L2TP Profile Configuration

The Layer 2 Tunnel Protocol (L2TPv2) profile configuration is an optional step in subscriber management configuration which is mandatory to enable L2TP tunneling.

The way that the L2TP profile configuration relates to all subscriber management configuration tasks is shown in the picture below.

ngaccess cli2 l2tp profile
Figure 1. L2TPv2 Profile Configuration

Configuring the L2TP Profile

supervisor@switch: cfg> set access l2tp-profile
  <profile-name>        Name of the L2TP profile

supervisor@switch: cfg> set access l2tp-profile l2tp-default
  <cr>
  client-ipv4                Default value for L2TP tunnel client IPv4 address
  client-name                Default value for L2TP tunnel client name
  connect-speed-update       Enable L2TP Connect-Speed-Update-Notification (CSUN)
  dead-timeout-interval      L2TP tunnel dead timeout interval in seconds
  hello-interval             L2TP tunnel hello interval in seconds
  hide-authentication        Hide L2TP tunnel authentication
  idle-timeout-interval      L2TP tunnel idle timeout interval in seconds
  inactive-timeout-interval  L2TP tunnel inactive timeout interval in seconds
  instance                   Instance name
  pon-access-line-version    PON Access Line Information Version
  pool-name                  L2TP tunnel pool name
  receive-window             L2TP tunnel receive window
  request-retries            L2TP session request retries
  request-timeout-interval   L2TP session request timeout interval in seconds
  retransmit-interval        L2TP tunnel retransmission interval in seconds
  selection-algorithm        L2TP tunnel selection algorithm
  service-label              MPLS service label
  session-limit              L2TP tunnel session limit

The following example shows a typical L2TPv2 LAC configuration profile.

supervisor@switch: cfg> show config access l2tp-profile l2tp-default
{
  "rtbrick-config:l2tp-profile": {
    "profile-name": "l2tp-default",
    "session-limit": 4000,
    "hello-interval": 60,
    "client-name": "BNG",
    "client-ipv4": "198.51.100.200",
    "hide-authentication": true
    "service-label": 1234
  }
}
Attribute Description

client-ipv4

This is the default value for the local L2TP tunnel client (LAC) IPv4 address if not explicitly provided for the tunnel via L2TP pool or RADIUS.

client-name

This is the default value for the local L2TP tunnel client (LAC) hostname if not explicitly provided for the tunnel via L2TP pool or RADIUS.

Default: system hostname

instance

The routing instance in which the L2TP endpoint (LNS) is reachable.

Default: default

service-label

The service label must be defined to support L2TP over MPLS (Configuring L2TP over MPLS).
Supported MPLS label values are 0 - 1048575. The reserved MPLS label range is 0 - 15. In RBFS, BGP uses the label range 20000 - 100000. It is recommended to assign label values outside of these reserved ranges to avoid conflicts.

selection-algorithm

This defines how to select a tunnel from a pool of available LNS servers as described in [L2TP Tunnel Selection].

The RANDOM algorithm selects the tunnel randomly whereas BALANCED selects the least filled tunnel based on number of sessions.

Default:: BALANCED Values: BALANCED, RANDOM

session-limit

This is the default tunnel session limit if not further specified. Tunnels with session limit reached are not considered for further sessions.

Default: 64000 Range: 1 - 65535

pool-name

This attribute allows to assign a default L2TP tunnel pool ([L2TP Tunnel Pool Configuration]) which can be overwritten by user defined pool names from local user profiles ([User Profile Configuration]) or received via RADIUS attribute RtBrick-L2TP-Pool (VSA 26-50058-40).

hello-interval

L2TP tunnel hello interval in seconds where 0 means disabled.

The HELLO keep alive messages are part of the L2TP control channel ([L2TP Control Channel]) and only send if there is no other message send if queue is empty and no other message send during the hello interval.

Default: 30 Range: 0 - 86400

idle-timeout-interval

This interval defines the maximum time in seconds to keep a tunnel without sessions established. The session will remain forever if this value is set to 0.

Default: 600 Range: 0 - 4294966

dead-timeout-interval

This interval defines the time in seconds to keep an unreachable tunnel in DEAD state. After interval expiration the tunnel changes back to DOWN state to be available for new sessions.

