L2TP Command Reference

Command Hierarchies

L2TP Configuration Commands

configure
— router
— l2tp
df-bit-lac {always | never}
— no df-bit-lac
group tunnel-group-name [create]
— no group tunnel-group-name
df-bit-lac {always | never | default}
— no df-bit-lac
tunnel tunnel-name [create]
— no tunnel tunnel-name
df-bit-lac {always | never | default}
— no df-bit-lac
ignore-avps [sequencing-required]
add-tunnel never
add-tunnel on reason [reason...(up to 8 max)]
— no add-tunnel
max-list-length unlimited
max-list-length count
max-time minutes
— no max-time
timeout-action action
configure
— system
— l2tp
non-multi-chassis-tunnel-id-range start l2tp-tunnel-id end l2tp-tunnel-id
configure
— redundancy
— multi-chassis
— peer
— sync
[no] track-srrp [srrp-instance]
l2tp-tunnel-id-range start l2tp-tunnel-id end l2tp-tunnel-id
configure
— router
— l2tp
— failover
recovery-method method
recovery-time seconds
track-srrp srrp-instance peer ip-address sync-tag tag
[no] track-srrp srrp-instance
group tunnel-group-name [create]
— no group tunnel-group-name
— failover
recovery-method method
recovery-time seconds
tunnel tunnel-name [create]
— no tunnel tunnel-name
— failover
recovery-method method
recovery-time seconds
configure
— service
— vprn
— l2tp
ignore-avps [sequencing-required]
— failover
recovery-method method
recovery-time seconds
track-srrp srrp-instance peer ip-address sync-tag tag
[no] track-srrp srrp-instance

L2TP Tunnel RADIUS Accounting Commands

configure
— aaa
l2tp-accounting-policy policy-name [create]
— no l2tp-accounting-policy policy-name
accounting-type [session] [tunnel]
description description-string
nas-port binary-spec
— no nas-port
nas-port-id [prefix-string string] [suffix suffix-option]
nas-port-type [type]
access-algorithm {direct | round-robin}
retry count
— no retry
router service-name service-name
router router-instance
— no router
server server-index address ip-address secret key [hash | hash2] [port port]
— no server server-index
source-address ip-address
timeout seconds
— no timeout
request-script-policy radius-script-policy-name

Show Commands

show
— subscriber-mgmt
ppp-policy [ppp-policy-name [association]]
— service
— id service-id
pppoe
session [interface ip-int-name | ip-address | sap sap-id] [type pppoe-session-type] [session-id session-id] [mac ieee-address] [ip-address ip-address[/mask]] [port port-id] [no-inter-dest-id | inter-dest-id intermediate-destination-id] [detail|statistics]
session l2tp-connection-id connection-id [detail | statistics]
statistics [{sap sap-id | interface ip-int-name | ip-address}]
— system
l2tp
— redundancy
— multi-chassis
sync [peer ip-address] [statistics]
sync peer ip-address detail

Clear Commands

clear
— service
— id service-id
pppoe
session all [no-padt]
session {interface ip-int-name | ip-address | sap sap-id} [mac ieee-address] [session-id session-id] [ip-address ip-address[/mask]] [port port-id] [no-inter-dest-id | inter-dest-id intermediate-destination-id] [no-padt]
statistics [{sap sap-id | interface ip-int-name | ip-address}]

Debug Commands

debug
— service
— id service-id
[no] ppp
[no] event
dhcp-client [terminate-only]
ppp [terminate-only]
— no ppp
[no] mac ieee-address
[no] packet
detail-level {low | medium | high}
[no] dhcp-client
discovery [padi] [pado] [padr] [pads] [padt]
— no discovery
mode {dropped-only | ingr-and-dropped | egr-ingr-and-dropped}
— no mode
ppp [lcp] [pap] [chap] [ipcp]
— no ppp
[no] sap sap-id
— router [router-instance]
[no] l2tp
assignment-id assignment-id
[no] event
[no] recovery
[no] event
[no] recovery
group tunnel-group-name
[no] event
[no] recovery
peer ip-address [udp-port port]
[no] event
[no] recovery
tunnel connection-id
[no] event
[no] recovery

Tools Commands

tools
edit-ppp-session sap sap-id [user-name user-name] [mac mac-address] [session-id session-id] [ip-address ip-address] [subscriber sub-ident-string] [sub-profile-string sub-profile-string] [sla-profile-string sla-profile-string] [inter-dest-id intermediate-destination-id] [ancp-string ancp-string] [app-profile-string app-profile-string]
edit-ppp-session svc-id service-id [user-name user-name] [mac mac-address] [session-id session-id] [ip-address ip-address] [subscriber sub-ident-string] [sub-profile-string sub-profile-string] [sla-profile-string sla-profile-string] [inter-dest-id intermediate-destination-id] [ancp-string ancp-string] [app-profile-string app-profile-string]
eval-lease-state [svc-id service-id] [sap sap-id] [subscriber sub-ident-string] [ip ip-address] [mac ieee-address]
local-user-db local-user-db-name [mac ieee-address]
ipoe
host-lookup [mac ieee-address] [remote-id remote-id-ascii] [sap-id sap-id] [service-id service-id] [string vso-string] [system-id system-id] [option60 option-60-ascii] [circuit-id circuit-id-ascii] [circuit-id-hex circuit-id-hex] [option60-hex option60-hex] [remote-id-hex remote-id-hex] [derived-id derived-id] [ip-prefix ip-prefix/ip-prefix-length]
ppp
authentication password password [mac ieee-address] [remote-id remote-id] [circuit-id circuit-id] user-name user-name [service-name service-name]
authentication password password [mac ieee-address] [remote-id remote-id] [circuit-id-hex circuit-id-hex] user-name user-name [service-name service-name]
host-lookup [circuit-id circuit-id] [circuit-id-hex circuit-id-hex] [derived-id derived-id] [mac ieee-address] [remote-id remote-id] [remote-id-hex remote-id-hex] [sap-id sap-id] [service-name service-name] [user-name user-name]

Command Descriptions

L2TP Configuration Commands

Global Commands

description

Syntax 
description description-string
no description
Context 
config>aaa>l2tp-acct-plcy
Description 

This command creates a text description stored in the configuration file for a configuration context.

The description command associates a text string with a configuration context to help identify the content in the configuration file.

The no form of this command removes the string from the configuration.

Default 

No description associated with the configuration context.

Parameters 
description-string—
The description character string. Allowed values are any string up to 80 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.

shutdown

Syntax 
[no] shutdown
Context 
config>aaa>l2tp-acct-plcy
Description 

This command administratively disables an entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics.

The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

The no form of this command places the entity into an administratively enabled state.

L2TP Tunnel Account Commands

next-attempt

Syntax 
next-attempt {same-preference-level | next-preference-level}
no next-attempt
Context 
config>router>l2tp
config>service>vprn>l2tp
Description 

This command enables the tunnel selection algorithm based on the tunnel preference level.

Parameters 
same-preference-level—
If the tunnel-spec selection algorithm selects a tunnel that is currently unavailable (for example, a tunnel in the blacklist), the next tunnel, if available, is chosen within the same preference level as the last attempted tunnel. Only when all tunnels within the same preference level are exhausted does the tunnel selection algorithm move to the next preference level.

If a new session setup request is received while all tunnels on the same preference level are blacklisted, the system tries to establish the L2TP session on the blacklisted tunnels before the tunnel selection moves to the next preference level.

next-preference-level —
If the tunnel-spec selection algorithm selects a tunnel that is currently unavailable (for example, a tunnel in the blacklist), the selection algorithm tries to select a tunnel from the next preference level, even though tunnels on the same preference level might be available for selection.
Values—
next-preference-level

replace-result-code

Syntax 
replace-result-code code [code...(up to 3 max)]
no replace-result-code
Context 
config>router>l2tp
config>service>vprn>l2tp
Description 

This command replaces CDN Result-Code 4, 5 and 6 on the LNS with Result Code 2. This is needed for interoperability with some LAC implementations that only take action based on CDN Result-Code 2 and ignore CDN Result-Code 4, 5 and 6.

Default 

no replace-result-code

Parameters 
code—
Specifies the L2TP Result codes that need to be replaced.
Values—
cdn-tmp-no-facilities — CDN Result-Code 4 on LNS will be replaced with the result code 2 before it is sent to LAC.
cdn-prem-no-facilities — CDN Result-Code 5 on LNS will be replaced with the result code 2 before it is sent to LAC.
cdn-inv-dest — CDN Result-Code 6 on LNS will be replaced with the result code 2 before it is sent to LAC.

df-bit-lac

Syntax 
df-bit-lac {always | never}
no df-bit-lac
Context 
config>router>l2tp
config>service>vprn>l2tp
Description 

By default, df-bit-lac is set to always and the LAC sends all L2TP packets with the DF bit set to 1. The DF bit is configurable to allow downstream routers to fragment the L2TP packets. The LAC itself will not fragment L2TP packets. L2TP packets that are larger than the MTU size the LAC egress port allows are dropped.

Default 

df-bit-lac always

Parameters 
always—
Specifies that the LAC will send all L2TP packets with the DF bit set to 1.
never—
Specifies that the LAC will send all L2TP packets with the DF bit set to 0.

df-bit-lac

Syntax 
df-bit-lac {always | never | default}
no df-bit-lac
Context 
config>router/service>vprn>l2tp>group
config>router/service>vprn>l2tp>group>tunnel
Description 

By default, df-bit-lac is set to default and the LAC sends all L2TP packets with the DF bit set to 1. The DF bit is configurable to allow downstream routers to fragment the L2TP packets. The LAC itself will not fragment L2TP packets. L2TP packets that are larger than the MTU size the LAC egress port allows are dropped. The configuration of the DF bit can be overridden at different levels: l2tp, group, and tunnel. The configuration at the tunnel level overrides the configuration on both the group and l2tp levels. The configuration at the group level overrides the configuration on the l2tp level.

Default 

df-bit-lac default

Parameters 
always—
Specifies that the LAC will send all L2TP packets with the DF bit set to 1.
never—
Specifies that the LAC will send all L2TP packets with the DF bit set to 0.
default—
Follows the DF-bit configuration specified on upper levels.

ignore-avps

Syntax 
ignore-avps [sequencing-required]
no ignore-avps
Context 
config>router>l2tp
config>service>vprn>l2tp
Description 

This command specifies the L2TP AVPs that should be ignored in L2TP session control.

Default 

no ignore-avps

Parameters 
sequencing-required—
Ignores the [39] Sequencing Required AVP on the LNS when present in the L2TP ICCN message received from the LAC. By default, the session at the LNS would be disconnected in this case, with the Call Disconnect Notify (CDN) error code unknownMandatoryReceive(8). Note that when configured to ignore the Sequencing Required AVP, no Sequence Numbers are inserted into the data channel.

group

Syntax 
group tunnel-group-name [create]
no group tunnel-group-name
Context 
config>router>l2tp
config>service>vprn>l2tp
Description 

This command configures an L2TP tunnel group.

Parameters 
tunnel-group-name—
Specifies a name string to identify an L2TP group, up to 63 characters in length.
create—
This keyword is mandatory when creating a tunnel group name. The create keyword requirement can be enabled/disabled in the environment>create context.

tunnel

Syntax 
tunnel tunnel-name [create]
no tunnel tunnel-name
Context 
config>router>l2tp>group
config>service>vprn>l2tp>group
Description 

This command configures an L2TP tunnel. A tunnel exists between a LAC-LNS pair and consists of a Control Connection and zero or more L2TP sessions. The tunnel carries encapsulated PPP datagrams and control messages between the LAC and the L2TP Network Server (LNS).

Parameters 
tunnel-name—
Specifies a valid string to identify an L2TP tunnel, up to 32 characters in length.
create—
This keyword is mandatory when creating a new tunnel.

tunnel-selection-blacklist

Syntax 
tunnel-selection-blacklist
Context 
config>router>l2tp
Description 

This command enables the context to configure L2TP Tunnel Selection Blacklist parameters.

add-tunnel

Syntax 
add-tunnel never
add-tunnel on reason [reason...(up to 8 max)]
no add-tunnel
Context 
config>router>l2tp>tunnel-selection-blacklist
config>service>vprn>l2tp>tunnel-selection-blacklist
Description 

This command forces the tunnel to the blacklist and renders it unavailable for new sessions for the duration of the pre-configured time. Peers are always forced to the blacklist if they time out (failure to receive a response to control packets). In addition to timeouts, certain events can be used to trigger placement of the tunnel on the blacklist.

Parameters 
reason—
Specifies the return codes or events that determine which tunnels are added to the blacklist.
Values—
cdn-err-code — A tunnel will be forced to the blacklist if a CDN message with Result Code 2 (Call disconnected for the reasons indicated in error code) is received.
cdn-inv-dest — A tunnel will be forced to the blacklist if a CDN message with Result Code 6 (Invalid destination) is received.
cdn-tmp-no-facilities — A tunnel will be forced to the blacklist if a CDN message with Result Code 4 (Call failed due to lack of appropriate facilities being available - temporary condition) is received.
cdn-perm-no-facilities — A tunnel will be forced to the blacklist if a CDN message with Result Code 5 (Call failed due to lack of appropriate facilities being available - permanent condition) is received.
tx-cdn-not-established-in-time — A tunnel will be forced to the blacklist if a CDN message with Result Code 10 (Call was not established within time allotted by LAC) is sent from the LAC to the LNS.
stop-ccn-err-code — A tunnel will be forced to the blacklist if a StopCCN message with Result Code 2 (General error – Error Code indicates the problem) is sent or received.
stop-ccn-other — A tunnel will be forced to the blacklist if a StopCCN message with one of the following Result Codes is received:
(1) General request to clear control connection
(4) Requestor is not authorized to establish a control channel
(5) Protocol version not supported
(6) Requestor is being shutdown

Or if a StopCCN message with one of the following Result Codes is transmitted:
(4) Requestor is not authorized to establish a control channel
(5) Protocol version not supported

The receipt of the following Result Codes will NEVER blacklist a tunnel:
(0) Reserved
(3) Control channel already exists
(7) Finite state machine error
(8) Undefined

Transmission of the following Result Codes will NEVER blacklist a tunnel:
(1) General request to clear control connection
(3) Control channel already exists
(6) Requestor is being shutdown
(7) Finite state machine error

addr-change-timeout — A timed-out tunnel for which the peer IP address has changed mid-session (from the one that is provided initially during configuration) will be forced to the blacklist. In the absence of this configuration option, only the configured peer for the tunnel will be blacklisted, but not the tunnel itself, which now has a different peer address than the one initially configured.

never—
When specified, no tunnels will be placed on the blacklist under any circumstance. This parameter is available to preserve backward compatibility.

max-list-length

Syntax 
max-list-length unlimited
max-list-length count
no max-list-length
Context 
config>router>l2tp>tunnel-selection-blacklist
config>service>vprn>l2tp>tunnel-selection-blacklist
Description 

This command configures the maximum length of the peer/tunnel blacklist.

This command specifies how many items (tunnels or peers) can be in the tunnel-selection-blacklist. If a tunnel or peer needs to be added to the tunnel-selection-blacklist and the tunnel-selection-blacklist is full, the system will remove the item (tunnel or peer) from the blacklist that was in this blacklist for the longest time.

Default 

unlimited

Parameters 
unlimited—
Specifies there is no limit.
count—
Specifies how many items (tunnels or peers) can be in the tunnel-selection-blacklist.
Values—
1 to 65635

max-time

Syntax 
max-time minutes
no max-time
Context 
config>router>l2tp>tunnel-selection-blacklist
config>service>vprn>l2tp>tunnel-selection-blacklist
Description 

This command configures the time for which an entity (peer or tunnel) is kept in the blacklist.

Default 

5 minutes

Parameters 
minutes—
Specifies the maximum time a tunnel or peer may remain in the blacklist.
Values—
1 to 60

timeout-action

Syntax 
timeout-action action
no timeout-action
Context 
config>router>l2tp>tunnel-selection-blacklist
config>service>vprn>l2tp>tunnel-selection-blacklist
Description 

This command defines an action that will be executed on the entity (peer/tunnel) in the blacklist once the entity becomes eligible for selection again.

Default 

remove-from-blacklist

Parameters 
action —
Specifies the action to be taken when a tunnel or peer has been in the blacklist for the maximum period of time.
Values—
remove-from-blacklist — The peer or tunnel in the blacklist will be removed completely from the blacklist and made eligible for the selection process once the max-time expires. In this mode of operation, multiple new sessions can be mapped into the same tunnel that was just released from the blacklist. The first such session will try to set up the tunnel, while the others will be buffered until the tunnel establishment process is completed. If the tunnel remains unavailable, it will be placed in the blacklist again. Consequently, all new sessions will have to be re-negotiated over an alternate tunnel.
try-one-session — Once the max-time has expired, the peer or tunnel in the blacklist is made available for selection only to a single new session request. Only upon successful tunnel establishment will the incoming new sessions be eligible to be mapped into this tunnel. This behavior avoids session establishment delays if the tunnel just removed from the blacklist is still unavailable.
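
The add-tunnel, max-list-length and max-time rules described above, modelled as an added example that is not part of the original reference and is not router code. The class and method names are hypothetical, time is passed in by the caller in seconds, an item that is already listed keeps its original entry time (an assumption), and only the remove-from-blacklist timeout action is modelled.

```python
from collections import OrderedDict

# (message, direction, result code) -> add-tunnel reason, transcribed from the
# reason list above. Direction is "rx" (received) or "tx" (sent) by this system.
REASONS = {
    ("CDN", "rx", 2): "cdn-err-code",
    ("CDN", "rx", 4): "cdn-tmp-no-facilities",
    ("CDN", "rx", 5): "cdn-perm-no-facilities",
    ("CDN", "rx", 6): "cdn-inv-dest",
    ("CDN", "tx", 10): "tx-cdn-not-established-in-time",
    ("StopCCN", "rx", 2): "stop-ccn-err-code",
    ("StopCCN", "tx", 2): "stop-ccn-err-code",
}
# stop-ccn-other covers different result codes on receipt and on transmission.
REASONS.update({("StopCCN", "rx", c): "stop-ccn-other" for c in (1, 4, 5, 6)})
REASONS.update({("StopCCN", "tx", c): "stop-ccn-other" for c in (4, 5)})
# Anything else (for example StopCCN rx 0/3/7/8 or tx 1/3/6/7) never blacklists.


class TunnelSelectionBlacklist:
    """Hypothetical model of the tunnel-selection-blacklist context."""

    def __init__(self, reasons=(), max_list_length=None, max_time_minutes=5):
        self.reasons = set(reasons)              # "add-tunnel on <reason>..."
        self.max_list_length = max_list_length   # None models "unlimited"
        self.max_time = max_time_minutes * 60    # page default: 5 minutes
        self._entries = OrderedDict()            # item -> time added, oldest first

    def on_message(self, tunnel, message, direction, result_code, now):
        """Return the reason that blacklisted the tunnel, or None."""
        reason = REASONS.get((message, direction, result_code))
        if reason in self.reasons:
            self._add(tunnel, now)
            return reason
        return None

    def on_timeout(self, peer, now):
        """Peers that time out are always blacklisted, whatever the reasons."""
        self._add(peer, now)

    def is_blacklisted(self, item, now):
        self._expire(now)
        return item in self._entries

    def _expire(self, now):
        # remove-from-blacklist: entries leave the list once max-time expires.
        for item, added in list(self._entries.items()):
            if now - added >= self.max_time:
                del self._entries[item]

    def _add(self, item, now):
        self._expire(now)
        if item in self._entries:
            return  # assumption: an existing entry keeps its original time
        if (self.max_list_length is not None
                and len(self._entries) >= self.max_list_length):
            # Full list: drop the item that has been listed for the longest time.
            self._entries.popitem(last=False)
        self._entries[item] = now


if __name__ == "__main__":
    bl = TunnelSelectionBlacklist({"cdn-err-code"}, max_list_length=2)
    print(bl.on_message("tunnel-a", "CDN", "rx", 2, now=0))      # cdn-err-code
    print(bl.on_message("tunnel-b", "StopCCN", "rx", 3, now=1))  # None
```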

non-multi-chassis-tunnel-id-range

Syntax 
non-multi-chassis-tunnel-id-range start l2tp-tunnel-id end l2tp-tunnel-id
non-multi-chassis-tunnel-id-range default
no non-multi-chassis-tunnel-id-range
Context 
config>system>l2tp
Description 

This command sets the tunnel-id range that will be used to allocate a new tunnel-id for a tunnel for which no multi-chassis redundancy is configured.

Default 

Sets the tunnel-id range to the full tunnel-id range available on this system

The default for start l2tp-tunnel-id is 1. When it is set to 0, no tunnel-ids are available for tunnels for which no multi-chassis redundancy is configured.

The default for end l2tp-tunnel-id is the maximum tunnel-id allowed on this system. The end l2tp-tunnel-id must be set to 0 when the start l2tp-tunnel-id is set to 0 and vice versa.

track-srrp-instances

Syntax 
track-srrp-instances
Context 
config>redundancy>multi-chassis>peer>sync
Description 

This command enables the context to configure

track-srrp

Syntax 
[no] track-srrp [srrp-instance]
Context 
config>redundancy>multi-chassis>peer>sync>track-srrp-instances
Description 

This command configures a tracked SRRP instance.

The no form of the command reverts to the default.

Parameters 
srrp-instance—
Indicates the unique identifier of the tracked SRRP instance.
Values—
1 to 4294967295

l2tp-tunnel-id-range

Syntax 
l2tp-tunnel-id-range start l2tp-tunnel-id end l2tp-tunnel-id
no l2tp-tunnel-id-range
Context 
config>redundancy>multi-chassis>peer>sync>track-srrp-instances>track-srrp
Description 

This command sets the tunnel-id range that will be used to allocate a new tunnel-id for a tunnel for which multi-chassis redundancy is configured to this MCS peer.

Default 

Makes the tunnel ID empty.

Parameters 
start l2tp-tunnel-id
Specifies the start of the range of L2TP tunnel identifiers that can be allocated by L2TP on this system, to be synchronized with Multi Chassis Redundancy Synchronization (MCS).
Values—
1 to 16383
end l2tp-tunnel-id
Specifies the end of the range of L2TP tunnel identifiers that can be allocated by L2TP on this system, to be synchronized with Multi Chassis Redundancy Synchronization (MCS).
Values—
1 to 16383

recovery-max-session-lifetime

Syntax 
recovery-max-session-lifetime minutes
no recovery-max-session-lifetime
Context 
config>router>l2tp>failover
Description 

This command configures the sub-set of sessions that this system attempts to synchronize in the Session State Synchronization phase as described in RFC 4951, Fail Over Extensions for Layer 2 Tunneling Protocol (L2TP).

The no form of the command reverts to the default.

Default 

2

Parameters 
minutes—
Specifies the sub-set of sessions to recover.
Values—
2 to 4294967295

recovery-method

Syntax 
recovery-method method
no recovery-method
Context 
config>router>l2tp>failover
config>service>vprn>l2tp>failover
config>router>l2tp>group>failover
config>service>vprn>l2tp>group>failover
config>router>l2tp>group>tunnel>failover
config>service>vprn>l2tp>group>tunnel>failover
Description 

This command sets the recovery method to be used for newly created tunnels.

Default 

mcs on config>router>l2tp>failover

default on config>service>vprn>l2tp>failover

default on config>router>l2tp>group>tunnel>failover

default on config>service>vprn>l2tp>group>failover

default on config>service>vprn>l2tp>group>tunnel>failover

Parameters 
method—
Describes how a pair of redundant LAC peers recover tunnel and session state (sequence numbers, for example) immediately after a failover.
Note:

While failover is enabled, the tunnels and sessions proper are always kept synchronized between the redundant pair, regardless of the recovery method for the sequence numbers when a failover really occurs.

Values—
mcs — Specifies that the stateful information is recovered from the failover peer directly, using Multi-Chassis Redundancy Synchronization (MCS).
recovery-tunnel — Specifies that the stateful information is recovered as described in RFC 4951, Fail Over Extensions for Layer 2 Tunneling Protocol (L2TP). This method uses a recovery tunnel to the L2TP peer to pass the stateful information.
default — Specifies that the actual value must be derived from another object of the same type with a wider scope. Takes the value of the next higher level (not available in config>router>l2tp>failover and config>service>vprn>l2tp>failover).

recovery-time

Syntax 
recovery-time seconds
no recovery-time
Context 
config>router>l2tp>failover
config>service>vprn>l2tp>failover
config>router>l2tp>group>failover
config>service>vprn>l2tp>group>failover
config>router>l2tp>group>tunnel>failover
config>service>vprn>l2tp>group>tunnel>failover
Description 

This command sets the recovery time to be negotiated via RFC 4951. It represents the extra time this L2TP peer (LAC or LNS) needs to recover all its tunnels.

Default 

0 on config>router>l2tp>failover

config>service>vprn>l2tp>failover

Parameters 
seconds—
The period of time, expressed in seconds, an endpoint asks its peer to wait before assuming the recovery process has failed.
Values—
0 to 900

track-srrp

Syntax 
track-srrp srrp-instance peer ip-address sync-tag sync-tag
no track-srrp srrp-instance
Context 
config>router>l2tp>failover
config>service>vprn>l2tp>failover
Description 

This command sets the sync-tag to be used to synchronize the tunnels with track-srrp srrp-instance to the MCS peer ip-address. The same sync-tag should be configured on the MCS peer.

Default 

Removes the sync-tag for the indicated track-srrp.

Parameters 
srrp-instance—
Specifies the Simple Router Redundancy Protocol (SRRP) instance used for Multi-Chassis redundancy failover that is associated with this Layer Two Tunneling Protocol Tunnel.
sync-tag sync-tag
Specifies a synchronization tag to be used while synchronizing with the peer.

tunnel

Syntax 
tunnel tunnel-name [create]
no tunnel tunnel-name
Context 
config>router>l2tp>group
Description 

This command configures an L2TP tunnel.

Parameters 
tunnel-name—
Specifies a string to identify an L2TP tunnel, up to 32 characters in length.

L2TP Tunnel RADIUS Accounting Commands

l2tp-accounting-policy

Syntax 
l2tp-policy policy-name [create]
no l2tp-policy
Context 
config>aaa
Description 

This command enables the L2TP accounting.

The no form of this command disables accounting.

Default 

None

Parameters 
name—
The name of L2TP tunnel accounting policy.
create—
Mandatory keyword to create a policy name.

accounting-type

Syntax 
accounting-type [session] [tunnel]
no accounting-type
Context 
config>aaa>l2tp-acct-plcy
Description 

This command specifies the accounting type for the L2TP tunnel accounting policy.

The no form of the command reverts to the default.

Default 

session tunnel

Parameters 
session—
Enables tunnel level accounting, including:

Tunnel-Link-Start

Tunnel-Link-Stop

Tunnel-Link-Reject

tunnel—
Enables link level accounting, including:

Tunnel-Start

Tunnel-Stop

Tunnel-Reject

include-radius-attribute

Syntax 
[no] include-radius-attribute
Context 
config>aaa>l2tp-acct-plcy
Description 

This command enables the context to specify the RADIUS parameters that the system should include into RADIUS authentication-request messages.

The no form of the command disables

nas-identifier

Syntax 
[no] nas-identifier
Context 
config>aaa>l2tp-acct-plcy>include-radius-attribute
Description 

This command enables the generation of the nas-identifier RADIUS attribute.

nas-port

Syntax 
[no] nas-port bit-specification binary-spec
Context 
config>aaa>l2tp-acct-plcy>include-radius-attribute
Description 

This command enables the generation of the nas-port RADIUS attribute. You enter the decimal representation of a 32-bit string that indicates your port information. This 32-bit string can be compiled from different information from the port (data types). The syntax number-of-bits data-type indicates how many of the 32 bits are used for the specific data type. These data types can be combined up to 32 bits in total. Between the different data types, 0s and 1s can be added as fixed bits.

The no form of this command disables your nas-port configuration.

Parameters 
bit-specification binary-spec—
Specifies the NAS-Port attribute
Values—
binary-spec          <bit-specification> <binary-spec>
bit-specification    0 | 1 | <bit-origin>
bit-origin           *<number-of-bits><origin>
number-of-bits       1 to 32
origin               o | i | s | m | p
o                    outer VLAN ID
i                    inner VLAN ID
s                    slot number
m                    MDA number
p                    port number or lag-id

Output 

Sample
*12o*12i00*2s*2m*2p => oooo oooo oooo iiii iiii iiii 00ss mmpp
If outer vlan = 0 & inner vlan = 1 & slot = 3 & mda = 1 & port = 1
=>  0000 0000 0000 0000 0000 0001 0011 0101 => nas-port = 309 
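
The sample above worked through in code, as an added example that is not part of the original reference: it parses a binary-spec, packs port values into the NAS-Port integer, and decodes a received value back into its fields, which helps when mapping an accounting record to a physical port. The function and field names, the rejection of values that do not fit their field, and the treatment of a spec shorter than 32 bits as the low-order bits are assumptions of this example.

```python
import re

# Origin letters from the "origin" list above; the field names are hypothetical.
ORIGINS = {"o": "outer_vlan", "i": "inner_vlan", "s": "slot", "m": "mda", "p": "port"}

# One token is either a bit-origin (*<number-of-bits><origin>) or a fixed 0/1 bit.
_TOKEN = re.compile(r"\*(\d+)([oismp])|([01])")


def parse_binary_spec(spec):
    """Return [(kind, width, fixed_value)], most significant field first."""
    fields, pos = [], 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if not m:
            raise ValueError(f"bad binary-spec at offset {pos}: {spec[pos:]!r}")
        if m.group(3) is not None:
            fields.append(("fixed", 1, int(m.group(3))))
        else:
            width = int(m.group(1))
            if not 1 <= width <= 32:
                raise ValueError(f"number-of-bits out of range: {width}")
            fields.append((ORIGINS[m.group(2)], width, None))
        pos = m.end()
    total = sum(width for _, width, _ in fields)
    if not fields or total > 32:
        raise ValueError(f"spec must describe 1 to 32 bits, got {total}")
    return fields


def encode_nas_port(spec, **port_info):
    """Pack port_info (keyed by ORIGINS names) into the NAS-Port integer."""
    value = 0
    for kind, width, fixed in parse_binary_spec(spec):
        bits = fixed if kind == "fixed" else port_info[kind]
        if not 0 <= bits < (1 << width):
            # Assumption of this example: reject rather than truncate.
            raise ValueError(f"{kind}={bits} does not fit in {width} bits")
        value = (value << width) | bits
    return value


def decode_nas_port(spec, nas_port):
    """Split a received NAS-Port integer back into its fields."""
    fields = parse_binary_spec(spec)
    shift = sum(width for _, width, _ in fields)
    if not 0 <= nas_port < (1 << shift):
        raise ValueError(f"{nas_port} is wider than the spec ({shift} bits)")
    out = {}
    for kind, width, fixed in fields:
        shift -= width
        bits = (nas_port >> shift) & ((1 << width) - 1)
        if kind == "fixed":
            if bits != fixed:
                raise ValueError("fixed bit differs from the spec: wrong spec?")
        elif out.setdefault(kind, bits) != bits:
            raise ValueError(f"{kind} appears twice with different values")
    return out


if __name__ == "__main__":
    SPEC = "*12o*12i00*2s*2m*2p"  # the spec from the sample above
    n = encode_nas_port(SPEC, outer_vlan=0, inner_vlan=1, slot=3, mda=1, port=1)
    print(n, f"{n:032b}", decode_nas_port(SPEC, n))
```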

nas-port-id

Syntax 
nas-port-id
nas-port-id [prefix-string string] [suffix suffix-option]
no nas-port-id
Context 
config>aaa>l2tp-acct-plcy>include-radius-attribute
Description 

This command enables the generation of the nas-port-id RADIUS attribute. Optionally, the value of this attribute (the SAP-id) can be prefixed by a fixed string and suffixed by the circuit-id or the remote-id of the client connection. If a suffix is configured, but no corresponding data is available, the suffix used will be 0/0/0/0/0/0.

Parameters 
prefix-string string
Specifies that a user configurable string will be added to the RADIUS NAS port attribute, up to 8 characters in length.
suffix suffix-option
Specifies the suffix type to be added to the RADIUS NAS port attribute.
Values—
circuit-id, remote-id

nas-port-type

Syntax 
nas-port-type
nas-port-type [type]
no nas-port-type
Context 
config>aaa>l2tp-acct-plcy>include-radius-attribute
Description 

This command enables the generation of the nas-port-type RADIUS attribute. If set to nas-port-type, the following values will be sent: 32 (null-encap), 33 (dot1q), 34 (qinq), 15 (DHCP hosts). The nas-port-type can also be set to a specified value, with an integer from 0 to 255.

The no form of the command reverts to the default.

Default 

no nas-port-type

Parameters 
type
Specifies an enumerated integer that specifies the value that will be put in the RADIUS nas-port-type attribute.
Values—
0 to 255

radius-accounting-server

Syntax 
radius-accounting-server
Context 
config>aaa>l2tp-acct-plcy>include-radius-attribute
Description 

This command creates the context for defining RADIUS accounting server attributes under a given session authentication policy.

access-algorithm

Syntax 
access-algorithm {direct | round-robin}
no access-algorithm
Context 
config>aaa>l2tp-acct-plcy>include-radius-attribute
Description 

This command configures the algorithm used to access the list of configured RADIUS servers.

Default 

direct

Parameters 
direct —
Specifies that the first server will be used as primary server for all requests, the second as secondary and so on.
round-robin—
Specifies that the first server will be used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

retry

Syntax 
retry count
Context 
config>aaa>l2tp-acct-plcy>radius-acct-server
Description 

This command configures the number of times the router attempts to contact the RADIUS server for authentication.

Note:

The retry count includes the first attempt.

The no form of the command reverts to the default value.

Default 

3 (the initial attempt as well as two retried attempts)

Parameters 
count—
Specifies the retry count.
Values—
1 to 10

router

Syntax 
router router-instance
router service-name service-name
no router
Context 
config>aaa>l2tp-acct-plcy>radius-acct-server
Description 

This command specifies the number of times the router attempts to contact the RADIUS server for authentication, if not successful the first time.

The no form of the command reverts to the default value.

server

Syntax 
server server-index address ip-address secret key [hash | hash2] [port port] [create]
no server server-index
Context 
config>aaa>l2tp-acct-plcy>radius-acct-server
Description 

This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.

Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried.

The no form of the command removes the server from the configuration.

Default 

none

Parameters 
server-index—
The index for the RADIUS server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.
Values—
1 to 16 (a maximum of 5 accounting servers)
address ip-address—
The IP address of the RADIUS server. Two RADIUS servers cannot have the same IP address. An error message is generated if the server address is a duplicate.
secret key
The secret key to access the RADIUS server. This secret key must match the password on the RADIUS server.
Values—
secret-key — A string up to 20 characters in length.
hash-key — A string up to 33 characters in length.
hash2-key — A string up to 55 characters in length.
hash—
Specifies that the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.
hash2 —
Specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
port—
Specifies the UDP port number on which to contact the RADIUS server for authentication.
Values—
1 to 65535
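
The limits listed for the server command can be checked mechanically before a configuration snippet or provisioning template is applied. The following is an added example, not part of the original reference or of the router software: it audits `server` lines against the documented ranges and flags keys entered without hash or hash2. The function name, the sample lines and their key strings are constructed for illustration.

```python
import ipaddress
import re

# Length limits per key form, taken from the "secret key" values listed above.
KEY_LIMITS = {None: 20, "hash": 33, "hash2": 55}
MAX_SERVERS = 5  # "Up to five RADIUS servers can be configured at any one time"

SERVER_RE = re.compile(
    r'^server\s+(?P<index>\d+)\s+address\s+(?P<addr>\S+)\s+secret\s+'
    r'(?P<key>"[^"]*"|\S+)(?:\s+(?P<form>hash2|hash))?'
    r'(?:\s+port\s+(?P<port>\d+))?(?:\s+create)?\s*$'
)

# Constructed sample lines; the key strings are placeholders, not real hash output.
SAMPLE = """\
server 1 address 192.0.2.10 secret "ExampleHashedKeyValue01" hash2 port 1813 create
server 2 address 192.0.2.11 secret "cleartext-secret" port 1813 create
server 3 address 192.0.2.10 secret "ExampleHashedKeyValue02" hash2 create
server 17 address 192.0.2.12 secret "ExampleHashedKeyValue03" hash port 70000 create
""".splitlines()

def audit_servers(lines):
    """Return (line_no, finding) pairs for server lines that break the documented limits."""
    findings, seen_addr, seen_idx = [], {}, set()
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line.startswith("server "):
            continue
        m = SERVER_RE.match(line)
        if not m:
            findings.append((no, "does not match documented server syntax"))
            continue
        idx, form, key = int(m["index"]), m["form"], m["key"].strip('"')
        if not 1 <= idx <= 16:
            findings.append((no, f"server-index {idx} outside 1 to 16"))
        seen_idx.add(idx)
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            findings.append((no, f"invalid ip-address {m['addr']}"))
        else:
            if addr in seen_addr:
                findings.append((no, f"duplicate address {addr} (first on line {seen_addr[addr]})"))
            seen_addr.setdefault(addr, no)
        if len(key) > KEY_LIMITS[form]:
            findings.append((no, f"{form or 'clear-text'} key longer than {KEY_LIMITS[form]} characters"))
        if form is None:
            findings.append((no, "key entered in clear text (no hash/hash2)"))
        if m["port"] and not 1 <= int(m["port"]) <= 65535:
            findings.append((no, f"port {m['port']} outside 1 to 65535"))
    if len(seen_idx) > MAX_SERVERS:
        findings.append((0, f"{len(seen_idx)} servers configured, maximum is {MAX_SERVERS}"))
    return findings
```

A finding with line number 0 applies to the server list as a whole rather than to one line.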

source-address

Syntax 
source-address ip-address
no source-address
Context 
config>aaa>l2tp-acct-plcy>radius-acct-server
Description 

This command configures the source address of the RADIUS messages.

The no form of the command reverts to the default value.

Default 

system IP address

Parameters 
ip-address—
Specifies the source address to be used for NAT RADIUS accounting.

timeout

Syntax 
timeout seconds
Context 
config>aaa>l2tp-acct-plcy>radius-acct-server
Description 

This command configures the number of seconds the router waits for a response from a RADIUS server.

The no form of the command reverts to the default value.

Default 

5

Parameters 
seconds—
Specifies the time the router waits for a response from a RADIUS server.
Values—
1 to 90

request-script-policy

Syntax 
request-script-policy radius-script-policy-name
no request-script-policy
Context 
config>aaa>l2tp-acct-plcy>radius-acct-server
Description 

This command specifies the RADIUS script policy to be used for accounting-request packets.

The no form of the command removes the policy from the configuration.

Parameters 
radius-script-policy-name—
Configures a Python script policy name to modify Access-Request messages.

Show Commands

Note:

The command outputs in the following section are examples only; actual displays may differ depending on supported functionality and user configuration.

peer

Syntax 
peer ip-address [udp-port port]
peer ip-address statistics [udp-port port]
peer [draining] [blacklisted | selectable | unreachable]
Context 
show>router>l2tp
Description 

This command displays L2TP peer operational information.

Parameters 
ip-address—
Specifies the IP address for the L2TP peer.
Values—
ip-address: ipv4-address - a.b.c.d
ipv6-address - x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x - [0 to FFFF]H
d - [0 to 255]D
draining - keyword
statistics - keyword
port - [1 to 65535]

Output 

Sample Output
show router l2tp peer 10.100.0.2
===============================================================================
Peer IP: 10.100.0.2
===============================================================================
Roles capab/actual: LAC LNS /LAC  -     Draining          : false
Tunnels           : 1                   Tunnels Active    : 0
Sessions          : 1                   Sessions Active   : 0
Reachability      : blacklisted         Time Unreachable  : 01/31/2013 08:55:06
Time Blacklisted  : 01/31/2013 08:55:06 Remaining (s)     : 34
===============================================================================
Conn ID                      Loc-Tu-ID Rem-Tu-ID State              Ses Active
  Group                                                             Ses Total
    Assignment
-------------------------------------------------------------------------------
977207296                    14911     0         closed             0
  base_lac_base_lns                                                 1
    t1
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
 
 
show router l2tp tunnel detail
===============================================================================
L2TP Tunnel Status
==============================================================================
Connection ID: 831782912
State        : closedByPeer
IP           : 10.0.0.1
Peer IP      : 10.100.0.2
Tx dst-IP    : 10.100.0.2
Rx src-IP    : 10.100.0.2
Name         : lac
Remote Name  :
Assignment ID: t1
Group Name   : base_lac_base_lns
Acct. Policy : l2tp-base
Error Message: N/A
 
                                        Remote Conn ID    : 4294901760
Tunnel ID         : 12692               Remote Tunnel ID  : 65535
UDP Port          : 1701                Remote UDP Port   : 1701
Preference        : 50                  Receive Window    : 64
Hello Interval (s): 300
Idle TO (s)       : 5                   Destruct TO (s)   : 60
Max Retr Estab    : 5                   Max Retr Not Estab: 5
Session Limit     : 32767               AVP Hiding        : sensitive
Transport Type    : udpIp               Challenge         : never
Time Started      : 01/31/2013 08:56:58 Time Idle         : 01/31/2013 08:56:58
Time Established  : N/A                 Time Closed       : 01/31/2013 08:56:58
Stop CCN Result   : reqShutDown         General Error     : noError
Blacklist-state   : blacklisted
Blacklist Time    : 01/31/2013 08:56:58 Remaining (s)     : 49
-------------------------------------------------------------------------------
No. of tunnels: 1
===============================================================================
 

l2tp

Syntax 
l2tp
Context 
show>system
Description 

This command displays L2TP system information.

Output 

Sample Output
*A:Dut-C# show system l2tp
===============================================================================
L2TP system
===============================================================================
Non MC tunnel ID range                                  : 8193-16383
Max number of tunnels                                   : 16383
Max number of sessions                                  : 131071
Max number of sessions per tunnel                       : 32767
===============================================================================
 

sync

Syntax 
sync [peer ip-address] [statistics]
sync peer ip-address detail
Context 
show>redundancy>multi-chassis
Description 

This command displays synchronization information.

Parameters 
ip-address—
Specifies the IP address of the peer.
Values—
ipv4-address - a.b.c.d
detail—
Keyword to display detailed output.
statistics—
Keyword to display statistics.
Output 

Sample Output
*A:Dut-C# show redundancy multi-chassis sync peer 2.1.2.2 detail 
 
===============================================================================
Multi-chassis Peer Table
===============================================================================
Peer
-------------------------------------------------------------------------------
Peer IP Address         : 2.1.2.2
Description             : Mc-Lag peer 2.1.2.2
Authentication          : Disabled
Source IP Address       : 1.1.1.1
Admin State             : Enabled
-------------------------------------------------------------------------------
Sync-status
-------------------------------------------------------------------------------
Client Applications     : SUBMGMT-PPPOE SRRP l2tp
Sync Admin State        : Up
Sync Oper State         : Up
Sync Oper Flags         : 
DB Sync State           : inSync
Num Entries             : 2028
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
Rem Num Entries         : 2028
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
 
===============================================================================
MCS Application Stats
===============================================================================
Application             : igmp
Num Entries             : 0
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 0
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : igmpSnooping
Num Entries             : 0
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 0
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : subMgmtIpoe
Num Entries             : 0
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 0
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : srrp
Num Entries             : 26
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 26          
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : mcRing
Num Entries             : 0
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 0
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : mldSnooping
Num Entries             : 0
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 0
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : dhcpServer
Num Entries             : 0
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 0
Rem Lcl Deleted Entries : 0           
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : subHostTrk
Num Entries             : 0
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 0
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : subMgmtPppoe
Num Entries             : 2000
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 2000
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : mcIpsec
Num Entries             : 0
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 0
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0           
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : mld
Num Entries             : 0
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 0
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : python
Num Entries             : 0
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 0
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : l2tp
Num Entries             : 2
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 2
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0           
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
Application             : diamProxy
Num Entries             : 0
Lcl Deleted Entries     : 0
Alarm Entries           : 0
OMCR Standby Entries    : 0
OMCR Alarm Entries      : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 0
Rem Lcl Deleted Entries : 0
Rem Alarm Entries       : 0
Rem OMCR Standby Entries: 0
Rem OMCR Alarm Entries  : 0
-------------------------------------------------------------------------------
===============================================================================
===============================================================================
Ports synced on peer 2.1.2.2
===============================================================================
Port/Encap                    Tag
-------------------------------------------------------------------------------
3/2/5                         
  1-999                       pppoe1
  1000-1000                   srrp1
3/2/6                         
  1-999                       pppoe2
===============================================================================
===============================================================================
DHCP Server instances synced on peer 2.1.2.2
===============================================================================
Router-Name                      Server-Name
  Tag
-------------------------------------------------------------------------------
No instances found
===============================================================================
===============================================================================
Python cache instances synced on peer 2.1.2.2
===============================================================================
Python-Policy                    Tag
-------------------------------------------------------------------------------
No instances found
===============================================================================
===============================================================================
L2TP instances
===============================================================================
Router         Tag                              SRRP
-------------------------------------------------------------------------------
Base           lac1                             1
Base           lac2                             2
===============================================================================
===============================================================================
Track SRRP instances
===============================================================================
SRRP                    : 1
-------------------------------------------------------------------------------
L2TP tunnel ID start    : 1
L2TP tunnel ID end      : 1
 
SRRP                    : 2
-------------------------------------------------------------------------------
L2TP tunnel ID start    : 2
L2TP tunnel ID end      : 2
===============================================================================
===============================================================================
Diameter proxy instances synced on peer 2.1.2.2
===============================================================================
Diameter-Peer-Policy             Tag
-------------------------------------------------------------------------------
No instances found
===============================================================================
===============================================================================
*A:Dut-C# 
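
The detail output above pairs every local counter with a "Rem" counter for the peer, so a mismatch between the two chassis can be found by script. The following is an added example, not part of the original reference: it parses the Sync-status and MCS Application Stats sections and reports differing entry counts and non-zero alarm entries. The function names and the sample text are constructed, and treating "Up" and "inSync" as the only healthy states is an assumption based on the sample output.

```python
import re

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /-]*?)\s*:\s*(.*?)\s*$")

# Constructed sample in the layout of the output above, trimmed to two applications.
SAMPLE = """\
Sync-status
Sync Oper State         : Up
DB Sync State           : inSync
Num Entries             : 28
Rem Num Entries         : 27
===============================================================================
MCS Application Stats
===============================================================================
Application             : srrp
Num Entries             : 26
Alarm Entries           : 0
-------------------------------------------------------------------------------
Rem Num Entries         : 26
Rem Alarm Entries       : 0
-------------------------------------------------------------------------------
Application             : l2tp
Num Entries             : 2
Alarm Entries           : 1
-------------------------------------------------------------------------------
Rem Num Entries         : 1
Rem Alarm Entries       : 0
Ports synced on peer 2.1.2.2
"""

def parse_sync_detail(text):
    """Split the output into the Sync-status fields and one dict per MCS application."""
    status, apps, target = {}, {}, None
    for line in text.splitlines():
        title = line.strip()
        if title == "Sync-status":
            target = status
        elif title.startswith("Ports synced on peer"):
            break  # the later tables (ports, L2TP instances, SRRP) are not key/value
        m = FIELD_RE.match(line)
        if not m or target is None:
            continue  # separators, headings and the peer block before Sync-status
        key, value = m.groups()
        if key == "Application":
            target = apps.setdefault(value, {})
        else:
            target[key] = value  # a repeated key keeps its last value
    return status, apps

def sync_findings(text):
    """List the differences between this chassis and its peer that need a look."""
    status, apps = parse_sync_detail(text)
    out = []
    for key, healthy in (("Sync Oper State", "Up"), ("DB Sync State", "inSync")):
        if status.get(key) != healthy:
            out.append(f"{key} is {status.get(key)}")
    for name, f in [("total", status), *apps.items()]:
        if f.get("Num Entries") != f.get("Rem Num Entries"):
            out.append(f"{name}: local {f.get('Num Entries')} entries, peer {f.get('Rem Num Entries')}")
        for key in ("Alarm Entries", "Rem Alarm Entries"):
            if f.get(key, "0") != "0":
                out.append(f"{name}: {key} = {f[key]}")
    return out
```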
 

Debug Commands

assignment-id

Syntax 
assignment-id assignment-id
Context 
debug>router>l2tp
Description 

This command enables and configures debugging for the L2TP tunnel with a given assignment-id.

Parameters 
assignment-id—
Specifies a string that distinguishes this L2TP tunnel.

event

Syntax 
[no] event
Context 
debug>router>l2tp
debug>router>l2tp>assignment-id
debug>router>l2tp>group
debug>router>l2tp>peer
debug>router>l2tp>tunnel
Description 

This command configures an L2TP debugging event.

group

Syntax 
group tunnel-group-name
Context 
debug>router>l2tp
Description 

This command enables and configures debugging for an L2TP group.

Parameters 
tunnel-group-name—
Specifies the tunnel group name up to 63 characters in length.

peer

Syntax 
peer ip-address [udp-port port]
Context 
debug>router>l2tp
Description 

This command enables and configures debugging for an L2TP peer.

Parameters 
ip-address—
Specifies the IP address of the session.
Values—
<ip-address> : ipv4-address - a.b.c.d
ipv6-address - x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x - [0 to FFFF]H
d - [0 to 255]D
udp-port port
Specifies the local UDP port of this L2TP.
Values—
1 to 65535

tunnel

Syntax 
tunnel connection-id
Context 
debug>router>l2tp
Description 

This command enables and configures debugging for an L2TP tunnel.

Parameters 
connection-id—
Specifies the connection ID of the L2TP session associated with this session.
Values—
1 to 4294967295

recovery

Syntax 
[no] recovery
Context 
debug>router>l2tp>assignment-id>event
debug>router>l2tp>event
debug>router>l2tp>group>event
debug>router>l2tp>peer>event
debug>router>l2tp>tunnel>event
Description 

This command configures L2TP LAC state recovery event debugging.

recovery-failed

Syntax 
[no] recovery-failed
Context 
debug>router>l2tp>assignment-id>event
debug>router>l2tp>event
debug>router>l2tp>group>event
debug>router>l2tp>peer>event
debug>router>l2tp>tunnel>event
Description 

This command configures L2TP LAC state recovery failed event debugging.