2 <!DOCTYPE article PUBLIC
"-//OASIS//DTD DocBook XML V4.4//EN"
3 "http://docbook.org/xml/4.4/docbookx.dtd">
7 <title>L2TPNS Manual
</title>
11 <title>Overview
</title>
13 <command>l2tpns
</command> is half of a complete L2TP
14 implementation. It supports only the LNS side of the
19 L2TP (Layer
2 Tunneling Protocol) is designed to allow any layer
20 2 protocol (e.g. Ethernet, PPP) to be tunneled over an IP
21 connection.
<command>l2tpns
</command> implements PPP over L2TP
26 There are a couple of other L2TP implementations, of which
27 <ulink url=
"http://sourceforge.net/projects/l2tpd">l2tpd
</ulink>
28 is probably the most popular. l2tpd also will handle being
29 either end of a tunnel, and is a lot more configurable than
30 <command>l2tpns
</command>. However, due to the way it works, it
31 is nowhere near as scalable.
35 <command>l2tpns
</command> uses the TUN/TAP interface provided by
36 the Linux kernel to receive and send packets. Using some packet
37 manipulation it doesn't require a single interface per
38 connection, as l2tpd does.
42 This allows it to scale extremely well to very high loads and
43 very high numbers of connections.
47 It also has a plugin architecture which allows custom code to be
48 run during processing. An example of this is in the walled
49 garden module included.
53 <sect1 id=
"installation">
54 <title>Installation
</title>
55 <sect2 id=
"installation-requirements">
56 <title>Requirements
</title>
60 Linux kernel version
2.4 or above, with the Tun/Tap
61 interface either compiled in, or as a module.
67 libcli
1.8.5 or greater. You can get this from
68 <ulink url=
"http://sourceforge.net/projects/libcli">
75 <sect2 id=
"installation-compile">
76 <title>Compiling
</title>
78 You can generally get away with just running
79 <command>make
</command> from the source directory. This will
80 compile the daemon, associated tools and any modules shipped
81 with the distribution.
85 <sect2 id=
"installation-install">
86 <title>Installing
</title>
88 After you have successfully compiled everything, run
89 <userinput>make install
</userinput> to install it. By
90 default, the binaries are installed into
91 <filename>/usr/sbin
</filename>, the configuration into
92 <filename>/etc/l2tpns
</filename>, and the modules into
93 <filename>/usr/lib/l2tpns
</filename>.
97 You will definately need to edit the configuration files
98 before you start. See
<xref linkend=
"configuration"/> for
103 <sect2 id=
"installation-run">
104 <title>Running
</title>
106 You only need to run
<filename>/usr/sbin/l2tpns
</filename> as
107 root to start it. It does not normally detach to a daemon
108 process (see the
<option>-d
</option> option), so you should
109 perhaps run it from
<command>init
</command>.
113 By default there is no log destination set, so all log
114 messages will go to stdout.
119 <sect1 id=
"configuration">
120 <title>Configuration
</title>
122 All configuration of the software is done from the files
123 installed into
<filename>/etc/l2tpns
</filename>.
126 <sect2 id=
"config-startup">
127 <title><filename>startup-config
</filename></title>
129 This is the main configuration file for
130 <command>l2tpns
</command>. The format of the file is a list
131 of commands that can be run through the command-line
132 interface. This file can also be written directly by the
133 <command>l2tpns
</command> process if a user runs the
134 <userinput>write memory
</userinput> command, so any comments
135 will be lost. However if your policy is not to write the
136 config by the program, then feel free to comment the file with
137 a
<literal>#
</literal> or
<literal>!
</literal> at the
138 beginning of the line.
142 A list of the possible configuration directives follows. Each
143 of these should be set by a line like:
145 set configstring
"value"
146 set ipaddress
192.168.1.1
153 <term><literal>debug
</literal> (int)
</term>
156 Sets the level of messages that will be written to the
157 log file. The value should be between
0 and
5, with
0
158 being no debugging, and
5 being the highest. A rough
159 description of the levels is:
163 <term><constant>0</constant>: Critical Errors
</term>
165 <para>Things are probably broken
</para>
170 <term><constant>1</constant>: Errors
</term>
173 Things might have gone wrong, but probably will
180 <term><constant>2</constant>: Warnings
</term>
183 Just in case you care what is not quite perfect
189 <term><constant>3</constant>: Information
</term>
191 <para>Parameters of control packets
</para>
196 <term><constant>4</constant>: Calls
</term>
198 <para>For tracing the execution of the code
</para>
203 <term><constant>5</constant>: Packets
</term>
206 Everything, including a hex dump of all packets
207 processed... probably twice
215 Note that the higher you set the debugging level, the
216 slower the program will run. Also, at level
5 a
217 <emphasis>lot
</emphasis> of information will be logged.
218 This should only ever be used for working out why it
225 <term><literal>log_file
</literal> (string)
</term>
228 This will be where all logging and debugging information
229 is written to. This may be either a filename, such as
230 <filename>/var/log/l2tpns
</filename>, or the special
232 <literal>syslog:
</literal><replaceable>facility
</replaceable>,
233 where
<replaceable>facility
</replaceable> is any one of
234 the syslog logging facilities, such as
235 <literal>local5
</literal>.
241 <term><literal>pid_file
</literal> (string)
</term>
244 If set, the process id will be written to the specified
245 file. The value must be an absolute path.
251 <term><literal>random_device
</literal> (string)
</term>
254 Path to random data source (default
255 <filename>/dev/urandom
</filename>). Use
"" to use the
256 rand() library function.
262 <term><literal>l2tp_secret
</literal> (string)
</term>
265 The secret used by
<command>l2tpns
</command> for
266 authenticating tunnel request. Must be the same as the
267 LAC, or authentication will fail. Only actually be used
268 if the LAC requests authentication.
274 <term><literal>l2tp_mtu
</literal> (int)
</term>
277 MTU of interface for L2TP traffic (default:
278 <literal>1500</literal>). Used to set link MRU and
285 <term><literal>ppp_restart_time
</literal> (int)
</term>
286 <term><literal>ppp_max_configure
</literal> (int)
</term>
287 <term><literal>ppp_max_failure
</literal> (int)
</term>
290 PPP counter and timer values, as described in
§4.1
291 of
<ulink url=
"ftp://ftp.rfc-editor.org/in-notes/rfc1661.txt">
298 <term><literal>primary_dns
</literal> (ip address)
</term>
299 <term><literal>econdary_dns
</literal> (ip address)
</term>
302 Whenever a PPP connection is established, DNS servers
303 will be sent to the user, both a primary and a
304 secondary. If either is set to
0.0.0.0, then that one
311 <term><literal>primary_radius
</literal> (ip address)
</term>
312 <term><literal>secondary_radius
</literal> (ip address)
</term>
315 Sets the RADIUS servers used for both authentication and
316 accounting. If the primary server does not respond,
317 then the secondary RADIUS server will be tried.
