel per user     Whether each L2TP user uses an L2TP tunnel exclusively:
                    · Yes.
                    · No.
Trigger             Conditions that trigger the LAC to initiate tunneling requests to the LNS:
                    · Domain (domain-name)—The domain name of a user matches the configured domain name. The domain-name parameter represents the configured domain name.
                    · Fullusername (user-name)—The username of a user matches the configured full username. The user-name parameter represents the configured full username.
VSRP source IP      L2TP tunnel source address when VSRP is enabled. The source address is used as the source IP address of L2TP tunnel packets. This field is not supported in the current software version.
VSRP instance       VSRP instance with which the L2TP group is associated. This field is not supported in the current software version. If the L2TP group is not associated with any VSRP instance, this field displays N/A.
Local IP address    Local tunnel IP address.
Remote tunnel name  Name of the tunnel peer that initiates tunneling requests. If no such name is configured, this field displays N/A.
Mandatory CHAP      Whether the LNS is forced to perform CHAP authentication for users:
                    · Yes.
                    · No.
Mandatory LCP       Whether the LNS is forced to perform LCP negotiation with users:
                    · Yes.
                    · No.

Related commands

l2tp group

interface virtual-ppp

Use interface virtual-ppp to create a virtual PPP interface and enter its view, or enter the view of an existing virtual PPP interface.

Use undo interface virtual-ppp to delete a virtual PPP interface.

Syntax

interface virtual-ppp interface-number

undo interface virtual-ppp interface-number

Default

No virtual PPP interface exists.

Views

System view

Predefined user roles

network-admin

Parameters

interface-number: Specifies a virtual PPP interface by its number in the range of 0 to 255.

Usage guidelines

A virtual PPP interface is required on the LAC for establishing an LAC-auto-initiated L2TP tunnel.

Examples

# Create Virtual-PPP 10 and enter its view.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10]

ip dscp

Use ip dscp to set the DSCP value of L2TP packets.

Use undo ip dscp to restore the default.

Syntax

ip dscp dscp-value

undo ip dscp

Default

The DSCP value of L2TP packets is 0.

Views

L2TP group view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value of L2TP packets, in the range of 0 to 63.

Usage guidelines

The DSCP field is the first 6 bits of the IP ToS byte. This field marks the priority of IP packets for forwarding. This command sets the DSCP value for the IP packet when L2TP encapsulates a PPP frame into an IP packet.

Examples

# Set the DSCP value of L2TP packets to 50.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] ip dscp 50

l2tp enable

Use l2tp enable to enable L2TP.

Use undo l2tp enable to disable L2TP.

Syntax

l2tp enable

undo l2tp enable

Default

L2TP is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For L2TP configurations to take effect, you must enable L2TP.

Examples

# Enable L2TP.

<Sysname> system-view

[Sysname] l2tp enable

l2tp icrq-limit

Use l2tp icrq-limit to set the maximum number of incoming call request (ICRQ) packets that the LNS can process per second.

Use undo l2tp icrq-limit to restore the default.

Syntax

l2tp icrq-limit number

undo l2tp icrq-limit

Default

The maximum number of ICRQ packets that the LNS can process per second is not limited.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the ICRQ packet processing limit in the range of 1 to 60000.

Usage guidelines

To avoid device performance degradation and make sure the LNS can process ICRQ requests correctly, use this command to limit the ICRQ packet processing rate.

Examples

# Set the maximum number of ICRQ packets that the LNS can process per second to 200.

<Sysname> system-view

[Sysname] l2tp icrq-limit 200

l2tp sccrq-limit

Use l2tp sccrq-limit to set the maximum number of start control connection request (SCCRQ) packets that the LNS can process per second.

Use undo l2tp sccrq-limit to restore the default.

Syntax

l2tp sccrq-limit number

undo l2tp sccrq-limit

Default

The maximum number of SCCRQ packets that the LNS can process per second is not limited.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the SCCRQ packet processing limit in the range of 1 to 10000.

Usage guidelines

If multiple LACs are connected to one LNS, the LACs might send L2TP tunnel establishment requests at the same time. A large number of session establishment requests are also sent through each tunnel. In this situation, users cannot come online because the LNS fails to process request packets correctly. To avoid device performance degradation and make sure the LNS can process SCCRQ requests correctly, use this command to limit the SCCRQ packet processing rate.

The device uses algorithms to gradually increase the SCCRQ packet processing limit from 1 to the configured value. Before the SCCRQ packet processing limit reaches the configured value, SCCRQ packet loss might occur even if the number of received SCCRQ packets is less than the configured limit.

Examples

# Set the maximum number of SCCRQ packets that the LNS can process per second to 200.

<Sysname> system-view

[Sysname] l2tp sccrq-limit 200

l2tp session-threshold

Use l2tp session-threshold to configure the online L2TP session count alarm thresholds on the device.

Use undo l2tp session-threshold to restore the default.

Syntax

l2tp session-threshold { lower-limit lower-limit-value | upper-limit upper-limit-value }

undo l2tp session-threshold { lower-limit | upper-limit }

Default

The upper online L2TP session count alarm threshold is 100, and the lower online L2TP session count alarm threshold is 0.

Views

System view

Predefined user roles

network-admin

Parameters

lower-limit lower-limit-value: Specifies the lower online L2TP session count alarm threshold in the range of 0 to 99. The configured value is a percentage of the maximum number of online L2TP sessions allowed.

upper-limit upper-limit-value: Specifies the upper online L2TP session count alarm threshold in the range of 1 to 100. The configured value is a percentage of the maximum number of online L2TP sessions allowed.

Usage guidelines

In standalone mode, the online L2TP session count on the device refers to the number of L2TP sessions on the device. In IRF mode, it refers to the number of L2TP sessions on the whole IRF fabric.

You can use this command to set the upper alarm threshold and lower alarm threshold for the online L2TP session count. When the online L2TP session count exceeds the upper alarm threshold or drops below the lower threshold, an alarm is triggered automatically. Then, the administrator can promptly know the online user conditions of the network. Additionally, the administrator can use the display l2tp session statistics command to view the total number of online L2TP sessions.

The maximum number of L2TP sessions that can be created varies by device model.

Suppose the maximum number of online L2TP sessions allowed is a, the upper alarm threshold is b, and the lower alarm threshold is c. The following rules apply:

·          When the online L2TP session count exceeds a×b or drops below a×c, the corresponding alarm information is output.

·          When the online L2TP session count returns between the upper alarm threshold and lower alarm threshold, the alarm clearing information is output.

In some special cases, the online L2TP session count fluctuates frequently around a threshold, which causes frequent output of alarm information and alarm clearing information. To avoid this problem, the system introduces a buffer area for recovery from the upper or lower threshold. The buffer area size is 10% of the difference between the upper threshold and the lower threshold. Suppose the buffer area size is d. Then, d=a×(b-c)÷10. The alarm clearing information is output only when the online L2TP session count drops below a×b-d or exceeds a×c+d.

For example, suppose a is 1000, b is 80%, and c is 20%. Then, d= a×(b-c)÷10=1000×(80%-20%)÷10=1000×60%÷10=600÷10=60.

When the online L2TP session count exceeds the upper threshold a×b=1000×80%=800, the upper threshold alarm is output. When the online L2TP session count restores to be smaller than a×b-d=800-60=740, the alarm clearing information is output.

When the online L2TP session count drops below the lower threshold a×c=1000×20%=200, the lower threshold alarm is output. When the online L2TP session count restores to be greater than a×c+d=200+60=260, the alarm clearing information is output.
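The following added example (not H3C code) models the alarm and clearing rules above as a small state machine, using the document's symbols a, b, c and d, and replays the worked numbers (a = 1000, b = 80%, c = 20%, so d = 60) through it; it also shows what happens when a single sample jumps from above the upper threshold to below the lower one.

```python
# Added example (not H3C code): a model of the l2tp session-threshold alarm
# logic, including the hysteresis buffer d = a*(b-c)/10 that stops flapping.


def thresholds(max_sessions, upper_pct, lower_pct):
    """Return (upper, lower, buffer) as absolute session counts.

    Document symbols: a = max_sessions, b = upper_pct/100, c = lower_pct/100;
    upper = a*b, lower = a*c, buffer d = a*(b-c)/10.
    """
    if not 0 <= lower_pct < upper_pct <= 100:
        raise ValueError("need 0 <= lower-limit < upper-limit <= 100")
    upper = max_sessions * upper_pct / 100
    lower = max_sessions * lower_pct / 100
    buffer = max_sessions * (upper_pct - lower_pct) / 100 / 10
    return upper, lower, buffer


class SessionAlarmMonitor:
    """Tracks the online L2TP session count and emits alarm / clear events.

    'normal' -> 'upper-alarm' when the count exceeds a*b, 'normal' ->
    'lower-alarm' when it drops below a*c. An alarm clears only once the
    count is back past the buffer edge (a*b-d or a*c+d), not as soon as it
    re-crosses the threshold itself.
    """

    # Command defaults: upper-limit 100, lower-limit 0.
    def __init__(self, max_sessions, upper_pct=100, lower_pct=0):
        self.upper, self.lower, self.buffer = thresholds(
            max_sessions, upper_pct, lower_pct)
        self.state = "normal"

    def update(self, count):
        """Feed the latest session count; return the list of events raised."""
        events = []
        if self.state == "upper-alarm" and count < self.upper - self.buffer:
            self.state = "normal"
            events.append("upper threshold alarm cleared")
        elif self.state == "lower-alarm" and count > self.lower + self.buffer:
            self.state = "normal"
            events.append("lower threshold alarm cleared")
        # After a clear, the same sample may already breach the other threshold.
        if self.state == "normal":
            if count > self.upper:
                self.state = "upper-alarm"
                events.append("upper threshold alarm")
            elif count < self.lower:
                self.state = "lower-alarm"
                events.append("lower threshold alarm")
        return events


def replay(max_sessions, upper_pct, lower_pct, counts):
    """Run a sequence of session counts through one monitor.

    Returns (count, events) pairs for the samples that raised an event.
    """
    monitor = SessionAlarmMonitor(max_sessions, upper_pct, lower_pct)
    raised = []
    for count in counts:
        events = monitor.update(count)
        if events:
            raised.append((count, events))
    return raised


if __name__ == "__main__":
    # The document's own numbers: a = 1000, b = 80%, c = 20%, hence d = 60,
    # so alarms fire at >800 / <200 and clear only at <740 / >260.
    for count, events in replay(1000, 80, 20, [500, 801, 750, 739, 199, 250, 261]):
        print(count, events)
```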

Examples

# Set the upper online L2TP session count threshold to 80% on the device.

<Sysname> system-view

[Sysname] l2tp session-threshold upper-limit 80

l2tp tsa-id

Use l2tp tsa-id to set the TSA ID for the L2TP tunnel switching (LTS) device.

Use undo l2tp tsa-id to restore the default.

Syntax

l2tp tsa-id tsa-id

undo l2tp tsa-id

Default

The device name of the LTS device is used as the TSA ID.

Views

System view

Predefined user roles

network-admin

Parameters

tsa-id: Specifies a TSA ID that uniquely identifies the LTS device. This argument is a case-sensitive string of 1 to 64 characters.

Usage guidelines

The LTS device compares the configured TSA ID with each TSA ID Attribute Value Pair (AVP) in a received ICRQ packet for loop detection.

·          If a match is found, a loop exists. The LTS immediately tears down the session.

·          If no match is found, the LTS performs the following operations:

a.    Encapsulates the configured TSA ID into a new TSA ID AVP.

b.    Appends the new TSA ID AVP to the packet.

c.    Sends the packet to the next-hop LTS.

To avoid loop detection errors, make sure the TSA ID of each LTS device is unique.

To avoid loop detection errors, make sure the device name of each LTS device is unique when the default TSA IDs are used.
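The following added example (not H3C code) models the loop check above: each LTS looks for its own TSA ID among the TSA ID AVPs already in a received ICRQ, tears the session down on a match, and otherwise appends its own AVP before forwarding. The ICRQ and AVP representation, the device names and the TSA IDs are all constructed for illustration; the second run shows why non-unique default TSA IDs (device names) produce a false loop detection.

```python
# Added example (not H3C code): a model of the TSA ID loop check an LTS
# performs on a received ICRQ. The AVP representation and the device
# names are constructed for illustration.
from dataclasses import dataclass, field

# Hypothetical attribute name for the TSA ID AVP in this model.
TSA_ID_AVP = "TSA-ID"


@dataclass
class Icrq:
    """Constructed stand-in for an ICRQ: an ordered list of (name, value) AVPs."""
    avps: list = field(default_factory=list)

    def tsa_ids(self):
        return [value for name, value in self.avps if name == TSA_ID_AVP]


class Lts:
    """An L2TP tunnel switching device with a configured or default TSA ID."""

    def __init__(self, device_name, tsa_id=None):
        # Without 'l2tp tsa-id', the device name is used as the TSA ID.
        self.device_name = device_name
        self.tsa_id = tsa_id if tsa_id is not None else device_name

    def process_icrq(self, icrq):
        """Return ('teardown', None) on a loop, else ('forward', new ICRQ).

        A match against any TSA ID AVP already in the packet means the ICRQ
        has passed through this LTS before; otherwise the LTS appends its
        own TSA ID AVP and hands the packet to the next-hop LTS.
        """
        if self.tsa_id in icrq.tsa_ids():
            return "teardown", None
        forwarded = Icrq(icrq.avps + [(TSA_ID_AVP, self.tsa_id)])
        return "forward", forwarded


def run_chain(chain, icrq=None):
    """Push one ICRQ through a list of LTS devices in order.

    Returns (index of the hop that tore the session down, or None if none did,
    the ICRQ as it stood after the last hop that processed it).
    """
    icrq = icrq if icrq is not None else Icrq()
    for hop, lts in enumerate(chain):
        action, forwarded = lts.process_icrq(icrq)
        if action == "teardown":
            return hop, icrq
        icrq = forwarded
    return None, icrq


if __name__ == "__main__":
    # A real loop: the ICRQ comes back to the LTS with TSA ID lts0.
    print(run_chain([Lts("r1", "lts0"), Lts("r2", "lts1"), Lts("r1", "lts0")]))
    # Not a loop, but both devices kept the default TSA ID (the device name)
    # and that name is not unique, so the second hop wrongly tears it down.
    print(run_chain([Lts("Sysname"), Lts("Sysname")]))
```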

Examples

# Set the TSA ID of the LTS device to lts0.

<Sysname> system-view

[Sysname] l2tp tsa-id lts0

l2tp-auto-client

Use l2tp-auto-client to trigger an LAC to automatically establish an L2TP tunnel.

Use undo l2tp-auto-client to delete the automatically established L2TP tunnel.

Syntax

l2tp-auto-client l2tp-group group-number

undo l2tp-auto-client

Default

An LAC does not automatically establish an L2TP tunnel.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Parameters

l2tp-group group-number: Specifies an L2TP group by its number in the range of 1 to 65535. The LAC uses tunnel parameters of the L2TP group to establish the tunnel.

Usage guidelines

The L2TP group specified must be an existing one in LAC mode.

An L2TP tunnel automatically established in LAC-auto-initiated mode exists until you delete the tunnel by using the undo l2tp-auto-client or reset l2tp tunnel command.

Examples

# Trigger the LAC to automatically establish an L2TP tunnel by using the tunnel parameters of L2TP group 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 1

[Sysname-Virtual-PPP1] l2tp-auto-client l2tp-group 10

Related commands

l2tp-group

l2tp-group

Use l2tp-group to create an L2TP group and enter its view, or enter the view of an existing L2TP group.

Use undo l2tp-group to delete an L2TP group.

Syntax

l2tp-group group-number [ group-name group-name ] [ mode { lac | lns } ]

undo l2tp-group group-number

Default

No L2TP group exists.

Views

System view

Predefined user roles

network-admin

Parameters

group-number: Specifies an L2TP group by its number in the range of 1 to 65535.

group-name group-name: Specifies an L2TP group name, a case-insensitive string of 1 to 32 characters. If you do not specify this option, the created L2TP group does not have a name.

mode: Specifies a mode for the L2TP group.

lac: Specifies the LAC mode.

lns: Specifies the LNS mode.

Usage guidelines

To create a new L2TP group, you must specify the mode keyword. To enter the view of an existing L2TP group, you do not need to specify this keyword.

In L2TP group view, you can configure L2TP tunnel parameters, such as tunnel authentication.

A device can have L2TP groups in both LAC and LNS modes at the same time.

Examples

# Create L2TP group 2 named g1 in LAC mode, and enter its view.

<Sysname> system-view

[Sysname] l2tp-group 2 group-name g1 mode lac

[Sysname-l2tp2]

Related commands

allow l2tp

lns-ip

user

lns-ip

Use lns-ip to specify LNS IP addresses on an LAC.

Use undo lns-ip to remove the specified LNS IP addresses on an LAC.

Syntax

lns-ip { ip-address [ weight lns-weight ] }&<1-5>

undo lns-ip

Default

No LNS IP addresses are specified on an LAC.

Views

L2TP group view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an LNS IP address.

weight lns-weight: Specifies the LNS weight in the range of 1 to 10. The default is 5. A greater value means a higher priority. The weight configuration takes effect only when the LAC operates in load sharing mode.

&<1-5>: Indicates that you can enter a maximum of five IP addresses.

Usage guidelines

In master/backup mode, when the lns-ip command is executed to configure multiple LNS IP addresses, the LAC initiates L2TP tunneling requests to the specified LNSs consecutively in their configuration order until it receives an acknowledgement from an LNS. That LNS becomes the master LNS, and the other LNSs are backup LNSs. The LAC tries to set up a tunnel to a backup LNS only when the master LNS fails.

In load sharing mode, when the lns-ip command is executed to configure multiple LNS IP addresses, the LAC allocates L2TP traffic to these LNSs based on their weights.

The lns-ip command is available only on L2TP groups in LAC mode.

If you execute this command multiple times for an L2TP group, the most recent configuration takes effect.

Examples

# Specify the LNS IP address as 202.1.1.1.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] lns-ip 202.1.1.1

Related commands

tunnel load-sharing

mandatory-chap

Use mandatory-chap to force the LNS to perform CHAP authentication for users.

Use undo mandatory-chap to restore the default.

Syntax

mandatory-chap

undo mandatory-chap

Default

An LNS does not perform CHAP authentication for users.

Views

L2TP group view

Predefined user roles

network-admin

Usage guidelines

The LNS uses the LAC as an authentication proxy. The LAC sends the LNS all user authentication information from users and the authentication method configured on the LAC itself. The LNS then checks the user validity according to the received information and the locally configured authentication method.

When mandatory CHAP authentication is configured, a user who depends on an LAC to initiate tunneling requests is authenticated by both the LAC and the LNS for increased security. Some users might not support the authentication on the LNS. In this situation, do not configure this command, because CHAP authentication on the LNS will fail.

This command is available only on L2TP groups in LNS mode.

This command takes effect only on NAS-initiated L2TP tunnels.

The mandatory-lcp command takes precedence over this command. If both commands are configured for an L2TP group, the LNS performs LCP renegotiation with the user.

Examples

# Force the LNS to perform CHAP authentication for users.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lns

[Sysname-l2tp1] mandatory-chap

Related commands

mandatory-lcp

mandatory-lcp

Use mandatory-lcp to force an LNS to perform LCP negotiation with users.

Use undo mandatory-lcp to restore the default.

Syntax

mandatory-lcp

undo mandatory-lcp

Default

An LNS does not perform LCP negotiation with users.

Views

L2TP group view

Predefined user roles

network-admin

Usage guidelines

By default, to establish a NAS-initiated tunnel, the user performs LCP negotiation with the LAC. If the negotiation succeeds, the LAC initiates a tunneling request and sends the negotiation results (including authentication information) to the LNS. Then, the LNS determines whether the user is valid based on the information received instead of performing LCP renegotiation with the user.

If you do not expect the LNS to accept LCP negotiation parameters, configure this command to perform an LCP negotiation between the LNS and the user. In this case, the information sent by the LAC will be ignored.

Some users might not support LCP negotiation. In this case, do not configure this command because LCP negotiation will fail.

This command is available only on L2TP groups in LNS mode.

This command takes effect only on NAS-initiated L2TP tunnels.

This command takes precedence over the mandatory-chap command. If both commands are configured for an L2TP group, the LNS performs LCP negotiation with the user.

Examples

# Force an LNS to perform LCP negotiation with users.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lns

[Sysname-l2tp1] mandatory-lcp

Related commands

mandatory-chap

reset counters interface virtual-ppp

Use reset counters interface virtual-ppp to clear the statistics for virtual PPP interfaces.

Syntax

reset counters interface [ virtual-ppp [ interface-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

virtual-ppp [ interface-number ]: Specifies a virtual PPP interface by its number in the range of 0 to 255. If you specify neither virtual-ppp nor interface-number, this command clears the statistics for all interfaces. If you specify virtual-ppp but not interface-number, this command clears the statistics for all virtual PPP interfaces. If you specify both virtual-ppp and interface-number, this command clears the statistics for the specified virtual PPP interface.

Usage guidelines

Use this command to clear history statistics if you want to collect traffic statistics for a specific time period.

Examples

# Clear the statistics for Virtual-PPP 10.

<Sysname> reset counters interface virtual-ppp 10

reset l2tp control-packet statistics

Use reset l2tp control-packet statistics to clear L2TP protocol packet statistics.

Syntax

reset l2tp control-packet statistics [ summary | tunnel [ tunnel-id ] ]

Views

User view

Predefined user roles

network-admin

Parameters

summary: Clears summary L2TP protocol packet statistics for all L2TP tunnels.

tunnel [ tunnel-id ]: Specifies L2TP tunnels. The value range for the tunnel-id argument is 1 to 65535. If you specify an L2TP tunnel, this command clears L2TP protocol packet statistics for the specified L2TP tunnel. If you specify only the tunnel keyword, this command clears detailed L2TP protocol packet statistics for all L2TP tunnels.

Usage guidelines

If you do not specify any keyword or argument, the command clears both summary and detailed L2TP protocol packet statistics for all L2TP tunnels.

Examples

# Clear both summary and detailed L2TP protocol packet statistics for all L2TP tunnels.

<Sysname> reset l2tp control-packet statistics

Related commands

display l2tp control-packet statistics

reset l2tp packet-limit statistics

Use reset l2tp packet-limit statistics to clear packet rate limit statistics on the LNS.

Syntax

reset l2tp packet-limit statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear packet rate limit statistics on the LNS.

<Sysname> reset l2tp packet-limit statistics

Related commands

display l2tp packet-limit statistics

reset l2tp tunnel

Use reset l2tp tunnel to disconnect tunnels and all sessions within the tunnels.

Syntax

reset l2tp tunnel [ [ local-address local-address | tunnel-id tunnel-id ] * | tunnel-name remote-name ]

Views

User view

Predefined user roles

network-admin

Parameters

local-address local-address: Specifies a local tunnel IP address.

tunnel-id tunnel-id: Specifies a tunnel by its local ID in the range of 1 to 65535.

tunnel-name remote-name: Specifies L2TP tunnels by the tunnel peer name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

When the number of user connections is 0 or a network fault occurs, you can disconnect the L2TP tunnel by using this command on either the LAC or LNS. After the tunnel is disconnected, all sessions within it are disconnected.

If you specify a tunnel peer name, all tunnels with the tunnel peer name will be disconnected. If no tunnel with the tunnel peer name exists, nothing happens.

A tunnel disconnected by force can be re-established when a client makes a call.

If you do not specify any parameter, this command disconnects all L2TP tunnels on the device.

Examples

# Disconnect all tunnels with the tunnel peer name of aaa.

<Sysname> reset l2tp tunnel tunnel-name aaa

Related commands

display l2tp tunnel

shutdown

Use shutdown to shut down a virtual PPP interface.

Use undo shutdown to bring up a virtual PPP interface.

Syntax

shutdown

undo shutdown

Default

A virtual PPP interface is up.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Examples

# Shut down Virtual-PPP 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] shutdown

source-ip

Use source-ip to configure the source IP address of L2TP tunnel packets.

Use undo source-ip to restore the default.

Syntax

source-ip ip-address

undo source-ip

Default

The source IP address of L2TP tunnel packets is the IP address of the egress interface.

Views

L2TP group view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the source IP address of L2TP tunnel packets.

Usage guidelines

This command is available only on an L2TP group in LAC mode.

For high availability, as a best practice, use the IP address of a loopback interface as the source IP address of L2TP tunnel packets.

Examples

# Configure the source IP address of L2TP tunnel packets as 2.2.2.2.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] source-ip 2.2.2.2

timer-hold

Use timer-hold to set the keepalive interval.

Use undo timer-hold to restore the default.

Syntax

timer-hold seconds

undo timer-hold

Default

The keepalive interval is 10 seconds.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Parameters

seconds: Specifies the interval at which the LAC or the LNS sends keepalive packets, in the range of 0 to 32767 seconds.

Usage guidelines

A virtual PPP interface sends keepalive packets at keepalive intervals to detect the availability of the peer. If the interface fails to receive keepalive packets when the keepalive retry limit is reached, it determines that the link fails and reports a link layer down event.

To set the keepalive retry limit, use the timer-hold retry command.

On a slow link, increase the keepalive interval to prevent false shutdown of the interface. This situation might occur when keepalive packets are delayed because a large packet is being transmitted on the link.

Examples

# Set the keepalive interval to 20 seconds for Virtual-PPP 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] timer-hold 20

Related commands

timer-hold retry

timer-hold retry

Use timer-hold retry to set the keepalive retry limit.

Use undo timer-hold retry to restore the default.

Syntax

timer-hold retry retries

undo timer-hold retry

Default

The keepalive retry limit is 5.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of keepalive attempts in the range of 1 to 255.

Usage guidelines

A virtual PPP interface sends keepalive packets at keepalive intervals to detect the availability of the peer. If the interface fails to receive keepalive packets when the keepalive retry limit is reached, it determines that the link fails and reports a link layer down event.

To set the keepalive interval, use the timer-hold command.

On a slow link, increase the keepalive retry limit to prevent false shutdown of the interface. This situation might occur when keepalive packets are delayed because a large packet is being transmitted on the link.

Examples

# Set the keepalive retry limit to 10 for Virtual-PPP 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] timer-hold retry 10

Related commands

timer-hold

tunnel authentication

Use tunnel authentication to enable L2TP tunnel authentication.

Use undo tunnel authentication to disable L2TP tunnel authentication.

Syntax

tunnel authentication

undo tunnel authentication

Default

L2TP tunnel authentication is enabled.

Views

L2TP group view

Predefined user roles

network-admin

Usage guidelines

Tunnel authentication prevents the local end from establishing L2TP tunnels with unauthorized remote ends.

You can enable tunnel authentication on both sides or on either side.

To ensure successful tunnel establishment when tunnel authentication is enabled on both sides or on either side, set the same non-null key on the LAC and the LNS. To set the tunnel authentication key, use the tunnel password command.

When neither side has tunnel authentication enabled, the key settings of the LAC and the LNS do not affect tunnel establishment.

For tunnel security, enable tunnel authentication on both sides, so that each end verifies the other. Tunnel authentication only verifies the identity of the peer during tunnel setup. It does not encrypt or integrity-protect the PPP frames carried in the tunnel.

Examples

# Enable L2TP tunnel authentication.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lns

[Sysname-l2tp1] tunnel authentication

Related commands

tunnel password

tunnel avp-hidden

Use tunnel avp-hidden to enable transferring AVP data in hidden mode.

Use undo tunnel avp-hidden to restore the default.

Syntax

tunnel avp-hidden

undo tunnel avp-hidden

Default

AVP data is transferred over the tunnel in plaintext mode.

Views

L2TP group view

Predefined user roles

network-admin

Usage guidelines

L2TP uses AVPs to transmit tunnel negotiation parameters, session negotiation parameters, and user authentication information. This feature hides sensitive AVP data, such as user passwords, by encrypting it with the key configured by the tunnel password command before transmission.

You can configure the tunnel avp-hidden command in L2TP groups of both LAC mode and LNS mode, but it takes effect only on L2TP groups in LAC mode.

For this command to take effect, you must enable tunnel authentication by using the tunnel authentication command.
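The following example models the two mechanisms that the tunnel authentication, tunnel password, and tunnel avp-hidden commands configure, as RFC 2661 defines them. It is an added illustration, not H3C code, and it assumes the device follows the RFC: the Challenge Response AVP is MD5(ID || key || challenge) with ID equal to the type of the control message that carries the response (SCCRP = 2, SCCCN = 3), and a hidden AVP value is XORed with an MD5 keystream seeded from the attribute number, the key, and the Random Vector AVP. The key is the string set with tunnel password. The AVP attribute number 33 (Proxy Authen Response) and the constructed challenges and random vector are example inputs, not values from the page.

```python
"""L2TP tunnel authentication and AVP hiding, after RFC 2661 (added example)."""
import hashlib
import hmac
import os

SCCRP = 2   # LNS -> LAC reply; carries the LNS's response to the LAC's challenge
SCCCN = 3   # LAC -> LNS connected; carries the LAC's response to the LNS's challenge


def challenge_response(msg_type, key, challenge):
    """CHAP-style response: MD5(ID || key || challenge), ID = message type."""
    return hashlib.md5(bytes([msg_type]) + key + challenge).digest()


def verify_response(msg_type, key, challenge, response):
    """Check a peer's Challenge Response AVP with a constant-time compare."""
    expected = challenge_response(msg_type, key, challenge)
    return hmac.compare_digest(expected, response)


def tunnel_setup(lac_key, lns_key):
    """Mutual authentication: each side challenges the other during setup.
    Returns (LAC accepted the LNS, LNS accepted the LAC)."""
    lac_challenge = os.urandom(16)   # Challenge AVP the LAC puts in SCCRQ
    lns_challenge = os.urandom(16)   # Challenge AVP the LNS puts in SCCRP
    lns_resp = challenge_response(SCCRP, lns_key, lac_challenge)
    lac_ok = verify_response(SCCRP, lac_key, lac_challenge, lns_resp)
    lac_resp = challenge_response(SCCCN, lac_key, lns_challenge)
    lns_ok = verify_response(SCCCN, lns_key, lns_challenge, lac_resp)
    return lac_ok, lns_ok


def avp_hide(attr, key, random_vector, value):
    """Hide an AVP value (RFC 2661 section 4.3).
    plaintext = length(1 octet) || value || padding to a 16-octet boundary.
    Block 1 is XORed with MD5(attr(2 octets) || key || random vector); every
    later block with MD5(key || previous ciphertext block)."""
    if not 0 <= len(value) <= 255:
        raise ValueError("a hidden AVP carries a one-octet length")
    plain = bytes([len(value)]) + value
    plain += os.urandom((-len(plain)) % 16)   # padding; any octets are allowed
    stream = hashlib.md5(attr.to_bytes(2, "big") + key + random_vector).digest()
    out = bytearray()
    for i in range(0, len(plain), 16):
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], stream))
        out += block
        stream = hashlib.md5(key + block).digest()
    return bytes(out)


def avp_unhide(attr, key, random_vector, hidden):
    """Reverse avp_hide. Returns None when the recovered length octet is
    impossible, which is the usual symptom of a mismatched tunnel password."""
    if len(hidden) == 0 or len(hidden) % 16:
        return None
    stream = hashlib.md5(attr.to_bytes(2, "big") + key + random_vector).digest()
    plain = bytearray()
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, stream))
        stream = hashlib.md5(key + block).digest()
    length = plain[0]
    if length > len(plain) - 1:
        return None
    return bytes(plain[1:1 + length])


PROXY_AUTHEN_RESPONSE = 33   # AVP attribute number used in the demo below
```

Both mechanisms depend only on the shared key, which is why the page requires tunnel authentication (and therefore a tunnel password) for avp-hidden to take effect: an LNS without the same key can neither answer the challenge nor recover the hidden PPP password. Note that hiding protects AVP contents only; it does nothing for the tunneled PPP payload.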

Examples

# Enable transferring AVP data in hidden mode.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel avp-hidden

Related commands

tunnel authentication

tunnel password

tunnel load-sharing

Use tunnel load-sharing to configure an LAC to operate in load sharing mode.

Use undo tunnel load-sharing to restore the default.

Syntax

tunnel load-sharing

undo tunnel load-sharing

Default

An LAC operates in master/backup mode.

Views

L2TP group view (LAC mode)

Predefined user roles

network-admin

Usage guidelines

An LAC can operate in master/backup mode or in load sharing mode.

In master/backup mode, when the lns-ip command specifies multiple LNS IP addresses, the LAC sends L2TP tunneling requests to the specified LNSs one by one in their configuration order until an LNS acknowledges. That LNS becomes the master LNS, and the other LNSs are backup LNSs. The LAC tries to set up a tunnel to a backup LNS only when the master LNS fails.

When a single LNS cannot process a large amount of L2TP traffic, configure the LAC to operate in load sharing mode for performance and reliability. In this mode, the LAC distributes L2TP traffic across multiple LNSs. To set the weight of an LNS, specify the weight keyword in the lns-ip command.

Examples

# Configure an LAC to operate in load sharing mode.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel load-sharing

Related commands

lns-ip

tunnel name

Use tunnel name to specify the local tunnel name.

Use undo tunnel name to restore the default.

Syntax

tunnel name name

undo tunnel name

Default

The local tunnel name is the device name. For more information about the device name, see Fundamentals Configuration Guide.

Views

L2TP group view

Predefined user roles

network-admin

Parameters

name: Specifies the local tunnel name, a case-sensitive string of 1 to 31 characters.

Examples

# Specify the local tunnel name as itsme.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lns

[Sysname-l2tp1] tunnel name itsme

Related commands

sysname (Fundamentals Command Reference)

tunnel password

Use tunnel password to configure the key for tunnel authentication.

Use undo tunnel password to restore the default.

Syntax

tunnel password { cipher | simple } string

undo tunnel password

Default

No key is configured for tunnel authentication.

Views

L2TP group view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 16 characters. Its encrypted form is a case-sensitive string of 1 to 53 characters.

Usage guidelines

For this command to take effect, you must enable tunnel authentication by using the tunnel authentication command.

The tunnel authentication key is read when a tunnel is negotiated. To apply a new key to a tunnel, change the key before that tunnel is negotiated; the change does not affect tunnels that are already established.

Examples

# Configure the key for tunnel authentication to a plaintext key yougotit.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel password simple yougotit

Related commands

tunnel authentication

tunnel timer hello

Use tunnel timer hello to set the Hello interval.

Use undo tunnel timer hello to restore the default.

Syntax

tunnel timer hello hello-interval

undo tunnel timer hello

Default

The Hello interval is 60 seconds.

Views

L2TP group view

Predefined user roles

network-admin

Parameters

hello-interval: Specifies the interval at which the LAC or the LNS sends Hello packets, in the range of 60 to 1000 seconds.

Usage guidelines

The device sends Hello packets at the set interval. This prevents the L2TP tunnels and sessions from being removed due to timeouts.

You can set different Hello intervals for the LNS and LAC.

Examples

# Set the Hello interval to 90 seconds.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel timer hello 90

tunnel window receive

Use tunnel window receive to set the receiving window size for an L2TP tunnel.

Use undo tunnel window receive to restore the default.

Syntax

tunnel window receive size

undo tunnel window receive

Default

The receiving window size for an L2TP tunnel is 1024.

Views

L2TP group view

Predefined user roles

network-admin

Parameters

size: Specifies the receiving window size in the range of 1 to 5000. It is the number of packets that can be buffered at the local end.

Usage guidelines

To enable the device to process a larger number of disordered packets, use this command to enlarge the receiving window size for an L2TP tunnel.

The device uses a receiving window to reorder disordered packets based on packet sequence numbers.

If the sequence number of a packet is within the receiving window but does not equal the minimum value of the window, the device performs the following operations:

1. The device buffers the packet.

2. The minimum value and maximum value of the receiving window increment by one.

3. The device continues to check the next arriving packet.

If the sequence number of a packet equals the minimum value of the receiving window, the device performs the following operations:

1. The device processes the packet.

2. The minimum value and maximum value of the receiving window increment by one.

3. The device checks buffered packets for a packet with the sequence number equal to the new minimum value of the receiving window.

4. If no required packet is found, the device checks the next arriving packet.

If the sequence number of a packet is not within the receiving window, the device drops the packet.
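The following receive-window model runs the three cases above (buffer, process and drain, drop) over a constructed packet sequence. It is an added example, not H3C code. Two things are assumed beyond the text: sequence numbers are 16-bit and wrap, as L2TP Ns/Nr values do in RFC 2661, so window membership is computed modulo 2^16; and while a packet is held in the buffer the window minimum stays at the missing sequence number, since only delivery of the minimum can slide the window without dropping the late packet.

```python
"""Receive-window reordering for an L2TP tunnel (added example)."""

SEQ_MOD = 1 << 16   # assumption: 16-bit sequence numbers that wrap


class ReceiveWindow:
    def __init__(self, size):
        if not 1 <= size <= 5000:          # range accepted by tunnel window receive
            raise ValueError("size must be in 1..5000")
        self.size = size
        self.minimum = 0      # lowest acceptable sequence number (window minimum)
        self.buffered = {}    # seq -> payload for in-window, out-of-order packets
        self.dropped = 0

    def offset(self, seq):
        """Distance of seq above the window minimum, modulo 2^16."""
        return (seq - self.minimum) % SEQ_MOD

    def receive(self, seq, payload):
        """Feed one arriving packet; return the payloads released in order."""
        seq %= SEQ_MOD
        off = self.offset(seq)
        if off >= self.size:
            # outside [minimum, minimum + size - 1]: an old duplicate or too far ahead
            self.dropped += 1
            return []
        if off != 0:
            # inside the window but not the minimum: hold it (first copy wins)
            self.buffered.setdefault(seq, payload)
            return []
        # seq is the minimum: process it, slide the window, drain buffered successors
        released = [payload]
        self.minimum = (self.minimum + 1) % SEQ_MOD
        while self.minimum in self.buffered:
            released.append(self.buffered.pop(self.minimum))
            self.minimum = (self.minimum + 1) % SEQ_MOD
        return released


def replay(size, arrivals):
    """Run (seq, payload) pairs through one window; return (delivered, dropped)."""
    win = ReceiveWindow(size)
    delivered = []
    for seq, payload in arrivals:
        delivered.extend(win.receive(seq, payload))
    return delivered, win.dropped


if __name__ == "__main__":
    # constructed arrival order: 2 overtakes 1, 9 is beyond a window of 4, 3 repeats
    trace = [(0, "p0"), (2, "p2"), (1, "p1"), (9, "p9"), (3, "p3"), (3, "dup")]
    print(replay(4, trace))   # (['p0', 'p1', 'p2', 'p3'], 2)
```

The constructed trace shows the operational point of the size parameter: with a window of 4, packet 9 is dropped even though it is valid, whereas a window of 16 would have buffered it until 4 to 8 arrived. A larger window tolerates more reordering at the cost of buffer memory per tunnel.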

In the L2TP tunnel establishment process, the device uses the value specified in L2TP group view as the receiving window size.

Changing the receiving window size after an L2TP tunnel is established does not affect the established L2TP tunnel.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the receiving window size for L2TP group 1 to 128.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel window receive 128

Related commands

tunnel window send

tunnel window send

Use tunnel window send to set the sending window size for an L2TP tunnel.

Use undo tunnel window send to restore the default.

Syntax

tunnel window send size

undo tunnel window send

Default

The sending window size for an L2TP tunnel is 0, which means the device uses the receiving window size that the peer end advertises in its messages during the tunnel establishment process.

Views

L2TP group view

Predefined user roles

network-admin

Parameters

size: Specifies the sending window size for an L2TP tunnel, in the range of 0 to 1024. It is the maximum number of packets the device can send to a peer end when the device receives no response from the peer end. If the messages from the peer end carry no receiving window size in the tunnel establishment process, the sending window size for the device is 4.

Usage guidelines

The packet processing capability of a peer end might mismatch the receiving window size of the peer end in some networks. For example, the actual packet processing capability of the peer end is 10, but the receiving window size of the peer end is 20. To ensure stable L2TP services, you can adjust the sending window size for the device to match the actual packet processing capability of the peer end.

The sending window size set in L2TP group view is read during the L2TP tunnel establishment process.

· If the sending window size is 0, the device uses the default sending window size.

· If the sending window size is not 0, the device uses the specified value as the sending window size.
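The following example models the sender side described above: how the window in use is chosen from the configured size and the peer's advertised receive window, and how that window caps the number of unacknowledged messages in flight. It is an added example, not H3C code. The window selection rules come from this page; the in-flight accounting with 16-bit, wrapping sequence numbers (Ns sent, Nr acknowledged) is an assumption taken from RFC 2661.

```python
"""Sender-side window for an L2TP tunnel (added example)."""

SEQ_MOD = 1 << 16   # assumption: 16-bit sequence numbers that wrap


def effective_send_window(configured, peer_receive_window):
    """Window used for a new tunnel. configured is the tunnel window send value
    (0 = follow the peer); peer_receive_window is what the peer advertised,
    or None when its messages carried no receive window size."""
    if not 0 <= configured <= 1024:
        raise ValueError("configured size must be in 0..1024")
    if configured != 0:
        return configured
    return peer_receive_window if peer_receive_window is not None else 4


class SendWindow:
    def __init__(self, size):
        self.size = size
        self.next_seq = 0      # Ns to put on the next message sent
        self.acked_upto = 0    # lowest Ns not yet acknowledged (peer's last Nr)

    def in_flight(self):
        return (self.next_seq - self.acked_upto) % SEQ_MOD

    def send(self):
        """Allocate the next Ns, or return None when the window is full and the
        caller must wait for an acknowledgement (or a retransmit timer)."""
        if self.in_flight() >= self.size:
            return None
        seq = self.next_seq
        self.next_seq = (seq + 1) % SEQ_MOD
        return seq

    def acknowledge(self, nr):
        """Apply the peer's Nr (next Ns it expects). Values outside
        [acked_upto, next_seq] are stale or bogus and are ignored."""
        if (nr - self.acked_upto) % SEQ_MOD <= self.in_flight():
            self.acked_upto = nr % SEQ_MOD
            return True
        return False


def burst(size, count):
    """How many of `count` messages can leave before any acknowledgement."""
    win = SendWindow(size)
    return sum(1 for _ in range(count) if win.send() is not None)


if __name__ == "__main__":
    # the page's mismatch case: peer advertises 20 but can only handle 10
    window = effective_send_window(10, 20)
    print(window, burst(window, 50))   # 10 10
```

Setting tunnel window send below the peer's advertised value is the tool for the mismatch the usage guidelines describe: the LAC then never has more messages outstanding than the peer can actually process, instead of trusting the peer's advertisement.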

Changing the sending window size after an L2TP tunnel is established does not affect the established L2TP tunnel.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the sending window size for L2TP group 1 to 128.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel window send 128

Related commands

tunnel window receive

tunnel-per-user

Use tunnel-per-user to configure each L2TP user to use an L2TP tunnel exclusively.

Use undo tunnel-per-user to restore the default.

Syntax

tunnel-per-user

undo tunnel-per-user

Default

An L2TP tunnel can be used by multiple L2TP users.

Views

L2TP group view

Predefined user roles

network-admin

Usage guidelines

This command is available only on L2TP groups in LAC mode.

Examples

# Configure each L2TP user to use an L2TP tunnel exclusively on the LAC.

<Sysname> system-view

[Sysname] l2tp-group 2 mode lac

[Sysname-l2tp2] tunnel-per-user

user

Use user to configure the condition for the LAC to initiate tunneling requests.

Use undo user to restore the default.

Syntax

user { domain domain-name | fullusername user-name }

undo user

Default

No condition is configured for the LAC to initiate tunneling requests.

Views

L2TP group view

Predefined user roles

network-admin

Parameters

domain domain-name: Configures the LAC to initiate tunneling requests to the LNS when the domain name of a user matches the configured domain name. The domain-name argument represents the configured domain name and is a case-insensitive string of 1 to 255 characters.

fullusername user-name: Configures the LAC to initiate tunneling requests to the LNS when the username of a user matches the configured full username. The user-name argument represents the configured full username and is a case-sensitive string of 1 to 255 characters.

Usage guidelines

This command is available only on L2TP groups in LAC mode.

When a domain name is configured for the LAC to initiate tunneling requests, the LAC chooses the following domain names to match the configured domain name in descending order:

1. Domain names authorized by AAA.

2. Domain names used in PPP authentication.

For more information about how domains are used in PPP authentication, see PPP in BRAS Services Command Reference.

If the ISP domain to which a PPP user belongs is configured with the l2tp-user radius-force command, the LAC considers the user as an L2TP user and performs subsequent L2TP processing when the following conditions exist:

· The RADIUS server has authorized attribute 64 (Tunnel-Type) to the user.

· The tunnel type is L2TP.

For more information about the l2tp-user radius-force command, see AAA commands in BRAS Services Command Reference.

If you execute this command multiple times for an L2TP group, the most recent configuration takes effect.

Examples

# Configure the LAC to initiate tunneling requests to the LNS when the username of the user is test@aabbcc.net.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] user fullusername test@aabbcc.net

Related commands

ppp authentication-mode (BRAS Services Command Reference)
