Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 1-1, users on enterprise branches LAN1 and LAN2 connect to the LAC using PPPoE and initiate connections with enterprise headquarters LAN3.
Two domains are configured on the LAC: aaa.com and bbb.com. Users in the domain aaa.com are located on the network segment 10.1.1.0/24 and users in the domain bbb.com are located on the network segment 10.2.1.0/24.
There is a reachable route from the LNS to the LAC and a tunnel is set up between the LNS and the LAC. After access users are authenticated, the LNS allocates IP addresses and gateway addresses to the access users.
Figure 1-1 Networking diagram of multi-domain access
Procedure
Step 1 Configure the LAC.
#
 sysname LAC
#
 l2tp enable //Enable L2TP.
#
aaa
 authentication-scheme lmt
 domain aaa.com
  authentication-scheme lmt
 domain bbb.com
  authentication-scheme lmt
 local-user user1@aaa.com password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
 local-user user1@aaa.com service-type ppp
 local-user user1@aaa.com privilege level 0
 local-user user2@bbb.com password cipher %@%@qh-<X%_2QB+^!UR+UkxUA/6<%@%@
 local-user user2@bbb.com privilege level 0
 local-user user2@bbb.com service-type ppp //Configure local user names and passwords on the PPPoE server.
#
interface Virtual-Template1 //Create a virtual template interface VT1 and set parameters for the PPPoE server.
 ppp authentication-mode chap //Set the authentication mode to CHAP.
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 pppoe-server bind Virtual-Template 1 //Enable the PPPoE server on the interface, import the parameters configured on VT1, and authenticate dial-up users.
#
interface GigabitEthernet3/0/0
 pppoe-server bind Virtual-Template 1
#
l2tp-group 1 //Create an L2TP group and set parameters for L2TP tunnel setup.
 tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@ //Enable tunnel authentication, and set the cipher password to huawei, which is the same as that on the peer device.
 tunnel name lac1 //Set the tunnel name to lac1, which is identified by the peer LNS.
 start l2tp ip 202.1.1.1 domain aaa.com //Initiate L2TP tunnel setup to the peer device. This example assumes that the domain name of access users is aaa.com.
#
l2tp-group 2
 tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
 tunnel name lac2
 start l2tp ip 202.1.1.1 domain bbb.com
#
Step 2 Configure the LNS.
#
 sysname LNS
#
 l2tp enable
#
ip pool 1 //Create IP address pool 1 from which IP addresses are allocated to access users.
 gateway-list 10.1.1.1 //Configure the gateway address.
 network 10.1.1.0 mask 255.255.255.0 //Specify the IP address range.
#
ip pool 2
 gateway-list 10.2.1.1
 network 10.2.1.0 mask 255.255.255.0
#
aaa
 local-user user1@aaa.com password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
 local-user user1@aaa.com privilege level 0
 local-user user1@aaa.com service-type ppp
 local-user user2@bbb.com password cipher %@%@qh-<X%_2QB+^!UR+UkxUA/6<%@%@
 local-user user2@bbb.com privilege level 0
 local-user user2@bbb.com service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool 1 //Import the IP address pool. The PPPoE server then allocates IP addresses from this pool to authenticated users.
 ip address 10.1.1.1 255.255.255.0 //Configure the gateway address for the address pool.
#
interface Virtual-Template2
 ppp authentication-mode chap
 remote address pool 2
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.3.1.1 255.255.255.0
#
l2tp-group 1
 allow l2tp virtual-template 1 remote lac1 //Specify the tunnel name of the remote end and the virtual template used for the tunnel.
 tunnel password cipher %@%@eS*)0t-0D!,~pa;IPll=3liC%@%@
 tunnel name lns
#
l2tp-group 2
 allow l2tp virtual-template 2 remote lac2
 tunnel password cipher %@%@Cyor,=OAk#tWwA;%2\!W3lwj%@%@
 tunnel name lns
#
Step 3 Verify the configuration.
# Run the display l2tp session command on the LNS. You can see that two sessions are set up.
# PC1 and PC2 can ping PC3 successfully.
----End
Configuration Notes
• An L2TP group is created for each domain, and different L2TP groups have different tunnel names.
• An L2TP group uses tunnel authentication by default, and the passwords at both ends of the tunnel must be the same.
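An added offline consistency check for the two notes above (not part of this example or of Huawei's tooling): it parses the l2tp-group blocks of both devices and reports a LAC tunnel name that no LNS group accepts, duplicate LAC tunnel names, or a LAC group with no domain. The configuration excerpts are constructed from the example and keep only the lines the checker reads; tunnel passwords are stored as per-device cipher text and cannot be compared offline, so password equality is not checked.

```python
import re

# Constructed excerpts of the l2tp-group blocks above (only lines the checker reads).
LAC_CFG = """\
l2tp-group 1
 tunnel name lac1
 start l2tp ip 202.1.1.1 domain aaa.com
l2tp-group 2
 tunnel name lac2
 start l2tp ip 202.1.1.1 domain bbb.com
"""
LNS_CFG = """\
l2tp-group 1
 allow l2tp virtual-template 1 remote lac1
 tunnel name lns
l2tp-group 2
 allow l2tp virtual-template 2 remote lac2
 tunnel name lns
"""

def parse_l2tp_groups(cfg):
    # Returns {group_id: {"name", "domain", "remote"}}; a new header starts a block.
    groups, cur = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"l2tp-group (\d+)", line):
            cur = groups.setdefault(m.group(1), {})
        elif cur is None:
            continue                        # outside any l2tp-group block
        elif line.startswith("tunnel name "):
            cur["name"] = line.split()[-1]  # LAC: identifies this tunnel to the LNS
        elif m := re.match(r"start l2tp ip \S+ domain (\S+)", line):
            cur["domain"] = m.group(1)      # LAC: which user domain this group carries
        elif m := re.match(r"allow l2tp virtual-template \d+ remote (\S+)", line):
            cur["remote"] = m.group(1)      # LNS: LAC tunnel name it accepts
    return groups

def check_pairing(lac_cfg, lns_cfg):
    # Cross-checks the LAC against the LNS; an empty list means consistent.
    lac, lns = parse_l2tp_groups(lac_cfg), parse_l2tp_groups(lns_cfg)
    findings = []
    names = [g.get("name") for g in lac.values()]
    if len(set(names)) != len(names):       # one tunnel name per L2TP group
        findings.append("LAC: tunnel names must differ between L2TP groups")
    accepted = {g["remote"] for g in lns.values() if "remote" in g}
    for gid, g in lac.items():
        if "domain" not in g:
            findings.append(f"LAC group {gid}: no 'start l2tp ... domain' entry")
        if g.get("name") not in accepted:   # no LNS group would accept this tunnel
            findings.append(f"LAC group {gid}: tunnel name {g.get('name')} not accepted by any LNS group")
    return findings
```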