321 In addition to the source IP address and identifier,
322 the RADIUS server
<emphasis>must
</emphasis> include
323 the source port when detecting duplicates to supress
324 (in order to cope with a large number of sessions
325 comming on-line simultaneously
326 <command>l2tpns
</command> uses a set of udp sockets,
327 each with a seperate identifier).
335 <term><literal>primary_radius_port
</literal> (short)
</term>
336 <term><literal>secondary_radius_port
</literal> (short)
</term>
339 Sets the authentication ports for the primary and
340 secondary RADIUS servers. The accounting port is one
341 more than the authentication port. If no RADIUS ports
342 are given, the authentication port defaults to
1645, and
343 the accounting port to
1646.
349 <term><literal>radius_accounting
</literal> (boolean)
</term>
352 If set to true, then RADIUS accounting packets will be
353 sent. This means that a Start record will be sent when
354 the session is successfully authenticated, and a Stop
355 record will be sent when the session is closed.
361 <term><literal>radius_interim
</literal> (int)
</term>
364 If
<literal>radius_accounting
</literal> is on, defines
365 the interval between sending of RADIUS interim
366 accounting records (in seconds).
372 <term><literal>radius_secret
</literal> (string)
</term>
375 This secret will be used in all RADIUS queries. If this
376 is not set then RADIUS queries will fail.
382 <term><literal>radius_authtypes
</literal> (string)
</term>
385 A comma separated list of supported RADIUS
386 authentication methods (
<literal>pap
</literal> or
387 <literal>chap
</literal>), in order of preference
388 (default
<literal>pap
</literal>).
394 <term><literal>radius_bind_min
</literal> (short)
</term>
395 <term><literal>radius_bind_max
</literal> (short)
</term>
398 Define a port range in which to bind sockets used to
399 send and receive RADIUS packets. Must be at least
400 RADIUS_FDS (
64) wide. Simplifies firewalling of RADIUS
401 ports (default: dynamically assigned).
407 <term><literal>radius_dae_port
</literal> (short)
</term>
410 Port for DAE RADIUS (Packet of Death/Disconnect, Change
411 of Authorization) requests (default:
412 <literal>3799</literal>).
418 <term><literal>allow_duplicate_users
</literal> (boolean)
</term>
421 Allow multiple logins with the same username. If false
422 (the default), any prior session with the same username
423 will be dropped when a new session is established.
429 <term><literal>guest_account
</literal> (string)
</term>
432 Allow multiple logins matching this specific username.
438 <term><literal>bind_address
</literal> (ip address)
</term>
441 When the tun interface is created, it is assigned the
442 address specified here. If no address is given,
1.1.1.1
443 is used. Packets containing user traffic should be
444 routed via this address if given, otherwise the primary
445 address of the machine.
451 <term><literal>peer_address
</literal> (ip address)
</term>
453 <para>Address to send to clients as the default gateway.
</para>
458 <term><literal>send_garp
</literal> (boolean)
</term>
461 Determines whether or not to send a gratuitous ARP for
462 the bind_address when the server is ready to handle
463 traffic (default:
<literal>true
</literal>). This value
464 is ignored if BGP is configured.
470 <term><literal>throttle_speed
</literal> (int)
</term>
473 Sets the default speed (in kbits/s) which sessions will
474 be limited to. If this is set to
0, then throttling
475 will not be used at all. Note: You can set this by the
476 CLI, but changes will not affect currently connected
483 <term><literal>throttle_buckets
</literal> (int)
</term>
486 Number of token buckets to allocate for throttling.
487 Each throttled session requires two buckets (in and
494 <term><literal>accounting_dir
</literal> (string)
</term>
497 If set to a directory, then every
5 minutes the current
498 usage for every connected use will be dumped to a file
499 in this directory. Each file dumped begins with a
500 header, where each line is prefixed by
<code>#
</code>.
501 Following the header is a single line for every
502 connected user, fields separated by a space.
506 The fields are username, ip, qos, uptxoctets,
507 downrxoctets. The qos field is
1 if a standard user,
508 and
2 if the user is throttled.
514 <term><literal>dump_speed
</literal> (boolean)
</term>
517 If set to true, then the current bandwidth utilization
518 will be logged every second. Even if this is disabled,
519 you can see this information by running the
520 <userinput>uptime
</userinput> command on the CLI.
526 <term><literal>multi_read_count
</literal> (int)
</term>
529 Number of packets to read off each of the UDP and TUN
530 fds when returned as readable by select (default:
10).
531 Avoids incurring the unnecessary system call overhead of
532 select on busy servers.
538 <term><literal>scheduler_fifo
</literal> (boolean)
</term>
541 Sets the scheduling policy for the
542 <command>l2tpns
</command> process to
543 <constant>SCHED_FIFO
</constant>. This causes the kernel
544 to immediately preempt any currently running
545 <constant>SCHED_OTHER
</constant> (normal) process in
546 favour of
<command>l2tpns
</command> when it becomes
547 runnable. Ignored on uniprocessor systems.
553 <term><literal>lock_pages
</literal> (boolean)
</term>
556 Keep all pages mapped by the
<command>l2tpns
</command>
563 <term><literal>icmp_rate
</literal> (int)
</term>
566 Maximum number of host unreachable ICMP packets to send
573 <term><literal>packet_limit
</literal> (int)
</term>
576 Maximum number of packets of downstream traffic to be
577 handled each tenth of a second per session. If zero, no
578 limit is applied (default:
0). Intended as a DoS
579 prevention mechanism and not a general throttling
580 control (packets are dropped, not queued).
586 <term><literal>cluster_address
</literal> (ip address)
</term>
589 Multicast cluster address (default:
239.192.13.13).
590 See
<xref linkend=
"clustering"/> for more information.
596 <term><literal>cluster_port
</literal> (udp port)
</term>
599 UDP cluster port (default:
32792).
600 See
<xref linkend=
"clustering"/> for more information.
606 <term><literal>cluster_interface
</literal> (string)
</term>
608 <para>Interface for cluster packets (default: eth0)
</para>
613 <term><literal>cluster_mcast_ttl
</literal> (int)
</term>
615 <para>TTL for multicast packets (default:
1).