Default: 300 Range: 1 - 4294966

inactive-timeout-interval

This interval defines the time in seconds to keep an inactive tunnel before removal. This interval is reset with every new session request which considers this tunnel as potential candidate.

Default: 900 Range: 1 - 4294966

receive-window

This value specifies the receive window size being offered to the remote peer trough Receive Window Size AVP (10) in SCCRQ, SCCRP.

Suppose advertising a receive window size of 8 in the SCCRQ or SCCRP messages. The remote peer is now allowed to have up to 8 outstanding control messages. Once 8 have been sent, it must wait for an acknowledgment that advances the window before sending new control messages.

Default: 8 Range: 1 - 256

request-retries

This value is explained together with request-timeout-interval.

Default: 5 Range: 1 - 600

request-timeout-interval

This interval multiplied with the request-retries defines the maximum time in seconds to wait for selected tunnel to become established before selecting another tunnel from list.

Default: 1 Range: 1 - 30

The values for request-retries and request-timeout-interval should changed with caution!

retransmit-interval

This value specifies the retransmission interval in seconds.

Each subsequent retransmission of a message employ an exponential backoff interval. Thus, if the first retransmission occurred after 1 second, the next retransmission occur after 2 seconds has elapsed, then 4 seconds, 8 seconds, 16 seconds, 32 seconds and finally 64 seconds. This maximum value is reached after maximum 6 retransmissions resulting in max 64 seconds for an retransmit interval of 1, 128 seconds for 2, etc.

Default: 1 Range: 1 - 30

hide-authentication

If enabled, the L2TP proxy authentication response AVP will be hidden if authentication type is PAP to not transmit the password in clear text.

Default: false

pon-access-line-version

Adding additional PON attributes to the L2TP access line information ([L2TP Access Line Information (RFC5515)]) as defined in draft-lihawi-ancp-protocol-access-extension which can be optionally enabled using this configuration attribute.

RFC and draft compliance are partial except as specified.

The value DRAFT-LIHAWI-00 enables PON attributes based on the definition in draft-lihawi-ancp-protocol-access-extension-00 whereas DRAFT-LIHAWI-04 uses draft-lihawi-ancp-protocol-access-extension-04.

Default:: DISABLED Values: DRAFT-LIHAWI-00, DRAFT-LIHAWI-04

connect-speed-update

Enable L2TP Connect-Speed-Update-Notification (CSUN) requests as defined in RFC5515 ([Connect-Speed-Update-Notification (CSUN)]).

CSUN is an L2TP control message sent by the LAC to the LNS to provide transmit and receive connection speed updates for one or more sessions which is disabled per default and can be enabled using this configuration.

Default: false

Configuring L2TP over MPLS

L2TP over MPLS requires a dedicated L2TP service label which needs to be configured manually.

Following an example L2TP configuration with L2TP service label.

set access l2tp-profile l2tp-default service-label 1234

Advertising this label via BGP must be configured manually as shown in the example below. The exact policy configuration depends on the actual network and existing policy concept.

supervisor@switch: cfg> show config policy
{
    "rtbrick-config:policy": {
      "statement": [
        {
          "name": "L2TP_MPLS",
          "ordinal": [
            {
              "ordinal": 1,
              "match": {
                "rule": [
                  {
                    "rule": 1,
                    "type": "ipv4-prefix",
                    "value-type": "discrete",
                    "match-type": "exact",
                    "value": "198.51.100.200/24"
                  }
                ]
              },
              "action": {
                "rule": [
                  {
                    "rule": 1,
                    "type": "label",
                    "operation": "overwrite",
                    "value": "label:1337,bos:1"
                  }
                ]
              }
            },
            {
              "ordinal": 2,
              "action": {
                "rule": [
                  {
                    "rule": 1,
                    "operation": "return-permit"
                  }
                ]
              }
            }
          ]
        }
      ]
    }
  }


supervisor@switch: cfg> show config instance internet
{
  "rtbrick-config:instance": {
    "name": "internet",
    "address-family": [
      {
        "afi": "ipv4",
        "safi": "unicast",
        "policy": {
          "export": "L2TP_MPLS"
        }
      }
    ]
  }
}