17-BRAS Services Command Reference


L2TP commands

On a CUPS network, this device acts only as a UP. When executing operation commands in this chapter (commands except the display commands), follow these restrictions and guidelines:

·     If a command is tagged with (on UPs), this command can be executed only on a UP. Before executing this command on a UP, make sure you are fully aware of the impact of this command on the current network and prevent configuration errors from causing network failures.

·     If a command does not have any tag, this command can be executed only on a CP by default. To execute this command on a UP, do that under the guidance of professionals, make sure you are fully aware of the impact of this command on the current network, and prevent configuration errors from causing network failures.

allow l2tp

Use allow l2tp to configure an L2TP network server (LNS) to accept Layer 2 Tunneling Protocol (L2TP) tunneling requests from an L2TP access concentrator (LAC), and to specify a VT interface for tunnel setup.

Use undo allow to prevent setting up sessions with users with the specified domain name or users without domain names on an LAC.

Syntax

In the view of L2TP group 1:

allow l2tp virtual-template virtual-template-number [ local ip-address | remote remote-name ] [ domain domain-name ]

undo allow [ domain domain-name ]

In the view of an L2TP group except group 1:

allow l2tp virtual-template virtual-template-number { local ip-address | remote remote-name } [ domain domain-name ]

undo allow [ domain domain-name ]

Default

An LNS denies L2TP tunneling requests from any LACs.

Views

L2TP group (LNS mode) view

Predefined user roles

network-admin

Parameters

virtual-template virtual-template-number: Specifies a VT interface by its number. The value range for the virtual-template-number argument is 0 to 1023.  An LNS dynamically creates PPP sessions based on the configuration of a VT interface. Each PPP session is used to carry data for a different L2TP session.

local ip-address: Specifies the IP address of the local tunnel.

remote remote-name: Specifies the name of the tunnel peer (LAC) initiating tunneling requests, a case-sensitive string of 1 to 31 characters.

domain domain-name: Allows users with the specified domain name to set up L2TP sessions. The domain-name argument represents the domain name of the user and is a case-sensitive string of 1 to 255 characters. The ISP domain in the username is transmitted to the LNS through PPP proxy information carried in the Incoming-Call-Connection (ICCN) message. ICCN messages are a type of L2TP session setup request.

In NAS-initiated mode, ICCN messages carry PPP proxy information. In this mode, when receiving L2TP session setup requests from the LAC, the LNS compares the following domain names:

·     The ISP domain name in the username.

·     The domain name specified in an allow l2tp command configured in the L2TP group of the tunnel.

Then the LNS performs the following operations depending on the comparison result:

·     If a match is found, an L2TP session is set up based on the allow l2tp command configuration.

·     If no match is found, the LNS continues to check whether an allow l2tp command without the domain keyword is executed in the L2TP group view.

¡     If the allow l2tp command exists, an L2TP session is set up based on the allow l2tp command configuration.

¡     If the allow l2tp command does not exist, the L2TP session cannot be set up.

In client-initiated mode or LAC-auto-initiated mode, the ICCN messages do not carry PPP proxy information. As a result, the LNS cannot obtain the ISP domain information in usernames. When receiving L2TP session setup requests, the LNS checks for an allow l2tp command without the domain keyword in the L2TP group of the tunnel.

·     If a match is found, an L2TP session is set up based on the command configuration.

·     If no match is found, the L2TP session cannot be set up.

Usage guidelines

The allow l2tp command is available only on LNSs.

In the view of L2TP group 1:

·     With the local keyword specified, the LNS checks whether the destination address in the received requests is the same as the local tunnel address. The LNS accepts the requests only when the two IP addresses are the same. When specifying the local tunnel address, make sure it is the same as at least one of the LNS IP addresses specified on the LAC.

·     If the remote keyword is specified, the LNS checks whether the LAC name in the received requests is the same as the specified LAC name. The LNS accepts the requests only when the two names are the same. When specifying the LAC name, make sure the specified LAC name is the same as the local tunnel name configured on the LAC.

·     If neither local nor remote is specified, L2TP group 1 is the default L2TP group. In this case, the LNS can accept requests from any LAC.

In the view of an L2TP group except group 1:

When receiving a request, the LNS compares the destination address or LAC name in the request with that configured in an L2TP group except group 1.

·     If a match is found, the LNS uses the tunnel parameters configured in the L2TP group to set up L2TP tunnels with the LAC. Tunnel parameters include tunnel authentication.

·     If no match is found, the LNS checks whether the default L2TP group exists.

¡     If the default L2TP group exists, the LNS uses its tunnel parameters to set up L2TP tunnels with the LAC.

¡     If the default L2TP group does not exist, the LNS cannot set up L2TP tunnels with the LAC.

When the undo form is executed without the domain keyword, the command prevents setting up sessions with users without domain names.

When the undo form is executed with the domain domain-name option, the command prevents setting up sessions with users with the specified domain name.

As a best practice, configure a default L2TP group on the LNS in the following cases:

·     LACs (such as hosts with Windows 2000 Beta 2 installed) include blank local names in their tunneling requests.

·     The LNS sets up tunnels with multiple LACs by using the same tunnel parameters.

When the command is executed in the same L2TP group, the following rules apply:

·     If the first command has the remote remote-name and domain domain-name options specified, all the following commands must have the same remote name specified.

·     If the first command has the local ip-address and domain domain-name options specified, all the following commands must have the same local IP address specified.

·     For L2TP group 1, if the first command has the domain domain-name option specified and does not have the local ip-address or remote remote-name option specified, all the following commands must not have the local IP address or remote name specified.

·     For L2TP group 1, if the command is executed multiple times with the domain domain-name option to specify different domain names and the local ip-address or remote remote-name option is not specified, all these configurations take effect.

·     If the command is executed without the domain keyword multiple times, the most recent configuration takes effect.

·     If the command is executed with the domain domain-name option multiple times to specify the same domain name, the most recent configuration takes effect.

Examples

# Specify L2TP group 1 as the default L2TP group, and specify Virtual-Template 1 for tunnel setup. For L2TP group 2, configure the LNS to accept the L2TP tunneling request initiated by the LAC named aaa, and specify Virtual-Template 2 for tunnel setup.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lns

[Sysname-l2tp1] allow l2tp virtual-template 1

[Sysname-l2tp1] quit

[Sysname] l2tp-group 2 mode lns

[Sysname-l2tp2] allow l2tp virtual-template 2 remote aaa

Related commands

lns-ip

tunnel name
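
The allow l2tp matching rules above (L2TP group selection for a tunneling request, then domain matching for a session) can be modeled offline to audit an LNS configuration. The following Python sketch is an added example, not H3C code: every function and class name is hypothetical, the configuration text is constructed from the page's example plus one domain rule, and checking groups in ascending number order is an assumption because the page does not state an order.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AllowRule:
    vt: int                 # virtual-template number
    local: Optional[str]    # local ip-address
    remote: Optional[str]   # remote remote-name (LAC name)
    domain: Optional[str]   # domain domain-name

GROUP_RE = re.compile(r"l2tp-group (\d+) mode (lns|lac)")
RULE_RE = re.compile(r"allow l2tp virtual-template (\d+)"
                     r"(?: local (\S+)| remote (\S+))?(?: domain (\S+))?")

def parse_lns_groups(config):
    """Collect the allow l2tp rules of every LNS-mode group, in entry order."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_RE.fullmatch(line)
        if m:
            # allow l2tp is available only on LNSs, so LAC-mode groups are skipped.
            current = int(m.group(1)) if m.group(2) == "lns" else None
            if current is not None:
                groups.setdefault(current, [])
            continue
        m = RULE_RE.fullmatch(line)
        if m and current is not None:
            vt, local, remote, domain = m.groups()
            groups[current].append(AllowRule(int(vt), local, remote, domain))
    return groups

def is_default_group(number, rules):
    """Group 1 with neither local nor remote is the default group: any LAC is accepted."""
    return number == 1 and bool(rules) and all(
        r.local is None and r.remote is None for r in rules)

def select_group(groups, dst_ip, lac_name):
    """Return the group used for a tunneling request, or None if the LNS denies it."""
    for number in sorted(groups):  # assumption: ascending order
        rules = groups[number]
        if is_default_group(number, rules):
            continue
        # LAC names are case-sensitive, so plain equality is the right comparison.
        if any((r.local is not None and r.local == dst_ip) or
               (r.remote is not None and r.remote == lac_name) for r in rules):
            return number
    if 1 in groups and is_default_group(1, groups[1]):
        return 1
    return None

def session_virtual_template(rules, user_domain):
    """Return the VT number for a session, or None if it cannot be set up.

    user_domain is None in client-initiated and LAC-auto-initiated mode, where
    the ICCN carries no PPP proxy information. The most recent rule wins.
    """
    if user_domain is not None:
        for r in reversed(rules):
            if r.domain == user_domain:
                return r.vt
    for r in reversed(rules):
        if r.domain is None:
            return r.vt
    return None

def groups_accepting_any_lac(groups):
    """Audit helper: groups whose allow l2tp rule does not restrict the LAC."""
    return [n for n in sorted(groups) if is_default_group(n, groups[n])]

# Constructed configuration: the page's example plus a domain rule in group 2.
SAMPLE_CONFIG = """\
l2tp-group 1 mode lns
 allow l2tp virtual-template 1
l2tp-group 2 mode lns
 allow l2tp virtual-template 3 remote aaa domain example.com
 allow l2tp virtual-template 2 remote aaa
"""

if __name__ == "__main__":
    groups = parse_lns_groups(SAMPLE_CONFIG)
    for lac in ("aaa", "bbb", ""):
        print(repr(lac), "->", select_group(groups, "192.0.2.1", lac))
    for dom in ("example.com", "other.net", None):
        print(dom, "->", session_virtual_template(groups[2], dom))
    print("accept any LAC:", groups_accepting_any_lac(groups))
```

A non-empty result from groups_accepting_any_lac marks the groups to review, because their tunnel parameters apply to every LAC that matches no other group.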

bandwidth

Use bandwidth to set the expected bandwidth for an interface.

Use undo bandwidth to restore the default.

Syntax

bandwidth bandwidth-value

undo bandwidth

Default

The expected bandwidth (in kbps) is interface baudrate divided by 1000.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Parameters

bandwidth-value: Specifies the expected bandwidth in the range of 1 to 400000000 kbps.

Usage guidelines

The expected bandwidth of an interface affects the link costs in OSPF, OSPFv3, and IS-IS. For more information, see Layer 3—IP Routing Configuration Guide.

Examples

# Set the expected bandwidth of Virtual-PPP 10 to 100 kbps.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] bandwidth 100

default

Use default to restore the default settings for a virtual PPP interface.

Syntax

default

Views

Virtual PPP interface view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

The default command might interrupt ongoing network services. Make sure you are fully aware of the impact of this command when you execute it on a live network.

This command might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands. Use the undo forms of these commands or follow the command reference to individually restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.

Examples

# Restore the default settings for Virtual-PPP 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] default

default-lac-group enable

Use default-lac-group enable to configure an L2TP group as the default L2TP group.

Use undo default-lac-group enable to remove the default L2TP group configuration.

Syntax

default-lac-group enable

undo default-lac-group enable

Default

An L2TP group is not the default L2TP group.

Views

L2TP group (LAC mode) view

Predefined user roles

network-admin

Usage guidelines

You can configure one default L2TP group on the device.

The default L2TP group matches the users that do not match any other L2TP groups on the device. The default L2TP group has the same functions as non-default L2TP groups.

If the RADIUS server issues tunnel attributes to the LAC directly to create a tunnel, the default L2TP group role takes effect. If L2TP tunnels are established in any other method, the default L2TP group role does not take effect.

If the RADIUS server issues tunnel attributes to the LAC directly to create a tunnel, use the default L2TP group for the following purposes:

·     Supplement tunnel attributes for the users that do not match any other L2TP groups if the RADIUS server does not issue all required tunnel attributes.

·     Supplement tunnel attributes for users in different authentication domains or authorization domains to simplify configuration.

Examples

# Configure L2TP group 1 as the default L2TP group.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] default-lac-group enable

description

Use description to configure the description of an interface.

Use undo description to restore the default.

Syntax

description text

undo description

Default

The description of an interface is the interface-name plus Interface. For example, the default description of Virtual-PPP254 is Virtual-PPP254 Interface.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Parameters

text: Specifies the interface description, a case-sensitive string of 1 to 255 characters.

Examples

# Set the description of Virtual-PPP 10 to virtual-interface.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] description virtual-interface

display interface bas-interface

Use display interface bas-interface to display information about a BAS interface.

Syntax

display interface [ bas-interface [ interface-number ] ] [ brief [ description | down ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

bas-interface [ interface-number ]: Specifies a BAS interface. The interface-number argument represents the number of a BAS interface. If you do not specify the bas-interface keyword, this command displays information about all interfaces supported by the device. If you specify the bas-interface keyword without specifying an interface number, this command displays information about all existing BAS interfaces.

brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.

description: Displays complete interface descriptions. If you do not specify this keyword, the command displays only the first 27 characters of interface descriptions.

down: Displays physically down interfaces and their down causes. If you do not specify this keyword, the command displays information about interfaces in all states.

Usage guidelines

BAS interfaces are supported only on LNSs and are not supported on LACs. When you execute the allow l2tp command on an LNS, the device will create the corresponding BAS interface.

Examples

# Display information about BAS-interface 0.

<Sysname> display interface bas-interface 0

Bas-interface0

Interface index: 17803

Current state: UP

Line protocol state: UP

Description: Bas-interface0 Interface

Bandwidth: 1000000 kbps

Maximum transmission unit: 1500

Hold timer: 10 seconds, retry times: 5

Internet protocol processing: Enabled

Link layer protocol: PPP

Physical: L2TP, baudrate: 1000000 kbps

Last clearing of counters: Never

# Display brief information about BAS-interface 0.

<Sysname> display interface bas-interface 0 brief

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP      Description

BAS0                 UP   UP       4.1.1.1

# Display brief information about all BAS interfaces in down state and the causes.

<Sysname> display interface bas-interface brief down

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Interface             Link Cause

BAS0                  DOWN Not connected

Table 1 Command output

| Field | Description |
| --- | --- |
| Current state | Physical link state and management state of the interface: DOWN—The interface is administratively up, but its physical state is down. UP—The interface is both administratively and physically up. |
| Line protocol state | Data link layer state of the interface, which is determined through automatic parameter negotiation at the data link layer. UP—The data link layer protocol is up. DOWN—The data link layer protocol is down. |
| Description | Description of the interface. |
| Bandwidth | Expected bandwidth of the interface. |
| Maximum transmission unit | MTU of the interface. |
| Hold timer | Interval at which the interface sends keepalive packets. |
| retry times | Maximum number of keepalive retransmission attempts. A link is removed after the maximum number of retransmission attempts is reached. |
| Internet protocol processing: Enabled | The interface can process IP packets. |
| Link layer protocol: PPP | Link layer protocol of the interface. |
| Physical | Physical type of the interface. |
| baudrate | Baudrate of the interface. |
| Last clearing of counters: Never | Last time when the reset counters interface async command was executed. This field displays Never if this command has not been executed since the device startup. |
| Brief information on interfaces in route mode | Brief information about Layer 3 interfaces. |
| Link: ADM - administratively down; Stby - standby | Physical link state of the interface: ADM—The interface has been manually shut down. To restore the physical state of the interface, use the undo shutdown command. Stby—The interface is a backup interface in standby state. |
| Protocol: (s) - spoofing | The (s) attribute means that the data link protocol of the interface is up but the link is an on-demand link or does not exist. Typically, null and loopback interfaces have this attribute. |
| Interface | Abbreviated interface name. |
| Link | Physical link state of the interface: UP—The interface is physically up. DOWN—The interface is physically down. |
| Protocol | Data link layer protocol state of the interface: UP—The data link layer protocol of the interface is up. DOWN—The data link layer protocol of the interface is down. UP(s)—The data link layer protocol of the interface is up, but the link is an on-demand link or does not exist. The (s) attribute represents the spoofing flag. Typically, null and loopback interfaces have this attribute. |
| Primary IP | Primary IP address of the interface. This field displays two hyphens (--) if the interface does not have an IP address. |
| Description | Description of the interface. |
| Cause | Cause for the physical link state of an interface to be DOWN. Not connected indicates no physical connection exists (possibly because the network cable is disconnected or faulty). |

display interface virtual-ppp

Use display interface virtual-ppp to display information about virtual PPP interfaces.

Syntax

display interface [ virtual-ppp [ interface-number ] ] [ brief [ description | down ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

virtual-ppp [ interface-number ]: Specifies an existing virtual PPP interface by its number in the range of 0 to 255. If you do not specify the virtual-ppp keyword, this command displays information about all interfaces. If you specify the virtual-ppp keyword but you do not specify an interface, this command displays information about all virtual PPP interfaces.

brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.

description: Displays complete interface descriptions. If you do not specify this keyword, the command displays only the first 27 characters of each interface description.

down: Displays information about the interfaces in physically down state and the causes. If you do not specify this keyword, the command displays information about interfaces in any state.

Examples

# Display detailed information about Virtual-PPP 10.

<Sysname> display interface virtual-ppp 10

Virtual-PPP10

Interface index: 17805

Current state: Administratively DOWN

Line protocol state: DOWN

Description: Virtual-PPP10 Interface

Bandwidth: 100000 kbps

Maximum transmission unit: 1500

Hold timer: 10 seconds, retry times: 5

Internet address: 10.0.0.1/24 (primary)

Link layer protocol: PPP

LCP: initial

Physical: L2TP, baudrate: 100000000 bps

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 154 packets, 1880 bytes, 0 drops

Output: 155 packets, 1875 bytes, 0 drops

Table 2 Command output

| Field | Description |
| --- | --- |
| Current state | Physical link state of the interface: Administratively DOWN—The interface has been shut down by using the shutdown command. DOWN—The interface is administratively up, but its physical state is down (possibly because no physical link exists or the link has failed). UP—The interface is up both administratively and physically. |
| Line protocol state | Data link layer state of the interface. The state is determined through automatic parameter negotiation at the data link layer. UP—The data link layer protocol is up. UP (spoofing)—The data link layer protocol is up, but the link is an on-demand link or does not exist. This attribute is typical of null interfaces and loopback interfaces. DOWN—The data link layer protocol is down. |
| Bandwidth | Expected bandwidth of the interface. |
| Hold timer | Interval in seconds for the interface to send keepalive packets. |
| retry times | Maximum number of keepalive retransmission attempts. A link is removed after the maximum number of retransmission attempts is reached. |
| Internet protocol processing: Disabled | The interface is not assigned an IP address and cannot process IP packets. |
| Internet address: 10.0.0.1/24 (primary) | Primary IP address of the interface. |
| Link layer protocol | Link layer protocol of the interface: PPP. |
| Physical | Physical type of the interface: L2TP. |
| baudrate | Baud rate of the interface. |
| Last clearing of counters | Time when the reset counters interface command was last used to clear the interface statistics. This field displays Never if the reset counters interface command has never been used on the interface since device startup. |
| Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec | Average rate of inbound traffic in the last 300 seconds. |
| Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec | Average rate of outbound traffic in the last 300 seconds. |
| Input: 154 packets, 1880 bytes, 0 drops | Total number of inbound packets, total number of inbound bytes, and total number of dropped inbound packets. |
| Output: 155 packets, 1875 bytes, 0 drops | Total number of outbound packets, total number of outbound bytes, and total number of dropped outbound packets. |

# Display brief information about virtual PPP interface Virtual-PPP 10.

<Sysname> display interface virtual-ppp 10 brief

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP         Description

VPPP10               ADM  DOWN     10.0.0.1          

# Display information about the virtual PPP interfaces in physically down state and the causes.

<Sysname> display interface virtual-ppp brief down

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Interface            Link Cause

VPPP9                ADM  Administratively

VPPP10               ADM  Administratively

VPPP12               ADM  Administratively

# Display brief information about virtual PPP interface Virtual-PPP 10, including the complete interface description.

<Sysname> display interface Virtual-PPP 10 brief description

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP         Description

VPPP10               ADM  DOWN     10.0.0.1          

Table 3 Command output

| Field | Description |
| --- | --- |
| Brief information on interfaces in route mode | Brief information about Layer 3 interfaces. |
| Interface | Abbreviated interface name. |
| Link | Physical link state of the interface: UP—The interface is physically up. DOWN—The interface is physically down. ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. |
| Protocol | Data link layer protocol state of the interface: UP—The data link layer protocol of the interface is up. DOWN—The data link layer protocol of the interface is down. UP(s)—The data link layer protocol of the interface is up, but the link is an on-demand link or does not exist. The (s) attribute represents the spoofing flag. This value is typical of null interfaces and loopback interfaces. |
| Primary IP | Primary IP address of the interface. This field displays two hyphens (--) if the interface does not have an IP address. |
| Description | Description of the interface. |
| Cause | Cause for the physical link state of an interface to be DOWN: Administratively—The interface has been manually shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. Not connected—No physical connection exists (possibly because the network cable is disconnected or faulty). |

display l2tp aging

Use display l2tp aging to display information about locked LNSs.

Syntax

display l2tp aging

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

Execute this command to view LNS locking configuration and information about locked LNSs.

Examples

# Display LNS locking information.

<Sysname> display l2tp aging

LNS IP     Aging(S)   VPN

1.1.1.1    128        Not set

2.2.2.2    200        Not set

Table 4 Command output

| Field | Description |
| --- | --- |
| LNS IP | IP address of the locked LNS. |
| Aging(S) | Remaining locking time (in seconds). |
| VPN | VPN instance to which the peer end of the L2TP tunnel belongs. If the tunnel peer belongs to the public network, this field displays Not set. |

Related commands

l2tp aging

lns-ip

display l2tp control-packet statistics

Use display l2tp control-packet statistics to display L2TP protocol packet statistics.

Syntax

display l2tp control-packet statistics [ summary | tunnel [ tunnel-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

summary: Specifies summary L2TP protocol packet statistics for all L2TP tunnels.

tunnel [ tunnel-id ]: Specifies L2TP tunnels. The value range for the tunnel-id argument is 1 to 65535. If you specify an L2TP tunnel, this command displays L2TP protocol packet statistics for the specified L2TP tunnel. If you specify only the tunnel keyword, this command displays detailed L2TP protocol packet statistics for all L2TP tunnels.

Usage guidelines

If you do not specify any keyword or argument, the command displays both summary and detailed L2TP protocol packet statistics for all L2TP tunnels.

Examples

# Display both summary and detailed L2TP protocol packet statistics for all L2TP tunnels.

<Sysname> display l2tp control-packet statistics

Summary packet statistics:

Recv SCCRQ  : 2           Sent SCCRQ  : 0           Rsnt SCCRQ  : 4

Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0

Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0

Recv STOPCCN: 2           Sent STOPCCN: 0           Rsnt STOPCCN: 0

Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0

Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0

Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0

Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0

Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

 

Tunnel packet statistics: (LocalAddr 1.2.1.1, LocalTID 10567)

Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 2

Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0

Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0

Recv STOPCCN: 1           Sent STOPCCN: 0           Rsnt STOPCCN: 0

Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0

Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0

Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0

Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0

Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

 

Tunnel packet statistics: (LocalAddr 1.2.1.1, LocalTID 8956)

Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 2

Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0

Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0

Recv STOPCCN: 1           Sent STOPCCN: 0           Rsnt STOPCCN: 0

Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0

Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0

Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0

Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0

Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

# Display detailed L2TP protocol packet statistics for all L2TP tunnels.

<Sysname> display l2tp control-packet statistics tunnel

Tunnel packet statistics: (LocalAddr 1.2.1.1, LocalTID 10567)

Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 2

Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0

Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0

Recv STOPCCN: 1           Sent STOPCCN: 0           Rsnt STOPCCN: 0

Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0

Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0

Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0

Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0

Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

 

Tunnel packet statistics: (LocalAddr 1.2.1.1, LocalTID 8956)

Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 2

Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0

Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0

Recv STOPCCN: 1           Sent STOPCCN: 0           Rsnt STOPCCN: 0

Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0

Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0

Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0

Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0

Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

# Display L2TP protocol packet statistics for L2TP tunnel 10567.

<Sysname> display l2tp control-packet statistics tunnel 10567

Tunnel packet statistics: (LocalAddr 1.2.1.1, LocalTID 10567)

Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 2

Recv SCCRP  : 0           Sent SCCRP  : 0           Rsnt SCCRP  : 0

Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0

Recv STOPCCN: 1           Sent STOPCCN: 0           Rsnt STOPCCN: 0

Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0

Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0

Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0

Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0

Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

Table 5 Command output

| Field | Description |
| --- | --- |
| Summary packet statistics | Summary L2TP protocol packet statistics for all L2TP tunnels. |
| Tunnel packet statistics | L2TP protocol packet statistics for an L2TP tunnel. |
| LocalAddr | Local L2TP tunnel IP address. |
| LocalTID | Local L2TP tunnel ID. |
| Recv SCCRQ | Number of received SCCRQ packets. |
| Recv SCCRP | Number of received SCCRP packets. |
| Recv SCCCN | Number of received SCCCN packets. |
| Recv STOPCCN | Number of received STOPCCN packets. |
| Recv HELLO | Number of received HELLO packets. |
| Recv ICRQ | Number of received ICRQ packets. |
| Recv ICRP | Number of received ICRP packets. |
| Recv ICCN | Number of received ICCN packets. |
| Recv CDN | Number of received CDN packets. |
| Sent SCCRQ | Number of transmitted SCCRQ packets. |
| Sent SCCRP | Number of transmitted SCCRP packets. |
| Sent SCCCN | Number of transmitted SCCCN packets. |
| Sent STOPCCN | Number of transmitted STOPCCN packets. |
| Sent HELLO | Number of transmitted HELLO packets. |
| Sent ICRQ | Number of transmitted ICRQ packets. |
| Sent ICRP | Number of transmitted ICRP packets. |
| Sent ICCN | Number of transmitted ICCN packets. |
| Sent CDN | Number of transmitted CDN packets. |
| Rsnt SCCRQ | Number of retransmitted SCCRQ packets. |
| Rsnt SCCRP | Number of retransmitted SCCRP packets. |
| Rsnt SCCCN | Number of retransmitted SCCCN packets. |
| Rsnt STOPCCN | Number of retransmitted STOPCCN packets. |
| Rsnt HELLO | Number of retransmitted HELLO packets. |
| Rsnt ICRQ | Number of retransmitted ICRQ packets. |
| Rsnt ICRP | Number of retransmitted ICRP packets. |
| Rsnt ICCN | Number of retransmitted ICCN packets. |
| Rsnt CDN | Number of retransmitted CDN packets. |

Related commands

reset l2tp control-packet statistics
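
For monitoring, the display l2tp control-packet statistics output can be parsed into per-tunnel counters and checked for control connections that never completed. The following Python sketch is an added example, not H3C code: the function names are hypothetical, the sample output is constructed in the format shown above, and the incomplete-setup check assumes the standard L2TP control connection handshake (SCCRQ, SCCRP, SCCCN) as seen from the LNS side.

```python
import re

TUNNEL_RE = re.compile(
    r"Tunnel packet statistics: \(LocalAddr ([^,\s]+), LocalTID (\d+)\)")
COUNTER_RE = re.compile(r"(Recv|Sent|Rsnt)\s+([A-Z]+)\s*:\s*(\d+)")

def parse_control_packet_stats(text):
    """Return {scope: {(kind, message): count}}.

    scope is "summary" or a (LocalAddr, LocalTID) tuple; kind is Recv, Sent or Rsnt.
    """
    stats, scope = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = TUNNEL_RE.match(line)
        if m:
            scope = (m.group(1), int(m.group(2)))
        elif line.startswith("Summary packet statistics"):
            scope = "summary"
        elif scope is not None:
            # Each data line carries three counters: Recv, Sent and Rsnt.
            for kind, message, count in COUNTER_RE.findall(line):
                stats.setdefault(scope, {})[(kind, message)] = int(count)
    return stats

def incomplete_setups(stats):
    """Tunnels where an SCCRQ was received but no SCCCN completed the handshake."""
    return sorted(scope for scope, c in stats.items()
                  if scope != "summary"
                  and c.get(("Recv", "SCCRQ"), 0) > 0
                  and c.get(("Recv", "SCCCN"), 0) == 0)

def retransmission_totals(stats):
    """Per-tunnel sum of all Rsnt counters (unanswered or lossy peers stand out)."""
    return {scope: sum(n for (kind, _), n in c.items() if kind == "Rsnt")
            for scope, c in stats.items() if scope != "summary"}

# Constructed sample output: one established tunnel, one that never completed.
SAMPLE_OUTPUT = """\
Summary packet statistics:
Recv SCCRQ  : 2           Sent SCCRQ  : 0           Rsnt SCCRQ  : 0
Recv SCCRP  : 0           Sent SCCRP  : 2           Rsnt SCCRP  : 5
Recv SCCCN  : 1           Sent SCCCN  : 0           Rsnt SCCCN  : 0
Recv STOPCCN: 0           Sent STOPCCN: 0           Rsnt STOPCCN: 0
Recv HELLO  : 12          Sent HELLO  : 12          Rsnt HELLO  : 0
Recv ICRQ   : 3           Sent ICRQ   : 0           Rsnt ICRQ   : 0
Recv ICRP   : 0           Sent ICRP   : 3           Rsnt ICRP   : 0
Recv ICCN   : 3           Sent ICCN   : 0           Rsnt ICCN   : 0
Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

Tunnel packet statistics: (LocalAddr 192.0.2.1, LocalTID 4101)
Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 0
Recv SCCRP  : 0           Sent SCCRP  : 1           Rsnt SCCRP  : 0
Recv SCCCN  : 1           Sent SCCCN  : 0           Rsnt SCCCN  : 0
Recv STOPCCN: 0           Sent STOPCCN: 0           Rsnt STOPCCN: 0
Recv HELLO  : 12          Sent HELLO  : 12          Rsnt HELLO  : 0
Recv ICRQ   : 3           Sent ICRQ   : 0           Rsnt ICRQ   : 0
Recv ICRP   : 0           Sent ICRP   : 3           Rsnt ICRP   : 0
Recv ICCN   : 3           Sent ICCN   : 0           Rsnt ICCN   : 0
Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0

Tunnel packet statistics: (LocalAddr 192.0.2.1, LocalTID 4102)
Recv SCCRQ  : 1           Sent SCCRQ  : 0           Rsnt SCCRQ  : 0
Recv SCCRP  : 0           Sent SCCRP  : 1           Rsnt SCCRP  : 5
Recv SCCCN  : 0           Sent SCCCN  : 0           Rsnt SCCCN  : 0
Recv STOPCCN: 0           Sent STOPCCN: 0           Rsnt STOPCCN: 0
Recv HELLO  : 0           Sent HELLO  : 0           Rsnt HELLO  : 0
Recv ICRQ   : 0           Sent ICRQ   : 0           Rsnt ICRQ   : 0
Recv ICRP   : 0           Sent ICRP   : 0           Rsnt ICRP   : 0
Recv ICCN   : 0           Sent ICCN   : 0           Rsnt ICCN   : 0
Recv CDN    : 0           Sent CDN    : 0           Rsnt CDN    : 0
"""

if __name__ == "__main__":
    parsed = parse_control_packet_stats(SAMPLE_OUTPUT)
    print("incomplete setups:", incomplete_setups(parsed))
    print("retransmissions:", retransmission_totals(parsed))
```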

display l2tp packet-limit configuration

Use display l2tp packet-limit configuration to display the packet rate limit configuration on the LNS.

Syntax

display l2tp packet-limit configuration

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

You can use this command to view the l2tp sccrq-limit and l2tp icrq-limit command configuration on the LNS.

Examples

# Display the packet rate limit configuration on the LNS.

<Sysname> display l2tp packet-limit configuration

ICRQ limit: 1000 packets/sec

SCCRQ limit: 500 packets/sec minlimit: 200 packets/sec

Table 6 Command output

| Field | Description |
| --- | --- |
| ICRQ limit | Maximum number of ICRQ packets that the LNS can process per second. |
| SCCRQ limit | Maximum and minimum numbers of SCCRQ packets that the LNS can process per second. |

Related commands

l2tp icrq-limit

l2tp sccrq-limit

display l2tp packet-limit statistics

Use display l2tp packet-limit statistics to display the packet rate limit statistics on the LNS.

Syntax

display l2tp packet-limit statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the packet rate limit statistics on the LNS.

<Sysname> display l2tp packet-limit statistics

Dropped ICRQ : 0

Dropped SCCRQ: 0

Peak dropped ICRQ : 0

Peak dropped SCCRQ: 0

Table 7 Command output

| Field | Description |
| --- | --- |
| Dropped ICRQ | Number of ICRQ packets dropped on the LNS. |
| Dropped SCCRQ | Number of SCCRQ packets dropped on the LNS. |
| Peak dropped ICRQ | Peak number of ICRQ packets dropped. |
| Peak dropped SCCRQ | Peak number of SCCRQ packets dropped. |

Related commands

reset l2tp packet-limit statistics

display l2tp session

Use display l2tp session to display information about L2TP sessions.

Syntax

display l2tp session [ [ lac | lns ] [ [ local-address local-address | tunnel-id tunnel-id [ session-id session-id ] ] * | remote-address remote-address | username username ] ] [ statistics | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

lac: Specifies LACs.

lns: Specifies LNSs.

local-address local-address: Specifies a local tunnel IP address.

tunnel-id tunnel-id: Specifies a local tunnel ID in the range of 1 to 65535.

session-id session-id: Specifies a local session ID in the range of 1 to 65535.

remote-address remote-address: Specifies a remote tunnel IP address.

username username: Specifies a username, a case sensitive string of 1 to 80 characters.

statistics: Displays statistics for L2TP sessions.

verbose: Displays detailed information about L2TP sessions.

Usage guidelines

If you do not specify the statistics or verbose keyword, this command displays brief information about L2TP sessions.

Examples

# Display statistics for L2TP sessions.

<Sysname> display l2tp session statistics

Total number of sessions: 1

# Display brief information about all L2TP sessions.

<Sysname> display l2tp session

LocalSID      RemoteSID      LocalTID      State

              Username

89            36245          10878         Established

              user1@d1

Table 8 Command output

| Field | Description |
| --- | --- |
| LocalSID | Local session ID. |
| RemoteSID | Remote session ID. |
| LocalTID | Local tunnel ID. |
| State | Session state: · Idle. · Wait-tunnel—Waits for the tunnel to be established. · Wait-reply—Waits for an Incoming-Call-Reply (ICRP) message indicating the call is accepted. · Wait-connect—Waits for an Incoming-Call-Connected (ICCN) message. · Established. |
| Username | PPP username. This field is insignificant and always displays N/A in client-initiated mode or LAC-auto-initiated mode. |

# Display detailed information about an L2TP session with session ID 32502 and tunnel ID 45277.

<Sysname> display l2tp session tunnel-id 45277 session-id 32502 verbose

Local tunnel ID    : 45277

Local session ID   : 32502

Remote session ID  : 14670

PPP index          : 0xb0dd7ef6800001c1

User name          : N/A

Call serial number : 32502

LIP address        : 32768

Session mode       : LAC

Session state      : Established

Flow control       : Disabled

LAC-Auto-Initiated : Yes

Age flag           : 0

Phy interface      : N/A

Bas interface      : N/A

User trace switch  : Disabled

Table 9 Command output

| Field | Description |
| --- | --- |
| User name | PPP username. This field is insignificant and always displays N/A in client-initiated mode or LAC-auto-initiated mode. |
| Call serial number | Call number for an L2TP session. |
| LIP address | The system uses this address to record the location of an L2TP session. |
| Session mode | L2TP session modes: · LAC—L2TP sessions on LACs. · LNS—L2TP sessions on LNSs. |
| Session state | Session state: · Idle. · Wait-tunnel—Waits for the tunnel to be established. · Wait-reply—Waits for an Incoming-Call-Reply (ICRP) message indicating the call is accepted. · Wait-connect—Waits for an Incoming-Call-Connected (ICCN) message. · Established. |
| Flow control | This field is not supported in the current software version. L2TP session flow control status: · Enabled. · Disabled. |
| LAC-Auto-Initiated | Whether the LAC-Auto-Initiated tunneling mode is used: · Yes. · No. |
| Age flag | Flag for a session that ages out due to negotiation failure. When the session does not age out, this field displays 0. |
| Phy interface | Physical interface that is the incoming interface for the LNS. This field is insignificant and always displays N/A on an LAC. |
| Bas interface | BAS interface. This field is insignificant and always displays N/A on an LAC. |
| User trace switch | Service tracing object status (whether the trace access-user command is used to create a service tracing object): · Enabled. · Disabled. |

display l2tp session temporary

Use display l2tp session temporary to display information about temporary L2TP sessions.

Syntax

display l2tp session temporary

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about temporary L2TP sessions.

<Sysname> display l2tp session temporary

Total number of temporary sessions: 6

LocalSID    RemoteSID    LocalTID     LocalAddress    State

2298        0            19699        20.1.1.2        Wait-tunnel

42805       0            19699        20.1.1.2        Wait-tunnel

17777       0            19699        20.1.1.2        Wait-tunnel

58284       0            19699        20.1.1.2        Wait-tunnel

33256       0            19699        20.1.1.2        Wait-tunnel

8228        0            19699        20.1.1.2        Wait-tunnel

Table 10 Command output

| Field | Description |
| --- | --- |
| LocalSID | Local session ID. |
| RemoteSID | Remote session ID. |
| LocalTID | Local tunnel ID. |
| LocalAddress | Local tunnel IP address. |
| State | Session state: · Idle. · Wait-tunnel—Waits for the tunnel to be established. · Wait-reply—Waits for an ICRP message indicating the call is accepted. · Wait-connect—Waits for an ICCN message. |

display l2tp statistics

Use display l2tp statistics to display L2TP statistics.

Syntax

In standalone mode:

display l2tp statistics { { all | failure-reason } [ slot slot-number [ cpu cpu-number ] ] }

In IRF mode:

display l2tp statistics { { all | failure-reason } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all L2TP statistics.

failure-reason: Specifies statistics about L2TP online failure reasons and offline reasons.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Display statistics about L2TP online failure reasons and offline reasons.

<Sysname> display l2tp statistics failure-reason slot 0

L2TP failure reason statistics in slot 0:

  L2TP disabled:                                               1

  Online with RADIUS authorization while configured with VSRP: 0

  Failed to get tunnel source IP:                              0

  Failed to get L2TP group:                                    0

  Tunnel creation failed:                                      0

  Session creation failed:                                     1

  SCCRQ check success but not accept:                          1

  SCCRQ check failed:                                          0

  SCCRP check success but not accept:                          0

  Insufficient resources when process SCCRP:                   0

  SCCRP check failed:                                          0

  SCCRN check success but not accept:                          0

  Insufficient resources when process SCCRN:                   0

  SCCRN check failed:                                          0

  ICRQ check success but not accept:                           0

  ICRQ check failed:                                           0

  ICRP check success but not accept:                           0

  Insufficient resources when process ICRP:                    0

  ICRP check failed:                                           0

  ICCN check success but not accept:                           0

  Insufficient resources when process ICCN:                    0

  ICCN check failed:                                           0

  AVP message check failed:                                    0

  AVP header check failed:                                     0

  Received CDN:                                                1

  Received StopCCN:                                            0

  NS sequence number larger than expected:                     0

  NS sequence number smaller than expected:                    0

  Tunnel ACK timeout:                                          0

  Tunnel keep alive timeout:                                   1

  ICRQ limit exceeded:                                         0

  Packet illegal:                                              0

  Smoothing failed:                                            1

Table 11 Command output

| Field | Description |
| --- | --- |
| L2TP disabled | L2TP is not enabled. |
| Online with RADIUS authorization while configured with VSRP | This field is not supported in the current software version. A user comes online through RADIUS authorization when VSRP is configured. |
| Failed to get tunnel source IP | Failed to obtain the L2TP tunnel source IP. |
| Failed to get L2TP group | Failed to obtain the L2TP group. |
| Tunnel creation failed | Failed to create the L2TP tunnel. |
| Session creation failed | Failed to create the L2TP session. |
| SCCRQ check success but not accept | SCCRQ message check succeeded but the message cannot be accepted (for example, because the message carries an AVP attribute that does not meet the requirements). |
| SCCRQ check failed | SCCRQ message check failed. |
| SCCRP check success but not accept | The SCCRP message check succeeded but the message cannot be accepted. |
| Insufficient resources when process SCCRP | Insufficient resources for processing SCCRP messages. |
| SCCRP check failed | SCCRP message check failed. |
| SCCRN check success but not accept | The SCCRN message check succeeded but the message cannot be accepted. |
| Insufficient resources when process SCCRN | Insufficient resources for processing SCCRN messages. |
| SCCRN check failed | SCCRN message check failed. |
| ICRQ check success but not accept | The ICRQ message check succeeded but the message cannot be accepted. |
| ICRQ check failed | ICRQ message check failed. |
| ICRP check success but not accept | The ICRP message check succeeded but the message cannot be accepted. |
| Insufficient resources when process ICRP | Insufficient resources for processing ICRP messages. |
| ICRP check failed | ICRP message check failed. |
| ICCN check success but not accept | The ICCN message check succeeded but the message cannot be accepted. |
| Insufficient resources when process ICCN | Insufficient resources for processing ICCN messages. |
| ICCN check failed | ICCN message check failed. |
| AVP message check failed | AVP message field check failed. |
| AVP header check failed | AVP header check failed. |
| Received CDN | A user goes offline because a CDN message was received. |
| Received StopCCN | A user goes offline because a StopCCN message was received. |
| NS sequence number larger than expected | The NS of a received message was greater than expected. |
| NS sequence number smaller than expected | The NS of a received message was smaller than expected. |
| Tunnel ACK timeout | A user goes offline because the tunnel acknowledgment message timed out. |
| Tunnel keep alive timeout | A user goes offline because the tunnel keepalive timer timed out. |
| ICRQ limit exceeded | The ICRQ message exceeded the limit. |
| Packet illegal | Invalid message, for example, the L2TP message length is invalid. |
| Smoothing failed | A user goes offline because L2TP smoothing failed. |

Related commands

reset l2tp statistics
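The counters in Table 11 are most useful as increases between two captures of the command output. The following Python is an added example (not H3C software) that parses two captures of display l2tp statistics failure-reason and reports the increase per category. The category grouping, the function names, the sample captures and the alert threshold are assumptions of this example; it also assumes the counters are cumulative and return to zero after reset l2tp statistics.

```python
import re

# One counter per line: "<name>:   <value>". The header line ends in ':' with no value.
COUNTER = re.compile(r"^\s*(?P<name>\S.*?):\s+(?P<value>\d+)\s*$")

# Triage groups are this example's own, derived from the Table 11 descriptions.
CATEGORIES = [
    ("malformed", re.compile(r"check failed$|^Packet illegal$")),
    ("rejected", re.compile(r"check success but not accept$")),
    ("resources", re.compile(r"^Insufficient resources")),
    ("sequence", re.compile(r"^NS sequence number")),
    ("rate-limit", re.compile(r"^ICRQ limit exceeded$")),
    ("timeout", re.compile(r"timeout$")),
    ("peer-close", re.compile(r"^Received (CDN|StopCCN)$")),
]

# Constructed captures, abridged from the example output above.
PREV = """\
L2TP failure reason statistics in slot 0:
  L2TP disabled:                                               1
  SCCRQ check success but not accept:                          1
  SCCRQ check failed:                                          0
  AVP header check failed:                                     0
  Received CDN:                                                1
  NS sequence number smaller than expected:                    0
  Tunnel keep alive timeout:                                   1
  ICRQ limit exceeded:                                         0
  Packet illegal:                                              0
"""
CURR = """\
L2TP failure reason statistics in slot 0:
  L2TP disabled:                                               1
  SCCRQ check success but not accept:                          1
  SCCRQ check failed:                                          40
  AVP header check failed:                                     12
  Received CDN:                                                3
  NS sequence number smaller than expected:                    0
  Tunnel keep alive timeout:                                   1
  ICRQ limit exceeded:                                         250
  Packet illegal:                                              7
"""


def parse_failure_reasons(text):
    """Return {counter name: value} for every counter line in the output."""
    counters = {}
    for line in text.splitlines():
        match = COUNTER.match(line)
        if match:
            counters[match.group("name")] = int(match.group("value"))
    return counters


def categorize(name):
    """Map a counter name to a triage group, or 'other' if none applies."""
    for label, pattern in CATEGORIES:
        if pattern.search(name):
            return label
    return "other"


def category_deltas(prev, curr):
    """Sum the per-counter increases between two captures by triage group."""
    totals = {}
    for name, value in curr.items():
        delta = value - prev.get(name, 0)
        if delta < 0:
            # The counter went backwards, so it was cleared between captures:
            # everything counted since the clear is new.
            delta = value
        if delta > 0:
            label = categorize(name)
            totals[label] = totals.get(label, 0) + delta
    return totals


def alerts(prev_text, curr_text, threshold=10):
    """Return (group, increase) pairs at or above the threshold, largest first."""
    deltas = category_deltas(parse_failure_reasons(prev_text),
                             parse_failure_reasons(curr_text))
    hits = [(label, n) for label, n in deltas.items() if n >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for label, increase in alerts(PREV, CURR):
        print(f"{label}: +{increase} since previous capture")
```

A rising rate-limit or malformed group is worth correlating with Dropped ICRQ and Dropped SCCRQ in display l2tp packet-limit statistics for the same interval.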

display l2tp tunnel

Use display l2tp tunnel to display information about L2TP tunnels.

Syntax

display l2tp tunnel [ [ lac | lns ] [ group-name group-name | group-number group-number | [ local-address local-address | tunnel-id tunnel-id ] * | remote-address remote-address | tunnel-name remote-name ] ] [ statistics | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

lac: Specifies LACs.

lns: Specifies LNSs.

group-name group-name: Specifies an L2TP group by its name, a case insensitive string of 1 to 32 characters.

group-number group-number: Specifies an L2TP group by its number in the range of 1 to 65535.

local-address local-address: Specifies a local tunnel IP address.

tunnel-id tunnel-id: Specifies a local L2TP tunnel ID in the range of 1 to 65535.

remote-address remote-address: Specifies a remote tunnel IP address.

tunnel-name remote-name: Specifies a remote L2TP tunnel name, a case sensitive string of 1 to 31 characters.

statistics: Displays statistics for L2TP tunnels.

verbose: Displays detailed L2TP tunnel information.

Usage guidelines

If you do not specify the statistics or verbose keyword, this command displays brief information about L2TP tunnels.

Examples

# Display statistics for L2TP tunnels.

<Sysname> display l2tp tunnel statistics

Total number of tunnels: 1

# Display brief information about all L2TP tunnels.

<Sysname> display l2tp tunnel

LocalTID  RemoteTID   State         Sessions RemoteAddress    RemotePort

          RemoteName

10878     21          Established   1        20.1.1.2         1701

          lns

Table 12 Command output

| Field | Description |
| --- | --- |
| LocalTID | Local tunnel ID. |
| RemoteTID | Remote tunnel ID. |
| State | Tunnel state: · Idle. · Wait-reply. · Wait-connect. · Established. · Stopping. |
| Sessions | Number of sessions within the tunnel. |
| RemoteAddress | IP address of the peer. |
| RemotePort | UDP port number of the peer. |
| RemoteName | Name of the tunnel peer. |

# Display detailed information about an L2TP tunnel with tunnel ID 10878.

<Sysname> display l2tp tunnel tunnel-id 10878 verbose

Group number          : 1

Group mode            : LNS

Tunnel state          : Established

Tunnel type           : Group

Local tunnel ID       : 10878

Remote tunnel ID      : 28143

Local IP address      : 20.1.1.1 (Dynamic)

Remote IP address     : 20.1.1.2

Sessions              : 1

Send window size      : 1024

Send win lower-limit  : 5922

Send win upper-limit  : 5921

Recv window size      : 1024

Control message Nr    : 5924

Latest hello packet Ns: 5923

Recv same hello times : 0

Ack timeout times     : 0

Remote framing cap    : Both

Remote bearer cap     : Both

Remote protocol ver   : 1

Remote port           : 1701

Remote tunnel name    : LAC

Remote vendor name    : Sysname

Tunnel auth           : Disabled

Assignment ID         : N/A

Table 13 Command output

| Field | Description |
| --- | --- |
| Group number | L2TP group number. |
| Group mode | L2TP group mode: · LAC—The device acts as the LAC to initiate tunneling requests to the LNS. · LNS—The device acts as the LNS to receive tunneling requests from the LAC. |
| Tunnel state | Tunnel state: · Idle. · Wait-reply—Waits for an SCCRP message. · Wait-connect—Waits for an SCCCN message. · Established. · Stopping—Coming offline. |
| Tunnel type | Tunnel establishment methods: · Group—A tunnel can be established by creating an L2TP group. · Radius—The RADIUS server issues tunnel attributes to the LAC directly to create a tunnel. |
| Disconnection cause | L2TP tunnel disconnection causes (this field is displayed only when a tunnel is disconnected): · L2TP fail—L2TP negotiation fails. For example, error packets are received in L2TP negotiation. · L2TP cut command—The tunnel is locally disconnected. For example, the administrator executes the reset l2tp tunnel command. · L2TP peer clear—Tunnel disconnection is triggered by the peer. For example, STOPCCN packets are received from the peer. · L2TP no response—No response is received from the peer. For example, local packets are retransmitted multiple times, but no correct response packet is received. · N/A—Unknown causes. |
| Local IP address | Local tunnel IP address. (The Dynamic field is supported only on a UP backup network. This field is displayed only when the source IP address of the L2TP tunnel on the LAC is dynamically obtained from an IP address pool of the L2TP tunnel type.) In an LAC CUPS network, this field displayed on the LAC CP is the source IP address used by the peer LAC UP for establishing a tunnel and the peer LAC UP ID; this field displayed on the LNS CP is the source IP address used by the peer LNS UP for establishing a tunnel and the peer LNS UP ID. |
| Sessions | Number of sessions in this tunnel. |
| Send window size | Sending window size for an L2TP tunnel. |
| Send win lower-limit | Lower limit of the sending window size. |
| Send win upper-limit | Upper limit of the sending window size. |
| Recv window size | Receiving window size for an L2TP tunnel. |
| Control message Nr | Sequence number expected in the next control message to be received. |
| Latest hello packet Ns | Sequence number of the most recent Hello packet received. |
| Recv same hello times | Number of times Hello packets with the same sequence number were received. |
| Ack timeout times | Number of ACK timer timeouts. |
| Remote framing cap | Frame types supported, accepted, or required by the peer end: · Sync—Synchronous. · Async—Asynchronous. · Both—Synchronous and asynchronous. This field is displayed only on LNSs. |
| Remote bearer cap | Channels used by the peer end to send L2TP packets: · Digital—Digital channel. · Analog—Analogue channel. · Both—Digital and analogue channels. |
| Remote protocol ver | Remote L2TP version number. |
| Tunnel auth | L2TP tunnel authentication status: · Enabled. · Disabled. |
| Assignment ID | Assignment ID issued by AAA to identify tunnels on which sessions are carried. If AAA does not issue an assignment ID, this field displays N/A. |

Related commands

reset l2tp tunnel

display l2tp-group

Use display l2tp-group to display information about L2TP groups.

Syntax

display l2tp-group [ group-number | group-name group-name ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-number: Specifies an L2TP group by its number in the range of 1 to 65535.

group-name group-name: Specifies an L2TP group by its name, a case insensitive string of 1 to 32 characters.

verbose: Displays detailed L2TP group information. If you do not specify this keyword, this command displays brief L2TP group information.

Usage guidelines

If you do not specify any keyword or argument, this command displays brief information for all L2TP groups.

Examples

# Display brief information about all L2TP groups.

<Sysname> display l2tp-group

Group-Number   Group-Mode     Group-Name   Tunnels    Sessions

1              LNS            group1       2          20

2              LAC            N/A          3          120

3              LAC (default)  N/A          4          60

Table 14 Command output

| Field | Description |
| --- | --- |
| Group-Number | L2TP group number. |
| Group-Mode | L2TP group mode: · LAC. · LAC (default). · LNS. |
| Group-Name | L2TP group name. When the L2TP group name is null, this field displays N/A. |
| Tunnels | Number of tunnels in an L2TP group. |
| Sessions | Number of sessions in an L2TP group. |

# Display detailed information about L2TP group 1.

<Sysname> display l2tp-group 1 verbose

Group number      : 1

Group name        : lac1

Group mode        : LAC

Tunnels           : 2

Sessions          : 20

Tunnel auth       : Disabled

Local tunnel name : lac

Tunnel recv window: 1024

Tunnel send window: 0

AVP hidden        : No

Hello interval(s) : 60

IP DSCP           : 0

Flow control      : Disabled

VPN instance      : N/A

Working mode      : Master-backup

LNS IP            : 190.1.1.5 (weight 1)

                    190.1.1.6 (weight 2)

Source IP         : 0.0.0.0

Tunnel per user   : No

Trigger           : Fullusername (user1)

VSRP source IP    : 0.0.0.0

VSRP instance     : N/A

# Display detailed information about L2TP group 2.

<Sysname> display l2tp-group 2 verbose

Group number      : 2

Group name        : lns1

Group mode        : LNS

Tunnels           : 2

Sessions          : 20

Tunnel auth       : Disabled

Local tunnel name : lns

Tunnel recv window: 1024

Tunnel send window: 0

AVP hidden        : No

Hello interval(s) : 60

IP DSCP           : 0

Flow control      : Disabled

VPN instance      : N/A

Local IP address  : 190.1.1.2

Remote tunnel name: N/A

Mandatory CHAP    : No

Mandatory LCP     : No

Table 15 Command output

| Field | Description |
| --- | --- |
| Group number | L2TP group number. |
| Group name | L2TP group name. When the L2TP group name is null, this field displays N/A. |
| Group mode | L2TP group mode: · LAC—The device acts as the LAC to initiate tunneling requests to the LNS. · LAC (default). · LNS—The device acts as the LNS to receive tunneling requests from the LAC. |
| Tunnel auth | L2TP tunnel authentication status: · Enabled. · Disabled. |
| Local tunnel name | Local L2TP tunnel name. By default, the local L2TP tunnel name is the device name. |
| Tunnel recv window | Receiving window size for L2TP tunnels. |
| Tunnel send window | Sending window size for L2TP tunnels. |
| AVP hidden | Whether transferring AVP data in hidden mode is enabled: · Yes. · No. |
| Hello interval(s) | Hello intervals, in seconds. |
| IP DSCP | DSCP value of L2TP packets. |
| Flow control | This field is not supported in the current software version. L2TP session flow control status: · Enabled. · Disabled. |
| VPN instance | VPN to which a tunnel peer belongs. If a tunnel peer belongs to the public network, this field displays N/A. |
| Working mode | LAC operating mode: · Master-backup. · Load-sharing. |
| LNS IP | LNS IP address and weight configured on the LAC. The weight information is displayed only when the LAC operates in load sharing mode. |
| Source IP | L2TP tunnel source IP address, which is used as the source IP address of L2TP tunnel packets. |
| Tunnel per user | Whether each L2TP user can use an L2TP tunnel exclusively: · Yes. · No. |
| Trigger | Conditions that trigger the LAC to initiate tunneling requests to the LNS: · Domain (domain-name)—The domain name of a user matches a configured domain name. The domain-name parameter represents the configured domain name. · Fullusername (user-name)—The username of a user matches a configured full username. The user-name parameter represents the configured full username. |
| VSRP source IP | This field is not supported in the current software version. L2TP tunnel source address when VSRP is enabled. The source address is used as the source IP address of L2TP tunnel packets. If the source address does not exist, this field displays 0.0.0.0. |
| VSRP instance | This field is not supported in the current software version. VSRP instance with which the L2TP group is associated. If the L2TP group is not associated with any VSRP instance, this field displays N/A. |
| Local IP address | Local tunnel IP address. This field displays 0.0.0.0 if no local tunnel IP address is specified. |
| Remote tunnel name | Name of the tunnel peer that initiates tunneling requests. If you do not configure a name of the tunnel peer that initiates tunneling requests, this field displays N/A. |
| Mandatory CHAP | Whether the LNS is forced to perform CHAP authentication for users: · Yes. · No. |
| Mandatory LCP | Whether the LNS is forced to perform LCP negotiation with users: · Yes. · No. |

Related commands

l2tp group
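Several fields in the display l2tp-group verbose output show how strictly a group authenticates its tunnel peer and its users. The following Python is an added example (not H3C software) that parses that output and lists the groups whose values fall short of a baseline. The baseline itself, the function names and the sample output (modelled on the examples above) are assumptions of this example.

```python
import re

# "Key   : value" or "Key: value"; keys start with a letter at column 0.
FIELD = re.compile(r"^(?P<key>[A-Za-z][^:]*?)\s*:\s*(?P<val>.*\S)\s*$")

# (field, value to flag, group mode it applies to or None for both, reason).
# This baseline is the example's own policy, built from the Table 15 fields.
BASELINE = [
    ("Tunnel auth", "Disabled", None,
     "tunnel authentication is disabled"),
    ("AVP hidden", "No", None,
     "AVP data is not transferred in hidden mode"),
    ("Remote tunnel name", "N/A", "LNS",
     "no tunnel peer name is configured for incoming tunneling requests"),
    ("Mandatory CHAP", "No", "LNS",
     "the LNS is not forced to perform CHAP authentication for users"),
]

# Constructed sample output for two groups.
SAMPLE = """\
<Sysname> display l2tp-group 1 verbose
Group number      : 1
Group name        : lac1
Group mode        : LAC
Tunnel auth       : Disabled
AVP hidden        : No
LNS IP            : 190.1.1.5 (weight 1)
                    190.1.1.6 (weight 2)
Source IP         : 0.0.0.0
<Sysname> display l2tp-group 2 verbose
Group number      : 2
Group name        : lns1
Group mode        : LNS
Tunnel auth       : Enabled
AVP hidden        : No
Local IP address  : 190.1.1.2
Remote tunnel name: N/A
Mandatory CHAP    : Yes
Mandatory LCP     : No
"""


def parse_groups(text):
    """Split verbose output into one dict per group, keyed by field name."""
    groups, current, last_key = [], None, None
    for raw in text.splitlines():
        match = FIELD.match(raw)
        if match:
            key, val = match.group("key"), match.group("val")
            if key == "Group number":      # every record starts with this field
                current = {}
                groups.append(current)
            if current is not None:
                current[key] = val
                last_key = key
        elif raw[:1].isspace() and raw.strip() and current is not None and last_key:
            # Indented line without a key: continuation of the previous value,
            # as with the second LNS IP entry.
            current[last_key] += ", " + raw.strip()
    return groups


def audit(groups):
    """Return (group number, field, reason) for each value the baseline flags."""
    findings = []
    for group in groups:
        mode = group.get("Group mode", "")
        for field, flagged, only_mode, reason in BASELINE:
            if only_mode and not mode.startswith(only_mode):
                continue
            if group.get(field) == flagged:
                findings.append((group["Group number"], field, reason))
    return findings


if __name__ == "__main__":
    for number, field, reason in audit(parse_groups(SAMPLE)):
        print(f"group {number}: {field}: {reason}")
```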

interface virtual-ppp

Use interface virtual-ppp to create a virtual PPP interface and enter its view, or enter the view of an existing virtual PPP interface.

Use undo interface virtual-ppp to delete a virtual PPP interface.

Syntax

interface virtual-ppp interface-number

undo interface virtual-ppp interface-number

Default

No virtual PPP interface exists.

Views

System view

Predefined user roles

network-admin

Parameters

interface-number: Specifies a virtual PPP interface by its number in the range of 0 to 255.

Usage guidelines

A virtual PPP interface is required on the LAC for establishing an LAC-auto-initiated L2TP tunnel.

Examples

# Create Virtual-PPP 10 and enter its view.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10]

ip dscp

Use ip dscp to set the DSCP value of L2TP packets.

Use undo ip dscp to restore the default.

Syntax

ip dscp dscp-value

undo ip dscp

Default

The DSCP value of L2TP packets is 0.

Views

L2TP group view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value of L2TP packets, in the range of 0 to 63.

Usage guidelines

The DSCP field is the first 6 bits of the IP ToS byte. This field marks the priority of IP packets for forwarding. This command sets the DSCP value for the IP packet when L2TP encapsulates a PPP frame into an IP packet.

Examples

# Set the DSCP value of L2TP packets to 50.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] ip dscp 50

l2tp aging

Use l2tp aging to configure the time for which a LAC locks LNSs.

Use undo l2tp aging to restore the default.

Syntax

l2tp aging seconds

undo l2tp aging

Default

A LAC locks LNSs for 300 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the time for which a LAC locks LNSs, in the range of 1 to 3600 seconds.

Usage guidelines

If a LAC fails to establish an L2TP tunnel to an LNS, the LAC will lock the LNS for a period of time. Within the locking period, the LAC will not try to establish an L2TP tunnel to the LNS. After the locking period times out, the LAC will try to establish an L2TP tunnel to the LNS again.

This command takes effect only on newly locked LNSs and does not affect LNSs that have already been locked.

Examples

# Configure the LAC to lock LNSs for 200 seconds.

<Sysname> system-view

[Sysname] l2tp aging 200

Related commands

display l2tp aging

lns-ip

reset l2tp aging

l2tp enable

Use l2tp enable to enable L2TP.

Use undo l2tp enable to disable L2TP.

Syntax

l2tp enable

undo l2tp enable

Default

L2TP is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For L2TP configurations to take effect, you must enable L2TP.

When UDP port number 1701 for L2TP is used by other services on the device, L2TP will fail to be enabled. To view the UDP port usage information, execute the display udp command. For more information about the display udp command, see IP performance optimization commands in Layer 3—IP Services Command Reference.

You cannot enable L2TP on a device configured to operate in user plane mode by using the work-mode user-plane command.

Examples

# Enable L2TP.

<Sysname> system-view

[Sysname] l2tp enable

Related commands

work-mode user-plane (BRAS Services Command Reference)  

l2tp icrq-limit

Use l2tp icrq-limit to set the maximum number of incoming call request (ICRQ) packets that the LNS can process per second.

Use undo l2tp icrq-limit to restore the default.

Syntax

l2tp icrq-limit number

undo l2tp icrq-limit

Default

The maximum number of ICRQ packets that the LNS can process per second is not limited on a device.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the ICRQ packet processing limit in the range of 1 to 60000.

Usage guidelines

To avoid device performance degradation and make sure the LNS can process ICRQ requests correctly, use this command to adjust the ICRQ packet processing rate limit.

Examples

# Set the maximum number of ICRQ packets that the LNS can process per second to 200.

<Sysname> system-view

[Sysname] l2tp icrq-limit 200

l2tp sccrq-limit

Use l2tp sccrq-limit to set the maximum number and minimum number of start control connection request (SCCRQ) packets that the LNS can process per second.

Use undo l2tp sccrq-limit to restore the default.

Syntax

l2tp sccrq-limit max-number [ minimum min-number ]

undo l2tp sccrq-limit

Default

The maximum number and minimum number of SCCRQ packets that the LNS can process per second are not limited.

Views

System view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of SCCRQ packets that can be processed per second, in the range of 1 to 10000. The maximum number cannot be smaller than the minimum number.

minimum min-number: Specifies the minimum number of SCCRQ packets that can be processed per second, in the range of 1 to 10000. The default is 1.

Usage guidelines

If multiple LACs are connected to one LNS, the LACs might send L2TP tunnel establishment requests at the same time. A large number of session establishment requests are also sent through each tunnel. In this case, you can specify the maximum number and minimum number of SCCRQ packets that the LNS can process per second.

·     If the maximum number is too large, the LNS device performance is affected, and users cannot come online because the LNS fails to process request packets in a timely manner.

·     If the minimum number is too small, users cannot come online because a large number of request packets cannot be processed in a timely manner.

To avoid device performance degradation and ensure that the LNS can process SCCRQ requests correctly, set the maximum number and minimum number according to the actual conditions.

With this command executed, the device increases the number of SCCRQ packets processed per second gradually from the minimum number to the maximum number through a certain algorithm rather than immediately using the maximum number for rate limiting. Before the number of SCCRQ packets processed per second reaches the maximum number, SCCRQ packets might be dropped even when the number of SCCRQ packets received per second is smaller than the maximum number.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the maximum number and minimum number of SCCRQ packets that the LNS can process per second to 500 and 200, respectively.

<Sysname> system-view

[Sysname] l2tp sccrq-limit 500 minimum 200

l2tp session-threshold

Use l2tp session-threshold to configure the online L2TP session count alarm thresholds on the device.

Use undo l2tp session-threshold to restore the default.

Syntax

l2tp session-threshold { lower-limit lower-limit-value | upper-limit upper-limit-value }

undo l2tp session-threshold { lower-limit | upper-limit }

Default

The upper online L2TP session count alarm threshold is 100, and the lower online L2TP session count alarm threshold is 0.

Views

System view

Predefined user roles

network-admin

Parameters

lower-limit lower-limit-value: Specifies the lower online L2TP session count alarm threshold in the range of 0 to 99. The configured value is a percentage of the maximum number of online L2TP sessions allowed.

upper-limit upper-limit-value: Specifies the upper online L2TP session count alarm threshold in the range of 1 to 100. The configured value is a percentage of the maximum number of online L2TP sessions allowed.

Usage guidelines

(In standalone mode.) The online L2TP session count on the device refers to the total number of online L2TP sessions on the device.

(In IRF mode.) The online L2TP session count on the device refers to the total number of online L2TP sessions on the whole IRF system.

You can use this command to set the upper alarm threshold and lower alarm threshold for the online L2TP session count. When the online L2TP session count exceeds the upper alarm threshold or drops below the lower threshold, an alarm is triggered automatically, so the administrator can promptly learn the online user conditions of the network. Additionally, the administrator can use the display l2tp session statistics command to view the total number of online L2TP sessions.

Suppose the maximum number of online L2TP sessions allowed on the device is a, the upper alarm threshold is b, and the lower alarm threshold is c. The following rules apply:

·     When the online L2TP session count exceeds a×b or drops below a×c, the corresponding alarm information is output.

·     When the online L2TP session count returns between the upper alarm threshold and lower alarm threshold, the alarm clearing information is output.

In some special cases, the online L2TP session count changes frequently around a threshold, which causes alarm information and alarm clearing information to be output frequently. To avoid this problem, the system introduces a buffer area that applies when the online L2TP session count recovers from the upper or lower threshold. The buffer area size is 10% of the difference between the upper threshold and the lower threshold. Suppose the buffer area size is d. Then, d=a×(b-c)÷10. When the online L2TP session count drops below a×b-d or exceeds a×c+d, the alarm clearing information is output.

For example, suppose a is 1000, b is 80%, and c is 20%. Then, d= a×(b-c)÷10=1000×(80%-20%)÷10=1000×60%÷10=600÷10=60.

·     When the online L2TP session count exceeds the upper threshold a×b=1000×80%=800, the upper threshold alarm is output. When the online L2TP session count falls back below a×b-d=800-60=740, the alarm clearing information is output.

·     When the online L2TP session count drops below the lower threshold a×c=1000×20%=200, the lower threshold alarm is output. When the online L2TP session count rises back above a×c+d=200+60=260, the alarm clearing information is output.
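The alarm and clearing rules above can be modeled as a small state machine. The following Python sketch is an added example, not H3C code; the class name, event labels, and sample session counts are constructed for illustration, and the use_buffer switch exists only to compare behavior with and without the buffer area.

```python
# Added illustration of the l2tp session-threshold alarm rules; not H3C code.
from dataclasses import dataclass


@dataclass
class SessionThresholdMonitor:
    max_sessions: int        # a: maximum number of online L2TP sessions allowed
    upper_pct: int = 100     # b: upper-limit value (default stated on the page)
    lower_pct: int = 0       # c: lower-limit value (default stated on the page)
    use_buffer: bool = True  # False models bare thresholds, for comparison only
    upper_active: bool = False
    lower_active: bool = False

    def __post_init__(self):
        if not 1 <= self.upper_pct <= 100:
            raise ValueError("upper-limit must be in the range of 1 to 100")
        if not 0 <= self.lower_pct <= 99:
            raise ValueError("lower-limit must be in the range of 0 to 99")

    def observe(self, count):
        """Feed one session-count sample and return the events it triggers."""
        # All values are scaled by 1000 so percentages stay in integer math.
        sample = count * 1000
        upper = self.max_sessions * self.upper_pct * 10   # a*b
        lower = self.max_sessions * self.lower_pct * 10   # a*c
        d = 0
        if self.use_buffer:
            d = self.max_sessions * (self.upper_pct - self.lower_pct)  # a*(b-c)/10
        events = []
        if self.upper_active:
            if sample < upper - d:        # must fall below a*b-d to clear
                self.upper_active = False
                events.append("upper-clear")
        elif sample > upper:              # must exceed a*b to alarm
            self.upper_active = True
            events.append("upper-alarm")
        if self.lower_active:
            if sample > lower + d:        # must rise above a*c+d to clear
                self.lower_active = False
                events.append("lower-clear")
        elif sample < lower:              # must drop below a*c to alarm
            self.lower_active = True
            events.append("lower-alarm")
        return events


def replay(counts, **settings):
    """Run a series of session counts and list (count, event) pairs."""
    monitor = SessionThresholdMonitor(**settings)
    return [(c, e) for c in counts for e in monitor.observe(c)]


# Constructed samples using the page's values: a=1000, b=80, c=20, so d=60.
PAGE_VALUES = dict(max_sessions=1000, upper_pct=80, lower_pct=20)
SAMPLES = [500, 801, 790, 805, 760, 739, 199, 230, 261]
FLAPPING = [799, 801, 799, 801, 799, 801]   # count hovering around a*b=800

if __name__ == "__main__":
    for count, event in replay(SAMPLES, **PAGE_VALUES):
        print(count, event)
    print("events with buffer area:   ", len(replay(FLAPPING, **PAGE_VALUES)))
    print("events without buffer area:",
          len(replay(FLAPPING, use_buffer=False, **PAGE_VALUES)))
```

When sizing log and trap handling on the NMS, note that a count hovering just around a threshold produces a single alarm with the buffer area, not one alarm per crossing.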

The upper threshold alarm information output and the alarm clearing information output both contain logs and traps. For traps to be correctly sent to the NMS host, you must execute the snmp-agent trap enable user-warning-threshold command in addition to configuring the SNMP alarm feature correctly.

Examples

# Set the upper online L2TP session count threshold to 80% on the device.

<Sysname> system-view

[Sysname] l2tp session-threshold upper-limit 80

Related commands

snmp-agent trap enable user-warning-threshold (BRAS Services Command Reference)

l2tp tsa-id

Use l2tp tsa-id to set the TSA ID for the L2TP tunnel switching (LTS) device and enable L2TP loop detection on the LTS device.

Use undo l2tp tsa-id to restore the default.

Syntax

l2tp tsa-id tsa-id

undo l2tp tsa-id

Default

The TSA ID of the LTS device is not set, and L2TP loop detection is disabled on the LTS device.

Views

System view

Predefined user roles

network-admin

Parameters

tsa-id: Specifies a TSA ID that uniquely identifies the LTS device. This argument is a case-sensitive string of 1 to 64 characters.

Usage guidelines

The LTS device compares the configured TSA ID with each TSA ID Attribute Value Pair (AVP) in a received ICRQ packet for loop detection.

·     If a match is found, a loop exists. The LTS immediately tears down the session.

·     If no match is found, the LTS performs the following operations:

a.     Encapsulates the configured TSA ID into a new TSA ID AVP.

b.     Appends the new TSA ID AVP to the packet.

c.     Sends the packet to the next hop LTS.

To avoid loop detection errors, make sure the TSA ID of each LTS device is unique.
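The following Python sketch is an added example, not H3C code, that walks an ICRQ through a chain of LTS devices using the comparison and append rules above. The device names, topologies, and hop limit are constructed, and the behavior of an LTS without a TSA ID (forwarding without a check or a new AVP) is an assumption based on the stated default.

```python
# Added illustration of the TSA ID loop check described for l2tp tsa-id.
# Device names, topology dictionaries and the hop limit are constructed.

def lts_process(tsa_id, received_avps):
    """One LTS hop: return the TSA ID AVP list to send on, or None to tear down."""
    if tsa_id is None:
        # Default on the page: no TSA ID set, loop detection disabled.
        # Assumption: the ICRQ is switched on without a check or a new AVP.
        return list(received_avps)
    if tsa_id in received_avps:      # exact, case-sensitive comparison
        return None                  # match found: loop, tear down the session
    return list(received_avps) + [tsa_id]


def trace_icrq(first_hop, next_hop, tsa_ids, max_hops=16):
    """Follow an ICRQ from first_hop; return (outcome, device, avps seen there)."""
    device, avps = first_hop, []
    for _ in range(max_hops):
        if device not in next_hop:   # no onward tunnel: this device is the LNS
            return ("delivered", device, avps)
        forwarded = lts_process(tsa_ids.get(device), avps)
        if forwarded is None:
            return ("torn-down", device, avps)
        device, avps = next_hop[device], forwarded
    return ("hop-limit", device, avps)   # simulation guard, not a device feature


# Constructed topologies: each key is an LTS, each value its next hop.
CHAIN = {"LTS-A": "LTS-B", "LTS-B": "LNS"}
LOOP = {"LTS-A": "LTS-B", "LTS-B": "LTS-C", "LTS-C": "LTS-A"}

UNIQUE_IDS = {"LTS-A": "lts0", "LTS-B": "lts1", "LTS-C": "lts2"}
DUPLICATE_IDS = {"LTS-A": "lts0", "LTS-B": "lts0"}   # misconfiguration
CASE_DIFFERS = {"LTS-A": "lts0", "LTS-B": "LTS0"}    # distinct: case-sensitive

if __name__ == "__main__":
    print(trace_icrq("LTS-A", CHAIN, UNIQUE_IDS))     # reaches the LNS
    print(trace_icrq("LTS-A", LOOP, UNIQUE_IDS))      # loop caught at LTS-A
    print(trace_icrq("LTS-A", CHAIN, DUPLICATE_IDS))  # false loop at LTS-B
    print(trace_icrq("LTS-A", LOOP, {}))              # no TSA IDs: never caught
```

The DUPLICATE_IDS case shows why the TSA ID must be unique: a loop-free path is torn down at the second device that carries the same ID.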

Examples

# Set the TSA ID of the LTS device to lts0, and enable L2TP loop detection on the LTS device.

<Sysname> system-view

[Sysname] l2tp tsa-id lts0

l2tp tunnel-id

Use l2tp tunnel-id to specify an L2TP tunnel ID range.

Use undo l2tp tunnel-id to restore the default.

Syntax

l2tp tunnel-id low-id high-id

undo l2tp tunnel-id

Default

The L2TP tunnel ID is in the range of 1 to 65535.

Views

System view

Predefined user roles

network-admin

Parameters

low-id: Specifies the lower limit of the L2TP tunnel ID. The value range is 1 to 65535.

high-id: Specifies the upper limit of the L2TP tunnel ID. The value range is 1 to 65535. The upper limit must be greater than or equal to the lower limit.

Usage guidelines

You cannot change the L2TP tunnel ID range for an LAC when it has an L2TP tunnel.

Examples

# Specify an L2TP tunnel ID range from 1 to 200 on the LAC.

<Sysname> system-view

[Sysname] l2tp tunnel-id 1 200

l2tp-auto-client

Use l2tp-auto-client to trigger an LAC to automatically establish an L2TP tunnel.

Use undo l2tp-auto-client to delete the automatically established L2TP tunnel.

Syntax

l2tp-auto-client l2tp-group group-number

undo l2tp-auto-client

Default

An LAC does not automatically establish an L2TP tunnel.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Parameters

l2tp-group group-number: Specifies an L2TP group by its number in the range of 1 to 65535. The LAC uses tunnel parameters of the L2TP group to establish the tunnel.

Usage guidelines

For this command to take effect, make sure the L2TP group is an existing one in LAC mode.

After this command is executed, the LAC will immediately start L2TP tunnel establishment.

·     If L2TP tunnel establishment fails but the LNS locking conditions are not met, the LAC will periodically send L2TP tunnel establishment requests to the LNS until the L2TP tunnel is successfully established.

·     If the LNS locking conditions are met when the L2TP tunnel is still not established, the LAC will lock the LNS for a period of time. Within the locking period, the LAC will not try to establish an L2TP tunnel to the LNS. After the LNS locking period times out, the LAC will repeat the steps above to try to establish an L2TP tunnel to the LNS again.

An L2TP tunnel automatically established in LAC-auto-initiated mode exists until you delete the tunnel by using the undo l2tp-auto-client or reset l2tp tunnel command.

Examples

# Trigger the LAC to automatically establish an L2TP tunnel by using the tunnel parameters of L2TP group 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 1

[Sysname-Virtual-PPP1] l2tp-auto-client l2tp-group 10

Related commands

l2tp aging

l2tp-group

l2tp-group

Use l2tp-group to create an L2TP group and enter its view, or enter the view of an existing L2TP group.

Use undo l2tp-group to delete an L2TP group.

Syntax

l2tp-group group-number [ group-name group-name ] [ mode { lac | lns } ]

undo l2tp-group group-number

Default

No L2TP group exists.

Views

System view

Predefined user roles

network-admin

Parameters

group-number: Specifies an L2TP group by its number in the range of 1 to 65535.

group-name group-name: Specifies an L2TP group name, a case insensitive string of 1 to 32 characters. If you do not specify this option, the created L2TP group does not have a name.

mode: Specifies a mode for the L2TP group.

lac: Specifies the LAC mode.

lns: Specifies the LNS mode.

Usage guidelines

To create a new L2TP group, you must specify the mode keyword. To enter the view of an existing L2TP group, you do not need to specify this keyword.

In L2TP group view, you can configure L2TP tunnel parameters, such as tunnel authentication.

A device can have L2TP groups in both LAC and LNS modes at the same time.

Examples

# Create L2TP group 2 with group name g1 in LAC mode, and enter its view.

<Sysname> system-view

[Sysname] l2tp-group 2 group-name g1 mode lac

[Sysname-l2tp2]

Related commands

allow l2tp

lns-ip

user

lns-ip

Use lns-ip to specify LNS IP addresses on an LAC.

Use undo lns-ip to remove the specified LNS IP addresses on an LAC.

Syntax

lns-ip { ip-address [ weight lns-weight ] }&<1-5>

undo lns-ip

Default

No LNS IP addresses are specified on an LAC.

Views

L2TP group (LAC mode) view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the LNS IP address.

weight lns-weight: Specifies the LNS weight in the range of 1 to 10. The default is 5. A greater value indicates a higher priority. The parameter configuration takes effect only when the LAC operates in load sharing mode.

&<1-5> indicates that you can enter the ip-address [ weight lns-weight ] parameter for a maximum of five times.

Usage guidelines

An LAC can operate in master/backup mode or load sharing mode.

In master/backup mode, when the lns-ip command is executed to configure multiple LNS addresses, the LAC tries to establish a connection to an LNS in the LNS address configuration order until a connection to an LNS is successfully established. The LNS that successfully establishes a connection is called the master LNS, and the other LNSs are backup LNSs. An LAC does not try to establish a connection to a backup LNS until the master LNS fails.

In load sharing mode, when the lns-ip command is executed to configure multiple LNS addresses, the LAC distributes the L2TP services among the specified LNSs according to their weights.

If you execute this command multiple times for an L2TP group, the most recent configuration takes effect.

Examples

# Specify the LNS IP address as 202.1.1.1.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] lns-ip 202.1.1.1

Related commands

tunnel load-sharing

mandatory-chap

Use mandatory-chap to force the LNS to perform CHAP authentication for users.

Use undo mandatory-chap to restore the default.

Syntax

mandatory-chap

undo mandatory-chap

Default

An LNS does not perform CHAP authentication for users.

Views

L2TP group (LNS mode) view

Predefined user roles

network-admin

Usage guidelines

The LNS uses the LAC as an authentication proxy. The LAC sends the LNS all user authentication information from users and the authentication method configured on the LAC itself. The LNS then checks the user validity according to the received information and the locally configured authentication method.

When mandatory CHAP authentication is configured, a user who depends on an LAC to initiate tunneling requests is authenticated by both the LAC and the LNS for increased security. Some users might not support the authentication on the LNS. In this situation, do not configure this command, because CHAP authentication on the LNS will fail.

This command takes effect only on NAS-initiated L2TP tunnels.

The mandatory-lcp command takes precedence over this command. If both commands are configured for an L2TP group, the LNS performs LCP renegotiation with the user.

Examples

# Force the LNS to perform CHAP authentication for users.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lns

[Sysname-l2tp1] mandatory-chap

Related commands

mandatory-lcp

mandatory-lcp

Use mandatory-lcp to force an LNS to perform LCP negotiation with users.

Use undo mandatory-lcp to restore the default.

Syntax

mandatory-lcp

undo mandatory-lcp

Default

An LNS does not perform LCP negotiation with users.

Views

L2TP group (LNS mode) view

Predefined user roles

network-admin

Usage guidelines

By default, to establish a NAS-initiated tunnel, the user performs LCP negotiation with the LAC. If the negotiation succeeds, the LAC initiates a tunneling request and sends the negotiation results (including authentication information) to the LNS. Then, the LNS determines whether the user is valid based on the information received instead of performing LCP renegotiation with the user.

If you do not expect the LNS to accept LCP negotiation parameters, configure this command to perform an LCP negotiation between the LNS and the user. In this case, the information sent by the LAC will be ignored.

Some users might not support LCP negotiation. In this case, do not configure this command because LCP negotiation will fail.

This command takes effect only on NAS-initiated L2TP tunnels.

This command takes precedence over the mandatory-chap command. If both commands are configured for an L2TP group, the LNS performs LCP negotiation with the user.

Examples

# Force an LNS to perform LCP negotiation with users.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lns

[Sysname-l2tp1] mandatory-lcp

Related commands

mandatory-chap

mtu

Use mtu to set the MTU size of an interface.

Use undo mtu to restore the default.

Syntax

mtu size

undo mtu

Default

The MTU size of a virtual PPP interface is 1500 bytes.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Parameters

size: Specifies the MTU size in bytes. The value range is 128 to 1500.

Usage guidelines

The MTU size of an interface affects the fragmentation and reassembly of IP packets on the interface.

For the configured MTU size to take effect, you must execute the shutdown command and then the undo shutdown command on the interface.

Examples

# Set the MTU size of Virtual-PPP 10 to 1400 bytes.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] mtu 1400

reset counters interface virtual-ppp

Use reset counters interface virtual-ppp to clear the statistics for virtual PPP interfaces.

Syntax

reset counters interface [ virtual-ppp [ interface-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

virtual-ppp [ interface-number ]: Specifies a virtual PPP interface by its number in the range of 0 to 255. If you specify neither virtual-ppp nor interface-number, this command clears the statistics for all interfaces. If you specify virtual-ppp but not interface-number, this command clears the statistics for all virtual PPP interfaces. If you specify both virtual-ppp and interface-number, this command clears the statistics for the specified virtual PPP interface.

Usage guidelines

Use this command to clear history statistics if you want to collect traffic statistics for a specific time period.

Examples

# Clear the statistics for Virtual-PPP 10.

<Sysname> reset counters interface virtual-ppp 10

reset l2tp aging

Use reset l2tp aging to clear the locking state of LNSs.

Syntax

reset l2tp aging [ ip-address [ vpn-instance vpn-instance-name ] ]

Views

User view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an LNS by its IP address. If you do not specify this option, the command clears the locking state of all LNSs.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the LNS resides on the public network.

Usage guidelines

By default, once an LNS is locked after the locking conditions are met, the LNS remains locked until the locking period times out. During the locking period, the LAC does not try to establish an L2TP tunnel to the LNS.

Execute this command to manually clear the locking state of an LNS. Then, the LAC can try to establish an L2TP tunnel to this LNS when necessary.

Examples

# Clear the locking state of LNS at IP address 1.1.1.2.

<Sysname> reset l2tp aging 1.1.1.2

Related commands

display l2tp aging

l2tp aging

reset l2tp control-packet statistics

Use reset l2tp control-packet statistics to clear L2TP protocol packet statistics.

Syntax

reset l2tp control-packet statistics [ summary | tunnel [ tunnel-id ] ]

Views

User view

Predefined user roles

network-admin

Parameters

summary: Clears summary L2TP protocol packet statistics for all L2TP tunnels.

tunnel [ tunnel-id ]: Specifies L2TP tunnels. The value range for the tunnel-id argument is 1 to 65535. If you specify an L2TP tunnel, this command clears L2TP protocol packet statistics for the specified L2TP tunnel. If you specify only the tunnel keyword, this command clears detailed L2TP protocol packet statistics for all L2TP tunnels.

Usage guidelines

If you do not specify any keyword or argument, the command clears both summary and detailed L2TP protocol packet statistics for all L2TP tunnels.

Examples

# Clear both summary and detailed L2TP protocol packet statistics for all L2TP tunnels.

<Sysname> reset l2tp control-packet statistics

Related commands

display l2tp control-packet statistics

reset l2tp packet-limit statistics

Use reset l2tp packet-limit statistics to clear packet rate limit statistics on the LNS.

Syntax

reset l2tp packet-limit statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear packet rate limit statistics on the LNS.

<Sysname> reset l2tp packet-limit statistics

Related commands

display l2tp packet-limit statistics

reset l2tp statistics

Use reset l2tp statistics to clear L2TP statistics.

Syntax

In standalone mode:

reset l2tp statistics { { all | failure-reason } [ slot slot-number [ cpu cpu-number ] ] }

In IRF mode:

reset l2tp statistics { { all | failure-reason } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all L2TP statistics.

failure-reason: Specifies statistics about L2TP online failure reasons and offline reasons.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears entries on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears entries on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

In a VSRP network, you can clear the L2TP VSRP statistics on both the master and backup devices.

Examples

# Clear all L2TP statistics.

<Sysname> reset l2tp statistics all

Related commands

display l2tp statistics

reset l2tp tunnel

Use reset l2tp tunnel to disconnect tunnels and all sessions within the tunnels.

Syntax

reset l2tp tunnel [ [ local-address local-address | tunnel-id tunnel-id ] * | tunnel-name remote-name ]

Views

User view

Predefined user roles

network-admin

Parameters

local-address local-address: Specifies a local tunnel IP address.

tunnel-id tunnel-id: Specifies a tunnel by its local ID in the range of 1 to 65535.

tunnel-name remote-name: Specifies L2TP tunnels by the tunnel peer name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

When the number of user connections is 0 or a network fault occurs, you can disconnect the L2TP tunnel by using this command on either the LAC or LNS. After the tunnel is disconnected, all sessions within it are disconnected.

If you specify a tunnel peer name, all tunnels with the tunnel peer name will be disconnected. If no tunnel with the tunnel peer name exists, nothing happens.

A tunnel disconnected by force can be re-established when a client makes a call.

If you do not specify any parameter, this command disconnects all L2TP tunnels on the device.

Examples

# Disconnect all tunnels with the tunnel peer name of aaa.

<Sysname> reset l2tp tunnel tunnel-name aaa

Related commands

display l2tp tunnel

shutdown

Use shutdown to shut down a virtual PPP interface.

Use undo shutdown to bring up a virtual PPP interface.

Syntax

shutdown

undo shutdown

Default

A virtual PPP interface is up.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Usage guidelines

Shutting down a virtual PPP interface with this command disables the L2TP functions that depend on that interface. As a best practice, make sure you know the impact on the network before using this command.

Examples

# Shut down Virtual-PPP 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] shutdown

snmp-agent trap enable l2tp

Use snmp-agent trap enable l2tp to enable SNMP notifications for L2TP session addition failure.

Use undo snmp-agent trap enable l2tp to disable SNMP notifications for L2TP session addition failure.

Syntax

snmp-agent trap enable l2tp [ add-session-failed ]

undo snmp-agent trap enable l2tp [ add-session-failed ]

Default

SNMP notifications are disabled for L2TP session addition failure.

Views

System view

Predefined user roles

network-admin

Parameters

add-session-failed: Enables SNMP notifications for L2TP session addition failure.

Usage guidelines

With SNMP notifications enabled for L2TP session addition failure, when an L2TP session fails to be added on the device (for example, because the number of existing L2TP sessions has exceeded the maximum value allowed), traps will be generated. The generated traps are sent to the SNMP module of the device. You can specify how the traps are output through setting the trap output parameters in SNMP. For more information about traps, see SNMP configuration in Network Management and Monitoring Configuration Guide.

Both the snmp-agent trap enable l2tp command and the snmp-agent trap enable l2tp add-session-failed command can enable SNMP notifications for L2TP session addition failure.

Examples

# Enable SNMP notifications for L2TP session addition failure.

<Sysname> system-view

[Sysname] snmp-agent trap enable l2tp add-session-failed

source-ip

Use source-ip to configure the source IP address of L2TP tunnel packets.

Use undo source-ip to restore the default.

Syntax

source-ip ip-address

undo source-ip

Default

The source IP address of L2TP tunnel packets is the IP address of the egress interface.

Views

L2TP group (LAC mode) view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the source IP address of L2TP tunnel packets.

Usage guidelines

For high availability, as a best practice, use the IP address of a loopback interface as the source IP address of L2TP tunnel packets.

Examples

# Configure the source IP address of L2TP tunnel packets as 2.2.2.2.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] source-ip 2.2.2.2

tunnel authentication

Use tunnel authentication to enable L2TP tunnel authentication.

Use undo tunnel authentication to disable L2TP tunnel authentication.

Syntax

tunnel authentication

undo tunnel authentication

Default

L2TP tunnel authentication is enabled.

Views

L2TP group (LAC mode) view

L2TP group (LNS mode) view

Predefined user roles

network-admin

Usage guidelines

Tunnel authentication prevents the local end from establishing L2TP tunnels with unauthorized remote ends.

You can enable tunnel authentication on both sides or either side.

To ensure a successful tunnel establishment when tunnel authentication is enabled on both sides or either side, set the same non-null key on the LAC and the LNS. To set the tunnel authentication key, use the tunnel password command.

When neither side is enabled with tunnel authentication, the key settings of the LAC and the LNS do not affect the tunnel establishment.

For tunnel security, enable tunnel authentication.

Examples

# Enable L2TP tunnel authentication.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel authentication

Related commands

tunnel password

tunnel avp-hidden

Use tunnel avp-hidden to enable transferring AVP data in hidden mode.

Use undo tunnel avp-hidden to restore the default.

Syntax

tunnel avp-hidden

undo tunnel avp-hidden

Default

AVP data is transferred over the tunnel in plaintext mode.

Views

L2TP group (LAC mode) view

Predefined user roles

network-admin

Usage guidelines

L2TP uses AVPs to transmit tunnel negotiation parameters, session negotiation parameters, and user authentication information. This feature can hide sensitive AVP data, such as user passwords. This feature encrypts AVP data with the key configured by using the tunnel password command before transmission.

The tunnel avp-hidden command does not take effect on L2TP groups in LNS mode in the current software version.

For this command to take effect, you must enable tunnel authentication by using the tunnel authentication command.
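The following Python sketch is an added example, not H3C code, of how an AVP value is hidden with the shared tunnel key. It follows the standard hidden-AVP procedure in RFC 2661 section 4.3; that the device uses this procedure is an assumption. The attribute number 33 (Proxy Authen Response in RFC 2661), the random vector, and the sample values are constructed, and the key yougotit is the sample key from the tunnel password example.

```python
# Added illustration of hidden AVPs per RFC 2661 section 4.3; not H3C code.
# Assumption: the device hides AVPs this way with the tunnel password key.
import hashlib
import os
import struct

PROXY_AUTHEN_RESPONSE = 33   # AVP attribute number in RFC 2661
BLOCK = 16                   # MD5 digest size in octets


def _xor_stream(attr_type, secret, random_vector, data, encrypting):
    """XOR data with the chained MD5 key stream defined by the RFC."""
    # First block key: MD5(attribute number + shared secret + random vector).
    key = hashlib.md5(struct.pack("!H", attr_type) + secret + random_vector).digest()
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        mixed = bytes(a ^ b for a, b in zip(chunk, key))
        out += mixed
        # Later block keys: MD5(shared secret + previous ciphertext block).
        cipher_block = mixed if encrypting else chunk
        key = hashlib.md5(secret + cipher_block).digest()
    return bytes(out)


def hide_avp_value(attr_type, secret, random_vector, value):
    """Build the hidden subformat (length, value, padding) and encrypt it."""
    sub = struct.pack("!H", len(value)) + value
    sub += os.urandom(-len(sub) % BLOCK)   # padding conceals the real length
    return _xor_stream(attr_type, secret, random_vector, sub, encrypting=True)


def unhide_avp_value(attr_type, secret, random_vector, hidden):
    """Decrypt a hidden AVP value and strip the length field and padding."""
    sub = _xor_stream(attr_type, secret, random_vector, hidden, encrypting=False)
    if len(sub) < 2:
        raise ValueError("hidden AVP value is too short")
    (length,) = struct.unpack("!H", sub[:2])
    if length > len(sub) - 2:
        raise ValueError("length field exceeds data: wrong key or corrupt AVP")
    return sub[2:2 + length]


if __name__ == "__main__":
    key = b"yougotit"                 # sample key from the tunnel password example
    vector = os.urandom(16)           # sent in clear in the Random Vector AVP
    secret_value = b"user-password"   # constructed sample value
    hidden = hide_avp_value(PROXY_AUTHEN_RESPONSE, key, vector, secret_value)
    print("on the wire:", hidden.hex())
    print("recovered:  ", unhide_avp_value(PROXY_AUTHEN_RESPONSE, key, vector, hidden))
```

Because the key stream is derived only from the tunnel key and values sent in clear, the confidentiality of hidden AVPs depends entirely on the strength and secrecy of the key set with the tunnel password command.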

Examples

# Enable transferring AVP data in hidden mode.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel avp-hidden

Related commands

tunnel authentication

tunnel password

tunnel load-sharing

Use tunnel load-sharing to configure an LAC to operate in load sharing mode.

Use undo tunnel load-sharing to restore the default.

Syntax

tunnel load-sharing

undo tunnel load-sharing

Default

An LAC operates in master/backup mode.

Views

L2TP group (LAC mode) view

Predefined user roles

network-admin

Usage guidelines

An LAC can operate in master/backup mode or load sharing mode.

·     Master/backup mode—In master/backup mode, when the lns-ip command is executed to configure multiple LNS addresses, the LAC tries to establish a connection to an LNS in the LNS address configuration order until a connection to an LNS is successfully established. The LNS that successfully establishes a connection is called the master LNS, and the other LNSs are backup LNSs. An LAC does not try to establish a connection to a backup LNS until the master LNS fails.

·     Load sharing mode—When a single LNS cannot meet large L2TP service requirements, you can configure the LAC to operate in load sharing mode for performance and reliability. In this mode, the LAC distributes the L2TP services among the specified LNSs according to their weights. To configure the LNS weight, specify the weight keyword in the lns-ip command.

Examples

# Configure an LAC to operate in load sharing mode.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel load-sharing

Related commands

lns-ip

tunnel name

Use tunnel name to specify the local tunnel name.

Use undo tunnel name to restore the default.

Syntax

tunnel name name

undo tunnel name

Default

The local tunnel name is the device name. For more information about the device name, see Fundamentals Configuration Guide.

Views

L2TP group (LAC mode) view

L2TP group (LNS mode) view

Predefined user roles

network-admin

Parameters

name: Specifies the local tunnel name, a case-sensitive string of 1 to 31 characters.

Examples

# Specify the local tunnel name as itsme.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel name itsme

Related commands

sysname (Fundamentals Command Reference)

tunnel password

Use tunnel password to configure the key for tunnel authentication.

Use undo tunnel password to restore the default.

Syntax

tunnel password { cipher | simple } string

undo tunnel password

Default

No key is configured for tunnel authentication.

Views

L2TP group (LAC mode) view

L2TP group (LNS mode) view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 16 characters. Its encrypted form is a case-sensitive string of 1 to 53 characters.

Usage guidelines

For this command to take effect, you must enable tunnel authentication by using the tunnel authentication command.

For the tunnel authentication key change to take effect, change the tunnel authentication key before tunnel negotiation is performed.

Examples

# Configure the key for tunnel authentication to a plaintext key yougotit.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel password simple yougotit

Related commands

tunnel authentication

tunnel timer hello

Use tunnel timer hello to set the Hello interval.

Use undo tunnel timer hello to restore the default.

Syntax

tunnel timer hello hello-interval

undo tunnel timer hello

Default

The Hello interval is 60 seconds.

Views

L2TP group (LAC mode) view

L2TP group (LNS mode) view

Predefined user roles

network-admin

Parameters

hello-interval: Specifies the interval at which the LAC or the LNS sends Hello packets, in the range of 60 to 1000 seconds.

Usage guidelines

The device sends Hello packets at the set interval. This prevents the L2TP tunnels and sessions from being removed due to timeouts.

You can set different Hello intervals for the LNS and LAC.

Examples

# Set the Hello interval to 90 seconds.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel timer hello 90

tunnel window receive

Use tunnel window receive to set the receiving window size for an L2TP tunnel.

Use undo tunnel window receive to restore the default.

Syntax

tunnel window receive size

undo tunnel window receive

Default

The receiving window size for an L2TP tunnel is 1024.

Views

L2TP group (LAC mode) view

L2TP group (LNS mode) view

Predefined user roles

network-admin

Parameters

size: Specifies the receiving window size in the range of 1 to 5000. It is the number of packets that can be buffered at the local end.

Usage guidelines

To enable the device to process a larger number of disordered packets, use this command to enlarge the receiving window size for an L2TP tunnel.

The device uses a receiving window to reorder disordered packets based on packet sequence numbers.

If the sequence number of a packet is within the receiving window but does not equal the minimum value of the window, the device performs the following operations:

1.     The device buffers the packet.

2.     The minimum value and maximum value of the receiving window increment by one.

3.     The device continues to check the next arriving packet.

If the sequence number of a packet equals the minimum value of the receiving window, the device performs the following operations:

1.     The device processes the packet.

2.     The minimum value and maximum value of the receiving window increment by one.

3.     The device checks buffered packets for a packet with the sequence number equal to the new minimum value of the receiving window.

4.     If no required packet is found, the device checks the next arriving packet.

If the sequence number of a packet is not within the receiving window, the device drops the packet.

In the L2TP tunnel establishment process, the device uses the value specified in L2TP group view as the receiving window size.

Changing the receiving window size after an L2TP tunnel is established does not affect the established L2TP tunnel.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the receiving window size for L2TP group 1 to 128.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel window receive 128

Related commands

tunnel window send

tunnel window send

Use tunnel window send to set the sending window size for an L2TP tunnel.

Use undo tunnel window send to restore the default.

Syntax

tunnel window send size

undo tunnel window send

Default

The sending window size for an L2TP tunnel is 0, which means using the value of the receiving window size carried in messages sent by the peer end in the tunnel establishment process.

Views

L2TP group (LAC mode) view

L2TP group (LNS mode) view

Predefined user roles

network-admin

Parameters

size: Specifies the sending window size for an L2TP tunnel, in the range of 0 to 1024. It is the maximum number of packets the device can send to a peer end when the device receives no response from the peer end. If the messages from the peer end carry no receiving window size in the tunnel establishment process, the sending window size for the device is 4.

Usage guidelines

The packet processing capability of a peer end might mismatch the receiving window size of the peer end in some networks. For example, the actual packet processing capability of the peer end is 10, but the receiving window size of the peer end is 20. To ensure stable L2TP services, you can adjust the sending window size for the device to match the actual packet processing capability of the peer end.

The sending window size set in L2TP group view is obtained in the L2TP tunnel establishment process.

·     If the sending window size is 0, the device uses the default sending window size.

·     If the sending window size is not 0, the device uses the specified value as the sending window size.

Changing the sending window size after an L2TP tunnel is established does not affect the established L2TP tunnel.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the sending window size for L2TP group 1 to 128.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel window send 128

Related commands

tunnel window receive

tunnel-alarm enable

Use tunnel-alarm enable to enable the L2TP tunnel alarms.

Use undo tunnel-alarm enable to disable L2TP tunnel alarms.

Syntax

tunnel-alarm enable

undo tunnel-alarm enable

Default

L2TP tunnel alarms are enabled.

Views

L2TP group (LAC mode) view

L2TP group (LNS mode) view

Predefined user roles

network-admin

Usage guidelines

With L2TP tunnel alarms enabled, the device outputs traps when L2TP tunnels come up or go down. To send the traps to an NMS correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

L2TP tunnel alarms are resource-intensive. Before you set up or delete L2TP tunnels, disable L2TP tunnel alarms as a best practice to ensure device performance.

Examples

# Enable L2TP tunnel alarms.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] tunnel-alarm enable

tunnel-per-user

Use tunnel-per-user to configure each L2TP user to use an L2TP tunnel exclusively.

Use undo tunnel-per-user to restore the default.

Syntax

tunnel-per-user

undo tunnel-per-user

Default

An L2TP tunnel can be used by multiple L2TP users.

Views

L2TP group (LAC mode) view

Predefined user roles

network-admin

Examples

# Configure each L2TP user to use an L2TP tunnel exclusively on the LAC.

<Sysname> system-view

[Sysname] l2tp-group 2 mode lac

[Sysname-l2tp2] tunnel-per-user

timer-hold

Use timer-hold to set the keepalive interval.

Use undo timer-hold to restore the default.

Syntax

timer-hold seconds

undo timer-hold

Default

The keepalive interval is 10 seconds.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Parameters

seconds: Specifies the interval at which the LAC or the LNS sends keepalive packets, in the range of 0 to 32767 seconds.

Usage guidelines

A virtual PPP interface sends keepalive packets at keepalive intervals to detect the availability of the peer. If the interface fails to receive keepalive packets when the keepalive retry limit is reached, it determines that the link fails and reports a link layer down event.

To set the keepalive retry limit, use the timer-hold retry command.

On a slow link, increase the keepalive interval to prevent false shutdown of the interface. This situation might occur when keepalive packets are delayed because a large packet is being transmitted on the link.

Examples

# Set the keepalive interval to 20 seconds for Virtual-PPP 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] timer-hold 20

Related commands

timer-hold retry

timer-hold retry

Use timer-hold retry to set the keepalive retry limit.

Use undo timer-hold retry to restore the default.

Syntax

timer-hold retry retries

undo timer-hold retry

Default

The keepalive retry limit is 5.

Views

Virtual PPP interface view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of keepalive attempts in the range of 1 to 255.

Usage guidelines

A virtual PPP interface sends keepalive packets at keepalive intervals to detect the availability of the peer. If the interface fails to receive keepalive packets when the keepalive retry limit is reached, it determines that the link fails and reports a link layer down event.

To set the keepalive interval, use the timer-hold command.

On a slow link, increase the keepalive retry limit to prevent false shutdown of the interface. This situation might occur when keepalive packets are delayed because a large packet is being transmitted on the link.

Examples

# Set the keepalive retry limit to 10 for Virtual-PPP 10.

<Sysname> system-view

[Sysname] interface virtual-ppp 10

[Sysname-Virtual-PPP10] timer-hold retry 10

Related commands

timer-hold

user

Use user to configure the condition for the LAC to initiate tunneling requests.

Use undo user to restore the default.

Syntax

user { domain domain-name | fullusername user-name }

undo user

Default

No condition is configured for the LAC to initiate tunneling requests.

Views

L2TP group (LAC mode) view

Predefined user roles

network-admin

Parameters

domain domain-name: Configures the LAC to initiate tunneling requests to the LNS when the domain name of a user matches a configured domain name. The domain-name argument represents the configured domain name and is a case-insensitive string of 1 to 255 characters.

fullusername user-name: Configures the LAC to initiate tunneling requests to the LNS when the username of a user matches a configured full username. The user-name argument represents the configured full username and is a case-sensitive string of 1 to 255 characters.

Usage guidelines

When a user dials to a LAC and passes authentication, the LAC processes the user as follows:

·     If the ISP domain of the dialup user has been configured with an L2TP group by using the l2tp-group command, all users in the ISP domain are considered as L2TP users. After a user passes authentication, the user initiates tunneling requests to the LNS.

·     If the ISP domain of the dialup user is not configured with an L2TP group by using the l2tp-group command, the following rules apply:

¡     The LAC compares the username of the dialup user with the full usernames configured by using the fullusername user-name command for all L2TP groups on the LAC. If the username matches the full username of an L2TP group, the user uses the L2TP group to initiate tunneling requests.

¡     If the username does not match the full username of any L2TP group, the LAC compares the ISP domain name of the dialup user with the domain names configured by using the domain domain-name command for all L2TP groups on the LAC. If the ISP domain name matches the domain name of an L2TP group, the user uses the L2TP group to initiate tunneling requests. If no matching domain name is found, the user cannot initiate tunneling requests.

The ISP domain name is selected in the following order for a dialup user:

1.     AAA-authorized ISP domain name. If the AAA-authorized ISP domain name does not match the domain name of any L2TP group on the LAC, proceed with the following steps.

2.     ISP domain name used in PPP authentication. For how an ISP domain is selected in PPP authentication, see BRAS Services Command Reference.

¡     If the domain name used in PPP authentication is a forced PPP authentication domain name but the domain name does not match the domain name of any L2TP group on the LAC, the following rules apply:

-     If the username carries a domain name, the LAC compares the domain name in the username with the domain names of all L2TP groups on the LAC. If the domain name of an L2TP group is matched, the user uses the L2TP group to initiate tunneling requests.

-     If no match is found, the user cannot initiate tunneling requests.

-     If the username does not carry a domain name, the user cannot initiate tunneling requests.

¡     If the domain name used in PPP authentication is the domain name carried in the username, non-forced PPP authentication domain name, or AAA-authorized domain name, the LAC compares the used domain name with the domain names of all L2TP groups on the LAC.

-     If the used domain name matches the domain name of an L2TP group, the user uses the L2TP group to initiate tunneling requests.

-     If the used domain does not match the domain name of any L2TP group, the user cannot initiate tunneling requests.

If you execute this command multiple times for an L2TP group, the most recent configuration takes effect.

The domain name and full username of an L2TP group must be unique among all L2TP groups.

If the l2tp-user radius-force command has been executed in the ISP domain of users, a PPP user is considered an L2TP user and processed only when the RADIUS server issues attribute 64 (tunnel-type) to the user and the tunnel type is L2TP. For more information about the l2tp-user radius-force command, see BRAS Services Command Reference.
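The matching order described above can be checked offline with a small model. The following Python sketch is an added example, not H3C code: the GROUPS table is constructed, the function names are hypothetical, and it assumes that the user's ISP domain has no L2TP group bound with l2tp-group and that "@" separates the user part from the domain part of a username.

```python
# Added example: models the LAC group-selection rules described above.
# Constructed configuration, standing in for "user fullusername ..." or
# "user domain ..." in each L2TP group view (one condition per group).
GROUPS = {
    1: ("fullusername", "test@dm1"),
    2: ("domain", "dm1"),
    3: ("domain", "corp"),
}

def match_domain(domain, groups):
    """Domain names are case-insensitive; return the matching group or None."""
    if domain is None:
        return None
    for number, (kind, value) in groups.items():
        if kind == "domain" and value.lower() == domain.lower():
            return number
    return None

def select_group(username, ppp_domain, groups, forced=False, aaa_domain=None):
    """Return the L2TP group a user tunnels with, or None if it cannot tunnel.

    Assumptions (not from the page): '@' is the domain delimiter, and the
    user's ISP domain has no L2TP group bound with l2tp-group.
    """
    # Full usernames are compared first and are case-sensitive.
    for number, (kind, value) in groups.items():
        if kind == "fullusername" and value == username:
            return number
    # 1. AAA-authorized ISP domain name, if one was issued.
    hit = match_domain(aaa_domain, groups)
    if hit is not None:
        return hit
    # 2. ISP domain name used in PPP authentication.
    hit = match_domain(ppp_domain, groups)
    if hit is not None:
        return hit
    # A forced PPP authentication domain that matched no group falls back to
    # the domain carried in the username; any other miss ends the search.
    if forced and "@" in username:
        return match_domain(username.rsplit("@", 1)[1], groups)
    return None
```

Because the full username is case-sensitive and the domain name is not, a username such as Test@dm1 misses group 1 but is still tunneled through the group configured with domain dm1.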

Examples

# Configure the LAC to initiate tunneling requests to the LNS when the username of the user is test@dm1.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] user fullusername test@dm1

Related commands

l2tp-user radius-force (BRAS Services Command Reference)

ppp authentication-mode (BRAS Services Command Reference)

vpn-instance

Use vpn-instance to assign a tunnel peer to a VPN.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

A tunnel peer belongs to the public network.

Views

L2TP group (LAC mode) view

L2TP group (LNS mode) view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

This command enables the device to transmit L2TP control messages and data messages in the specified VPN by searching the routing table in that VPN.

When one L2TP endpoint is in a VPN, assign the peer endpoint to the VPN for correct packet forwarding between the two endpoints.

The tunnel peer and the physical port connecting to the tunnel peer should belong to the same VPN. The VPN to which this physical port belongs is configured by using the ip binding vpn-instance command.

The specified VPN must already exist.

Examples

# Assign the tunnel peer to VPN vpn1.

<Sysname> system-view

[Sysname] l2tp-group 1 mode lac

[Sysname-l2tp1] vpn-instance vpn1

Related commands

ip vpn-instance (MPLS Command Reference)

ip binding vpn-instance (MPLS Command Reference)

 