</para>
620 <term><literal>cluster_hb_interval
</literal> (int)
</term>
623 Interval in tenths of a second between cluster
630 <term><literal>cluster_hb_timeout
</literal> (int)
</term>
633 Cluster heartbeat timeout in tenths of a second. A new
634 master will be elected when this interval has been
635 passed without seeing a heartbeat from the master.
641 <term><literal>cluster_master_min_adv
</literal> (int)
</term>
644 Determines the minumum number of up to date slaves
645 required before the master will drop routes (default:
1).
651 <term><literal>ipv6_prefix
</literal> (ipv6 address)
</term>
654 Enable negotiation of IPv6. This forms the the first
64
655 bits of the client allocated address. The remaining
64
656 come from the allocated IPv4 address and
4 bytes of
0s.
662 <sect3 id=
"config-startup-bgp">
665 BGP routing configuration is entered by the command:
666 <synopsis>router bgp
<replaceable>as
</replaceable></synopsis>
667 where
<replaceable>as
</replaceable> specifies the local AS
672 Subsequent lines prefixed with
673 <synopsis>neighbour
<replaceable>peer
</replaceable></synopsis>
674 define the attributes of BGP neighhbours. Valid commands
677 neighbour
<replaceable>peer
</replaceable> remote-as
<replaceable>as
</replaceable>
678 neighbour
<replaceable>peer
</replaceable> timers
<replaceable>keepalive hold
</replaceable>
683 Where
<replaceable>peer
</replaceable> specifies the BGP
684 neighbour as either a hostname or IP address,
685 <replaceable>as
</replaceable> is the remote AS number and
686 <replaceable>keepalive
</replaceable>,
687 <replaceable>hold
</replaceable> are the timer values in
692 <sect3 id=
"config-startup-acl">
693 <title>Access Lists
</title>
695 Named access-lists are configured using one of the commands:
697 ip access-list standard
<replaceable>name
</replaceable>
698 ip access-list extended
<replaceable>name
</replaceable>
703 Subsequent lines prefixed with
<literal>permit
</literal> or
704 <literal>deny
</literal> define the body of the access-list.
705 Standard access-list syntax:
708 <para role=
"hanging-indent">
709 {
<literal>permit
</literal>|
<literal>deny
</literal>}
710 {
<replaceable>host
</replaceable>|
<replaceable>source
711 source-wildcard
</replaceable>|
<literal>any
</literal>}
712 [{
<replaceable>host
</replaceable>|
<replaceable>destination
713 destination-wildcard
</replaceable>|
<literal>any
</literal>}]
716 <para>Extended access-lists:
</para>
717 <para role=
"hanging-indent">
718 {
<literal>permit
</literal>|
<literal>deny
</literal>}
719 <literal>ip
</literal>
720 {
<replaceable>host
</replaceable>|
<replaceable>source
721 source-wildcard
</replaceable>|
<literal>any
</literal>}
722 {
<replaceable>host
</replaceable>|
<replaceable>destination
723 destination-wildcard
</replaceable>|
<literal>any
</literal>}
724 [
<literal>fragments
</literal>]
727 <para role=
"hanging-indent">
728 {
<literal>permit
</literal>|
<literal>deny
</literal>}
729 <literal>udp
</literal>
730 {
<replaceable>host
</replaceable>|
<replaceable>source
731 source-wildcard
</replaceable>|
<literal>any
</literal>}
732 [{
<literal>eq
</literal>|
<literal>neq
</literal>|
<literal>gt
</literal>|
<literal>lt
</literal>}
733 <replaceable>port
</replaceable>|
<literal>range
</literal>
734 <replaceable>from
</replaceable>
735 <replaceable>to
</replaceable>]
736 {
<replaceable>host
</replaceable>|
<replaceable>destination
737 destination-wildcard
</replaceable>|
<literal>any
</literal>}
738 [{
<literal>eq
</literal>|
<literal>neq
</literal>|
<literal>gt
</literal>|
<literal>lt
</literal>}
739 <replaceable>port
</replaceable>|
<literal>range
</literal>
740 <replaceable>from
</replaceable>
741 <replaceable>to
</replaceable>]
742 [
<literal>fragments
</literal>]
745 <para role=
"hanging-indent">
746 {
<literal>permit
</literal>|
<literal>deny
</literal>}
747 <literal>tcp
</literal>
748 {
<replaceable>host
</replaceable>|
<replaceable>source
749 source-wildcard
</replaceable>|
<literal>any
</literal>}
750 [{
<literal>eq
</literal>|
<literal>neq
</literal>|
<literal>gt
</literal>|
<literal>lt
</literal>}
751 <replaceable>port
</replaceable>|
<literal>range
</literal>
752 <replaceable>from
</replaceable>
753 <replaceable>to
</replaceable>]
754 {
<replaceable>host
</replaceable>|
<replaceable>destination
755 destination-wildcard
</replaceable>|
<literal>any
</literal>}
756 [{
<literal>eq
</literal>|
<literal>neq
</literal>|
<literal>gt
</literal>|
<literal>lt
</literal>}
757 <replaceable>port
</replaceable>|
<literal>range
</literal>
758 <replaceable>from
</replaceable>
759 <replaceable>to
</replaceable>]
760 [{
<literal>established
</literal>|{
<literal>match-any
</literal>|
<literal>match-all
</literal>}
761 {
<literal>+
</literal>|
<literal>-
</literal>}{
<literal>fin
</literal>|
<literal>syn
</literal>|
<literal>rst
</literal>|
<literal>psh
</literal>|
<literal>ack
</literal>|
<literal>urg
</literal>}
762 ...|
<literal>fragments
</literal>]
767 <sect2 id=
"config-users">
768 <title><filename>users
</filename></title>
770 Usernames and passwords for the command-line interface are
771 stored in this file. The format is
773 <replaceable>username
</replaceable>:
<replaceable>password
</replaceable>
775 where
<replaceable>password
</replaceable> may either by plain
776 text, an MD5 digest (prefixed by
777 <literal>$
1</literal><replaceable>salt
</replaceable><literal>$
</literal>)
778 or a DES password, distinguished from plain text by the prefix
779 <literal>{crypt}
</literal>.
783 The username
<literal>enable
</literal> has a special meaning
784 and is used to set the enable password.
789 If this file doesn't exist, then anyone who can get to port
790 23 will be allowed access without a username or password.
