Date created: Friday, May 8, 2015 4:55:36 PM. Last modified: Monday, August 17, 2020 4:01:48 PM
L2TP and Subscriber Scale Tuning
L2TP Tunnel Tuning
References:
https://www.ietf.org/rfc/rfc2661.txt
www.cisco.com/c/en/us/td/docs/ios-xml/ios/vpdn/command/vpd-cr-book/vpd-l1.html
https://www.cisco.com/c/en/us/td/docs/routers/asr1000/configuration/guide/chassis/xe-16-6/asr1000-software-config-guide-16-6/scaling-asr.html#con_1125595
https://www.cisco.com/c/en/us/support/docs/dial-access/virtual-private-dialup-network-vpdn/200713-Configure-Call-Admission-Control.html
MTU between CPE and ADSL DSLAM
Assuming PPPoA: All IP packets are divided into 53 byte ATM cells which are 5 bytes of header and 48 bytes of data. Assuming the DSLAM is performing PPPoA to PPPoE interworking, 6 bytes of PPPoE header (1 byte shared for version and type flags, 1 byte for code, 2 bytes for session ID and 2 bytes for payload length) will be inserted and the PPP header will be only 2 bytes (2 bytes for payload protocol ID), reducing the CPE IP MTU from 1500 to 1492.
MTU between DSLAM and BNG/LAC
Most DSLAMs that perform PPPoA to PPPoE interworking synthesize an Ethernet address for the PPPoA CPE, and subscribers may be placed into a shared VLAN. The minimum MTU required between DSLAM and BNG/LAC would be: the original 1500 (1492 byte IPv4/6 packet + 2 byte PPP header + 6 byte PPPoE header) + 1 VLAN tag + 14 byte synthesized Ethernet header.
MTU between LAC and LNS
The LAC should perform PPPoE to L2TP interworking, removing the PPPoE header towards the LNS and adding the L2TP encapsulation.
Minimum MTU: L2TP runs over UDP over IPv4. A full 1492 byte end user packet transported over L2TP to an LNS, assuming 2 MPLS labels to reach the LNS from the LAC, requires an MTU between LNS and LAC of 1538 bytes.
1492: EU IPv4/6 Packet
4 : PPP Header (Min: 1 byte address, 1 byte control, 2 byte protocol ID. Opt: 2 byte padding)
6 : L2TP Header (Min: 2 bytes for flags and version, 2 bytes tunnel ID, 2 bytes session ID. Opt: 2 bytes offset, 2 bytes length, 2 bytes Nr, 2 bytes Ns)
8 : UDP Header
20: IP Header
4 : MPLS VPN Label
4 : MPLS Transport Label
If L2TP sequencing is enabled, an additional 4 bytes are required in the L2TP header for the Nr + Ns fields.
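As an added worked example (not from the original page), the per-segment MTU budget above carried through in Python; the segment names, option flags and the ATM cell count helper are this example's own, and the header sizes follow the text and RFC 2661:

```python
# Added example: MTU budget for the PPPoA -> PPPoE -> L2TP chain described above.
# Header sizes are those given in the text / RFC 2661; function names are this example's own.

ATM_CELL, ATM_HDR = 53, 5          # 48 bytes of payload per ATM cell
ETH_HDR, VLAN_TAG = 14, 4          # synthesized Ethernet header + one 802.1Q tag
PPPOE_HDR = 6                      # ver/type, code, session ID, payload length
PPP_HDR_PPPOE = 2                  # protocol ID only (address/control compressed)
PPP_HDR_L2TP = 4                   # address, control, protocol ID (no padding)
UDP_HDR, IPV4_HDR, MPLS_LABEL = 8, 20, 4


def l2tp_header_len(length=False, sequencing=False, offset=False):
    """RFC 2661 data header: 6 bytes minimum (flags/version, tunnel ID, session ID),
    plus 2 for Length (L bit), 4 for Ns/Nr (S bit) and 2 for Offset (O bit)."""
    return 6 + (2 if length else 0) + (4 if sequencing else 0) + (2 if offset else 0)


def cpe_ip_mtu(link_mtu=1500):
    """IP MTU left for the CPE once the DSLAM inserts PPPoE + 2-byte PPP headers."""
    return link_mtu - PPPOE_HDR - PPP_HDR_PPPOE


def atm_cells(ip_len):
    """ATM cells needed for ip_len payload bytes (AAL5 trailer ignored, an assumption)."""
    return -(-ip_len // (ATM_CELL - ATM_HDR))   # ceiling division


def dslam_to_bng_mtu(ip_mtu=1492, vlan_tags=1):
    """Minimum link MTU between DSLAM and BNG/LAC for an ip_mtu-byte subscriber packet."""
    return ip_mtu + PPP_HDR_PPPOE + PPPOE_HDR + vlan_tags * VLAN_TAG + ETH_HDR


def lac_to_lns_mtu(ip_mtu=1492, mpls_labels=2, sequencing=False):
    """Minimum link MTU between LAC and LNS: PPP + L2TP + UDP + IPv4 + MPLS labels."""
    return (ip_mtu + PPP_HDR_L2TP + l2tp_header_len(sequencing=sequencing)
            + UDP_HDR + IPV4_HDR + mpls_labels * MPLS_LABEL)


def mtu_budget(ip_mtu=1492, vlan_tags=1, mpls_labels=2, sequencing=False):
    """Per-segment minimum MTU so a full ip_mtu-byte end-user packet is never fragmented."""
    return {
        "cpe_ip_mtu": ip_mtu,
        "atm_cells_per_full_packet": atm_cells(ip_mtu),
        "dslam_to_bng": dslam_to_bng_mtu(ip_mtu, vlan_tags),
        "lac_to_lns": lac_to_lns_mtu(ip_mtu, mpls_labels, sequencing),
    }


if __name__ == "__main__":
    print(mtu_budget())                      # lac_to_lns == 1538 as in the text
    print(mtu_budget(sequencing=True))       # lac_to_lns == 1542 with Nr/Ns present
```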
ASR1K-X Scaling:
! conf t
! Configure CAC / Call Admission Control
call admission new-model ! Enable CAC.
call admission cpu-limit 80 ! Incoming calls will be dropped when the measured 5-second CPU utilization is 80% or higher.
! call admission session-limit 10000 ! New PPP/VPDN session requests above this number will be dropped until the session number drops below this again.
! ^ This enforces a max session count which is dangerous
call admission limit 1000 ! Set a cap for the number of session requests the router should respond to (per second)
! The session charge per time-frame (example: per second) for PPP/VPDN sessions:
call admission vpdn 10 1
call admission pppoe 10 1
! Check with: show call admission statistics detailed
! Note that L2TP control packets must be processed and cannot be dropped by CAC. We can reduce the L2TP receive window to protect the CPU:
vpdn-group X
l2tp tunnel receive-window 1024
! Disable SNMP for Virtual-Access sub-interfaces:
no virtual-template snmp ! This is disabled by default.
! Increase the PPP keepalive timer; the default is 30 seconds and the holdtime is 5x the keepalive:
interface Virtual-Template10
keepalive 60
! Disable UDP checksum checking for L2TP packets:
vpdn ip udp ignore checksum
7210 Scaling:
! conf t
! Enable L2TP congestion control (sliding window) - enabled by default.
l2tp congestion-control
! Once entered, the router directly queues the L2TP Hello packets and Hello acknowledgements to
! the L2TP control process.
! If not configured the L2TP software sends the packets to UDP to validate the checksum.
! When too many packets are queued to the IP input process, the router starts the
! Selective Packet Discard (SPD) mechanism that causes IP packets to be dropped.
! Default is to perform checksums.
vpdn ip udp ignore checksum
vpdn-group group1
! Enable the NAS or tunnel server to drop out-of-order packets.
! Default is disabled.
no l2tp drop out-of-order
! Enables IP UDP checksums on data packets. With checksums disabled, delays are minimised because
! the ultimate error correction is done end-to-end rather than at the tunnel endpoints;
! enabling them switches to process-switched forwarding.
! Default is disabled.
no l2tp ip udp checksum
! Enable sequencing for packets sent over the L2TP tunnel.
! By default sequencing is disabled.
no l2tp sequencing
! Timeout before checking if a router that was previously busy is now free.
! Range is 5 to 6000 seconds.
! Default is 60 seconds.
l2tp tunnel busy timeout 30
! Frequency of L2TP hello keepalive packets. Range 0 to 1000 seconds. Default 60 seconds.
l2tp tunnel hello 30
! The number of L2TP control packets that can be queued in the receive window.
! Range is 0 to 5000.
! Default is platform dependent.
l2tp tunnel receive-window 500
! The number of retries made sending the initial control packet when establishing an L2TP tunnel.
! Range is 1 to 1000.
! Default is 2 retries.
l2tp tunnel retransmit initial retries 3
! The minimum and maximum frequency a router will retry to send the initial control packet during tunnel establishment.
! Range is from 1 to 8 seconds.
! Default is 1 second min and 8 seconds max.
! ONLY USED WHEN LOAD BALANCING IS CONFIGURED
l2tp tunnel retransmit initial timeout min 3
l2tp tunnel retransmit initial timeout max 6
! The number of retransmit retries for control packets.
! Range is 5 to 1000 retries. Default is 10 retries.
l2tp tunnel retransmit retries 5
! The minimum and maximum frequency a router will retry to send control packets.
! Range is from 1 to 8 seconds. Default is minimum 1 and maximum 8 seconds.
l2tp tunnel retransmit timeout min 3
l2tp tunnel retransmit timeout max 4
! The number of seconds before an L2TP tunnel is closed down due to being empty (no subscribers).
! Range is 0 to 86400 seconds.
! Default is 15 seconds if the router is a NAS or 10 seconds if the router is a tunnel server.
l2tp tunnel timeout no-session 5
! The number of seconds the router waits for the return message to an initial L2TP control
! packet before considering the peer busy.
! The range is 60 to 6000 seconds.
! Default is 10 seconds.
l2tp tunnel timeout setup 25
! Enable PMTUD.
! Default is disabled.
ip pmtu
! Enable LCP MRU renegotiation.
! MRU is negotiated during the LCP phase of PPP establishment; when using wholesale services
! the MRU between CPE and LNS might differ from the MRU between CPE and LAC.
! Default is disabled.
! Could be "on-mismatch" or "always".
lcp renegotiation on-mismatch