R3303-HP HSR6800 Routers Layer 2 - WAN Configuration Guide

15. The LNS assigns an internal IP address to the remote user. The user can now access the internal resources of the enterprise network.
L2TP features
• Flexible identity authentication mechanism and high security—L2TP by itself does not provide security for connections. However, it has all the security features of PPP and allows for PPP authentication (CHAP or PAP). L2TP can also cooperate with IPsec to guarantee data security, strengthening the resistance of tunneled data to attacks. Tunnel encryption, end-to-end data encryption, and end-to-end application-layer data encryption technologies can be used together with L2TP for higher data security as required.
• Multiprotocol transmission—L2TP tunnels PPP frames, which can be used to encapsulate packets of multiple network layer protocols.
• RADIUS authentication—An LAC and LNS can send the username and password of a remote user to a RADIUS server for authentication.
• Private address allocation—An LNS can reside behind the firewall of a corporate network and dynamically allocate private addresses to remote users, facilitating corporate private address management (RFC 1918) and improving security.
• Accounting flexibility—Accounting can be carried out simultaneously on the LAC and LNS, allowing bills to be generated on the ISP side and charging and auditing to be processed on the enterprise gateway. L2TP can provide accounting data, such as inbound and outbound traffic statistics (in packets and bytes) and the connection's start time and end time. These features enable flexible accounting.
• Reliability—L2TP supports LNS backup. When the connection to the primary LNS is torn down, an LAC can establish a new one to a secondary LNS. This redundancy enhances the reliability and fault tolerance of VPN services.
L2TP-based EAD
When EAD is used, a PPP user that has passed access authentication must also pass security authentication on the EAD server before accessing network resources. If the security authentication fails, the user can access only the resources in the quarantined area.
This function is implemented in the following procedure:
1. The iNode client (the user host) connects to the LNS device through L2TP. After the client passes PPP authentication, the IMC server issues the isolation ACL to the device, which will then filter packets from the client by using the firewall function.
2. After the IPCP negotiation, the IMC server notifies the iNode client of its IP address (this IP address is permitted by the isolation ACL) through the device.
3. The IMC server performs EAD authentication and security checks on the iNode client. After the client passes the security authentication, the IMC server issues a security ACL to the device to allow the client to access network resources.
When you configure L2TP-based EAD, follow these guidelines:
• Make sure that the ACLs to be assigned by the authentication server are configured appropriately on the LNS device. An empty ACL or incorrect ACL rules can cause EAD authentication failure.
• You can configure different ACLs for different hosts. The device filters packets of a host according to the configured ACL.
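The following model is an added example, not HP code or configuration from this guide. It shows how the three-step EAD procedure and the ACL guideline above fit together: after PPP authentication the LNS filters the client with the isolation ACL, and only after the IMC server reports a passed security check does the security ACL take effect. It also applies the guideline as a pre-check: an ACL that is missing, empty, or that blocks the EAD server itself cannot produce a successful EAD authentication. The ACL numbers, addresses, rule format and class names are constructed for the illustration and do not correspond to the device's CLI.

```python
"""Model of L2TP-based EAD quarantine enforcement on an LNS (added example).

All addresses, ACL numbers and the rule format below are constructed for
illustration; they are not the router's own configuration syntax.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str        # "permit" or "deny"
    dst: IPv4Network   # destination network the rule matches


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def decide(self, dst: IPv4Address) -> str:
        """First matching rule wins; a packet matching no rule is denied."""
        for rule in self.rules:
            if dst in rule.dst:
                return rule.action
        return "deny"


def validate_acl(acl: Optional[Acl], ead_server: IPv4Address) -> List[str]:
    """Pre-deployment checks mirroring the configuration guideline: the ACL
    the authentication server will assign must exist on the LNS, must not be
    empty, and must let the client reach the EAD server, or the security
    check in step 3 can never run."""
    problems: List[str] = []
    if acl is None:
        return ["assigned ACL is not configured on the LNS"]
    if not acl.rules:
        problems.append(f"ACL {acl.number} is empty")
    elif acl.decide(ead_server) != "permit":
        problems.append(f"ACL {acl.number} blocks the EAD server {ead_server}")
    return problems


class LnsSession:
    """Filtering state of one remote user's PPP session on the LNS."""

    def __init__(self, client_ip: IPv4Address, isolation_acl: Acl, security_acl: Acl):
        self.client_ip = client_ip
        self.isolation_acl = isolation_acl
        self.security_acl = security_acl
        # Step 1: PPP authentication passed, isolation ACL applied.
        self.state = "quarantined"
        self.active_acl = isolation_acl

    def ead_result(self, passed: bool) -> None:
        # Step 3: a passed security check swaps in the security ACL;
        # a failed check leaves the user in the quarantined area.
        if passed:
            self.state = "ead-passed"
            self.active_acl = self.security_acl

    def forward(self, dst: IPv4Address) -> bool:
        """True if a packet from the client to dst is forwarded."""
        return self.active_acl.decide(dst) == "permit"


# Constructed sample topology for the demo.
EAD_SERVER = ip_address("10.0.0.10")
QUARANTINE_AREA = ip_network("10.0.1.0/24")   # patch server, help pages
CORPORATE = ip_network("10.0.0.0/8")
FILE_SERVER = ip_address("10.0.5.20")

ISOLATION_ACL = Acl(3001, [Rule("permit", ip_network(f"{EAD_SERVER}/32")),
                           Rule("permit", QUARANTINE_AREA)])
SECURITY_ACL = Acl(3002, [Rule("permit", CORPORATE)])


def demo() -> dict:
    """Runs the procedure for one client and returns the filtering decisions."""
    session = LnsSession(ip_address("192.168.10.5"), ISOLATION_ACL, SECURITY_ACL)
    result = {
        "isolation_acl_problems": validate_acl(ISOLATION_ACL, EAD_SERVER),
        "file_server_while_quarantined": session.forward(FILE_SERVER),
        "ead_server_while_quarantined": session.forward(EAD_SERVER),
    }
    session.ead_result(passed=True)
    result["state_after_check"] = session.state
    result["file_server_after_check"] = session.forward(FILE_SERVER)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pre-check in `validate_acl` is the part worth keeping in mind when troubleshooting: if the isolation ACL does not permit the EAD server, the client never reaches step 3, and the symptom is an EAD authentication failure rather than an obvious filtering error.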