795 <sect2 id=
"config-ip-pool">
796 <title><filename>ip_pool
</filename></title>
798 This file is used to configure the IP address pool which user
799 addresses are assigned from. This file should contain either
800 an IP address or a CIDR network per line. e.g.:
813 Keep in mind that
<command>l2tpns
</command> can only handle
814 65535 connections per process, so don't put more than
65535 IP
815 addresses in the configuration file. They will be
820 <sect2 id=
"config-build-garden" xreflabel=
"build-garden">
821 <title><filename>build-garden
</filename></title>
823 The garden plugin on startup creates a NAT table called
824 "garden" then sources the
<filename>build-garden
</filename>
825 script to populate that table. All packets from gardened
826 users will be sent through this table. Example:
829 iptables -t nat -A garden -p tcp -m tcp --dport
25 -j DNAT --to
192.168.1.1
830 iptables -t nat -A garden -p udp -m udp --dport
53 -j DNAT --to
192.168.1.1
831 iptables -t nat -A garden -p tcp -m tcp --dport
53 -j DNAT --to
192.168.1.1
832 iptables -t nat -A garden -p tcp -m tcp --dport
80 -j DNAT --to
192.168.1.1
833 iptables -t nat -A garden -p tcp -m tcp --dport
110 -j DNAT --to
192.168.1.1
834 iptables -t nat -A garden -p tcp -m tcp --dport
443 -j DNAT --to
192.168.1.1
835 iptables -t nat -A garden -p icmp -m icmp --icmp-type echo-request -j DNAT --to
192.168.1.1
836 iptables -t nat -A garden -p icmp -j ACCEPT
837 iptables -t nat -A garden -j DROP
843 <sect1 id=
"operation">
844 <title>Operation
</title>
846 A running l2tpns process can be controlled in a number of ways.
847 The primary method of control is by the Command-Line Interface
852 You can also remotely send commands to modules via the
853 <command>nsctl
</command> client provided.
857 There are also a number of signals that l2tpns understands and
858 takes action when it receives them.
861 <sect2 id=
"operation-cli">
862 <title>Command-Line Interface
</title>
864 You can access the command line interface by telneting to port
865 23. There is no IP address restriction, so it's a good idea
866 to firewall this port off from anyone who doesn't need access
867 to it. See
<xref linkend=
"config-users"/> for information on
868 restricting access based on a username and password.
872 The CLI gives you real-time control over almost everything in
873 the process. The interface is designed to look like a Cisco
874 device, and supports things like command history, line editing
875 and context sensitive help. This is provided by linking with
876 the
<ulink url=
"http://sourceforge.net/projects/libcli">
877 libcli
</ulink> library. Some general documentation of the
879 url=
"http://sourceforge.net/docman/display_doc.php?docid=20501&group_id=79019">
884 After you have connected to the telnet port (and perhaps
885 logged in), you will be presented with a
886 <prompt><replaceable>hostname
</replaceable>></prompt>
891 Enter
<userinput>help
</userinput> to get a list of possible
892 commands, or press
<userinput>?
</userinput> for
893 context-specific help.
897 A brief overview of the more important commands
901 <varlistentry id=
"operation-cli-show-session"
902 xreflabel=
"show session">
904 <userinput>show session [
<replaceable>ID
</replaceable>]
910 Detailed information for a specific session is
911 presented if you specify a session
912 <replaceable>ID
</replaceable> argument.
916 If no
<replaceable>ID
</replaceable> is given, a
917 summary of all connected sessions is produced. Note
918 that this summary list can be around
185 columns wide,
919 so you should probably use a wide
924 The columns listed in the summary are:
928 <colspec colname=
"col"/>
929 <colspec colname=
"desc"/>
930 <colspec colname=
"extra"/>
933 <entry><literal>SID
</literal></entry>
934 <entry namest=
"desc" nameend=
"extra">Session ID
</entry>
937 <entry><literal>TID
</literal></entry>
938 <entry>Tunnel ID
</entry>
941 linkend=
"operation-cli-show-tunnel"/> CLI
946 <entry><literal>Username
</literal></entry>
948 The username given in the PPP authentication.
951 If this is *, then LCP authentication has
956 <entry><literal>IP
</literal></entry>
957 <entry>The IP address given to the session.
</entry>
959 If this is
0.0.0.0, IPCP negotiation has not
964 <entry><literal>I
</literal></entry>
965 <entry>Intercept
</entry>
967 Y or N: indicates whether the session is
968 being snooped. See also the
969 <xref linkend=
"operation-cli-snoop"/>
974 <entry><literal>T
</literal></entry>
975 <entry>Throttled
</entry>
977 Y or N: indicates whether the session is
978 currently throttled. See also the
979 <xref linkend=
"operation-cli-throttle"/>
984 <entry><literal>G
</literal></entry>
985 <entry>Walled Garden
</entry>
987 Y or N: indicates whether the user is
988 trapped in the walled garden. This field is
989 present even if the garden module is not
994 <entry><literal>6</literal></entry>
997 Y or N: indicates whether the session has
998 IPv6 active (IPV6CP open)
1002 <entry><literal>opened
</literal></entry>
1003 <entry namest=
"desc" nameend=
"extra">
1004 The number of seconds since the
1009 <entry><literal>downloaded
</literal></entry>
1010 <entry namest=
"desc" nameend=
"extra">
1011 Number of bytes downloaded by the user
1015 <entry><literal>uploaded
</literal></entry>
1016 <entry namest=
"desc" nameend=
"extra">
1017 Number of bytes uploaded by the user
1021 <entry><literal>idle
</literal></entry>
1022 <entry namest=
"desc" nameend=
"extra">
1023 The number of seconds since traffic was
1024 detected on the session
1028 <entry><literal>LAC
</literal></entry>
1029 <entry namest=
"desc" nameend=
"extra">
1030 The IP address of the LAC the session is
1035 <entry><literal>CLI
</literal></entry>
1036 <entry namest=
"desc" nameend=
"extra">
1037 The Calling-Line-Identification field
1038 provided during the session setup. This
1039 field is generated by the LAC.
1049 <varlistentry id=
"operation-cli-show-user" xreflabel=
"show user">
1051 <userinput>show users
</userinput>
1054 <userinput>show user
<replaceable>username
</replaceable>
1060 With no arguments, display a list of currently
1061 connected users. If an argument is given, the session
1062 details for the given
1063 <replaceable>username
</replaceable> are displayed.
1068 <varlistentry id=
"operation-cli-show-tunnel" xreflabel=
"show tunnel">
1070 <userinput>show tunnel [
<replaceable>ID
</replaceable>]
</userinput>
1075 Produce a summary list of all open tunnels, or detail
1076 on a specific tunnel
<replaceable>ID
</replaceable>.
