IBM Books

Access Integration Services Using and Configuring Features Version 3.3


Configuring and Monitoring Layer 2 Tunneling Protocols

This chapter describes the Layer 2 tunneling (L2T) configuration and operational commands. L2T includes Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding Protocol (L2F), and Point-to-Point Tunneling Protocol (PPTP). Sections in this chapter include:

  Accessing the L2T Interface Configuration Prompt
  L2 Tunneling Interface Configuration Commands
  Accessing the L2 Tunneling Feature Configuration Prompt
  L2 Tunneling Feature Configuration Commands
  Accessing the L2 Tunneling Monitoring Prompt
  L2 Tunneling Monitoring Commands

Accessing the L2T Interface Configuration Prompt

To access the L2T interface configuration prompt:

  1. Enter talk 6 at the OPCON (*) prompt.
  2. Enter add dev layer-2-tunneling at the Config> prompt (or use the add l2-nets command. See "Add").
  3. Enter n interface# at the Config> prompt.

Example:

Config> add device layer-2-tunneling
Enter the number of Layer-2-Tunneling interfaces [1]
Adding device as interface 8
Defaulting Data-link protocol to PPP
Config> n 8
Session configuration 
L2T config:   8> 

L2 Tunneling Interface Configuration Commands

Table 49 summarizes the L2T interface configuration commands. Enter these commands at the L2T Config n> prompt (where n is the net number).

Table 49. L2 Tunneling Interface Configuration Commands

Command        Function
? (Help)       Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Disable        Disables outgoing calls.
Enable         Enables outgoing calls.
Encapsulator   Allows you to configure PPP parameters for the L2T interface.
               Note: The encapsulator option is only available if an interface has a remote-hostname configured.
List           Displays information about the L2T interface.
Set            Allows you to set various L2T interface parameters.
Exit           Returns you to the previous command level. See "Exiting a Lower Level Environment".

Disable

Use the disable command to disable outbound calls from the L2TP access concentrator (LAC).

Syntax:   disable 
outbound-calls-from-lac

outbound-calls-from-lac
Prevents the LNS from initiating a dial signal from the LAC through an L2TP tunnel.

Enable

Use the enable command to enable outbound calls from the L2TP access concentrator (LAC). This command should only be used with L2TP.

Syntax:

  enable 
outbound-calls-from-lac

outbound-calls-from-lac
Allows the LNS to initiate a dial signal from the LAC through an L2TP tunnel.

Example:

L2T 10> enable outbound-call-from-lac
        Outbound Call Type (ISDN)? [ISDN]
        Outbound calling address: 1234
        Outbound calling subaddress:
L2T 10> 

Encapsulator

Use the encapsulator command to configure the PPP parameters for the L2T interface.

Syntax:
encapsulator

This command is available only when a remote-hostname has been configured. For a list of commands available at the ppp-L2tp config> prompt, see Encapsulator.

List

Use the list command to display the state of the various L2T interface configuration parameters.

Syntax:
list
Layer-2-Tunneling Config>list
CONNECTION TYPE
---------- -----
  Connection Direction            INBOUND
  Remote Tunnel Hostname           *ANY*         

Set

Use the set command to configure the L2T interface operational parameters.

Syntax:  set 
any-remote-hostname
connection-direction
idle
remote-hostname

any-remote-hostname
Clears the outbound remote hostname and disables inbound remote host name matching on this net.

connection-direction [inbound] or [outbound] or [both]
Specifies whether the connection can be initiated by the peer (inbound), the local device (outbound) or either the peer or the local device (both) on this net. If you specify both, you cannot specify zero for the idle time.

Default value: inbound

idle-time seconds
Specifies the number of seconds of inactivity after which L2 tunneling will disconnect the tunnel session on this net. A value of zero indicates that the tunnel is fixed and should not be disconnected.

Valid values: 0 to 1024

Default value: 0

remote-hostname hostname
Specifies the tunnel hostname of the peer.

For an outbound tunnel, the hostname specifies a tunnel profile configured in the AAA subsystem. This should be the tunnel hostname that the peer uses to identify itself.

For an inbound tunnel, only tunnel peers that identify themselves by this hostname can connect to this interface.

Valid values: Any name from 1 to 64 ASCII characters

Default value: Name


Accessing the L2 Tunneling Feature Configuration Prompt

To access the L2 tunneling feature configuration prompt:

  1. Enter talk 6 at the OPCON (*) prompt.
  2. Enter feature layer-2-tunneling at the Config> prompt.

L2 Tunneling Feature Configuration Commands

Table 50 summarizes the L2 tunneling feature configuration commands and the rest of this section explains the commands. Enter these commands at the Layer-2-Tunneling Config> prompt.

Table 50. L2 Tunneling Feature Configuration Commands

Command        Function
? (Help)       Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Add            Adds L2 tunneling nets and peers.
Disable        Disables L2 tunneling functions.
Enable         Enables L2 tunneling functions.
Encapsulator   Allows you to configure PPP parameters for all of the L2 tunneling nets that are not configured with a remote-hostname (ANY).
List           Displays information about the L2 tunneling configuration.
Set            Allows you to set buffers, the call receive window, and other L2 tunneling parameters.
Exit           Returns you to the previous command level. See "Exiting a Lower Level Environment".

Add

Use the add command to add L2-Nets. One L2-Net is required for each concurrent PPP session that ends on this router. The end of a tunneled PPP session is the LNS end point of the tunnel.

Syntax: add
L2-nets

L2-nets
Note: This command can be entered entirely in lower case. The initial character is shown in upper case for clarity.

Adds L2-Nets to the L2 tunneling configuration. One L2-Net is required for each concurrent PPP session that is to be terminated at this router. If this router is to be used strictly as an LAC, no virtual L2-Nets are necessary. When you enter this command, you are prompted for the number of additional nets and whether to add unnumbered IP addresses for each L2 net.

The number of additional nets refers to how many nets are automatically added at this time. These nets are in addition to any L2-Nets that already exist.

Adding unnumbered IP addresses for each L2-Net automatically adds unnumbered IP entries into the IP routing table for each of the L2-Nets. Unnumbered IP addresses are the preferred mode of operation. If you need numbered addresses for the L2-Nets, you can alter them in the IP protocol configuration environment (refer to the chapter entitled "Configuring IP" in the Protocol Configuration and Monitoring Reference Volume 1).

Disable

Use the disable command to disable L2 tunneling functions.

Syntax:   disable 
call-rcv-window
fixed-udp-source-port
force-chap-challenge
hiding-for-pap-attributes
L2f
L2tp
pptp
proxy-auth
proxy-lcp
tunnel-auth

call-rcv-window
L2 tunneling can queue packets for each call in order to perform sequencing and congestion control. Each call has its own window, which is the number of packets that can be sent before an ACK is received. Disabling the call-rcv-window turns off flow control and sequencing for all sessions. This might be desirable when the connection between the LAC and LNS is known to be of high quality, to have sufficient bandwidth, and not to be prone to packet reordering.

fixed-udp-source-port
Turns off the use of a fixed UDP source port. With this parameter disabled, IP Security filters between the LAC and the LNS must be configured by IP address rather than by UDP port.

force-chap-challenge
Disables the LNS CHAP rechallenge of a client. You might need to disable the CHAP rechallenge if the PPP client has difficulty with CHAP rechallenges.

hiding-for-pap-attributes
Disables the encryption of Proxy PAP information between the LAC and LNS.

L2f
Disables L2F protocol on this router.

L2tp
Disables L2TP protocol on this router.

pptp
Disables PPTP protocol on this router.

proxy-auth
Disables sending PPP proxy-authentication from LAC to LNS.

proxy-lcp
Disables sending LCP information from LAC to LNS.

tunnel-auth
Disables tunnel peer authentication based on a shared secret for this router.

Enable

Use the enable command to enable L2 tunneling functions.

Syntax:

  enable 
fixed-udp-source-port
force-chap-challenge
hiding-for-pap-attributes
L2f
L2tp
pptp
proxy-auth
proxy-lcp
tunnel-auth

fixed-udp-source-port
Enabling this parameter fixes the L2TP UDP source port at 1701, so you can configure IP Security filters for L2 tunneling by UDP port and encrypt or authenticate L2 tunneling traffic easily.

force-chap-challenge
Enables the LNS CHAP rechallenge of a client even if the LNS receives a proxy CHAP response from the LAC, so the LNS verifies the client's credentials itself rather than relying on the relayed result. This is preferable from a security standpoint, provided the client is known to handle such a rechallenge without problems.

hiding-for-pap-attributes
Enables the encryption of Proxy PAP information between the LAC and LNS.

L2f
Enables L2F on this router.

L2tp
Enables L2TP on this router.

pptp
Enables PPTP on this router.

proxy-auth
Enables sending PPP proxy-authentication from LAC to LNS.

proxy-lcp
Enables sending LCP information from LAC to LNS.

tunnel-auth
Enables tunnel peer authentication based on a shared secret for this router.

Encapsulator

Use the encapsulator command to access the ppp-L2tp config> prompt in order to configure the PPP parameters for all Layer 2 Tunneling interfaces that are configured as inbound and *any* remote-hostname.

Syntax:
encapsulator

List

Use the list command to display the state of the various L2 tunneling configuration parameters.

Syntax:
list
Layer-2-Tunneling Config>list
GENERAL ADMINISTRATION
------- --------------
  L2TP                                 = Enabled
  L2F                                  = Disabled
  PPTP                                 = Disabled
  Maximum number of tunnels            = 20
  Maximum number of calls (total)      = 50
  Buffers Requested                    = 300
 
CONTROL CHANNEL SETTINGS
------- ------- --------
  Tunnel Auth                          = Enabled
  Tunnel Rcv Window                    = 4
  Retransmit Retries                   = 6
  Local Hostname                       = Host6
 
DATA CHANNEL SETTINGS
---- ------- --------
  Force CHAP Challenge (extra security)= Disabled
  Hiding for PAP Attributes            = Disabled
  Hardware Error Polling Period (Sec)  = 120
  Call Rcv Window                      = 6
 
MISCELLANEOUS
-------------
  SEND PROXY-LCP FROM LAC              = Enabled
  SEND PROXY-AUTH FROM LAC             = Enabled
  Fixed UDP Source Port (1701)         = Disabled          
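As an added example (not IBM's code or output), the following Python audits the settings shown by list against the enable options this chapter describes as security-relevant: tunnel-auth, force-chap-challenge, hiding-for-pap-attributes and fixed-udp-source-port. The sample output is constructed from the listing above.

```python
"""Audit the settings printed by 'Layer-2-Tunneling Config> list'.

Added example, not IBM's code. It parses the 'name = value' lines the
router prints and reports settings that the chapter's enable command
describes as security-relevant when they are left disabled.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, copied from the chapter's list output.
SAMPLE_LIST_OUTPUT = """\
GENERAL ADMINISTRATION
------- --------------
  L2TP                                 = Enabled
  L2F                                  = Disabled
  PPTP                                 = Disabled
  Maximum number of tunnels            = 20
  Maximum number of calls (total)      = 50
  Buffers Requested                    = 300

CONTROL CHANNEL SETTINGS
------- ------- --------
  Tunnel Auth                          = Enabled
  Tunnel Rcv Window                    = 4
  Retransmit Retries                   = 6
  Local Hostname                       = Host6

DATA CHANNEL SETTINGS
---- ------- --------
  Force CHAP Challenge (extra security)= Disabled
  Hiding for PAP Attributes            = Disabled
  Hardware Error Polling Period (Sec)  = 120
  Call Rcv Window                      = 6

MISCELLANEOUS
-------------
  SEND PROXY-LCP FROM LAC              = Enabled
  SEND PROXY-AUTH FROM LAC             = Enabled
  Fixed UDP Source Port (1701)         = Disabled
"""

# (setting name as printed, expected value, consequence described in the chapter)
CHECKS: List[Tuple[str, str, str]] = [
    ("Tunnel Auth", "Enabled",
     "tunnel peers are not authenticated with the shared secret"),
    ("Force CHAP Challenge (extra security)", "Enabled",
     "LNS trusts the proxy CHAP relayed by the LAC instead of rechallenging"),
    ("Hiding for PAP Attributes", "Enabled",
     "proxy PAP information crosses the LAC-LNS link unencrypted"),
    ("Fixed UDP Source Port (1701)", "Enabled",
     "IP Security filters cannot match L2TP traffic by UDP port"),
]

# Matches '  name = value'; header and dashed rule lines contain no '='.
LINE_RE = re.compile(r"^\s*(.+?)\s*=\s*(\S.*?)\s*$")


def parse_list_output(text: str) -> Dict[str, str]:
    """Return {setting: value} from the list output, skipping headers and rules."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (setting, reason) for every check that is not satisfied."""
    findings: List[Tuple[str, str]] = []
    for name, expected, reason in CHECKS:
        actual = settings.get(name)
        if actual is None:
            findings.append((name, "not present in output"))
        elif actual.lower() != expected.lower():
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_list_output(SAMPLE_LIST_OUTPUT)):
        print(f"{name}: {reason}")
```

On the sample above the audit reports the three disabled data-channel and UDP-port settings and is silent on Tunnel Auth, which is enabled.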

Set

Use the set command to configure the L2 tunneling operational parameters.

Syntax:  set 
buffers
call-rcv-window
error-check-period
host-lookup-password
local-hostname
max-calls
max-tunnels
transmit-retries
tunnel-rcv-window

buffers
Specifies the number of requested internal L2 tunneling buffers. If there is not enough memory to satisfy the request, only a portion of the buffers will be available upon reboot. To confirm the amount of memory while L2T is active, use the memory command (see Memory).

Valid values: 1 to 1000

Default value: 200

call-rcv-window
Specifies the number of packets to be used as a receive window and enables the call-rcv-window. If flow control is enabled on the data channel, a receive window size must be designated, both for use by the protocol on this router and for communication to the peer using start-up messages. The value configured is for all calls initiated by this router. The value of zero means sequence-only (no flow control).

Valid values: 0 to 100

Default value: 0

error-check-period [seconds]
Specifies the LAC's hardware error polling period. Each polling period will result in a WAN Error Notify message transmitted from LAC to LNS. The range is from 60 to 65000 seconds.

Default value: 120 seconds.

host-lookup-password
Specifies the shared secret for RADIUS tunnel authorization. This must match the secret configured on the server.

Default value: None.

local-hostname
Specifies the hostname string identifying the local router that is sent in tunnel setup messages.

Default value: IBM

max-calls
Specifies the maximum number of calls across all tunnels that can be active at a given time either as LAC or LNS.

Valid values: 1 to 500

Default value: 100

max-tunnels
Specifies the maximum number of tunnels that can be active at a given time either as LAC or LNS.

Valid values: 1 to 100

Default value: 30

transmit-retries
Specifies the number of times an L2TP packet is retransmitted on the control channel before the session or tunnel is declared inactive and is shut down.

Valid values: 2 to 100

Default value: 6

tunnel-rcv-window
Specifies the L2TP receive window size for the reliable control connection transport. This transport transmits and receives the messages necessary for tunnel or session setup, teardown, and maintenance.

Valid values: 1 to 100

Default value: 4
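To make the interplay between tunnel-rcv-window and transmit-retries concrete (and, by the same mechanism, the per-call window that call-rcv-window enables), here is an added Python model of one sender on the reliable control connection; it is not IBM's code. It assumes a simplified go-back-N acknowledgement scheme in which the peer's Nr acknowledges messages cumulatively in sequence order and messages behind a lost one are resent with it; the loss patterns are constructed.

```python
"""Simplified model of the L2TP control connection as governed by the set
parameters: tunnel-rcv-window bounds how many messages may be outstanding
before an ACK, and transmit-retries bounds how often one message is resent
before the tunnel is declared inactive. Added example, not IBM's code; the
go-back-N acknowledgement scheme and the loss patterns are assumptions."""
from collections import deque
from typing import Callable, Dict


class ControlSender:
    def __init__(self, tunnel_rcv_window: int, transmit_retries: int) -> None:
        # Valid ranges as given in the chapter: 1 to 100 and 2 to 100.
        if not 1 <= tunnel_rcv_window <= 100:
            raise ValueError("tunnel-rcv-window must be 1 to 100")
        if not 2 <= transmit_retries <= 100:
            raise ValueError("transmit-retries must be 2 to 100")
        self.window = tunnel_rcv_window
        self.max_retries = transmit_retries

    def run(self, n_messages: int,
            delivers: Callable[[int, int], bool]) -> Dict[str, object]:
        """Send messages Ns = 0..n-1. delivers(seq, attempt) says whether that
        transmission reaches the peer. Returns the outcome and counters."""
        pending = deque(range(n_messages))   # Ns values not yet acknowledged
        attempts: Dict[int, int] = {}        # transmissions so far per Ns
        retransmits = 0
        rounds = 0
        while pending:
            rounds += 1
            # At most tunnel-rcv-window messages are outstanding at once.
            in_flight = list(pending)[: self.window]
            for seq in in_flight:
                if attempts.get(seq, 0) > self.max_retries:
                    # Original send plus transmit-retries resends are spent:
                    # the tunnel is declared inactive and shut down.
                    return {"state": "Inactive", "stuck_seq": seq,
                            "acked": n_messages - len(pending),
                            "retransmits": retransmits, "rounds": rounds}
                attempts[seq] = attempts.get(seq, 0) + 1
                if attempts[seq] > 1:
                    retransmits += 1
            # Cumulative ACK: the first lost message stops Nr from advancing,
            # and everything behind it is resent in the next round.
            for seq in in_flight:
                if delivers(seq, attempts[seq]):
                    pending.popleft()
                else:
                    break
        return {"state": "Established", "acked": n_messages,
                "retransmits": retransmits, "rounds": rounds}


def lossless(seq: int, attempt: int) -> bool:
    return True


def drops_seq2_twice(seq: int, attempt: int) -> bool:
    # Constructed loss pattern: Ns 2 is lost on its first two transmissions.
    return not (seq == 2 and attempt <= 2)


def drops_seq2_always(seq: int, attempt: int) -> bool:
    # Constructed loss pattern: Ns 2 never arrives, so the sender must give up.
    return seq != 2


if __name__ == "__main__":
    sender = ControlSender(tunnel_rcv_window=4, transmit_retries=6)  # chapter defaults
    for name, link in [("lossless", lossless), ("transient loss", drops_seq2_twice),
                       ("persistent loss", drops_seq2_always)]:
        print(name, sender.run(10, link))
```

With the defaults, a message lost on every attempt is sent once and retransmitted six times before the model reports the tunnel Inactive, which is what a nonzero ACK-timeouts count in tunnel errors precedes on a real link.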


Accessing the L2 Tunneling Monitoring Prompt

To access the L2 tunneling monitoring prompt:

  1. Enter talk 5 at the OPCON (*) prompt.
  2. Enter feature layer-2-tunneling at the GWCON (+) prompt.

L2 Tunneling Monitoring Commands

This section summarizes and then describes the L2 tunneling monitoring commands. Enter the commands at the Layer-2-Tunneling Console> prompt.

Table 51 summarizes the L2 tunneling monitoring commands.

Table 51. L2 Tunneling Monitoring Commands

Command        Function
? (Help)       Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Call           Displays statistics and information about each call in progress.
Kill           Ends a tunnel immediately.
Memory         Displays the current L2 tunneling buffer allocation and use.
Start          Starts a tunnel with another peer.
Stop           Stops a tunnel and allows each peer to perform any needed administration.
Tunnel         Displays statistics and information on each existing tunnel.
Exit           Returns you to the previous command level. See "Exiting a Lower Level Environment".

Call

Use the call command to display call statistics and information.

Syntax:  call 
errors
physical-errors
queue
state
statistics

errors
Displays the general transmission errors that occurred on the calls.

Example:

Layer-2-Tunneling Console> call errors
CallID | Serial # | ACK-timeout | Dropped pkts
 56744 |        1 |          0  |        0

CallID
The local identifier associated with this call.

Serial #
The number used for logging this call.

ACK-timeout
The number of times a timeout notification has been received from the peer.

Dropped pkts
The number of packets that have been declared lost for this call. These are packets which should have been received, but were signalled as lost by the peer.

physical-errors
Displays the data errors that occurred on the calls.

Example:

Layer-2-Tunneling Console> call physical-errors
CallID | Serial# | CRC   |framing|  HW   | buffer|timeout| align-| time since
       |         | Errors| Errors|overrun|overrun| Errors| ment  | updated
 56744 |       1 |     0 |     0 |     0 |     0 |     0 |     0 |

CallID
The local identifier associated with this call.

Serial #
The number used for logging this call.

CRC Errors
The number of packets on which the CRC did not match.

framing errors
The number of packets with a framing error.

HW overrun
The number of times a hardware overrun occurred.

buffer overrun
The number of times a buffer overrun occurred.

timeout errors
The number of times an interface timed out.

alignment
The number of times an alignment error occurred.

time since updated
The elapsed time since last poll for errors.

queue
Displays information about the queue for each call.

Example:

Layer-2-Tunneling Console> call queue
CallID | Serial # |Tx Win|Rx Win|   Ns   |   Nr   |Rx Q|Tx Q|priority| out Q
 56744 |       1  |    4 |    4 |    100 |   200  |  0 |  0 |     0  |    0

CallID
The local identifier associated with this call.

Serial #
The number used for logging this call.

Tx Win
The peer's maximum receive window for data.

Rx Win
The local maximum transmit window.

Ns
The next packet sequence number to send for this call.

Nr
The next packet sequence number expected to be received for this call.

Rx Q
The current number of packets on the receive queue.

Tx Q
The current number of packets on the transmit queue.

priority
The number of priority PPP packets waiting to be transmitted by L2TP.

out Q
The number of regular PPP packets waiting to be transmitted by L2TP.

state
Displays the current state of each call.

Example:

Layer-2-Tunneling Console> call state
CallID | Serial # | Net #  |    State    | Time Since Chg | PeerID | TunnelID
 56744 |       1  |     2  | Established |   00:00:00     |  345   | 45678

CallID
The local identifier associated with this call.

Serial #
The number used for logging this call.

Net #
The device number associated with this call. For an LNS call, this is the L2-Net. For an LAC call, this is the PPP device that received the initial call.

State
The current call state. Valid call states are:

Established
Ready for tunneled network traffic.

Idle
The call is idle.

Wait Cs Answer
Waiting for the communication link to open.

Wait Reply
Waiting for a reply from the peer.

Wait Tunnel
Waiting for tunnel establishment.

Time since chg
The elapsed time since the last state change.

PeerID
The Peer's call ID.

TunnelID
The local tunnel associated with this call.

statistics
Displays statistics about the data transmission for each call.

Example:

Layer-2-Tunneling Console> call statistics
CallID | Serial # | Tx Pkts | Tx Bytes | Rx Pkts | Rx Bytes |  RTT  | ATO
 56744 |       1  |     34  |    1056  |     45  |    1567  |   10  | 34

CallID
The local identifier associated with this call.

Serial #
The number used for logging this call.

Tx Pkts
The number of packets transmitted for this call.

Tx Bytes
The number of bytes transmitted for this call.

Rx Pkts
The number of packets received for this call.

Rx Bytes
The number of bytes received for this call.

RTT
The currently calculated round trip time for this call.

ATO
The currently calculated adaptive time out for this call.

Kill

Use the kill command to immediately end a tunnel. This command releases all of the local resources for a tunnel, thereby forcing the end of the connection. No notification of the end of the tunnel is sent to the peer.
Note: Use this command only if the stop command is unable to end a tunnel.

Syntax:  kill 
tunnel tunnelid

tunnel tunnelid
Specifies the tunnel to end.

Memory

Use the memory command to display L2TP's current memory utilization.

Syntax:
memory

Example:
Layer-2-Tunneling Console> mem
Number of layer-2-tunneling buffers: Requested = 2000, Total = 1200, Free = 1000

In this example, you configured 2000 buffers but were able to allocate only 1200. Currently, 200 buffers are in use leaving 1000 free.

Start

Use the start command to start a tunnel with another peer.

Syntax:  start 
tunnel hostname

tunnel hostname
The name of the host with which L2T establishes the tunnel. If you enter start with no parameters, you are prompted for the hostname.

Stop

Use the stop command to stop a tunnel. Any required cleanup is completed before the tunnel ends.

Syntax:  stop 
tunnel tunnelid

tunnel tunnelid
Specifies the tunnel to end.

Tunnel

Use the tunnel command to display statistics and information about all tunnels.

Syntax:  tunnel 
call
errors
peer
queue
state
statistics
transport

calls
Displays all tunnels and the call state for each call within each tunnel.

errors
Displays the errors that have occurred on a tunnel.

Example:

Layer-2-Tunneling Console> tunnel errors
Tunnel ID | Type |ACK-timeouts
 96785    | L2TP |    0
 43690    | PPTP |    2
 96785    | L2F  |    0

Tunnel ID
The local identifier associated with a tunnel.

Type
The type of tunneling protocol being used.

ACK-timeouts
The number of times a timeout notification has been received from the peer.

peer
Displays the tunnels and the peers associated with the tunnels.

Example:

Layer-2-Tunneling Console> tunnel peer
Tunnel ID | Type | Peer ID | Peer Hostname
 96785    | L2TP |   89777 | peer1 
 11264    | L2F  |   46538 | peer2 
 34653    | L2F  |   11209 | peer3 
 87511    | PPTP |   55377 | peer4

Tunnel ID
The local identifier associated with a tunnel.

Type
The type of tunneling protocol being used.

Peer ID
The peer's tunnel identifier assigned to this tunnel.

Peer Hostname
The hostname of the peer as it appears in the local database.

queue
Displays information about the queue for each tunnel.

Example:

Layer-2-Tunneling Console> tunnel queue
Tunnel ID | Type | Rx Win | Tx Win |   Ns   |   Nr   |  Rx Q |  Tx Q
 96785    | L2TP |      4 |      4 |      5 |      6 |     0 |     0
 76488    | L2F  |      4 |      4 |      5 |      6 |     0 |     0
 22209    | PPTP |      4 |      4 |      5 |      6 |     0 |     0

Tunnel ID
The local identifier associated with a tunnel.

Type
The type of tunneling protocol being used.

Rx Win
The local maximum number of packets that constitute the receive window.

Tx Win
The peer's maximum number of packets that constitute the receive window.

Ns
The sequence number of the next packet to send.

Nr
The sequence number of the next packet to receive.

Rx Q
The number of packets currently on the receive queue.

Tx Q
The number of packets currently on the transmit queue.

state
Displays the current state of all the tunnels.

Example:

Layer-2-Tunneling Console> tunnel state
Tunnel ID | Type | Peer ID |    State    | Time Since Chg | # Calls | Flags
 17404    | PPTP |  0      | Established |   00:00:00     |      1  |  0 
 96785    | L2TP |  0      | Established |   00:02:05     |      2  |  0 
 38237    | L2F  |  0      | Established |   00:00:00     |      1  |  0 
 

Tunnel ID
The local identifier associated with a tunnel.

Type
The type of tunneling protocol being used.

Peer ID
The peer's tunnel identifier assigned to this tunnel.

State
The current tunnel state. Valid tunnel states are:

Established
The tunnel is established.

Idle
The tunnel is idle.

Wait Ctrl Reply
The host is waiting for a reply from the peer.

Wait Ctrl Conn
The host is waiting for a connection indication.

Time since chg
The elapsed time since the last state change.

# Calls
The number of active calls on this tunnel.

Flags
The flags used to control the connection messages on this tunnel.

statistics
Displays the statistics associated with the tunnels.

Example:

Layer-2-Tunneling Console> tunnel statistics
Tunnel ID | Type | Tx Pkts | Tx Bytes | Rx Pkts | Rx Bytes |  RTT  | ATO
 96785    | L2TP |      4  |      78  |      5  |     89   |    10 | 31
 96366    | L2F  |   9344  |   34578  |    305  |   4300   |    10 | 31
 12344    | PPTP |     24  |     478  |    115  |    2745  |    10 | 31

Tunnel ID
The local identifier associated with a tunnel.

Type
The type of tunneling protocol being used.

Tx Pkts
The number of packets transmitted.

Tx Bytes
The number of bytes transmitted.

Rx Pkts
The number of packets received.

Rx Bytes
The number of bytes received.

RTT
The currently calculated round trip time for tunnel control connection messages.

ATO
The currently calculated adaptive timeout for tunnel control connection messages.

transport
Displays UDP information about the tunnels.

Example:

Layer-2-Tunneling Console> tunnel transport
Tunnel ID | Type | Peer IP Address | UDP Src | UDP Dest
 96785    | L2TP |  11.0.0.102     |  1056   |   1089
 30000    | L2F  |  11.0.0.104     |  1058   |   1090
 45772    | PPTP |  11.4.4.027     |  1345   |   1020
 

Tunnel ID
The local identifier associated with a tunnel.

Type
The type of tunneling protocol being used.

Peer IP address
The peer's IP address for this tunnel.

UDP Src
The UDP source port for this tunnel.

UDP Dest
The UDP destination port for this tunnel.

