[Subscriber Management] Advanced load-balancing for L2TP traffic across multiple LNS with dynamic L2TP sessions via AAA attributes (PPPoE)

Article ID: KB36463   KB Last Updated: 18 Feb 2021   Version: 1.0
Summary:
 

This example explains how to enable load balancing for L2TP (dynamic) sessions across multiple L2TP Network Servers (LNS) from a single L2TP Access Concentrator (LAC) node with two options:

  1. weighted-load-balancing: Using the Tunnel-Preference attribute for weighted load balance of L2TP sessions across multiple LNSs

  2. destination-equal-load-balancing: Equal L2TP session load-balancing across multiple LNS servers from a single LAC

Note

  • The configuration in this example is for an MX-LAC node.

  • If multiple links are present between a single LAC and LNS pair, this solution mainly load-balances uplink traffic from LAC towards LNS.

  • The LNS tunnel information is provided via AAA RADIUS attributes, so RADIUS user examples are also included.

  • By default, an MX (LAC) node always prefers LNS tunnel information supplied via AAA RADIUS attributes. If tunnel attributes are not provided, the LAC connects to the default L2TP tunnel (as per access > domain > map default > tunnel-profile name).

 

Solution:
 

Topology

                                            |--(ge-0/0/0)<----> RADIUS Server(192.168.40.26)
IPv4 PPPoE subs.<---->([vlan 3320]ge-0/0/2) MX (ge-0/0/1)<----> LNS Server1(10.1.100.21)
                                            |--(ge-0/0/3)<----> LNS Server2(10.1.100.22)

The RADIUS Server (@192.168.40.26) is reachable via the global routing instance inet.0 table.

 

Configuration

Option 1: weighted-load-balancing

Dynamic L2TP session (LNS tunnel information via AAA attributes) with static default LNS tunnel at BRAS (LAC) node:

services {
    l2tp {
        weighted-load-balancing;        ## Enables load balance of L2TP sessions between LNSs
        failover-within-preference;     ## Enables failover between same preference LNSs
        destination;  
        access-line-information;  
    }
}
forwarding-options {
    load-balance {
        indexed-load-balance;    
    }
    enhanced-hash-key {
        family inet {
            incoming-interface-index;         ## Includes incoming interface index into hash key
            l2tp-tunnel-session-identifier;   ## Includes L2TP tunnel and session ID into hash key
        }
    }
}
access {
    profile ACCESS-FTTH {                          ## Access-profile name
        accounting-order radius;    
        authentication-order radius;
        radius {
            authentication-server 192.168.40.26;       
            options {
                accounting-session-id-format description;   
                client-authentication-algorithm direct;     
            }
        }
        radius-server {
            192.168.40.26 {
                port 1812;                         ## RADIUS authentication port number
                accounting-port 1813;              ## RADIUS accounting port number
                dynamic-request-port 3799;         ## RADIUS CoA/dynamic-request port number
                secret "$ABC123";                  ## SECRET-DATA
                source-address 192.168.40.6;       ## Source IP address to be used for RADIUS messages
            }
        }
    }
    tunnel-profile l2tp-access {
        tunnel 1 {
            remote-gateway {
                address 10.1.100.21;   ## lo0.0 IPv4 address of the LNS node
                gateway-name lns;
            }
            source-gateway {
                address 10.1.100.1;    ## lo0.0 IPv4 address of this LAC node
                gateway-name lac;
            }
            secret "$ABC123";    ## SECRET-DATA
            medium ipv4;
            tunnel-type l2tp;
            max-sessions 10;     ## Max session inside this L2TP tunnel
        }
    }
    domain {                    ## Map domain-id with access-profile, pool, dynamic-profile
        map default {           ## Default domain map; matches all/no domain-id
            access-profile ACCESS-FTTH;
            dynamic-profile PPPoE;
            tunnel-profile l2tp-access;
        }
        delimiter "@";          ## Delimiter character to identify start of domain-id 
    }
}
dynamic-profiles {                                  
    PPPoE {                                        
        routing-instances {                         ## Enables PPPoE/LAC subscribers inside VRF
            "$junos-routing-instance" {
                interface "$junos-interface-name" {
                    any;
                }
            }
        }
        interfaces {
            pp0 {
                unit "$junos-interface-unit" {
                    actual-transit-statistics;           
                    ppp-options {
                        chap;                       
                        pap;                        
                        mtu 1492;                   ## PPP mtu to be set during authentication
                    }
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;                     ## Enables to accept PPPoE/LAC connection
                    }
                    family inet {
                        unnumbered-address "$junos-loopback-interface";    
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/2 {
        hierarchical-scheduler maximum-hierarchy-levels 2;
        flexible-vlan-tagging;
        unit 3320 {                                ## Static unit number for static VLAN subscriber int
            encapsulation ppp-over-ether;
            vlan-id 3320;                          ## Single stack (dot1q) static VLAN ID for incoming PPPoE
            pppoe-underlying-options {
                dynamic-profile PPPoE;
            }
        }
    }
}
 

Option 2: destination-equal-load-balancing (modify only services l2tp section as shown below)

services {
    l2tp {
        destination-equal-load-balancing;    ## Enables equal load balance of L2TP sessions between LNSs
        failover-within-preference;          ## Enables failover between same preference LNSs
        destination;  
        access-line-information;  
    }
}

For equal L2TP session load-balancing between multiple LNS servers, set destination-equal-load-balancing at the [edit services l2tp] hierarchy level instead of weighted-load-balancing. By default, tunnel selection within a preference level is strictly random. The weighted-load-balancing statement must be disabled to successfully enable destination-equal-load-balancing.

 

RADIUS User Example for Dynamic L2TP Tunnel

  1. User example for weighted-load-balancing (with different Tunnel-Preference value for weighted load-balance)

client21@domain Auth-Type := Local, User-Password := "pass"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Tunnel-Type:1 = L2TP,
    Tunnel-Medium-Type:1 = IP,
    Tunnel-Server-Endpoint:1 = "10.1.100.21",
    Tunnel-Password:1 = "pass1234",
    Tunnel-Client-Auth-ID:1 = "lac_1",
    Tunnel-Server-Auth-ID:1 = "lns_1",
    Tunnel-Preference:1 = 100,
    Tunnel-Client-Endpoint:1 = "10.1.100.1",
    Tunnel-Type:2 += L2TP,
    Tunnel-Medium-Type:2 += IP,
    Tunnel-Server-Endpoint:2 += "10.1.100.22",
    Tunnel-Password:2 += "pass1234",
    Tunnel-Client-Auth-ID:2 += "lac_1",
    Tunnel-Server-Auth-ID:2 += "lns_2",
    Tunnel-Preference:2 += 200,
    Tunnel-Client-Endpoint:2 += "10.1.100.1"
   
client23@domain Auth-Type := Local, User-Password := "pass"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Tunnel-Type:1 = L2TP,
    Tunnel-Medium-Type:1 = IP,
    Tunnel-Server-Endpoint:1 = "10.1.100.21",
    Tunnel-Password:1 = "pass1234",
    Tunnel-Client-Auth-ID:1 = "lac_1",
    Tunnel-Server-Auth-ID:1 = "lns_1",
    Tunnel-Preference:1 = 100,
    Tunnel-Client-Endpoint:1 = "10.1.100.1",
    Tunnel-Type:2 += L2TP,
    Tunnel-Medium-Type:2 += IP,
    Tunnel-Server-Endpoint:2 += "10.1.100.22",
    Tunnel-Password:2 += "pass1234",
    Tunnel-Client-Auth-ID:2 += "lac_1",
    Tunnel-Server-Auth-ID:2 += "lns_2",
    Tunnel-Preference:2 += 200,
    Tunnel-Client-Endpoint:2 += "10.1.100.1"

  2. User example for destination-equal-load-balancing (with same Tunnel-Preference value for equal load-balance)

client21@domain Auth-Type := Local, User-Password := "pass"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Tunnel-Type:1 = L2TP,
    Tunnel-Medium-Type:1 = IP,
    Tunnel-Server-Endpoint:1 = "10.1.100.21",
    Tunnel-Password:1 = "pass1234",
    Tunnel-Client-Auth-ID:1 = "lac_1",
    Tunnel-Server-Auth-ID:1 = "lns_1",
    Tunnel-Preference:1 = 100,
    Tunnel-Client-Endpoint:1 = "10.1.100.1",
    Tunnel-Type:2 += L2TP,
    Tunnel-Medium-Type:2 += IP,
    Tunnel-Server-Endpoint:2 += "10.1.100.22",
    Tunnel-Password:2 += "pass1234",
    Tunnel-Client-Auth-ID:2 += "lac_1",
    Tunnel-Server-Auth-ID:2 += "lns_2",
    Tunnel-Preference:2 += 100,
    Tunnel-Client-Endpoint:2 += "10.1.100.1"

client23@domain Auth-Type := Local, User-Password := "pass"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Tunnel-Type:1 = L2TP,
    Tunnel-Medium-Type:1 = IP,
    Tunnel-Server-Endpoint:1 = "10.1.100.21",
    Tunnel-Password:1 = "pass1234",
    Tunnel-Client-Auth-ID:1 = "lac_1",
    Tunnel-Server-Auth-ID:1 = "lns_1",
    Tunnel-Preference:1 = 100,
    Tunnel-Client-Endpoint:1 = "10.1.100.1",
    Tunnel-Type:2 += L2TP,
    Tunnel-Medium-Type:2 += IP,
    Tunnel-Server-Endpoint:2 += "10.1.100.22",
    Tunnel-Password:2 += "pass1234",
    Tunnel-Client-Auth-ID:2 += "lac_1",
    Tunnel-Server-Auth-ID:2 += "lns_2",
    Tunnel-Preference:2 += 100,
    Tunnel-Client-Endpoint:2 += "10.1.100.1"
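
The following pre-deployment check is an added example, not part of the Juniper article or any Juniper tool: it parses user entries in the layout shown above, groups the tagged Tunnel-* attributes per tunnel, and reports entries that do not match the chosen mode. The function names, the constructed sample, and the rule "different preferences for weighted, same preference for equal" (taken from the two user examples above) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the users-file layout shown above; \u201d is a typographic quote.
SAMPLE = '''\
client21@domain Auth-Type := Local, User-Password := "pass"
    Tunnel-Type:1 = L2TP,
    Tunnel-Server-Endpoint:1 = "10.1.100.21",
    Tunnel-Preference:1 = 100,
    Tunnel-Type:2 += L2TP,
    Tunnel-Server-Endpoint:2 += "10.1.100.22",
    Tunnel-Preference:2 += 200

client23@domain Auth-Type := Local, User-Password := "pass\u201d
    Tunnel-Type:1 = L2TP,
    Tunnel-Server-Endpoint:1 = "10.1.100.21",
    Tunnel-Preference:1 = 100,
    Tunnel-Type:2 += L2TP,
    Tunnel-Preference:2 += 100
'''

ATTR = re.compile(r'^\s+(Tunnel-[A-Za-z-]+):(\d+)\s*\+?=\s*"?([^",]*)"?,?\s*$')
REQUIRED = ("Tunnel-Type", "Tunnel-Server-Endpoint", "Tunnel-Preference")

def parse_users(text):
    """Return {user: {tag: {attribute: value}}} for tagged Tunnel-* reply items."""
    users, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():        # unindented line starts a user entry
            current = line.split()[0]
            users[current] = defaultdict(dict)
        elif current and (m := ATTR.match(line)):
            users[current][int(m.group(2))][m.group(1)] = m.group(3)
    return users

def lint(text, mode):
    """mode is 'weighted' or 'equal', following the two user examples in this article."""
    findings = [f"line {n}: typographic quote in users file"
                for n, l in enumerate(text.splitlines(), 1) if re.search("[\u201c\u201d]", l)]
    for user, tags in parse_users(text).items():
        for tag, attrs in sorted(tags.items()):
            findings += [f"{user}: tag {tag} missing {a}" for a in REQUIRED if a not in attrs]
        prefs = sorted({a["Tunnel-Preference"] for a in tags.values() if "Tunnel-Preference" in a})
        if mode == "equal" and len(prefs) > 1:
            findings.append(f"{user}: preferences differ {prefs}")
        if mode == "weighted" and len(tags) > 1 and len(prefs) == 1:
            findings.append(f"{user}: all tunnels share preference {prefs}")
    return findings
```

Call lint() with the contents of the users file and the mode configured under services l2tp; an empty list means every entry matches that mode.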

 