1080 The columns listed in the summary are:
1087 <entry>Tunnel ID
</entry>
1090 <entry>Hostname
</entry>
1092 The hostname for the tunnel as provided by
1093 the LAC. This has no relation to DNS, it is
1099 <entry>The IP address of the LAC
</entry>
1102 <entry>State
</entry>
1104 Tunnel state: Free, Open, Dieing, Opening
1108 <entry>Sessions
</entry>
1109 <entry>The number of open sessions on the tunnel
</entry>
1118 <varlistentry id=
"operation-cli-show-pool" xreflabel=
"show pool">
1119 <term><userinput>show pool
</userinput></term>
1122 Displays the current IP address pool allocation. This
1123 will only display addresses that are in use, or are
1124 reserved for re-allocation to a disconnected user.
1128 If an address is not currently in use, but has been
1129 used, then in the User column the username will be
1130 shown in square brackets, followed by the time since
1131 the address was used:
1134 IP Address Used Session User
1135 192.168.100.6 N [joe.user]
1548s
1141 <varlistentry id=
"operation-cli-show-radius" xreflabel=
"show radius">
1142 <term><userinput>show radius
</userinput></term>
1145 Show a summary of the in-use RADIUS sessions. This
1146 list should not be very long, as RADIUS sessions
1147 should be cleaned up as soon as they are used. The
1154 <entry>Radius
</entry>
1156 The ID of the RADIUS request. This is sent
1157 in the packet to the RADIUS server for
1162 <entry>State
</entry>
1164 The state of the request: WAIT, CHAP, AUTH,
1165 IPCP, START, STOP or NULL
1169 <entry>Session
</entry>
1171 The session ID that this RADIUS request is
1176 <entry>Retry
</entry>
1178 If a response does not appear to the
1179 request, it will retry at this time. This
1186 Retry count. The RADIUS request is
1187 discarded after
3 retries
1197 <varlistentry id=
"operation-cli-show-run" xreflabel=
"show run">
1198 <term><userinput>show running-config
</userinput></term>
1201 This will list the current running configuration.
1202 This is in a format that can either be pasted into the
1203 configuration file, or run directly at the command
1209 <varlistentry id=
"operation-cli-show-counters"
1210 xreflabel=
"show counters">
1211 <term><userinput>show counters
</userinput></term>
1214 Internally, counters are kept of key values, such as
1215 bytes and packets transferred, as well as function
1216 call counters. This function displays all these
1217 counters, and is probably only useful for debugging.
1221 You can reset these counters by running
1222 <userinput>clear counters
</userinput>.
1227 <varlistentry id=
"operation-cli-show-cluster"
1228 xreflabel=
"show cluster">
1229 <term><userinput>show cluster
</userinput></term>
1232 Show cluster status. Shows the cluster state for this
1233 server (Master/Slave), information about known peers
1234 and (for slaves) the master IP address, last packet
1235 seen and up-to-date status. See
1236 <xref linkend=
"clustering"/> for more information.
1241 <varlistentry id=
"operation-cli-write-mem" xreflabel=
"write memory">
1242 <term><userinput>write memory
</userinput></term>
1245 This will write the current running configuration to
1246 the config file
<filename>startup-config
</filename>,
1247 which will be run on a restart.
1252 <varlistentry id=
"operation-cli-snoop" xreflabel=
"snoop">
1254 <userinput>snoop
<replaceable>user
</replaceable>
1255 <replaceable>IP
</replaceable>
1256 <replaceable>port
</replaceable></userinput>
1260 You must specify a username, IP address and port. All
1261 packets for the current session for that username will
1262 be forwarded to the given host/port. Specify
1264 <replaceable>username
</replaceable></userinput> to
1265 disable interception for the session.
1269 If you want interception to be permanent, you will
1270 have to modify the RADIUS response for the user. See
1271 <xref linkend=
"interception"/>.
1276 <varlistentry id=
"operation-cli-throttle" xreflabel=
"throttle">
1278 <userinput>throttle
<replaceable>user
</replaceable>
1279 [in|out]
<replaceable>rate
</replaceable></userinput>
1283 You must specify a username, which will be throttled
1284 for the current session to
1285 <replaceable>rate
</replaceable> Kbps. Prefix
1286 <replaceable>rate
</replaceable> with
1287 <userinput>in
</userinput> or
1288 <userinput>out
</userinput> to set different upstream
1289 and downstream rates.
1293 Specify
<userinput>no throttle
1294 <replaceable>username
</replaceable></userinput> to
1295 disable throttling for the current session.
1299 If you want throttling to be permanent, you will have
1300 to modify the RADIUS response for the user. See
<xref
1301 linkend=
"throttling"/>.
1306 <varlistentry id=
"operation-cli-drop-session"
1307 xreflabel=
"drop session">
1309 <userinput>drop
<replaceable>session
</replaceable></userinput>
1313 This will cleanly disconnect the session specified by
1314 <replaceable>session
</replaceable> ID.
1319 <varlistentry id=
"operation-cli-drop-tunnel" xreflabel=
"drop tunnel">
1321 <userinput>drop
<replaceable>tunnel
</replaceable></userinput>
1325 This will cleanly disconnect the tunnel specified by
1326 <replaceable>tunnel
</replaceable> ID, as well as all
1327 sessions on that tunnel.
1332 <varlistentry id=
"operation-cli-uptime" xreflabel=
"uptime">
1333 <term><userinput>uptime
</userinput></term>
1336 This will show how long the
<command>l2tpns
</command>
1337 process has been running, and the current bandwidth
1341 17:
10:
35 up
8 days,
2212 users, load average:
0.21,
0.17,
0.16
1342 Bandwidth: UDP-ETH:
6/
6 ETH-UDP:
13/
13 TOTAL:
37.6 IN:
3033 OUT:
2569
1345 The bandwidth line contains
4 sets of values:
1351 <entry>UDP-ETH
</entry>
1353 The current bandwidth going from the LAC to
1354 the ethernet (user uploads), in mbits/sec.
1358 <entry>ETH-UDP
</entry>
1360 The current bandwidth going from ethernet to
1361 the LAC (user downloads).
1365 <entry>TOTAL
</entry>
1366 <entry>The total aggregate bandwidth in mbits/s.
</entry>
1369 <entry>IN and OUT
</entry>
1371 Packets/per-second going between UDP-ETH and
1379 These counters are updated every second.
1384 <varlistentry id=
"operation-cli-configure" xreflabel=
"configure">
1385 <term><userinput>configure terminal
</userinput></term>
1388 Enter configuration mode. Use
1389 <userinput>exit
</userinput> or
1390 <userinput>^Z
</userinput> to exit this mode.
