LNS Configuration

Note that:

■ With the L2TP multi-instance function enabled, a router can serve as LNS for multiple enterprises. The implementation of L2TP multi-instance enriches VPN network applications, especially in MPLS-VPN. In practice, private routes of enterprises need the support of VPN instances. For VPN instance configuration, refer to “MPLS Basics Configuration” on page 1311. In L2TP multi-instance applications, VPN instances must be configured on the LNS.
■ The start l2tp and allow l2tp commands are mutually exclusive.
■ An L2TP group represents a group of parameters and corresponds to one VPN user or one group of VPN users. This not only allows for flexible L2TP configuration on routers, but also facilitates one-to-one and one-to-many networking applications between LAC and LNS. An L2TP group has only local significance. However, you need to ensure that the relevant settings of the corresponding L2TP groups on the LAC and LNS match each other. For example, the local tunnel name configured on the LAC must match the remote tunnel name configured on the LNS.
■ You can specify whether tunnel authentication must be performed before a tunnel is set up. Either the LAC or the LNS can initiate a tunnel authentication request. Whenever tunnel authentication is enabled on one side, a tunnel can be set up successfully only if tunnel authentication is enabled on the other side and the two sides are configured with the same password that is not null. Enabling tunnel authentication is recommended for tunnel security. You can change the password for tunnel authentication, but the change takes effect only for tunnels established later.
■ To check the connectivity of a tunnel, the LAC and the LNS regularly send Hello packets to each other. Upon receipt of a Hello packet, the LAC or LNS returns a response packet. When the LAC or LNS fails to receive a Hello response packet from the peer in a specified period of time, it retransmits the Hello packet. If it receives no response packet from the peer after retransmitting the Hello packet three times, it considers that the L2TP tunnel is down and tries to re-establish a tunnel with the peer.
■ If neither LCP re-negotiation nor mandatory CHAP authentication is configured, an LNS performs proxy authentication of users. In this case, the LAC sends to the LNS all authentication information from users as well as the authentication mode configured on the LAC itself, and the LNS, by default, accepts the authentication results from the LAC.
■ A tunnel will be disconnected when there are no more users online, a network failure occurs, or a network administrator wants to tear it down. Either the LAC or the LNS can initiate a tunnel disconnection request. Once a tunnel is disconnected, the control connection and all the sessions within the tunnel will be removed. When a user dials in, a new tunnel will be established.

Configuring Mandatory CHAP Authentication

An LNS may be configured to authenticate a user that has passed authentication on the LAC. In this case, the user is authenticated twice, once on the LAC and

To do...                                  Use the command...                             Remarks
Return to user view                       quit                                           -
Disconnect the specified tunnel by force  reset l2tp tunnel { remote-name | tunnel-id }  Optional
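
How the tunnel authentication rule in the notes above plays out during tunnel setup, as an added example that is not part of the original manual: it follows the CHAP-style challenge/response of RFC 2661 (MD5 over the message type octet, the shared password and the peer's challenge). The `Endpoint` class, the `establish_tunnel` function and the sample passwords are hypothetical, and the model assumes both ends issue a challenge.

```python
import hashlib
import hmac
import os

SCCRP, SCCCN = 2, 3  # L2TP control message types that carry a Challenge Response (RFC 2661)

def challenge_response(msg_type, secret, challenge):
    """RFC 2661 tunnel authentication: MD5(message type octet + shared secret + challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()

class Endpoint:
    """Hypothetical model of one tunnel endpoint (LAC or LNS); not a router API."""
    def __init__(self, name, auth_enabled, password=b""):
        self.name, self.auth_enabled, self.password = name, auth_enabled, password

    def verify(self, msg_type, challenge, response):
        expected = challenge_response(msg_type, self.password, challenge)
        return hmac.compare_digest(expected, response)

def establish_tunnel(lac, lns):
    """Walk the SCCRQ/SCCRP/SCCCN exchange and report why setup succeeds or fails."""
    if not lac.auth_enabled and not lns.auth_enabled:
        return True, "tunnel up without authentication"
    if lac.auth_enabled != lns.auth_enabled:
        return False, "authentication enabled on one side only"
    if not lac.password or not lns.password:
        return False, "null tunnel password"
    # SCCRQ: LAC -> LNS carries the LAC's challenge.
    lac_challenge = os.urandom(16)
    # SCCRP: LNS -> LAC answers it and carries the LNS's own challenge.
    lns_reply = challenge_response(SCCRP, lns.password, lac_challenge)
    lns_challenge = os.urandom(16)
    if not lac.verify(SCCRP, lac_challenge, lns_reply):
        return False, "LAC rejected the LNS response (password mismatch)"
    # SCCCN: LAC -> LNS answers the LNS's challenge.
    lac_reply = challenge_response(SCCCN, lac.password, lns_challenge)
    if not lns.verify(SCCCN, lns_challenge, lac_reply):
        return False, "LNS rejected the LAC response (password mismatch)"
    return True, "tunnel up, both ends authenticated"

if __name__ == "__main__":
    # Constructed sample settings; names and passwords are made up for the demo.
    cases = [
        (Endpoint("lac", True, b"s3cret"), Endpoint("lns", True, b"s3cret")),
        (Endpoint("lac", True, b"s3cret"), Endpoint("lns", True, b"other")),
        (Endpoint("lac", True, b"s3cret"), Endpoint("lns", False)),
        (Endpoint("lac", True, b""), Endpoint("lns", True, b"")),
    ]
    for lac, lns in cases:
        print(lac.auth_enabled, lns.auth_enabled, establish_tunnel(lac, lns))
```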