AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
L2TP Commands


NOTE:

The AR500, AR510, and AR530 series do not support the LAC and LNS functions, but they do support the L2TP client function.

allow l2tp

Function

The allow l2tp command specifies a virtual interface template and the name of an LAC tunnel that are used by the LNS to accept an L2TP connection request.

The undo allow command rejects an L2TP connection request.

By default, an L2TP connection request is rejected.

Format

allow l2tp virtual-template virtual-template-number [ remote remote-name [ vpn-instance vpn-instance-name ] ]

NOTE:
Only V200R007C02 supports the vpn-instance keyword.

undo allow

Parameters

Parameter | Description | Value
virtual-template virtual-template-number | Specifies the number of a virtual interface template used when the LNS accepts a call connection request. | The value is an integer that ranges from 0 to 1023.
remote remote-name | Specifies the name of a remote tunnel end. You can use the tunnel name command to configure the name on an LAC in the L2TP group view. When the L2TP group number is not 1, you must specify remote-name. | The value is a string of 1 to 30 case-sensitive characters.
vpn-instance vpn-instance-name | Specifies the VPN instance to which the IP address of the L2TP connection belongs. The LNS searches for the corresponding L2TP group based on the VPN instance name and remote-name. Route information to LACs exists in the routing table of the VPN instance. | The value is a string of 1 to 31 case-sensitive characters.

Views

L2TP group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The allow l2tp command is used on the LNS side to establish an L2TP connection between the LAC and LNS. After receiving an L2TP connection request, the LNS accepts the request and initiates PPP negotiation on the specified virtual tunnel template (which is also used as an L2TP tunnel interface) if the tunnel name contained in the connection request is consistent with the name specified by the allow l2tp command.

When L2TP group 1 is used and the tunnel name is not specified, the default L2TP group receives L2TP connection requests sent by any remote end and the tunnel name on the LAC side is not checked. This method can be used when the name of a remote tunnel end is unknown to the LNS.

Precautions

When you specify the name of the remote tunnel end, ensure that the name is consistent with the tunnel name configured on the LAC side.

Example

# Configure the device to receive L2TP tunnel connection requests sent by the LAC device named lac. Create a virtual interface template virtual-template 1.

<Huawei> system-view
[Huawei] l2tp-group 2
[Huawei-l2tp2] allow l2tp virtual-template 1 remote lac

# Set L2TP group 1 as the default L2TP group, configure the device to receive L2TP tunnel connection requests sent by any remote end, and create a virtual interface template virtual-template 1.

<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] allow l2tp virtual-template 1

# Configure the device to receive L2TP tunnel connection requests sent by the LAC device named lac that belongs to vpn1. Create a virtual interface template virtual-template 1.

<Huawei> system-view
[Huawei] l2tp-group 2
[Huawei-l2tp2] allow l2tp virtual-template 1 remote lac vpn-instance vpn1

display l2tp session

Function

The display l2tp session command displays information about L2TP sessions established on the current device.

Format

display l2tp session [ destination-ip d-ip-address | session-item session-id | source-ip s-ip-address ]

Parameters

Parameter | Description | Value
destination-ip d-ip-address | Specifies the IP address of the L2TP tunnel remote end used to view session information. | The value is in dotted decimal notation.
session-item session-id | Specifies the local session ID used to view session and tunnel information. | The value is an integer. The range depends on the device type: AR500&AR530 series, 1 to 16; AR510 series, 1 or 2.
source-ip s-ip-address | Specifies the IP address of the L2TP tunnel local end used to view session information. | The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After L2TP sessions are established, you can use this command to view the number of L2TP sessions that are established on the current device, and the session IDs.

You can view statistics of L2TP sessions by the IP address of the L2TP tunnel remote end or local end.

If local session IDs are specified, you can view information about L2TP sessions and the tunnel.

Prerequisites

L2TP sessions have been established.

Example

# Display information about L2TP sessions.

<Huawei> display l2tp session

 Total session : 1
 LocalSID  RemoteSID  LocalTID
  1         1          1

Table 10-1  Description of the display l2tp session command output

Item | Description
Total session | Total number of sessions established on the local end.
LocalSID | Local session ID.
RemoteSID | Remote session ID.
LocalTID | Local tunnel ID.

# Display information about L2TP sessions of the tunnel with the destination IP address as 10.1.2.3.

<Huawei> display l2tp session destination-ip 10.1.2.3

 Total session : 1
 LocalSID  RemoteSID  LocalTID
 ----------------------------------------------------------------------------
  1          1         1                        

# Display information about L2TP sessions of the tunnel with the local session ID as 1.

<Huawei> display l2tp session session-item 1
  ---------------------------------------------------------
    Call id             :1
    Remote Call id      :1
    Call State          :Up
    Remote tunnel name  :lac
    Remote Address      :10.1.2.3   port : 1701
    Local tunnel name   :lns
    Local Address       :10.1.2.4   port : 1701
    Call serial number  :1
    Session username    : NULL
    Sequencing is       :off
  --------------------------------------------------------- 

Table 10-2  Description of the display l2tp session command output

Item | Description
Call id | Local session ID.
Remote Call id | Remote session ID.
Call State | Call status. The value is Up after an L2TP session is established.
Remote tunnel name | Remote tunnel name.
Remote Address | Remote tunnel address.
Local tunnel name | Local tunnel name.
Local Address | Local IP address.
Call serial number | Call serial number.
Session username | Session username. The default value is NULL.
Sequencing is | Sequencing function. The default value is off.


display l2tp tunnel

Function

The display l2tp tunnel command displays information about the current L2TP tunnel.

Format

display l2tp tunnel [ tunnel-item tunnel-id | tunnel-name tunnel-name ]

Parameters

Parameter | Description | Value
tunnel-item tunnel-id | Specifies the tunnel ID used to view tunnel information. | The value is an integer. The range depends on the device type: AR500&AR530 series, 1 to 16; AR510 series, 1 or 2.
tunnel-name tunnel-name | Specifies the name of the tunnel remote end used to view tunnel information. | The value is a string of 1 to 30 characters.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After L2TP tunnels are established, you can use this command to view the number of L2TP tunnels that are established on the current device, the tunnel IDs, and tunnel addresses.

You can view detailed information about a specified L2TP tunnel by local tunnel ID or remote tunnel name.

Prerequisites

L2TP sessions have been established.

Example

# Display information about the current L2TP tunnel.

V200R007C00,V200R007C01:

<Huawei> display l2tp tunnel

 Total tunnel : 1
 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
 1        1         10.1.2.4         1701   1        lns 

V200R007C02:

<Huawei> display l2tp tunnel

 Total tunnel : 1
 LocalTID RemoteTID RemoteAddress    VPN-Instance Name    Port   Sessions RemoteName
 1        1         10.1.2.3          a                    1701   1        lac 
NOTE:

If a large number of sessions are carried over a tunnel, the sessions may still exist when you tear down the tunnel.

Table 10-3  Description of the display l2tp tunnel command output

Item | Description
Total tunnel | Total number of tunnels established on the local end.
LocalTID | Local tunnel ID.
RemoteTID | Remote tunnel ID.
RemoteAddress | Remote tunnel IP address.
VPN-Instance Name | Name of the VPN instance to which the L2TP tunnel belongs. NOTE: This parameter is available in V200R007C02 only.
Port | Remote port number. The value is 1701 in general.
Sessions | Number of sessions that an L2TP tunnel carries.
RemoteName | Name of the tunnel remote end.

# Display detailed information about L2TP tunnel 1.

V200R007C00,V200R007C01:

<Huawei> display l2tp tunnel tunnel-item 1
  ---------------------------------------------------------
    Tunnel id           :1
    Remote Tunnel id    :1
    Tunnel State        :Up
    Remote tunnel name  :lns
    Remote Address      :10.1.2.4   port : 1701
    ReCall Address      :10.1.2.4
    Local tunnel name   :lac
    Local Address       :10.1.2.3   port : 1701
    active sessions     :1
    Session Limit       :4294967295
    Control Ns          :170
    Control Nr          :169
    Retransmission      :5
    Timeout             :2
    Hello Interval      :60
    Local RWS           :4
    Remote RWS          :128
    OuterDscp           :0xff
  --------------------------------------------------------- 

V200R007C02:

<Huawei> display l2tp tunnel tunnel-item 1
  ---------------------------------------------------------
    Tunnel id           :1                                                      
    Remote Tunnel id    :1                                                      
    Tunnel State        :Up                                                     
    Remote tunnel name  :lac                                                    
    Remote Address      :10.1.2.3   port : 1701                                  
    ReCall Address      :10.1.2.3                                                
    Local tunnel name   :lns                                                    
    Local Address       :10.1.2.4   port : 1701                                  
    active sessions     :1                                                      
    Session Limit       :4294967295                                             
    Control Ns          :277                                                    
    Control Nr          :279                                                    
    Retransmission      :5                                                      
    Timeout             :2                                                      
    Hello Interval      :60                                                     
    Local RWS           :4                                                      
    Remote RWS          :128                                                    
    OuterDscp           :0xff
  --------------------------------------------------------- 

Table 10-4  Description of the display l2tp tunnel command output

Item | Description
Tunnel id | Local tunnel ID.
Remote Tunnel id | Remote tunnel ID.
Tunnel State | Tunnel status. The tunnel status is Up after the L2TP tunnel is successfully set up.
Remote tunnel name | Name of the tunnel remote end.
Remote Address | Remote port number and IP address. The port number is 1701 in general.
ReCall Address | Recall address.
Local tunnel name | Name of the tunnel local end.
Local Address | Local port number and IP address. The port number is 1701 in general.
active sessions | Number of sessions established in the current L2TP tunnel.
Session Limit | Maximum number of sessions that can be established in the L2TP tunnel.
Control Ns | Number of control packets sent over the tunnel.
Control Nr | Number of control packets received over the tunnel.
Retransmission | Number of retransmission times after the transmission of control packets fails.
Timeout | Aging time of control packets.
Hello Interval | Interval for sending Hello packets.
Local RWS | Size of the local receiving window.
Remote RWS | Size of the remote receiving window.
OuterDscp | Priority of packets after L2TP encapsulation. This parameter is used in QoS deployment.


display l2tp-group

Function

The display l2tp-group command displays configurations of the L2TP group on the device.

Format

display l2tp-group [ group-number ]

Parameters

Parameter | Description | Value
group-number | Specifies an L2TP group. | The value is an integer. The range depends on the device type: AR500&AR530 series, 1 to 16; AR510 series, 1 or 2.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays the L2TP group and its number.

You can also use this command to view L2TP configurations of a specified group to rectify a fault or check the configurations.

Example

# Display the L2TP group existing on the device currently.

<Huawei> display l2tp-group
-----------------------------------------
  L2TP-GROUP    GROUP-NUMBER
-----------------------------------------
  1               1
  2               2
  4               4
-----------------------------------------

Table 10-5  Description of the display l2tp-group command output

Item | Description
L2TP-GROUP | L2TP group identified by a group number.
GROUP-NUMBER | L2TP group number.

# Display the configurations of the L2TP group 1.

<Huawei> display l2tp-group 1
 -----------------------------------------------
 L2tp-index         :    1
 GroupType          :    ACCEPT_DIALIN_L2TP
 TunnelAuth         :    Use tunnel authentication
 LocalName          :    lns
 Encrypt            :   0
 Hello              :   60
 Retransmit         :   5
 Timeout            :   2
 IfIndex            :   4294967295
 SrcIp              :   255.255.255.255
 VtNum              :   1
 RemoteName         :   lac1
 ForceChap          :   0
 LcpReg             :   0
 LcpMismatch        :   0
 tunnel each user   :   0
 -----------------------------------------------

Table 10-6  Description of the display l2tp-group command output

Item | Description
L2tp-index | L2TP group number.
GroupType | L2TP group type. REQUEST_DIALIN_L2TP: the device functions as the LAC to receive dial-up calls and initiate L2TP connections to the LNS. ACCEPT_DIALIN_L2TP: the device functions as the LNS to receive the L2TP connection requests from the LAC. VPDNGROUPTYPE_NONE: the L2TP group function is not configured.
TunnelAuth | Whether tunnel authentication is enabled.
LocalName | Name of the tunnel local end.
Encrypt | Whether the authentication password is configured for tunnel encapsulation (0: no; 1: yes).
Hello | Interval for sending Hello messages (the default interval is 60 seconds).
Retransmit | Number of retransmission times after the transmission of control packets fails (the default number of retransmissions is 5).
Timeout | Aging time of control packets (the default aging time is 2 seconds).
IfIndex | Interface index bound to the tunnel.
SrcIp | IP address of the tunnel source interface.
VtNum | Number of the virtual interface template.
RemoteName | Name of the tunnel remote end.
ForceChap | Whether mandatory CHAP authentication is enabled (0: no; 1: yes).
LcpReg | Whether LCP renegotiation is enabled (0: no; 1: yes).
LcpMismatch | Whether mandatory LCP renegotiation is enabled when the PPP authentication mode on the LAC is different from that on the LNS (0: no; 1: yes).
tunnel each user | Whether an L2TP user exclusively occupies an L2TP tunnel (0: no; 1: yes).

display l2tp statistics tunnel

Function

The display l2tp statistics tunnel command displays L2TP packet statistics.

NOTE:

Only V200R007C00 supports this command.

Format

display l2tp statistics tunnel [ local-id tunnel-id ]

Parameters

Parameter | Description | Value
local-id tunnel-id | Specifies the local tunnel ID of an L2TP tunnel. | The value is an integer. The range depends on the device type: AR500&AR530 series, 1 to 16; AR510 series, 1 or 2.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

When L2TP users go online, there are packet exchanges of multiple protocols. You can run the display l2tp statistics tunnel command to check L2TP packet statistics.

Prerequisites

A tunnel is established successfully before you run the display l2tp statistics tunnel local-id tunnel-id command. You can run the display l2tp tunnel command to check the value of local-id.

Example

# Display L2TP packet statistics of the device.

<Huawei> display l2tp statistics tunnel

                    SEND          RESEND            RCVD                         
             ==========      ==========      ==========                         
SCCRQ                 0               0               9                         
SCCRP                 9              30               0                         
SCCCN                 0               0               2                         
StopCCN               7               0               0                         
ICRQ                  0               0               2                         
ICRP                  2               0               0                         
ICCN                  0               0               2                         
CDN                   0               0               0                         
Hello                 5               0               5                         
Total                 23              30              20  

# Display L2TP packet statistics of tunnel 1.

<Huawei> display l2tp tunnel

 Total tunnel : 1
 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
 1        1         10.1.2.4         1701   1        lns 
<Huawei> display l2tp statistics tunnel local-id 1
Tunnel LocalID: 1                                                               
Tunnel RemoteID: 1                                                              
Local Address: 10.1.1.1                                                          
Remote Address: 10.1.1.2                                                         
                                                                                
                   SEND          RESEND            RCVD                         
             ==========      ==========      ==========                         
SCCRQ                 0               0               1                         
SCCRP                 1               0               0                         
SCCCN                 0               0               1                         
StopCCN               0               0               0                         
ICRQ                  0               0               1                         
ICRP                  1               0               0                         
ICCN                  0               0               1                         
CDN                   0               0               0                         
Hello                 5               0               5                         
Total                 7               0               9                         

Table 10-7  Description of the display l2tp statistics tunnel command output

Item | Description
Tunnel LocalID | Local ID of the L2TP tunnel.
Tunnel RemoteID | Remote ID of the L2TP tunnel.
Local Address | Local IP address of the L2TP tunnel.
Remote Address | Remote IP address of the L2TP tunnel.
SEND | Number of sent L2TP packets.
RESEND | Number of resent L2TP packets.
RCVD | Number of received L2TP packets.
SCCRQ | Start control connection request packet.
SCCRP | Start control connection reply packet.
SCCCN | Start control connection connected packet.
StopCCN | Stop control connection notification packet.
ICRQ | Incoming call request packet.
ICRP | Incoming call reply packet.
ICCN | Incoming call connected packet.
CDN | Call disconnection packet.
Hello | Hello packet.
Total | Total number of sent, resent, and received packets of various types.

NOTE:

The device only receives SCCRQ, SCCCN, ICRQ, and ICCN packets.

The device only sends and resends SCCRP and ICRP packets.

The device only sends and receives StopCCN, CDN, and Hello packets.
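The counters above can be checked mechanically. The following is an added example, not part of the Huawei reference: it parses the first sample output on this page, verifies the direction rules stated in the NOTE, and counts control-connection and session handshakes that were started but never confirmed (the L2TP order is SCCRQ, SCCRP, SCCCN for a tunnel and ICRQ, ICRP, ICCN for a session). Function and key names are chosen for this example.

```python
import re

# Copied from this page's first "display l2tp statistics tunnel" example
# (trailing spaces removed).
STATS_SAMPLE = """\
                    SEND          RESEND            RCVD
             ==========      ==========      ==========
SCCRQ                 0               0               9
SCCRP                 9              30               0
SCCCN                 0               0               2
StopCCN               7               0               0
ICRQ                  0               0               2
ICRP                  2               0               0
ICCN                  0               0               2
CDN                   0               0               0
Hello                 5               0               5
Total                 23              30              20
"""

ROW_RE = re.compile(
    r"^\s*(SCCRQ|SCCRP|SCCCN|StopCCN|ICRQ|ICRP|ICCN|CDN|Hello|Total)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)

# Directions the NOTE on this page allows for each packet type.
RECEIVE_ONLY = ("SCCRQ", "SCCCN", "ICRQ", "ICCN")
SEND_RESEND_ONLY = ("SCCRP", "ICRP")
SEND_RECEIVE_ONLY = ("StopCCN", "CDN", "Hello")
COLUMNS = ("send", "resend", "rcvd")


def parse_stats(output):
    """Map each packet type to its SEND, RESEND and RCVD counters."""
    stats = {}
    for line in output.splitlines():
        match = ROW_RE.match(line)
        if match:
            name = match.group(1)
            stats[name] = dict(zip(COLUMNS, map(int, match.groups()[1:])))
    return stats


def direction_violations(stats):
    """Packet types with a non-zero counter in a column the NOTE rules out."""
    bad = []
    for name in RECEIVE_ONLY:
        if stats[name]["send"] or stats[name]["resend"]:
            bad.append(name)
    for name in SEND_RESEND_ONLY:
        if stats[name]["rcvd"]:
            bad.append(name)
    for name in SEND_RECEIVE_ONLY:
        if stats[name]["resend"]:
            bad.append(name)
    return bad


def totals_consistent(stats):
    """True when every column of the Total row equals the sum of the rows."""
    rows = [v for k, v in stats.items() if k != "Total"]
    return all(sum(r[c] for r in rows) == stats["Total"][c] for c in COLUMNS)


def handshake_report(stats):
    """Summarise handshakes that were requested but never confirmed."""
    replies = stats["SCCRP"]["send"]
    return {
        # SCCRQ received without a matching SCCCN: tunnel never came up.
        "tunnel_handshakes_incomplete":
            stats["SCCRQ"]["rcvd"] - stats["SCCCN"]["rcvd"],
        # ICRQ received without a matching ICCN: session never came up.
        "session_handshakes_incomplete":
            stats["ICRQ"]["rcvd"] - stats["ICCN"]["rcvd"],
        # Average number of times each SCCRP had to be resent.
        "sccrp_resends_per_reply":
            round(stats["SCCRP"]["resend"] / replies, 2) if replies else 0.0,
        "direction_violations": direction_violations(stats),
        "totals_consistent": totals_consistent(stats),
    }


if __name__ == "__main__":
    for key, value in handshake_report(parse_stats(STATS_SAMPLE)).items():
        print(f"{key}: {value}")
```

In the page's sample, nine SCCRQ packets arrived but only two SCCCN packets followed, and the device resent SCCRP 30 times and sent seven StopCCN packets. A gap like this that keeps growing means remote ends are not completing the handshake, which is worth correlating with the peers listed by display l2tp tunnel and with traffic reaching UDP port 1701.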


l2tp aging

Function

The l2tp aging command sets the LNS locking duration.

The undo l2tp aging command restores the default value.

By default, the LNS locking duration is 30 seconds.

Format

l2tp aging time

undo l2tp aging

Parameters

Parameter | Description | Value
time | Specifies the LNS aging time. | The value is an integer that ranges from 1 to 3600, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the device attempts to set up a tunnel to an LNS but the LNS runs abnormally, the device marks the LNS as unusable and does not set up a tunnel to the LNS for a period of time. This period is the LNS locking duration. After the locking duration expires, the device attempts to set up a tunnel to the LNS again.

Example

# Set the LNS aging time to 60 seconds.

<Huawei> system-view
[Huawei] l2tp aging 60

l2tp enable

Function

The l2tp enable command enables L2TP globally.

The undo l2tp enable command disables L2TP.

By default, L2TP is disabled.

Format

l2tp enable

undo l2tp enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The L2TP function enables remote users to dial up to access resources in the enterprise headquarters. You can complete L2TP configurations and then enable L2TP. You can also enable L2TP first and then complete L2TP configurations.

Precautions

The L2TP configurations take effect only after you run the l2tp enable command. If you run the undo l2tp enable command, the L2TP configurations do not take effect.

Example

# Enable L2TP on the industrial switch router.

<Huawei> system-view
[Huawei] l2tp enable

l2tp-auto-client enable

Function

The l2tp-auto-client enable command enables a virtual PPP user on the LAC to initiate an L2TP connection request.

The undo l2tp-auto-client enable command disables a virtual PPP user on the LAC from initiating an L2TP connection request.

By default, a virtual PPP user cannot initiate an L2TP connection request.

Format

l2tp-auto-client enable

undo l2tp-auto-client enable

Parameters

None

Views

VT interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario
An L2TP connection request is initiated in the following cases:
  • The LAC receives a dial-up call from a remote user, and then initiates an L2TP connection request.
  • A virtual PPP user on the LAC automatically dials up, and the LAC initiates an L2TP connection request.

In auto LAC-initiated mode, users in the branch do not need to be managed by the headquarters in a centralized manner. Instead, the LNS in the headquarters authenticates only the gateway in the branch. The branch gateway functions as the LAC on which virtual PPP users are created. The virtual users automatically dial up to initiate L2TP connections to the LNS. No additional devices or configurations are required for branch users to access the headquarters resources.

Prerequisites

L2TP has been enabled globally by running the l2tp enable command on the LAC.

Example

# Enable a virtual PPP user to initiate an L2TP tunnel.

<Huawei> system-view
[Huawei] l2tp enable
[Huawei] interface virtual-template 1
[Huawei-Virtual-Template1] l2tp-auto-client enable

l2tp-group

Function

The l2tp-group command creates an L2TP group or displays an L2TP group with a specified group number.

The undo l2tp-group command deletes an L2TP group.

By default, no L2TP group is created.

Format

l2tp-group group-number

undo l2tp-group group-number

Parameters

Parameter | Description | Value
group-number | Specifies the L2TP group number. | The value is an integer. The range depends on the device type: AR500&AR530 series, 1 to 16; AR510 series, 1 or 2.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An L2TP tunnel is established after the LAC and LNS negotiate L2TP parameters successfully. These L2TP parameters are set in the L2TP group view. An L2TP group is an end of a tunnel. A local end and a remote end constitute an L2TP tunnel.

When the group number is 1, it is the default group. When the default group is configured on the LNS and no remote tunnel name is specified, the LNS accepts any L2TP connection request initiated by the LAC.

Prerequisites

L2TP has been enabled by running the l2tp enable command in the system view.

Follow-up Procedure

Configure L2TP parameters on the LAC or LNS.

Precautions

After you run the undo l2tp-group command to delete an L2TP group, all information about this group is deleted.

If an L2TP tunnel with the group as one end exists, this group cannot be deleted. Run the reset l2tp tunnel { local-id local-id | peer-name peer-name } command in the user view to forcibly disconnect the L2TP tunnel based on the tunnel ID or remote tunnel name, and then delete the L2TP group.

Example

# Create L2TP group 2 and enter the L2TP group 2 view.

<Huawei> system-view
[Huawei] l2tp-group 2
[Huawei-l2tp2]

mandatory-chap

Function

The mandatory-chap command enables the LNS to perform mandatory CHAP authentication on remote users.

The undo mandatory-chap command disables mandatory CHAP authentication.

By default, mandatory CHAP authentication is disabled on the LNS.

Format

mandatory-chap

undo mandatory-chap

Parameters

None

Views

L2TP group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Mandatory CHAP authentication is enabled on networks that demand high security. The LNS authenticates remote users using CHAP authentication. If PAP authentication mode is configured on the LAC, the LNS will not perform PPP negotiation with the LAC immediately after receiving the authentication success message. Instead, the LNS requires that the remote user initiates secondary CHAP authentication.

Prerequisites

The l2tp-group l2tp-group command has been executed to create an L2TP group and enter the L2TP group view.

Precautions

Some PPP clients may not support the second authentication. In this case, the L2TP connection fails if mandatory CHAP authentication is enabled.

When LCP renegotiation and mandatory CHAP authentication are configured simultaneously in an L2TP group, the LCP renegotiation takes effect.

Example

# Enable mandatory CHAP authentication.

<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] mandatory-chap

mandatory-lcp

Function

The mandatory-lcp command enables LCP renegotiation on the LNS.

The undo mandatory-lcp command disables LCP renegotiation.

By default, LCP renegotiation is disabled on the LNS.

Format

mandatory-lcp

undo mandatory-lcp

Parameters

None

Views

L2TP group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On networks that demand high security, the LNS does not trust the authentication result on remote users performed by the LAC. In this case, enable LCP renegotiation to perform second authentication on remote users. L2TP tunnels can be set up after PPP renegotiation between the LNS and remote users succeeds.

Prerequisites

The l2tp-group l2tp-group command has been executed to create an L2TP group and enter the L2TP group view.

Precautions

Some PPP clients may not support the second authentication. In this case, the L2TP connection fails when LCP renegotiation is enabled.

When LCP renegotiation and mandatory CHAP authentication are configured simultaneously in an L2TP group, the LCP renegotiation takes effect.

Example

# Enable LCP renegotiation.

<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] mandatory-lcp
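
The default-group behaviour described under allow l2tp and l2tp-group, and the mandatory-chap and mandatory-lcp settings above, all show up in display l2tp-group output (RemoteName, ForceChap and LcpReg in Table 10-6). The following added example, which is not part of the Huawei reference, parses that output and reports the LNS-side settings a reviewer would want to confirm are intentional. It assumes that an unset remote name prints as a blank RemoteName value and that any TunnelAuth value other than the string shown on this page means tunnel authentication is not in use; the finding names are chosen for this example.

```python
import re

# Output of "display l2tp-group 1" copied from this page's example.
GROUP_SAMPLE = """\
 -----------------------------------------------
 L2tp-index         :    1
 GroupType          :    ACCEPT_DIALIN_L2TP
 TunnelAuth         :    Use tunnel authentication
 LocalName          :    lns
 Encrypt            :   0
 Hello              :   60
 Retransmit         :   5
 Timeout            :   2
 IfIndex            :   4294967295
 SrcIp              :   255.255.255.255
 VtNum              :   1
 RemoteName         :   lac1
 ForceChap          :   0
 LcpReg             :   0
 LcpMismatch        :   0
 tunnel each user   :   0
 -----------------------------------------------
"""

# Constructed sample (not device output): default group 1 without a remote
# name, with both mandatory-chap and mandatory-lcp configured. Abbreviated to
# the fields the audit reads. ASSUMPTION: an unset remote name prints blank.
CONSTRUCTED_OPEN_GROUP = """\
 L2tp-index         :    1
 GroupType          :    ACCEPT_DIALIN_L2TP
 TunnelAuth         :    Use tunnel authentication
 RemoteName         :
 ForceChap          :   1
 LcpReg             :   1
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?)\s*:\s*(.*?)\s*$")


def parse_group(output):
    """Return the 'Key : value' lines of display l2tp-group <n> as a dict."""
    fields = {}
    for line in output.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def audit_group(fields):
    """Return (finding_id, explanation) pairs for an LNS-side L2TP group."""
    findings = []
    if fields.get("GroupType") != "ACCEPT_DIALIN_L2TP":
        return findings  # the checks below apply to the LNS role only

    # Group 1 is the default group: without a remote name it accepts requests
    # from any remote end and the tunnel name on the LAC side is not checked.
    if fields.get("L2tp-index") == "1" and not fields.get("RemoteName"):
        findings.append(("ANY_REMOTE",
                         "default group accepts requests from any remote end"))

    # ASSUMPTION: only the string shown on the page means "enabled".
    if fields.get("TunnelAuth") != "Use tunnel authentication":
        findings.append(("NO_TUNNEL_AUTH",
                         "tunnel authentication is not reported as enabled"))

    force_chap = fields.get("ForceChap") == "1"
    lcp_reneg = fields.get("LcpReg") == "1"
    if not force_chap and not lcp_reneg:
        # Neither mandatory-chap nor mandatory-lcp: the LNS performs no
        # second authentication of the remote user.
        findings.append(("NO_LNS_REAUTH",
                         "LNS relies on the authentication done by the LAC"))
    elif force_chap and lcp_reneg:
        # Per the Precautions: with both set, LCP renegotiation takes effect.
        findings.append(("CHAP_SUPERSEDED",
                         "mandatory-chap is set but mandatory-lcp takes effect"))
    return findings


if __name__ == "__main__":
    samples = (("page", GROUP_SAMPLE), ("constructed", CONSTRUCTED_OPEN_GROUP))
    for name, sample in samples:
        for finding_id, text in audit_group(parse_group(sample)):
            print(f"{name}: {finding_id}: {text}")
```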

multichassis-mp enable

Function

The multichassis-mp enable command enables Multi-Chassis Multilink PPP (MMP) for an L2TP group.

The undo multichassis-mp enable command disables MMP for an L2TP group.

By default, MMP is disabled for an L2TP group.

NOTE:

The AR510 series device does not support this command.

Format

multichassis-mp enable

undo multichassis-mp enable

Parameters

None

Views

L2TP group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

MMP allows multiple dialup requests sent by the same branch device to multiple access servers to be terminated in the same bundle through L2TP, which increases bandwidth of the branch device. In MMP scenarios, run the multichassis-mp enable command for an L2TP group on the access server (LAC/LNS).

The access server processes ISDN requests from the branch device as follows:
  • If an MP bundle has been created, the access server adds ISDN requests to the MP bundle and does not initiate L2TP dialup.

  • If no MP bundle is created, the access server initiates L2TP dialup according to user information and searches an MP bundle on another access server.

    If an MP bundle exists on another access server, the access server adds ISDN requests to the MP bundle. If no MP bundle is created, the access server creates an MP bundle and adds ISDN requests to the MP bundle so that ISDN users can connect to the ISDN.

Precautions

Before disabling MMP, ensure that the triggering condition of initiating calls is not specified when the local end serves as the L2TP LAC end. If the triggering condition has been specified, run the undo start command to delete the triggering condition.

Example

# Enable MMP.

<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] multichassis-mp enable

ppp keepalive echo enhance

Function

The ppp keepalive echo enhance command configures the LNS not to send a heartbeat packet to the remote LAC after receiving a heartbeat packet from the LAC.

The undo ppp keepalive echo enhance command configures the LNS to send a heartbeat packet to the remote LAC after receiving a heartbeat packet from the LAC.

By default, the LNS does not send a heartbeat packet to the remote LAC after receiving a heartbeat packet from the LAC.

Format

ppp keepalive echo enhance

undo ppp keepalive echo enhance

Parameters

None

Views

Virtual template interface view

Default Level

2: Configuration level

Usage Guidelines

After a device functioning as the LNS establishes an L2TP tunnel with a remote LAC, the two devices need to send heartbeat packets to each other to maintain the connection. To consume fewer network resources, you can run the ppp keepalive echo enhance command to configure the LNS not to send a heartbeat packet to the remote LAC after receiving a heartbeat packet from the LAC.

Example

# Configure the LNS not to send a heartbeat packet to the remote LAC after receiving a heartbeat packet from the LAC.

<Huawei> system-view
[Huawei] interface virtual-template 1
[Huawei-Virtual-Template1] ppp keepalive echo enhance

reset l2tp session

Function

The reset l2tp session command forcibly disconnects a specified L2TP session.

Format

reset l2tp session session-id session-id

Parameters

Parameter Description Value
session-id session-id Specifies the session ID of the L2TP tunnel local end.
The value is an integer and the value range depends on device types.
  • AR500&AR530 series: 1 to 16
  • AR510 series: 1 or 2

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A session can be set up only after a tunnel is created successfully. An L2TP session corresponds to a remote dial-up user.

When a security problem occurs or when you locate a fault, run the reset l2tp session command to forcibly disconnect the specified L2TP session to force the specified remote user to go offline.

When the remote user calls in again, the session can be reestablished.

Precautions

The reset l2tp session command disconnects the specified L2TP session. Exercise caution before you run this command.

Example

# Disconnect L2TP session 1.

<Huawei> reset l2tp session session-id 1

reset l2tp tunnel

Function

The reset l2tp tunnel command forcibly disconnects a specified tunnel connection and all sessions in the tunnel.

Format

reset l2tp tunnel { peer-name remote-name | local-id tunnel-id }

Parameters

Parameter Description Value
peer-name remote-name Specifies the remote tunnel name of the L2TP tunnel. The value is a string of 1 to 30 characters.
local-id tunnel-id Specifies the remote tunnel ID of the L2TP tunnel.
The value is an integer and the value range depends on device types.
  • AR500&AR530 series: 1 to 16
  • AR510 series: 1 or 2

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When no L2TP remote user exists, a fault occurs on the network, or the L2TP tunnel is not required, you can use this command to disconnect a tunnel connection and all sessions in the tunnel.

If the specified remote tunnel name does not exist, the command has no effect on the current tunnel connection. If multiple tunnels with the same specified remote tunnel name exist, all these tunnel connections and sessions are disconnected. If a tunnel ID is specified, only the specified tunnel connection is disconnected.

When the remote user calls in again, the tunnel can be reestablished.

Follow-up Procedure

You can change parameters of an L2TP group or delete the L2TP group after the L2TP tunnel is disconnected and before a new L2TP tunnel is established.

Precautions

The reset l2tp tunnel command disconnects the specified L2TP tunnel and all sessions in the tunnel. Exercise caution when you run this command.

Example

# Disconnect the L2TP tunnel with a remote tunnel named lac.

<Huawei> reset l2tp tunnel peer-name lac
  Clear tunnel remote name = lac

reset l2tp statistics tunnel

Function

The reset l2tp statistics tunnel command resets L2TP packet statistics.

NOTE:

Only V200R007C00 supports this command.

Format

reset l2tp statistics tunnel [ local-id tunnel-id ]

Parameters

Parameter Description Value
local-id tunnel-id Specifies the local tunnel ID of an L2TP tunnel.
The value is an integer and the value range depends on device types.
  • AR500&AR530 series: 1 to 16
  • AR510 series: 1 or 2

Views

User view

Default Level

2: Configuration level

Usage Guidelines

To collect statistics on L2TP packets for a specific period of time, first run the reset l2tp statistics tunnel command to clear the existing packet statistics.

Example

# Reset L2TP packet statistics of the device.

<Huawei> reset l2tp statistics tunnel
  Info: Reset tunnel Statistics success.

# Reset L2TP packet statistics of tunnel 1.

<Huawei> reset l2tp statistics tunnel local-id 1
  Info: Reset tunnel Statistics success, LocID = 1.

start l2tp

Function

The start l2tp command specifies the triggering condition of initiating calls when the local end functions as the LAC.

The undo start command deletes the triggering condition.

By default, no triggering condition is configured.

Format

start l2tp ip ip-address &<1-4> { domain domain-name | fullusername user-name | vpn-instance vpn-instance-name fullusername user-name }

NOTE:
Only V200R007C02 supports the vpn-instance vpn keyword.

start l2tp host hostname { domain domain-name | fullusername user-name }

undo start

Parameters

Parameter Description Value
ip ip-address Specifies the IP address of the LNS. You can specify a maximum of four IP addresses in the primary and secondary LNSs scenario. The IP addresses are in descending order of priorities, that is, the IP address configured first has the highest priority. -
host hostname Specifies the LNS domain name. The value is a string of 1 to 255 case-sensitive characters.
domain domain-name Specifies the domain name that triggers the L2TP connection request.
NOTE:

Run the domain domain-name command to create a domain first. Otherwise, the domain name cannot be specified.

The value is a string of 1 to 20 case-insensitive characters.
vpn-instance vpn-instance-name

Specifies the VPN instance to which the IP address of the L2TP connection belongs.

Route information to LNSs exists in the routing table of the VPN instance.

The value is a string of 1 to 31 case-sensitive characters.
fullusername user-name Specifies the full user name that triggers the L2TP connection request. The value is a string of 1 to 64 case-insensitive characters.

Views

L2TP group view

Default Level

2: Configuration level

Usage Guidelines

Run the start l2tp command on the LAC. L2TP connection requests are triggered on the device in the following situations:
  • Triggered based on the domain name. For example, you can specify users with the domain name huawei.com as VPDN users.

  • Triggered based on the full user name. For example, you can specify users with the full name user@huawei.com as VPDN users. L2TP connections are triggered only after the device receives requests from a user with full name user@huawei.com.

  • The device searches for a route to the LNS based on the VPN instance, such as VPN1. The device can initiate an L2TP connection only after an available route is found.

    NOTE:
    In the L2TP over MPLS scenario, an AR can only work as an LAC or a PE.
  • Triggered based on the interface name. User requests are added to an MP bundle.

    In MMP scenarios, the access server functions as both the LAC and LNS.

After receiving a call connection request from a remote user, the LAC determines whether the call initiator is a VPDN user. If the call initiator is a VPDN user, the LAC sends L2TP connection requests to LNSs in their configuration sequence. If the LAC receives a response packet from the LNS, this LNS will function as the remote end of the L2TP tunnel. If the LAC receives no reply packet from the LNS, the LAC sends the L2TP connection request to another LNS.

Example

# Determine VPDN users based on the domain name huawei.com. The IP address of the LNS in the headquarters is 10.1.2.3.

<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] start l2tp ip 10.1.2.3 domain huawei.com

# Determine VPDN users based on the domain name huawei.com. The domain name of the LNS in the headquarters is www.huawei.com.

<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] start l2tp host www.huawei.com domain huawei.com

# Find a route to the LNS in the routing table of VPN1 and establish an L2TP connection to the LNS in the headquarters with the IP address 10.1.2.3.

<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] start l2tp ip 10.1.2.3 vpn-instance vpn1 fullusername huawei

tunnel authentication

Function

The tunnel authentication command enables L2TP tunnel authentication.

The undo tunnel authentication command disables L2TP tunnel authentication.

By default, tunnel authentication is enabled.

Format

tunnel authentication

undo tunnel authentication

Parameters

None

Views

L2TP group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To ensure data security, L2TP tunnel authentication is enabled by default. You can disable it when testing network connectivity or when the device must accept connection requests sent by an unknown remote end. Keeping L2TP tunnel authentication enabled is recommended.

The tunnel authentication request can be initiated by the LAC or the LNS. As soon as one end is enabled with tunnel authentication, the identity authentication is performed in the tunnel setup process. The tunnel can be set up only if the passwords of both ends are the same and not empty. Otherwise, the local end automatically disconnects itself from the tunnel. If tunnel authentication is disabled on both ends, the authentication password does not take effect.

Follow-up Procedure

Run the tunnel password command to configure an authentication password. Configure the same authentication password on the LAC and LNS.

Precautions

By default, tunnel authentication is enabled, but no authentication password is configured. When the default configuration is used to set up an L2TP tunnel, tunnel authentication fails and the tunnel cannot be set up.

Example

# Disable tunnel authentication.

<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] undo tunnel authentication

tunnel avp-hidden

Function

The tunnel avp-hidden command configures Attribute Value Pair (AVP) data to be transmitted in cipher text.

The undo tunnel avp-hidden command restores the default transmission mode of AVP data.

By default, AVP data is transmitted in plain text.

Format

tunnel avp-hidden

undo tunnel avp-hidden

Parameters

None

Views

L2TP group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

AVP data carries some parameters of the L2TP protocol. For the purpose of security, run this command to configure AVP data to be transmitted in cipher text.

Prerequisites

The following operations have been performed:

  1. Run the l2tp-group command to create an L2TP group and enter the L2TP group view.

  2. Run the tunnel authentication command to enable the tunnel authentication function. By default, tunnel authentication is enabled.

  3. Run the tunnel password command to configure the authentication password.

Precautions

If AVP data is transmitted in plain text, the user name and password are leaked when L2TP packets are intercepted.

When you configure the AVP parameter encryption, enable tunnel authentication on the LAC and LNS, and configure the same authentication password on the two ends.

Example

# Configure AVP data to be transmitted in cipher text.

<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp-1] tunnel authentication
[Huawei-l2tp-1] tunnel password cipher huawei
[Huawei-l2tp-1] tunnel avp-hidden
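
The hiding step behind tunnel avp-hidden, as an added example that is not Huawei code, assuming the device follows the AVP hiding scheme of RFC 2661 section 4.3 (an MD5 keystream derived from the attribute type, the tunnel password and the Random Vector AVP). Attribute type 30 (Proxy Authen Name), the secret and the user name are constructed sample values; the example shows why both ends need the same tunnel password before a hidden AVP can be read.

```python
import hashlib
import os
import struct


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def _xor(data, key):
    # zip() stops at the shorter input, so a short final block is handled.
    return bytes(d ^ k for d, k in zip(data, key))


def hide_avp(attr_type, value, secret, random_vector, pad_len=0):
    """Hide one AVP value (RFC 2661 section 4.3, assumed to apply here)."""
    # Hidden AVP Subformat: 2-octet original length, value, optional padding.
    sub = struct.pack("!H", len(value)) + value + os.urandom(pad_len)
    # First key block: MD5(attribute type + shared secret + random vector).
    key = _md5(struct.pack("!H", attr_type), secret, random_vector)
    hidden = b""
    for i in range(0, len(sub), 16):
        block = _xor(sub[i:i + 16], key)
        hidden += block
        # Later key blocks: MD5(shared secret + previous hidden block).
        key = _md5(secret, block)
    return hidden


def unhide_avp(attr_type, hidden, secret, random_vector):
    """Recover the value, or None if the decoded length field is impossible."""
    key = _md5(struct.pack("!H", attr_type), secret, random_vector)
    sub = b""
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        sub += _xor(block, key)
        key = _md5(secret, block)
    if len(sub) < 2:
        return None
    (length,) = struct.unpack("!H", sub[:2])
    if length > len(sub) - 2:
        return None  # typical result when the tunnel passwords differ
    return sub[2:2 + length]


if __name__ == "__main__":
    rv = os.urandom(16)                       # value of the Random Vector AVP
    name = b"user@huawei.com"                 # constructed sample user name
    wire = hide_avp(30, name, b"huawei", rv, pad_len=5)
    print("on the wire :", wire.hex())
    print("same secret :", unhide_avp(30, wire, b"huawei", rv))
    print("wrong secret:", unhide_avp(30, wire, b"other", rv))
```

The hidden value is only as strong as the tunnel password, and the scheme adds no integrity protection, so the password length limit stated for tunnel password bounds the protection that tunnel avp-hidden provides.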

tunnel name

Function

The tunnel name command specifies the local name of a tunnel.

The undo tunnel name command restores the default tunnel name.

By default, the local name of a tunnel is the device name.

Format

tunnel name tunnel-name

undo tunnel name

Parameters

Parameter Description Value
tunnel-name Specifies the name of the local end of a tunnel. The value is a string of 1 to 30 case-sensitive characters.

Views

L2TP group view

Default Level

2: Configuration level

Usage Guidelines

When you create an L2TP group, the local name of a tunnel is initialized to be the device name. Run the tunnel name command to specify another name as the local name.

You can create multiple L2TP groups and establish multiple L2TP tunnels on a device. Specify a tunnel name for each tunnel to differentiate the tunnels. The tunnel name of the LAC end must be specified for the LNS to accept a connection request. It is recommended that you configure the tunnel name on the LAC end.

Example

# Set the local tunnel name to huawei.

<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp-1] tunnel name huawei

tunnel password

Function

The tunnel password command specifies a password for tunnel authentication.

The undo tunnel password command deletes the password.

By default, tunnel authentication is enabled, but no authentication password is configured.

Format

tunnel password { simple | cipher } password

undo tunnel password

Parameters

Parameter Description Value
simple

Indicates the password in plain text.

NOTICE:

If simple is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.

-
cipher

Indicates the password in cipher text.

The password is displayed in cipher text.

-
password

Specifies the password for tunnel authentication.

The password is a string of case-sensitive characters. The password cannot contain command line characters such as spaces and question marks (?).
  • If simple is specified, the password must be in plain text and contain 1 to 16 characters.
  • If cipher is specified, the password can be either in cipher or plain text, depending on what is entered. The password in plain text contains 1 to 16 characters, such as 1234567. The password in cipher mode must be a string of 24/32/48 bytes, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.

Views

L2TP group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can decide whether to enable tunnel authentication before creating the tunnel connection. After tunnel authentication is enabled, run the tunnel password command to configure an authentication password. To ensure tunnel security, it is recommended that you enable tunnel authentication.

Prerequisites

The l2tp-group command has been executed to create an L2TP group and enter the L2TP group view.

Tunnel authentication has been enabled by running the tunnel authentication command. By default, tunnel authentication is enabled.

Precautions

If tunnel authentication is enabled on the LAC or the LNS, it must also be enabled on the other end. Configure the same authentication password on the LAC and LNS.

Example

# Set the password for tunnel authentication to huawei in cipher text.

<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp-1] tunnel password cipher huawei
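
An added audit example (not a Huawei tool) that checks saved L2TP group configuration against the precautions in the tunnel authentication, tunnel avp-hidden and tunnel password sections. It assumes the configuration text lists each group's commands indented under an l2tp-group line with # between sections; SAMPLE_CONFIG, the function names and the finding texts are constructed for illustration.

```python
import re

# Constructed sample; assumed layout: commands indented under "l2tp-group N".
SAMPLE_CONFIG = """\
#
l2tp-group 1
 undo tunnel authentication
 tunnel name lac1
#
l2tp-group 2
 tunnel password simple huawei
 tunnel avp-hidden
#
l2tp-group 3
 tunnel avp-hidden
#
l2tp-group 4
 tunnel password cipher EXAMPLE-CIPHERTEXT
 tunnel avp-hidden
#
"""

def parse_l2tp_groups(config_text):
    """Map each l2tp-group number to the list of commands in its stanza."""
    groups, current = {}, None
    for raw in config_text.splitlines():
        header = re.fullmatch(r"l2tp-group (\d+)", raw.rstrip())
        if header:
            current = groups.setdefault(int(header.group(1)), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "#" or any other top-level line closes the stanza
    return groups

def audit_l2tp_groups(config_text):
    """Return {group number: [findings]} based on the page's precautions."""
    report = {}
    for number, cmds in parse_l2tp_groups(config_text).items():
        auth_on = "undo tunnel authentication" not in cmds  # enabled by default
        has_password = any(c.startswith("tunnel password ") for c in cmds)
        issues = []
        if not auth_on:
            issues.append("tunnel authentication disabled")
        elif not has_password:
            issues.append("no tunnel password, tunnel setup fails")
        if any(c.startswith("tunnel password simple ") for c in cmds):
            issues.append("password saved in plain text")
        if "tunnel avp-hidden" not in cmds:
            issues.append("AVP data sent in plain text")
        elif not (auth_on and has_password):
            issues.append("avp-hidden lacks authentication password")
        report[number] = issues
    return report

if __name__ == "__main__":
    for number, issues in audit_l2tp_groups(SAMPLE_CONFIG).items():
        print(number, issues or "ok")
```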

tunnel timer hello

Function

The tunnel timer hello command sets the interval for sending Hello packets.

The undo tunnel timer hello command restores the interval to the default value.

By default, Hello packets are sent every 60s.

Format

tunnel timer hello interval

undo tunnel timer hello

Parameters

Parameter Description Value
interval Specifies the interval for sending Hello packets. The value is an integer that ranges from 0 to 1000, in seconds. If the value is 0, no Hello packet is sent.

Views

L2TP group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

L2TP uses Hello packets to check tunnel connectivity. The LAC and LNS periodically send Hello packets to each other. If no response packet is received within a specified period, they retransmit Hello packets. If Hello packets are retransmitted five times but no response packet is received, the L2TP tunnel is disconnected.

When the network is unstable, set a shorter interval for sending Hello packets to detect tunnel status. When the network is stable, set the interval to a longer value. Different intervals can be set on the LNS and LAC.

Configuration Impact

Hello packets are sent periodically, which increases the network load. The smaller the interval, the greater the load.

Example

# Set the interval for sending Hello packets to 99s.

<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp-1] tunnel timer hello 99
Updated: 2019-05-29

Document ID: EDOC1000097293