1394 The following commands are valid in this mode:
1397 <varlistentry id=
"operation-cli-conf-load">
1399 <userinput>load plugin
1400 <replaceable>name
</replaceable></userinput>
1404 Load a plugin. You must specify the plugin
1405 name, and it will search in
1406 <filename>/usr/lib/l2tpns
</filename> for
1407 <filename><replaceable>name
</replaceable>.so
</filename>.
1408 You can unload a loaded plugin with
1409 <userinput>remove plugin
1410 <replaceable>name
</replaceable></userinput>.
1415 <varlistentry id=
"operation-cli-conf-set">
1416 <term><userinput>set
</userinput> ...
</term>
1419 Set a configuration variable. You must specify
1420 the variable name, and the value. If the value
1421 contains any spaces, you should quote the value
1422 with double (
") or single (') quotes.
1426 You can set any configuration value in this
1427 way, although some may require a restart to
1428 take effect. See <xref
1429 linkend="config-startup
"/>.
1434 <varlistentry id="operation-cli-conf-router
">
1435 <term><userinput>router bgp</userinput> ...</term>
1438 Configure BGP. See <xref
1439 linkend="config-startup-bgp
"/>.
1444 <varlistentry id="operation-cli-conf-acl
">
1445 <term><userinput>ip access-list</userinput> ...</term>
1448 Configure a named access list. See <xref
1449 linkend="config-startup-acl
"/>.
1461 <sect2 id="operation-nsctl
">
1462 <title>nsctl</title>
1464 <command>nsctl</command> sends messages to a running
1465 <command>l2tpns</command> instance to be control plugins.
1469 Arguments are <userinput>command</userinput> and optional
1470 <replaceable>args</replaceable>. See
1471 <literal>nsctl(8)</literal>.
1475 Built-in command are <userinput>load_plugin</userinput>,
1476 <userinput>unload_plugin</userinput> and
1477 <userinput>help</userinput>. Any other commands are passed to
1478 plugins for processing by the
1479 <literal>plugin_control</literal> function.
1483 <sect2 id="operation-signals
">
1484 <title>Signals</title>
1486 While the process is running, you can send it a few different
1487 signals, using the <command>kill</command> command.
1493 The signals understood are:
1499 <para>Reload the config from disk and re-open log file.</para>
1504 <term>SIGTERM</term>
1508 Stop process. Tunnels and sessions are not
1509 terminated. This signal should be used to stop
1510 <command>l2tpns</command> on a cluster node where
1511 there are other machines to continue handling traffic.
1512 See <xref linkend="clustering
"/>
1518 <term>SIGQUIT</term>
1521 Shut down tunnels and sessions, exit process when
1531 <sect1 id="throttling
">
1532 <title>Throttling</title>
1534 <command>l2tpns</command> contains support for slowing down user
1535 sessions to whatever speed you desire. The global setting
1536 <literal>throttle_speed</literal> defines the default throttle
1541 To throttle a sesion permanently, add a
1542 <literal>Cisco-AVPair</literal> RADIUS attribute. The
1543 <filename>autothrotle</filename> module interprets the following
1550 <entry><literal>throttle=yes</literal></entry>
1552 Throttle upstream/downstream traffic to the configured
1553 <literal>throttle_speed</literal>.
1559 <literal>throttle=<replaceable>rate</replaceable></literal>
1562 Throttle upstream/downstream traffic to the specified
1563 <replaceable>rate</replaceable> Kbps.
1569 <literal>lcp:interface-config#1=service-policy input
1570 <replaceable>rate</replaceable></literal>
1573 <entry morerows="1">
1574 Alternate (Cisco) format: throttle
1575 upstream/downstream to specified
1576 <replaceable>rate</replaceable> Kbps.
1582 <literal>lcp:interface-config#2=service-policy output
1583 <replaceable>rate</replaceable></literal>
1592 You can also enable and disable throttling an active session
1593 using the <xref linkend="operation-cli-throttle
"/> CLI command.
1597 <sect1 id="interception
">
1598 <title>Interception</title>
1600 You may have to deal with legal requirements to be able to
1601 intercept a user's traffic at any time.
1602 <command>l2tpns</command> allows you to begin and end
1603 interception on the fly, as well as at authentication time.
1607 When a user is being intercepted, a copy of every packet they
1608 send and receive will be sent wrapped in a UDP packet to a
1613 The UDP packet contains just the raw IP frame, with no extra
1614 headers. The script <filename>scripts/l2tpns-capture</filename>
1615 may be used as the end-point for such intercepts, writing the
1616 data in PCAP format (suitable for inspection with
1617 <command>tcpdump</command>).
1621 To enable or disable interception of a connected user, use the
1622 <xref linkend="operation-cli-snoop
"/> and <userinput>no
1623 snoop</userinput> CLI commands. These will enable interception
1628 If you wish the user to be intercepted whenever they reconnect,
1629 you will need to modify the RADIUS response to include the
1630 Vendor-Specific value
1631 <literal>Cisco-AVPair="intercept=
<replaceable>ip
</replaceable>:
<replaceable>port
</replaceable>"</literal>.
1632 For this feature to be enabled, you need to have the
1633 <filename>autosnoop</filename> module loaded.
1637 <sect1 id="plugins
">
1638 <title>Plugins</title>
1640 So as to make <command>l2tpns</command> as flexible as possible,
1641 a plugin API is include which you can use to hook into certain
1646 There are a some standard modules included which may be used as
1647 examples: <filename>autosnoop</filename>,
1648 <filename>autothrottle</filename>, <filename>garden</filename>,
1649 <filename>sessionctl</filename>,
1650 <filename>setrxspeed</filename>, <filename>snoopctl</filename>,
1651 <filename>stripdomain</filename> and
1652 <filename>throttlectl</filename>.
1656 When an event occurs that has a hook, <command>l2tpns</command>
1657 looks for a predefined function name in every loaded module, and
1658 runs them in the order the modules were loaded.
1662 The function should return <code>PLUGIN_RET_OK</code> if it is
1663 all OK. If it returns <code>PLUGIN_RET_STOP</code>, then it is
1664 assumed to have worked, but that no further modules should be
1669 A return of <code>PLUGIN_RET_ERROR</code> means that this module
1670 failed, and no further processing should be done for this event.
1671 <note><para>Use this with care.</para></note>
1675 Most event functions take a specific structure named
1676 <code>param_<replaceable>event</replaceable></code>, which
1677 varies in content with each event. The function name for each
1679 <code>plugin_<replaceable>event</replaceable></code>, so for the
1680 event <replaceable>timer</replaceable>, the function declaration
1684 int plugin_timer(struct param_timer *data);
1687 A list of the available events follows, with a list of all the
1688 fields in the supplied structure:
1692 <colspec colname="event
"/>
1693 <colspec colname="event_desc
"/>
1694 <colspec colname="member
"/>
1695 <colspec colname="member_desc
"/>
1696 <spanspec spanname="args
" namest="member
" nameend="member_desc
"/>
1699 <entry>Event</entry>
1700 <entry>Description</entry>
1701 <entry spanname="args
">Arguments</entry>
1707 <entry morerows="1"><code>plugin_init</code></entry>
1708 <entry morerows="1">
1710 Called when the plugin is loaded. A pointer to a
1711 struct containing function pointers is passed as the
1712 only argument, allowing the plugin to call back into
1716 Prior to loading the plugin, <command>l2tpns</command>
1717 checks the API version the plugin was compiled
1718 against. All plugins should contain:
1720 int plugin_api_version = PLUGIN_API_VERSION;
1724 <entry spanname="args
"><code>struct pluginfuncs *</code></entry>
1727 <entry spanname="args
">
1728 See <code>pluginfuncs</code> structure in
1729 <code>plugin.h</code> for available functions.
1734 <entry morerows="1"><code>plugin_done</code></entry>
1735 <entry morerows="1">
1736 Called when the plugin is unloaded or
1737 <command>l2tpns</command> is shutdown.
1739 <entry spanname="args
"><code>void</code></entry>
1742 <entry spanname="args
">No arguments.</entry>
1746 <entry morerows="6"><code>plugin_pre_auth</code></entry>
1747 <entry morerows="6">
1748 Called after a RADIUS response has been received, but
1749 before it has been processed by the code. This will
1750 allow you to modify the response in some way.
1752 <entry spanname="args
">
1753 <code>struct plugin param_pre_auth *</code>
1757 <entry><code>tunnelt *t</code></entry>
1758 <entry>Tunnel.</entry>
1761 <entry><code>sessiont *s</code></entry>
1762 <entry>Session.</entry>
1765 <entry><code>char *username</code></entry>
1766 <entry>User name.</entry>
1769 <entry><code>char *password</code></entry>
1770 <entry>Password.</entry>
1773 <entry><code>int protocol</code></entry>
1775 Authentication protocol: <literal>0xC023</literal> for PAP,
1776 <literal>0xC223</literal> for CHAP.
1780 <entry><code>int continue_auth</code></entry>
1781 <entry>Set to 0 to stop processing authentication modules.</entry>
1785 <entry morerows="5"><code>plugin_post_auth</code></entry>
1786 <entry morerows="5">
1787 Called after a RADIUS response has been received, and
1788 the basic checks have been performed. This is what
1789 the <filename>garden</filename> module uses to force
1790 authentication to be accepted.
1792 <entry spanname="args
">
1793 <code>struct plugin param_post_auth *</code>
1797 <entry><code>tunnelt *t</code></entry>
1798 <entry>Tunnel.</entry>
1801 <entry><code>sessiont *s</code></entry>
1802 <entry>Session.</entry>
1805 <entry><code>char *username</code></entry>
1806 <entry>User name.</entry>
1809 <entry><code>short auth_allowed</code></entry>
1811 Initially true or false depending on whether
1812 authentication has been allowed so far. You can
1813 set this to 1 or 0 to force authentication to be
1814 accepted or rejected.
1818 <entry><code>int protocol</code></entry>
1820 Authentication protocol: <literal>0xC023</literal> for PAP,
1821 <literal>0xC223</literal> for CHAP.
1826 <entry morerows="1"><code>plugin_timer</code></entry>
1827 <entry morerows="1">
1828 Run once per second.
1830 <entry spanname="args
">
1831 <code>struct plugin param_timer *</code>
1835 <entry><code>time_t time_now</code></entry>
1836 <entry>The current unix timestamp.</entry>
1840 <entry morerows="2"><code>plugin_new_session</code></entry>
1841 <entry morerows="2">
1842 Called after a session is fully set up. The session
1843 is now ready to handle traffic.
1845 <entry spanname="args
">
1846 <code>struct plugin param_new_session *</code>
1850 <entry><code>tunnelt *t</code></entry>
1851 <entry>Tunnel.</entry>
1854 <entry><code>sessiont *s</code></entry>
1855 <entry>Session.</entry>
1859 <entry morerows="2"><code>plugin_kill_session</code></entry>
1860 <entry morerows="2">
1861 Called when a session is about to be shut down. This
1862 may be called multiple times for the same session.
1864 <entry spanname="args
">
1865 <code>struct plugin param_kill_session *</code>
1869 <entry><code>tunnelt *t</code></entry>
1870 <entry>Tunnel.</entry>
1873 <entry><code>sessiont *s</code></entry>
1874 <entry>Session.</entry>
1878 <entry morerows="5"><code>plugin_control</code></entry>
1879 <entry morerows="5">
1881 Called in whenever a <command>nsctl</command> packet
1882 is received. This should handle the packet and form a
1883 response if required.
1886 Plugin-specific help strings may be included in the
1887 output of <userinput>nsctl help</userinput> by
1888 defining a <code>NULL</code> terminated list of
1891 char *plugin_control_help[] = { <replaceable>...</replaceable>, NULL };
1895 <entry spanname="args
">
1896 <code>struct plugin param_control *</code>
1900 <entry><code>int iam_master</code></entry>
1901 <entry>If true, this node is the cluster master.</entry>
1904 <entry><code>int argc</code></entry>
1905 <entry morerows="1"><command>nsctl</command> arguments.</entry>
1908 <entry><code>char **argc</code></entry>
1911 <entry><code>int reponse</code></entry>
1913 Response from control message (if handled): should be
1914 either <code>NSCTL_RES_OK</code> or
1915 <code>NSCTL_RES_ERR</code>.
1919 <entry><code>char *additional</code></entry>
1921 Additional information, output by
1922 <command>nsctl</command> on receiving the response.
1927 <entry morerows="4"><code>plugin_radius_response</code></entry>
1928 <entry morerows="4">
1929 Called whenever a RADIUS response includes a
1930 <literal>Cisco-AVPair</literal> value. The value is
1932 <replaceable>key</replaceable><literal>=</literal><replaceable>value</replaceable>
1933 pairs. Will be called once for each pair in the
1936 <entry spanname="args
">
1937 <code>struct plugin param_radius_response *</code>
1941 <entry><code>tunnelt *t</code></entry>
1942 <entry>Tunnel.</entry>
1945 <entry><code>sessiont *s</code></entry>
1946 <entry>Session.</entry>
1949 <entry><code>char *key</code></entry>
1950 <entry morerows="1">Key and value.</entry>
1953 <entry><code>char *value</code></entry>
1957 <entry morerows="2"><code>plugin_radius_reset</code></entry>
1958 <entry morerows="2">
1959 Called whenever a RADIUS CoA request is received to
1960 reset any options to default values before the new
1963 <entry spanname="args
">
1964 <code>struct param_radius_reset *</code>
1968 <entry><code>tunnelt *t</code></entry>
1969 <entry>Tunnel.</entry>
1972 <entry><code>sessiont *s</code></entry>
1973 <entry>Session.</entry>
1977 <entry morerows="3"><code>plugin_radius_account</code></entry>
1978 <entry morerows="3">
1979 Called when preparing a RADIUS accounting record to
1980 allow additional data to be added to the packet.
1982 <entry spanname="args
">
1983 <code>struct param_radius_account *</code>
1987 <entry><code>tunnelt *t</code></entry>
1988 <entry>Tunnel.</entry>
1991 <entry><code>sessiont *s</code></entry>
1992 <entry>Session.</entry>
1995 <entry><code>uint8_t **packet</code></entry>
1997 Pointer to the end of the currently assembled
1998 packet buffer. The value should be incremented by the
1999 length of any data added.
2004 <entry morerows="1"><code>plugin_become_master</code></entry>
2005 <entry morerows="1">
2006 Called when a node elects itself cluster master.
2008 <entry spanname="args
"><code>void</code></entry>
2011 <entry spanname="args
">No arguments.</entry>
2015 <entry morerows="1"><code>plugin_new_session_master</code></entry>
2016 <entry morerows="1">
2017 Called once for each open session on becoming cluster
2020 <entry spanname="args
"><code>sessiont *</code></entry>
2023 <entry spanname="args
">
2033 <sect1 id="walled-garden
">
2034 <title>Walled Garden</title>
2036 A "Walled Garden
" is implemented so that you can provide perhaps
2037 limited service to sessions that incorrectly authenticate.
2041 Whenever a session provides incorrect authentication, and the
2042 RADIUS server responds with Auth-Reject, the walled garden
2043 module (if loaded) will force authentication to succeed, but set
2044 the <literal>walled_garden</literal> flag in the session
2045 structure, and adds an <command>iptables</command> rule to the
2046 <literal>garden_users</literal> chain to cause all packets for
2047 the session to traverse the <literal>garden</literal> chain.
2051 This doesn't <emphasis>just work</emphasis>. To set this all
2052 up, you will to setup the <literal>garden</literal> nat table
2053 with the <xref linkend="config-build-garden
"/> script with rules
2054 to limit user's traffic.
2058 For example, to force all traffic except DNS to be forwarded to
2059 192.168.1.1, add these entries to your
2060 <filename>build-garden</filename> script:
2063 iptables -t nat -A garden -p tcp --dport ! 53 -j DNAT --to 192.168.1.1
2064 iptables -t nat -A garden -p udp --dport ! 53 -j DNAT --to 192.168.1.1
2069 <command>l2tpns</command> will add entries to the
2070 <literal>garden_users</literal> chain as appropriate.
2074 You can check the amount of traffic being captured using the
2078 iptables -t nat -L garden -nvx
2083 <sect1 id="filtering
">
2084 <title>Filtering</title>
2086 Sessions may be filtered by specifying
2087 <literal>Filter-Id</literal> attributes in the RADIUS reply.
2088 <replaceable>filter</replaceable>.<literal>in</literal>
2089 specifies that the named access-list
2090 <replaceable>filter</replaceable> should be applied to traffic
2092 <replaceable>filter</replaceable>.<literal>out</literal>
2093 specifies a list for traffic to the customer.
2097 <sect1 id="clustering
">
2098 <title>Clustering</title>
2100 An <command>l2tpns</command> cluster consists of one* or more
2101 servers configured with the same configuration, notably the
2102 multicast <literal>cluster_address</literal> and the
2103 <literal>cluster_port</literal>
2106 <para>*A stand-alone server is simply a degraded cluster.</para>
2109 Initially servers come up as cluster slaves, and periodically
2110 (every <literal>cluster_hb_interval</literal>/10 seconds) send
2111 out ping packets containing the start time of the process to the
2112 multicast <literal>cluster_address</literal> on
2113 <literal>cluster_port</literal>.
2117 A cluster master sends heartbeat rather than ping packets, which
2118 contain those session and tunnel changes since the last
2123 When a slave has not seen a heartbeat within
2124 <literal>cluster_hb_timeout</literal>/10 seconds it "elects
" a
2125 new master by examining the list of peers it has seen pings from
2126 and determines which of these and itself is the "best
" candidate
2127 to be master. "Best
" in this context means the server with the
2128 highest uptime (the highest IP address is used as a tie-breaker
2129 in the case of equal uptimes).
2133 After discovering a master, and determining that it is
2134 up-to-date (has seen an update for all in-use sessions and
2135 tunnels from heartbeat packets) will raise a route (see <xref
2136 linkend="routing
"/>) for the <literal>bind_address</literal> and
2137 for all addresses/networks in <filename>ip_pool</filename>.
2141 Any packets recieved by the slave which would alter the session
2142 state, as well as packets for throttled or gardened sessions are
2143 forwarded to the master for handling. In addition, byte
2144 counters for session traffic are periodically forwarded.
2148 The master, when determining that it has at least one* up-to-date
2149 slave will drop all routes (raising them again if all slaves
2150 disappear) and subsequently handle only packets forwarded to it
2154 <para>*Configurable with <literal>cluster_master_min_adv</literal></para>
2157 Multiple clusters can be run on the same network by just using different
2158 multicast <literal>cluster_address</literal>. However, for a given host to
2159 be part of multiple clusters without mixing the clusters,
2160 <literal>cluster_port</literal> must be different for each cluster.
2164 <sect1 id="routing
">
2165 <title>Routing</title>
2167 If you are running a single instance, you may simply statically
2168 route the IP pools to the <literal>bind_address</literal>
2169 (<command>l2tpns</command> will send a gratuitous arp).
2173 For a cluster, configure the members as BGP neighbours on your
2174 router and configure multi-path load-balancing. Cisco uses
2175 <userinput>maximum-paths ibgp</userinput> for IBGP. If this is
2176 not supported by your IOS revision, you can use
2177 <userinput>maximum-paths</userinput> (which works for EBGP) and
2178 set <literal>as_number</literal> to a private value such as