Router
V800R010C10SPC500
Issue 01
Date 2018-12-05
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Contents
6.10.7 (Optional) Configuring the Function to Generate and Send Logs About User Logins, Logouts, and Online Results ... 97
6.10.8 Tracing Services of Users ... 98
6.10.9 Configuring User Testing ... 99
6.10.10 Changing the Getting Online Period in Loose Mode ... 100
6.10.11 Configuring Whether to Log Out Users When an Interface Goes Down ... 101
6.10.12 Configuring Automatic User Login ... 102
6.10.13 Enabling User Traffic Statistics Collection Based on Inner or Outer VLAN IDs on a Device ... 105
6.10.14 (Optional) Configuring the Alarm Function on an Interface with No Backup Protection Configured ... 106
6.10.15 Verifying the User Management Configuration ... 106
6.11 Maintaining AAA ... 109
6.11.1 Clearing AAA Statistics ... 109
6.11.2 (Optional) Mapping Refined Online Failure or Offline Sub-reasons to a General Sub-reason ... 110
6.12 Configuration Examples for AAA and User Management ... 110
6.12.1 Example for Performing Authentication and Accounting for Users by Using RADIUS ... 110
6.12.2 Example for Configuring Dynamic ACL Delivery Through the RADIUS Server ... 114
6.12.3 Example for Configuring RADIUS for User Authentication and Accounting (Through Flexible Interoperation of RADIUS Attributes) ... 118
9.9.17 Example for Configuring Layer 2 IPoE Access (Web+MAC Authentication) ... 376
9.9.18 Example for Configuring WLAN User Access Based on RADIUS Proxy Authentication ... 383
9.9.19 Example for Configuring Dumb Terminal Access Based on a VLAN ID ... 389
9.9.20 Example for Configuring Dumb Terminal Access Based on a MAC Address ... 392
13.7.4 (Optional) Setting the Interval for Backing Up Traffic or the Traffic Threshold ... 641
13.7.5 Configuring User Information Backup in Shared IP Address Pool Mode ... 641
13.7.6 Configuring User Information Backup in Exclusive Address Pool Mode ... 643
13.7.7 (Optional) Configuring IP Addresses for Web Authentication and RADIUS Authorization Servers ... 645
13.7.8 Binding the RBP to a User Access Interface ... 647
13.7.9 (Optional) Configuring an Upper Threshold for the User Access Rate on the Backup Device ... 647
13.7.10 (Optional) Binding a Static Route Tag to the RBS ... 648
13.7.11 (Optional) Configuring a Session ID Range for PPPoE Users ... 649
13.7.12 Checking the Configurations ... 649
13.8 Configuring Multicast Two-node Hot Backup ... 652
13.8.1 Enabling a Multicast RBS ... 652
13.8.2 (Optional) Configuring IGMP Packet Duplication ... 652
13.8.3 Checking the Configuration Result ... 653
13.9 Configuring L2TP Two-node Hot Backup ... 654
13.9.1 Establishing a Multi-Device Backup Platform ... 654
13.9.2 Setting a Base Value for L2TP Tunnel IDs ... 659
13.9.3 Configuring an L2TP Tunnel ... 659
13.9.4 Enabling an L2TP RBS ... 660
13.9.5 Controlling Advertisement of L2TP Hot Backup Routes ... 660
13.9.6 (Optional) Setting the Maximum Number of Users Allowed on an L2TP LAC ... 662
13.9.7 (Optional) Disabling the L2TP Traffic Protection Mechanism ... 662
13.9.8 Checking the Configurations ... 663
13.10 Maintaining Multi-System Backup ... 665
13.10.1 Displaying Backup Information ... 665
13.10.2 Clearing Backup Information ... 665
13.11 Configuration Examples ... 666
13.11.1 Example for Configuring RUI in Exclusive Address Pool Mode ... 666
13.11.2 Example for Configuring RUI in Shared Address Pool Mode ... 675
13.11.3 Example for Configuring User Information Backup with Automatic Route Advertisement ... 685
13.11.4 Example for Configuring Multicast Dual-Device Hot Backup ... 693
13.11.5 Example for Configuring IPv6 Dual-Device Hot Backup ... 703
13.11.6 Example for Configuring L2TP Two-Node Hot Backup ... 709
13.11.7 Example for Configuring RUI+EDSG in Exclusive Address Pool Mode ... 718
13.11.8 Example for Configuring RUI+EDSG in Shared Address Pool Mode ... 735
13.11.9 Example for Configuring Dual-device Hot Backup for Layer 3 Static IPv4 Users ... 753
Purpose
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the User Access feature supported by the
NE40E.
Related Version
The following table lists the product version related to this document.
U2000 V200R018C50
Intended Audience
This document is intended for:
Security Declaration
- Encryption algorithm declaration
  The encryption algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital signature scenarios) have low security and may bring security risks. If protocols allow, using more secure encryption algorithms, such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2, is recommended.
- Password configuration declaration
  - Do not set both the start and end characters of a password to "%^%#". This causes the password to be displayed directly in the configuration file.
  - To further improve device security, periodically change the password.
- Personal data declaration
  Your purchased products, services, or features may use some of users' personal data during service operation or fault locating. You must define user privacy policies in compliance with local laws and take proper measures to fully protect personal data.
- Feature declaration
  - The NetStream feature may be used to analyze the communication information of terminal customers for network traffic statistics and management purposes. Before enabling the NetStream feature, ensure that it is performed within the boundaries permitted by applicable laws and regulations. Effective measures must be taken to ensure that information is securely protected.
  - The mirroring feature may be used to analyze the communication information of terminal customers for a maintenance purpose. Before enabling the mirroring function, ensure that it is performed within the boundaries permitted by applicable laws and regulations. Effective measures must be taken to ensure that information is securely protected.
  - The packet header obtaining feature may be used to collect or store some communication information about specific customers for transmission fault and error detection purposes. Huawei cannot offer services to collect or store this information unilaterally. Before enabling the function, ensure that it is performed within the boundaries permitted by applicable laws and regulations. Effective measures must be taken to ensure that information is securely protected.
- Reliability design declaration
  Network planning and site design must comply with reliability design principles and provide device- and solution-level protection. Device-level protection includes planning principles of dual-network and inter-board dual-link to avoid a single point or single link of failure. Solution-level protection refers to a fast convergence mechanism, such as FRR and VRRP.
Special Declaration
- This document serves only as a guide. The content is written based on device information gathered under lab conditions. The content provided by this document is intended to be taken as general guidance, and does not cover all scenarios. The content provided by this document may be different from the information on user device interfaces due to factors such as version upgrades and differences in device models, board restrictions, and configuration files. The actual user device information takes precedence over the content provided by this document. The preceding differences are beyond the scope of this document.
- The maximum values provided in this document are obtained in specific lab environments (for example, only a certain type of board or protocol is configured on a tested device). The actually obtained maximum values may be different from the maximum values provided in this document due to factors such as differences in hardware configurations and carried services.
- Interface numbers used in this document are examples. Use the existing interface numbers on devices for configuration.
- The pictures of hardware in this document are for reference only.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue
contains all updates made in previous issues.
l Changes in Issue 01 (2018-12-05)
This issue is the first official release. The software version of this issue is
V800R010C10SPC500.
Licensing Requirements
This feature is a basic feature and is not under license control.
This chapter describes how to configure authentication, authorization, and accounting (AAA)
to implement local or remote authentication, authorization, and accounting. This feature is not
supported on the M2E.
Context
NOTE
Restriction: When IPoE user names are generated based on the format configured using the vlanpvc-to-username command, the system name in a user name can contain a maximum of 17 bytes. Excessive bytes will be truncated. If parameters specified in the default-user-name command cannot be obtained from user sessions, the generated user names do not contain the parameters. For example, if no IP address is assigned to a DHCP user before the user goes online, the IP address cannot be used to generate the user name.
Guideline: Properly configure the mode for generating user names for IPoE users and properly set the system name of a device. If a user name needs to contain the system name, control the length of the system name to be no more than 17 characters.
Impact: Communication between IPoE users and the RADIUS server is affected.

Restriction: The response delay policy for access users on a BAS interface is not supported on the board where inter-board trunk interfaces reside.
Guideline: Do not deploy a response delay policy for access users and inter-board trunk interfaces on the same board.
Impact: The load balancing function for access users is affected.
Context
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius enable
The RADIUS protocol is enabled.
----End
Context
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run authentication-scheme scheme-name
An authentication scheme is created.
The authentication schemes named default, default0, and default1 are set by default on the
NE40E. They can be modified but cannot be deleted.
The function of redirecting a user to a specified domain when the user's quota is equal to zero
is enabled.
Step 7 (Optional) Run authening authen-redirect online authen-domain domain-name
The redirection domain is configured.
After you configure the redirection domain, the users that pass the authentication and the
users that actually fail the authentication go online from different domains.
By configuring a private IP address pool, UCL-based access control, and security domain in
the redirection domain, you can differentiate the functions of address allocation (private
addresses and public addresses), access control, and NAT for different user domains. In this
manner, users in different domains are separated by differentiated configurations. This
solution effectively saves Internet IP addresses and prevents unauthorized users from
occupying many Internet IP addresses.
Step 8 (Optional) In the AAA domain view, run mac-authentication enable
The MAC address authentication is enabled.
NOTE
MAC address authentication is used to simplify Web authentication. If MAC address authentication is
enabled, the user for Web authentication only needs to input the user name and password at the first time
and the RADIUS server records the user's MAC address. When the user attempts to pass the Web
authentication again, the RADIUS server performs the authentication based on the users' MAC address
and the user does not need to input the user name and password again.
In the existing network, this command is used together with the authening authen-fail online
authen-domain domain-name command. If the MAC authentication fails, the user can perform the
Web authentication by entering the user name and password in the redirection domain, and then
enter the authentication domain and access the network resources.
----End
Context
If you cannot change the user group to which an online user belongs because the dynamic
authorization server is Down, run commands to change the user group and reauthorize the
user.
NOTE
In network planning, ACLs are used to control user access authority, and ACL rules are configured
based on user groups. Therefore, to change a user's access authority, you can change its user group. For
example, ACL rules are configured to allow user group 1 to access only the internal network and user
group 2 to access both internal and external networks. When user A in user group 1 goes online, user A
can access the internal network only. To allow user A to access both internal and external networks,
reauthorize user A by changing its user group to user group 2.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run reauthorize enable
----End
Context
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run user-qos cir-zero { cir-value | unlimited }
The CIR to be applied to user traffic when the CIR and PIR delivered by the RADIUS server are
both 0 is set.
NOTE
This command takes effect only when the upstream and downstream CIR and PIR delivered by the
RADIUS server are both 0.
----End
Context
After being authenticated and authorized, users successfully go online, and accounting starts
with the access of services. Accounting is performed based on online time, user traffic, or
both. The accounting process is as follows: The NE40E collects statistics on the online time
and the upstream and downstream traffic, and then sends the statistics to the RADIUS server
in the format specified by the RADIUS protocol. At last, the server returns a message to the
NE40E indicating whether accounting succeeds.
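The accounting exchange described above, as an added example that is not part of this guide or of the NE40E implementation: the device-side code encodes the online time and upstream/downstream traffic into a RADIUS Accounting-Request as RFC 2866 specifies, and checks the Accounting-Response the server returns. The shared secret, NAS address, user name, session ID and counters are constructed sample values, and the function names are this example's own.

```python
# Added example, not Huawei's code or the NE40E implementation: it encodes the
# RADIUS Accounting-Request (RFC 2866) carrying the online-time and traffic
# statistics described above, and checks the Accounting-Response the server
# returns.  The shared secret, NAS address, user name, session ID and counters
# are constructed sample values.
import hashlib
import hmac
import struct
from typing import Dict, List

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Attribute types (RFC 2865/2866)
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_STATUS_TYPE = 40        # 1 = Start, 2 = Stop, 3 = Interim-Update
ACCT_INPUT_OCTETS = 42       # upstream traffic
ACCT_OUTPUT_OCTETS = 43      # downstream traffic
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46       # online time in seconds
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3


def _attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the 2 header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _int_attr(atype: int, value: int) -> bytes:
    return _attr(atype, struct.pack("!I", value))


def build_accounting_request(identifier: int, secret: bytes, user: str,
                             session_id: str, status: int, session_time: int,
                             in_octets: int, out_octets: int,
                             nas_ip: str = "192.0.2.1") -> bytes:
    """Accounting-Request. Its Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _int_attr(ACCT_STATUS_TYPE, status)
             + _attr(ACCT_SESSION_ID, session_id.encode())
             + _int_attr(ACCT_SESSION_TIME, session_time)
             + _int_attr(ACCT_INPUT_OCTETS, in_octets)
             + _int_attr(ACCT_OUTPUT_OCTETS, out_octets))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the attribute list that follows the 20-octet header."""
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Server side: an empty Accounting-Response.  Its authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: accept only a response whose identifier matches the
    request and whose authenticator was computed with the shared secret."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE:
        return False
    if response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The authenticators are plain MD5 digests over the shared secret, which is why the security declaration earlier in this document lists MD5 among the low-security algorithms; the response check still matters, because without it a device would accept any packet with the right identifier as confirmation that accounting succeeded.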
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run realtime-accounting backup enable
Real-time accounting backup is enabled between the master and slave MPUs.
Run this command if the RADIUS server requires that the interval at which real-time
accounting packets are sent be strictly followed. After the realtime-accounting backup
enable command is run, the master and slave MPUs start real-time accounting at the same
time. Even if a master/slave MPU switchover occurs during the real-time accounting interval,
the device still sends real-time accounting packets at the configured interval.
Step 4 Run accounting-scheme scheme-name
An accounting scheme is created.
The accounting schemes named default0 and default1 are set by default on the NE40E.
They can be modified but cannot be deleted.
Step 5 Run accounting-mode { hwtacacs | none | radius }
An accounting mode is set.
The NE40E supports RADIUS accounting, HWTACACS accounting, and non-accounting.
NOTE
Step 6 (Optional) Run accounting interim interval interval [ second ] [ traffic ] [ hash ]
The interval for real-time accounting and conditions for sending real-time accounting packets
are configured and real-time accounting packets are hashed for the accounting scheme.
Real-time accounting indicates that the NE40E periodically generates accounting packets and
sends them to the remote accounting server while a user is online. Real-time accounting
minimizes loss of accounting information when the communication between the NE40E and
the remote server is interrupted.
If the NE40E does not receive any response after sending an accounting start packet to the
remote accounting server, the NE40E adopts the policy for the accounting start failure. This
policy may keep the user online or log the user out.
If the NE40E does not receive any response after re-sending the real-time accounting packets
to the remote accounting server for certain times, the NE40E adopts the policy for the real-
time accounting failure. This policy may keep the user online or log the user out.
When the RADIUS or HWTACACS server is used for accounting, it is recommended that
you set the time for retransmitting real-time accounting packets to be longer than the time for
retransmitting failed RADIUS or HWTACACS packets.
The NE40E is configured to send real-time accounting packets immediately after receiving
the accounting start response.
After receiving the accounting response, the NE40E determines whether to send the real-time
accounting packet immediately according to the configuration.
Step 10 (Optional) Enable a device to send an accounting-start packet about a dual-stack user after a
specified delay
1. Run aaa
----End
Context
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
NOTE
User authentication, authorization, and accounting must be performed in the domain view.
By default, the default1 authentication scheme is used for user-defined domains and the default1
domain; the default authentication scheme is used for the default_admin domain; and the
default0 authentication scheme is used for the default0 domain. You can run the display
authentication-scheme command to view detailed information about the default
authentication schemes.
By default, the default1 accounting scheme is used for user-defined domains and the default1
domain; the default0 accounting scheme is used for the default0 domain and default_admin
domain.
When separate is configured, traffic of IPv4 and IPv6 users is sent to the server separately;
when identical is configured, traffic of IPv4 and IPv6 users is sent to the server together.
By default, accounting is performed separately for IPv4 users and IPv6 users.
----End
Prerequisites
AAA schemes have been configured.
Procedure
- Run the display aaa configuration command to check brief information about AAA.
- Run the display accounting-scheme [ accounting-scheme-name ] command to check the configuration of the accounting scheme.
- Run the display authentication-scheme [ authentication-scheme-name ] command to check the configuration of the authentication scheme.
- Run the display authorization-scheme [ authorization-scheme-name ] command to check the configuration of the authorization scheme.
- Run the display recording-scheme [ recording-scheme-name ] command to check the configuration of the recording scheme.
----End
Context
To configure Remote Authentication Dial-In User Service (RADIUS) authentication and
accounting servers, configure the following parameters:
- IP addresses of the authentication and accounting servers
- VPN instance to which the authentication and accounting servers belong
- Port numbers of the authentication and accounting servers (1812 and 1813 by default)
- Weights of the authentication and accounting servers (applicable only to the load balancing mode; the default value is 0)
NOTE
The RADIUS authentication and accounting servers can use the same IP address. This means that a
server can function as both an authentication server and an accounting server.
Procedure
Step 1 Run system-view
RADIUS real-time accounting packet caching is enabled, and the number of retransmissions
is specified for real-time accounting packets entering a cache queue.
NOTE
If the value specified by max-packet-number is not 8192, the system limits the number of accounting
packets specified by max-packet-number and does not limit the number of users.
Step 12 (Optional) Run radius-server accounting cache retransmit retransmit timeout timeout
An interval at which cached RADIUS accounting packets are retransmitted and the number of
users for each packet retransmission are configured.
A memory usage threshold is configured for the master main control board.
The accounting packet cache alarm function is enabled, and an alarm threshold and a clear
alarm threshold are configured. If the accounting packet cache usage reaches the configured
alarm threshold, an alarm is reported.
The device is disabled from deleting cached accounting packets after the number of
retransmissions reaches the specified upper limit.
----End
Context
In some cases, user authentication and accounting may be performed on different devices. For
example, the AC is responsible for user authentication, whereas the BRAS is responsible for
user accounting. To prevent two devices from sending authentication packets to the RADIUS
server at the same time, configure the BRAS that performs user accounting as a RADIUS
proxy. The RADIUS proxy then records authentication information of users when forwarding
RADIUS authentication packets. The BRAS with RADIUS proxy authentication configured
transparently transmits RADIUS packets from a specified RADIUS client to the RADIUS
server, records authorization information delivered by the RADIUS server, and transparently
transmits authentication response packets. If the authentication mode configured in the user
domain of the BRAS is radius-proxy, the BRAS can use the recorded authorization
information to authorize users.
NOTE
Currently, RADIUS proxy authentication takes effect for only IPoE users.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-client ip-address [ mask { mask-ip | mask-length } ] [ vpn-instance instance-name ] { { shared-key key | shared-key-cipher key-string-cipher } | server-group groupname | roam-domain domain-name | domain-authorization | trigger-web { authentication | accounting | none } } *
A RADIUS client is configured, including the IP address, VPN instance, shared key, and
RADIUS server group.
Step 3 (Optional) Run radius-client check-attribute-length loose [ correct-forwarding ]
Loose check or correction of attribute lengths in authentication or accounting request packets
is configured.
Step 4 (Optional) Run radius-client packet dscp dscp-value
A DSCP value is set for RADIUS packets sent from the BRAS to the AP/AC.
Step 5 Run commit
The configuration is committed.
----End
Context
The algorithm for selecting a RADIUS server functions as follows:
• If the radius-server algorithm master-backup command is run or the default master/backup mode is used, the RADIUS authentication server or accounting server configured first is the master server, and the others are backup servers. A backup server is selected only after the master server goes Down.
  – When packets are sent for the first time:
    If the master server is Up, it is selected. If no server is in the Up state, the first configured server is selected.
  – When packets are retransmitted due to a timeout:
    ▪ If a server has already been selected and the number of retransmissions has not reached the limit, packets are still retransmitted to this server.
    ▪ If the number of retransmissions has reached the limit and the master server times out, packets are retransmitted to the server that most recently received packets. If no such server is available or packets have already been sent to this server, the polling mechanism is used to select another backup server in the Up state. If no backup server is in the Up state, the next configured backup server is selected.
    ▪ If the number of retransmissions has reached the limit and the backup server times out, the polling mechanism is used to select another backup server in the Up state. If no backup server is in the Up state, the next configured backup server is selected.
• If the radius-server algorithm loading-share command has been configured to set the load balancing mode, traffic is load-balanced based on the weights of the servers.
  – If the sum of the weights of the RADIUS servers is 0, each RADIUS server is considered to have the same weight, and a server in the Up state is selected at random.
    For example, if a RADIUS server group has six servers of which four are Up, one of the four Up servers is selected at random, each with the same chance of being selected. If no server is Up, one of the six servers is selected at random, each with the same chance of being selected.
  – If the sum of the weights of the RADIUS servers is greater than 0, a server is selected at random from the RADIUS servers that are in the Up state and have not been used, in proportion to their weights. If no RADIUS server is in the Up state, a server is selected at random from all servers in proportion to their weights.
    For example, a RADIUS server group has four servers with weights of 10, 20, 30, and 40, respectively. If the four servers are all Up or all Down, they are selected with probabilities of 10%, 20%, 30%, and 40%. If the first server is Down but the other three servers are Up, a server is selected from the three Up servers with probabilities of 20/(20+30+40), 30/(20+30+40), and 40/(20+30+40).
NOTE
Each time a RADIUS server is selected, the selection result is independent of previous selection results. For example, two servers each have a selection probability of 50%. If 100 consecutive users select the first server, the 101st user still has a 50% probability of selecting the first server. This is similar to flipping a coin: the probability of getting a head or a tail is 50% each. If you flip a coin only a few times, the observed proportion of each is not necessarily 50%; if you flip it many times, the proportion of heads and tails approaches 50% each.
• By default, the RADIUS accounting server is selected based on the authentication server selection result: after a user selects a RADIUS server for authentication, the same RADIUS server is used for accounting. If the radius-server algorithm master-backup [ strict ] command is run, the accounting server is selected based on the configured algorithm; the master accounting server is preferentially selected, independently of the authentication server.
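The selection rules above, implemented as an added example (not Huawei's code) so that the resulting probabilities can be checked against the worked numbers in the text. The server names, the (name, weight, is_up) tuple layout, and the uniform fallback when only zero-weight servers are Up are assumptions; the "not yet used" exclusion applied during retransmission is not modelled.

```python
import random
from collections import Counter

# Constructed sample group: each server is (name, weight, is_up). List order is the
# configuration order, so the first entry is the master server in master/backup mode.
SERVERS = [("srv1", 10, False), ("srv2", 20, True), ("srv3", 30, True), ("srv4", 40, True)]


def master_backup_first_send(servers):
    """Server chosen for the first transmission in master/backup mode.

    The master (first configured) server is selected if it is Up; a backup is
    considered only after the master is Down, in configuration order; if no
    server is Up at all, the first configured server is selected.
    """
    master = servers[0]
    if master[2]:
        return master[0]
    for name, _, up in servers[1:]:  # backups in configuration order
        if up:
            return name
    return master[0]


def loading_share_probabilities(servers):
    """Selection probability of each candidate server in loading-share mode.

    Candidates are the Up servers, or all servers when none is Up. With a total
    weight of 0 every candidate has the same chance; otherwise chances are
    proportional to weight among the candidates.
    """
    candidates = [s for s in servers if s[2]] or list(servers)
    total_weight = sum(w for _, w, _ in servers)
    cand_weight = sum(w for _, w, _ in candidates)
    if total_weight == 0 or cand_weight == 0:
        # cand_weight == 0 with total_weight > 0 (only zero-weight servers Up) is not
        # covered by the guide; treating it as equal weights is an assumption.
        return {name: 1.0 / len(candidates) for name, _, _ in candidates}
    return {name: w / cand_weight for name, w, _ in candidates}


def loading_share_select(servers, rng=random):
    """One independent selection drawn from the probabilities above."""
    probs = loading_share_probabilities(servers)
    names = list(probs)
    return rng.choices(names, weights=[probs[n] for n in names], k=1)[0]


def observed_shares(servers, draws, seed=0):
    """Fraction of `draws` independent selections that landed on each server.

    Illustrates the NOTE in the text: every draw is independent, so the observed
    shares only approach the configured probabilities as `draws` grows.
    """
    rng = random.Random(seed)
    counts = Counter(loading_share_select(servers, rng) for _ in range(draws))
    return {name: counts[name] / draws for name in counts}


if __name__ == "__main__":
    print(master_backup_first_send(SERVERS))      # srv2: master srv1 is Down
    print(loading_share_probabilities(SERVERS))   # srv2/srv3/srv4 at 20/90, 30/90, 40/90
    print(observed_shares(SERVERS, 10))           # a few draws: far from 22%/33%/44%
    print(observed_shares(SERVERS, 100000))       # many draws: close to them
```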
Procedure
Step 1 Run system-view
If strict is configured, the accounting server is selected based on the configured algorithm.
The master accounting server is preferentially selected, irrelevant to the authentication server.
----End
Context
Perform the following steps on the Router.
Procedure
Step 1 Run system-view
Step 4 Run protocol protocol-type { packet packet-type [ direction { ingress | egress } ] } python-script script-name
The system is enabled to call a specified Python script to process packets of a specified protocol, type, and direction (inbound or outbound).
If the Python script fails to modify information in a packet, the original packet is used.
----End
Context
The negotiated parameters specify the conventions of the RADIUS protocol and message
format used for communication between the RADIUS server and the NE40E. The negotiated
parameters are as follows:
Pending packets are packets that have been sent but have not yet been answered. The RADIUS server can concurrently process only a certain number of pending packets. Therefore, the number of pending packets must be restricted.
Procedure
Step 1 Run system-view
The mode for collecting statistics about RADIUS authentication request and response packets
is configured.
You can configure a key on the NE40E for each RADIUS server.
The format of the user name contained in the RADIUS packets is configured.
The Router replaces the user name with the user name delivered by the RADIUS server.
This command is invalid for the RADIUS servers that do not measure traffic by bytes and the
RADIUS servers that use the standard RADIUS protocol.
If you want to configure the number of transmission times and the retransmission timeout period for either all RADIUS authentication servers or all RADIUS accounting servers, run the radius-server { authentication | accounting } retransmit retry-times timeout timeout-value command.
The ID format of the circuit through which RADIUS packets are transmitted to the upstream
device is set.
The maximum number of pending packets that can be sent to the RADIUS server is set.
The NE40E is configured to send Accounting Start packets to the RADIUS server after NCP
goes Up for PPPv6 users that use DHCPv6 to obtain IPv6 addresses.
----End
Context
This function is configured for a RADIUS server group and takes effect on only the RADIUS
servers in this group. You can disable up to 64 attributes in a RADIUS server group.
You can disable the RADIUS attributes of both the sender and receiver on the NE40E.
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server group group-name
The RADIUS server group view is displayed.
Step 3 Run radius-server attribute translate
RADIUS attribute translation is enabled.
Step 4 Run any of the following commands to disable basic or extended RADIUS attributes:
1. Run the radius-attribute disable attribute-name { receive | send } * command to disable basic RADIUS attributes for request or response packets.
2. Run the radius-attribute disable attribute-name { access-accept | access-request | account [ start ] } * command to disable basic RADIUS attributes for Access-Accept, Access-Request, or accounting packets.
3. Run the radius-attribute disable extend attribute-description { access-accept | { access-request | account } * } command to disable extended RADIUS attributes for Access-Accept, Access-Request, or accounting packets.
4. Run the radius-attribute disable extend { attribute-description | vendor-specific src-vendor-id src-sub-attr-id } access-accept command to disable extended or user-defined RADIUS attributes for packets.
5. Run the radius-attribute disable attribute-name { ip ip-address | string string | bin string | integer integer } receive command to disable RADIUS attributes with specified data types carried in response packets.
6. Run the radius-attribute disable { hw-acct-update-address | flow-attributes } integer integer account command to disable RADIUS attributes with specified integer values carried in accounting packets. Currently, the integer parameter can be set to 0 only.
If you specify the flow-attributes parameter in the radius-attribute disable command, all of the following flow attributes are disabled: Acct-Input-Octets, Acct-Output-Octets, Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Gigawords, Acct-Output-Gigawords, HW-Acct-IPV6-Input-Octets, HW-Acct-IPV6-Output-Octets, HW-Acct-IPV6-Input-Packets, HW-Acct-IPV6-Output-Packets, HW-Acct-IPV6-Input-Gigawords, and HW-Acct-IPV6-Output-Gigawords.
----End
Context
RADIUS servers from various vendors support different RADIUS attributes, and the vendors
also define RADIUS attributes in different manners. This makes interconnection between the
NE40E and RADIUS servers more difficult.
To address this problem, the NE40E provides the attribute translation function. After the
attribute translation function is configured, the NE40E can encapsulate or parse src-attribute
by using the format of dest-attribute when transmitting or receiving RADIUS packets. By
doing this, the NE40E can communicate with different types of RADIUS servers.
This function is applied when one attribute has multiple formats. For example, the nas-port-id attribute has a new format and an old format. The NE40E uses the new format. If the RADIUS server uses the old format, you can run the radius-attribute translate nas-port-id nas-port-identify-old receive send command on the NE40E. Perform the following steps on the Router:
Procedure
Step 1 Run system-view
Step 4 Perform any of the following operations to configure RADIUS attribute translation:
1. Run the radius-attribute translate src-attr-description dest-attr-description { { receive | send } * } command to configure RADIUS attribute translation for request or response packets.
2. Run the radius-attribute translate src-attr-description dest-attr-description { access-accept | { access-request | account } * } command to configure RADIUS attribute translation for Access-Accept, Access-Request, or accounting packets.
3. Run the radius-attribute translate extend src-attr-description dest-attr-description { access-accept | { access-request | account } * } command to configure extended RADIUS attribute translation for Access-Request or accounting packets.
4. Run the radius-attribute translate extend src-attr-description vendor-specific src-vendor-id src-sub-attr-id { access-request | account } * command to configure vendor-specific extended RADIUS attribute translation for Access-Request or accounting packets.
----End
Context
The RADIUS protocol specifies that the RADIUS server must deliver the tunnel password in
cipher text. Most RADIUS servers, however, do not conform to this specification. Therefore,
the NE40E supports configuration of the tunnel password delivery mode so that the NE40E
can communicate with various types of RADIUS servers.
Procedure
Step 1 Run system-view
The mode in which the RADIUS server delivers the tunnel password is configured.
----End
Context
As specified in the standard RADIUS protocol, the Class attribute carried in an Access-Accept packet sent from the RADIUS server to the client must be returned unchanged to the accounting server in an accounting request packet.
The NE40E extends the standard RADIUS protocol by adding the CAR value to the Class attribute (RADIUS attribute 25).
Procedure
Step 1 Run system-view
NOTE
To meet the requirements of various RADIUS servers, the NE40E can use the RADIUS attribute 25 or
RADIUS attribute 26 to send the CAR value to the RADIUS server. The preceding commands configure
how to use the RADIUS attribute 25 to send the CAR value to the RADIUS server.
----End
Context
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The format of the NAS-Port attribute and the format of the NAS-Port-Id attribute are configured.
• If vendor-id is set to 2352, the NE40E uses the default format of Redback to encapsulate the NAS-Port-Id attribute.
  The encapsulation format is slot/port[vpi-vci vpi vci | vlan-id [ivlan:]evlan] [pppoe sess-id | clips sess-id].
  Format example: 2/5 vlan-id 4 pppoe 8.
  NOTE
  If a logical interface is configured on the user access interface, packets are encapsulated on the logical interface. Otherwise, packets are encapsulated on the user access interface. pppoe sess-id indicates the session ID of a PPPoE user. clips sess-id indicates the CID of DHCP users on the device. For untagged Ethernet user VLANs, the VLAN ID is 0. For QinQ interfaces, evlan and ivlan indicate the outer VLAN ID and the inner VLAN ID.
• If vendor-id is set to 2636, the NE40E uses the default format of Juniper to encapsulate the NAS-Port-Id attribute.
  The encapsulation format is {fastEthernet|gigabitEthernet} slot/port.subinterface[:vpi.vci|:ivlan].
  Format example: gigabitEthernet 2/5.4:4.
  If vendor-id is set to 2636 and version1 is specified, the NE40E uses the version 1 format of Juniper to encapsulate the NAS-Port-Id attribute.
  The encapsulation format is {FastEthernet|GigabitEthernet} slot/card/port.subinterface[:vpi.vci|:ivlan].
  Format example: GigabitEthernet 2/0/5.4:4.
  NOTE
  If the logical interface configured on the user access interface is a non-Trunk interface, packets are encapsulated on the logical interface. If the logical interface is a Trunk interface, packets are encapsulated on the user access interface. If the user access interface is also a Trunk interface, packets are encapsulated on the first member interface of the Trunk interface.
• If vendor-id is set to 9, the NE40E uses the default format of Cisco to encapsulate the NAS-Port-Id attribute.
  The encapsulation format is {ethernet|trunk|PW} slot/subslot/port.
  Format example: ethernet 2/0/5.
  NOTE
  If a logical interface is configured on the user access interface, packets are encapsulated on the logical interface. Otherwise, packets are encapsulated on the user access interface. For Trunk and PW interfaces, the subslot number is 0.
• If the redback-simple format is specified to encapsulate the NAS-Port-Id attribute, the encapsulation format is slot/port[vpivci vpi vci | vlanid [ivlan:]evlan] [pppoe sess-id | clips sess-id].
  Format example: 2/5 vlan-id 4 pppoe 8.
  NOTE
  Different from the Redback format, the redback-simple format does not contain any hyphen (-) in the vpivci or vlanid keywords.
• If the redback-addition format is specified to encapsulate the NAS-Port-Id attribute, the encapsulation format is atm slot/combined number, where the combined number is calculated from the subslot number and the port number.
  Format example: atm 3/12:20.32.
  NOTE
  This example is for a user who logs in on Atm3/3/0. This format applies only to users who log in on ATM interfaces, in the scenario where the device does not trust Option 82 and vlanpvc-to-username is set to version10 or version20. The combined number of the subslot number and the port number is calculated using the formula ((subslot number & 0x03) << 2) | (port number & 0x03).
The default NAS-Port-Id attribute format is determined by the vbas and client-option82 commands.
• When the vbas or client-option82 command is disabled (the default status) on a BAS interface, the following situations may occur:
  – If vlanpvc-to-username is set to version20 (the default parameter), the format of NAS-Port-Id is slot=xx;subslot=xx;port=xx;{VPI=xx;VCI=xx;|vlanid=xx;|vlanid=xx;vlanid2=xx;}
    Format example: slot=2;subslot=0;port=5;vlanid=4.
    The slot number, subslot number, port number, VPI number, VCI number, outer VLAN ID, and inner VLAN ID are filled with the actual values.
  – If vlanpvc-to-username is set to version10, the format of NAS-Port-Id is slot=xx;subslot=xx;port=xx;{VPI=xx;VCI=xx;|vlanid=xx;}
    Format example: slot=2;subslot=0;port=5;vlanid=4.
    The slot number, subslot number, port number, VPI number, VCI number, outer VLAN ID, and inner VLAN ID are filled with the actual values. For access users on QinQ interfaces, the inner VLAN ID is filled.
  – If vlanpvc-to-username is set to turkey, the format of NAS-Port-Id is slot number/port number vlan-id inner VLAN ID:outer VLAN ID.
    Format example: 2/5 vlan-id 4096:4.
    For untagged user VLANs, the IDs of the inner and outer VLANs are both 4096. If the user VLAN carries only one tag, the inner VLAN ID is 4096.
  – If vlanpvc-to-username is set to standard, the format of NAS-Port-Id is {eth|trunk|PW} slot number/subslot number/port number:{vpi.vci|outer VLAN ID.inner VLAN ID} 0/0/0/0/0/0.
    Format example: eth 2/0/5:4096.4 0/0/0/0/0/0.
    NOTE
    The slot number, subslot number, port number, VPI number, VCI number, outer VLAN ID, and inner VLAN ID are filled with the actual values. For Trunk interfaces, the subslot number is 0. For untagged user VLANs, the IDs of the inner and outer VLANs are both 4096. If the user VLAN carries only one tag, the inner VLAN ID is 4096. In the AAA view, you can specify pevlan or cevlan in the vlanpvc-to-username standard trust { pevlan | cevlan } command. By default, both parameters are specified in the command. If only pevlan is specified, the inner VLAN ID is set to 4096. If only cevlan is specified, the outer VLAN ID is set to 4096.
• When the vbas or client-option82 command is configured on the BAS interface:
  – If vlanpvc-to-username is set to version20 (the default parameter) or version10 and the client-option82 basinfo-insert cn-telecom command is not run:
    ▪ User packets carry Option 82 information.
      If VBAS is configured on the BAS interface, the Option 82 information carried in user packets is returned.
      Format example: mse-108 eth 0/2/0/5:4.
      If the option82-relay-mode command is not configured on the BAS interface, the first TLV value of the user Option 82 information, with two offset bytes, is returned. For example, if the user Option 82 information is abc, c is returned.
      The host name configured using the nas logic-sysname command in the BAS interface view is preferentially used. If no host name is configured on the BAS interface, the default host name is used. For untagged user VLANs, the IDs of the inner and outer VLANs are both 0. If the user VLAN carries only one tag, the inner VLAN ID is 0, indicating that the inner VLAN is not displayed.
  – If vlanpvc-to-username is set to turkey and the client-option82 basinfo-insert cn-telecom command is not run, the format of NAS-Port-Id is slot number/port number vlan-id inner VLAN ID:outer VLAN ID.
    Format example: 2/5 vlan-id 4096:4.
    For untagged user VLANs, the IDs of the inner and outer VLANs are both 4096. If the user VLAN carries only one tag, the inner VLAN ID is 4096.
  – If vlanpvc-to-username is set to standard and the client-option82 basinfo-insert cn-telecom command is run, the format of NAS-Port-Id is {eth|trunk|PW} slot number/subslot number/port number:{vpi.vci|outer VLAN ID.inner VLAN ID} information carried by the client.
    The slot number, subslot number, port number, VPI number, VCI number, outer VLAN ID, and inner VLAN ID are filled with the actual values. For Trunk interfaces, the slot number is 0. For untagged user VLANs, the IDs of the inner and outer VLANs are both 4096. If the user VLAN carries only one tag, the inner VLAN ID is 4096. For PW interfaces, the subslot number is 0. In the AAA view, you can specify pevlan or cevlan in the vlanpvc-to-username standard trust { pevlan | cevlan } command. By default, both parameters are specified in the command. If pevlan is specified, the inner VLAN ID is set to 4096. If cevlan is specified, the outer VLAN ID is set to 4096.
    ▪ User packets carry Option 82 information.
      If the vbas command is configured on the BAS interface, the complete Option 82 information carried in user packets is parsed. Otherwise, the Option 82 information is parsed with two offset bytes.
      If the user Option 82 information contains no space, the information carried by the client is filled with the user Option 82 information with two offset bytes. For example, if the user Option 82 information is abc, the NAS-Port-Id is eth 2/0/5:4096.4 c.
      If the user Option 82 information contains a space and a / precedes the space, the information carried by the client is filled with the user Option 82 information with two offset bytes. For example, if the user Option 82 information is aaa/b cd, the NAS-Port-Id is eth 2/0/5:4096.4 a/b cd.
      If the user Option 82 information contains two spaces and no / precedes the first space, the information carried by the client is filled with the user Option 82 information after the second space. For example, if the user Option 82 information is aaab cd e, the NAS-Port-Id is eth 2/0/5:4096.4 e.
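As an added example (not Huawei's code), the turkey, standard and redback-addition NAS-Port-Id formats and the Option 82 client-information rules described above, so that attribute values seen in RADIUS accounting logs can be reproduced and checked against the worked examples in the text. The function names, the explicit outer/inner VLAN parameters, and the reading of the redback-addition example's 20.32 suffix as vpi.vci are assumptions.

```python
UNTAGGED = 4096  # turkey and standard formats carry 4096 for a VLAN tag that is absent


def _vlans(outer, inner):
    """Outer/inner VLAN IDs: untagged gives 4096/4096, a single tag gives tag/4096."""
    return (UNTAGGED if outer is None else outer, UNTAGGED if inner is None else inner)


def nas_port_id_turkey(slot, port, outer=None, inner=None):
    """vlanpvc-to-username turkey: slot/port vlan-id <inner VLAN ID>:<outer VLAN ID>."""
    o, i = _vlans(outer, inner)
    return f"{slot}/{port} vlan-id {i}:{o}"


def option82_client_info(opt82, vbas=False):
    """'Information carried by the client' derived from the user Option 82 string.

    With vbas configured the complete Option 82 information is used; otherwise
    the three rules from the guide apply (drop the two offset bytes, or take the
    text after the second space).  Layouts the guide does not describe raise
    ValueError rather than guessing.
    """
    if vbas:
        return opt82
    first_space = opt82.find(" ")
    if first_space == -1:                 # no space: drop the two offset bytes
        return opt82[2:]
    if "/" in opt82[:first_space]:        # a "/" precedes the first space: same rule
        return opt82[2:]
    parts = opt82.split(" ")
    if len(parts) == 3:                   # two spaces, no "/" before the first one
        return parts[2]
    raise ValueError("Option 82 layout not described by the guide: %r" % opt82)


def nas_port_id_standard(slot, subslot, port, outer=None, inner=None, iftype="eth",
                         trust=("pevlan", "cevlan"), opt82=None, cn_telecom=False,
                         vbas=False):
    """vlanpvc-to-username standard, with or without client-option82 basinfo-insert cn-telecom.

    trust mirrors vlanpvc-to-username standard trust { pevlan | cevlan }: when
    only cevlan is trusted the outer VLAN ID becomes 4096, when only pevlan is
    trusted the inner VLAN ID becomes 4096.  The caller supplies the subslot
    value the guide prescribes for the interface type.
    """
    o, i = _vlans(outer, inner)
    if "pevlan" not in trust:
        o = UNTAGGED
    if "cevlan" not in trust:
        i = UNTAGGED
    base = f"{iftype} {slot}/{subslot}/{port}:{o}.{i}"
    if not cn_telecom:
        return f"{base} 0/0/0/0/0/0"
    if opt82 is None:
        raise ValueError("the cn-telecom format needs the user Option 82 information")
    return f"{base} {option82_client_info(opt82, vbas)}"


def nas_port_id_redback_addition(slot, subslot, port, vpi, vci):
    """redback-addition: atm <slot>/<combined>:<vpi>.<vci>, ATM users only.

    combined = ((subslot & 0x03) << 2) | (port & 0x03), so Atm3/3/0 gives 12 as in
    the guide's example.  Reading the 20.32 suffix of that example as vpi.vci is
    an assumption; the guide shows the suffix without naming it.
    """
    combined = ((subslot & 0x03) << 2) | (port & 0x03)
    return f"atm {slot}/{combined}:{vpi}.{vci}"
```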
----End
Context
On the NE40E, you can configure the interface that connects to a RADIUS server as the
source interface of the RADIUS server. On the NE40E, you can configure the source interface
in the system view or in the view of a RADIUS server group. Therefore, the RADIUS servers
in the RADIUS server group use this source interface to interact with the NE40E. If the
source interface of the RADIUS server group is not configured, the RADIUS servers use the
global source interface.
Perform the following steps on the Router:
Procedure
• Configure the global source interface of all RADIUS servers in all RADIUS server groups.
  a. Run system-view
     The system view is displayed.
  b. Run radius-server source interface interface-type interface-number
     The global source interface of all RADIUS servers is configured.
• Configure the source interface of a specified RADIUS server group.
  a. Run system-view
     The system view is displayed.
  b. Run radius-server group group-name
     The RADIUS server group view is displayed.
  c. Run radius-server source interface interface-type interface-number
     The source interface of the RADIUS server group is configured.
----End
Context
You need to configure a RADIUS authorization server for a dynamic service so that the
RADIUS server can dynamically authorize a user when the user uses the dynamic service.
NOTE
The NE40E supports Change of Authorization (CoA). Authorization information about online users can
be dynamically changed. While maintaining the online status of users, the network administrator can
modify the service attributes on the RADIUS server and then send CoA packets to dynamically change
the services used by users. This authorization mode is referred to as dynamic authorization.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server authorization ip-address [ vpn-instance instance-name ] { shared-key
key | server-group groupname } * [ ack-reserved-interval interval ]
The global RADIUS authorization server is configured.
To retain the RADIUS authorization response packet to respond to the retransmitted packets
from the RADIUS authorization server, you need to set the period of retaining the
authorization response when configuring the RADIUS authorization server.
If destination-ip dest-ip or destination-port dest-port has been configured, the device checks
the destination IP address or port number in the dynamic authorization packets and discards
the packets if the destination IP address or port number does not match.
Step 3 Run radius-server authorization error-reply { version1 | version2 }
The rule for configuring dynamic authorization response packets sent by the NE40E is
executed.
Step 4 Run radius-server authorization accounting-realtime-packet disable
The NE40E is disabled from automatically responding with a real-time accounting packet
upon receipt of a CoA message delivered by the RADIUS server.
After this command is run, the NE40E does not automatically respond with a real-time
accounting packet upon receipt of a CoA message from the RADIUS server. As a result, the
RADIUS server cannot learn the latest user status in a timely manner. To resolve this problem,
run the accounting interim interval interval [ second ] [ traffic ] [ hash ] command to set an
interval for informing the RADIUS server of the latest user status.
----End
Context
RADIUS clients can detect the status of RADIUS servers and determine the real-time status
of RADIUS servers based on responses from the RADIUS servers. This helps identify which
servers are in the Up state so as to process user request packets in real time.
The configuration is valid for all RADIUS servers.
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The system view is displayed.
----End
Context
After you configure extended source interfaces for the RADIUS server, the NE40E can send more packets to the RADIUS server in a given period of time.
After the configuration, the NE40E sends RADIUS packets through the extended source interfaces. The first half of the extended source interfaces are used to send and receive RADIUS authentication packets, and the second half are used to send and receive RADIUS accounting packets. If an odd number of extended source interfaces is configured, the authentication interfaces outnumber the accounting interfaces by one.
Procedure
Step 1 Run system-view
NOTE
If you do not specify the start interface number when configuring the extended source interfaces, the
system assigns a configured number of valid extended source interfaces.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server group group-name
The RADIUS server group view is displayed.
Step 3 Run radius-server calling-station-id include [ delimiter delimiter ] { domain [ delimiter delimiter ] | mac [ delimiter delimiter ] | interface [ delimiter delimiter ] | sysname [ delimiter delimiter | { option82 | access-line-id } [ delimiter delimiter ] ] } *
A method of constructing RADIUS attribute 31 (Calling-Station-Id) is configured.
Step 4 Run radius-server calling-station-id include refer-option61
The Calling-Station-Id attribute format is determined based on Option 61.
After the radius-server calling-station-id include refer-option61 command is run, note the
following issues:
• If user packets carry Option 61, the Calling-Station-Id attribute format uses the user MAC address.
• If user packets do not carry Option 61, the Calling-Station-Id attribute format uses the user name without the domain name.
Step 5 Run radius-server calling-station-id include vlan-binding
The Calling-Station-Id attribute format is constructed in the format of
slot(2)port(2)vpi(2)vci(4)vlan(4)mac(12).
Step 6 Run radius-server calling-station-id include vlan-description
The Calling-Station-Id attribute format is constructed based on the vlan-description format.
Step 7 Run radius-server calling-station-id lns-default version1
The default format for constructing the Calling-Station-Id attribute is configured on the LNS.
After the radius-server calling-station-id lns-default version1 command is run, the LNS encapsulates the Calling-Station-Id attribute into RADIUS authentication and accounting packets in the default format, even if the packets sent from the LAC to the LNS do not carry the calling-number attribute. By default, if the LAC sends user packets without the calling-number attribute to the LNS, the RADIUS authentication and accounting packets sent to the RADIUS server do not carry the Calling-Station-Id attribute.
Step 8 Run radius-server calling-station-id lns-default version1 force
The LNS is enabled to construct the Calling-Station-Id attribute based on the version1 format.
In some special scenarios, to enable the LNS to encapsulate the Calling-Station-Id attribute
into RADIUS authentication and accounting packets in the default version1 format
irrespective of whether the LAC sends the calling-number attribute to the LNS, run the
radius-server calling-station-id lns-default version1 force command.
After the radius-server calling-station-id include llid user-type { ppp | lns } * command is run, the authentication process for PPP or LNS users changes as follows, and going-online performance is affected because users are authenticated twice.
1. Two authentication request packets are sent. The format of the user name in the first authentication request packet is NAS-IP-Address NAS-Port-Id, and the password is HUAWEI (default value). The user name and password in the second authentication request packet and in the accounting request packet are the actual user name and password.
2. If the RADIUS server delivers the LLID attribute in the first authentication accept packet, the Calling-Station-Id field in the second authentication request packet and in the accounting request packet is encapsulated with the LLID information. If the LLID attribute cannot be obtained (for example, the RADIUS server does not deliver RADIUS attribute 31, Calling-Station-Id; a RADIUS Access-Reject packet is received; or the authentication times out), the Calling-Station-Id field in the second authentication request packet and in the accounting request packet is the same as that in the first authentication request packet.
If the system fails to obtain the LLID information from the RADIUS server, the authentication and accounting packets for the second authentication carry the RADIUS Calling-Station-Id attribute (attribute 31) by default. However, if the radius-server calling-station-id disable with-llid-fail command has been run, the authentication and accounting packets for the second authentication do not carry the Calling-Station-Id attribute. This configuration helps identify the users who have failed to obtain the LLID information.
Step 10 Run radius-server calling-station-id include pevlan [ { delimiter delimiter } [ cevlan ] ]
or run radius-server calling-station-id include cevlan [ { delimiter delimiter } [ pevlan ] ]
The Calling-Station-Id attribute format is constructed based on the outer or inner VLAN
information.
The Calling-Station-Id attribute contains user VLAN information. You can specify either or
both of pevlan and cevlan. If you specify both pevlan and cevlan and specify pevlan before
specifying cevlan, the RADIUS server parses pevlan before parsing cevlan. If you specify
cevlan before specifying pevlan, the RADIUS server parses cevlan before parsing pevlan.
If access users send packets that carry single VLAN tags, the single VLAN tags can only be
encapsulated into pevlan.
After the radius-server format-attribute include sub-slot command is run, the Calling-Station-Id and NAS-Port-Id attributes in RedBack format use the interface number in the format of slot/sub-slot/port.
----End
Procedure
Step 1 Run system-view
The ID of the vendor whose private RADIUS attribute the device can parse is added.
Step 5 Run radius-attribute vendor { { huawei | microsoft | 3gpp2 | redback | dslforum | other }*
| all } continuous
The NE40E is configured to carry multiple proprietary attributes in RADIUS attribute 26.
An attribute can be added to a RADIUS packet only by using the radius-attribute include
command. This can help control attributes in a RADIUS packet and prevent the length of a
RADIUS packet from exceeding 2048 bytes.
----End
Context
You can configure DSCP values for RADIUS packets, including the RADIUS packets sent by
the NE40E to a RADIUS server and the RADIUS packets sent by the NE40E to an AP/AC.
Procedure
• Configure DSCP values of RADIUS packets sent by the NE40E to a RADIUS server.
  DSCP priorities of RADIUS packets sent by the NE40E to a RADIUS server can be configured in two modes. The DSCP value configured in the RADIUS server group view has a higher priority.
  a. Run system-view
  In the RADIUS server group view, configure a DSCP value for RADIUS packets.
  a. Run system-view
----End
Context
The attributes of a RADIUS server for encapsulation include Framed-IP-Address, Framed-IP-Netmask, and Delegated-IPv6-Prefix. In the version1 format, the NE40E can encapsulate only a valid address into these attributes. In the version2 format, the NE40E can encapsulate a valid address or an invalid address delivered by the RADIUS server into these attributes.
Procedure
Step 1 Run system-view
----End
Context
• Access service template
  After an access service template is configured, the RADIUS server can send the service template name and control user traffic by time segment.
  When the authentication response message sent by the RADIUS server includes the HW-Access-Service attribute, the traffic bandwidth restriction is based on the QoS profile rule bound to the service template. When a QoS profile without a time segment and a QoS profile with a time segment both exist in an access service template, the QoS profile with a time segment has a higher priority.
  If an in-use QoS profile in an access service template is modified, the modification takes effect in real time. If all QoS profiles in an access service template are removed, the QoS profile that was previously bound to the user takes effect.
• Static route synchronization from the RADIUS server to the NE40E
  This function enables the NE40E to periodically or immediately synchronize static routes with those delivered by the RADIUS server. Static route synchronization requests that are not acknowledged are retransmitted until the maximum allowable number of retransmissions is reached.
• Update of user names and domains based on CoA messages
  In the web authentication scenario where a portal server cannot exchange authentication messages with a BRAS, you can configure the portal server to exchange authentication messages with a RADIUS server. To enable a BRAS to update user names based on those delivered in CoA messages and switch users to the domains carried in the RADIUS-delivered user names, run the radius-server coa update username command.
Procedure
l Create an access service template.
a. Run system-view
The system view is displayed.
b. Run access-service service-name
The access service template view is displayed.
c. Run qos-profile profile-name
The default QoS profile bound to the access service template is configured.
Each access service template can be bound to only one QoS profile without a time segment.
d. Run qos-profile profile-name time-range time-range-name
The QoS profile (containing a time segment) bound to the access service template is
configured.
Each access service template can be bound to up to 16 different time segments.
- Enable static route synchronization from the RADIUS server to the NE40E.
a. Run system-view
The system view is displayed.
b. Run aaa route-download server-group group-name base-user-name user-name
password { simple | cipher } password [ download-interval interval-value | retry-
interval retry-interval-value | retry-max-count retry-count | tag tag-value | cost
cost-value | synchronization synchronization ]
The NE40E is enabled to periodically synchronize static routes with those delivered
by the RADIUS server.
c. (Optional) Run aaa route-download recover-delay delay-time
Delayed advertisement is configured for static routes downloaded from a RADIUS
server after the NE40E is restarted and configurations are restored.
In BRAS multi-device backup scenarios, after the aaa route-download command
is run to enable the NE40E to download static routes from a RADIUS server at an
interval, you must also run the aaa route-download recover-delay command to
configure delayed advertisement of static routes downloaded from a RADIUS
server.
In BRAS multi-device backup scenarios, after the aaa route-download command
is run to enable the NE40E to download static routes from a RADIUS server at an
interval, the master and backup devices download static routes from the RADIUS
server, but the cost value of the static routes downloaded to the master device is less
than that of the static routes downloaded to the backup device. If the master device
is restarted and immediately downloads static routes from the RADIUS server and
advertises them to the network side, network-side traffic will be transmitted to the
master device. However, batch backup of user information has not yet completed,
and the master device cannot process traffic. Therefore, the traffic is transmitted to
the backup device through the link between the master and backup devices. If the
network traffic volume is greater than the bandwidth of the link between the master
and backup devices, the downstream traffic may be interrupted.
Static routes delivered by the RADIUS server are cleared from the NE40E.
e. Run aaa route-download now force
The device is enabled to update user names based on those delivered in CoA
messages and switch users to the domains carried in the RADIUS-delivered user
names.
----End
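The QoS profile precedence rules of the access service template described above (a profile with a time segment outranks the default profile, the previously bound profile applies once the template is emptied, one default profile and up to 16 time segments per template), as an added Python model that is not NE40E code. The time-range syntax is simplified to "HH:MM to HH:MM" plus a day specification, and first-configured-match among overlapping time segments is an assumption the guide does not state.

```python
"""Added model of QoS profile selection for an access service template (not NE40E code)."""
from datetime import datetime, time

MAX_TIME_SEGMENTS = 16       # bindings with a time segment per template (from the guide)
_DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
_DAY_SPECS = {"daily": set(range(7)), "working-day": set(range(5)), "off-day": {5, 6}}


class TimeRange:
    """A periodic time range such as 'peak 18:00 to 23:00 working-day' (simplified form)."""

    def __init__(self, name: str, start: str, end: str, days: str = "daily"):
        self.name = name
        self.start = time.fromisoformat(start)
        self.end = time.fromisoformat(end)
        # days is one of the keywords above or a list of weekday names ("Mon Wed")
        self.days = _DAY_SPECS.get(days) or {_DAYS.index(d[:3].lower()) for d in days.split()}

    def contains(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end      # range crossing midnight


class AccessService:
    def __init__(self, name: str):
        self.name = name
        self.default_profile = None     # at most one profile without a time segment
        self.timed = []                 # [(TimeRange, profile)] in configuration order

    def qos_profile(self, profile: str):
        """qos-profile profile-name: rebinding replaces the single default profile."""
        self.default_profile = profile

    def qos_profile_time_range(self, profile: str, tr: TimeRange):
        """qos-profile profile-name time-range time-range-name; up to 16 segments."""
        self.timed = [(r, p) for r, p in self.timed if r.name != tr.name]
        if len(self.timed) >= MAX_TIME_SEGMENTS:
            raise ValueError(f"{self.name}: only {MAX_TIME_SEGMENTS} time segments allowed")
        self.timed.append((tr, profile))

    def undo_all(self):
        """Remove every QoS profile from the template."""
        self.default_profile, self.timed = None, []

    def resolve(self, when, previous_profile: str) -> str:
        """Profile governing the user's traffic at `when` (datetime or ISO string);
        previous_profile is the one bound to the user before HW-Access-Service applied."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        # a profile with a time segment outranks the default profile; the first
        # configured matching segment wins (an assumption for overlapping segments)
        for tr, prof in self.timed:
            if tr.contains(when):
                return prof
        if self.default_profile is not None:
            return self.default_profile
        return previous_profile     # template emptied: previously bound profile applies


def build_sample() -> AccessService:
    """Constructed template: day profile by default, peak-hour profile on working days,
    a night profile whose time segment crosses midnight."""
    svc = AccessService("svc-gold")
    svc.qos_profile("qos-day")
    svc.qos_profile_time_range("qos-peak", TimeRange("peak", "18:00", "23:00", "working-day"))
    svc.qos_profile_time_range("qos-night", TimeRange("night", "23:00", "06:00"))
    return svc
```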
Result
- Run the display access-service command in any view to check information about the access service template.
- Run the display aaa route-download config command in any view to check configurations about static route synchronization from the RADIUS server to the NE40E.
- Run the display aaa route command in any view to check whether static routes are successfully delivered by the RADIUS server.
Context
If you want to assign IPv6 addresses to users using both an IPv6 address pool delivered by a RADIUS server in the Framed-Ipv6-Pool attribute and the IPv6 address pools configured in the domain, run the radius-attribute apply framed-ipv6-pool match pool-type command. After this command is configured, the IPv6 address pool delivered by the RADIUS server in the Framed-Ipv6-Pool attribute replaces the IPv6 address pools of the same type configured in the domain.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server group group-name
The RADIUS server group view is displayed.
Step 3 Run radius-attribute apply framed-ipv6-pool match pool-type
An IPv6 address pool to be delivered by a RADIUS server using the Framed-Ipv6-Pool
attribute is configured to replace the IPv6 address pools of the same type configured in a
domain.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server group group-name
The RADIUS server group view is displayed.
Step 3 Run radius-attribute assign attribute-name { dhcp dhcp-option-code | dhcpv6 dhcpv6-
option-code }
The device is configured to encapsulate a RADIUS attribute in a specified DHCP/DHCPv6
option.
NOTE
----End
Context
The RADIUS server delivers the HW-Data-Filter attribute (No.26-82) carrying the traffic
classifier-behavior pair. The traffic classifier attribute carries the classifier name, behavior
name, and rule information, and the traffic behavior attribute carries the behavior name and
behavior information. ACL information is dynamically delivered after the traffic classifier-behavior pair is delivered. The HW-Data-Filter attribute is disabled by default and can be enabled only using commands.
Procedure
Step 1 Run system-view
The interval at which the NE40E checks whether online users or dynamic ACLs are using the
dynamic user group created by the RADIUS server is configured.
The NE40E checks one dynamic user group at each interval. If a user group is not used, the
NE40E deletes the user group.
The RADIUS server is configured to create dynamic ACLs. The RADIUS server can deliver
the HW-Data-Filter attribute carrying the traffic classifier-behavior pair for dynamic ACLs.
The RADIUS server is configured to deliver the alarm threshold for the traffic classifier-
behavior pair usage.
The NE40E ignores RADIUS packets carrying an attribute that fails parsing or checking.
----End
Context
User login request packets carry Relay headers or multi-level Relay headers. The Relay
header carries the Option 17 field which contains sub-options. If the format of the options
carried in the Relay headers and DHCPv6 packets conforms to that defined by the DSL
Forum, the device can parse the Option 17 field and send the obtained sub-attributes to the
RADIUS server after the dhcpv6 option-17 decode version1 command is run in the system
view. Otherwise, the device does not parse the options nor send the attributes to the RADIUS
server.
Perform the following steps on the Router.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcpv6 option-17 decode version1
The device is enabled to parse the Option 17 field based on the format defined by the DSL Forum and send the obtained sub-attributes to a RADIUS server.
----End
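The Option 17 parsing described above, including multi-level Relay headers, as an added Python example that is not NE40E code. It assumes the Broadband Forum (formerly DSL Forum) encoding: enterprise number 3561 with sub-option 1 as Agent-Circuit-ID and sub-option 2 as Agent-Remote-ID, and it rejects the whole packet on any malformed length instead of decoding part of it, matching the guide's statement that a non-conforming option is neither parsed nor forwarded to RADIUS.

```python
import struct

RELAY_FORW = 12              # DHCPv6 Relay-Forward message type
OPTION_RELAY_MSG = 9         # option carrying the encapsulated (inner) message
OPTION_VENDOR_OPTS = 17      # Vendor-specific Information option
BBF_ENTERPRISE = 3561        # Broadband Forum (formerly DSL Forum) enterprise number (assumed)
SUBOPT_NAMES = {1: "Agent-Circuit-ID", 2: "Agent-Remote-ID"}   # assumed BBF sub-option codes
HOP_COUNT_LIMIT = 32         # relay nesting accepted before the packet is rejected (assumed)


class Option17Error(ValueError):
    """Any length or structure inconsistency; nothing is partially decoded."""


def iter_options(buf: bytes):
    """Yield (code, data) for a DHCPv6 option list. Top-level options and
    Option 17 sub-options share the 2-byte code / 2-byte length layout."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise Option17Error("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise Option17Error(f"option {code} length {length} overruns buffer")
        yield code, buf[off:off + length]
        off += length


def parse_option17(data: bytes):
    """Return (enterprise_number, {sub_code: bytes}) for an Option 17 body."""
    if len(data) < 4:
        raise Option17Error("Option 17 shorter than its enterprise number")
    (enterprise,) = struct.unpack_from("!I", data, 0)
    return enterprise, dict(iter_options(data[4:]))


def relay_levels(msg: bytes):
    """Yield the option block of every Relay-Forward header, outermost first."""
    for _ in range(HOP_COUNT_LIMIT + 1):
        if not msg or msg[0] != RELAY_FORW:
            return                              # reached the client's own message
        if len(msg) < 34:                       # type(1) + hop(1) + link(16) + peer(16)
            raise Option17Error("truncated Relay-Forward header")
        opts = msg[34:]
        yield opts
        inner = next((v for c, v in iter_options(opts) if c == OPTION_RELAY_MSG), None)
        if inner is None:
            return
        msg = inner
    raise Option17Error("relay nesting exceeds hop-count limit")


def extract_line_ids(msg: bytes, enterprise: int = BBF_ENTERPRISE):
    """One dict per relay level (outermost first) holding the decoded sub-attributes;
    a level without a matching Option 17 gives {}. Returns None when any option is
    malformed, mirroring the guide: the device then parses and sends nothing."""
    try:
        levels = []
        for opts in relay_levels(msg):
            found = {}
            for code, val in iter_options(opts):
                if code != OPTION_VENDOR_OPTS:
                    continue
                ent, subs = parse_option17(val)
                if ent != enterprise:
                    continue                    # another vendor's option: ignore it
                for sub, raw in subs.items():
                    if sub not in SUBOPT_NAMES:
                        continue
                    # the value becomes a RADIUS string attribute: keep it printable ASCII
                    if not all(0x20 <= b < 0x7F for b in raw):
                        raise Option17Error(f"non-printable bytes in sub-option {sub}")
                    found[SUBOPT_NAMES[sub]] = raw.decode("ascii")
            levels.append(found)
        return levels
    except Option17Error:
        return None


# --- constructed sample: a Solicit relayed by an access node, then an aggregation relay ---
def build_option17(subs: dict, enterprise: int = BBF_ENTERPRISE) -> bytes:
    body = struct.pack("!I", enterprise)
    for code, val in subs.items():
        body += struct.pack("!HH", code, len(val)) + val
    return struct.pack("!HH", OPTION_VENDOR_OPTS, len(body)) + body


def build_relay_forward(inner: bytes, hop: int, extra: bytes = b"") -> bytes:
    hdr = struct.pack("!BB16s16s", RELAY_FORW, hop, bytes(16), bytes(16))
    return hdr + extra + struct.pack("!HH", OPTION_RELAY_MSG, len(inner)) + inner


SOLICIT = bytes([1, 0x12, 0x34, 0x56])   # msg-type 1 followed by a 3-byte transaction id
ACCESS_NODE = build_relay_forward(
    SOLICIT, 0, build_option17({1: b"dslam-1 eth 1/0/3:100", 2: b"ONT-SN-0001"}))
AGGREGATION = build_relay_forward(ACCESS_NODE, 1)   # second relay level adds no Option 17
TRUNCATED = AGGREGATION[:-3]                        # inner option length now overruns
```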
Prerequisites
A RADIUS server has been configured.
Procedure
- Run the display radius-server authorization configuration command to check the configuration of the RADIUS authorization server.
- Run the display radius-server configuration [ group groupname ] command to check the configuration of the RADIUS server group.
NOTE
Configuring the ui-mode type1 command in the system view influences the output format of the
display command.
- Run the display radius-attribute [ name attribute-name | type { 3gpp | dsl | huawei | microsoft | redback | standard } attribute-number ] command to check the RADIUS attributes supported by the system.
- Run the display radius-attribute [ server-group server-group-name packet { access-request | access-accept | access-reject | accounting-request | accounting-response |
----End
Example
Run the display radius-server authorization configuration command to view the
configuration of the RADIUS authorization server.
<HUAWEI> display radius-server authorization configuration
-----------------------------------------------------------------------------
IP-Address Secret-key Group Ack-r
Reserved-interval
-----------------------------------------------------------------------------
192.168.7.100 huawei rd1 20
Vpn : --
-----------------------------------------------------------------------------
1 Radius authorization server(s) in total
Run the display radius-server configuration command to view the configuration of the RADIUS server group.
<HUAWEI> display radius-server configuration
RADIUS source interface : LoopBack20
RADIUS no response packet count : 30
RADIUS auto recover time(Min) : 100
RADIUS authentication source ports :
IPv4: 1812
IPv6: 1812
RADIUS accounting source ports :
IPv4: 1813
IPv6: 1813
-------------------------------------------------------
Server-group-name : chen
Authentication-server: IP:10.3.4.144 Port:1812 Weight[0] [UP]
Vpn: -
Accounting-server : IP:10.3.4.144 Port:1814 Weight[0] [UP]
Vpn: -
Protocol-version : radius
Shared-secret-key : ******
Retransmission : 3
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
-------------------------------------------------------
Run the display radius-attribute [ name attribute-name | type { 3gpp | dsl | huawei | microsoft | redback | standard } attribute-number ] command to view the RADIUS attributes supported by the NE40E of the current version.
<HUAWEI> display radius-attribute type standard 1
Radius Attribute Type : 1
Radius Attribute Name : User-Name
Radius Attribute Description : This Attribute indicates the name of the user to
be authenticated.
Supported Packets : Auth Request, Acct Request, Session Control, COA
Request, COA Ack
88 Framed-Pool
89 Chargeable-User-Identity
90 Tunnel-Client-Auth-ID
96 Framed-Interface-Id
97 Framed-IPv6-Prefix
98 Login-IPv6-Host
99 Framed-IPv6-Route
100 Framed-IPv6-Pool
123 Delegated-IPv6-Prefix
135 Ascend-Client-Primary-Dns
136 Ascend-Client-Secondary-Dns
2011(HUAWEI),1 HW-Input-Committed-Burst-Size
2011(HUAWEI),2 HW-Input-Committed-Information-Rate
2011(HUAWEI),3 HW-Input-Peak-Information-Rate
2011(HUAWEI),4 HW-Output-Committed-Burst-Size
2011(HUAWEI),5 HW-Output-Committed-Information-Rate
2011(HUAWEI),6 HW-Output-Peak-Information-Rate
2011(HUAWEI),15 HW-Remanent-Volume
2011(HUAWEI),17 HW-Subscriber-QoS-Profile
2011(HUAWEI),22 HW-Priority
2011(HUAWEI),27 HW-Portal-URL
2011(HUAWEI),28 HW-FTP-Directory
2011(HUAWEI),29 HW-Exec-Privilege
2011(HUAWEI),30 HW-RADIUS-MP-VT-Number
2011(HUAWEI),31 HW-QOS-Profile-Name
2011(HUAWEI),32 HW-SIP-Server
2011(HUAWEI),35 HW-Renewal-Time
2011(HUAWEI),36 HW-Rebinding-Time
2011(HUAWEI),37 HW-IGMP-Enable
2011(HUAWEI),61 HW-Up-Priority
2011(HUAWEI),62 HW-Down-Priority
2011(HUAWEI),63 HW-Tunnel-Vpn-Instance
2011(HUAWEI),64 HW-Virtual-Template
2011(HUAWEI),65 HW-User-Date
2011(HUAWEI),66 HW-User-Class
2011(HUAWEI),70 HW-PPP-NCP-Type
2011(HUAWEI),71 HW-VSI-Name
2011(HUAWEI),72 HW-Subnet-Mask
2011(HUAWEI),73 HW-Gateway-Address
2011(HUAWEI),74 HW-Lease-Time
2011(HUAWEI),75 HW-Ascend-Client-Primary-WINS
2011(HUAWEI),76 HW-Ascend-Client-Second-WIN
2011(HUAWEI),77 HW-Input-Peak-Burst-Size
2011(HUAWEI),78 HW-Output-Peak-Burst-Size
2011(HUAWEI),79 HW-Reduced-CIR
2011(HUAWEI),80 HW-Tunnel-Session-Limit
2011(HUAWEI),82 HW-Data-Filter
2011(HUAWEI),83 HW-Access-Service
2011(HUAWEI),85 HW-Portal-Mode
2011(HUAWEI),87 HW-Policy-Route
2011(HUAWEI),88 HW-Framed-Pool
2011(HUAWEI),91 HW-Queue-Profile
2011(HUAWEI),92 HW-Layer4-Session-Limit
2011(HUAWEI),93 HW-Multicast-Profile-Name
2011(HUAWEI),94 HW-VPN-Instance
2011(HUAWEI),95 HW-Policy-Name
2011(HUAWEI),96 HW-Tunnel-Group-Name
2011(HUAWEI),97 HW-Multicast-Source-Group
2011(HUAWEI),98 HW-Multicast-Receive-Group
2011(HUAWEI),99 HW-Multicast-Type
2011(HUAWEI),100 HW-Reduced-PIR
2011(HUAWEI),135 HW-Client-Primary-DNS
2011(HUAWEI),136 HW-Client-Secondary-DNS
2011(HUAWEI),138 HW-Domain-Name
2011(HUAWEI),140 HW-HTTP-Redirect-URL
2011(HUAWEI),141 HW-PPP-Local-IP-Address
2011(HUAWEI),142 HW-Qos-Profile-Type
2011(HUAWEI),143 HW-Max-List-Num
2011(HUAWEI),154 HW-DNS-Server-IPv6-Address
2011(HUAWEI),155 HW-DHCPv4-Option121
2011(HUAWEI),156 HW-DHCPv4-Option43
2011(HUAWEI),157 HW-Framed-Pool-Group
2011(HUAWEI),158 HW-Framed-IPv6-Address
2011(HUAWEI),160 HW-Nat-Policy-Name
2011(HUAWEI),164 HW-Nat-Port-Forwarding
2011(HUAWEI),166 HW-DS-Lite-Tunnel-Name
2011(HUAWEI),167 HW-PCP-Server-Name
2011(HUAWEI),182 HW-Down-Qos-Profile-Name
2011(HUAWEI),183 HW-Port-Mirror
2011(HUAWEI),191 HW-Delegated-IPv6-Prefix-Pool
2011(HUAWEI),194 HW-IPv6-Policy-Route
2011(HUAWEI),253 HW-Web-URL
311(MICROSOFT),16 MS-MPPE-Send-Key
311(MICROSOFT),17 MS-MPPE-Recv-Key
311(MICROSOFT),26 MS-CHAP2-Success
311(MICROSOFT),28 MS-Primary-DNS-Server
311(MICROSOFT),29 MS-Secondary-DNS-Server
2352(RedBack),92 Forward-Policy
2352(RedBack),106 NPM-Service-Id
2352(RedBack),107 HTTP-Redirect-Profile-Name
2352(RedBack),165 HTTP-Redirect-URL
5535(3GPP2),7 Home-Agent-Address
5535(3GPP2),81 Removal-Indication
-------------------------------------------------------------------------------
Run the display radius-client statistics command to view statistics about RADIUS packets
exchanged between the RADIUS client and proxy.
<HUAWEI> display radius-client statistics client-ip 10.111.2.20
Authentication packets:
Access Requests : 0 Access Accepts : 0
Access Challenges : 0 Access Rejects : 0
Bad Authenticators : 0 Packets Dropped : 0
Accouting packets:
Run the display aaa remote-download acl item [ user-id user-id | classifier classifier-
name ] * [ verbose ] command. The command output shows information about the traffic
classifier-behavior pair in dynamic ACLs delivered by the RADIUS server.
<HUAWEI> display aaa remote-download acl item
-------------------------------------------------------------------------------
class6 1 2
remote
The used user-id table
are :
-------------------------------------------------------------------------------
class5 1 2
remote
The used user-id table
are :
-------------------------------------------------------------------------------
Run the display aaa remote-download acl statistics classifier classifier-name [ slot slot-id ]
command. The command output shows statistics about the traffic classifier-behavior pair in
dynamic ACLs delivered by the RADIUS server on a specific board.
<HUAWEI> display aaa remote-download acl statistics classifier c2 slot 1
-------------------------------------------------------------------------
Classifier name: c2
Classifier type: remote
rule:(number: 1)
ipv4;ruleid=5;daaflag;permit;proto=6;dipv4=10.2.3.3/16;su-group=group1;
(IPv4, inbound: 0 packets, 0 bytes, outbound: 0 packets, 0 bytes)
Behavior name: b2
deny;
Behavior Type: remote
----------------------------------------------------------------------------
Context
A Diameter server is used to deliver service policies for value-added services, such as the
BOD, DAA, and EDSG services.
Before configuring a Diameter server, get familiar with the following basic concepts:
- Diameter client: the local Router. Only one client entity can be configured on the Router.
- Diameter server: the remote policy server RM9000. A maximum of eight Diameter servers can be specified on the Router.
- Diameter connection group: a Diameter server-client connection group that is uniquely identified by the client name and server name. Since a maximum of eight servers can be specified on the Router, at most eight Diameter connection groups may exist on the Router.
- Diameter link: a Diameter connection established using TCP. It is uniquely identified by the IP address and port number of the Diameter client and the IP address and port number of the Diameter server. A maximum of four Diameter links can be set up in the Diameter server group view.
Configuration Process
Context
By default, a Diameter server cannot deliver EDSG services through a Gx interface.
Therefore, configure the Diameter-enabled Gx interface to allow the Diameter server to
deliver EDSG services.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run diameter predefined-rule support-type edsg
The Diameter-enabled Gx interface is configured to allow the Diameter server to deliver
EDSG services.
Step 3 Run commit
The configuration is committed.
----End
Context
After the Diameter function is enabled, you can configure some optional Diameter-related functions, such as the maximum number of times a probe packet can be retransmitted and the maximum number of times a CCR-I message can be retransmitted.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run diameter enable
The Diameter protocol is enabled on the Router.
----End
Context
A Diameter server group consists of the Diameter client, Diameter server, and Diameter link.
Procedure
Step 1 Run system-view
The Diameter client entity information is configured, including the name, host IP address (IP
address of the interface specified by interface interface-type interface-number), host name,
domain name, and product name of the client.
The Diameter server entity information is specified, including the host name, domain name,
IP address, and port number of the server.
Step 5 Run diameter-link local local-name peer peer-name client-port port-number [ weight
weight-value ]
The device is disabled from sending CCR-I messages to a Diameter server for user login after
the device receives a RADIUS authentication response message that does not carry the
subscription-id attribute.
The device is configured to process case sensitivity of the predefined EDSG rules delivered
by the Diameter server.
----End
Context
After a Diameter server group is configured, bind the server group to an AAA domain so that
the Diameter server group can be used in this domain.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run diameter-server group group-name
The created Diameter server group is bound to the AAA domain.
Step 5 Run commit
The configuration is committed.
----End
Prerequisites
The Diameter server has been configured.
Procedure
- Run the display diameter configuration command to check Diameter server configurations.
- Run the display diameter-group bind-info command to check the binding relationship between the AAA domain and Diameter server group.
----End
Example
Run the display diameter configuration command to check Diameter server configurations.
<HUAWEI> display diameter configuration
-- Diameter Configuration ---------------------------------------------------
Run the display diameter-group bind-info command to check the binding relationship
between the AAA domain and Diameter server group.
-----------------------------------------------------------------------------
| Domain Name | Diameter Group Name |
-----------------------------------------------------------------------------
| huawei | huawei |
-----------------------------------------------------------------------------
Context
If a RADIUS server is configured to implement the accounting for access users or value-
added services, the Router allows the generation of local bills under the following scenarios:
- An accounting stop request is triggered by a user or value-added service, but the RADIUS server does not respond. In this case, the Router generates a local bill to record the accounting information and considers that the user is offline.
- The accounting start-fail online command is run to allow a user to go online even if accounting fails to start for the user. When users go offline, local bills can be created to record accounting information.
Local bills can be transferred to a bill server for account reconciliation on the RADIUS server.
Procedure
Step 1 Run system-view
Step 4 Run bill-server ip-address filename filename [ user-name user-name password cipher
cipher-password port ]
A bill server can be used to transfer bills stored in the local bill pool or CF card, so that the
space of local bill pool or CF card can be released.
Step 5 Configure the transfer mode and the transfer trigger conditions for bills on the Router.
- Configure the transfer mode for bills stored in the local bill pool or CF card.
a. Run local-bill cache backup-mode { cfcard | none | tftp | sftp }
The automatic bill transfer mode is specified.
If none is specified, bills in the local bill pool are not transferred. If you need bill
transfer before the automatic bill transfer condition is met, run the local-bill cache
backup command to manually transfer local bills to the CF card or bill server.
b. Run local-bill cfcard backup-mode { tftp | sftp }
The mode in which the bills in the CF card are transferred to the bill server is
configured.
Besides automatic bill transfer, the Router supports manual bill transfer from the CF
card to the bill server using the local-bill cfcard backup command.
- Configure the transfer trigger conditions for local bill transfer to the CF card or bill server.
a. Run local-bill { cache | cfcard } backup-interval interval-time
The interval at which bills in the local bill pool or CF card are transferred to the bill
server is set.
b. Run local-bill { cache | cfcard } alarm-threshold threshold-value
The threshold at which a bill alarm is generated for the local bill pool or CF card is
set.
Step 6 (Optional) Run local-bill cfcard reset
Bills in the CF card are manually cleared.
When the CF card storage space is insufficient but the bill server is faulty, run the preceding
command to clear existing local bills. Otherwise, new bills will be dropped.
Bills cannot be restored after they are deleted from the CF card. Exercise caution when
running this command.
----End
Result
After configuring the function to locally generate and store user bills, perform the following
checks:
- Run the display local-bill configuration command to check the configurations of the local bill transfer function.
- Run the display local-bill information command to check the usage of the CF card or local bill pool.
- Run the display local-bill cache start-num count command to check the information about specified bills in the local bill pool.
Context
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The device is enabled to add the Option 82 information to the URL string in a redirection
packet to be sent to a user.
NOTE
If IP addresses are automatically allocated from the BAS address pool, the DNS server can be
configured in both the domain view and the address pool view, but the configuration in the domain
view takes precedence.
The IP address of the DNS server for user access can be delivered by the RADIUS server,
configured in the AAA domain view, or configured in the address pool view. The DNS server
address configured in the AAA domain view has a higher priority than that configured in the
address pool view but has a lower priority than that delivered by the RADIUS server.
----End
Context
To guarantee the processing capability of the NE40E, you can limit the total number of access
users for a domain. If the number of users reaches the limit, additional access users are
denied.
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run access-limit max-number
The maximum number of access users is specified for the domain.
----End
Context
To guarantee the processing capability of the NE40E, you can limit the maximum number of
sessions for an account. If the number of sessions reaches the limit, additional access users are
denied.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run user-max-session max-session-number
The maximum number of sessions for an account is set.
----End
Context
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run user-priority { upstream | downstream } { priority | trust-8021p-inner | trust-8021p-
outer | trust-dscp | trust-dscp-inner | trust-dscp-outer | unchangeable | trust-exp-inner |
trust-exp-outer }
The priority of the domain user is set.
Currently, one domain can be configured with only one user priority.
- priority: user priority. The value ranges from 0 to 7.
- trust-8021p-inner: The 802.1p priority in the inner tag of a Layer 2 user packet is used as the user priority.
- trust-8021p-outer: The 802.1p priority in the outer tag of a Layer 2 user packet is used as the user priority.
- trust-dscp: The DSCP value of a user packet is used as the user priority.
- trust-dscp-inner: The DSCP value in the inner tag of a user packet is used as the user priority.
- trust-dscp-outer: The DSCP value in the outer tag of a user packet is used as the user priority.
- unchangeable: The user priority is fixed.
- trust-exp-inner: The EXP value in the inner tag of an MPLS packet is used as the user priority.
- trust-exp-outer: The EXP value in the outer tag of an MPLS packet is used as the user priority.
----End
Context
A domain can belong to any of the following groups:
- User group
A user group is used to control the access right of users and implement ACLs. Up to 255 user groups can be configured on the NE40E.
- VPN instance
Procedure
Step 1 Run system-view
NOTE
This configuration applies to hub and spoke networking scenarios. The VPN instances configured
using the vpn-instance vpn-instance-name inbound and vpn-instance vpn-instance-name
commands cannot be the same.
----End
Context
A domain has the following additional functions:
- Time-based control
Time-based control means that a domain is automatically blocked in a specified period. During this period, the users of this domain cannot access the NE40E and the online users are disconnected. After the period, the domain is reactivated automatically, and the domain users are allowed to log in again.
- Idle cut
When the traffic volume of a user remains below a threshold for a period, the NE40E considers the user idle and disconnects the user. To use the idle cut function, set the idle time and the traffic threshold.
The idle cut function configured for a domain controls only the basic traffic of a user. Multicast traffic and VAS traffic that is not configured with the summary feature are not included in the basic traffic, so the idle cut function does not apply to them.
- Mandatory PPP authentication
Generally, the authentication mode (PAP, CHAP, or MSCHAP) of a PPP user is negotiated by the PPP client and the virtual template. After the mandatory authentication mode of PPP users is configured for a domain, the users in the domain are authenticated in the configured mode.
- Policy-based routing
In packet forwarding, the NE40E determines the forwarding egress according to the destination addresses of the packets. With the policy-based routing function, however, the NE40E determines the forwarding egress according to the address specified in the user domain.
- IP address usage alarm
After the alarm threshold for the usage (in percentage) of IP addresses is set in a domain, the NE40E sends a trap to the network management system (NMS) when the usage of IP addresses exceeds the threshold. If no alarm threshold is set, the NE40E does not send any trap to the NMS, regardless of the usage of IP addresses.
- Traffic statistics
The traffic statistics function collects the total traffic of a domain and the upstream and downstream traffic of users.
- Accounting packet copy
The accounting packet copy function allows the NE40E to send accounting information to two RADIUS server groups at the same time and wait for their responses. If no response is received, the NE40E retransmits the accounting information after 5s. If the NE40E fails to receive a response from a RADIUS server three consecutive times, the NE40E sends Accounting Stop packets to this RADIUS server and no longer sends accounting packets to it.
Use this function when multiple copies of the original accounting information are required (for example, when multiple ISPs cooperate in the networking). In this case, accounting packet copies are sent to two RADIUS server groups at the same time and are used as the original accounting information in future settlement.
- Re-authentication timeout
The re-authentication timeout is valid for Layer 3 pre-authentication users. If a Layer 3 pre-authentication user does not pass the authentication within the maximum re-authentication time, the NE40E disconnects this user.
- Policy used for online users when the quota is used up
The NE40E applies a policy after the quota (traffic or session time) of an online user is used up. The NE40E may forcibly log out the user, keep the user online, or redirect the user to a specified portal.
- Host route tagging
The host route tagging function allows the NE40E to import route tags based on routing policies and advertise different host routes to different networks by setting and categorizing route tags for host routes of IPv4 users and network segment routes generated based on the RADIUS-delivered Framed-Route attribute.
Procedure
Step 1 Run system-view
You can configure up to four time ranges, which have equal priority.
The idle-cut command is used when some users cannot access the Internet due to an
exception but can access the Internet after being logged out once. The idle-cut function can
take effect on upstream traffic, downstream traffic, or both according to the parameter you
specify. If you do not specify the inbound parameter or the outbound parameter, the idle-cut
function takes effect on both upstream and downstream traffic.
NOTE
This command takes effect only when the user's quota is used up and the user is in the specified domain.
If the user domain is changed by a CoA packet sent from a policy server and the quota-out command is
not configured in the new domain, the user will be logged out if the quota is used up.
If the RADIUS protocol type is set to non-standard, a real-time accounting packet is sent to
the RADIUS server to apply for a new quota when user's quota is used up. If the RADIUS
server responds with zero quota, the user is redirected based on the configured quota-out
redirect url url-string [ redirect-stop-accounting ] command.
If you want a user to be redirected directly when its quota is used up, you must first set the RADIUS protocol type to standard and then configure the quota-out redirect url url-string [ redirect-stop-accounting ] command.
Step 14 Run radius-no-response lease-time time
The extended lease in case of no response from the RADIUS server is set for DHCP users.
Step 15 Run redirect-domain effect-attribute { user-group | web-url | qos-profile | accounting-
scheme | ip-unr-tag }
The fields that are allowed to take effect are specified in the domain that CoA delivers or the
redirection domain for users after they use up their quota.
Step 16 Run ip unr tag route-type host-route framed-route
A route tag is set for host routes of IPv4 users and network segment routes generated based on
the RADIUS-delivered Framed-Route attribute.
Step 17 Run reallocate-ip-address
IP address reallocation is enabled in the domain.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run user volume-quota apply { inbound | outbound }
The traffic direction to which the user traffic quota applies is specified.
----End
Context
By default, a domain cannot have both public and private network users or have users
belonging to different VPN instances. After you configure a device to trust the VPN instance
bound to the BAS interface through which users go online or the VPN instance bound to the
address pool or address pool group that the RADIUS server uses to deliver IP addresses to
Layer 2 users, public and private network users or users belonging to different VPN instances
can coexist in a domain.
Procedure
Step 1 Configure public and private network users or users belonging to different VPN instances to
go online through the same BAS interface and coexist in the same domain.
1. Run system-view
The system view is displayed.
2. Run aaa
The AAA view is displayed.
The device is configured to trust the VPN instance bound to the BAS interface through
which Layer 2 users go online.
For VPN users, run the vpn-instance command on the BAS interface through which
VPN users go online to bind a VPN instance to the BAS interface. Note that the VPN
instance bound to the BAS interface must be the same as that bound to an IP address
pool.
This command applies only to Layer 2 common users and static users.
Step 2 Configure public and private network users or users belonging to different VPN instances to
go online through different BAS interfaces and coexist in the same domain.
1. Run system-view
The device is configured to trust the VPN instance bound to the IPv4 address pool or
IPv4 address pool group that the RADIUS server uses to deliver IPv4 addresses to Layer
2 users.
5. (Optional) Run trust vpn-instance framed-ipv6-pool
The device is configured to trust the VPN instance bound to the IPv6 address pool or
IPv6 address pool group that the RADIUS server uses to deliver IPv6 addresses to Layer
2 users.
This command applies only to Layer 2 common IPv6 users and static IPv6 users.
----End
Context
One or two layers of VLAN tags are added to each user packet transmitted over a MAN. The
NE40E counts the VLAN header length as part of the packet length when collecting statistics about
user packet bytes. As a result, the number of bytes sent by a user terminal deviates greatly from the
number of bytes in the statistics collected by the NE40E. To improve accounting accuracy,
you can configure the NE40E to exclude the VLAN header length from the packet length when
collecting statistics about packet bytes of Layer 2 IPoE and PPPoE users.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run accounting exclude-type vlan access-user layer2 { ipoe | pppoe } *
The NE40E is configured to exclude VLAN header length from packet length when collecting
statistics about user packet bytes.
This configuration applies to both IPv4 and IPv6 packet statistics.
After this command is configured, the number of bytes sent by the user terminal deviates little
from the number of bytes in the statistics collected by the NE40E. If no packet is lost, the two
numbers are the same.
----End
Context
When an STB is quickly powered off and then restarted, the NE40E cannot detect the user
logout, and the user entry is still available. After the STB restarts, the user goes online again.
The STB obtains a new account from the NMS in which the online domain may have changed
and sends a Discover or Request message to the NE40E. Upon receipt of the Discover or
Request message, the NE40E does not check the Option 60 field because a user entry with the
same MAC address already exists. The NE40E responds with an ACK message. As a result,
the user always goes online from the initial domain and cannot access the network normally.
To resolve this problem, enable the NE40E to log out an online user when a Discover or
Request message from a user with the same MAC address as the online user is received.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
The device is enabled to log out an online user when a Discover message from a client with
the same MAC address as the online user is received.
----End
Context
Load balancing can be enabled for downstream traffic of a user on Eth-Trunk interfaces.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run trunk downstream load-balance enable
Load balancing of downstream traffic on Eth-Trunk interfaces is enabled.
----End
Context
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run block
----End
Prerequisites
The domain has been configured.
Procedure
Step 1 Run the display domain [ domain-name ] command to check the configuration of the
domain.
Step 2 Run the display user-flow-statistics [ domain domain-name ] command in any view to check
user traffic statistics.
Step 3 Run the display ip-pool usage-status [ domain domain-name ] command to check
information about public IP address pool status in a specified domain.
Step 4 Run the display ip-pool pool-usage [ domain dname | pool-name [ pool-name ] ] command to
check information about the usage of the address pool of every domain.
----End
Example
Run the display domain command, and you can view the summaries of configurations of all
the domains.
<HUAWEI> display domain
------------------------------------------------------------------------------
Domain name State CAR Access-limit Online BODNum RptVSMNum
------------------------------------------------------------------------------
default0 Active 0 279552 0 0 0
default1 Active 0 279552 0 0 0
default_admin Active 0 279552 0 0 0
default Active 0 279552 0 0 0
isp1 Active 0 279552 0 0 0
------------------------------------------------------------------------------
Total 5,5 printed
<HUAWEI> display domain isp1
------------------------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : default1
Accounting-scheme-name : default1
Authorization-scheme-name : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-DNS-IPV6-address : -
Second-DNS-IPV6-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Time-range : Disable
Idle-cut direction : Both
Idle-data-attribute (time,flow) : 0, 60
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IP-warning-threshold(Low) : -
IPv6-warning-threshold : -
IPv6-warning-threshold(Low) : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
Multicast-policy : -
Multicast-bandwidth : -
Multicast-bandwidth-level-1 : -
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
IPv6-PPP-NDRA-halt : Disable
IPv6-PPP-NDRA-unicast : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : Enable
Redirect-domain user-group : Enable
Redirect-domain web-url : Enable
Redirect-domain qos-profile : Enable
Redirect-domain accouting-scheme: Enable
Redirect-domain ip-unr-tag : Enable
Reallocate-ip-address : Disable
Cui enable : Disable
Igmp enable : Enable
Pim snooping enable : Enable
L2tp-user radius-force : Disable
Accounting dual-stack : Separate
Radius server domain-annex : -
Dhcp-option64-service : Disable
Parse-separator : -
Parse-segment-value : -
Dhcp-receive-server-packet : -
Http-hostcar : Disable
Public-address assign-first : Disable
Public-address nat : Enable
Dhcp-user auto-save : Disable
IP-pool usage-status threshold : 255 , 255
Select-Pool-Rule : gateway + local priority
AFTR name : -
Traffic-rate-mode : Separate
Traffic-statistic-mode : Separate
Rate-limit-mode-inbound : Car
Rate-limit-mode-outbound : Car
Service-change-mode : Stop-start
DAA Direction : both
Session Volumequota apply direction: both
Soap-server group : -
Nas logic-sysname : -
Multicast-flow separate(L2tp) : No
Accounting exclude-type vlan : -/-
Framed-ip urpf : Enable
Local backup : Enable
EDSG stop accounting merge : disable
EDSG interim accounting merge : disable
EDSG merged interim accounting interval(minute): --
EDSG merged interim accounting hash : disable
Stop dropped flow direction : -
Interval dropped flow direction : -
Edsg family-schedule inbound : Disable
Edsg family-schedule outbound : Disable
Portal redirect-time : 50s
Web apmac mode : Aes128 cbc
Web usermac mode : Aes128 cbc
Portal usermac mode : Aes128 cbc
Layer2 IPoE ip-pool select-mode : Remote
Layer2 PPPoE ip-pool select-mode: Local
Redirect Diffserv Domain : ss1
RA link-prefix : Enable
Ipv6 address assign mode : Circuit-id
access-trigger loose time(minute) :0
access-trigger loose infinite-lease :Enable
IP unr tag :1234
IPoE user ipv6-pd address release policy : Separate
Map priority : MAP-E
Coa-zero-lease Dual-cut : Disable
------------------------------------------------------------------------------
Run the display user-flow-statistics command to view upstream and downstream traffic
statistics of users.
<HUAWEI> display user-flow-statistics
Total Flow Statistics
-------------------------------------------------
Run the display ip-pool usage-status command to view information about public IP address
pool status in all domains.
<HUAWEI> display ip-pool usage-status
-----------------------------------------------------------------------------
Domain name Used Total Ratio(%) Low(%) High(%) Status
isp1 0 2 0 2 100 0
-----------------------------------------------------------------------------
TOTAL: 1
Run the display ip-pool pool-usage command to view address pool usage in all domains.
<HUAWEI> display ip-pool pool-usage
-------------------------------------
Domain name PoolLen Used Ratio
-------------------------------------------
default0 254 0 0%
default1 0 0 0%
default_admin 0 0 0%
wq 0 0 0%
chen 254 0 0%
isp7 65788 0 0%
gaoli 0 0 0%
ly 254 0 0%
test 0 0 0%
lsh 9 1 11%
------------------------------------------
Prerequisites
BAS needs to be configured on the interfaces for static users.
Context
l The IPv4 address allocated to a static user is one of the addresses in the configured address
pool. If the address pool is a local address pool, run the excluded-ip-address command to
prevent the addresses from being allocated to other users.
l If an IPv6 address or IPv6 delegation prefix needs to be allocated from a local address
pool to a static user, configure a local address pool first. If an IPv6 address or IPv6
delegation prefix needs to be allocated from a remote address pool, the remote address
pool does not need to be configured first.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run static-user interface-list list-name
An access interface list is configured for static users.
Step 3 (Optional) Run interface
An access interface for static users is bound to the access interface list.
Step 4 (Optional) Run quit
Return to the system view.
Step 5 Run either of the following commands:
l (Optional) To create a static user and allow the user to go online through a specified
interface, run the static-user [ description ] { start-ip-address [ end-ip-address ]
[ gateway ip-address ] | start-ipv6-address [ end-ipv6-address ] [ delegation-prefix
start-ipv6-prefix [ end-ipv6-prefix ] prefix-length ] ipv6-gateway ipv6-gateway-address}
* [ vpn-instance instance-name ] [ domain-name domain-name | interface { interface-
The arp-trigger or ip-trigger command must be configured on the BAS interface through
which the IPv4 static user goes online.
When configuring an IPv6 address for a static user, run the ipv6-trigger or nd-trigger
command on the interface that the user accesses to trigger the user to get online with the
configured IPv6 address or IPv6 delegation prefix.
NOTE
l IPv4 single-stack static users can go online through multiple interfaces bound to an interface list, but
the NE40E cannot initiate ARP or IP packets for the static users for login. When you configure IPv4
single-stack static users to go online through interfaces bound to an interface list using the
static-user command, the detect and vlan keywords are removed from the command.
l IPv6 static users cannot go online through interfaces bound to an interface list.
----End
Context
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain-name-delimiter delimiter
The domain name delimiter is configured.
Step 4 Run domain-location { after-delimiter | before-delimiter }
The location of the domain name is configured.
----End
Context
Perform the following steps on the Router:
NOTE
l The new password must be at least eight characters long and contain at least two of the following
character types: upper-case letters, lower-case letters, digits, and special characters.
l When configuring an authentication password, select ciphertext mode. In simple text mode the
password is saved in the configuration file in plain text, which is a high risk. To ensure device
security, change the password periodically.
Procedure
l Configuring the generation mode of the user name of an IPoX user and the password of
an IPoX user.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run default-user-name [ template template-name ] include { sysname
[ separator ] | gateway-address separator [ separator ] | ip-address separator
[ separator ] | mac-address { separator | noseparator } [ separator ] | { option82
[ separator | { sub-option sub-option-code [ offset offset ] parse-mode { auto-
identify [ offset ] | string [ length ] | binary length | hex [ length ] { class1 | class2 |
class3 } } [ separator ] } &<1-4> ] | access-line-id [ separator | { circuit-id [ offset
NOTE
For device security, do not keep the default password; change it.
h. Run commit
The configuration is committed.
----End
Context
Perform the following steps on the Router:
Procedure
l Restricting the number of access users in a single VLAN
By default, no more than 3k (3000) users in a single VLAN are allowed to go online. If
more than 3k access users exist in a single VLAN, run the vlan-host-car command to
limit the rate at which user packets with the same VLAN ID are sent to the CPU.
NOTE
The Router supports CAR rate limiting to defend against user attacks. Some CAR functions are
enabled on the Router by default, with default CAR parameter values. For detailed
configuration procedures, see Configuring CAR for CPU-destined User Packets. By default, the
Router sets the CIR to 256 kbit/s, PIR to 256 kbit/s, CBS to 128000 bytes, and PBS to 128000 bytes
for user packets with the same VLAN ID that are sent to the CPU. Therefore, no more than 3k (3072)
users in a single VLAN are allowed to go online.
l Restricting the access of PPP users
a. Run system-view
The system view is displayed.
b. Run ppp-user-slot-warning-threshold threshold-value
The alarm threshold for PPP users allowed to access an interface board is
configured. If the percentage of PPP users currently accessing the interface board
exceeds the threshold, an alarm is generated.
c. Run ppp-user-warning-threshold threshold-value
The alarm threshold for PPP users allowed to access the entire NE40E is
configured. If the percentage of PPP users currently accessing the entire NE40E
exceeds the threshold, an alarm is generated.
d. Run ppp connection chasten [ option105 ] request-sessions request-period
blocking-period [ padi-discard ] [ quickoffline ] or ppp connection chasten
request-sessions request-period blocking-period [ padi-discard ] [ quickoffline ]
[ multi-sessions-permac ]
The number of PPP access attempts is limited.
Restricting the number of access attempts can prevent unauthorized users from
using a brute force attack to crack the password of an authorized user. If a user fails
to pass authentication N times during the specified period, the user account
is frozen for a period of time, thwarting unauthorized users' efforts to crack the
password of the authorized user.
In a scenario in which a large number of users go offline immediately after they go
online, the CPU may be overloaded and the RADIUS server may even go down. To
prevent this problem, you can configure the quickoffline parameter to restrict the
number of times a PPP user goes offline within a specified time. If the PPP user
immediately goes offline after going online request-sessions times within a
request-period, the user account is frozen for blocking-period seconds.
In the system view, this command takes effect on all users that access the NE40E.
In the VLAN view, the command takes effect only on VLAN users that access the
interface where the VLAN resides. If this command is configured in both the
system and VLAN views, the command whose restriction condition is met first
takes effect.
If the maximum number of access users for a MAC address is set to more than 1
using the pppoe-server max-sessions remote-mac command and option105 is not
specified in the ppp connection chasten command, MAC address-based restriction
on the number of connection requests from a PPP user does not take effect. To make
this restriction take effect, specify the multi-sessions-permac parameter. If option105
is specified in the ppp connection chasten command, option105-based restriction on
the number of connection requests from a PPP user takes effect.
e. Run pppoe-server slot-number max-sessions session-number
The maximum number of users that are allowed to access from the interface board
is configured.
f. Run pppoe-server max-sessions remote-mac session-number
The maximum number of users that are allowed to access from a MAC address is
configured.
NOTE
After the maximum number of access users is set to more than 1 using the pppoe-server max-
sessions remote-mac command and option105 is not specified in the ppp connection chasten
command, restriction on the number of connection requests from a PPP user does not take effect.
If option105 is specified in the ppp connection chasten command, restriction on the number of
connection requests from a PPP user takes effect.
g. Run pppoe-server same-user forbid
The device is enabled to deny a user's login request when another user with the same
MAC address has already gone online from the same physical location. This function
applies when each MAC address maps to a unique session.
h. Run aaa
The function of the device to check whether a login request from a PPP user
contains a user name and to deny the request if it does not contain a user name is
configured.
j. Run commit
To balance the traffic load of users among different boards and interfaces, configure the
maximum number of IP addresses for PPP users allowed to log in from a specified board
or BAS interface. When the number of PPP users reaches this maximum, the board or
interface stops responding to the PADO packets of PPP users, and no additional users can
log in.
The configuration applies only to PPPoE and L2TP users. A single-stack user is counted
as one user, and a dual-stack user is counted as two users. When the number of logged-in
PPP users reaches the maximum value configured on a BAS interface or board, the
interface or board stops responding to PADO packets from new PPP users.
If the number of PPP users logging in from a BAS interface reaches the maximum
number of IP addresses for PPP users configured on the board, the BAS interface stops
responding to PADO packets from new PPP users. BAS interfaces configured with
exclude, however, are not subject to this limit.
a. Run system-view
The system view is displayed.
b. Run slot slot-id
The slot view is displayed.
c. Run access-ip-limit max-number user-type ppp
The number of IP addresses for PPP users is configured on a board.
d. Run quit
The system view is displayed.
e. Run interface interface-type interface-number
The interface view is displayed.
f. Run bas
The bas interface view is displayed.
g. Run access-type layer2-subscriber [ bas-interface-name name | default-domain
{ pre-authentication domain-name | authentication [ force | replace ] domain-
name } * | accounting-copyradius-server radius-name ] *
The access type is set to Layer 2 subscriber access and the attributes of this access
type are configured.
h. Run access-ip-limit max-number user-type ppp [ exclude ]
The number of IP addresses for PPP users is configured on a BAS interface.
i. Run commit
The configuration is committed.
l Restricting the number of users' access packets
If the device is attacked with a large number of ARP/IP/IPv6/ND packets, or unauthorized
users repeatedly send ARP/IP/IPv6/ND packets to go online, the CPU usage of the MPU becomes
high. To limit the number of ARP/IP/IPv6/ND packets that can be sent to the MPU, run the
access trigger packet-limit command so that the device discards packets that exceed the
configured limit.
a. Run system-view
The system view is displayed.
b. Run slot slot-id
The slot view is displayed.
c. Run access trigger packet-limit packets-num time seconds
The number of ARP/IP/IPv6/ND packets that can be sent to the MPU is configured
on a board.
d. Run quit
The system view is displayed.
e. Run commit
The alarm threshold for DHCP users allowed to access an interface board is
configured. If the percentage of DHCP users currently accessing the interface board
exceeds the threshold, an alarm is generated.
c. Run dhcp-user-warning-threshold threshold-value
The alarm threshold for DHCP users allowed to access the entire NE40E is
configured. If the percentage of DHCP users currently accessing the entire NE40E
exceeds the threshold, an alarm is generated.
d. Run dhcp connection chasten { authen-packets authen-packets | request-packets
request-packets } * check-period check-period restrain-period restrain-period
[ slot slotid ]
The alarm threshold for users allowed to access an interface board is configured. If
the percentage of users currently accessing the interface board exceeds the
threshold, an alarm is generated on the Router.
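The ppp connection chasten and dhcp connection chasten commands above both describe the same counter: a client that produces a given number of qualifying events (failed authentications, quick online/offline cycles, DHCP request or authentication packets) within a check period is frozen for a restraint period. The following model, added here as an illustration and not Huawei's code, shows that sliding-window logic on a constructed event log; the class and function names are hypothetical, and the assumption that the event reaching the threshold is itself still processed is this model's choice, not a statement about the device.

```python
# Added example (not Huawei's code): a model of the "connection chasten"
# counters described in the text. All names are hypothetical.
from collections import deque


class ConnectionChasten:
    """Per-client attempt limiter.

    A client that produces `max_attempts` qualifying events within any
    `check_period` seconds is frozen for `restrain_period` seconds; while
    frozen, every further attempt is rejected. The event that reaches the
    threshold is still processed (an assumption made for this model).
    """

    def __init__(self, max_attempts, check_period, restrain_period):
        if max_attempts < 1 or check_period <= 0 or restrain_period <= 0:
            raise ValueError("all limits must be positive")
        self.max_attempts = max_attempts
        self.check_period = check_period
        self.restrain_period = restrain_period
        self._window = {}        # key -> deque of event timestamps in the window
        self._frozen_until = {}  # key -> time at which the freeze expires

    def frozen_until(self, key):
        """Expiry time of the client's freeze, or None if it is not frozen."""
        return self._frozen_until.get(key)

    def handle(self, key, now):
        """Record one attempt from `key` at time `now`; return 'accept' or 'blocked'."""
        until = self._frozen_until.get(key)
        if until is not None:
            if now < until:
                return "blocked"
            # Freeze expired: the client starts again with a clean window.
            del self._frozen_until[key]
            self._window.pop(key, None)

        window = self._window.setdefault(key, deque())
        window.append(now)
        # Drop events that have fallen out of the sliding check period.
        while window and now - window[0] >= self.check_period:
            window.popleft()

        if len(window) >= self.max_attempts:
            self._frozen_until[key] = now + self.restrain_period
            self._window.pop(key, None)
        return "accept"


def run_events(limiter, events):
    """Feed (timestamp, client_key) pairs through the limiter; return the verdicts."""
    return [limiter.handle(key, t) for t, key in events]


# Constructed sample log: one client retrying rapidly, one well-behaved client.
# Limits used below: 3 attempts within 10 s freeze the client for 60 s.
SAMPLE_EVENTS = [
    (0.0, "00:11:22:33:44:55"),
    (1.0, "00:11:22:33:44:55"),
    (2.0, "00:11:22:33:44:55"),   # third attempt within 10 s: frozen until t=62
    (3.0, "00:11:22:33:44:55"),   # rejected while frozen
    (5.0, "aa:bb:cc:dd:ee:ff"),   # unrelated client is unaffected
    (61.0, "00:11:22:33:44:55"),  # still frozen
    (62.5, "00:11:22:33:44:55"),  # freeze expired, accepted again
]


def demo():
    """Run the constructed sample through the limiter and return the verdicts."""
    limiter = ConnectionChasten(max_attempts=3, check_period=10, restrain_period=60)
    return run_events(limiter, SAMPLE_EVENTS)


if __name__ == "__main__":
    for (t, key), verdict in zip(SAMPLE_EVENTS, demo()):
        print(f"t={t:5.1f} {key} {verdict}")
```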
l Restricting the access response delay
a. Run system-view
The access response delay function is enabled, and the maximum and minimum
access response delays are set.
NOTE
If the access response delay function is configured globally and on a BAS interface, the
configuration on the interface rather than the global configuration takes effect.
The access response delay depends on the number of access users and on the
configured parameters: the step, the maximum access response delay, and the
minimum access response delay.
n Divide the number of access users by the step, take the integer part of the
result, and add it to the minimum access response delay. If this value is
smaller than or equal to the maximum access response delay, the access
response delay for the users is this value multiplied by 10 ms.
n If the value obtained in this way is greater than the maximum access response
delay, the access response delay for the users is the maximum access
response delay multiplied by 10 ms.
Assume that the step is 3000, the maximum access response delay is 7, and the
minimum access response delay is 3. Then, the delay for access users numbered 0
to 2999 is 3 x 10 ms; the delay for access users numbered 3000 to 5999 is 4 x 10
ms; the delay for access users numbered 6000 to 8999 is 5 x 10 ms; the delay for
access users numbered 9000 to 11999 is 6 x 10 ms; and the delay for access users
numbered 12000 to 14999, as well as for all users after 14999, is 7 x 10 ms.
d. Run quit
The system view is displayed.
e. (Optional) Run access delay load-balance group groupname [ delay-time ]
A load balancing group for BAS interfaces is configured.
If two devices with the same configuration are deployed, users can go online from
any of the two devices that work in master/backup mode. If load balancing groups
are configured on both the master and backup devices, run the access delay load-
balance group group-name delay-time command to configure a response delay
policy for the load balancing group on the backup device. In this way, even if an
interface on the backup device is selected in a Hash operation, the interface will not
respond to user login requests until the time specified by delay-time elapses. This
ensures that users go online preferentially through an interface on the master device.
Users will go online through an interface on the backup device only when the
master device is faulty.
f. Run interface interface-type interface-number
The interface view is displayed.
g. Run bas
A BAS interface is created, and the BAS interface view is displayed.
h. (Optional) Run access-delay delay-time load-balance-group group-name
The BAS interface is added to the load balancing group. After the configurations
are complete, BAS interfaces in the load balancing group either immediately
respond to or delay responding to the received login requests for a configured
period of time in accordance with MAC-address-based Hash results to implement
inter-board load balancing.
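The access response delay rule in this section (integer part of users divided by step, plus the minimum delay, capped at the maximum delay, in units of 10 ms) is worked through below for the document's own figures. This is an added example, not Huawei's code; the function names are hypothetical, and the band helper goes one step beyond the text by deriving the user-count ranges for any step, minimum and maximum.

```python
# Added example (not Huawei's code): the access response delay rule from the
# text, plus a helper that lists the user-count bands it produces.
# Function names are hypothetical.


def response_delay_ms(user_count, step, min_delay, max_delay):
    """Delay, in milliseconds, applied to the user_count-th access user.

    Rule from the text: take the integer part of user_count / step, add the
    minimum delay, cap the result at the maximum delay; the result is in
    units of 10 ms.
    """
    if step <= 0:
        raise ValueError("step must be positive")
    if user_count < 0:
        raise ValueError("user_count must be non-negative")
    value = min_delay + user_count // step
    return min(value, max_delay) * 10


def delay_bands(step, min_delay, max_delay):
    """Return (first_user, last_user, delay_ms) bands.

    last_user is None for the open-ended top band, where the cap applies.
    """
    if step <= 0:
        raise ValueError("step must be positive")
    if min_delay >= max_delay:
        # The cap already applies to the very first user.
        return [(0, None, max_delay * 10)]
    bands = []
    for k in range(max_delay - min_delay):
        bands.append((k * step, (k + 1) * step - 1, (min_delay + k) * 10))
    # Every user from (max_delay - min_delay) * step upward hits the cap.
    bands.append(((max_delay - min_delay) * step, None, max_delay * 10))
    return bands


# The document's own figures: step 3000, minimum 3, maximum 7.
DOC_STEP, DOC_MIN, DOC_MAX = 3000, 3, 7

if __name__ == "__main__":
    for lo, hi, ms in delay_bands(DOC_STEP, DOC_MIN, DOC_MAX):
        upper = "and above" if hi is None else f"to {hi}"
        print(f"users {lo} {upper}: {ms} ms")
```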
The user packets of a specific type are strictly checked by the Router.
l Configure a device to dynamically adjust the number of access users based on the system
status.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run access-speed adjustment system-state enable [ strict-check ]
The device is configured to adjust the user access rate based on the system status.
d. Run access-speed adjustment system-state threshold { main-cpu-usage | main-
memory-usage | access-usage | slot-cpu-usage | slot-memory-usage | ppp-cpcar-
drop | ppp-receive-queue | pppoe-receive-queue | l2tp-queue | dhcp-slot-queue }
alarm threshold-value resume threshold-value
The system status thresholds for decreasing and restoring the user access rate are
configured.
e. Run access-speed adjustment system-state user-type { { dhcp | pppoe | ipv4-
trigger | ipv6-trigger | dot1x } * | none }
The type of users for whom the device adjusts the user access rate based on the
system status is configured.
f. Run access-speed adjustment system-state time interval adjust-interval delay-
count adjust-delay-count [ slot ]
An interval at which the system status is detected for adjusting the user access rate
and the minimum number of detection intervals after which the user access rate is
increased are configured.
g. Run commit
The configuration is committed.
l Configure the device to preferentially allocate CPU resources to users who request to go
online.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run access-speed adjustment edsg-queue enable
The device is enabled to preferentially allocate CPU resources to users who request
to go online and temporarily delay the activation of EDSG services that enter the
activation queue.
l Configure the alarm and clear alarm function for the user resource and CPU usage.
a. Run system-view
The system view is displayed.
b. Run access-user exhaust warning enable
The system is enabled to generate an alarm when the user resource or CPU usage
reaches the alarm threshold or generate a clear alarm when the user resource or
CPU usage falls below the clear alarm threshold.
c. Run access-user exhaust threshold-alarm { main-resource-usage | slot-resource-
usage | main-cpu-usage | slot-cpu-usage } upper-limit upper-limit lower-limit
lower-limit
The alarm and clear alarm thresholds for the user resource or CPU usage are
configured.
d. Run commit
The configuration is committed.
----End
Context
When connections are cut off by user name and authentication mode, all connections that
satisfy the condition are cut off at the same time.
NOTE
You can cut off the connection with a user with a specified user name, in a specified domain, on a
specified interface, whose IP address is in a specified IP address pool, whose IPv6 address is in a
specified IPv6 address pool, or the combination of them. For example, you can cut off the connection
with an access user whose IP address is in IP address pool 1, on GE 1/0/0, and in domain 1 using the cut
access-user interface gigabitethernet 1/0/0 domain dom1 ip-pool pool1 command.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run cut access-user username user-name { all | hwtacacs | local | none | radius | radius-
proxy }
The online user with the specified user name is disconnected.
Or run cut access-user domain domain-name
The online users in the specified domain are disconnected.
Or run cut access-user mac-address mac-address
The online user with the specified MAC address is disconnected.
Or run cut access-user ipv6-address ipv6-address [ vpn-instance instance-name ]
The online user with the specified IPv6 address is disconnected.
Or run cut access-user ip-address ip-address [ vpn-instance instance-name ]
The online user with the specified IP address is disconnected.
Or run cut access-user interface interface-type interface-number [ pevlan vlan-id ] [ cevlan
vlan-id ]
The online users on the specified interface are disconnected.
Or run cut access-user user-id start-no [ end-no ]
The online user with the specified user ID is disconnected.
Or run cut access-user ip-pool pool-name
The online users using the IP addresses in the specified IP address pool are disconnected.
Or run cut access-user slot slot-id
All users on the board in the specified slot are disconnected.
Or run cut access-user ipv6-pool pool-name
All users in the specified IPv6 address pool are disconnected.
Or run cut access-user ipv6-prefix prefix-address/prefix-length
The online users using the specified IPv6 prefix are disconnected.
Or run cut access-user authen-method authen-method-type
The online users using the specified authentication mode are disconnected.
Step 4 Run user-queue-resource allocate-fail offline
The policy when user queue resources fail to be allocated is configured.
Step 5 (Optional) Configure the device to forcibly log out a dual-stack user if the user releases any IP
address.
1. Run domain domain-name
The domain view is displayed.
2. (Optional) Run any-address-release offline
The device is configured to forcibly log out a dual-stack user when the user releases an
IP address.
This command applies to only PPPoX and L2TP users.
----End
Context
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Enable the function to generate user login failure and logout records.
1. Run aaa offline-record
The function to generate logout records is enabled.
2. Run aaa online-fail-record
The function to generate login failure records is enabled.
3. Run aaa abnormal-offline-record
The function to generate abnormal logout records is enabled.
4. Run aaa normal-offline-record
The function to generate normal logout records is enabled.
Step 3 (Optional) Enable the function to save user login failure and logout records to a local file.
1. Run save aaa online-fail-record
User login failure records are saved to a local file.
----End
Context
After the function to generate and send logs about user logins, logouts, and online results is
enabled on the Router, the device records information when users successfully log in or log
out. The information includes user names, login and logout operations, login and logout time,
access interfaces, and user IP and MAC addresses.
Additionally, the Router can send the logs to a log server, allowing network maintenance
personnel to query logs on the log server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip userlog { access | call-status } export host ip-address udp-port
An IP address and UDP port number are set for the log server that is used to receive logs
about user logins, logouts, and online results.
Step 3 Run ip userlog access export version
The version number of packets used to send user login and logout logs is set.
Step 4 Run ip userlog access send format syslog
The format for sending user login and logout logs is set.
----End
Result
l After configuring the function to generate and send logs about user logins, logouts, and
online results, run the display ip userlog access config command to check the
configurations of the function.
l After users log in or out successfully, run the display ip userlog access statistic
command to check statistics about user login and logout logs.
NOTE
To re-collect log statistics about user logins, logouts, and online results, run the reset ip userlog
statistics access command to clear the existing statistics.
Statistics about user login, logout, and online result logs cannot be restored after they are cleared.
Therefore, exercise caution when running this command.
l After configuring the function to generate and send logs about user logins, logouts, and
online results, run the display ip userlog buffer access command to check control block
information and user access information stored in the buffer area where the user logs are
recorded.
Context
Perform the following steps on the Router:
Procedure
Step 1 Run trace access-user object object-id { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | ce-vlan ce-vlan-id | pe-vlan pe-vlan-id | ipv6-address ipv6-address/prefixlength | user-name user-name | tunnel-id tunnel-id | access-mode { pppoe | pppoa | pppoeoa | ipoe | ipoeoa } } * [ output { file file-name | syslog-server ip-address | vty } | [ -t time ] | mode packet | flow-report ] *
Or run trace access-user object object-id { circuit-id text | remote-id text } * { exact-match | partial-match }
Or run trace access-user object object-id calling-number [ output { file file-name | syslog-server ip-address | vty } ] [ mode packet ] [ -t time ] [ | include ] calling-number-content text
Or run trace access-user object object-id { circuit-id text | remote-id text } * { exact-match | partial-match } [ output { file file-name | syslog-server ip-address | vty } | -t time | mode packet | flow-report ] *
----End
Context
Perform the following steps on the NE40E:
NOTE
l The new password is at least eight characters long and contains at least two of upper-case letters,
lower-case letters, digits, and special characters.
l When configuring an authentication password, select the ciphertext mode because the password is
saved in configuration files in simple text if you select simple text mode, which has a high risk. To
ensure device security, change the password periodically.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-test-group radius-test-group-name
The RADIUS server test template is configured.
Step 3 Run include [ authentication | accounting ] radius-attr-name { radius-attribute-value |
auto }
The RADIUS attribute is configured to be sent along with the RADIUS server test template.
Step 4 Run exclude [ authentication | accounting ] radius-attr-name
The RADIUS attribute is configured not to be sent along with the RADIUS server test
template.
----End
Follow-up Procedure
You can run the test-aaa user-name password [ password random [ random1 random2 ] timestamp [ timestamp1 timestamp2 ] ] radius-group group-name [ chap | pap ] [ test-group test-group-name ] command to locate a fault by checking whether a user can pass the authentication of the RADIUS server group.
Prerequisites
Getting online triggered by IP/ARP packets has been enabled on a BAS interface.
Context
By default, the user information backup table cannot be queried within two hours after the
NE40E restarts due to an exception, but users that were online before the restart can still get
online by using IP/ARP packets. You can run the access-trigger command to change the period
during which users can get online in loose mode. This prevents the situation in which users
that have gone offline can get online again only after lease renewal fails (that is, after the
lease expires) or after their terminals restart. To change the getting online period in loose
mode, perform the following steps on the NE40E:
Procedure
l Configure user access in loose mode in the AAA view.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run access-trigger loose { loose-time | all-time }
The period during which users can get online in loose mode after the system restarts
is set.
By default, users can get online in loose mode within 120 minutes after the system
restarts.
After this command is executed, the filtering function of the user information
backup table does not take effect, and IP/ARP packets sent by users will trigger
getting online requests. As a result, the NE40E needs to process a large number of
getting online request packets, which uses a lot of resources and affects normal
users' access.
After the NE40E restarts, a large number of request packets will increase the
pressure on the DHCP server and RADIUS server.
d. Run access-trigger loose infinite-lease
Users with an infinite lease are enabled to go online by sending IP/ARP packets
when no abnormal logout backup entry is generated.
l Configure user access in loose mode in the AAA domain view.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
NOTE
If the period is configured both in the AAA view and AAA domain view, the configuration
with a longer period takes effect.
e. Run access-trigger loose infinite-lease
Users with an infinite lease in the authentication domain bound to the BAS interface
are enabled to go online by sending IP/ARP packets when no abnormal logout
backup entry is generated.
----End
Context
When an interface goes Down due to an interface fault or a direct link fault, the users on the
interface are logged out. When the interface recovers and goes Up, the users go online
through the interface again. If an interface constantly goes Up and Down due to an interface
fault or a direct link fault, the users also go online and offline through the interface constantly.
To address this problem, run the user-policy interface-down command to configure a policy
for online users when an interface goes Down. The policy can be forcibly logging out the
users or keeping the users online.
Procedure
l Configure globally whether to log out users when an interface goes Down.
a. Run system-view
The system view is displayed.
b. Run user-policy interface-down { offline | online }
A policy is configured and applied to online users when an interface goes Down.
The policy can be forcibly logging out the users or keeping the users online.
l Configure whether to log out users on an interface when the interface goes Down.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
c. Run commit
The configuration is committed.
d. Run bas
The BAS interface view is displayed.
NOTE
l If the user-policy interface-down command is configured in both the system view and the
BAS interface view, the BAS interface view configuration decides whether users are logged out
when that BAS interface goes Down, and the system view configuration decides whether users
are logged out when any other BAS interface goes Down.
l After you run the user-policy interface-down online command to keep users online when an
interface goes Down, the detection mechanisms configured for users, including the ARP probe
and PPP keepalive, still take effect. If such detection fails, the users are forcibly logged out.
e. Run commit
----End
Usage Scenario
In a Dynamic Host Configuration Protocol version 4 (DHCPv4) user access scenario, when
the Router is restarted or its board, subcard, or interface is faulty, DHCPv4 users are logged
out and their information is lost. If a DHCPv4 client does not detect the fault, the DHCPv4
client does not resend a DHCP request packet to the Router or redial up after the fault is
rectified. As a result, the DHCPv4 user cannot go online again. To address this problem,
configure automatic user login. Specifically, save user information automatically before any
fault occurs and allow the users to go online automatically after the fault is rectified.
If the Router is powered off and restarted, user information saved in the high-end memory
will be lost. Before the Router is powered off, write the user information saved in the high-
end memory to the CF card. After the Router is restarted, restore the user information saved in
the CF card to the high-end memory.
NOTE
The following DHCPv4 user information is saved: MAC address, IP address, VLAN/PVC, access
interface, VPN instance name, domain name, lease, Option 82, Option 60, Option 61, and IP address of
the DHCPv4 server. The DHCPv4 user information is used only when the DHCPv4 users go online
automatically. To ensure security, do not save DHCPv4 user information in the CF card for a long time
and clear it in time.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run access-user dhcp auto-save enable max-user-number max-user-number
Automatic backup of DHCPv4 user information is enabled globally, and the maximum
number of DHCPv4 users whose information can be backed up in all domains is specified.
NOTE
The device backs up information about at most the configured maximum number of DHCPv4 users in
all domains. Any excess DHCPv4 user information is not backed up. Set max-user-number to the total
number of DHCPv4 users whose information needs to be backed up in all domains.
The access-user dhcp auto-save command applies for a memory space based on the maximum number
of DHCPv4 users. If the command cannot apply for the size of contiguous memory space, the command
fails to be executed, and automatic backup of DHCPv4 user information is disabled.
l If slow is configured, the maximum rate at which DHCPv4 users automatically go online
after the Router recovers from a fault is 100/s.
l If normal is configured, the maximum rate at which DHCPv4 users automatically go
online after the Router recovers from a fault is 300/s.
l If fast is configured, the maximum rate at which DHCPv4 users automatically go online
after the Router recovers from a fault is 500/s.
Step 11 To allow users to go online automatically after the device is powered off and restarted,
perform the following operations additionally:
1. Before the device is powered off, run access-user dhcp save-file file-path-name
DHCPv4 user information saved in the high-end memory is written to the CF card, and
the directory and file name are specified.
If there is a large amount of DHCPv4 user information saved in the high-end memory, it
takes a long time for the access-user dhcp save-file command to write the information
to the CF card, which may affect services. Exercise caution when you run this command.
----End
Run the display access-user auto-save statistics command to check statistics about DHCPv4
user information saved in the high-end memory.
[HUAWEI] display access-user auto-save statistics
Max backup user number : 64000
Current valid item number : 14
Current online user number : 14
Current wait-recover user number : 0
Version of user-backup-table : V3.0
Context
By default, a device can only collect user traffic statistics based on inner or outer VLAN IDs
on interfaces. To allow the device to collect user traffic statistics based on inner or outer
VLAN IDs on the entire device, enable user traffic statistics collection based on inner or outer
VLAN IDs on the device.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run access user-flow-statistics enable
User traffic statistics collection is enabled based on inner or outer VLAN IDs on the device.
Step 3 Run commit
The configuration is committed.
----End
Result
l After PPPoE users go online through QinQ VLAN tag termination sub-interfaces and
any is specified for inner VLAN tags, which means that packets carrying any inner
VLAN tags are forwarded, you can run the display access user-flow-statistics
configuration or display vlan-statistics pevlan command to check user traffic
collection configuration or user traffic statistics on a device.
l To collect user traffic statistics in a coming period, run the reset vlan-statistics pevlan
command to clear the existing statistics based on a specified inner or outer VLAN ID.
The system then starts to collect user traffic statistics about the specified inner or outer
VLAN ID from zero. After a specified period elapses, run the display vlan-statistics
pevlan command to view the newly collected statistics.
Context
The system detects the number of users on interfaces at configured intervals. A board fault can
cause a large number of users to fail to go online if no backup protection is configured on a
physical interface (sub-interfaces included) or an intra-board Eth-Trunk interface (sub-
interfaces included), or if access response delay based on odd and even MAC addresses is
configured but the load is unbalanced (for example, because the delay fails to take effect due
to an interface fault). Therefore, configure the alarm function to prevent impact on user
services.
Perform the following steps on the Router.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run access_backup-check detect-interval detect-interval detect-count detect-count fail-count fail-count
The backup detection interval and number of detections are configured.
Step 4 Run access_backup-check interface-type { eth-trunk | GigabitEthernet | GigabitEthernet10GE | GigabitEthernet100GE } minor-trap-usernum minor-trap-usernum major-trap-usernum major-trap-usernum
The minor and major alarm thresholds for the number of users on an interface with no backup
protection configured are configured.
----End
Procedure
l Run the display static-user command to check information about static users.
l Run the display aaa configuration command to check the configuration of the user
account parsing function.
l Run the display vlanpvc-to-username command to check the configuration of the
format of the IPoX user name.
l Run the display call rate command to check the put-through rate of all types of users.
l Run the display access trigger user-table command to check information about users
whose access packets are limited on a board.
l Run the display access-ip-number { interface interface-type interface-number | slot
slot-id }* user-type ppp command to check the configuration of the number of IP
addresses for PPP users who log in from a specified interface or a specified board.
l Run the display trace access-user object [ object-id ] command to display the
configurations of all the service objects to be traced or service objects with specified IDs.
l Run the display aaa online-fail-record dhcp statistics command to check user login
failure records.
l Run the display access delay load-balance [ group group-name ] command to check
information about a configured load balancing group.
----End
Example
After the configuration is complete, you can run the display static-user command to view
information about static users.
<HUAWEI> display static-user
---------------------------------------------------------------------------
Interface   VLAN-ID  IP-address       MAC-address  VPN  IPv6-address  IPv6-delegation-prefix
---------------------------------------------------------------------------
GE2/0/3.1   1/1      10.255.255.241   -            -    -             -
GE2/0/3.1   1/1      10.255.255.249   -            -    -             -
---------------------------------------------------------------------------
Total 2 item(s) matched
After the configuration is complete, you can run the display aaa configuration command to
view the configuration of the user account parsing function.
<HUAWEI> display aaa configuration
---------------------------------------------------------------------------
AAA configuration information :
---------------------------------------------------------------------------
Parse Priority : Domain first
Domain Name Delimiter : @
Domainname parse direction : Left to right
Domainname location : After-delimiter
Realm name delimiter : -
Realmname parse direction : Left to right
Realmname location : Before-delimiter
Domain : total: 1024 used: 6
Authentication-scheme : total: 32 used: 3
Authorization-scheme : total: 32 used: 1
Accounting-scheme : total: 256 used: 3
Recording-scheme : total: 128 used: 0
AAA-access-user : total: 279552 used: 0
Access-user-state : authen: 0 author: 0 accounting: 0
Transition-step : -
Min-Delay-time : -
Max-Delay-time : -
Access speed : -
Offline speed : 256(/s)
Account-session-id-version : Version1
Remote-download configuration :
Remote user-group : enable
Remote user-group check interval: 10
Remote acl : enable
Edsg update-user-ip-acct : enable
-------------------------------------------------------------------
After the configuration is complete, you can run the display vlanpvc-to-username command
to view the configuration of the format of the IPoX user name.
<HUAWEI> display vlanpvc-to-username
Version of vlan and pvc model in username : Version2.0
After the configuration is complete, you can run the display call rate command to view the
put-through rate of all types of users.
<HUAWEI> display call rate
User callrate:
--------------------------------------------------------
Usertype Calltime Callcompletion Rate
--------------------------------------------------------
PPP 127 127 100.00%
Dot1X 324 324 100.00%
Web/Fast 7 7 100.00%
Bind 0 0 0.00%
Total 458 458 100.00%
After the configuration is complete, you can run the display access trigger user-table
command to view information about users whose access packets are limited on the board in
slot 1.
<HUAWEI> display access-trigger user-table slot 1
-------------------------------------------------------------------------------------------------------------------
User Mac address :0008-0201-0101
Access Interface :GigabitEthernet0/1/1.1
Access Pevlan/CeVlan:405/-
IPV4:
User IP address :10.1.1.4
Start Limit Time :2013-10-24 16:07:55
Pass Packet :28
Drop Packet :0
# After the configuration is complete, you can run the display trace access-user object
command to display the configurations of all the service objects to be traced or service objects
with specified IDs.
<HUAWEI> display trace access-user object 1
Object ID : 1
MAC Address : 0001-0001-0001
Output to VTY
Aging time : 15
Flow Report : Enable
Object ID : 2
MAC Address : 0001-0001-0002
Output to VTY
Aging time : 15
Flow Report : Enable
--------------------------
# After the configuration is complete, you can run the display aaa online-fail-record dhcp
statistics command to check user login failure records.
<HUAWEI>display aaa online-fail-record dhcp statistics
------------------------------------------------------------------------------------------------
DHCPv4 online failures : 10
DHCPv6 online failures : 10
------------------------------------------------------------------------------------------------
# After the configuration is complete, you can run the display access delay load-balance
command to check information about a configured load balancing group.
<HUAWEI> display access delay load-balance group huawei
Group-name:huawei Member-count:2
Active-count:2 Delay-time:0
-------------------------------------------------------------------------
Member-InterfaceName Number DelayTime Count Chasten UpDownTime
-------------------------------------------------------------------------
GigabitEthernet1/0/1.1 0 20 0 0 -
GigabitEthernet2/0/1.1 1 20 0 0 -
-------------------------------------------------------------------------
Context
Statistics cannot be restored after you clear them. Exercise caution when running the
command.
Procedure
l Run the reset radius statistics packet command in the system view to clear statistics
about the RADIUS server.
l Run the reset aaa statistics { authentication | accounting } [ domain domain-name ]
command in any view to clear statistics about authentication or accounting packets.
l Run the reset radius-attribute packet-count command in the user view to clear the
number of times an attribute occurs in a RADIUS packet.
l Run the reset aaa remote-download acl statistics [ classifier classifier-name | slot slot-
id ] command in the user view to clear dynamic ACL statistics delivered by the RADIUS
server.
l Run the reset radius-server accounting-packet all command in the user view to clear
all accounting packets from a cache queue.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run sub-reason start-reason [ end-reason ] mapping mapping-reason
Refined login failure or logout sub-reasons are mapped to a general sub-reason.
----End
Networking Requirements
As shown in Figure 6-2, users access the network through Device A and belong to the domain
named huawei. Device B functions as the access server for the destination network. To access
the destination network, the users have to traverse the network where Device A and Device B
reside and pass remote authentication on the access server. After that, the users can access
the network through Device B. Remote authentication is implemented on Device B as follows:
l The RADIUS server performs authentication and accounting for access users.
l The RADIUS server at 10.7.66.66/24 functions as the primary authentication and
accounting server. The RADIUS server at 10.7.66.67/24 functions as the secondary
authentication and accounting server. The default port numbers for authentication and
accounting are 1812 and 1813 respectively.
Figure 6-2 Networking diagram of performing authentication and accounting for users by
using RADIUS (figure: users in domain huawei reach Device A, then Device B, then the network;
RADIUS servers 10.7.66.66/24 and 10.7.66.67/24; destination network)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server group, an authentication scheme, and an accounting scheme
on Device B.
2. Apply the RADIUS server group, authentication scheme, and accounting scheme on
Device B to the domain.
NOTE
For administrators, the domain must be the default domain default_admin of administrators. If you
want users from another domain to log in as administrators, run the adminuser-priority command in
this domain. For BAS access users, the domain must be the authentication domain of BAS access users.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the primary (secondary) RADIUS authentication server
l IP address of the primary (secondary) RADIUS accounting server
Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, and an accounting scheme.
# Configure a RADIUS server group named shiva.
<Device> system-view
[~Device] radius-server group shiva
# Configure the IP addresses and port numbers of the primary RADIUS authentication
and accounting servers.
[*Device-radius-shiva] radius-server authentication 10.7.66.66 1812
[*Device-radius-shiva] radius-server accounting 10.7.66.66 1813
# Configure the IP addresses and port numbers of the secondary RADIUS authentication
and accounting servers.
[*Device-radius-shiva] radius-server authentication 10.7.66.67 1812
[*Device-radius-shiva] radius-server accounting 10.7.66.67 1813
# Set the shared key and the number of retransmission attempts for the RADIUS server.
[*Device-radius-shiva] radius-server shared-key-cipher it-is-my-secret1
[*Device-radius-shiva] radius-server retransmit 2
[*Device-radius-shiva] commit
[~Device-radius-shiva] quit
Step 2 Configure a domain named huawei and apply authentication scheme 1, accounting scheme 1,
and RADIUS server group shiva in the domain.
[~Device-aaa] domain huawei
[*Device-aaa-domain-huawei] authentication-scheme 1
[*Device-aaa-domain-huawei] accounting-scheme 1
[*Device-aaa-domain-huawei] radius-server group shiva
[*Device-aaa-domain-huawei] commit
Run the display radius-server configuration group shiva command on the Router, and you
can see that the configurations of the RADIUS server group meet the requirements.
<Device> display radius-server configuration group shiva
-------------------------------------------------------
Server-group-name : shiva
Authentication-server: IP:10.7.66.66 Port:1812 Weight[0] [UP]
Vpn: -
Authentication-server: IP:10.7.66.67 Port:1812 Weight[0] [UP]
Vpn: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Accounting-server : IP:10.7.66.66 Port:1813 Weight[0] [UP]
Vpn: -
Accounting-server : IP:10.7.66.67 Port:1813 Weight[0] [UP]
Vpn: -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Protocol-version : radius
Shared-secret-key : ******
Retransmission : 2
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
Traffic-unit : B
ClassAsCar : NO
User-name-format : Domain-included
Option82 parse mode : -
Attribute-translation: NO
Packet send algorithm: Master-Backup
Tunnel password : cipher
Run the display domain domain-name command on the Router, and you can view the
configurations of the domain.
<Device> display domain huawei
------------------------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : 1
Accounting-scheme-name : 1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
Ancp auto qos adapt : Disable
RADIUS-server-template : shiva
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Quota-out : Offline
------------------------------------------------------------------------------
----End
Configuration Files
#
sysname Device
#
radius-server group shiva
radius-server authentication 129.7.66.66 1812 weight 0
radius-server authentication 129.7.66.67 1812 weight 0
radius-server accounting 129.7.66.66 1813 weight 0
radius-server accounting 129.7.66.67 1813 weight 0
radius-server shared-key-cipher %^%#h{FXVBLZX9#`VI]EWUUaOSHGd5E!.1DGeVYEie=%^%
radius-server retransmit 2
#
aaa
authentication-scheme 1
authentication-mode radius
#
authorization-scheme default
#
accounting-scheme 1
accounting-mode radius
#
domain huawei
authentication-scheme 1
accounting-scheme 1
radius-server group shiva
#
return
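The exchange that the RADIUS server group above sets up, as an added Python example (not Huawei's code and not part of this guide). It models what the Router does once radius-server group shiva is bound to the domain: build a PAP Access-Request, hide the User-Password with the shared key and the per-request Request Authenticator (RFC 2865 section 5.2), and accept an Access-Accept or Access-Reject only if its Response Authenticator verifies under the same key. The server address 10.7.66.66 port 1812 and the shared key it-is-my-secret1 are taken from the configuration example; the NAS address, user name, password and user table are constructed sample values, and the "server" runs in memory with no network I/O.

```python
import hashlib
import os
import struct

# Shared key from the configuration example above (radius-server shared-key-cipher).
# The primary server it protects traffic to is 10.7.66.66:1812 in that example.
SHARED_SECRET = b"it-is-my-secret1"
NAS_IP = "192.0.2.1"            # constructed sample NAS address, not on the page

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; Length covers the header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-octet header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """NAS side: build a PAP Access-Request; returns (packet, request_authenticator)."""
    request_auth = request_auth or os.urandom(16)   # fresh and unpredictable per request
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, identifier, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, identifier, request_auth, secret):
    """NAS side: discard a reply whose identifier, length or Response Authenticator is wrong."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != identifier or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return expected == packet[4:20]


def exchange(username, password, user_db, server_secret=SHARED_SECRET):
    """One in-memory request/response; returns (reply_verified, access_accepted).
    user_db is a constructed {user: password} table standing in for the server's store."""
    request, request_auth = build_access_request(42, username, password, SHARED_SECRET, NAS_IP)
    attrs = parse_attrs(request)
    revealed = reveal_password(attrs[ATTR_USER_PASSWORD], server_secret, request_auth)
    ok = user_db.get(attrs[ATTR_USER_NAME].decode()) == revealed.decode(errors="replace")
    reply = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, 42, request_auth, b"", server_secret)
    verified = verify_response(reply, 42, request_auth, SHARED_SECRET)
    return verified, verified and reply[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    db = {"user1@huawei": "correct-horse"}                          # constructed sample account
    print(exchange("user1@huawei", "correct-horse", db))             # (True, True)
    print(exchange("user1@huawei", "wrong", db))                     # (True, False)
    print(exchange("user1@huawei", "correct-horse", db, b"mismatched-key"))  # (False, False)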
Networking Requirements
On the network shown in Figure 6-3, users in the domain named huawei access the network
through Device A. Device B functions as the access server for the target network. The users
can access the target network only through Device A and Device B and after they are being
authenticated by the remote server. Remote authentication on Device B is as follows:
Figure 6-3 Configuring dynamic ACL delivery through the RADIUS server (figure: users in
domain huawei reach Device A, then Device B, then the network; RADIUS servers 10.7.66.66/24
and 10.7.66.67/24; destination network)
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
Run the adminuser-priority command in the domain view if you want to configure a user not in the
default_admin domain to log in as the administrator. The domain must be configured as the
authentication domain for BAS access users.
Data Preparation
To complete the configuration, you need the IP addresses of the master and backup RADIUS
authentication servers.
Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, and dynamic ACL delivery.
# Configure a RADIUS server group named shiva.
<Device> system-view
[~Device] radius-server group shiva
# Configure an IP address and a port number for the master RADIUS authentication server.
[*Device-radius-shiva] radius-server authentication 10.7.66.66 1812
# Configure an IP address and a port number for the backup RADIUS authentication server.
[*Device-radius-shiva] radius-server authentication 10.7.66.67 1812
# Configure a shared key and the number of retransmissions for the RADIUS server group.
[*Device-radius-shiva] radius-server shared-key-cipher it-is-my-secret1
[*Device-radius-shiva] radius-server retransmit 2
[*Device-radius-shiva] commit
[~Device-radius-shiva] quit
Step 2 Configure a domain named huawei and bind authentication scheme 1 and RADIUS server
group shiva to the domain.
[~Device-aaa] domain huawei
[*Device-aaa-domain-huawei] authentication-scheme 1
[*Device-aaa-domain-huawei] radius-server group shiva
[*Device-aaa-domain-huawei] commit
[*Device-aaa-domain-huawei] quit
[~Device-GigabitEthernet0/1/1.1-bas] quit
[~Device-GigabitEthernet0/1/1.1] quit
----End
Configuration Files
#
sysname HUAWEI
#
user-group huawei
#
radius-server group shiva
radius-server authentication 10.7.66.66 1812 weight 0
radius-server authentication 10.7.66.67 1812 weight 0
radius-server shared-key-cipher %^%#h{FXVBLZX9#`VI]EWUUaOSHGd5E!.1DGeVYEie=%^%
radius-server retransmit 2
#
aaa
remote-download acl enable
default-password template huawei cipher %^%#M*p1,itN!4kQo5%Dc1s(whyJCM@xt0u[,,XMWG/O%^%
default-user-name template huawei include sysname
#
authentication-scheme 1
#
authorization-scheme default
#
domain huawei
authentication-scheme 1
Networking Requirements
As shown in Figure 6-4, users access the network by logging in to Device A and the users
belong to the domain huawei. Device B functions as an access server on the target network.
To access the target network, users must first traverse the networks on which Device A and
Device B reside and can access the network through Device B after being authenticated by a
remote RADIUS server. Remote authentication and accounting modes on Device B are as
follows:
l The RADIUS server performs authentication and accounting for access users.
l The RADIUS server with an IP address of 10.7.66.66/24 functions as the master
authentication and accounting server, whereas the RADIUS server with an IP address of
10.7.66.67/24 functions as the backup authentication and accounting server. The default
authentication port number and accounting port number are 1812 and 1813, respectively.
However, when Device B interoperates with the RADIUS server, the attributes carried in
authentication and accounting request packets are not all the same. Therefore, you need to
load the python script package to implement flexible interoperation of RADIUS attributes.
Figure 6-4 Networking for configuring RADIUS for user authentication and accounting
(figure: users in domain huawei reach Device A, then Device B, then the network; RADIUS
servers 10.7.66.66/24 and 10.7.66.67/24; destination network)
Configuration Roadmap
The configuration roadmap is as follows:
The python script package must have been uploaded to the cfcard: directory.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, and an accounting scheme.
# Configure a RADIUS server group named shiva.
<HUAWEI> system-view
[~Device] radius-server group shiva
# Configure an IP address and a port number for the master RADIUS authentication and
accounting server.
[*Device-radius-shiva] radius-server authentication 10.7.66.66 1812
[*Device-radius-shiva] radius-server accounting 10.7.66.66 1813
# Configure an IP address and a port number for the backup RADIUS authentication and
accounting server.
[*Device-radius-shiva] radius-server authentication 10.7.66.67 1812
[*Device-radius-shiva] radius-server accounting 10.7.66.67 1813
# Configure a shared key and the number of retransmissions for the RADIUS server.
[*Device-radius-shiva] radius-server shared-key-cipher it-is-my-secret1
[*Device-radius-shiva] radius-server retransmit 2
[*Device-radius-shiva] commit
[~Device-radius-shiva] quit
Step 2 Configure a domain named huawei and bind authentication scheme 1, accounting scheme 1,
and RADIUS server group shiva to the domain.
[~Device-aaa] domain huawei
[*Device-aaa-domain-huawei] authentication-scheme 1
[*Device-aaa-domain-huawei] accounting-scheme 1
[*Device-aaa-domain-huawei] radius-server group shiva
[*Device-aaa-domain-huawei] commit
# Configure the association between packets and scripts in the python policy template named
py.
[~HUAWEI-python-policy py] protocol radius packet access-request direction egress
python-script access-request.py
[*HUAWEI-python-policy py] protocol radius packet accounting-request direction
egress python-script acct-request.py
[*HUAWEI-python-policy py] protocol radius packet process-fail passthrough
[*HUAWEI-python-policy py] commit
[~HUAWEI-python-policy py] quit
Step 5 Bind the RADIUS server group to the python policy template.
[~HUAWEI] radius-server group shiva
[*HUAWEI-radius-shiva] python-policy py
[*HUAWEI-radius-shiva] commit
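What the shared key and the egress scripts act on, as an added example in Python that is not code from the page or from Huawei and does not model the device's python-script interface: it builds a RADIUS Access-Request with the User-Password hidden under the shared key (RFC 2865 section 5.2) and a Message-Authenticator (RFC 2869 section 5.14), checks the packet, and then shows why a script that rewrites an attribute on egress has to rebuild the packet rather than patch bytes in place: after an in-place patch the integrity check no longer matches. The shared key reuses the page's value; the user name, password, NAS-IP-Address and the fixed Request Authenticator are constructed sample values (a real client must draw the authenticator at random).

```python
"""Added example (not Huawei code): RADIUS Access-Request on the wire, and why an
egress attribute rewrite has to redo the packet's integrity check."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
AUTH_PORT, ACCT_PORT = 1812, 1813          # the defaults quoted in the page

# Constructed sample values (assumptions for the example, not from the page).
SECRET = b"it-is-my-secret1"                # the shared key from the page's configuration
REQUEST_AUTHENTICATOR = bytes(range(16))    # fixed here only so results are reproducible


def hide_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden, secret, authenticator):
    """Inverse of hide_user_password, as the server computes it."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def pack_attrs(attrs):
    """Attributes are Type (1), Length (1, includes the 2 header bytes), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, authenticator, attrs, secret):
    """Code, Identifier, Length, Request Authenticator, attributes, Message-Authenticator last.
    The HMAC-MD5 is computed over the whole packet with attribute 80 set to 16 zero bytes."""
    body = pack_attrs([(t, v) for t, v in attrs if t != MESSAGE_AUTHENTICATOR])
    ma_hdr = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body) + 18) + authenticator
    mac = hmac.new(secret, header + body + ma_hdr + b"\x00" * 16, hashlib.md5).digest()
    return header + body + ma_hdr + mac


def verify_message_authenticator(packet, secret):
    header, attrs = packet[:20], parse_attrs(packet[20:])
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    zeroed = pack_attrs([(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received[0])


def rewrite_attribute(packet, secret, attr_type, new_value):
    """Egress rewrite done right: change (or add) the attribute, then rebuild the packet."""
    ident, authenticator = packet[1], packet[4:20]
    attrs = [(t, v) for t, v in parse_attrs(packet[20:]) if t != MESSAGE_AUTHENTICATOR]
    attrs = [(t, new_value if t == attr_type else v) for t, v in attrs]
    if attr_type not in [t for t, _ in attrs]:
        attrs.append((attr_type, new_value))
    return build_access_request(ident, authenticator, attrs, secret)


def patch_attribute_in_place(packet, attr_type, new_value):
    """Egress rewrite done wrong: splice a same-length value in without touching attribute 80."""
    out, i = bytearray(packet), 20
    while i < len(out):
        t, length = out[i], out[i + 1]
        if t == attr_type and length - 2 == len(new_value):
            out[i + 2:i + length] = new_value
        i += length
    return bytes(out)


def sample_request():
    """Constructed Access-Request for a user in domain huawei."""
    hidden = hide_user_password(b"correct horse battery", SECRET, REQUEST_AUTHENTICATOR)
    return build_access_request(7, REQUEST_AUTHENTICATOR, [
        (USER_NAME, b"user1@huawei"),
        (USER_PASSWORD, hidden),
        (NAS_IP_ADDRESS, bytes([10, 7, 66, 1])),
    ], SECRET)
```

Two points a practitioner should take from this: everything the server can check is keyed on the shared key, so the key configured with radius-server shared-key-cipher is the only thing standing between an attacker on the path to 10.7.66.66 and forged requests or recovered passwords, and any attribute manipulation on egress (whatever mechanism performs it) is only valid if it happens before the integrity fields are computed.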
Run the display domain domain-name command on the Router to view the domain
configuration.
<HUAWEI> display domain huawei
------------------------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : 1
Accounting-scheme-name : 1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
Ancp auto qos adapt : Disable
RADIUS-server-template : shiva
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Quota-out : Offline
------------------------------------------------------------------------------
Run the display access python-script information command on the Router to view
information about the loading of the python script package.
<HUAWEI> display access python-script information
Script Package Name : cfcard:/V800R010C10SPC500.zip
Script Package Version : V800R010C10SPC500
Script Package Run Time : 2018-05-21 05:06:22
Script Info:
---------------------------------------------------------------
ScriptName State
---------------------------------------------------------------
acct-request.py Running
access-request.py Running
---------------------------------------------------------------
Total = 2
----End
Configuration Files
#
sysname HUAWEI
#
radius-server group shiva
radius-server authentication 10.7.66.66 1812 weight 0
radius-server authentication 10.7.66.67 1812 weight 0
This section describes the concept, rationale, and configuration of IPv4 address pools and
provides several configuration examples.
Context
NOTE
Problem: If DHCPv4 and PPPoEv4 users with the same MAC address go online from a remote
address pool at the same time, the DHCP server may incorrectly distribute response packets to
users, causing user login failures.
Solution: Deploy a local address pool and a remote address pool, or two local address pools,
for DHCP and PPPoE users with the same MAC address.
Cause: If a PPPoEv4 user requests to go online when a DHCPv4 user is waiting for a response
from the DHCPv4 server, the server may send the response for the DHCPv4 user to the
PPPoEv4 user. As a result, both users fail to go online. If a DHCPv4 user requests to go online
when a PPPoEv4 user is waiting for a response from the DHCPv4 server, the server may send
the response for the PPPoEv4 user to the DHCPv4 user. As a result, both users fail to go
online. If the first user has successfully gone online and the remote server can distinguish
between the DHCPv4 user and the PPPoE user during address allocation, the second user can
go online successfully.
Usage Scenario
A BAS-side address pool needs to be configured to assign IP addresses to access users. If the
NE40E needs to allocate IP addresses to users, you must configure a local address pool on the
NE40E, as shown in Figure 7-1; if a DHCPv4 or BOOTP server needs to allocate IP
addresses to users, you must configure a remote address pool on the NE40E, as shown in
Figure 7-2.
Figure 7-1 Networking diagram for address assignment from the local address pool
Figure 7-2 Networking diagram for address assignment from the remote address pool
Pre-configuration Tasks
Before configuring an IP address pool, complete the following task:
If two remote address pools are bound to the same DHCP server and the DHCP server's
configuration is not consistent with both remote address pools, one of the remote address
pools becomes invalid. Therefore, either ensure that the DHCP server configuration is
consistent with both address pools, or bind each remote address pool to its own DHCP server.
Context
Perform the following steps on the Router. Configure either a dynamic address pool or a
non-dynamic address pool.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run access wait-request-time dhcpv4 time-value
The timeout period for a router to wait for a Request message from a client in response to an
Offer message sent to the client is set.
Step 3 Perform the corresponding steps according to the type of the address pool to be created.
l Create a dynamic address pool.
a. Run ip pool pool-name bas dynamic
A dynamic address pool is created, and the dynamic address pool view is displayed.
b. Run radius-server group group-name
A RADIUS server group is bound to the dynamic address pool.
c. Run authentication-name authentication-name password cipher password
An authentication name and a password are configured for the BRAS to apply to a
RADIUS server for dynamic address segments.
d. Run subnet length initial { length | gateway-mask } [ extend { length | gateway-mask } ]
The mask lengths are configured for the initial and subsequent address segments
being applied for a dynamic address pool.
e. (Optional) Run ip used-threshold upper-limit upper-value lower-limit lower-value
The upper and lower address usage thresholds are configured for the dynamic
address pool. The lower threshold for address segment release must be less than the
upper threshold for address segment application.
By default, the upper threshold for address segment application is 80%, and the
lower threshold for address segment release is 20%.
The BRAS checks the dynamic address pool usage every 10 minutes. If the BRAS
detects that the dynamic address pool usage reaches the upper threshold, the BRAS
applies to the RADIUS server for new address segments. If the BRAS detects that
the dynamic address pool usage falls below the lower threshold, the BRAS applies
to the RADIUS server for releasing address segments.
f. (Optional) Run detect retransmit retransmit-value interval days hours minutes
The number of retransmission times and a retransmission interval for detecting
address segment availability are configured for the dynamic address pool.
By default, the number of retransmission times is 3, and the retransmission interval
is 3 days.
l Create a non-dynamic address pool.
a. Run ip pool pool-name [ bas { local | remote } [ rui-slave ] | server ]
A non-dynamic address pool is created and the address pool view is displayed.
n After the weight is configured for the IPv4 address pool, you must run the ip-pool
algorithm loading-share remote command in the system view to configure the device
to assign addresses from IPv4 remote address pools based on their weights.
n The ip-pool algorithm loading-share remote command applies only to IPv4 remote
address pools.
The dhcp-server check-remote-ip loose command takes effect for remote address pools and
remote RUI address pools only.
The public network attribute is configured for an IP address pool or an IP address pool group.
After the configuration is complete, the IP address pool or the IP address pool group is used
for the calculation of public IP address pool status.
By default, IP address pools or IP address pool groups have no public network attribute. They
are not used for the calculation of public IP address pool status.
To use the public IP address pool for the calculation of public IP address pool status, run the
ip-pool usage-status threshold command to configure the upper and lower thresholds for IP
address pool usage in a domain to calculate public IP address pool status.
The ip-attribute public command takes effect only on local address pools.
By default, the lease of the IP addresses in an address pool is three days. If the lease is set to
0, the lease of the IP addresses is not limited.
By default, the rebinding time of IP addresses is 87.5% of the lease of the address pool.
When the user is not online, you can reclaim the occupied IP address manually by running
this command.
If the interval-time value is set to 0, the automatic address reclaim function is disabled.
Conflicting addresses will not be assigned to users. You must run the reset conflict-ip-
address command to reclaim conflicting addresses.
If the interval-time value is not set to 0, the usage of IP addresses in the address pool exceeds
the alarm threshold, and the address conflict time exceeds the interval-time value, the Router
automatically reclaims some conflicting addresses and assigns them to users.
This command is valid only in the view of the local or server address pool.
Step 10 (Optional) Run reserved ip-address { lease | mac }
The reservation type of an IP address for a user is configured.
By default, IP addresses are not reserved. When a user goes offline, the IP address is
reclaimed.
If a user is assigned a lease of four days during the first login, the user can still use the
originally-allocated IP address provided that he goes online for the second time within four
days. This is called lease-based IP address reservation.
If a user's MAC address and the allocated IP address are recorded during the first login, the
user can still use the originally-allocated IP address when he goes online for the second time.
This is called MAC-address-based IP address reservation.
Step 11 (Optional) Run vpn-instance instance-name
A VPN instance is bound to the address pool.
Step 12 (Optional) Run warning-threshold threshold-value
The alarm threshold for the address usage of an address pool is set. If the address usage
exceeds the threshold, an alarm is generated on the Router.
By default, the alarm threshold for the address usage of an address pool is set to 80%.
Step 13 (Optional) Run warning-exhaust
The address exhaustion alarm function is enabled for the address pool.
After this command is executed, the system generates an address exhaustion alarm when IP
addresses in the address pool are exhausted, prompting the administrator to plan the IP
addresses. When IP addresses in the address pool are exhausted, users cannot go online.
When IP address usage of the address pool falls below 90%, the address exhaustion alarm is
cleared.
Step 14 (Optional) Run frame-ip lease manage
The lease management function of IP addresses delivered by the RADIUS server is enabled in
an IP address pool.
By default, the lease management function for IP addresses delivered by the RADIUS server
is disabled.
Step 15 (Optional) Run option33 route dest-ip gateway
IP addresses in this address pool are configured as the destination IP address and gateway IP
addresses.
Step 16 (Optional) Run option router disable
The device is disabled from sending DHCP packets carrying Option 3 (network gateway
address) to the client.
Step 17 (Optional) Enable the automatic recycling of IP addresses assigned in RADIUS authentication
responses.
1. Run quit
----End
Context
Based on the clients' needs, you can adopt either static address binding or dynamic address
assignment.
Perform the following steps on the Router that functions as a DHCPv4 server:
Procedure
Step 1 Run system-view
----End
Follow-up Procedure
Some clients may need fixed IP addresses that are bound to their MAC addresses. When the
client with a specific MAC address uses DHCPv4 to apply for an IP address, the DHCPv4
server finds out the fixed IP address bound to the MAC address and assigns it to the client.
Context
Perform the following steps on the DHCPv4 server that provides DNS services for the
DHCPv4 clients:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip pool pool-name [ bas { local | remote } | server ]
An IP address pool is created and the IP address pool view is displayed.
Step 3 Run dns-suffix suffix-name
The DNS suffix of the IP address pool is configured.
NOTE
This command is valid for only the local address pool and server address pool.
NOTE
If IP addresses are automatically allocated from the BAS address pool, the DNS server can be
configured in both the domain view and the address pool view, but the configuration in the domain view
takes precedence.
If the RADIUS server is used to deliver IP addresses and gateway addresses, the following situations are
available:
l If the RADIUS server also delivers the DNS server address, the DNS server address delivered by
the RADIUS server takes precedence.
l If the RADIUS server does not deliver the DNS server address, the DNS server must be
configured in the domain view, and this configuration does not take effect for the address pool.
If a client sends a packet carrying the Option 119 field to request search domain information
from the DHCP server, the domain-search-list command can be used to configure search
domains so that the DHCP server can send required search domain information to the
user. After the domain-search-list command is run and the first domain name resolution fails,
the configured search domains are used for resolution.
----End
Follow-up Procedure
On the DHCPv4 server, designate a DNS suffix for each address pool used to assign IP
addresses to clients.
When a host accesses the Internet by using the DNS suffix, the DNS server resolves the DNS
suffix into an IP address. Therefore, to ensure that the client successfully accesses the
Internet, the DHCPv4 server also needs to specify the DNS server address for the client when
it assigns IP addresses.
Context
Perform the following steps on the Router that provides NetBIOS services for the DHCPv4
clients:
Procedure
Step 1 Run system-view
----End
Follow-up Procedure
For Microsoft Windows clients, a Windows Internet Naming Service (WINS) server resolves
NetBIOS host names to IP addresses for hosts that communicate over NetBIOS. Most Windows
clients need to be configured with a WINS server. The NetBIOS node type tells the client how
to resolve names:
l Type b nodes (b-node): "b" stands for broadcast. Type b nodes obtain the name-to-address
mapping by broadcasting on the local network.
l Type h nodes (h-node): "h" stands for hybrid. Type h nodes query the WINS server first and
fall back to broadcast if the query fails.
l Type m nodes (m-node): "m" stands for mixed. Type m nodes broadcast first and query the
WINS server only if the broadcast gets no answer.
l Type p nodes (p-node): "p" stands for peer-to-peer. Type p nodes obtain the mapping only
by querying a NetBIOS name server (WINS).
Context
Perform the following steps on the Router that provides SIP services for the DHCPv4 clients:
Procedure
Step 1 Run system-view
----End
Context
If both dhcp option125 and option 125 commands are used, only the dhcp option125
command takes effect.
Perform the following steps on the Router that functions as a DHCPv4 server:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip pool pool-name [ bas local | server ]
An IP address pool is created and the IP address pool view is displayed.
Step 3 Run option code { { ip ip-address } &<1-2> | string string | hex hex-string &<1-160>|
{ suboption subcode { ip ip-address | string sub-string } } &<1-16> }
A DHCPv4 option is configured.
Step 4 (Optional) Run dhcp option125 [ enterprise-code enterprise-code ] option125-string
The enterprise code and description encapsulated into DHCP Option 125 for a telecom
equipment supplier are configured.
After this command is used, the enterprise code and description will be encapsulated into the
DHCP Option 125 field of each DHCP Reply packet.
Step 5 Run option force-reply { code }&<1-16>
The DHCP option forcibly replied to a client by a DHCP server is configured.
A DHCP server normally returns an option only if the client asked for it in its request.
Without some options the client cannot access the Internet. Run the option force-reply
command to configure the server to return the specified DHCP options to the client whether or
not the client requested them.
NOTE
----End
Follow-up Procedure
The Option field in DHCPv4 packets carries control information and parameters that are not
defined in common protocols. If the DHCPv4 server is configured with an Option, the
DHCPv4 client obtains the configuration information saved in the Option field of DHCPv4
response packets.
You need to add the options to the attribute list of the DHCPv4 servers. For example,
l To configure the IP address of a log server to 10.110.204.1, use the option 7 ip
10.110.204.1 command.
l To configure the Option 129 field to represent "huawei", use the option 129 string
huawei command.
NOTE
Options with a fixed meaning, such as the DNS server and lease options, have values that are
set by their own commands and cannot be set with the option command. These reserved option
codes are 3, 6, 15, 44, 46, 50 to 54, 57 to 59, 82, and 119. If you try to set one of them, the
system reports that resetting the value is not allowed.
The option command enables DHCPv4 response packets to carry specific options.
Before using this command, you need to know the function of each option. Option 77 identifies client
types or applications of DHCPv4 clients. Based on User Class in the Option field, the DHCPv4 server
selects a proper address pool and configuration parameters. Option 77 is commonly configured on the
client.
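The option, dhcp option125, option force-reply and client-option60 commands above all deal with the same wire format. As an added example in Python that is not code from the page or from Huawei, the block below encodes a DHCPv4 options field carrying Option 60, Option 119 (domain search list, RFC 3397) and Option 125 (enterprise number plus sub-options, RFC 3925), parses it back, and picks an address pool by matching Option 60 the way client-option60 is described. The vendor class strings, pool names, addresses and the enterprise number in the sample are constructed values; exact byte matching of Option 60, and a pool with no Option 60 value accepting any client, are assumptions about the device's rule, not something the page states.

```python
"""Added example (not Huawei code): encoding and parsing the DHCPv4 options that the
option, dhcp option125 and client-option60 commands deal with."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE = 0, 3, 6, 53
OPT_VENDOR_CLASS, OPT_USER_CLASS, OPT_DOMAIN_SEARCH, OPT_VIVSO, OPT_END = 60, 77, 119, 125, 255


def encode_domain_search(names):
    """Option 119 (RFC 3397): DNS-style length-prefixed labels, no compression (optional for a sender)."""
    out = bytearray()
    for name in names:
        for label in name.strip(".").split("."):
            if not 1 <= len(label) <= 63:
                raise ValueError("bad label in %r" % name)
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    return bytes(out)


def decode_domain_search(data):
    names, i = [], 0
    while i < len(data):
        labels = []
        while data[i] != 0:
            n = data[i]
            if n & 0xC0:                       # 11xxxxxx introduces a compression pointer
                raise ValueError("compression pointers are not handled by this decoder")
            labels.append(data[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        i += 1                                 # skip the root label
        names.append(".".join(labels))
    return names


def encode_option125(enterprise_number, suboptions):
    """Option 125 (RFC 3925): enterprise-number (4), data-len (1), then (code, len, value) sub-options."""
    data = b"".join(struct.pack("!BB", code, len(v)) + v for code, v in suboptions)
    return struct.pack("!IB", enterprise_number, len(data)) + data


def decode_option125(data):
    """Returns {enterprise_number: [(code, value), ...]}; several enterprise blocks may follow each other."""
    result, i = {}, 0
    while i < len(data):
        enterprise, dlen = struct.unpack("!IB", data[i:i + 5])
        i += 5
        subs, end = [], i + dlen
        while i < end:
            code, slen = data[i], data[i + 1]
            subs.append((code, data[i + 2:i + 2 + slen]))
            i += 2 + slen
        result[enterprise] = subs
    return result


def encode_options(options):
    """Options field of a DHCPv4 message: magic cookie, TLVs, End. Values over 255 bytes are split
    into repeated options (RFC 3396)."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        for off in range(0, max(len(value), 1), 255):
            chunk = value[off:off + 255]
            out += bytes([code, len(chunk)]) + chunk
    out += bytes([OPT_END])
    return bytes(out)


def parse_options(blob):
    """Strict parser: checks the cookie, bounds every TLV, concatenates repeated codes."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        if i + 2 + length > len(blob):
            raise ValueError("option %d runs past end of buffer" % code)
        opts[code] = opts.get(code, b"") + blob[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("no End option")


def select_pool(parsed, pools):
    """client-option60 modelled as an exact byte match of Option 60 (assumption).
    pools: [(pool_name, option60_value_or_None)]; a pool with no value accepts any client (assumption)."""
    vendor_class = parsed.get(OPT_VENDOR_CLASS)
    for name, wanted in pools:
        if wanted is not None and wanted == vendor_class:
            return name
    return next((name for name, wanted in pools if wanted is None), None)


def sample_options():
    """Constructed DHCP Offer options: the enterprise number and strings are sample values."""
    return encode_options([
        (OPT_MSG_TYPE, b"\x02"),
        (OPT_ROUTER, bytes([10, 16, 16, 1])),
        (OPT_DNS, bytes([10, 110, 204, 1])),
        (OPT_VENDOR_CLASS, b"huawei-stb"),
        (OPT_DOMAIN_SEARCH, encode_domain_search(["isp1.example", "corp.example"])),
        (OPT_VIVSO, encode_option125(2011, [(1, b"HUAWEI"), (2, b"NE40E")])),
    ])
```

The parser deliberately bounds every length byte before slicing: the Option field arrives from untrusted clients, and an unchecked length is the classic way a DHCP server or relay reads past its buffer. The Option 119 decoder refuses compression pointers rather than following them, which avoids the pointer-loop problem at the cost of not accepting every legal encoding.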
Context
Methods of protecting addresses in an address pool are as follows:
l Locking the IP address pool
You can lock an IP address pool by running commands. When an IP address pool is
locked, IP addresses in the address pool cannot be assigned to users.
This method is used when the address pool needs to be deleted but there are users using
IP addresses in the address pool. If you lock the address pool, no more IP addresses will
be assigned. After all users log out and the occupied IP addresses are released, you can
delete the address pool.
l Excluding the IP address
You can use this method on a complex network to exclude certain IP addresses.
l Reclaiming the IP address
If an IP address in the address pool is in the Occupied state but no user is using it, you
can reclaim the IP address by running the related command.
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip pool pool-name [ bas { local | remote } | server ]
An IP address pool is created and the IP address pool view is displayed.
NOTE
----End
Context
After the ip-pool constant-index enable command is used, the index of the IPv4 address
pool, IPv6 prefix pool, or IPv6 address pool does not change after the device restarts. The
constant-index index command is automatically generated in the views of all the IPv4
address pools, IPv6 prefix pools, and IPv6 address pools configured on the device for users to
check the constant index value. But the constant-index command cannot be used to change
the automatically generated constant index for an IP pool.
Procedure
Step 1 Run system-view
The constant index function is enabled for IPv4 address pools, IPv6 prefix pools, and IPv6
address pools.
----End
Context
Perform the following steps on the Router.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcp server base-option60 enable
A network-side DHCP server is enabled to allocate IP addresses based on Option 60 values.
Step 3 Run ip pool pool-name server
An address pool is created and the address pool view is displayed.
Step 4 Run client-option60 option60-value
Option 60 values carried in user packets in a specified address pool are configured.
NOTE
l After the command is used, the address pool allocates IP addresses only to clients whose
packets carry an Option 60 value matching the value configured with the client-option60 command.
l The command can only be configured in the address pool on the DHCP server.
----End
Context
An IP address pool with an in-use IP address cannot be deleted. Therefore, configure the drain
function to lock the address pool before you delete the address pool. After an IP address pool
is locked using the lock drain command, DHCP Request messages for lease renewal from
online users will be discarded. The address pool can be deleted after all online users using the
address pool go offline upon lease expiry. If you only need to disable an IP address pool so
that the address pool will not be used to assign IP addresses to new users but online users can
still use assigned IP addresses, configure the lock function to lock the address pool using the
lock command.
Perform the following steps on the Router.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip pool pool-name [ bas { local | remote } ]
The IP address pool view is displayed.
Step 3 Perform either of the following configurations as needed:
l Configure the drain function to lock the address pool.
a. Run lock drain
The IP address pool is locked so that the address pool cannot be used to assign IP
addresses to new users and Request messages for lease renewal from online users
using the address pool are discarded.
b. Run commit
The configuration is committed.
l Configure the lock function to lock the address pool.
a. Run lock
The IP address pool is locked so that the address pool cannot be used to assign IP
addresses to new users but Request messages for lease renewal from online users
can still be processed.
b. Run commit
The configuration is committed.
----End
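Steps 10 to 13 of the address pool procedure (lease, IP address reservation, warning-threshold and warning-exhaust) and the lock and lock drain functions above, as an added example in Python that is not device code: a toy local address pool that refuses new users while locked, additionally drops renewal Requests while drained, raises the exhaustion alarm when the last address is assigned and clears it only once usage falls below 90%, flags the 80% warning threshold, keeps a MAC address's old IP address after the user goes offline, and reports when the pool has emptied enough to be deleted. The pool name and the addresses 10.16.16.2 to 10.16.16.5 match the display ip pool output later in this section; the MAC addresses and the times used in the walk-through are constructed.

```python
"""Added example (not device code): a toy model of a BAS local address pool with
lock, lock drain, usage alarms and MAC-based address reservation."""
import ipaddress

LEASE_DEFAULT = 3 * 24 * 3600   # page: the default lease is three days
REBIND_FRACTION = 0.875         # page: the rebinding time is 87.5% of the lease


class AddressPool:
    def __init__(self, name, first, last, lease=LEASE_DEFAULT,
                 warning_threshold=80, reserve_by_mac=False):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.name = name
        self.addresses = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.lease = lease
        self.warning_threshold = warning_threshold   # page default: 80%
        self.reserve_by_mac = reserve_by_mac         # reserved ip-address mac
        self.in_use = {}         # ip -> (mac, lease expiry time)
        self.reserved = {}       # mac -> ip kept for the user after logout
        self.state = "unlocked"  # unlocked | locked (lock) | drain (lock drain)
        self.warning_alarm = False
        self.exhaust_alarm = False

    def lock(self):
        self.state = "locked"

    def lock_drain(self):
        self.state = "drain"

    def unlock(self):
        self.state = "unlocked"

    def usage(self):
        """Address usage in whole percent."""
        return 100 * len(self.in_use) // len(self.addresses)

    def _update_alarms(self):
        self.warning_alarm = self.usage() > self.warning_threshold
        if len(self.in_use) == len(self.addresses):
            self.exhaust_alarm = True            # warning-exhaust: no address left
        elif self.usage() < 90:
            self.exhaust_alarm = False           # cleared only once usage drops below 90%

    def allocate(self, mac, now):
        """A new user asks for an address; None means the request is refused."""
        if self.state != "unlocked":             # lock and lock drain both stop new users
            return None
        ip = self.reserved.get(mac)
        if ip is None or ip in self.in_use:      # no reservation, or it was taken: first free
            free = [a for a in self.addresses if a not in self.in_use]
            if not free:
                return None
            ip = free[0]
        self.in_use[ip] = (mac, now + self.lease)
        self._update_alarms()
        return ip

    def renew(self, mac, ip, now):
        """DHCP Request for lease renewal from an online user."""
        if self.state == "drain":                # lock drain discards renewal Requests
            return False
        entry = self.in_use.get(ip)
        if entry is None or entry[0] != mac or now > entry[1]:
            return False
        self.in_use[ip] = (mac, now + self.lease)
        return True

    def rebind_time(self, ip):
        """Absolute time at which the client enters the rebinding state (T2)."""
        _, expiry = self.in_use[ip]
        return expiry - self.lease + int(self.lease * REBIND_FRACTION)

    def release(self, ip):
        mac, _ = self.in_use.pop(ip)
        if self.reserve_by_mac:
            self.reserved[mac] = ip
        self._update_alarms()

    def expire(self, now):
        """Reclaim every lease that has run out; with lock drain this is how the pool empties."""
        for ip, (_, expiry) in list(self.in_use.items()):
            if now >= expiry:
                self.release(ip)

    def can_delete(self):
        """Page: a pool with an in-use address cannot be deleted."""
        return not self.in_use
```

The difference between lock and lock drain is the whole point of the walk-through: a locked pool still lets online users renew, so it never empties on its own, whereas a drained pool empties within one lease time because renewals are dropped. That also means lock drain is a forced logout for everyone on the pool, spread over the lease, which is worth planning for before deleting a pool with many online users.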
Context
An address pool group can be created if either of the following conditions is met:
l Multiple domains share some address pools.
l A RADIUS server is able to deliver address pool names.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip pool-group group-name [ bas ]
An address pool group is created and the address pool group view is displayed.
Step 3 (Optional) Run vpn-instance vpn-instance-name
An address pool group is bound to a VPN instance.
The address pool group and its address pools must be bound to the same VPN instance.
The address pool group in a domain and the domain must be bound to the same VPN instance.
Step 4 (Optional) Run ip-attribute public
The public network attribute is configured for an IP address pool or an IP address pool group.
After the configuration is complete, the IP address pool or the IP address pool group is used
for the calculation of public IP address pool status.
To use the public IP address pool for the calculation of public IP address pool status, run the
ip-pool usage-status threshold command to configure the upper and lower thresholds for IP
address pool usage in a domain to calculate public IP address pool status.
The ip-attribute public command takes effect only on local address pools.
Step 5 Run ip-pool pool-name
An address pool is added to an address pool group.
Step 6 (Optional) Run quit
Return to the system view.
Step 7 (Optional) Run warning-exhaust
The address exhaustion alarm function is enabled for the address pool group.
After this command is executed, the system generates an address exhaustion alarm when IP
addresses in the address pool group are exhausted, prompting the administrator to plan the IP
addresses. When IP addresses in the address pool group are exhausted, users cannot go online.
When IP address usage of the address pool group falls below 90%, the address exhaustion
alarm is cleared.
Step 8 Run commit
The configuration is committed.
----End
Follow-up Procedure
You can run the ip-pool-group group-name [ move-to new-position ] command in AAA
domain view to bind an address pool group to a domain.
Context
The IPv4 address pool for a domain can be a local or remote address pool.
A maximum of 1024 IPv4 address pools can be specified for a domain, and one IPv4 address
pool can be used for multiple domains. The IPv4 address pools configured for a domain can
be moved. The range in which the IPv4 address pool can be moved is associated with the
number of address pools configured in the domain. For example, if 10 address pools are
configured in the domain, the address pool can move in the range between 1 and 10.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run ip-pool pool-name [ move-to position ]
IPv4 address pools are specified for the domain.
Step 5 (Optional) Run ip-pool-group group-name
An address pool group is bound to the domain.
Step 6 Run commit
The configuration is committed.
----End
Context
A domain has public and private network users. A Broadband Remote Access Server (BRAS)
sends public IP address pool status to a RADIUS server. The RADIUS server determines
whether a user is a public or private network user based on user information and the public IP
address pool status. The RADIUS server then sends the corresponding user group name and
IP address pool name or IP address pool group name to the BRAS. The BRAS determines
whether the user is a public or private network user based on the received user group name
and assigns an IP address to the user from the received IP address pool or IP address pool
group.
Perform the following steps on the NE40E.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
NOTE
----End
Prerequisites
IP address pool has been configured.
Procedure
l Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-
address ] ] | all | used ] ] [ vpn-instance instance-name ] command to check the
configuration of the IP address pool.
l Run the display ip pool-group [ name group-name ] [ vpn-instance instance-name ]
command to check IP address pool configurations.
l Run the display ip-pool pool-usage [ domain dname | pool-name [ pool-name ]]
command to check the usage of the address pool of every domain.
l Run the display ip-pool max-ratio domain command to check IP address pool usage in
all domains on the device.
l Run the display ip-pool pool-usage { upper-threshold | lower-threshold | all-
threshold } command to check information about domains whose IP address pool usage
exceeds a specified threshold.
----End
Example
Run the display ip pool command, and you can view information about all the address pools
configured in the system.
<HUAWEI> display ip pool
-----------------------------------------------------------------------
Pool-Name : huawei
Pool-No : 0
Pool-constant-index: -
Position : Local Status : Unlocked
RUI-Flag : -
Gateway : 10.16.16.1 Mask : 255.255.255.0
Vpn instance : -- Unnumbered gateway: -
IP address Statistic
Total :4
Used :0 Free :4
Conflicted :0 Disable :0
Designated :0 Gateway :0
Ratio :0%
Isolated :0
-----------------------------------------------------------------------
Pool-Name : test
Pool-No : 1
Pool-constant-index: -
Position : Local Status : Unlocked
RUI-Flag : -
Gateway : 10.15.15.1 Mask : 255.255.255.0
Vpn instance : -- Unnumbered gateway: -
IP address Statistic
Total :9
Used :0 Free :9
Conflicted :0 Disable :0
Designated :0 Gateway :0
Ratio :0%
Isolated :0
IP address Statistic
Total :13
Used :0 Free :13
Conflicted :0 Disable :0
Designated :0 Gateway :0
Ratio :0%
Isolated :0
Profile-Name : - Server-Name : -
UNR-Tag : 123
Total Idle : 4 Have Dhcp IP : 1
Timeouts : 0
Timeout Count : 0 Sub Option Count : 0
Option Count : 0 Force-reply Count: 2
Loading-share : Enable Weight : 5
Codes: CFLCT(conflicted) Wait-Request-Time: --
IP Loose Check : 1 Blocked Times : 0
-------------------------------------------------------------------------------------
ID start      end        total used idle CFLCT disable reserved static-bind
-------------------------------------------------------------------------------------
0  10.16.16.2 10.16.16.5 4     0    4    0     0       0        0
-------------------------------------------------------------------------------------
Total: 1
Run the display ip-pool max-ratio domain command to view IP address pool usage in all
domains on the device.
<BASE_VNFC1> display ip-pool max-ratio domain
--------------------------------------------------------------------
Domain name Current Max Time
--------------------------------------------------------------------
default0 0 0 -
default1 0 0 -
default_admin 0 0 -
ppp 2% 10% 2012-08-07 15:28:30
isp1 9% 19% 2012-08-07 14:32:40
isp2 0 0 -
test1 0 0 -
test2 0 0 -
isp 0 0 -
--------------------------------------------------------------------
Usage Scenario
The NE40E can be used as a DHCPv4 server to assign IP addresses to users. A remote
DHCPv4 server can also be used with the NE40E functioning as a DHCPv4 relay agent to
assign IP addresses to users.
When IP addresses are allocated by a remote DHCPv4 server, you need to configure the IP
address of the remote DHCPv4 server on the NE40E. This allows the NE40E to communicate
with the DHCPv4 server. The NE40E manages DHCPv4 servers by using DHCPv4 server
groups.
NOTE
A DHCPv4 server group is required only when the remote address pool is used to assign IP addresses to
BAS-side users.
Pre-configuration Tasks
None.
Context
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
A DHCPv4 server group is created and the DHCPv4 server group view is displayed.
A master DHCPv4 server and seven backup DHCPv4 servers can be configured in a DHCPv4
server group.
When there are two servers in a DHCPv4 server group, you can specify the algorithm from
the load balancing, master/backup mode, or polling for selecting DHCPv4 servers.
l Load balancing: The NE40E distributes the load according to the weights of servers.
l Master/backup: The NE40E specifies one server as the master server and the other as the
backup server.
l Polling: The NE40E sends request packets to all servers and selects the server that
responds first. Subsequent packets are sent only to the selected server, except for Discover
and Request packets in the address selection phase, which are still sent to all servers.
Step 5 (Optional) Run release-agent
The DHCPv4 release agent function is configured.
With the DHCPv4 release agent function, the NE40E, instead of the user, sends a DHCPv4
release packet to the DHCPv4 server when the user goes offline.
Step 6 (Optional) Run dhcp rebind forward-mode all
The NE40E is configured to send DHCP Rebind packets to all DHCPv4 servers in a DHCPv4
server group.
----End
Context
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The lease management function is enabled for the remote address pool.
If some clients do not respond to ARP probe packets sent by the Router, ARP probe is
disabled on access interfaces on the Router. In this case, if a client is powered off or has gone
offline unexpectedly, the Router cannot sense that the client is offline, because the client does
not send any Release packet. As a result, the IP address used by the user cannot be released
from the remote address pool. To prevent this problem, enable the lease management function
for the remote address pool.
NOTE
If destination IP addresses of lease packets sent by a DHCP server to users are user IP addresses instead
of gateway IP addresses, do not enable the lease management function for the remote address pool.
Because the Router directly forwards these packets to users without updating the leases, users will go
offline after the leases expire.
----End
Prerequisites
DHCPv4 server groups have been configured.
Procedure
l Run the display dhcp-server group [ group-name ] command to check the
configuration of the DHCPv4 server group.
----End
Example
Run the display dhcp-server group command, and you can view information about all
DHCPv4 server groups.
<HUAWEI> display dhcp-server group
Group-Name : remote
Release-Agent : Support
Primary-Server : -
Vpn instance : --
Weight : 0
Status : -
Secondary-Server : -
Vpn instance : --
Weight : 0
Status : -
Algorithm : master-backup
Source : --
Giaddr : --
Rebind forward mode : all
Group-Name : g1
Release-Agent : Support
Primary-Server : -
Vpn instance : --
Weight : 0
Status : -
Secondary-Server : -
Vpn instance : --
Weight : 0
Status : -
Algorithm : master-backup
Source : --
Giaddr : --
2 DHCP server group(s) in total
Pre-configuration Tasks
7.5 Configuring a DHCPv4 Server Group
Context
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
Step 3 Run bas
A BAS interface is created and the BAS interface view is displayed.
Step 4 Run access-type layer2-subscriber [ default-domain { [ authentication [ force | replace ]
dname ] [ pre-authentication predname ] } ]
The access type is set to Layer 2 subscriber access and the attributes of this access type are
configured.
Step 5 Run dhcp-proxy enable
NOTE
l Currently, DHCPv4 proxy applies only to the BAS remote address pool. A configuration change
does not take effect on online users.
l DHCPv4 proxy can also be used for Layer 2 users or Layer 2 leased line users.
NOTE
Using shorter proxy leases can accelerate the identification of client or link faults. However, users renew
their leases more frequently, increasing the processing load of the device. To balance the conflict
between fault detection and processing load, run the dhcp lease-proxy first-step second-step command
to enable DHCP lease proxy with step-based proxy leases.
----End
Usage Scenario
After configuring a DHCPv4 server, you need to configure the security function of the
DHCPv4 service. This enhances security of the DHCPv4 service and prevents other
unauthorized DHCPv4 servers from assigning invalid IP addresses to clients. By viewing
logs, the administrator determines whether there are unauthorized DHCPv4 servers assigning
invalid IP addresses to clients.
Pre-configuration Tasks
Before adjusting DHCPv4 parameters, complete the following task:
l Configuring a DHCPv4 server
Context
Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The maximum number of DHCPv4 access users allowed for a specified board is set.
The Router is enabled to strictly check packets from DHCP clients.
The limit on the packet transmission rate of a DHCPv4 server group is set.
The destination IP address of a packet forwarded by the DHCP relay is set as the identifier of the
DHCP server.
After the dhcp server identifier dest-ip command is configured, the DHCP response packet
forwarded by the NE40E carries the destination IP address of the request packet as the DHCP
server identifier.
The command only applies to a scenario in which the NE40E is the non-first PE router and
functions as the DHCP server.
After a user sends a DHCP request packet with option 50, the NE40E authenticates the user. If
the requested IP address has already been assigned to another user, the NE40E replies with a NAK
packet. If a large number of users resend DHCP Discover packets to apply for IP addresses, the
NE40E authenticates the users again, causing high CPU usage. To resolve this problem, run the
dhcp request-ip-address check enable command to enable the check of DHCP request packets
carrying option 50. After that, if a requested IP address has already been assigned to another
user, the NE40E replies with a NAK packet without authenticating the user again, which prevents
high CPU usage.
The BRAS is enabled to send Option 82 information to the RADIUS server if user packets do
not carry the Option 82 field or the BRAS does not trust the Option 82 field in user packets.
The device is disabled from sending a NAK message in response to a client's DHCP Rebind
message if no corresponding user entry exists on the device.
Step 9 (Optional) Run dhcp rebind no-user action nak server-ip server-ip
The device is enabled to send a NAK message in response to a client's DHCP Rebind
message if no corresponding user entry exists on the device.
----End
Context
When a terminal device, such as the set top box of the digital TV, accesses the network, the
NE40E cannot identify its domain according to its user name. Therefore, the NE40E cannot
allocate IP address to the device. In this case, the terminal device uses Option 60 to carry the
domain information when initiating the DHCP request. After receiving the DHCP request, the
NE40E allocates the IP address to the device according to the domain information contained
in Option 60.
Option 121 allows a DHCP server to allocate static routes to DHCP clients.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcp option-60 [ cn | [ offset offset ] { length length | sub-option sub-option-code
[ sub-offset sub-offset ] [ sub-length sub-length ] } ] { domain-included | included-in-domain }
{ exact-match | partial-match } [ encrypt ]
The Option 60 attribute is set for DHCP packets. This attribute allows the device to allocate
IP addresses from a corresponding address pool based on the domain name. Option 60 can be
configured to contain the domain name. Partial match or exact match of the domain name can
be configured. You can configure encrypt to encrypt the Option 60 attribute.
If user domain information is obtained from the vendor-class information, the character string
following the domain name delimiter (defaulting to @) in the vendor-class field is used as the
domain name. If no user domain information is obtained from the vendor-class information,
the NE40E performs the following procedure to continue searching for the information. If
there is no domain name delimiter in the field, the NE40E performs a fuzzy or exact match of
the domain name information based on the configured mode. The procedure will stop if user
domain information is obtained.
1. Check if the dhcp option-60 command is configured in the system view. If the command
is configured, obtain user information from the command configuration.
2. Use the authorization domain configured on the BAS interface as the user domain.
Step 3 Run aaa
The AAA view is displayed.
Step 4 Run domain domain-name
A domain is created and the domain view is displayed.
Step 5 Run dhcp option121 route ip-address mask-length gateway-address
----End
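The user-domain lookup order described above, as an added Python example that is not from the guide or the NE40E: it models the vendor-class delimiter rule, the dhcp option-60 offset/length window with its matching mode, and the fallback to the BAS interface authorization domain. The domain list and vendor-class strings are constructed, and the meaning given here to domain-included/included-in-domain and exact-match/partial-match is an assumption about those keywords.

```python
"""Added example (not from the guide): the Option 60 user-domain lookup order.
All inputs are constructed; the interpretation of domain-included /
included-in-domain and exact-match / partial-match is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Option60Config:
    """Models the offset/length window and matching mode of dhcp option-60
    (the sub-option form of the command is not modelled)."""
    offset: int = 0
    length: Optional[int] = None        # None: use the rest of the field
    direction: str = "domain-included"  # or "included-in-domain"
    match: str = "exact-match"          # or "partial-match"


def domain_from_delimiter(vendor_class: str, delimiter: str = "@") -> Optional[str]:
    """First rule: the string after the domain-name delimiter (default @)
    in the vendor-class field is the domain name."""
    _head, sep, tail = vendor_class.partition(delimiter)
    return tail if sep and tail else None


def domain_from_option60(vendor_class: str, cfg: Option60Config,
                         domains: List[str]) -> Optional[str]:
    """Second rule: compare the configured window of the vendor-class field
    with the configured domains, exactly or as a substring (fuzzy match)."""
    end = None if cfg.length is None else cfg.offset + cfg.length
    field = vendor_class[cfg.offset:end]
    if not field:
        return None
    for domain in domains:
        if cfg.match == "exact-match":
            hit = field == domain
        elif cfg.direction == "domain-included":
            hit = domain in field   # assumed: the domain name appears inside the field
        else:
            hit = field in domain   # assumed: the field is a fragment of the domain name
        if hit:
            return domain
    return None


def select_user_domain(vendor_class: str, cfg: Optional[Option60Config],
                       domains: List[str],
                       bas_authorization_domain: str) -> Tuple[str, str]:
    """Apply the rules in the guide's order and report which rule matched."""
    domain = domain_from_delimiter(vendor_class)
    if domain is not None:
        return domain, "vendor-class delimiter"
    if cfg is not None:  # dhcp option-60 is configured in the system view
        domain = domain_from_option60(vendor_class, cfg, domains)
        if domain is not None:
            return domain, "dhcp option-60"
    # Third rule: the authorization domain configured on the BAS interface
    return bas_authorization_domain, "BAS interface authorization domain"


if __name__ == "__main__":
    configured_domains = ["isp1", "isp2"]  # constructed
    for vc in ("stb@isp2", "XXisp2YY", "vendor-isp1-stb", "unknown"):
        print(vc, "->", select_user_domain(
            vc, Option60Config(offset=2, length=4), configured_domains, "isp1"))
```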
Context
When IP addresses are assigned from a remote address pool to Layer 2 access users, the
DHCP server identifies a carrier based on the remote ID carried in the Option 82 attribute of a
DHCP message. Therefore, you need to configure a device to insert Sub-option 2 (remote ID)
into the Option 82 attribute or replace Sub-option 2 carried in the Option 82 attribute of a
message to be sent to the DHCP server based on a fixed format. Self-defined character strings
can be encapsulated into Sub-option 2.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
Step 3 Run bas
The BAS interface view is displayed.
Step 4 Configure the format for encapsulating the Option 82 attribute into DHCP messages. Perform
the following steps as required. The following commands are mutually exclusive.
l Run dhcp option82 rebuild version3 send-to-server [ remote-id { neba | vula } ]
The device is enabled to encapsulate the Option 82 attribute into a message to be sent to
the DHCP server in a fixed format. In this format, self-defined contents cannot be
encapsulated into the Option 82 attribute.
The dhcp option82 rebuild version3 send-to-server command has a higher priority
than the dhcp option-82 agent-remote-id strip command.
l Run dhcp option82 rebuild version4 send-to-server
The device is enabled to encapsulate the Option 82 attribute in the format of
sysname:interface-name:svlan-cvlan into a message to be sent to the DHCP server.
l Run dhcp option82 rebuild self-define { circuit-id circuit-id-value | out-vlan out-vlan-value |
inner-vlan inner-vlan-value | remote-id remote-id-value } * send-to-server
The device is enabled to encapsulate the Option 82 attribute into a message to be sent to
the DHCP server based on the fixed OSP format. In this format, self-defined contents
can be encapsulated into the Option 82 attribute.
NOTE
The dhcp option82 rebuild send-to-server command takes effect only after DHCP proxy is enabled on
the BAS interface.
----End
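As an added example that is not the NE40E's code, the following Python builds a remote-id in the sysname:interface-name:svlan-cvlan format described for the version4 rebuild, inserts or replaces it as Sub-option 2 of Option 82 beside an existing circuit-id, and parses the option back with length checks that reject truncated or oversized encodings. The sysname, interface name, VLAN IDs and circuit-id value are constructed.

```python
"""Added example (not from the guide): DHCPv4 Option 82 with Sub-option 1
(circuit-id) and Sub-option 2 (remote-id). Sample values are constructed."""
from typing import Dict

OPTION_82 = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def build_remote_id_v4(sysname: str, interface: str, svlan: int, cvlan: int) -> bytes:
    """Remote-ID in the sysname:interface-name:svlan-cvlan format."""
    if not (1 <= svlan <= 4094 and 1 <= cvlan <= 4094):
        raise ValueError("VLAN IDs must be in 1..4094")
    return f"{sysname}:{interface}:{svlan}-{cvlan}".encode("ascii")


def encode_option82(suboptions: Dict[int, bytes]) -> bytes:
    """Encode the TLV: option code 82, total length, then sub-option TLVs."""
    body = b""
    for code, value in sorted(suboptions.items()):
        if not 0 <= code <= 255 or len(value) > 255:
            raise ValueError("sub-option code or length out of range")
        body += bytes([code, len(value)]) + value
    if len(body) > 255:
        raise ValueError("Option 82 exceeds 255 bytes")
    return bytes([OPTION_82, len(body)]) + body


def decode_option82(data: bytes) -> Dict[int, bytes]:
    """Parse an Option 82 TLV; every length is checked against the buffer."""
    if len(data) < 2 or data[0] != OPTION_82:
        raise ValueError("not an Option 82 TLV")
    length = data[1]
    if len(data) != 2 + length:
        raise ValueError("Option 82 length mismatch")
    subs: Dict[int, bytes] = {}
    pos, end = 2, 2 + length
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated sub-option header")
        code, sublen = data[pos], data[pos + 1]
        pos += 2
        if pos + sublen > end:
            raise ValueError("truncated sub-option value")
        if code in subs:
            raise ValueError(f"duplicate sub-option {code}")
        subs[code] = data[pos:pos + sublen]
        pos += sublen
    return subs


def is_malformed(data: bytes) -> bool:
    """True when decode_option82 rejects the buffer."""
    try:
        decode_option82(data)
    except ValueError:
        return True
    return False


def rebuild_remote_id(option82: bytes, new_remote_id: bytes) -> bytes:
    """Insert or replace Sub-option 2, keeping other sub-options (e.g. circuit-id)."""
    subs = decode_option82(option82)
    subs[SUBOPT_REMOTE_ID] = new_remote_id
    return encode_option82(subs)


if __name__ == "__main__":
    # Constructed values: a client-side Option 82 with a circuit-id and an old remote-id
    original = encode_option82({SUBOPT_CIRCUIT_ID: b"cid", SUBOPT_REMOTE_ID: b"old"})
    rid = build_remote_id_v4("HUAWEI", "GigabitEthernet0/1/0.1", 100, 200)
    print(decode_option82(rebuild_remote_id(original, rid)))
```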
Context
When the NE40E is being upgraded, DHCP users, unlike PPP users, cannot detect that the link
goes Down and dial up again. Therefore, these users do not redial to get online. Instead, the
terminal must be restarted to trigger a DHCP request so that the users can obtain IP addresses
to get online again. In the current upgrade solution, the address pool lease time is shortened at
the lease renewal time before the upgrade date. For example, if the address pool lease renewal
time is 1.5 days, the address pool lease is changed to 30 minutes and the lease renewal time is
changed to 15 minutes 1.5 days before the upgrade. This solution ensures that the terminal can
send lease renewal packets in a shorter period of time after the device is upgraded to allow
DHCP users to get online again.
Using the dhcp upgrade command in the system view to change the address lease for all
DHCP users attached to the device solves these problems.
Procedure
Step 1 Run system-view
Step 2 Run dhcp upgrade lease day [ hour [ minute ] ] [ renewal-time day [ hour [ minute ] ] ]
[ rebinding-time day [ hour [ minute ] ] ]
The address lease for all DHCPv4 users attached to the device is configured.
After the dhcp upgrade command is used, the lease configured in the system view takes
effect for new users, online users that need to renew the lease, users using addresses in local
address pools, and users using addresses delivered by a RADIUS server.
No configuration file will be generated after the dhcp upgrade command is used. To view the
configuration result, run the display dhcp upgrade command. The dhcp upgrade command
becomes invalid after the device restarts.
If a short lease is configured, a large number of users will renew their lease at the same time,
causing high CPU usage. Therefore, configuring a short lease is not recommended unless the
device needs to be upgraded.
----End
Context
When a user shuts down the STB and then restarts it immediately, the NE40E cannot detect
that the user goes offline and retains the user entry. When receiving the DHCPv4 Discover
packet that the STB sends after restart, the NE40E forces the user to go offline and waits until
the user sends a DHCPv4 Discover packet to obtain the address through DHCPv4.
Some STBs, however, send only one DHCPv4 Discover packet after they restart. In this case,
the users cannot go online after shutting down their STBs.
You can configure the function of transparently transmitting DHCPv4 packets to solve this
problem. Perform the following steps on the Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcp through-packet
The function of transparently transmitting DHCPv4 packets is configured.
----End
Context
In scenarios where IP addresses are assigned from a DHCP remote address pool, if a DHCP
client sends a Discover message to the DHCP server through a BRAS and the BRAS receives
a NAK message from the DHCP server, the BRAS discards the NAK message by default.
After the BRAS is enabled to transparently transmit NAK messages to clients, the clients can
be informed of login failures if parsing of NAK messages is supported on the client terminals.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcp through-nak
The BRAS is enabled to transparently transmit NAK messages sent by the DHCP server in
response to the Discover messages to DHCP clients in DHCP remote address pool scenarios.
----End
Context
If a private DHCPv4 server exists on the network, clients cannot obtain correct IP addresses
and thus cannot log in to the network because this private DHCPv4 server will interact with
the DHCPv4 clients during address application. Such a private DHCPv4 server is an
unauthorized DHCPv4 server.
The logs contain IP addresses of all the DHCPv4 servers that allocate IP addresses to clients.
By viewing these logs, the administrator can determine whether an unauthorized DHCPv4
server exists.
Perform the following steps on the NE40E that functions as a DHCPv4 server:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcp invalid-server-detecting [ interval ]
The interval at which unauthorized DHCPv4 servers are detected is configured.
If the interval at which unauthorized DHCPv4 servers are detected is 0, the NE40E does not
detect unauthorized DHCPv4 servers.
NOTE
You can perform this function on only the devices at the BAS side.
----End
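An added example, not from the guide: a check that reads address-assignment log lines and reports every DHCPv4 server that is not on the administrator's list of authorized servers, together with the client addresses it handed out. The log line format and all addresses are constructed for the example and do not reproduce the NE40E's own log format.

```python
"""Added example (not from the guide): flag DHCPv4 servers seen in assignment
logs that are not on the authorized-server list. Log format is constructed."""
import re
from collections import Counter
from ipaddress import AddressValueError, IPv4Address
from typing import Dict, Iterable, Iterator, Set, Tuple

# Constructed format: "<time> DHCP: server <ip> assigned <ip> to client <mac>"
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LOG_RE = re.compile(
    rf"server (?P<server>{_IPV4}) assigned (?P<client_ip>{_IPV4}) "
    r"to client (?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
)

# Constructed sample log: 10.1.1.1 is the authorized server, 192.168.77.9 is not
SAMPLE_LOG = """\
2018-12-05 10:00:01 DHCP: server 10.1.1.1 assigned 10.10.10.5 to client 00e0-fc12-3456
2018-12-05 10:00:02 DHCP: server 10.1.1.1 assigned 10.10.10.6 to client 00e0-fc12-3457
2018-12-05 10:00:03 DHCP: server 192.168.77.9 assigned 192.168.77.50 to client 00e0-fc12-3458
2018-12-05 10:00:04 DHCP: server 192.168.77.9 assigned 192.168.77.51 to client 00e0-fc12-3459
2018-12-05 10:00:05 DHCP: server 999.1.1.1 assigned 10.10.10.7 to client 00e0-fc12-3460
2018-12-05 10:00:06 some unrelated line
""".splitlines()


def parse_assignments(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (server, client_ip, mac) for each parsable line; skip the rest,
    including lines whose addresses are not valid IPv4."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            server = IPv4Address(m["server"])
            client_ip = IPv4Address(m["client_ip"])
        except AddressValueError:
            continue
        yield str(server), str(client_ip), m["mac"]


def find_unauthorized_servers(lines: Iterable[str],
                              authorized: Set[str]) -> Dict[str, Counter]:
    """Map each server absent from the allow-list to the client addresses it
    assigned: {server: Counter({client_ip: assignments})}."""
    allow = {str(IPv4Address(a)) for a in authorized}  # normalises the list
    hits: Dict[str, Counter] = {}
    for server, client_ip, _mac in parse_assignments(lines):
        if server in allow:
            continue
        hits.setdefault(server, Counter())[client_ip] += 1
    return hits


if __name__ == "__main__":
    for server, clients in find_unauthorized_servers(SAMPLE_LOG, {"10.1.1.1"}).items():
        print(f"unauthorized DHCPv4 server {server}: {sum(clients.values())} assignment(s)")
```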
Context
Before assigning an IP address to a client, the DHCPv4 server needs to detect whether the IP
address is used by another client. This prevents an IP address conflict.
NOTE
Perform the following steps on the NE40E that functions as a DHCPv4 server:
Procedure
Step 1 Run system-view
The longest time for the DHCPv4 server to wait for a ping response is configured.
The maximum number of ping packets sent by the DHCPv4 server is configured.
----End
Follow-up Procedure
The ping command is used to check whether there is a ping response from the IP address to
be assigned to a client within a specific time. If there is no response after a specific time, the
DHCPv4 server re-sends a ping packet to this IP address until the allowed maximum number
of ping packets is sent. If there is still no response, the DHCPv4 server considers that the IP
address is not in use. This ensures that a unique IP address is assigned to the client.
Context
Perform the following steps on the NE40E that functions as a DHCPv4 server:
Procedure
Step 1 Run system-view
----End
Follow-up Procedure
The NE40E can save the current DHCPv4 data to the storage device and restore the data from
the storage device when the NE40E fails.
DHCPv4 data is saved with a fixed file name on the storage device. Normally, the IP leasing
information is saved in the lease.txt file and the address conflict information is saved in the
conflict.txt file. Back up these two files to other directories because information in these files
is replaced regularly.
Context
Perform the following steps on the NE40E that functions as a DHCPv4 server:
NOTE
Procedure
Step 1 Run system-view
----End
Context
To implement authentication, authorization, and accounting for users separately, users must
use different IP addresses to go online. This requires the NE40E to detect whether the IP
address assigned to a new user conflicts with that of an online user. By default, if the NE40E
detects that the IP address assigned to a new user is the same as the IP address of an online
user, it sends a DHCP Decline message to the DHCP server. Then the new user cannot go
online, but the online user is not affected.
In scenarios in which IP addresses are assigned based on the Option 82 field that carries
physical location information of users and ARP probe is not configured, the online user is
required to go offline to allow the new user to go online. For example, if a CPE is replaced,
users attached to the old CPE will switch to the new CPE to go online. As their physical
location information remains the same, they will be assigned the same IP addresses as before.
However, if the previous IP address lease has not expired, the user information is retained.
Therefore, the NE40E considers that the users are already online and discards the user packets
sent from the new CPE. Subsequently, the users fail to go online through the new CPE. To
allow the users to go online through the new CPE, configure the NE40E to delete the previous
user information and deny new user access so that the users can be triggered to go online
again.
Procedure
Step 1 Run system-view
The NE40E is configured to log out an online user and deny access of a new user if it detects
that the IP address assigned to the new user from a remote address pool or by the RADIUS
server is the same as the IP address of the online user.
When both the dhcp conflict-ip-address offline and dhcp conflict-ip-address offline user
commands are run, and a new user is assigned the IP address of an online user from a remote
address pool and the two users are both IPv4/IPv6 dual-stack users, the dhcp conflict-ip-address
offline command configuration takes effect. Specifically, the NE40E will log out the
online user only from the IPv4 address after detecting the IPv4 address conflict.
----End
Context
By default, a device logs out a dual-stack user from only the IPv4 stack and sends a DHCPv4
NAK message to the user when the RADIUS server delivers a zero lease for the user's IPv4
address in a CoA message and the user sends a Request message to renew the lease. To enable
the device to log out a dual-stack user from both IPv4 and IPv6 stacks, run the dhcp coa-zero-lease
dual-cut command.
Procedure
Step 1 Run system-view
The device is enabled to log out a dual-stack user from both IPv4 and IPv6 stacks and sends a
DHCPv4 NAK message to the user when the RADIUS server delivers a zero lease for the
user's IPv4 address in a CoA message and the user sends a Request message to renew the
lease.
----End
Prerequisites
Adjustment of DHCPv4 parameters has been configured.
Procedure
l Run the display dhcp-server item ip-address [ vpn-instance vpn-instance ] command
to check information about a DHCPv4 server.
l Run the display dhcp server database command to check the storage path and file
information of the DHCPv4 data.
l Run the display dhcp upgrade command to check the lease configuration for DHCPv4
users to determine the time when the NE40E restarts.
----End
Example
Run the display dhcp-server item ip-address command, and you can view information about
a DHCPv4 server.
<HUAWEI> display dhcp-server item 1.2.3.4
IPAddress : 1.2.3.4
State : UP
Speed Limit : 0 packets / 0 seconds
Dead Count : 0
Timeout : 25(Sec)
Dead Time : 3(Min)
Nak Count : 10
Vpn Instance: yl
Run the display dhcp server database command, and you can view the saved path of the
DHCPv4 data.
<HUAWEI> display dhcp server database
Status: disable
Recover from files after reboot: disable
File saving lease items: cfcard:/dhcp/lease.txt
File saving conflict items: cfcard:/dhcp/conflict.txt
Save interval: 300 (seconds)
Run the display dhcp upgrade command, and you can view the configuration to determine
the time when the NE40E restarts.
<HUAWEI> display dhcp upgrade
DHCP upgrade: enable.
Lease time: 0days 0hours 30minutes
Renew time: 0days 0hours 15minutes
Rebind time:0days 0hours 22minutes
Access DHCP user count of new lease: 100
Access DHCP user count of old lease: 100
Access DHCP user count of infinite lease: 10
Max interval from current for old lifetime DHCP user renew: 0 days 0 hours 15 minutes
Context
DHCPv4 statistics cannot be restored after they are cleared. Exercise caution when running
reset commands.
Procedure
l Run the reset dhcp relay statistics [ interface interface-type interface-number
[ .subinterface-number ] ] command in the user view to clear the DHCPv4 relay statistics.
l Run the reset ip-pool max-usage [ pool [ pool-name ] | domain [ domain-name ] ]
command in the user view to clear the historical maximum usage of addresses in an IPv4
address pool.
l Run the reset ip-pool max-ratio domain command in the user view to clear statistics
about IP address pool usage in all domains on the device.
----End
Prerequisites
In routine maintenance, you can run the following command in any view to check the
DHCPv4 operating status.
Procedure
l Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-address ] ]
| all | used ] ] [ vpn-instance vpn-instance-name ] command to check the
configuration of the IP address pool.
l Run the display dhcp-server group [ group-name ] command to check the
configuration of the DHCPv4 server group.
l Run the display dhcp-server item ip-address [ vpn-instance vpn-instance ] command
to check information about a DHCPv4 server.
l Run the display dhcp-server statistics ip-address [ vpn-instance vpn-instance ]
[ verbose ] command to check the statistics on a DHCPv4 server.
l Run the display dhcp relay address { all | interface interface-type interface-number |
vlan vlan-id } command to check configurations about interfaces where DHCPv4 relay
is enabled.
l Run the display dhcp-access statistics packet command to check statistics about
DHCPv4 services.
l Run the display ip-pool max-usage { pool [ pool-name ] | domain [ domain-name ] }
command in any view to check the historical maximum usage of addresses in an IPv4
address pool.
----End
Context
NOTE
In actual networking, the license needs to be loaded. For details, see the HUAWEI NE40E-M2 Series
Universal Service Router Configuration Guide - System Management.
Networking Requirements
As shown in Figure 7-4, it is required that a local address pool be configured to assign IP
addresses to access users and the following requirements be met:
l The local address pool is used to assign IP addresses to users in the domain isp1.
l The IP addresses in the address pool range from 10.10.10.3 to 10.10.10.100, and the
gateway address is 10.10.10.2.
l The IP address of the DNS server is 10.20.20.1.
l The IP address of the interface GE3/0/0 which is connected to the DNS server is
10.20.20.2.
l Non-authentication and non-accounting are adopted by the user.
Figure 7-4 Networking diagram for address assignment based on the local address pool
(Diagram not reproduced. It shows the DNS Server 10.20.20.1, Interface1, Interface2,
Interface3, and the Internet.)
Configuration Roadmap
NOTE
Access users include IPoE users and PPPoE users. The address assignment for the two types of users
differs in the access mode. This section describes only the IPv4 address pool configurations. For details
about the IPoE access configuration, see Example for Configuring the Common IPoE Access
Service.
Data Preparation
To complete the configuration, you need the following data:
l Name of the address pool, range of the addresses in the pool, and IP addresses of the
gateway and the DNS server
l Name of the user domain
l Authentication mode and accounting mode
Procedure
Step 1 Configure the DHCPv4 server.
# Configure an address pool.
<HUAWEI> system-view
[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 10.10.10.2 255.255.255.0
[*HUAWEI-ip-pool-pool1] permit up-id 1024
[*HUAWEI-ip-pool-pool1] section 0 10.10.10.3 10.10.10.100
[*HUAWEI-ip-pool-pool1] dns-server 10.20.20.1
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit
# Configure the IP address of the interface GE3/0/0 which is connected to the DNS server.
[~HUAWEI] interface GigabitEthernet 0/3/0
[*HUAWEI-GigabitEthernet0/3/0] ip address 10.20.20.2 255.255.255.0
[*HUAWEI-GigabitEthernet0/3/0] commit
[~HUAWEI-GigabitEthernet0/3/0] quit
Pool-Name : pool1
Pool-No : 19
Pool-constant-index :-
Lease : 3 Days 0 Hours 0 Minutes
NetBois Type : N-Node
DNS-Suffix : -,
DNS1 :10.20.20.1
Position : Local Status : Unlocked
Gateway : 10.10.10.2 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT (conflicted)
---------------------------------------------------------------------------------------
ID   start         end            total  used  idle  CFLCT  disable  reserved  static-bind
---------------------------------------------------------------------------------------
0    10.10.10.3    10.10.10.100   98     0     98    0      0        0         0
---------------------------------------------------------------------------------------
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time, flow) : 0,60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time (second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : -
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
IP-address-pool-name : pool1
Quota-out : Offline
------------------------------------------------------------------------------
----End
Configuration Files
l Configuration file of HUAWEI
#
sysname HUAWEI
#
ip pool pool1 bas local
gateway 10.10.10.2 255.255.255.0
permit up-id 1024
section 0 10.10.10.3 10.10.10.100
dns-server 10.20.20.1
#
aaa
authentication-scheme huawei
authentication-mode none
#
accounting-scheme huawei1
accounting-mode none
#
domain isp1
authentication-scheme huawei
accounting-scheme huawei1
ip-pool pool1
#
interface GigabitEthernet0/1/0.1
user-vlan 1
bas
#
Networking Requirements
As shown in Figure 7-5, it is required that a remote address pool be configured to assign IP
addresses to access users and the following requirements be met:
l The remote address pool is used to assign IP addresses to users in the domain isp2.
l The Router, functioning as a relay agent, is connected to the DHCPv4 server through GE
3/0/0 whose IP address is 10.1.1.2/24.
l The IP address of the DHCPv4 server bound to the remote address pool is 10.1.1.1, and
no standby DHCPv4 server is deployed.
l Non-authentication and non-accounting are adopted by the user.
Figure 7-5 Networking diagram for address assignment based on the remote address pool
(Diagram not reproduced. It shows the DHCP Server 10.1.1.1, the Device with 10.1.1.2/24 on
Interface3, and subscriber@isp2.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a DHCPv4 server group and a remote address pool, and bind the address pool to
the DHCPv4 server group.
2. Configure the domain isp2 to which the user belongs, including the authentication mode
and the accounting mode.
3. Configure the BAS interface, including the user access mode.
Data Preparation
To complete the configuration, you need the following data:
l Name of the address pool
l IP address of the gateway
l Name of the user domain
l IP address of the interface that connects the Router to the DHCPv4 server
l User access mode
Procedure
Step 1 Configure the Router.
# Create a DHCPv4 server group.
<HUAWEI> system-view
[~HUAWEI] dhcp-server group group1
[*HUAWEI-dhcp-server-group-group1] dhcp-server 10.1.1.1
[*HUAWEI-dhcp-server-group-group1] commit
[~HUAWEI-dhcp-server-group-group1] quit
# Create a remote address pool, and bind the pool to the DHCPv4 server group.
[~HUAWEI] ip pool pool2 bas remote
[*HUAWEI-ip-pool-pool2] gateway 10.10.10.1 24
[*HUAWEI-ip-pool-pool2] dhcp-server group group1
[*HUAWEI-ip-pool-pool2] commit
[~HUAWEI] quit
[~HUAWEI-GigabitEthernet0/1/0.1] quit
Group-Name : group1
Release-Agent : Support
Primary-Server : 10.1.1.1
Vpn instance : --
Weight : 0
Status : up
Secondary-Server : --
Vpn instance : --
Weight : 0
Status : up
Algorithm : master-backup
Source : --
Giaddr : --
Pool-Name : pool2
Pool-No : 0
Pool-constant-index :-
DHCP-Group : group1
Position : Remote Status : Unlocked
Gateway : 10.10.10.1 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT (conflicted)
---------------------------------------------------------------------------------------
ID   start         end            total  used  idle  CFLCT  disable  reserved  static-bind
---------------------------------------------------------------------------------------
0    10.10.10.0    10.10.10.255   256    0     256   0      0        0         0
---------------------------------------------------------------------------------------
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
Ancp auto qos adapt : Disable
RADIUS-server-template : -
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
IP-address-pool-name : pool2
Quota-out : Offline
------------------------------------------------------------------------------
----End
Configuration Files
l Configuration file of Router
#
sysname HUAWEI
#
dhcp-server group group1
dhcp-server 10.1.1.1
#
ip pool pool2 bas remote
gateway 10.10.10.1 255.255.255.0
dhcp-server group group1
#
aaa
authentication-scheme default0
#
accounting-scheme default0
#
domain isp2
authentication-scheme default0
accounting-scheme default0
ip-pool pool2
#
interface GigabitEthernet0/1/0.1
undo shutdown
user-vlan 1
bas
#
access-type layer2-subscriber default-domain authentication
isp2
authentication-method bind
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
return
This section describes how to assign IPv6 addresses to access users and manage these IPv6
addresses.
This section describes how to configure the NE40E to use DHCPv6 (IA_NA) to allocate IPv6
addresses when the CPE works in bridging mode.
8.10 Configuring DHCPv6 (IA_PD) Prefix Allocation
This section describes how to configure the NE40E to allocate prefixes to the CPE when the
CPE works in unnumbered routing mode. The CPE allocates the prefixes to the attached host
to generate IPv6 addresses.
8.11 Configuring DHCPv6 (IA_NA+IA_PD) Address Allocation
This section describes how to configure the NE40E to use DHCPv6 to allocate IPv6 addresses
and prefixes to the WAN interface on the CPE when the CPE works in numbered routing
mode. The CPE sends the prefixes to the attached hosts for them to generate IPv6 addresses.
8.12 Configuring NDRA Address Allocation
This section describes how to configure the NE40E to use ND to allocate IPv6 addresses
when the CPE works in bridging mode.
8.13 Configuring NDRA+DHCPv6 (IA_PD) Address Allocation
This section describes how to configure the NE40E to use ND to allocate IPv6 addresses to
the WAN interfaces on the CPE and use DHCPv6 (IA_PD) to allocate prefixes to the CPE
when the CPE works in numbered routing mode. The CPE allocates the prefixes to the
attached hosts to generate IPv6 addresses.
8.14 Maintaining IPv6 Address Management
8.15 Configuration Examples for IPv6 Address Management
This section provides several examples of IPv6 address management. Each configuration
example includes the networking requirements, configuration notes, and configuration
roadmap.
The NE40E allows a user to access the network by configuring a fixed IP address, receiving
an IPv6 address from the RADIUS server or obtaining an IP address dynamically.
Restrictions: IP addresses cannot be reserved based on MAC addresses in scenarios where DHCPv6 and PPPoEv6 users have the same MAC address and one-to-many mapping between one MAC address and multiple sessions is configured for PPPoEv6 users.
Guidelines: Do not deploy these services at the same time.
Impact: If a user has been online, a new user with the same MAC address as the online user cannot go online. If the user has been offline, the reserved address is occupied by a new user with the same MAC address as the offline user.

Restrictions: You can run the reserved prefix command to configure a reservation type for the prefixes in a delegation prefix pool. The following reservation types are supported: MAC address-based reservation, MAC address and lease-based reservation, DUID-based reservation, and DUID and lease-based reservation.
l When ND assigns IPv6 prefixes in unshared mode, MAC-based reservation does not take effect for L2TP users because LNS-side users have no MAC address. IPoE and PPPoE support MAC-based reservation only.
l When DHCPv6 uses IA_PD options to assign IPv6 prefixes to L2TP users, prefix reservations based on MAC addresses and based on MAC addresses+leases are not supported.
l IPv6 prefixes delivered by RADIUS servers cannot be reserved.
l Prefix reservations are not supported when one MAC address maps to multiple sessions for PPPoE users.
Guidelines: None
Impact: Users cannot use reserved prefixes to go online.
Usage Scenario
When users access the NE40E, it functions as a DHCPv6 relay agent and forwards user
address requests to the remote DHCPv6 servers. Configuring multiple DHCPv6 servers is
recommended to perform redundancy backup and load balancing among the remote servers.
The DHCPv6 server group must be bound to the remote address pool. This binding shields the
interactions between NE40E and DHCPv6 servers from the client.
Figure 8-1 Networking diagram of the NE40E as a DHCPv6 relay agent on user side
(Figure elements: HOST, CPE, access network, DHCPv6 relay agent, backbone network, DHCPv6 server, DNS server)
Pre-configuration Tasks
The remote DHCPv6 servers have been deployed.
Configuration Procedures
Figure 8-2 Flowchart for configuring a DHCPv6 relay agent on the user side
(Flowchart elements: Configuring a Remote IPv6 Prefix Pool; legend: Mandatory, Optional)
Context
Perform the following steps on the NE40E.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipv6 prefix prefix-name remote
A remote IPv6 prefix pool is created and the IPv6 prefix pool view is displayed.
Step 3 Run link-address ipv6-address / prefix-length
The link address is configured.
When the remote server allocates addresses or prefixes, link addresses must be configured on
the relay.
Step 4 (Optional) Run lock
The IPv6 prefix pool is locked.
No prefix in the locked IPv6 prefix pool can be allocated, preventing new users from getting
online using the IPv6 prefix pool.
This command applies to a scenario where the IPv6 prefix pool cannot be deleted because it is
being used by online users. Lock the IPv6 prefix pool first to stop it from allocating prefixes.
The prefixes in the IPv6 prefix pool will be released when the users get offline. Then the IPv6
prefix pool can be deleted.
Step 5 (Optional) Run vpn-instance vpn-instance-name
The VPN instance is configured for the prefix pool.
Step 6 Run remote-ip lease manage
The lease management function is enabled for the remote ipv6 prefix pool.
Step 7 Run commit
The configuration is committed.
----End
Context
Perform the following steps on the NE40E.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipv6 pool pool-name bas remote
An IPv6 address pool is created, and the IPv6 address pool view is displayed.
Step 3 Run prefix prefix-name
The IPv6 address pool is bound to the IPv6 prefix pool.
Step 4 (Optional) Run preference preference-value
A priority value is set for the IPv6 address pool.
Step 5 Run export host-route
Advertisement of the routes in the remote address pool is enabled.
Step 6 (Optional) Configure the device to assign addresses from IPv6 remote address pools based on
weights of the address pools.
1. Run weight weight-value
A weight is configured for the IPv6 address pool.
2. Run commit
The configuration is committed.
3. Run quit
Return to the system view.
4. Run ipv6-pool algorithm loading-share remote
The device is configured to assign addresses from IPv6 remote address pools based on
their weights.
NOTE
This function applies only to IPv6 remote address pools and local rui-slave address pools.
----End
Context
Perform the following steps on Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcpv6-server group group-name
A DHCPv6 server group is created and the DHCPv6 server group view is displayed.
Step 3 Run dhcpv6-server { destination ipv6-address [ vpn-instance vpn-instance ] | interface interface-type interface-number } [ weight weight-value ]
NOTE
– The dhcpv6 relay option-insert mode type1 [ remote-id { neba | vula } ] and dhcpv6 relay
option-insert { interface-id mode { cn-telecom | tr-101 } | remote-id } commands are
mutually exclusive.
– The dhcpv6 relay option-insert mode type1 command takes effect in real time. After the
command is run on an interface, the command configuration takes effect for online users on
the interface.
3. Run quit
Return to the system view.
Step 9 (Optional) Run dhcpv6-server [ ipv6-address [ vpn-instance vpn-instance ] ] { dead-count dead-count | timeout timeout-value | dead-time dead-time } *
The thresholds for status (Up/Down) switchover of a DHCPv6 server are configured.
The rate at which Solicit packets are sent to the DHCPv6 server is configured.
----End
Context
Perform the following steps on NE40E.
Procedure
Step 1 Run system-view
----End
Prerequisites
The address pool to be bound has been created and bound to a prefix pool.
Context
Perform the following steps on Router.
Procedure
Step 1 Run system-view
The threshold for the usage of IPv6 addresses and prefixes is configured.
----End
Context
When IPv6 addresses are assigned from a remote IPv6 address pool, you can configure the
device to insert the self-defined Option 18 and Option 37 attributes into Relay-forward
messages to be sent to the DHCPv6 server.
Option 18 identifies the interface on which client messages are received on a DHCP relay
agent, facilitating the forwarding of Relay-reply messages. The DHCP server can also assign
addresses/prefixes based on the Option 18 attribute, which plays a similar role as the circuit-id
sub-attribute carried in the Option 82 attribute of DHCP messages.
A DHCP relay agent inserts additional information about remote users into the Option 37
attribute, which plays a similar role as remote-id sub-attribute carried in the Option 82
attribute of DHCP messages.
Procedure
Step 1 Run system-view
The device is enabled to insert the self-defined Option 18 attribute into a Relay-forward
message to be sent to the DHCPv6 server.
The device is enabled to insert the self-defined Option 37 attribute into a Relay-forward
message to be sent to the DHCPv6 server.
----End
Procedure
l Run the display ipv6 pool [ pool-name ] command to check the IPv6 address pool
configurations.
l Run the display ipv6 prefix [ prefix-name [ all | used ] ] command to check the IPv6
prefix pool configurations.
l Run the display dhcpv6-server statistics { ipv6-address [ vpn-instance vpn-instance ] | interface interface-type interface-number } command to check packet statistics on a DHCPv6 server.
l Run the display dhcpv6-server item { ipv6-address [ vpn-instance vpn-instance ] |
interface interface-type interface-number } command to check information about the
DHCPv6 server.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
Usage Scenario
DHCPv6 PD is used to manage and configure IPv6 network segments.
On an IPv4 network, the NE40E uses DHCPv4 to allocate IPv4 addresses to the CPE; the
CPE allocates private IPv4 addresses to home users and forwards IPv4 packets through NAT.
On an IPv6 network, all users can obtain global unicast addresses. The CPE working in
unnumbered mode uses DHCPv6 to obtain the prefixes from the NE40E and allocates IPv6
addresses to the host.
(Figure elements: DHCPv6-PD across the access network; Requesting, Delegating, DeviceA, DeviceB)
Pre-configuration Tasks
Before configuring the NE40E as a delegating router, enable IPv6 on interfaces.
Configuration Procedures
(Flowchart legend: Mandatory, Optional)
Context
When the NE40E functions as a DHCPv6 server, the DHCPv6 server DUID should be configured.
When the NE40E functions as a DHCPv6 relay agent and encapsulates Option 37 into Relay-forward packets, the DHCPv6 server DUID should be configured.
Procedure
Step 1 Run system-view
When a DHCPv6 client interacts with a DHCPv6 server, each of the client and server is
identified by a unique DUID. A DHCPv6 server identifies a DHCPv6 client with a client
DUID and uses the client DUID in the local address allocation; a DHCPv6 client identifies a
DHCPv6 server with a server DUID.
----End
Context
l Prefix configuration
Only one prefix and one mask can be configured for a local prefix pool. The mask length
ranges from 1 bit to 128 bits.
l Prefix locking configuration
After a prefix pool is locked, the leases of prefixes that have been allocated cannot be
extended and new addresses cannot be allocated.
l Address conflict resolution configuration
If an IPv6 address status conflict is resolved, the address can be allocated to another user.
l Binding an IPv6 prefix pool to a VPN instance
After a prefix pool is bound to a VPN instance, prefixes in the prefix pool can be
allocated to VPN users.
l Prefix lease configuration
A preferred prefix lifetime and valid prefix lifetime can be configured. The default value
for the preferred prefix lifetime is 2 days, and the default value for the valid prefix
lifetime is 3 days. The preferred prefix lifetime is used to limit the lease renewal time
and rebinding time. By default, the lease renewal time accounts for 50% of the preferred
prefix lifetime, and rebinding time accounts for 80% of the preferred lifetime. The valid
prefix lifetime specifies the validity period in which an address can be used.
l Address reservation configuration
Addresses in the local prefix pool have four reservation types:
– 1: MAC reservation
– 2: MAC+lease-based reservation
– 3: DUID reservation
– 4: DUID+lease-based reservation
l Address withdrawal
The address of an offline user can be withdrawn using the command.
l Exclusive prefix pool configuration
The delegation prefix pool can be used to allocate unshared prefixes to ND users or
prefixes only to DHCPv6 (IA_PD) users.
l Prefix exclusion
In complex network planning, some IPv6 prefixes cannot be allocated to users.
l Address exclusion
In complex network planning, some IPv6 addresses cannot be allocated to users.
Perform the following steps on the NE40E.
Procedure
Step 1 Run system-view
The delegation prefix pool is configured only for DHCPv6 IA_PD prefix allocation.
Step 10 (Optional) Run dhcpv6-unshare-only
The prefix pool is configured to assign only IPv6 addresses, not prefixes, to users.
NOTE
To enable the NE40E to manage the leases of RADIUS-delivered IPv6 addresses that are not in the supported
address pools, run the access frame-ipv6 lease manage pool-exclude command in the system view.
----End
Context
l Prefix binding
A prefix pool can be bound to only one address pool. Similarly, an address pool can be
bound to only one prefix pool. Table 8-1 shows the binding between address pools and
prefix pools.
l Priority configuration
Among address pools of the same type, the greater the preference value of a pool, the higher its priority.
In NDRA address allocation mode, BAS local address pools are used to allocate shared
prefixes, while BAS delegation address pools are used to allocate unshared prefixes. A
BAS delegation address pool configured with slaac-unshare-only takes precedence over
other BAS delegation address pools.
l Address pool binding configuration
An IPv6 address pool whose addresses are in use cannot be deleted. To delete an IPv6
address pool, first run the lock command in the IPv6 address pool view to lock the pool
and then delete it after all online users have logged out.
l DNS suffix configuration
Only one domain name suffix can be set for an IPv6 address pool.
l DNS server configuration
A maximum of two DNS servers can be bound to an IPv6 address pool.
l Address lease configuration
If an IPv6 address pool has been bound to a domain, the address lease cannot be
changed.
Procedure
Step 1 Run system-view
An IPv6 address pool is created, and the view of the IPv6 address pool is displayed.
A DNS server is specified for an IPv6 address pool. An IPv6 address is used to specify a DNS
server.
A lease renewal time and rebinding time are set for the IPv6 address pool.
By default, the renewal time for an IPv6 address pool is 50% of the preferred lifetime and the
rebinding time is 80% of the preferred lifetime.
Step 8 (Optional) Run option code { ipv6-address ipv6-address &<1-2> | string string | hex hex-string | { suboption subcode { ipv6-address ipv6-address | string string | hex hex-string } } &<1-16> }
A DHCPv6 user-defined option is configured.
Step 9 Run commit
The configuration is committed.
----End
Prerequisites
An IPv6 delegation address pool has been configured.
Context
Perform the following steps on Router:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
A domain is created and the AAA domain view is displayed.
Step 4 Run ipv6-pool pool-name
An IPv6 delegation address pool is bound to the domain.
Step 5 (Optional) Run ipv6-warning-threshold { upper-limit-value | lower-limit lower-limit-value }
Threshold for the usage of IPv6 addresses and prefixes is configured.
Step 6 (Optional) Run prefix-assign-mode unshared
IPv6 prefix allocation mode is set to unshared mode. IPv6 users do not share the same IPv6
prefix.
Step 7 (Optional) Configure different users of a home connected to the network through a hub to
communicate with each other directly rather than through a BRAS.
NOTE
You must run the dhcpv6-unshare-only command in the IPv6 prefix pool view before performing this
step.
The device is configured to assign IPv6 addresses to users based on the Option 18 or
Option 37 attribute.
2. Run ipv6 nd ra link-prefix
The device is configured to send RA packets carrying the first 64 bits of the addresses
assigned to IPv6 users as on-link prefixes.
Step 8 Run commit
The configuration is committed.
----End
Procedure
l Run the display ipv6 pool [ pool-name ] command to check the IPv6 address pool
configurations.
l Run the display ipv6 prefix [ prefix-name [ all | used | start-ipv6-prefix [ end-ipv6-prefix ] ] ] command to check the IPv6 prefix pool configurations.
l Run the display dhcpv6 upgrade command to check the lease configuration for
DHCPv6 users to determine the time when the device restarts.
l Run the display dhcpv6-access user-table command to query the detailed information
about online DHCPv6 users.
l Run the display dhcpv6-access statistic command to check statistics about packets
exchanged between users and the DHCPv6 server.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-threshold } command to check information about domains whose IPv6 address pool or prefix pool usage exceeds a specified threshold.
----End
Example
Run the display ipv6 pool command to view brief information about all IPv6 address pools.
<HUAWEI> display ipv6 pool
----------------------------------------------------------------------
Pool name : lj
Pool No : 3
Pool constant index: -
Pool type : BAS LOCAL
RUI-Flag : -
Preference : 255
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : infinite
Used by domain : 0
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : -
Dns server slave : -
AFTR name : -
Warning Threshold : 10
Warning Exhaust Switch: TRUE
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
lj LOCAL
----------------------------------------------------------------------
Run the display ipv6 prefix command to view the configuration of all IPv6 prefix pools.
<HUAWEI> display ipv6 prefix
-------------------------------------------------------------------------------
Index  Name     Address/Length   Type         Constant-index
-------------------------------------------------------------------------------
0      dg       2021::/46        DELEGATION   -
1      dl       -                REMOTE       -
2      dpc      2011::/64        LOCAL        -
3      god6     2012::/64        LOCAL        -
4      prefix1  -                LOCAL        -
5      tt       1000::/64        LOCAL        -
6      wm       1111::/64        LOCAL        -
7      ww       2222::/46        DELEGATION   -
-------------------------------------------------------------------------------
Total created prefix pool(s): 8
Run the display dhcpv6 upgrade command to view the leases of DHCPv6 users.
<HUAWEI> display dhcpv6 upgrade
DHCPv6 upgrade: enable.
Preferred lifetime: 0days 0hours 30minutes
Valid lifetime: 0days 1hours 0minutes
Renew time percent: 50%
Rebind time percent:80%
Renew time: 0days 0hours 15minutes
Rebind time: 0days 0hours 24minutes
Access DHCPv6 user count of new lifetime: 100
Access DHCPv6 user count of old lifetime: 100
Access DHCPv6 user count of infinite lifetime: 10
Max interval from current for old lifetime DHCPv6 user renew: 0days 0hours 15minutes
Run the display dhcpv6-access user-table command to view detailed information about the DHCPv6 user whose user-id is 2.
<HUAWEI> display dhcpv6-access user-table user-id 2
-------------------------------------------------------------------
Interface : GigabitEthernet0/1/0.3
SVLAN/CVLAN : 3/0
User Link-Local Address : FE80::202:1FF:FE01:10C
User Address Type : IA_NA
DNS search list : -
AFTR name : -
Option15 : 01 02 03 04 05 06 07 08 09
User DUID : 00 03 00 01 00 02 01 01 01 0C
User MAC Address : 0002-0101-010C
User-ID : 2
Index : 1
User State : ONLINE
VPN Instance : -
Session ID : 2147483649
Client DUID to Remote Server : 00 02 00 00 07 DB FF FF 80 00 00 01 01 01 01 01 01 01 00 00
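The two DUIDs in the output above have the standard RFC 8415 layouts (the user DUID is a DUID-LL, the one presented to the remote server a DUID-EN), which is what a DUID-based prefix reservation binds to. The following decoder is an added example, not Huawei code: it parses both DUIDs as printed by the CLI and cross-checks the link-layer address embedded in the DUID-LL against the displayed User MAC Address, making explicit that a MAC-based and a DUID-based reservation identify the same client only when the DUID actually carries that MAC.

```python
"""Parse the DUIDs printed by display dhcpv6-access user-table.

Added example, not Huawei code. DUID layouts follow RFC 8415 section 11; the
two DUIDs and the MAC below are copied from the manual's sample output.
"""
from dataclasses import dataclass
from typing import Optional

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_ETHERNET = 1  # IANA hardware type number for Ethernet

# Values copied from the manual's `display dhcpv6-access user-table user-id 2` output.
USER_DUID = "00 03 00 01 00 02 01 01 01 0C"
USER_MAC = "0002-0101-010C"
CLIENT_DUID_TO_SERVER = "00 02 00 00 07 DB FF FF 80 00 00 01 01 01 01 01 01 01 00 00"


@dataclass(frozen=True)
class Duid:
    duid_type: int
    hw_type: Optional[int] = None        # DUID-LLT / DUID-LL
    time: Optional[int] = None           # DUID-LLT: seconds since 2000-01-01 UTC, mod 2**32
    link_layer: Optional[bytes] = None   # DUID-LLT / DUID-LL
    enterprise: Optional[int] = None     # DUID-EN: IANA private enterprise number
    identifier: Optional[bytes] = None   # DUID-EN: vendor-assigned identifier
    uuid: Optional[bytes] = None         # DUID-UUID


def hexdump_to_bytes(text: str) -> bytes:
    """Turn the space-separated hex the CLI prints (possibly line-wrapped) into bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_duid(raw: bytes) -> Duid:
    """Decode one DUID; raises ValueError on a truncated or unknown DUID."""
    if len(raw) < 2:
        raise ValueError("DUID shorter than the 2-byte type field")
    duid_type = int.from_bytes(raw[:2], "big")
    if duid_type == DUID_LLT:
        if len(raw) < 8:
            raise ValueError("DUID-LLT needs hardware type and time fields")
        return Duid(duid_type, hw_type=int.from_bytes(raw[2:4], "big"),
                    time=int.from_bytes(raw[4:8], "big"), link_layer=raw[8:])
    if duid_type == DUID_EN:
        if len(raw) < 6:
            raise ValueError("DUID-EN needs a 4-byte enterprise number")
        return Duid(duid_type, enterprise=int.from_bytes(raw[2:6], "big"),
                    identifier=raw[6:])
    if duid_type == DUID_LL:
        if len(raw) < 4:
            raise ValueError("DUID-LL needs a hardware type field")
        return Duid(duid_type, hw_type=int.from_bytes(raw[2:4], "big"),
                    link_layer=raw[4:])
    if duid_type == DUID_UUID:
        if len(raw) != 18:
            raise ValueError("DUID-UUID is exactly 2 + 16 bytes")
        return Duid(duid_type, uuid=raw[2:])
    raise ValueError(f"unknown DUID type {duid_type}")


def cli_mac(link_layer: bytes) -> str:
    """Render a 6-byte address the way the CLI does: XXXX-XXXX-XXXX."""
    if len(link_layer) != 6:
        raise ValueError("expected a 6-byte Ethernet address")
    h = link_layer.hex().upper()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def duid_matches_mac(duid: Duid, displayed_mac: str) -> bool:
    """True only for a DUID that embeds an Ethernet address equal to the displayed MAC.

    DUID-EN and DUID-UUID carry no MAC at all, so for such clients a MAC-based
    reservation and a DUID-based reservation bind to unrelated identifiers.
    """
    if duid.link_layer is None or duid.hw_type != HW_ETHERNET:
        return False
    return len(duid.link_layer) == 6 and cli_mac(duid.link_layer) == displayed_mac.upper()


if __name__ == "__main__":
    user = parse_duid(hexdump_to_bytes(USER_DUID))
    print(user, duid_matches_mac(user, USER_MAC))          # DUID-LL, True
    relayed = parse_duid(hexdump_to_bytes(CLIENT_DUID_TO_SERVER))
    print(relayed.enterprise, relayed.identifier.hex())    # 2011, 14-byte identifier
```

The enterprise number 0x07DB decodes to 2011, the IANA private enterprise number registered to Huawei, so the DUID the BRAS presents to the remote server is a vendor-assigned DUID-EN rather than anything derived from the client's MAC.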
Run the display dhcpv6-access statistic command to view statistics about packets exchanged between users and the DHCPv6 server.
<HUAWEI> display dhcpv6-access statistic
-------------------------------------------------------------------------
Received Packets
-------------------------------------------------------------------------
Total Packets : 40
-------------------------------------------------------------------------
Sent Packets
-------------------------------------------------------------------------
Total Packets : 18
Sent to Clients : 18
Advertise Packets : 8
Reply Packets : 10
Sent to Servers : 0
Solicit Packets : 0
Request Packets : 0
Renew Packets : 0
Rebind Packets : 0
Confirm Packets : 0
Release Packets : 0
Decline Packets : 0
-------------------------------------------------------------------------
Run the display ipv6-pool max-ratio domain command to view information about IPv6
address pool or prefix pool usage in all domains on the device.
<BASE_VNFC1> display ipv6-pool max-ratio domain
----------------------------------------------------------------------------
Domain name:
Address Current Max Time
NDRA Unshared Prefix Current Max Time
Delegation Prefix Current Max Time
----------------------------------------------------------------------------
isp2
10% 40% 2012-08-07 15:31:50
0 0 -
0 0 -
----------------------------------------------------------------------------
Context
l Transparent transmission of DHCPv6 packets and the rate threshold at which Solicit packets are sent
When the NE40E receives a DHCPv6 Solicit packet from a user terminal that is already online, it forces the user offline and waits until the user sends another DHCPv6 Solicit packet to obtain an address through DHCPv6.
If a user terminal that does not support retransmission of DHCP Solicit packets is restarted immediately after a user logout, the NE40E is unable to detect the logout event. In this case, run the dhcpv6 through-packet command to enable transparent transmission of DHCPv6 packets so that the user can log in to the NE40E normally.
The dhcpv6 solicit-speed-threshold command is used when the rate at which users go online needs to be limited.
l DHCPv6 server unicast mode and two-message exchange between a DHCPv6 client and
a DHCPv6 server
The dhcpv6 unicast-option command must be run if the DHCPv6 server needs to
communicate with DHCPv6 clients in unicast mode.
In certain situations, for example, when a DHCPv6 client retains the last IP address it
was allocated, the client can obtain an IP address through a rapid two-message exchange
if the Solicit packet sent from the client contains the Rapid Commit option and the server
also supports this option.
Procedure
l Configure transparent transmission of DHCPv6 packets.
a. Run system-view
The more solicit packets are sent within a specified time period, the faster users go
online.
l Configure DHCPv6 server unicast mode and two-message exchange between a DHCPv6
client and a DHCPv6 server.
a. Run system-view
This command run in the system view allows all DHCPv6 clients with the Rapid
Commit option to obtain IP addresses through a rapid two-message exchange.
Without this command run in the system view, the dhcpv6 rapid-commit
command configured in the view of the IPv6 address pool allocated by the client
determines whether to use a rapid two-message exchange.
c. Run ipv6 pool pool-name { bas { local | delegation | relay } }
An IPv6 address pool is created, and the IPv6 address pool view is displayed.
d. (Optional) Run dhcpv6 unicast-option
Unicast mode is configured on the DHCPv6 server. The DHCPv6 server can then receive unicast DHCPv6 messages and instruct the DHCPv6 clients to communicate with it in unicast mode.
e. (Optional) Run dhcpv6 rapid-commit
----End
Context
In DHCPv6 scenarios, Layer 2 relay agents insert Option 37 into the relay header of Relay-forward messages. When the NE40E receives such Relay-forward messages, it can parse Option 37. However, if Layer 2 relay agents insert Option 37 into DHCPv6 Solicit or Request messages instead of the relay header of Relay-forward messages, the NE40E can parse Option 37 only if it is 10 or 16 bytes long. In this case, configure the NE40E to parse Option 37 of any format in DHCPv6 Solicit or Request messages.
Procedure
Step 1 Run system-view
The NE40E is enabled to parse Option 37 of any format in DHCPv6 Solicit or Request
messages.
----End
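The Option 18 and Option 37 handling described in the two contexts above (insertion into the Relay-forward relay header, and the 10- or 16-byte restriction when a Layer 2 relay puts Option 37 straight into a Solicit or Request) is easiest to see on a decoded message. The parser below is an added example, not Huawei code; the message layouts follow RFC 8415 and RFC 4649, the sample messages are constructed here, and the interface name, link/peer addresses, transaction ID and enterprise number are assumed sample values.

```python
"""Walk a DHCPv6 Relay-forward and the Solicit it carries; extract Option 18 and 37.

Added example, not Huawei code. Layouts follow RFC 8415 (Relay-forward header,
OPTION_RELAY_MSG) and RFC 4649 (OPTION_REMOTE_ID). Sample values are constructed;
the 10/16-byte rule is the default the manual states for Option 37 inside a
Solicit/Request message.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SOLICIT, RELAY_FORW = 1, 12
OPT_CLIENTID, OPT_RELAY_MSG, OPT_INTERFACE_ID, OPT_REMOTE_ID = 1, 9, 18, 37
RELAY_HDR_LEN = 1 + 1 + 16 + 16   # msg-type, hop-count, link-address, peer-address


@dataclass
class Message:
    msg_type: int
    options: Dict[int, List[bytes]] = field(default_factory=dict)
    inner: Optional["Message"] = None   # message carried in OPTION_RELAY_MSG, if any


def parse_options(data: bytes) -> Dict[int, List[bytes]]:
    """Decode the code/length/value option list; a truncated option is an error."""
    opts: Dict[int, List[bytes]] = {}
    pos = 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + length > len(data):
            raise ValueError(f"option {code} overruns the message")
        opts.setdefault(code, []).append(data[pos:pos + length])
        pos += length
    return opts


def parse_message(raw: bytes) -> Message:
    """Parse a relay or client message, descending into the Relay Message option."""
    if not raw:
        raise ValueError("empty message")
    if raw[0] == RELAY_FORW:
        if len(raw) < RELAY_HDR_LEN:
            raise ValueError("short Relay-forward header")
        msg = Message(raw[0], parse_options(raw[RELAY_HDR_LEN:]))
    else:
        if len(raw) < 4:   # msg-type + 3-byte transaction-id
            raise ValueError("short client message header")
        msg = Message(raw[0], parse_options(raw[4:]))
    carried = msg.options.get(OPT_RELAY_MSG)
    if carried:
        msg.inner = parse_message(carried[0])
    return msg


def decode_remote_id(opt: bytes) -> Tuple[int, bytes]:
    """Option 37 = 4-byte enterprise number followed by the remote-id bytes."""
    if len(opt) < 4:
        raise ValueError("Option 37 shorter than its enterprise-number field")
    return int.from_bytes(opt[:4], "big"), opt[4:]


def option37_parsed_by_default(opt: bytes) -> bool:
    """Manual: Option 37 inside a Solicit/Request is parsed only at 10 or 16 bytes
    unless any-format parsing is enabled; in a Relay-forward header any length is parsed."""
    return len(opt) in (10, 16)


def build_option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data

def build_solicit(xid: int, options: bytes) -> bytes:
    return bytes([SOLICIT]) + xid.to_bytes(3, "big") + options

def build_relay_forward(link: str, peer: str, options: bytes, hop_count: int = 0) -> bytes:
    return (bytes([RELAY_FORW, hop_count]) + ipaddress.IPv6Address(link).packed
            + ipaddress.IPv6Address(peer).packed + options)


# Constructed sample: the host's Solicit (client DUID as in the manual's user-table
# output) wrapped by a relay that adds Option 18 and a 10-byte Option 37.
SAMPLE_REMOTE_ID = (2011).to_bytes(4, "big") + bytes.fromhex("00020101010c")
SAMPLE_RELAY_FORW = build_relay_forward(
    "2001:db8:1::1", "fe80::202:1ff:fe01:10c",
    build_option(OPT_INTERFACE_ID, b"GigabitEthernet0/1/0.3")
    + build_option(OPT_REMOTE_ID, SAMPLE_REMOTE_ID)
    + build_option(OPT_RELAY_MSG, build_solicit(
        0x123456, build_option(OPT_CLIENTID, bytes.fromhex("0003000100020101010c")))))


def relay_identity(msg: Message) -> Dict[str, object]:
    """Collect Option 18/37 from the relay header, else from the client message
    (the Layer 2 relay case the manual describes)."""
    where, holder = "relay-header", msg
    if msg.msg_type != RELAY_FORW:
        where = "client-message"
    elif OPT_REMOTE_ID not in msg.options and msg.inner is not None:
        where, holder = "client-message", msg.inner
    info: Dict[str, object] = {"where": where}
    if OPT_INTERFACE_ID in holder.options:
        info["interface_id"] = holder.options[OPT_INTERFACE_ID][0]
    if OPT_REMOTE_ID in holder.options:
        opt = holder.options[OPT_REMOTE_ID][0]
        info["enterprise"], info["remote_id"] = decode_remote_id(opt)
        info["parsed_by_default"] = where == "relay-header" or option37_parsed_by_default(opt)
    return info
```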
Context
When the NE40E is being upgraded, DHCPv6 users cannot detect that the link goes down and redial as PPP users do. Therefore, these users do not redial to get online. Instead, the terminal must be restarted to trigger a DHCPv6 request so that the users can obtain IP addresses and get online again. In the current upgrade solution, the address pool lease is shortened at the lease renewal time before the upgrade date. This ensures that the terminal sends lease renewal packets within a shorter period after the device is upgraded, which allows DHCPv6 users to get online again.
Using the dhcpv6 upgrade command in the system view to change the address lease for all DHCPv6 users attached to the device solves this problem.
Procedure
Step 1 Run system-view
Step 2 Run dhcpv6 upgrade preferred-lifetime day [ hour [ minute ] ] valid-lifetime day [ hour [ minute ] ] [ renew-time-percent renew-time-percent ] [ rebind-time-percent rebind-time-percent ]
The address lease for all DHCPv6 users attached to the device is configured.
After the dhcpv6 upgrade command is used, the lease configured in the system view takes
effect for new users, online users that need to renew the lease, users using addresses/prefixes
in local and Delegation address pools, and users using addresses/prefixes delivered by a
RADIUS server.
No configuration file will be generated after the dhcpv6 upgrade command is used. To view
the configuration result, run the display dhcpv6 upgrade command. The dhcpv6 upgrade
command becomes invalid after the device restarts.
If a short lease is configured, a large number of users will renew their lease at the same time,
causing high CPU usage. Therefore, configuring a short lease is not recommended unless the
device needs to be upgraded.
----End
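The lease arithmetic behind this command and the prefix-lease configuration described earlier (renewal time 50% and rebinding time 80% of the preferred lifetime by default) can be checked against the sample display dhcpv6 upgrade output. The script below is an added example, not Huawei code: it parses the duration format the CLI prints, recomputes the renew and rebind times, verifies that the displayed values agree with the percentages, and estimates the steady-state renewal rate that a shortened lease imposes. SAMPLE_OUTPUT is a constructed copy of the manual's sample output.

```python
"""Lease-timer arithmetic for IPv6 address pools and the dhcpv6 upgrade command.

Added example, not Huawei code. Applies the manual's rule (renew = 50% and
rebind = 80% of the preferred lifetime by default) and checks it against the
values display dhcpv6 upgrade prints.
"""
import re
from dataclasses import dataclass
from datetime import timedelta

# Constructed copy of the manual's `display dhcpv6 upgrade` sample output.
SAMPLE_OUTPUT = """\
DHCPv6 upgrade: enable.
Preferred lifetime: 0days 0hours 30minutes
Valid lifetime: 0days 1hours 0minutes
Renew time percent: 50%
Rebind time percent:80%
Renew time: 0days 0hours 15minutes
Rebind time: 0days 0hours 24minutes
"""

_DURATION = re.compile(r"(\d+)days\s+(\d+)hours\s+(\d+)minutes")
_PERCENT = re.compile(r"(\d+)%")


@dataclass(frozen=True)
class LeaseTimers:
    preferred: timedelta   # preferred lifetime
    valid: timedelta       # valid lifetime; must not be shorter than preferred
    renew: timedelta       # T1: client unicasts Renew to the server that assigned the lease
    rebind: timedelta      # T2: client multicasts Rebind to any server


def parse_duration(text: str) -> timedelta:
    """'0days 1hours 0minutes' -> timedelta(hours=1)."""
    m = _DURATION.search(text)
    if m is None:
        raise ValueError(f"not a CLI duration: {text!r}")
    days, hours, minutes = (int(g) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def lease_timers(preferred: timedelta, valid: timedelta,
                 renew_pct: int = 50, rebind_pct: int = 80) -> LeaseTimers:
    """Derive T1/T2 from the preferred lifetime; rejects inconsistent settings."""
    if not 0 < renew_pct < rebind_pct <= 100:
        raise ValueError("need 0 < renew% < rebind% <= 100")
    if valid < preferred:
        raise ValueError("valid lifetime must not be shorter than preferred lifetime")
    return LeaseTimers(preferred, valid,
                       renew=preferred * renew_pct / 100,
                       rebind=preferred * rebind_pct / 100)


def _field(output: str, label: str) -> str:
    """Return the text after `label` on the first output line that starts with it."""
    for line in output.splitlines():
        if line.startswith(label):
            return line[len(label):]
    raise ValueError(f"{label!r} missing from output")


def timers_from_display(output: str) -> LeaseTimers:
    """Rebuild the timers from display dhcpv6 upgrade output and verify that the
    displayed Renew/Rebind times match the percentage rule."""
    renew_pct = int(_PERCENT.search(_field(output, "Renew time percent:")).group(1))
    rebind_pct = int(_PERCENT.search(_field(output, "Rebind time percent:")).group(1))
    timers = lease_timers(parse_duration(_field(output, "Preferred lifetime:")),
                          parse_duration(_field(output, "Valid lifetime:")),
                          renew_pct, rebind_pct)
    shown_renew = parse_duration(_field(output, "Renew time:"))
    shown_rebind = parse_duration(_field(output, "Rebind time:"))
    if (shown_renew, shown_rebind) != (timers.renew, timers.rebind):
        raise ValueError("displayed renew/rebind times disagree with the percentages")
    return timers


def mean_renewals_per_minute(user_count: int, timers: LeaseTimers) -> float:
    """Steady-state renewal load: each user sends one Renew per T1. This is the
    CPU-load concern the manual raises about keeping a short lease configured."""
    return user_count / (timers.renew.total_seconds() / 60)


if __name__ == "__main__":
    t = timers_from_display(SAMPLE_OUTPUT)
    print(t.renew, t.rebind)                     # 0:15:00 0:24:00
    print(mean_renewals_per_minute(100, t))      # 6.67 Renew messages per minute
```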
Context
After the ip-pool constant-index enable command is used, the index of the IPv4 address
pool, IPv6 prefix pool, or IPv6 address pool does not change after the device restarts. The
constant-index index command is automatically generated in the views of all the IPv4
address pools, IPv6 prefix pools, and IPv6 address pools configured on the device for users to
check the constant value. But the constant-index command cannot be used to change the
automatically generated constant index for an IPv6 prefix pool or IPv6 address pool.
Procedure
Step 1 Run system-view
The constant index function is enabled for IPv4 address pools, IPv6 prefix pools, and IPv6
address pools.
----End
Context
If the mapping between the vendor-class attribute and a DHCPv6 option code is configured in
both system and BAS interface views, the configuration in the BAS interface view takes
effect.
Procedure
l Configure a mapping between the vendor-class attribute and a DHCPv6 option code in
the system view.
a. Run system-view
The mapping between the vendor-class attribute and a DHCPv6 option code as well
as the offset value are configured. After the configuration is complete, the BRAS
uses the offset value to obtain the desired contents in the Value field of the DHCPv6
option.
l Configure a mapping between the vendor-class attribute and a DHCPv6 option code in
the BAS interface view.
a. Run system-view
You can configure an interface as the BAS interface by running the bas command
in the interface view. You can configure an Ethernet interface or its sub-interface, a
VE interface or its sub-interface, an ATM interface or its sub-interface, or an Eth-
Trunk interface or its sub-interface as a BAS interface.
d. Run access-type layer2-subscriber [ default-domain { [ authentication [ force | replace ] dname ] [ pre-authentication predname ] } ]
The access type is set to Layer 2 subscriber access and the attributes of this access
type are configured.
The access type is set to Layer 3 subscriber access and the attributes of this access
type are configured.
When setting the access type on the BAS interface, you can set the service attributes
of the access users at the same time. You can also set these attributes in later
configurations.
The access type cannot be configured on the Ethernet interface that is added to an
Eth-Trunk interface. You can configure the access type of such an Ethernet interface
only on the associated Eth-Trunk interface.
e. Run vendor-class dhcpv6 [ option-code option-code | offset offset-length ]*
The mapping between the vendor-class attribute and a DHCPv6 option code as well
as the offset value are configured. After the configuration is complete, the BRAS
uses the offset value to obtain the desired contents in the Value field of the DHCPv6
option.
----End
Context
To implement authentication, authorization, and accounting for users separately, users must
use different IPv6 addresses to go online. This requires the NE40E to detect whether the IPv6
address assigned to a new user conflicts with that of an online user. By default, if the NE40E
detects that the IPv6 address assigned to a new user is the same as the IPv6 address of an
online user, it sends a DHCPv6 Decline message to the DHCPv6 server. Then the new user
cannot go online, but the online user is not affected.
In scenarios in which IPv6 addresses are assigned based on the Option 82 field that carries
physical location information of users and ARP probe is not configured, the online user is
required to go offline to allow the new user to go online. For example, if a CPE is replaced,
users attached to the old CPE will switch to the new CPE to go online. As their physical
location information remains the same, they will be assigned the same IPv6 addresses as
before. However, if the previous IPv6 address lease has not expired, the user information is
retained. Therefore, the NE40E considers that the users are already online and discards the
user packets sent from the new CPE. Subsequently, the users fail to go online through the new
CPE. To allow the users to go online through the new CPE, configure the NE40E to delete the
previous user information and deny new user access so that the users can be triggered to go
online again.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcpv6 conflict-ip-address offline user [ include framed-ipv6 ]
The NE40E is configured to log out an online user and deny access of a new user if it detects
that the IPv6 address assigned to the new user from a remote address pool or by the RADIUS
server is the same as the IPv6 address of the online user.
Step 3 Run commit
The configuration is committed.
----End
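The two conflict behaviours described above, as an added example that is not part of the Huawei guide: a small BRAS model that applies either the default handling (Decline, new user refused) or dhcpv6 conflict-ip-address offline user, and runs the CPE-replacement scenario from the Context. All names, addresses and lease values are constructed.

```python
"""Added example, not part of the Huawei guide: a minimal model of how a BRAS
handles a DHCPv6 address conflict under the two behaviours described above.

- Default: the BRAS sends DHCPv6 Decline to the server, the new user is refused
  and the online user is untouched.
- 'dhcpv6 conflict-ip-address offline user': the online user is logged out and
  the new user is denied once, so that its re-triggered attempt succeeds.
Class names, the user table and all addresses below are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import IPv6Address
from typing import Dict, List


class ConflictPolicy(Enum):
    DECLINE_NEW = "default"
    OFFLINE_ONLINE_USER = "dhcpv6 conflict-ip-address offline user"


@dataclass
class OnlineUser:
    client_id: str        # host identity (e.g. DUID); constructed
    access_id: str        # access-side identity (e.g. CPE MAC); constructed
    lease_remaining: int  # seconds left on the lease


@dataclass
class Bras:
    policy: ConflictPolicy
    online: Dict[IPv6Address, OnlineUser] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def request(self, addr: IPv6Address, client_id: str, access_id: str,
                lease: int) -> bool:
        """A user has been assigned addr; return True if it goes online."""
        holder = self.online.get(addr)
        if holder is None:
            self.online[addr] = OnlineUser(client_id, access_id, lease)
            self.events.append(f"{addr}: {client_id}@{access_id} online")
            return True
        if (holder.client_id, holder.access_id) == (client_id, access_id):
            holder.lease_remaining = lease  # same binding renewing: no conflict
            self.events.append(f"{addr}: {client_id}@{access_id} renewed")
            return True
        # Conflict: addr is still held by a different, still-online binding.
        if self.policy is ConflictPolicy.DECLINE_NEW:
            self.events.append(f"{addr}: Decline sent, {client_id}@{access_id} "
                               f"refused, {holder.client_id}@{holder.access_id} stays")
            return False
        del self.online[addr]
        self.events.append(f"{addr}: {holder.client_id}@{holder.access_id} logged "
                           f"out, {client_id}@{access_id} denied (retry will succeed)")
        return False

    def elapse(self, seconds: int) -> None:
        """Advance time; users whose lease expires go offline."""
        for addr, user in list(self.online.items()):
            user.lease_remaining -= seconds
            if user.lease_remaining <= 0:
                del self.online[addr]
                self.events.append(f"{addr}: lease expired, user offline")


def cpe_replacement(policy: ConflictPolicy, lease: int = 3600) -> List[bool]:
    """Constructed scenario from the text: host h1 is online through the old CPE,
    the CPE is replaced, and h1 tries twice through the new CPE while the old
    lease is still valid. Returns the outcome of each of the three attempts."""
    bras = Bras(policy)
    addr = IPv6Address("2001:db8:1::10")  # constructed; location-based, so reused
    results = [bras.request(addr, "h1", "cpe-old", lease)]
    results.append(bras.request(addr, "h1", "cpe-new", lease))
    results.append(bras.request(addr, "h1", "cpe-new", lease))
    return results


def cpe_replacement_after_expiry(lease: int = 3600) -> bool:
    """With the default policy the new CPE only succeeds once the old lease expires."""
    bras = Bras(ConflictPolicy.DECLINE_NEW)
    addr = IPv6Address("2001:db8:1::10")
    bras.request(addr, "h1", "cpe-old", lease)
    bras.request(addr, "h1", "cpe-new", lease)
    bras.elapse(lease)
    return bras.request(addr, "h1", "cpe-new", lease)


if __name__ == "__main__":
    for policy in ConflictPolicy:
        print(policy.value, cpe_replacement(policy))
```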
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcpv6 option-priority radius domain pool
The highest, medium, and lowest priorities are configured for the DHCPv6 Option delivered
by the RADIUS server, configured in the domain view, and configured in the address pool
view, respectively.
Step 3 Run commit
----End
Usage Scenario
In DHCPv6(IA_NA) address allocation mode, IA_NA options are used to carry IA addresses
to be allocated.
[Figure: DHCPv6 (IA_NA) address allocation: HOST, CPE, Device, between the access network and the backbone network]
The host initiates a connection request and the CPE transparently forwards the connection
request packet. The NE40E uses DHCPv6 (IA_NA) to allocate IPv6 addresses to the host.
Pre-configuration Tasks
Before configuring DHCPv6 address allocation, enable IPv6.
Configuration Procedures
Context
When a device acts as a DHCPv6 relay agent, refer to the configuration of 8.6 Configuring a
DHCPv6 Relay Agent on the User Side.
When a device acts as a DHCPv6 server, perform the following operations to allow Layer 3
DHCPv6 users to request IPv6 addresses from an IPv6 relay address pool.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipv6 prefix prefix-name local
An IPv6 prefix pool is created, and the IPv6 prefix pool view is displayed.
The address pool is of the relay type, and the prefix pool must be configured as the local
mode.
Step 3 Run prefix prefix-address/prefix-length
An IPv6 address prefix is configured.
Step 4 Run quit
The system view is displayed.
Step 5 Run ipv6 pool pool-name bas relay
An IPv6 address pool is created, and the IPv6 address pool view is displayed.
Step 6 Run prefix prefix-name
The IPv6 address pool is bound to the IPv6 prefix pool.
----End
Context
Stateful address allocation (M=1) should be configured for IA_NA and IA_NA+IA_PD
address allocation modes.
If the M flag is 1, the clients need to obtain IPv6 addresses and other configuration
information in stateful mode.
NOTE
l For PPPoE users, the domain configuration determines whether stateful or stateless configuration
should be adopted.
l For IPoE users, the interface configuration determines whether stateful or stateless address
configuration should be adopted.
Procedure
l Configure the state of address allocation on an interface.
a. Run system-view
a. Run bas
The IPv6 prefix allocation mode is set to unshared mode. After the configuration,
IPv6 users do not share the same IP prefix.
g. (Optional) Run dhcpv6-follow-ipv6cp wait-delay { time-value | infinity }
The timeout period for waiting for a DHCPv6 connection request is set.
h. (Optional) Run ipv6 nd ra unicast
----End
Procedure
l Run the display ipv6 pool [ pool-name ] command to check the IPv6 address pool
configurations.
l Run the display ipv6 prefix [ prefix-name [ all | used ] ] command to check the IPv6
prefix pool configurations.
l Run the display domain [ domain-name ] command to check the domain configurations.
l Run the display ipv6-pool pool-usage [ domain domain-name | pool-name [ pool-name ] ]
command to check information about the usage of the address pool.
l Run the display ipv6-pool max-usage { pool [ pool-name ] | domain [ domain-name ] }
command in any view to check the historical maximum usage of addresses in an IPv6
address pool.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-threshold }
command to check information about domains whose IPv6 address pool or
prefix pool usage exceeds a specified threshold.
----End
Usage Scenario
In DHCPv6 prefix allocation, the IA_PD option is used to carry IA prefixes.
[Figure: IA-PD prefix allocation: HOST, CPE (unnumbered), Device, between the access network and the backbone network]
The CPE initiates a connection request, and the NE40E uses DHCPv6 (IA_PD) to allocate
prefixes to the CPE and the CPE allocates the prefixes to the attached host for the host to
generate IPv6 addresses.
Pre-configuration Tasks
Before configuring PD (IA_PD) prefix allocation, enable IPv6.
Context
PD(IA_PD) prefix allocation is used, and NE40E acts as a delegating router. For details, refer
to the configuration of 8.7 Configuring a Delegating Router.
When NE40E acts as a DHCPv6 relay agent, refer to the configuration of 8.6 Configuring a
DHCPv6 Relay Agent on the User Side.
Procedure
l Run the display ipv6 pool [ pool-name ] command to check the IPv6 address pool
configurations.
l Run the display ipv6 prefix [ prefix-name [ all | used ] ] command to check the IPv6
prefix pool configurations.
l Run the display domain [ domain-name ] command to check the domain configurations.
l Run the display ipv6-pool pool-usage [ domain domain-name | pool-name [ pool-name ] ]
command to check information about the usage of the address pool.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-threshold }
command to check information about domains whose IPv6 address pool or
prefix pool usage exceeds a specified threshold.
----End
Usage Scenario
The NE40E uses DHCPv6 to allocate addresses to the WAN interfaces on the CPE and uses
PD to allocate the prefixes to the CPE working in numbered mode. The CPE sends the
prefixes to Home LANs.
[Figure: IA-PD prefix allocation with IA_NA WAN addressing: HOST, CPE (numbered), Device, between the access network and the backbone network]
The CPE initiates a connection request, and the NE40E uses DHCPv6 (IA_NA) to allocate
IPv6 addresses to the WAN interfaces on the CPE and uses DHCPv6 (IA_PD) to allocate
prefixes to the CPE and the CPE allocates the prefixes to the attached host for the host to
generate IPv6 addresses.
Pre-configuration Tasks
Before configuring DHCPv6(IA_NA+IA_PD) address allocation, complete the following
tasks:
Context
When IA_NA is used to allocate addresses to the WAN interfaces on the CPE, refer to the
configuration of 8.9 Configuring DHCPv6 (IA_NA) Address Allocation.
When DHCPv6 (IA_PD) is used to allocate prefixes to the CPE, refer to the configuration of
8.10 Configuring DHCPv6 (IA_PD) Prefix Allocation.
NOTE
In IA_NA+IA_PD address allocation, a DNS server must be configured for both the address pool for
IA_NA address allocation and the address pool for IA_PD address allocation.
Context
Stateful address allocation (M=1) should be configured for IA_NA and IA_NA+IA_PD
address allocation modes.
If the M flag is 1, the clients need to obtain IPv6 addresses and other configuration
information in stateful mode.
NOTE
l For PPPoE users, the domain configuration determines whether stateful or stateless configuration
should be adopted.
l For IPoE users, the interface configuration determines whether stateful or stateless address
configuration should be adopted.
Procedure
l Configure the state of address allocation on an interface.
a. Run system-view
a. Run bas
b. Run aaa
The IPv6 prefix allocation mode is set to unshared mode. After the configuration,
IPv6 users do not share the same IP prefix.
g. (Optional) Run dhcpv6-follow-ipv6cp wait-delay { time-value | infinity }
The timeout period for waiting for a DHCPv6 connection request is set.
h. (Optional) Run ipv6 nd ra unicast
----End
Procedure
l Run the display ipv6 pool [ pool-name ] command to check the IPv6 address pool
configurations.
l Run the display ipv6 prefix [ prefix-name [ all | used ] ] command to check the IPv6
prefix pool configurations.
l Run the display domain [ domain-name ] command to check the domain configurations.
l Run the display ipv6-pool pool-usage [ domain domain-name | pool-name [ pool-name ] ]
command to check information about the usage of the address pool.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-threshold }
command to check information about domains whose IPv6 address pool or
prefix pool usage exceeds a specified threshold.
----End
Usage Scenario
NDRA address allocation is implemented using Stateless Address Autoconfiguration
(SLAAC).
The NE40E allocates only the 64-bit IPv6 prefixes. The 64-bit interface ID is generated by the
client itself.
[Figure: NDRA address allocation: HOST, CPE, Device, between the access network and the backbone network]
The host initiates a connection request, and the CPE transparently forwards the connection
request packet. The NE40E uses NDRA to allocate IPv6 addresses to the host.
NOTE
If NDRA address allocation is configured for IPoXv6 users, only unshared IPv6 prefixes can be
allocated.
Pre-configuration Tasks
Before configuring NDRA address allocation, complete the following tasks:
Configuring the CPE working mode as bridging mode
Enabling IPv6
Configuration Procedures
Context
l Prefix configuration
Only one prefix and one mask can be configured for a local prefix pool. The mask length
ranges from 1 bit to 128 bits.
l Prefix locking configuration
After a prefix pool is locked, the leases of prefixes that have been allocated cannot be
extended and new addresses cannot be allocated.
l Address conflict resolution configuration
If an IPv6 address status conflict is resolved, the address can be allocated to another user.
l Binding an IPv6 prefix pool to a VPN instance
After a prefix pool is bound to a VPN instance, prefixes in the prefix pool can be
allocated to VPN users.
l Prefix lease configuration
A preferred prefix lifetime and valid prefix lifetime can be configured. The default value
for the preferred prefix lifetime is 2 days, and the default value for the valid prefix
lifetime is 3 days. The preferred prefix lifetime is used to limit the lease renewal time
and rebinding time. By default, the lease renewal time accounts for 50% of the preferred
prefix lifetime, and rebinding time accounts for 80% of the preferred lifetime. The valid
prefix lifetime specifies the validity period in which an address can be used.
l Address reservation configuration
Addresses in the local prefix pool have four reservation types:
– 1: MAC reservation
– 2: MAC+lease-based reservation
– 3: DUID reservation
– 4: DUID+lease-based reservation
l Address withdrawal
The address of an offline user can be withdrawn using the command.
l Exclusive prefix pool configuration
The delegation prefix pool can be used to allocate unshared prefixes to ND users or
prefixes only to DHCPv6 (IA_PD) users.
l Prefix exclusion
In complex network planning, some IPv6 prefixes cannot be allocated to users.
l Address exclusion
In complex network planning, some IPv6 addresses cannot be allocated to users.
Perform the following steps on the NE40E.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipv6 prefix prefix-name [ local | delegation ]
An IPv6 prefix pool is created and the IPv6 prefix pool view is displayed.
l The local prefix pool is used to allocate shared prefixes to ND users.
l The delegation prefix pool can allocate unshared prefixes to ND users. The delegation
prefix pool configured with slaac-unshare-only enjoys a higher priority.
Step 3 (Optional) Run slaac-unshare-only
The delegation prefix pool can be used only in stateless address allocation mode.
After this command is run, the delegation prefix pool no longer allocates prefixes when
receiving a DHCPv6 IAPD packet from the clients applying for addresses. In addition, the
delegation prefix pool configured with this command takes precedence over those without this
configuration.
Step 4 Run prefix prefix-address/prefix-length [ delegating-prefix-length delegating-prefix-length ]
IPv6 prefixes are configured.
The assignable prefix length is the length of the IPv6 prefix that a delegating router allocates
to the requesting router. The assignable prefix length in a prefix pool must be greater than or
equal to the prefix length configured in the prefix pool. Otherwise, the prefix pool cannot
allocate prefixes to users.
Step 5 (Optional) Run excluded-ipv6-address start-ipv6-address [ end-ipv6-address ]
A specified IPv6 address is prohibited.
The prohibited IPv6 address must be in the assignable range of the prefix pool. When the end
IPv6 address is not specified, only the start IPv6 address is prohibited.
Step 6 (Optional) Run excluded-ipv6-prefix start-ipv6-prefix/prefix-length [ end-ipv6-prefix/prefix-length ]
A specified IPv6 prefix is prohibited.
The prohibited IPv6 prefix must be in the assignable range of the prefix pool. When the end
IPv6 prefix is not specified, only the start IPv6 prefix is prohibited.
No prefix in the locked IPv6 prefix pool can be allocated, preventing new users from getting
online using the IPv6 prefix pool.
This command applies to a scenario where the IPv6 prefix pool cannot be deleted because it is
being used by online users. Lock the IPv6 prefix pool first to stop it from allocating prefixes.
The prefixes in the IPv6 prefix pool will be released when the users get offline. Then the IPv6
prefix pool can be deleted.
Step 9 (Optional) Run lifetime preferred-lifetime { days days-value [ hours hours-value [ minutes
minutes-value ] ] | infinite } valid-lifetime { days days-value [ hours hours-value [ minutes
minutes-value ] ] | infinite }
The preferred lifetime and valid lifetime of IPv6 prefixes are configured.
preferred-lifetime of the IPv6 prefixes in the command is used by the system to calculate the
lease renewal time and rebinding time of the IPv6 prefix pool. The time must be no less than
1 minute. The default value is 2 days.
valid-lifetime specifies the validity period of the prefixes. The users using the prefixes will be
logged off after the validity period expires. The valid-lifetime must be no less than 1 minute,
nor less than the preferred prefix lifetime. The default value is 3 days.
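A model of the prefix pool configured in Steps 4, 6 and 9 above, as an added example that is not part of the Huawei guide: it enforces the constraints stated there (delegating prefix length not shorter than the pool prefix, lifetimes of at least 1 minute, valid not less than preferred), enumerates the delegable prefixes after exclusions, and derives the 50%/80% renew and rebind times. Class and method names are the example's own; infinite lifetimes are not modelled.

```python
"""Added example, not part of the Huawei guide: a model of an IPv6 prefix pool as
configured in Steps 4, 6 and 9 above (prefix with delegating-prefix-length,
excluded-ipv6-prefix ranges, preferred/valid lifetimes). Names are this
example's own; 'infinite' lifetimes and overlapping exclusions are not modelled."""
from datetime import timedelta
from ipaddress import IPv6Network
from typing import List, Optional, Tuple

MIN_LIFETIME = timedelta(minutes=1)   # guide: lifetimes must be >= 1 minute


class PrefixPoolError(ValueError):
    """A configuration the guide says the device would not accept."""


class IPv6PrefixPool:
    def __init__(self, name: str, prefix: str,
                 delegating_prefix_length: Optional[int] = None,
                 preferred: timedelta = timedelta(days=2),   # guide default
                 valid: timedelta = timedelta(days=3)) -> None:  # guide default
        self.name = name
        self.prefix = IPv6Network(prefix, strict=True)
        # Without delegating-prefix-length the pool prefix itself is the unit.
        self.pd_len = (self.prefix.prefixlen if delegating_prefix_length is None
                       else delegating_prefix_length)
        if not self.prefix.prefixlen <= self.pd_len <= 128:
            raise PrefixPoolError(
                f"{name}: delegating length /{self.pd_len} must be >= pool prefix "
                f"length /{self.prefix.prefixlen}, else no prefixes can be allocated")
        self.excluded: List[Tuple[IPv6Network, IPv6Network]] = []
        self.set_lifetime(preferred, valid)

    # Step 9: lifetime preferred-lifetime ... valid-lifetime ...
    def set_lifetime(self, preferred: timedelta, valid: timedelta) -> None:
        if preferred < MIN_LIFETIME or valid < MIN_LIFETIME:
            raise PrefixPoolError("lifetimes must be at least 1 minute")
        if valid < preferred:
            raise PrefixPoolError("valid-lifetime must not be less than preferred-lifetime")
        self.preferred, self.valid = preferred, valid

    def renew_time(self) -> timedelta:
        return self.preferred * 0.5    # default renewal: 50% of preferred lifetime

    def rebind_time(self) -> timedelta:
        return self.preferred * 0.8    # default rebinding: 80% of preferred lifetime

    # Step 6: excluded-ipv6-prefix start/len [ end/len ]
    def _assignable_unit(self, net: IPv6Network) -> IPv6Network:
        if net.prefixlen != self.pd_len or not net.subnet_of(self.prefix):
            raise PrefixPoolError(f"{net} is not an assignable /{self.pd_len} of {self.prefix}")
        return net

    def exclude_prefix(self, start: str, end: Optional[str] = None) -> None:
        first = self._assignable_unit(IPv6Network(start))
        last = self._assignable_unit(IPv6Network(end)) if end else first
        if last.network_address < first.network_address:
            raise PrefixPoolError("end prefix precedes start prefix")
        self.excluded.append((first, last))

    def is_excluded(self, net: IPv6Network) -> bool:
        return any(first.network_address <= net.network_address <= last.network_address
                   for first, last in self.excluded)

    # Step 4: prefix ... delegating-prefix-length ...
    def total_prefix_count(self) -> int:
        return 2 ** (self.pd_len - self.prefix.prefixlen)

    def free_prefix_count(self) -> int:
        """'Free Prefix Count' of a pool with nothing allocated yet."""
        unit = 2 ** (128 - self.pd_len)
        excluded = sum((int(last.network_address) - int(first.network_address)) // unit + 1
                       for first, last in self.excluded)
        return self.total_prefix_count() - excluded

    def delegable_prefixes(self, limit: int = 65536) -> List[IPv6Network]:
        """Enumerate the assignable units; refuse to expand very large pools."""
        if self.total_prefix_count() > limit:
            raise PrefixPoolError("pool too large to enumerate; use free_prefix_count()")
        units = ([self.prefix] if self.pd_len == self.prefix.prefixlen
                 else list(self.prefix.subnets(new_prefix=self.pd_len)))
        return [u for u in units if not self.is_excluded(u)]


if __name__ == "__main__":
    pool = IPv6PrefixPool("pre2", "2011:2022::/62", delegating_prefix_length=64)
    print(pool.free_prefix_count(), [str(p) for p in pool.delegable_prefixes()])
    print(pool.renew_time(), pool.rebind_time())
```

With the constructed pool 2011:2022::/62 and a /64 delegating length the free count is 4, the value the display ipv6 prefix output later in this chapter shows for the same prefix and PD length.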
The reservation type for the IPv6 addresses in a local address pool is configured.
----End
Context
l Prefix binding
A prefix pool can be bound to only one address pool. Similarly, an address pool can be
bound to only one prefix pool. Table 8-2 shows the binding between address pools and
prefix pools.
l Priority configuration
Among address pools of the same type, the greater the value of pool, the higher its
priority.
In NDRA address allocation mode, BAS local address pools are used to allocate shared
prefixes, while BAS delegation address pools are used to allocate unshared prefixes. A
BAS delegation address pool configured with slaac-unshare-only takes precedence over
other BAS delegation address pools.
l Address pool binding configuration
An IPv6 address pool whose addresses are in use cannot be deleted. To delete an IPv6
address pool, first run the lock command in the IPv6 address pool view to lock the pool
and then delete it after all online users have logged out.
l DNS suffix configuration
Only one domain name suffix can be set for an IPv6 address pool.
l DNS server configuration
A maximum of two DNS servers can be bound to an IPv6 address pool.
l Address lease configuration
If an IPv6 address pool has been bound to a domain, the address lease cannot be
changed.
Procedure
Step 1 Run system-view
The timeout period for a router to wait for a Request message from a client in response to an
Advertise message sent to the client is set.
An IPv6 address pool is created and the IPv6 address pool view is displayed.
NOTE
The remote parameter is controlled by the PAF file and is disabled by default. That is, the ipv6 pool bas
remote command cannot be run by default.
A DNS server is specified for an IPv6 address pool. An IPv6 address is used to specify a DNS
server.
A lease renewal time and rebinding time are set for the IPv6 address pool.
By default, the renewal time for an IPv6 address pool is 50% of the preferred lifetime and the
rebinding time is 80% of the preferred lifetime.
IPv6 address pool statistics include those about users sharing the prefix pool.
The timeout period for a router to wait for a Request message from a client in response to an
Advertise message sent to the client is set.
NOTE
The wait-request-time time-value command is run in the IP address pool view whereas the
access wait-request-time dhcpv6 time-value command is run in the system view. If the two
commands are both run, the wait-request-time time-value command takes effect.
----End
Prerequisites
The address pool to be bound has been created and bound to a prefix pool.
Context
Perform the following steps on Router.
Procedure
Step 1 Run system-view
The IPv6 local address pool or the delegation address pool is bound to the domain.
----End
Context
Stateless address allocation (M=0) should be configured for NDRA and NDRA+IA_PD
address allocation modes. The M flag is 0 by default, so no configuration is required for it.
NOTE
l For PPPoE users, the domain configuration determines whether stateful or stateless configuration
should be adopted.
l For IPoE users, the interface configuration determines whether stateful or stateless address
configuration should be adopted.
If the M flag is 0 and the O flag is 1, the clients obtain configuration information other than
IPv6 addresses in stateful mode.
Perform the following steps on Router.
Procedure
l State of the interface
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run undo ipv6 nd autoconfig managed-address-flag
Stateless address allocation mode is enabled.
d. Run ipv6 nd autoconfig other-flag
The O flag is set to 1 to enable stateful mode.
l State of the domain
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run domain domain-name
A domain is created and the AAA view is displayed.
d. Run undo ipv6 nd autoconfig managed-address-flag
Stateless address allocation is configured for PPPoX users.
e. Run ipv6 nd autoconfig other-flag { ndra | dhcpv6 }
The O flag is set.
f. Run prefix-assign-mode unshared
The IPv6 prefix allocation mode is set to unshared mode. After the configuration,
IPv6 users do not share the same IP prefix.
g. Run dhcpv6-follow-ipv6cp wait-delay time-value
The timeout period for waiting for a DHCPv6 connection request is set.
l Run commit
The configuration is committed.
----End
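The M and O flags toggled by the interface and domain commands above are two bits in the flags byte of an ICMPv6 Router Advertisement (RFC 4861: M = 0x80, O = 0x40). The following added example, not part of the Huawei guide, builds a bare RA header with its ICMPv6 checksum, decodes it, and maps the bits to the allocation modes this chapter describes; function names, addresses and timer values are the example's own.

```python
"""Added example, not part of the Huawei guide: the M (managed address) and
O (other configuration) bits of an ICMPv6 Router Advertisement, which the
'ipv6 nd autoconfig managed-address-flag' and 'ipv6 nd autoconfig other-flag'
commands control. Builds a header without options, fills the checksum, parses it
back and maps the bits to the allocation modes of this chapter. Names, addresses
and timer values are this example's own."""
import struct
from ipaddress import IPv6Address

ICMPV6_RA_TYPE = 134
ICMPV6_NEXT_HEADER = 58
M_FLAG = 0x80   # Managed address configuration: addresses via stateful DHCPv6
O_FLAG = 0x40   # Other configuration: other information via DHCPv6
# type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
RA_HEADER = "!BBHBBHII"


def icmpv6_checksum(src: str, dst: str, message: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header plus the message."""
    pseudo = (IPv6Address(src).packed + IPv6Address(dst).packed
              + struct.pack("!I", len(message)) + b"\x00\x00\x00"
              + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ra_flags(managed_address_flag: bool, other_flag: bool) -> int:
    """'undo ... managed-address-flag' clears M; '... other-flag' sets O."""
    return (M_FLAG if managed_address_flag else 0) | (O_FLAG if other_flag else 0)


def build_ra(src: str, dst: str, managed_address_flag: bool, other_flag: bool,
             cur_hop_limit: int = 64, router_lifetime: int = 1800,
             reachable_time: int = 0, retrans_timer: int = 0) -> bytes:
    """RA header with the checksum filled in (no options appended)."""
    header = struct.pack(RA_HEADER, ICMPV6_RA_TYPE, 0, 0, cur_hop_limit,
                         ra_flags(managed_address_flag, other_flag),
                         router_lifetime, reachable_time, retrans_timer)
    csum = icmpv6_checksum(src, dst, header)
    return header[:2] + struct.pack("!H", csum) + header[4:]


def parse_ra(src: str, dst: str, packet: bytes) -> dict:
    """Decode the header; reject anything that is not a valid RA for src/dst."""
    if len(packet) < struct.calcsize(RA_HEADER):
        raise ValueError("packet too short for a Router Advertisement header")
    typ, code, _csum, hop, flags, lifetime, reach, retrans = struct.unpack(
        RA_HEADER, packet[:16])
    if typ != ICMPV6_RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    if icmpv6_checksum(src, dst, packet) != 0:   # valid packets verify to zero
        raise ValueError("ICMPv6 checksum mismatch")
    return {
        "managed_address_flag": bool(flags & M_FLAG),
        "other_flag": bool(flags & O_FLAG),
        "cur_hop_limit": hop,
        "router_lifetime": lifetime,
        "reachable_time": reach,
        "retrans_timer": retrans,
    }


def client_address_mode(managed_address_flag: bool, other_flag: bool) -> str:
    """Map the flag pair to the allocation modes this chapter describes."""
    if managed_address_flag:
        return "stateful: address and other configuration via DHCPv6 (IA_NA, IA_NA+IA_PD)"
    if other_flag:
        return "stateless: address via NDRA, other configuration via DHCPv6"
    return "stateless: address via NDRA only"


if __name__ == "__main__":
    pkt = build_ra("fe80::1", "ff02::1", managed_address_flag=False, other_flag=True)
    info = parse_ra("fe80::1", "ff02::1", pkt)
    print(pkt.hex(), info, client_address_mode(info["managed_address_flag"],
                                               info["other_flag"]))
```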
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip-pool constant-index enable
The constant index function is enabled for IPv4 address pools, IPv6 prefix pools, and IPv6
address pools.
Step 3 Run commit
The configuration is committed.
----End
Context
An IPv6 address pool with an in-use IPv6 address cannot be deleted. Therefore, configure the
drain function to lock the IPv6 address pool before you delete the address pool. After an IPv6
address pool is locked using the lock drain command, DHCP Renew or Rebind messages
from online users will be discarded. The IPv6 address pool can be deleted after all online
users using the address pool go offline upon lease expiry. If you only need to disable an IPv6
address pool so that the address pool will not be used to assign IPv6 addresses to new users
but online users can still use assigned IPv6 addresses, configure the lock function to lock the
address pool using the lock command.
Perform the following steps on the Router.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipv6 pool pool-name [ bas { local | remote | delegation | relay } ]
The IPv6 address pool view is displayed.
This command does not take effect for ND users in remote address pool scenarios.
b. Run commit
The configuration is committed.
l Configure the lock function to lock the IPv6 address pool.
a. Run lock
The IPv6 address pool is locked so that the address pool cannot be used to assign
IPv6 addresses to new users but Renew or Rebind messages from online users can
still be processed.
b. Run commit
The configuration is committed.
----End
Procedure
l Run the display ipv6 pool [ pool-name ] command to check information about the IPv6
address pool.
l Run the display ipv6 prefix [ prefix-name [ all | used ] ] command to check information
about the prefix pool.
l Run the display domain [ domain-name ] command to check information about the
domain.
l Run the display ipv6-pool pool-usage [ domain domain-name | pool-name [ pool-name ] ]
command to check information about the usage of the address pool.
l Run the display ipv6-pool max-usage { pool [ pool-name ] | domain [ domain-name ] }
command in any view to check the historical maximum usage of addresses in an IPv6
address pool.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-threshold }
command to check information about domains whose IPv6 address pool or
prefix pool usage exceeds a specified threshold.
----End
Usage Scenario
The CPE sends a DHCPv6 packet only carrying the IA_PD option to allocate IPv6 prefixes to
Home LANs; the NE40E uses an RA packet to send the IPv6 prefixes allocated to the WAN
interfaces on the CPE to the CPE to generate IPv6 addresses.
[Figure: NDRA+IA-PD address allocation: HOST, CPE (numbered), Device, between the access network and the backbone network]
The CPE initiates a connection request, and the NE40E uses NDRA to allocate IPv6
addresses to the WAN interfaces on the CPE and uses DHCPv6 (IA_PD) to allocate prefixes
to the CPE and the CPE allocates the prefixes to the attached host for the host to generate
IPv6 addresses.
Pre-configuration Tasks
Before configuring NDRA+DHCPv6 (IA_PD) address allocation, complete the following
tasks:
Setting the CPE working mode to numbered routing mode
Enabling IPv6 on interfaces
Context
When NDRA is used to allocate addresses to the WAN interfaces on the CPE, refer to the
configuration of 8.12 Configuring NDRA Address Allocation.
When DHCPv6(IA_PD) is used to allocate prefixes to the CPE, refer to the configuration of
8.10 Configuring DHCPv6 (IA_PD) Prefix Allocation.
NOTE
In NDRA+IA_PD address allocation, a DNS server must be configured for both the address pool for
NDRA address allocation and the address pool for IA_PD address allocation.
Context
Stateless address allocation (M=0) should be configured for NDRA and NDRA+IA_PD
address allocation modes. The M flag is 0 by default, so no configuration is required for it.
NOTE
l For PPPoE users, the domain configuration determines whether stateful or stateless configuration
should be adopted.
l For IPoE users, the interface configuration determines whether stateful or stateless address
configuration should be adopted.
If the M flag is 0 and the O flag is 1, the clients obtain configuration information other than
IPv6 addresses in stateful mode.
Perform the following steps on Router.
Procedure
l State of the interface
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run undo ipv6 nd autoconfig managed-address-flag
Stateless address allocation mode is enabled.
d. Run ipv6 nd autoconfig other-flag
The O flag is set to 1 to enable stateful mode.
l State of the domain
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run domain domain-name
A domain is created and the AAA view is displayed.
The IPv6 prefix allocation mode is set to unshared mode. After the configuration,
IPv6 users do not share the same IP prefix.
g. Run dhcpv6-follow-ipv6cp wait-delay time-value
The timeout period for waiting for a DHCPv6 connection request is set.
l Run commit
----End
Procedure
l Run the display ipv6 pool [ pool-name ] command to check the IPv6 address pool
configurations.
l Run the display ipv6 prefix [ prefix-name [ all | used ] ] command to check the IPv6
prefix pool configurations.
l Run the display domain [ domain-name ] command to check the domain configurations.
l Run the display ipv6-pool pool-usage [ domain domain-name | pool-name [ pool-name ] ]
command to check information about the usage of the address pool.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-threshold }
command to check information about domains whose IPv6 address pool or
prefix pool usage exceeds a specified threshold.
----End
Context
IPv6 address statistics cannot be restored after they are cleared. Exercise caution when
running the reset ipv6-pool max-ratio domain command.
Procedure
l Run the reset ipv6-pool max-ratio domain command in the user view to clear statistics
about IPv6 address pool usage in all domains on the device.
----End
Networking Requirements
The CPE obtains IPv6 address or prefixes in NDRA+DHCPv6(IA_PD) mode from the
NE40E, and the LAN users attached to the CPE use the prefixes and the interface IDs to
generate IPv6 addresses.
Figure 8-11 Networking diagram of assigning IPv6 prefixes to users from the local delegation
address pool on the user side
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VT.
2. Configure the AAA scheme.
3. Configure a RADIUS server group.
4. Configure a prefix pool, an address pool (with the IP address of the DNS server
specified), and the binding between the two.
5. Configure a domain named isp1.
6. Configure a DUID for the DHCPv6 server.
7. Configure interfaces.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Only the configuration procedure for the NE40E is provided.
# Check information about the prefix pool named pre2. You can see that the prefix pool is a
delegation prefix pool with the prefix address being 2011:2022::/62.
<HUAWEI> display ipv6 prefix pre2
-------------------------------------------------------------
Prefix Name : pre2
Prefix Index : 5
Prefix constant index: -
Prefix Type : DELEGATION
Prefix Address : 2011:2022::
Prefix Length : 62
Valid Lifetime : 3 Days 0 Hours 0 Minutes
Preferred Lifetime : 2 Days 0 Hours 0 Minutes
IfLocked : Unlocked
Vpn instance : -
PD Prefix Len : 64
PD Prefix/C-DUID : -
slaac-unshare-only : FALSE
Conflict address : -
Free Prefix Count : 4
Used Prefix Count : 0
Binded Prefix Count (Free): 0
Binded Prefix Count (Used): 0
Reserved Prefix Count: 0
-------------------------------------------------------------
# Check information about the address pool named pool1. You can see that the address pool is
a local address pool at the user side and the address pool is bound to the prefix pool named
pre1.
<HUAWEI> display ipv6 pool pool1
----------------------------------------------------------------------
Pool name : pool1
Pool No : 4
Pool-constant-index :-
Pool type : BAS LOCAL
Preference : 0
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : 0 Days 0 Hours 0 Minutes
Used by domain : 1
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : 3002:3101::2:2
Dns server slave : -
AFTR name : -
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 LOCAL
----------------------------------------------------------------------
# Check information about the address pool named pool2. You can see that the address pool is
a user-side delegation address pool and the address pool is bound to the local prefix pool
named pre2.
<HUAWEI> display ipv6 pool pool2
----------------------------------------------------------------------
Pool name : pool2
Pool No : 5
Pool-constant-index :-
# Check configurations of the domain isp1. You can see that the domain is bound to IPv6
address pools pool1 and pool2.
<HUAWEI> display domain isp1
------------------------------------------------------------------------------
Domain-name : isp1
Domain-state : Active
Authentication-scheme-name : auth1
Accounting-scheme-name : acct1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
RADIUS-server-template : rd1
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IPv6-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Multicast-profile ipv6 : -
Max-multilist num : 4
Multicast-profile : -
IPv6-Pool-name : pool1
IPv6-Pool-name : pool2
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
------------------------------------------------------------------------------
----End
Configuration Files
l Router Configuration Files
#
sysname HUAWEI
#
ipv6
#
dhcpv6 duid 006735f300188253a56a
#
radius-server group rd1
radius-server authentication 10.6.55.55 1550 weight 0
radius-server accounting 10.6.55.55 1551 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
interface Virtual-Template1
ppp authentication-mode pap
#
ipv6 prefix pre1 local
prefix 2010:2021::/64
#
ipv6 prefix pre2 delegation
prefix 2011:2022::/62
delegating-prefix-length 63
#
ipv6 pool pool1 bas local
prefix pre1
#
ipv6 pool pool2 bas delegation
prefix pre2
dns-server 3002:3101::2:2
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme auth1
authentication-mode radius
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme acct1
accounting-mode radius
#
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ipv6-pool pool1
ipv6-pool pool2
#
interface GigabitEthernet0/1/1.1
Networking Requirements
When a DHCPv6 server and clients reside on different links, the Device can function as a
Layer 2 access device to relay user requests for IPv6 addresses or prefixes to the DHCPv6
server.
On the network in Figure 8-12, the requirements are as follows:
l The user accesses the Device in IPoE mode, and the user belongs to the domain isp1.
l The user is assigned an address on the network segment 2660:2321::/64.
l RADIUS authentication and accounting are used.
l The IP address of the RADIUS server is 10.6.55.55. The authentication port number is
1550, and the accounting port number is 1551. The standard RADIUS protocol is used,
with the password it-is-my-secret1.
l The IP address of the DHCPv6 server is 3002:3101::2:2.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AAA schemes.
2. Configure a RADIUS server group.
3. Configure a DHCPv6 server group.
4. Configure a remote IPv6 prefix pool.
5. Configure a user-side remote address pool and bind the DHCPv6 server group and IPv6
prefix pool to the address pool.
6. Configure an AAA domain to be used as the default authentication domain.
7. Configure a BAS interface.
Data Preparation
To complete the configuration, you need the following data:
l Remote IPv6 prefix pool name
l Remote address pool name
l Assignable IPv6 prefixes and prefix lengths
Procedure
Step 1 Configure AAA schemes on the Device.
# Configure an authentication scheme.
[*Device] aaa
[*Device-aaa] authentication-scheme auth1
[*Device-aaa-authen-auth1] authentication-mode radius
[*Device-aaa-authen-auth1] commit
[~Device-aaa-authen-auth1] quit
Step 4 Configure a remote IPv6 prefix pool named pre1 on the Device.
[*Device] ipv6 prefix pre1 remote
Info:Create a prefix pool
[*Device-ipv6-prefix-pre1] link-address 2660:2321::1/64
[*Device-ipv6-prefix-pre1] dhcpv6-only
[*Device-ipv6-prefix-pre1] commit
[~Device-ipv6-prefix-pre1] quit
NOTE
The dhcpv6-only command allows the IPv6 prefix pool to be used for IPv6 address or prefix assignment only
for DHCPv6 users. If the dhcpv6-only command is not run, the IPv6 prefix pool can be used for both ND and
DHCPv6 users.
Step 5 Configure a user-side remote address pool named pool1 on the Device.
[*Device] ipv6 pool pool1 bas remote
[*Device-ipv6-pool-pool1] prefix pre1
[*Device-ipv6-pool-pool1] dhcpv6-server group server1
[*Device-ipv6-pool-pool1] commit
[~Device-ipv6-pool-pool1] quit
NOTE
l In bind authentication, the user name is automatically generated based on the NE40E's location and
domain name. Therefore, configure a user name based on the generation rule and configure the
password vlan on the RADIUS server.
l For details on the user name generation rule used in bind authentication, see vlanpvc-to-username
in HUAWEI NE40E-M2 Series Universal Service Router Command Reference.
# Display information about the address pool named pool1. The command output shows that
the address pool is a user-side remote address pool and the address pool is bound to the
remote prefix pool named pre1.
<Device> display ipv6 pool pool1
---------------------------------------------------------------
Pool name : pool1
Pool No : 3
Pool constant index: -
Pool type : BAS REMOTE
RUI-Flag : -
Preference : 255
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : infinite
Used by domain : 1
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : -
Dns server slave : -
AFTR name : -
State : UP
Server down times : 0
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 REMOTE
---------------------------------------------------------------
----End
Configuration Files
#
ipv6
#
radius-server group rd1
radius-server authentication 10.6.55.55 1550 weight 0
radius-server accounting 10.6.55.55 1551 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
dhcpv6-server group server1
dhcpv6-server destination 3002:3101::2:2
#
ipv6 prefix pre1 remote
link-address 2660:2321::1/64
#
ipv6 pool pool1 bas remote
prefix pre1
dhcpv6-server group server1
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme auth1
authentication-mode radius
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme acct1
accounting-mode radius
#
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ipv6-pool pool1
#
interface GigabitEthernet0/1/1.1
user-vlan 1 20
ipv6 enable
ipv6 address auto link-local
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
bas
#
access-type layer2-subscriber default-domain authentication isp1
authentication-method-ipv6 bind
#
return
Networking Requirements
On the network in Figure 8-13, the Device is a DHCPv6 relay agent, and the remote DHCPv6
server assigns ND prefixes to users. The requirements are as follows:
l The user accesses the Device in IPoE mode through GE 1/0/1.1, and the user belongs to
the domain isp1 and uses bind authentication.
l The user is assigned an address on the network segment 2660:2321::/64.
l RADIUS authentication and accounting are used.
l The IP address of the RADIUS server is 10.6.55.55. The authentication port number is
1550, and the accounting port number is 1551. The standard RADIUS protocol is used,
with the password it-is-my-secret1.
l The IP address of the DHCPv6 server is 3002:3101::2:2.
Figure 8-13 Configuring a remote address pool for ND users' IPv6 address assignment
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 packet forwarding on the Device.
2. Configure AAA schemes.
3. Configure a RADIUS server group.
4. Configure a DHCPv6 server group.
5. Configure a remote IPv6 prefix pool.
6. Configure a user-side remote address pool and bind the DHCPv6 server group and IPv6
prefix pool to the address pool.
7. Configure an AAA domain to be used as the default authentication domain.
8. Configure a BAS interface.
Data Preparation
To complete the configuration, you need the following data:
l Remote IPv6 prefix pool name
l Remote address pool name
l Next-hop relay agent's IPv6 address
l Link-address in the prefix pool
NOTE
The remote DHCPv6 server selects an address pool based on the link-address option in packets sent by the
relay agent.
Procedure
Step 1 Configure a DHCPv6 server group.
<Device> system-view
[*Device] dhcpv6-server group group1
[*Device-dhcpv6-server-group-group1] dhcpv6-server destination 3002:3101::2:2
[*Device-dhcpv6-server-group-group1] commit
[~Device-dhcpv6-server-group-group1] quit
NOTE
l In bind authentication, the user name is automatically generated based on the NE40E's location and
domain name. Therefore, configure a user name based on the generation rule and configure the
password vlan on the RADIUS server.
l For details on the user name generation rule used in bind authentication, see vlanpvc-to-username
in HUAWEI NE40E-M2 Series Universal Service Router Command Reference.
l The interface configurations determine whether IPoE access users use the stateless address
autoconfiguration (M=0) or stateful address autoconfiguration (M=1) mode. If the M flag is 0 and
the O flag is 1, the client uses the stateless address autoconfiguration mode to obtain an IP address
and uses the stateful address autoconfiguration mode to obtain other configuration parameters.
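The NOTE above ties the client's address-acquisition mode to the M and O flags that the two ipv6 nd autoconfig interface commands set. The following Python script is an added example, not code from the Huawei guide: it reads a BAS interface configuration snippet, derives the (M, O) pair, builds a minimal ICMPv6 Router Advertisement header carrying those flags (RFC 4861 section 4.2 layout, checksum left at zero) and decodes the flags back into the mode the client will use. The sample interface snippets are constructed to mirror the configuration files in the two DHCPv6 relay examples on this page.

```python
"""Derive the address-acquisition mode of an IPoE IPv6 client from the
ND Router Advertisement M and O flags.

Added example; not code from the Huawei guide. Flag names follow the two
BAS interface commands shown in the configuration files on this page:
  ipv6 nd autoconfig managed-address-flag  -> M flag = 1
  ipv6 nd autoconfig other-flag            -> O flag = 1
The RA layout follows RFC 4861 section 4.2 (M is bit 7 and O is bit 6 of
the byte after Cur Hop Limit). Sample configuration lines are constructed.
"""
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134

# How a client interprets (M, O), as stated in the NOTE and in RFC 4861.
MODES = {
    (0, 0): "stateless: address by SLAAC, no DHCPv6",
    (0, 1): "stateless address by SLAAC; other parameters (e.g. DNS) via DHCPv6",
    (1, 0): "stateful: address and other parameters via DHCPv6",
    (1, 1): "stateful: address and other parameters via DHCPv6",
}


def flags_from_interface_config(lines):
    """Return (M, O) implied by a BAS interface configuration snippet.

    Only the two autoconfig commands change the flags; other lines are ignored.
    """
    m = o = 0
    for raw in lines:
        cmd = raw.strip()
        if cmd == "ipv6 nd autoconfig managed-address-flag":
            m = 1
        elif cmd == "ipv6 nd autoconfig other-flag":
            o = 1
    return m, o


def build_ra(m, o, cur_hop_limit=64, router_lifetime=1800):
    """Build a minimal 16-byte ICMPv6 RA header (no options) carrying M and O.

    The checksum is left at zero: the sending stack computes it over the IPv6
    pseudo-header, and it is not the point of this example.
    """
    flags = (m << 7) | (o << 6)
    return struct.pack("!BBHBBHII",
                       ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,   # type, code, checksum
                       cur_hop_limit, flags, router_lifetime,
                       0, 0)                                # reachable time, retrans timer


def parse_ra_flags(packet):
    """Extract (M, O) from a raw ICMPv6 RA header; reject anything else."""
    if len(packet) < 16 or packet[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    flag_byte = packet[5]
    return (flag_byte >> 7) & 1, (flag_byte >> 6) & 1


def client_mode(m, o):
    """Describe what the client does for the given flag combination."""
    return MODES[(m, o)]


# Constructed samples: the BAS interface of the stateful DHCPv6 relay example
# (both flags set) and of the ND prefix example (neither flag set).
CONFIG_STATEFUL = [
    "interface GigabitEthernet0/1/1.1",
    " user-vlan 1 20",
    " ipv6 enable",
    " ipv6 address auto link-local",
    " ipv6 nd autoconfig managed-address-flag",
    " ipv6 nd autoconfig other-flag",
    " bas",
]
CONFIG_SLAAC = [
    "interface GigabitEthernet0/1/1.1",
    " user-vlan 1 20",
    " ipv6 enable",
    " ipv6 address auto link-local",
    " bas",
]

if __name__ == "__main__":
    for name, cfg in (("DHCPv6 relay example", CONFIG_STATEFUL),
                      ("ND prefix example", CONFIG_SLAAC)):
        m, o = flags_from_interface_config(cfg)
        ra = build_ra(m, o)
        print(f"{name}: M={m} O={o} -> {client_mode(*parse_ra_flags(ra))}")
```

The round trip through build_ra and parse_ra_flags is what makes the check useful in practice: the same decoder can be pointed at RAs captured on the user-side VLAN to confirm that the flags the BRAS actually advertises match what the interface configuration intends.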
# Display information about the prefix pool named pre1. The command output shows that the
prefix pool is a remote prefix pool.
<Device> display ipv6 prefix pre1
-------------------------------------------------------------
Prefix Name : pre1
Prefix Index : 5
Prefix constant index: -
Prefix Type : REMOTE
Link-Address : 2660:2321::1
Prefix Length : 64
Reserved Type : NONE
IfLocked : Unlocked
Vpn instance : -
Lease manage : false
Reserved Prefix Count: 0
Excluded Prefix Count: 0
-------------------------------------------------------------
# Display information about the address pool named pool1. The command output shows that
the address pool is a user-side remote address pool and the address pool is bound to the
remote prefix pool named pre1.
<Device> display ipv6 pool pool1
---------------------------------------------------------------
Pool name : pool1
Pool No : 3
Pool constant index: -
Pool type : BAS REMOTE
RUI-Flag : -
Preference : 255
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : infinite
Used by domain : 1
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : -
Dns server slave : -
AFTR name : -
State : UP
Server down times : 0
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 REMOTE
---------------------------------------------------------------
----End
Configuration Files
#
ipv6
#
radius-server group rd1
radius-server authentication 10.6.55.55 1550 weight 0
radius-server accounting 10.6.55.55 1551 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
dhcpv6-server group group1
dhcpv6-server destination 3002:3101::2:2
#
ipv6 prefix pre1 remote
link-address 2660:2321::1/64
#
ipv6 pool pool1 bas remote
prefix pre1
dhcpv6-server group group1
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme auth1
authentication-mode radius
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme acct1
accounting-mode radius
#
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ipv6-pool pool1
prefix-assign-mode unshared
#
interface GigabitEthernet0/1/1.1
user-vlan 1 20
ipv6 enable
ipv6 address auto link-local
bas
#
access-type layer2-subscriber default-domain authentication isp1
authentication-method-ipv6 bind
#
return
This chapter describes how to control and manage various types of access services by using
BRAS access. This feature is supported only in the Admin-VS.
This feature is not supported on the M2E.
9.1 Overview of IPoE Access
This section describes basic concepts of IP over Ethernet (IPoE) access, helping you quickly
configure IPoE access.
9.2 Licensing Requirements and Limitations for IPoE--M2F
9.3 Licensing Requirements and Limitations for IPoE--M2H
9.4 Licensing Requirements and Limitations for IPoE--M2K
9.5 Configuring an Authentication Mode for IPoE Access
You can use authentication technologies to exchange authentication packets, user names and
passwords between user terminals and the NE40E. The NE40E supports multiple
authentication technologies.
9.6 Configuring IPoE Access Services
In IPoE access, users can access the Internet by sending packets, without using client
dial-in software.
9.7 Configuring IPoEv6 Access Services
IPoEv6 access users can access the Internet by sending packets without dialing up. Therefore,
dial-up software does not need to be installed on the client.
9.8 Maintaining IPoE Access
Maintaining BRAS access includes monitoring the operating status of the BRAS, clearing the
statistics about login and logout users, and debugging in the case of failures.
9.9 Configuration Examples for IPoE Access Authentication
This section provides examples for configuring the BRAS access service, including
networking requirements, configuration notes, and configuration roadmap.
NOTE
Services are interrupted if the memory size of the master MPU is inconsistent with that of the slave
MPU.
Restriction: When the RADIUS server delivers the Framed-Route attribute to a leased line
user, user-to-network traffic does not support source IP address check (URPF).
Guideline: Do not deliver the Framed-Route attribute to leased line users if you have high
requirements for source IP address check.
Impact: The URPF function does not take effect.

Restriction: The auto save feature supports Layer 2 DHCPv4 users with the authentication
and accounting modes set to non-authentication and non-accounting, respectively.
Guideline: None
Impact: The auto save function does not take effect.

Restriction: In a scenario where the next hop of a static route is the IP address of a static
user, multiple next hops are not supported for the static user, that is, route load balancing
is not supported.
Guideline: Do not configure a static user's IP address as the next hop of a static route in
load-balancing scenarios.
Impact: Load balancing does not take effect.
Applicable Environment
Web authentication is an interactive authentication mode in which the user opens the
authentication page on the web authentication server, and enters the user name and password
to be authenticated.
Fast authentication is the simplified web authentication. The user opens the web page for
authentication but does not need to enter the user name and password. The NE40E generates
the user name and password according to information about the BAS interface from which the
user logs in.
Binding authentication means that the NE40E automatically generates the user name and
password based on the user's physical location.
Context
When configuring Web authentication or fast authentication, you need the following
parameters:
NOTE
l The new password is at least eight characters long and contains at least two of upper-case letters,
lower-case letters, digits, and special characters.
l When configuring an authentication password, select ciphertext mode. In simple text
mode the password is saved in plaintext in the configuration file, which is a high risk. To
ensure device security, change the password periodically.
Procedure
Step 1 Configuring the Web Authentication Server
1. Run system-view
NOTE
Redirection URL must be configured in the preauthentication domain for a web dual-stack user.
Otherwise, mandatory web authentication may fail.
5. (Optional) Run web-server { ip-address | url url } bind web-auth-server ip-address
[ vpn-instance vpn-instance ]
The Web authentication server bound to the mandatory Web authentication server is
configured.
6. (Optional) Run web-server { ip-address | url url } bind web-auth-server ip-address
[ vpn-instance vpn-instance ] slave
The Web authentication server bound to the standby mandatory Web authentication
server is configured.
7. (Optional) Run mac-authentication enable
The MAC address authentication is enabled.
NOTE
6. Run quit
The system view is displayed.
7. Run aaa
The AAA view is displayed.
8. Run domain domain-name
The domain view is displayed.
9. Run http-hostcar enable [ no-fast-reply ] enable
hostcar and quick reply are configured for HTTP packets of users on which web
authentication is performed forcibly.
10. Run quit
The AAA view is displayed.
11. Run quit
The system view is displayed.
Step 5 (Optional) Configuring IP address reallocation
1. Run domain domain-name
The view of the authentication domain is displayed.
2. Run reallocate-ip-address
IP address reallocation is enabled in a domain.
Currently, many PCs do not need to be authenticated and can be connected to the
network. If public IP addresses are allocated to PCs after the PCs start, IP addresses will
be wasted. With IP address reallocation, the NE40E allocates a private address to a user
who is not authenticated, and then allocates a public address to a user who is
authenticated. This solves the problem that public addresses are insufficient, and
improves public address usage.
The reallocate-ip-address command is used only for Web users.
3. Run quit
The AAA view is displayed.
4. Run quit
The system view is displayed.
Step 6 Configuring the Authentication Domain and Authentication Method on the BAS Interface
Web authentication users are considered unauthorized users before they are authenticated.
Therefore, they cannot obtain IP addresses or access the web authentication server.
This means web authentication cannot be performed on web authentication users. To resolve
this problem, all unauthenticated web authentication users are assigned to a default domain
configured on an interface. This default domain is called the pre-authentication default
domain. Unauthenticated web authentication users can obtain IP addresses through the pre-
authentication default domain and access the web authentication server through the authorities
granted to the pre-authentication default domain for web authentication.
1. Run interface interface-type interface-number
----End
Context
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run bas
The BAS interface view is displayed.
Step 4 Run access-type layer2-subscriber
The user access type is set to Layer 2 subscriber access.
Step 5 Run default-domain pre-authentication domain-name
The default pre-authentication domain is specified.
Step 6 Run default-domain authentication [ force | replace ] domain-name
The default authentication domain is specified.
----End
Procedure
l Run the display web-auth-server configuration command to check the configuration of
the Web authentication server.
l Run the display domain [ domain-name ] command to check the configuration of the
domain.
l Run the display aaa default-user-name [ template template-name | global ] command
to check the mode in which pure IPoE user names are generated.
l Run the display aaa default-password [ template template-name | global ] command to
check the IPoE user password or the password generation mode.
----End
Example
After the configuration is complete, you can run the display web-auth-server configuration
command to view the configuration of the Web authentication server.
<HUAWEI> display web-auth-server configuration
Source interface : -
Listening port : 2000
Portal : version 1, version 2, version 3
Display reply message : enabled
------------------------------------------------------------------------
Server Share-Password Port NAS-IP Vpn-instance
------------------------------------------------------------------------
192.168.3.140 ****** 50100 NO
------------------------------------------------------------------------
1 Web authentication server(s) in total
After the configuration is complete, you can run the display domain [ domain-name ]
command to view the configuration of the domain. For example:
<HUAWEI> display domain
------------------------------------------------------------------------------
Domain name State CAR Access-limit Online BODNum RptVSMNum
------------------------------------------------------------------------------
After the configuration is complete, you can run the display aaa default-user-name
command to view the mode in which IPoE user names are generated. For example:
<HUAWEI> display aaa default-user-name global
Global user name format:enable
Sysname:yes, separator :"-"
Gateway-address:-, separator :no
IP address:-, separator :no
MAC address:-, separator :no
Access-line-id: -, separator :no
Access-line-id circuit-id:-, separator :no, offset: -, parse-mode:%s
Access-line-id remote-id:-, separator :no,offset: -, parse-mode:%s
Vendor-class: -, separator: no,cn-format:-, sub-option:-, offset:-, length:-
Client-id:-, separator :no
DHCPv4 option12:-,separator :no
PE VLAN: -, separator :no
CE VLAN:-, separator :no
Port:-, separator :no
Slot:-, separator :no
Subslot:-, separator :no
After the configuration is complete, you can run the display aaa default-password command
to view the IPoE user password or the mode in which IPoE user passwords are generated. For
example:
<HUAWEI> display aaa default-password global
Global password:the default is ******
Usage Scenario
The IPoE access service is an access authentication service. In IPoE access, a user accesses
the Internet by using the Ethernet or asymmetric digital subscriber line (ADSL). The user uses
a fixed IP address or obtains an IP address by using the Dynamic Host Configuration Protocol
(DHCP). The system then authenticates the user by using Web authentication, fast
authentication, or binding authentication.
Depending on the networking, IPoE services are classified into IPoE, IPoEoVLAN, and
IPoEoQ services.
Pre-configuration Tasks
Before configuring the IPoE access service, complete the following tasks:
Configuration Procedures
To configure the IPoE access service, perform the following procedures.
NOTE
Configuring an AAA scheme, 6.6 Configuring RADIUS, Configuring an IPv4 address pool, and
Configuring a domain are not provided here because all the procedures are described in other chapters.
Figure: IPoE access service configuration flowchart. Procedures shown: Configuring a server
template, Configuring an IPv4 address pool, Configuring a domain, Configuring the BAS
interface. Legend: mandatory procedure, optional procedure.
Context
If users access the network by using a sub-interface, the sub-interface needs to be bound to a
VLAN.
You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding
a sub-interface to a VLAN, you need the following parameters:
l Sub-interface number
l VLAN ID
l QinQ ID
NOTE
l On each main interface, you can set the any-other parameter on only one sub-interface. On one sub-
interface, any-other cannot be set together with start-vlan nor qinq.
l If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a
sub-interface, the user-vlan cannot be configured on this sub-interface.
l Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.
Procedure
Step 1 Run system-view
----End
Context
When configuring a BAS interface, you need the following parameters:
l (Optional) Default domain, roaming domain, and domains that users are allowed to
access
l (Optional) Whether to enable the functions of proxy ARP, DHCP broadcast, accounting
packet copy, IP packet trigger-online, and user-based multicast replication
l (Optional) Whether to trust the access-line-id information reported by clients, user
detection parameters, VPN instances of non-PPP users, and BAS interface name
Perform the following steps on NE40E:
NOTE
l The new password is at least eight characters long and contains at least two of upper-case letters,
lower-case letters, digits, and special characters.
l For security purposes, you are advised to configure a password in ciphertext mode and periodically
change the password.
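The two NOTEs on this page about passwords (in the web authentication context and here) state a concrete complexity rule and warn that simple text mode stores the secret in plaintext in the configuration file. The following Python script is an added example, not code from the Huawei guide: it implements the stated rule (at least eight characters, at least two of the four character classes) and audits a saved configuration for passwords kept in simple mode, redacting the value before it is reported. The regular expression for the password keyword is an assumption based on the command syntax on this page (password { cipher password | simple password }); the configuration sample and its ciphertext placeholder are constructed.

```python
"""Check a candidate password against the complexity rule stated in the guide
and audit a saved configuration for passwords stored in simple (plaintext)
mode.

Added example; not code from the Huawei guide. PASSWORD_RE is an assumption
derived from the command syntax shown on this page:
  password { cipher password | simple password }
SAMPLE_CONFIG and the ciphertext placeholder in it are constructed.
"""
import re
import string

MIN_LENGTH = 8
SPECIALS = set(string.punctuation)


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def meets_policy(password):
    """True when the password is at least MIN_LENGTH characters long and
    mixes at least two of: upper-case, lower-case, digits, specials."""
    return len(password) >= MIN_LENGTH and len(character_classes(password)) >= 2


# Matches "password simple <value>" or "password cipher <value>" in a line.
PASSWORD_RE = re.compile(r"\bpassword\s+(simple|cipher)\s+(\S+)")


def redact(line):
    """Mask the secret so a finding can be logged without re-exposing it."""
    return PASSWORD_RE.sub(lambda m: f"password {m.group(1)} ******", line)


def audit_config(config_text):
    """Return (line_number, redacted_line) for every password kept in simple
    mode; cipher-mode passwords are not reported."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for match in PASSWORD_RE.finditer(line):
            if match.group(1) == "simple":
                findings.append((lineno, redact(line.strip())))
    return findings


# Constructed configuration sample: one leased-line user with a simple-mode
# password (the finding) and one with a cipher-mode placeholder (no finding).
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/1/1.1
 bas
  access-type layer2-leased-line user-name user1 password simple Passw0rd
#
interface GigabitEthernet0/1/1.2
 bas
  access-type layer2-leased-line user-name user2 password cipher %^%#PLACEHOLDER-CIPHERTEXT%^%
#
"""

if __name__ == "__main__":
    for candidate in ("Passw0rd", "password", "Ab1!"):
        print(f"{candidate!r}: {'ok' if meets_policy(candidate) else 'rejected'}")
    for lineno, line in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: plaintext password -> {line}")
```

The audit reports the line number and a redacted copy of the line, so the output can go into a ticket or a CI log without copying the secret forward; the policy check reproduces the rule exactly as the guide states it and does not add requirements the page does not mention.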
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
NOTE
In scenarios with BRAS access through L2VPN termination, run the ve-group ve-group-id l2-terminate
command to configure the VE interface as an L2VE interface to terminate an L2VPN and bind the
interface to a VE group. In scenarios with BRAS access through L3VPN termination, run the ve-group
ve-group-id l3-terminate command to configure the VE interface as an L3VE interface to terminate an
L3VPN and bind the interface to a VE group. The preceding commands are configured in the VE
interface view. Only Layer 3 static user access is supported in scenarios with BRAS access through
L3VPN termination. For details, see Example for Configuring BRAS Access Through L3VPN
Termination.
When configuring Layer 3 subscriber access, you can run the layer3-subscriber start-ip-
address end-ip-address [ vpn-instance instance-name ] domain-name domain-name
command and the layer3-subscriber ip-address any domain-name domain-name command
in the system view to specify an IP address segment and authentication domain name.
The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk
interface. You can configure the access type of such an Ethernet interface only on the
associated Eth-Trunk interface.
When configuring static routes for Layer 3 users, specify the next hop as the user IP address
and do not specify the outbound interface. Otherwise, network-to-user traffic may fail to be
forwarded.
Run access-type layer2-leased-line user-name uname password { cipher password | simple
password } [ bas-interface-name bname | default-domain authentication dname |
accounting-copy radius-server rd-name | nas-port-type { async | sync | isdn-sync | isdn-
async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap |
adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 } ] *
The access type is set to Layer 2 leased line access and the attributes of this access type are
configured.
Run access-type layer3-leased-line { user-name uname | user-name-template } password
{ cipher password | simple password } [ default-domain authentication dname | bas-
interface-name bname | accounting-copy radius-server rd-name | nas-port-type { async |
sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-
fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 } | mac-
address mac-address | client-id client-id ] *
The access type is set to Layer 3 leased line access and the attributes of this access type are
configured.
If there is an online user on the BAS interface, you can change the access type on the interface
only when the online user is a leased line user.
After the access type is set to leased line access, the NE40E performs authentication on the
leased line users immediately.
Step 5 (Optional) Run access leased-line connection chasten request-session request-period
blocking-period quickoffline
Suppression of leased line user access is enabled.
If the duration or traffic volume quota delivered by the RADIUS server to a leased line user is
0, the leased line user can go online but will go offline immediately. This results in frequent
login and logout of leased line users.
The command can be run to configure the maximum number of connection requests allowed,
the interval at which connection requests can be sent, and a blocking period.
Step 6 (Optional) Run trust 8021p-protocol
The 802.1p priority of user packets is set to be trusted.
The trust 8021p-protocol command can be configured only when the access type is set to
Layer 2 subscriber access.
Step 7 (Optional) Run access-limit number [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-
vlan ] [ user-type { ipoe | pppoe } ] ]
The number of users that are allowed access through the interface is configured.
l If the access-limit command is configured on a sub-interface enabled with BAS, the
number of VLAN users that access the sub-interface is limited.
l If the access-limit command is configured on a main interface enabled with BAS and the
VLAN range is not specified in the command, the total number of VLAN users that
access the main interface is limited. Note that the configuration of access-limit on a sub-
interface takes precedence over that on the corresponding main interface.
l You can also specify the user-type parameter to limit the maximum number of access
users based on access types.
Step 8 (Optional) Run default-domain pre-authentication domain-name
The default pre-authentication domain is specified.
l For common Layer 2 users, VLANs and VLAN descriptions are configured on the
interface.
Step 14 Perform the following configurations by service type:
l For IPoE access services:
Run the ip-trigger command to enable user access triggered by IP packets. Or run the
arp-trigger command to enable user access triggered by ARP packets.
l For IPoEv6 access services:
Run the ipv6-trigger command to enable user access triggered by IPv6 packets. Or run
the nd-trigger command to enable user access triggered by NS/NA packets.
Step 15 (Optional) Run wlan-switch enable [ switch-group switch-group-name ]
WLAN user roaming switchover is enabled.
After WLAN user roaming switchover is enabled on a BAS interface, you need to configure
the interface to use received user packets to trigger roaming procedures for WLAN users.
Perform the following configurations based on the actual roaming scenarios:
l If users do not pass through Wi-Fi blind spots when roaming between different APs, run
either the ip-trigger or arp-trigger command or both to configure the interface to
trigger roaming procedures for the WLAN users based on the received IP or ARP
packets, or run the ipv6-trigger command to configure the interface to trigger roaming
procedures for Layer 2 IPv6 users based on the received IPv6 packets.
l If users pass through Wi-Fi blind spots when roaming between different APs, run the
dhcp session-mismatch action roam { ipv4 | ipv6 } * command to configure the
interface to allow users to send DHCPv4 Discover or Request messages or DHCPv6
Solicit messages to re-log in.
NOTE
– The dhcp session-mismatch action roam { ipv4 | ipv6 } * and dhcp session-mismatch
action offline commands override one another. If the two commands are run on the same
interface, the command run later takes effect.
– The dhcp session-mismatch action roam { ipv4 | ipv6 } * command can be configured
together with the ip-trigger, the arp-trigger and the ipv6-trigger commands.
After the preceding steps are performed, WLAN users do not need to be re-authenticated for
login after being logged out when roaming between different APs. This ensures that services
are not interrupted.
Step 16 (Optional) Run user detect retransmit num interval time [ no-datacheck ] or user detect
no-datacheck
User detection parameters are configured.
Step 17 (Optional) Run dhcp session-mismatch action offline
Online users whose physical location information is changed but MAC addresses remain
unchanged are logged out when they resend DHCP or ND login requests.
Step 18 (Optional) Run block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any
qinq start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ]
The BAS interface is blocked.
NOTE
After the dhcp-reply trust broadcast-flag command is run, if the broadcast flag value in a DHCP
request packet is 1, the device replies with a DHCP response packet that carries the broadcast address of
all Fs as the destination MAC address; if the broadcast flag value in a DHCP request packet is 0, the
device replies with a DHCP response packet that carries the user MAC address as the destination MAC
address.
The dhcp-reply trust broadcast-flag command applies only to Layer 2 access users.
The dhcp-reply trust broadcast-flag command is mutually exclusive with the dhcp-broadcast
command.
----End
Context
To filter users based on source MAC addresses, configure an ACL rule. When a DHCP or
PPP user attempts to go online, match the user's source MAC address against the ACL rule. If
matched, the user is allowed to go online.
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run acl { name link-acl-name { link | [ link ] number link-acl-number } | [ number ] link-
acl-number } [ match-order { config | auto } ]
The ACL view is displayed.
Step 3 Run rule [ rule-id ] { deny | permit } source-mac source-mac sourcemac-mask
NOTE
When a BAS interface uses a filter-policy to filter users, note the following:
l If the action specified in the ACL rule is permit, only users matching the rule are
allowed to access the Router.
l If the action specified in the ACL rule is deny, users matching the rule are not allowed to
access the Router, and the other users are allowed to access the Router.
l If the ACL does not have any rules, the BAS interface that references this ACL does not
filter access users based on users' MAC addresses.
l If the ACL referenced by the BAS interface does not exist, the BAS interface does not
filter access users based on users' MAC addresses.
PPP slow reply is configured for PPP echo packets with a specified MAC address.
Run the filter-policy acl acl-number dhcp command (or filter-policy acl acl-number ppp for
PPP users; see the note below) in the BAS interface view.
The BAS interface is configured to filter DHCP (or PPP) users that attempt to go online based
on the ACL rules.
NOTE
l Before running the filter-policy acl command, the BAS interface must already have the access-type
command configured.
l An access type can be bound to only one ACL on an interface.
l Because IP addresses are assigned to DHCP users based on the MAC addresses contained in user DHCP
packets, if you run the filter-policy acl acl-number dhcp command to filter users, the command filters
users based on source MAC addresses contained in the DHCP packets, rather than those contained in the
Ethernet headers. This command cannot filter out attackers whose MAC addresses contained in Ethernet
headers are inconsistent with those contained in DHCP packets. To protect the device from this type of
attack, run the dhcp check chaddr command.
l The filter-policy acl acl-number ppp command applies to PPPoE, PPPoEoA, and L2TP users.
----End
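The note above makes a point that is easy to miss operationally: filter-policy acl acl-number dhcp matches the MAC address carried inside the DHCP payload (chaddr), not the Ethernet source MAC, so a client that puts a permitted MAC in chaddr while sending from a different Ethernet address passes the filter unless dhcp check chaddr is also configured. The following Python script is added here as a worked example and is not Huawei code; it does not run on the router. It builds two constructed DHCPDISCOVER frames, applies a link ACL with the filter semantics described in the note, and shows the bypass and the fix. The ACL entry, the MAC addresses, the mask convention (mask bits set to 1 are compared) and the treatment of a mixed permit/deny ACL as a permit list are this example's assumptions; it also derives the reply destination MAC that dhcp-reply trust broadcast-flag (described later in this chapter) selects from the request's broadcast flag.

```python
"""Constructed example: a MAC link ACL applied to the DHCP chaddr, the bypass
left open when the Ethernet source MAC differs from chaddr, and the check that
dhcp check chaddr adds.  Not Huawei code; all frames are built by hand."""
import struct

BROADCAST_MAC = "ffff-ffff-ffff"   # the "all Fs" destination MAC


def fmt_mac(raw: bytes) -> str:
    """Render six bytes as xxxx-xxxx-xxxx, the notation used in the CLI."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an even-length IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_discover(eth_src: bytes, chaddr: bytes, broadcast_flag: bool) -> bytes:
    """Build an untagged Ethernet II / IPv4 / UDP / DHCPDISCOVER frame.
    eth_src and chaddr are passed separately so that the two can disagree."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0,
                        0x8000 if broadcast_flag else 0)            # op, htype, hlen, hops, xid, secs, flags
    bootp += b"\x00" * 16                                           # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00") + b"\x00" * 192              # chaddr (16), sname (64), file (128)
    bootp += b"\x63\x82\x53\x63" + bytes([53, 1, 1, 255])           # magic cookie, DHCP type=Discover, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp   # UDP checksum 0 = not computed
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         b"\x00" * 4, b"\xff" * 4)                  # 0.0.0.0 -> 255.255.255.255
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip_hdr + udp


def parse_dhcp_frame(frame: bytes) -> dict:
    """Pull out the three fields the decisions below depend on.
    Assumes an untagged IPv4 frame (any VLAN tags already stripped)."""
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[(ip[0] & 0x0F) * 4:]
    if struct.unpack("!H", udp[2:4])[0] != 67:
        raise ValueError("not a client-to-server DHCP datagram")
    bootp = udp[8:]
    hlen = bootp[2]
    flags = struct.unpack("!H", bootp[10:12])[0]
    return {"eth_src": fmt_mac(eth_src),
            "chaddr": fmt_mac(bootp[28:28 + hlen]),
            "broadcast_flag": bool(flags & 0x8000)}


def mac_matches(mac: str, rule_mac: str, rule_mask: str) -> bool:
    """Mask bits set to 1 are compared (ffff-ffff-ffff = exact match); assumed convention."""
    m, r, k = (int(x.replace("-", ""), 16) for x in (mac, rule_mac, rule_mask))
    return (m & k) == (r & k)


def filter_user(acl_rules, mac: str) -> str:
    """BAS filter-policy semantics from the NOTE: an empty or missing ACL filters
    nobody; otherwise the first matching rule decides, and an unmatched user is
    denied only when the ACL is a permit list (mixed ACLs treated as permit lists:
    this example's assumption)."""
    if not acl_rules:
        return "permit"
    for action, rule_mac, rule_mask in acl_rules:
        if mac_matches(mac, rule_mac, rule_mask):
            return action
    return "deny" if any(a == "permit" for a, _, _ in acl_rules) else "permit"


def admit_dhcp_user(acl_rules, frame: bytes, check_chaddr: bool) -> dict:
    """filter-policy acl ... dhcp matches chaddr, not the Ethernet source MAC;
    dhcp check chaddr closes the gap by rejecting frames where the two differ."""
    f = parse_dhcp_frame(frame)
    mismatch = f["eth_src"] != f["chaddr"]
    verdict = filter_user(acl_rules, f["chaddr"])
    if check_chaddr and mismatch:
        verdict = "deny"
    return {**f, "chaddr_mismatch": mismatch, "verdict": verdict,
            # dhcp-reply trust broadcast-flag: flag 1 -> all-Fs broadcast, flag 0 -> the user MAC
            "reply_dst_mac": BROADCAST_MAC if f["broadcast_flag"] else f["chaddr"]}


PERMIT_OUI = [("permit", "00e0-fc00-0000", "ffff-ff00-0000")]   # permit one vendor OUI only

if __name__ == "__main__":
    good = build_discover(bytes.fromhex("00e0fc970001"), bytes.fromhex("00e0fc970001"), True)
    spoof = build_discover(bytes.fromhex("001122334455"), bytes.fromhex("00e0fc970001"), False)
    print(admit_dhcp_user(PERMIT_OUI, good, check_chaddr=True)["verdict"])    # permit
    print(admit_dhcp_user(PERMIT_OUI, spoof, check_chaddr=False)["verdict"])  # permit (bypass)
    print(admit_dhcp_user(PERMIT_OUI, spoof, check_chaddr=True)["verdict"])   # deny
```

The second frame is the attack the note describes: the Ethernet source MAC (0011-2233-4455) is outside the permitted OUI, but because the filter only sees chaddr the user is admitted until the chaddr check is switched on.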
Context
When the NE40E functions as a BRAS or DHCP server, it can assign IP addresses only to
IPoE users with different MAC addresses. If you want the NE40E to assign IP addresses to
users with the same MAC address, configure one-to-many mapping between one MAC
address and many sessions. These users with the same MAC address must have different
VLAN IDs or interface numbers, and different circuit IDs.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipoe-server multi-sessions per-mac enable
One-to-many mapping between one MAC address and many sessions is enabled for IPoE
users to allow the NE40E to assign IP addresses to IPoE users with the same MAC address.
Step 3 Run commit
The configuration is committed.
----End
Context
On the network shown in Figure 9-2, service packets carry 802.1p values to identify their
priorities. The BRAS can identify service priorities based on the 802.1p values of received
Layer 2 service packets and transmit the service packets to corresponding VPNs. To allow
this, enable a BAS interface to transmit packets to different VPNs based on 802.1p priorities
of the packets and also bind VPN instances to different 802.1p priorities.
Figure 9-2 Transmitting packets to different VPNs based on 802.1p priorities (figure not
reproduced; labels recoverable from it: a Layer 2 network connects users to the BRAS; HSI
traffic carries 802.1p 1 and maps to VPN1, VoIP carries 802.1p 2 and maps to VPN2, iTV carries
802.1p 3 and maps to VPN3; an AAA/DHCP server sits on the network side)
Procedure
Step 1 Create a VPN instance. (Both user and service VPN instances must be configured.)
1. Run system-view
The system view is displayed.
2. Run ip vpn-instance vpn-instance-name
A VPN instance is created, and the VPN instance view is displayed.
3. Run ipv4-family
The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4
address family view is displayed.
4. Run route-distinguisher route-distinguisher
An RD is configured for the VPN instance IPv4 address family.
5. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-
extcommunity ]
VPN targets are configured for the VPN instance IPv4 address family.
6. Run quit
Return to the VPN instance view.
7. Run quit
The VPN instance bound to the 802.1p priority must be the service VPN instance created
in Step 1.
NOTE
The binding between VPN instances and 802.1p priorities cannot be modified or deleted if the
BAS interface has online users.
4. Run quit
The sub-interface is configured as a BAS interface, and the BAS interface view is
displayed.
6. Run access-type layer2-subscriber [ default-domain { authentication [ force |
replace ] dname | pre-authentication predname } * | bas-interface-name bname |
accounting-copy radius-server rd-name ] *
The access type of the BAS interface is configured as Layer 2 subscriber access.
7. Run authentication-method { bind | { fast | web } }
The BAS interface is enabled to transmit packets to different VPNs based on the 802.1p
priorities of the packets.
9. Run quit
Step 5 Configure a network-side ACL and define redirection for the ACL.
1. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } |
[ number ] basic-acl-number } [ match-order { config | auto } ]
A VPN group is created, and a VPN instance is added to the VPN group.
The VPN instance added to the VPN group must be the user VPN instance created in
Step 1.
5. Run traffic behavior behavior-name
A traffic behavior is configured, and the traffic behavior view is displayed.
6. Run redirect vpn-group vpn-group-name
Packet redirection to a specified VPN group is configured.
The VPN group to which packets are redirected must be the one created in Step d.
7. Run quit
Return to the system view.
8. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is configured, and the traffic classifier view is displayed.
9. Run if-match acl acl { acl-number | name acl-name }
An IPv4 ACL is specified for MF classification.
10. Run quit
Return to the system view.
11. Run traffic-policy policy-name
A traffic policy is configured.
12. Run share-mode
The shared mode is specified for the traffic policy.
13. Run classifier classifier-name behavior behavior-name [ precedence precedence-
value ]
A traffic behavior is specified for a traffic classifier in the traffic policy.
14. Run quit
Return to the system view.
Step 6 Configure a network-side interface.
1. Run interface interface-type interface-number.subinterface-number
A sub-interface is created, and the sub-interface view is displayed.
2. Run vlan-type dot1q vlanid { 8021p { 8021p-value1 [ to 8021p-value2 ] } &<1-8> |
dscp { dscp-value1 [ to dscp-value2 ] } &<1-10> | default | eth-type pppoe }
The dot1q VLAN type is configured for the sub-interface.
3. Run ip binding vpn-instance vpn-instance-name
A VPN instance is bound to the sub-interface.
The VPN instance bound to the sub-interface must be the service VPN instance created
in Step 1.
4. Run ip address ip-address { mask | mask-length }
An IP address is configured for the sub-interface.
----End
Procedure
l Run the display access-user command to check information about online users. To view
information about specific users, you can configure parameters in the command to
specify users.
l Run the display web-auth-server configuration command to check the configuration of
the Web authentication server.
l Run the display domain command to check the configuration of the domain.
l Run the display acl command to check the configuration of the ACL.
l Run the display interface command to check the status of the VE interface.
----End
Example
Run the display access-user command. If the IPoE access service is configured successfully,
you can view information about all access users.
<HUAWEI> display access-user
------------------------------------------------------------------------------
Total users : 9
IPv4 users : 9
IPv6 users : 0
Dual-Stack users : 0
Lac users : 0
RUI local users : 0
RUI remote users : 0
Wait authen-ack : 0
Authentication success : 9
Accounting ready : 9
Accounting state : 0
Wait leaving-flow-query : 0
Wait accounting-start : 0
Wait accounting-stop : 0
Wait authorization-client : 0
Wait authorization-server : 0
------------------------------------------------------------------------------
Domain-name Online-user
------------------------------------------------------------------------------
default0 : 0
default1 : 0
default_admin : 0
wq : 0
chen : 0
isp7 : 0
gaoli : 0
ly : 0
test : 0
lsh : 9
------------------------------------------------------------------------------
The used CID table are :
20-28
------------------------------------------------------------------------------
After the configuration is complete, you can run the display web-auth-server configuration
command to view the configuration of the Web authentication server.
<HUAWEI> display web-auth-server configuration
Source interface : -
Listening port : 2000
Portal : version 1, version 2, version 3
Display reply message : enabled
------------------------------------------------------------------------
Server Share-Password Port NAS-IP Vpn-instance
------------------------------------------------------------------------
192.168.3.140 ****** 50100 NO
------------------------------------------------------------------------
1 Web authentication server(s) in total
After the configuration is complete, you can run the display acl command to view the
configuration of the ACL.
<HUAWEI> display acl 3100
Advanced ACL 3100, 3 rules,
rule 0 permit icmp (2 times matched)
rule 1 permit ip source 10.1.1.1 0 destination 10.2.2.2 0 (0 times matched)
rule 2 permit tcp source 10.110.0.0 0.0.255.255 (0 times matched)
After the configuration is complete, you can run the display interface command to view the
status of the VE interface.
<HUAWEI> display interface virtual-ethernet 1/0/0
Virtual-Ethernet1/0/0 current state : UP
Line protocol current state : UP
Last up time: 2007-11-17, 17:23:43
Description:Virtual-Ethernet81/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.0.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc97-a4ab
Context
IPoEv6 access refers to a packet-triggering access mode in which users access the NE40E by
using DHCPv6, ND, or IPv6 packets.
IPoEv6 access services include IPoEv6, IPoEoVLANv6, and IPoEoQv6 services. These
services differ in terms of the protocol stack. In IPoEv6 access mode, users can directly access
the Internet using Web browsers, without having to install client dial-up software on their
PCs.
The service models of different carriers may differ, and the operating modes of home
gateways may also differ on a broadband access network. A home gateway may operate in
bridging mode, numbered routing mode, or unnumbered routing mode.
Pre-configuration Tasks
Before configuring the IPoEv6 access service, complete the following tasks:
l Loading the BRAS license (For details, see the HUAWEI NE40E-M2 Series Universal
Service Router Configuration Guide-System Management.)
If the link-local address is deleted or IPv6 is disabled either from an interface or globally, IPv6 on the
BAS interface goes Down, and IPv4/IPv6 dual-stack users who access the BAS interface are logged out.
Context
NOTE
IPv4 and IPv6 authentication modes (bind authentication) for an IPv4/IPv6 dual-stack user must be the
same.
l Bind authentication
For configuration details, see 9.5.2 Configuring Binding Authentication.
Bind authentication on an IPv4 network uses DHCPv4 options. If the network is upgraded to
IPv6, using DHCPv6 to allocate IPv6 addresses is recommended: the authentication
information can be carried in DHCPv6 options, so it remains unchanged after the network
is upgraded from IPv4 to IPv6.
Context
The address allocation mode varies according to the CPE working mode. For details, see the
following table.
NOTE
l Layer 3 users of a leased line obtain their addresses from the access router. The NE40E is in charge
of only authentication and accounting, not address allocation.
If an IPv4 network is upgraded to an IPv6 network, the CPE working mode and authentication
mode do not need to be changed unless there are special service requirements. In PPP
authentication mode, either ND or DHCPv6 can be used for address allocation. In bind
authentication mode, using DHCPv6 for address allocation is recommended. In 802.1X or
web authentication mode, using DHCPv6 for address allocation is recommended if user
terminals support ND+PD. The IPv6 addresses assigned using ND to the WAN interfaces on
CPEs are used to communicate with the BRAS, while the prefixes assigned using PD allow
CPEs to generate IPv6 addresses for the attached terminals. By default, the assigned PD
prefixes and the IPv6 addresses assigned using ND are released at the same time. To release
only the PD prefixes while keeping the ND-assigned addresses that the CPEs use to
communicate with the BRAS, configure the device to separately release PD addresses for
IPoE users.
Procedure
Step 1 Run system-view
The device is enabled to release only the assigned PD addresses in scenarios where CPEs
work in numbered routing mode.
----End
Context
If users access the network by using a sub-interface, the sub-interface needs to be bound to a
VLAN.
You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding
a sub-interface to a VLAN, you need the following parameters:
l Sub-interface number
l VLAN ID
l QinQ ID
NOTE
l On each main interface, you can set the any-other parameter on only one sub-interface. On one sub-
interface, any-other cannot be set together with start-vlan or qinq.
l If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a
sub-interface, the user-vlan cannot be configured on this sub-interface.
l Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.
Procedure
Step 1 Run system-view
----End
Context
When configuring a BAS interface, you need the following parameters:
l BAS interface number
l Access type and authentication scheme
l (Optional) Maximum number of users that are allowed access through the BAS interface
and maximum number of users that are allowed access through a specified VLAN
l (Optional) Default domain, roaming domain, and domains that users are allowed to
access
l (Optional) Whether to enable the functions of proxy ARP, DHCP broadcast, accounting
packet copy, IP packet trigger-online, and user-based multicast replication
l (Optional) Whether to trust the access-line-id information reported by clients, user
detection parameters, VPN instances of non-PPP users, and BAS interface name
Perform the following steps on NE40E:
NOTE
l The new password is at least eight characters long and contains at least two of upper-case letters,
lower-case letters, digits, and special characters.
l For security purposes, you are advised to configure a password in ciphertext mode and periodically
change the password.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
NOTE
In scenarios with BRAS access through L2VPN termination, run the ve-group ve-group-id l2-terminate
command to configure the VE interface as an L2VE interface to terminate an L2VPN and bind the
interface to a VE group. In scenarios with BRAS access through L3VPN termination, run the ve-group
ve-group-id l3-terminate command to configure the VE interface as an L3VE interface to terminate an
L3VPN and bind the interface to a VE group. The preceding commands are configured in the VE
interface view. Only Layer 3 static user access is supported in scenarios with BRAS access through
L3VPN termination. For details, see Example for Configuring BRAS Access Through L3VPN
Termination.
The access type is set to Layer 2 subscriber access and the attributes of this access type are
configured.
The access type is set to Layer 3 subscriber access and the attributes of this access type are
configured.
When setting the access type on the BAS interface, you can set the service attributes of the
access users at the same time. You can also set these attributes in later configurations.
When configuring Layer 3 subscriber access, you can run the layer3-subscriber start-ip-
address end-ip-address [ vpn-instance instance-name ] domain-name domain-name
command and the layer3-subscriber ip-address any domain-name domain-name command
in the system view to specify an IP address segment and authentication domain name.
The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk
interface. You can configure the access type of such an Ethernet interface only on the
associated Eth-Trunk interface.
When configuring static routes for Layer 3 users, specify the next hop as the user IP address
and do not specify the outbound interface. Otherwise, network-to-user traffic may fail to be
forwarded.
The access type is set to Layer 2 leased line access and the attributes of this access type are
configured.
The access type is set to Layer 3 leased line access and the attributes of this access type are
configured.
If there is an online user on the BAS interface, you can change the access type on the interface
only when the online user is a leased line user.
After the access type is set to leased line access, the NE40E performs authentication on the
leased line users immediately.
If the duration or traffic volume quota delivered by the RADIUS server to a leased line user is
0, the leased line user can go online but will go offline immediately. This results in frequent
login and logout of leased line users.
The command can be run to configure the maximum number of connection requests allowed,
the interval at which connection requests can be sent, and a blocking period.
Step 6 (Optional) Run trust 8021p-protocol
The 802.1p priority of user packets is set to be trusted.
The trust 8021p-protocol command can be configured only when the access type is set to
Layer 2 subscriber access.
Step 7 (Optional) Run access-limit number [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-
vlan ] [ user-type { ipoe | pppoe } ] ]
The number of users that are allowed access through the interface is configured.
l If the access-limit command is configured on a sub-interface enabled with BAS, the
number of VLAN users that access the sub-interface is limited.
l If the access-limit command is configured on a main interface enabled with BAS and the
VLAN range is not specified in the command, the total number of VLAN users that
access the main interface is limited. Note that the configuration of access-limit on a sub-
interface takes precedence over that on the corresponding main interface.
l You can also specify the user-type parameter to limit the maximum number of access
users based on access types.
Step 8 (Optional) Run default-domain pre-authentication domain-name
The default pre-authentication domain is specified.
An accounting request packet that the NE40E sends to a RADIUS server is allowed to carry
the link-account attribute.
Before running the command, set the access type to Layer 2 subscriber access.
The command affects RADIUS attribute 25 (Class) in accounting request packets sent by the
NE40E to a RADIUS accounting server.
An interface fills the link-account information into RADIUS attribute 25 (Class) only if both
of the following conditions are met:
l Users getting online from the interface do not need to be authenticated, and RADIUS
accounting is configured on the interface.
l For common Layer 2 users, VLANs and VLAN descriptions are configured on the
interface.
After WLAN user roaming switchover is enabled on a BAS interface, you need to configure
the interface to use received user packets to trigger roaming procedures for WLAN users.
Perform the following configurations based on the actual roaming scenarios:
l If users do not pass through Wi-Fi blind spots when roaming between different APs, run
either the ip-trigger or arp-trigger command or both to configure the interface to
trigger roaming procedures for the WLAN users based on the received IP or ARP
packets, or run the ipv6-trigger command to configure the interface to trigger roaming
procedures for Layer 2 IPv6 users based on the received IPv6 packets.
l If users pass through Wi-Fi blind spots when roaming between different APs, run the
dhcp session-mismatch action roam { ipv4 | ipv6 } * command to configure the
interface to allow users to send DHCPv4 Discover or Request messages or DHCPv6
Solicit messages to re-log in.
NOTE
– The dhcp session-mismatch action roam { ipv4 | ipv6 } * and dhcp session-mismatch
action offline commands override one another. If the two commands are run on the same
interface, the command run later takes effect.
– The dhcp session-mismatch action roam { ipv4 | ipv6 } * command can be configured
together with the ip-trigger, the arp-trigger and the ipv6-trigger commands.
After the preceding steps are performed, WLAN users do not need to be re-authenticated for
login after being logged out when roaming between different APs. This ensures that services
are not interrupted.
Step 16 (Optional) Run user detect retransmit num interval time [ no-datacheck ] or user detect
no-datacheck
User detection parameters are configured.
Step 17 (Optional) Run dhcp session-mismatch action offline
Online users whose physical location information is changed but MAC addresses remain
unchanged are logged out when they resend DHCP or ND login requests.
Step 18 (Optional) Run block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any
qinq start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ]
The BAS interface is blocked.
NOTE
After the dhcp-reply trust broadcast-flag command is run, the device honors the broadcast flag in the
DHCP request: if the flag is 1, the DHCP reply is sent with the broadcast MAC address (all Fs,
ffff-ffff-ffff) as the destination MAC address; if the flag is 0, the reply is sent with the user's MAC
address as the destination MAC address.
The dhcp-reply trust broadcast-flag command applies only to Layer 2 access users.
The dhcp-reply trust broadcast-flag command is mutually exclusive with the dhcp-broadcast
command.
----End
Context
When the NE40E functions as a BRAS or DHCP server, it can assign IP addresses only to
IPoE users with different MAC addresses. If you want the NE40E to assign IP addresses to
users with the same MAC address, configure one-to-many mapping between one MAC
address and many sessions. These users with the same MAC address must have different
VLAN IDs or interface numbers, and different circuit IDs.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipoe-server multi-sessions per-mac enable
One-to-many mapping between one MAC address and many sessions is enabled for IPoE
users to allow the NE40E to assign IP addresses to IPoE users with the same MAC address.
Step 3 (Optional) Run dhcpv6-server replace client-duid
The NE40E that functions as a DHCPv6 relay agent is configured to replace the client DUID
in a DHCPv6 message sent from a client with the one it generates for that client before
sending the message to a server.
This command is required for uniquely identifying clients if they have the same client DUID.
Step 4 Run commit
The configuration is committed.
----End
Procedure
l Run the display access-user command to check information about online users. To view
information about specific users, you can configure parameters in the command to
specify users.
l Run the display bas-interface command to check BAS interface configurations.
l Run the display dhcpv6 upgrade command to check the lease configuration for DHCPv6
users, which helps determine when the device can be restarted.
l Run the display vendor-class dhcpv6 command in the system view to check the
mapping between the vendor-class attribute and a DHCPv6 option as well as the
configured offset value.
----End
Example
Run the display access-user command. If the IPoEv6 access service is configured
successfully, you can view information about all access users.
<HUAWEI> display access-user
------------------------------------------------------------------------------
Total users : 9
IPv4 users : 9
IPv6 users : 0
Dual-Stack users : 0
Lac users : 0
Run the display bas-interface command to view BAS interface configurations.
<HUAWEI> display bas-interface
---------------------------------------------------------------------------
Interface BASIF-access-type config-state access-number
---------------------------------------------------------------------------
Eth-Trunk0 Layer2-subscriber Updated 0
Eth-Trunk0.1 Layer2-subscriber Updated 1
Eth-Trunk0.1234 Layer2-subscriber Updated 0
----------------------------------------------------------------------
Total 3 BASIF is configured
Run the display dhcpv6 upgrade command to view the lease configuration for DHCPv6 users
and determine when the device can be restarted.
<HUAWEI> display dhcpv6 upgrade
DHCPv6 upgrade: enable.
Preferred lifetime: 0days 0hours 30minutes
Valid lifetime: 0days 1hours 0minutes
Renew time percent: 50%
Rebind time percent:80%
Renew time: 0days 0hours 15minutes
Rebind time: 0days 0hours 24minutes
Access DHCPv6 user count of new lifetime: 100
Access DHCPv6 user count of old lifetime: 100
Access DHCPv6 user count of infinite lifetime: 10
Max interval from current for old lifetime DHCPv6 user renew: 0days 0hours 15minutes
Run the display vendor-class dhcpv6 command in the system view to view the mapping
between the vendor-class attribute and a DHCPv6 option as well as the configured offset
value.
<HUAWEI> display vendor-class dhcpv6
Vendor-class DHCPv6: enable.
DHCPv6 option code: 17.
DHCPv6 offset : 4
Context
After the preceding configurations, run the following display commands in any view to check
the BRAS configurations.
Procedure
Step 1 Run the display web-auth-server configuration command to check the configuration of the
Web authentication server.
Step 2 Run the display bas-interface command to check the configuration of the BAS interface.
Step 3 Run the display aaa online-fail-record command to check the login failure records.
Step 4 Run the display aaa offline-record command to check the logout records.
Step 5 Run the display aaa abnormal-offline-record command to check the abnormal logout
records.
Step 6 Run the display call rate command to check the total call put-through rate for all types of
users.
Step 7 Run the display access-user command in any view to check information about online users.
The protocol-statistics enable command run in the AAA view enables statistics about
protocol packets, including ND, PPPoE, PPP, DHCPv4, and DHCPv6 packets.
Step 8 Run the display user-flow-statistics [ domain domain-name ] command in any view to check
users' uplink and downlink traffic statistics.
Step 9 Run the display access trigger user-table command in any view to check information about
users whose access packets are limited on a board.
----End
Context
BRAS access information cannot be restored after it is cleared. Exercise caution when
running the commands.
Procedure
Step 1 Run the reset aaa online-fail-record command in the user view to clear the login failure
records.
Step 2 Run the reset aaa offline-record command in the user view to clear the logout records.
Step 3 Run the reset aaa abnormal-offline-record command in the user view to clear the abnormal
logout records.
Step 4 Run the reset access trigger user-table command in any view to clear information about
users whose access packets are limited on a board.
Step 5 Run the reset call rate command in the user view to clear the call rate statistics of users.
----End
Procedure
l Run the display access statistics packet discard mac-spoofing [ ipoe | pppoe ] [ ipv4 |
ipv6 ] { interface { interface-name | interface-type interface-number } | slot slot-id }
command in any view to display statistics about MAC-spoofing-dropped packets of
access users.
l Run the display access statistics trigger slot slot-id command in any view to display
user packet statistics by the board.
l Run the display layer3-subscriber statistics port-mismatch command in any view to
display statistics on Layer 3 users' packets that are discarded due to an interface
mismatch.
----End
Example
Run the display access statistics packet discard mac-spoofing slot slot-id command to view
statistics about MAC-spoofing-dropped packets on the board in slot 1.
<HUAWEI> display access statistics packet discard mac-spoofing slot 1
Run the display access statistics trigger slot slot-id command to view statistics about user
packets on the board in slot 2.
<HUAWEI> display access statistics trigger slot 2
IPv4 Packet information:
Passed packet(s) : 0
Dropped packet(s) : 0
IPv6 Packet information:
Passed packet(s) : 0
Dropped packet(s) : 0
Run the display layer3-subscriber statistics port-mismatch command to view statistics on
Layer 3 users' packets that are discarded due to an interface mismatch.
<HUAWEI> display layer3-subscriber statistics port-mismatch
---------------------------------------------------------------------------
Interface Statistics
---------------------------------------------------------------------------
Eth-Trunk1.1 4
Eth-Trunk6 3
Eth-Trunk6.1 3
GigabitEthernet3/0/0.1 2
GigabitEthernet3/0/0.2 100
---------------------------------------------------------------------------
Total 5,5 printed
Context
Broadband remote access server (BRAS) access statistics cannot be restored after being
cleared. Therefore, exercise caution when performing the following operations.
Procedure
l Run the reset vlan-statistics interface interface-type interface-number.subinterface-
number pevlan pe-vlan-id [ cevlan ce-vlan-id ] command to clear statistics about traffic
and Point-to-Point Protocol (PPP) packets on a specified sub-interface bound to a
specified virtual local area network (VLAN).
NOTE
l Run the reset access statistics trigger slot slot-id command to clear access packet
statistics on a board.
l Run the reset layer3-subscriber statistics port-mismatch [ interface { interface-name |
interface-type interface-num } ] command to clear statistics on Layer 3 users' packets
that are discarded due to an interface mismatch.
----End
Context
Before a device upgrade, you must block the user access domains and boards of the device,
log out online users, and then run the reboot command to restart the device after the users
have gone offline. Instead of doing this manually, you can run the bras auto-upgrade enable
command to automatically block the user access domains and boards of the device and log
out online users, and then run the reboot command to restart the device.
Procedure
Step 1 In the user view, run:
bras auto-upgrade enable
The bras auto-upgrade enable command is not stored in the configuration file of the system,
and therefore must be run each time you need this function.
----End
Networking Requirements
As shown in Figure 9-3, the networking requirements for configuring Layer 3 IPoE access
are as follows:
l A user belongs to the domain isp2. The user connects to GE 1/0/2.1 on Device B through
Device A, a DHCP relay agent. The user then accesses the Internet in Layer 3 IPoE
access mode.
l The user adopts web authentication, Remote Authentication Dial In User Service
(RADIUS) authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number
is 1812, and the accounting port number is 1813. The standard RADIUS protocol is
used. The shared key is it-is-my-secret1.
l The IP address of the DNS server is 192.168.8.252.
l The IP address of the WEB server is 192.168.8.251. The shared key is webvlan.
Interfaces 1 through 4 in this example are GE 0/1/1, GE 0/1/2, GE 0/1/1.1, and GE 0/1/2.1, respectively.
Configuration Roadmap
The configuration roadmap is as follows (all functions, except DHCP relay, are configured on
Device B):
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Assign IP addresses to interfaces on Device A and Device B.
Step 3 Configure a network-side IP address pool on Device B. The gateway address of the IP address
pool must be on the same network segment as the IP address of the inbound interface on
Device A, the DHCP relay agent.
<DeviceB> system-view
[~DeviceB] ip pool huawei bas local
[*DeviceB-ip-pool-huawei] gateway 11.11.11.1 24
[*DeviceB-ip-pool-huawei] section 0 11.11.11.2 11.11.11.255
[*DeviceB-ip-pool-huawei] dns-server 192.168.8.252
[*DeviceB-ip-pool-huawei] commit
[~DeviceB-ip-pool-huawei] quit
NOTE
In this example, a UCL rule is configured to permit packets destined for 127.0.0.1 to be sent to the CPU
of Device B.
[*DeviceB-acl-ucl-6000] rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
[*DeviceB-acl-ucl-6000] rule 25 permit ip source ip-address 192.168.8.252 0 destination user-group huawei
[*DeviceB-acl-ucl-6000] rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
[*DeviceB-acl-ucl-6000] rule 35 permit ip source ip-address 192.168.8.249 0 destination user-group huawei
[*DeviceB-acl-ucl-6000] rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
[*DeviceB-acl-ucl-6000] rule 45 permit ip source ip-address 192.168.8.251 0 destination user-group huawei
[*DeviceB-acl-ucl-6000] commit
[~DeviceB-acl-ucl-6000] quit
[~DeviceB] acl 6001
[*DeviceB-acl-ucl-6001] rule 10 permit tcp source user-group huawei destination-port eq www
[*DeviceB-acl-ucl-6001] rule 15 permit tcp source user-group huawei destination-port eq 8080
[*DeviceB-acl-ucl-6001] commit
[~DeviceB-acl-ucl-6001] quit
[~DeviceB] acl 6002
[*DeviceB-acl-ucl-6002] rule 5 permit ip source ip-address any destination user-group huawei
[*DeviceB-acl-ucl-6002] commit
[~DeviceB-acl-ucl-6002] quit
[*DeviceB-acl-ucl-6002] commit
[~DeviceB-acl-ucl-6002] quit
NOTE
For Layer 3 users that do not obtain IP addresses from Device B, run the layer3-subscriber start-ip-address [ end-ip-address ] [ vpn-instance instance-name ] domain-name domain-name command in the
system view to specify the IP address segment on which the Layer 3 users reside and the authentication
domain name.
[*DeviceB-GigabitEthernet1/0/2.1-bas] commit
[~DeviceB-GigabitEthernet1/0/2.1-bas] quit
[~DeviceB-GigabitEthernet1/0/2.1] quit
----End
Configuration Files
l Device A configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 11.11.11.1 255.255.255.0
ip relay address 192.168.1.1
dhcp select relay
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 1
ip address 192.168.1.2 255.255.255.0
#
return
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
acl number 6000
rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group huawei
rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
rule 25 permit ip source ip-address 192.168.8.252 0 destination user-group huawei
rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
rule 35 permit ip source ip-address 192.168.8.249 0 destination user-group huawei
rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
rule 45 permit ip source ip-address 192.168.8.251 0 destination user-group huawei
#
acl number 6001
rule 10 permit tcp source user-group huawei destination-port eq www
rule 15 permit tcp source user-group huawei destination-port eq 8080
#
acl number 6002
rule 5 deny ip source ip-address any destination user-group huawei
#
traffic classifier web_permit operator or
if-match acl 6000
traffic classifier web_deny operator or
if-match acl 6001
traffic classifier web_out operator or
if-match acl 6002
#
traffic behavior web_permit
traffic behavior web_deny
http-redirect
traffic behavior web_out
deny
#
traffic policy web
share-mode
classifier web_permit behavior web_permit
classifier web_deny behavior web_deny
traffic policy web_out
share-mode
classifier web_permit behavior web_permit
classifier web_out behavior web_out
#
ip pool huawei bas local
gateway 11.11.11.1 255.255.255.0
section 0 11.11.11.2 11.11.11.255
dns-server 192.168.8.252
#
aaa
authentication-scheme auth2
#
accounting-scheme acct2
#
domain default0
user-group huawei
web-server 192.168.8.251
web-server url http://192.168.8.251
ip-pool huawei
domain isp2
authentication-scheme auth2
accounting-scheme acct2
radius-server group rd2
portal-server 192.168.8.251
portal-server url http://192.168.8.251/portal/admin/
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/2.1
vlan-type dot1q 1
ip address 192.168.1.1 255.255.255.0
bas
#
access-type layer3-subscriber default-domain pre-authentication default0
authentication isp2
#
traffic-policy web inbound
traffic-policy web_out outbound
#
web-auth-server 192.168.8.251 key webvlan
#
return
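The pre-authentication traffic control configured above (UCLs 6000, 6001 and 6002 with the web and web_out policies) can be checked offline with the following model. This is an added example, not Huawei code: it assumes that classifiers are evaluated in the order they appear in the policy and that a classifier matches when any permit rule of its ACL matches; the subscriber address 11.11.11.5 and the sample destinations are constructed.

```python
"""Model of the Layer 3 IPoE pre-authentication traffic policy on Device B.
Modelling assumptions (not NE40E internals): classifiers are tried in policy
order, a classifier matches when any permit rule of its ACL matches, and an
empty behaviour (web_permit) is plain forwarding, written as "permit"."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                     # IPv4 address of the sender
    dst: str                     # IPv4 address of the receiver
    src_group: str = ""          # user-group of the sender, if it is a subscriber
    dst_group: str = ""          # user-group of the receiver, if it is a subscriber
    proto: str = "ip"            # "ip" (any protocol) or "tcp"
    dport: Optional[int] = None  # TCP destination port


@dataclass(frozen=True)
class Rule:
    proto: str                   # "ip" or "tcp", as in the UCL rule
    src: str                     # "any", "user-group NAME" or "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int] = None  # destination-port eq N (www = 80)


def _match_endpoint(spec: str, addr: str, group: str) -> bool:
    """Match an ACL source/destination spec against one packet endpoint."""
    if spec == "any":
        return True
    if spec.startswith("user-group "):
        return group == spec.split(" ", 1)[1]
    host, wildcard = spec.split()
    # Wildcard bits set to 1 are "don't care"; a bare "0" means exact host.
    wc = int(wildcard) if "." not in wildcard else int(IPv4Address(wildcard))
    mask = ~wc & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & mask) == (int(IPv4Address(host)) & mask)


def _match_rule(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (_match_endpoint(rule.src, pkt.src, pkt.src_group)
            and _match_endpoint(rule.dst, pkt.dst, pkt.dst_group))


# UCL rules as configured on Device B (rule numbers omitted, order preserved).
ACLS: Dict[int, List[Rule]] = {
    6000: [
        Rule("ip", "user-group huawei", "127.0.0.1 0"),
        Rule("ip", "127.0.0.1 0", "user-group huawei"),
        Rule("ip", "user-group huawei", "192.168.8.252 0"),   # DNS
        Rule("ip", "192.168.8.252 0", "user-group huawei"),
        Rule("ip", "user-group huawei", "192.168.8.249 0"),   # RADIUS
        Rule("ip", "192.168.8.249 0", "user-group huawei"),
        Rule("ip", "user-group huawei", "192.168.8.251 0"),   # web/portal
        Rule("ip", "192.168.8.251 0", "user-group huawei"),
    ],
    6001: [
        Rule("tcp", "user-group huawei", "any", 80),          # destination-port eq www
        Rule("tcp", "user-group huawei", "any", 8080),
    ],
    6002: [Rule("ip", "any", "user-group huawei")],
}

# Traffic policies as ordered (classifier ACL, behaviour) pairs.
POLICIES: Dict[str, List[Tuple[int, str]]] = {
    "web": [(6000, "permit"), (6001, "http-redirect")],        # applied inbound
    "web_out": [(6000, "permit"), (6002, "deny")],             # applied outbound
}


def apply_policy(policy: str, pkt: Packet) -> Optional[str]:
    """Behaviour the policy applies to pkt, or None when no classifier matches
    (the inbound policy has no catch-all, so the model does not guess)."""
    for acl, behaviour in POLICIES[policy]:
        if any(_match_rule(r, pkt) for r in ACLS[acl]):
            return behaviour
    return None


def walk_through() -> Dict[str, Optional[str]]:
    """Constructed packets for a pre-authentication user 11.11.11.5 in user-group huawei."""
    user = dict(src="11.11.11.5", src_group="huawei")
    return {
        "dns query": apply_policy("web", Packet(dst="192.168.8.252", **user)),
        # Web server traffic is permitted by 6000 before 6001 can redirect it.
        "http to portal": apply_policy("web", Packet(dst="192.168.8.251", proto="tcp", dport=80, **user)),
        "http elsewhere": apply_policy("web", Packet(dst="4.4.4.4", proto="tcp", dport=80, **user)),
        "https elsewhere": apply_policy("web", Packet(dst="8.8.8.8", proto="tcp", dport=443, **user)),
        "radius reply": apply_policy("web_out", Packet(src="192.168.8.249", dst="11.11.11.5", dst_group="huawei")),
        "internet reply": apply_policy("web_out", Packet(src="8.8.8.8", dst="11.11.11.5", dst_group="huawei")),
    }
```

The "https elsewhere" case shows why a catch-all deny classifier is worth adding to the inbound policy when the outbound policy is not relied on to stop the return traffic.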
Networking Requirements
As shown in Figure 9-4, the networking requirements for configuring Layer 3 IPoE access
are as follows:
l A user belongs to the domain isp2. The user connects to GE 0/1/2.1 on Device B through
Device A, a DHCP relay agent. The user then accesses the Internet in Layer 3 IPoE
access mode.
l The user adopts web authentication, Remote Authentication Dial In User Service
(RADIUS) authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number
is 1812, and the accounting port number is 1813. The standard RADIUS protocol is
used. The shared key is it-is-my-secret1.
l The IP address of the DNS server is 192.168.8.252.
l A single device provides the web server, web authentication server, and portal server
functions, with the portal server address 192.168.8.251.
l The IP address of the web server is 192.168.8.251.
l To improve the success rate for captive portal redirection, configure flow-based captive
portal redirection to allow users that access a specified web page at 4.4.4.4 to be
redirected to the portal redirection page.
Figure 9-4 Configuring Layer 3 IPoE access with captive portal redirection
NOTE
Interfaces 1 through 4 in this example are GE 0/1/1, GE 0/1/2, GE 0/1/1.1, GE 0/1/2.1, respectively.
Configuration Roadmap
The configuration roadmap is as follows (all functions, except DHCP relay, are configured on
Device B):
1. Configure DHCP relay on Device A.
2. Configure authentication and accounting schemes.
3. Configure a RADIUS server group.
4. Configure an IP address pool.
5. Configure a pre-authentication domain and a post-authentication domain for web
authentication.
6. Configure a web server.
7. Configure a portal server.
8. Configure a portal service policy.
9. Configure UCL rules and traffic management policies.
10. Configure a BAS interface and an uplink interface.
Data Preparation
To complete the configuration, you need the following data:
l Authentication scheme name and authentication mode
l Accounting scheme name and accounting mode
l Name of the RADIUS server group as well as IP addresses and port numbers of the
RADIUS authentication server and accounting server
l IP address pool name, gateway address, and DNS server address
l Domain names
l Portal service policy name
l Portal server address
l UCL rules
l Traffic management policies
l BAS interface parameters
Procedure
Step 1 Assign IP addresses to interfaces on Device A and Device B.
# Assign IP addresses to the interfaces on Device A.
<DeviceA> system-view
[~DeviceA] interface GigabitEthernet0/1/2
[*DeviceA-GigabitEthernet0/1/2] ip address 11.11.11.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/2] commit
[~DeviceA-GigabitEthernet0/1/2] quit
[*DeviceA] interface GigabitEthernet0/1/1.1
[*DeviceA-GigabitEthernet0/1/1.1] ip address 192.168.1.2 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1.1] vlan-type dot1q 1
[*DeviceA-GigabitEthernet0/1/1.1] commit
[~DeviceA-GigabitEthernet0/1/1.1] quit
Step 3 Configure a network-side IP address pool on Device B. The gateway address of the IP address
pool must be on the same network segment as the IP address of the inbound interface on
Device A, the DHCP relay agent.
<DeviceB> system-view
[~DeviceB] ip pool huawei bas local
[*DeviceB-ip-pool-huawei] gateway 11.11.11.1 24
[*DeviceB-ip-pool-huawei] section 0 11.11.11.2 11.11.11.255
[*DeviceB-ip-pool-huawei] dns-server 192.168.8.252
[*DeviceB-ip-pool-huawei] commit
[~DeviceB-ip-pool-huawei] quit
[*DeviceB-radius-rd2] commit
[~DeviceB-radius-rd2] quit
# Configure an authentication domain named isp2, and bind the portal service policy to the
authentication domain.
[~DeviceB] aaa
[*DeviceB-aaa] domain isp2
[*DeviceB-aaa-domain-isp2] authentication-scheme auth2
[*DeviceB-aaa-domain-isp2] accounting-scheme acct2
[*DeviceB-aaa-domain-isp2] radius-server group rd2
[*DeviceB-aaa-domain-isp2] portal-server 192.168.8.251
[*DeviceB-aaa-domain-isp2] portal-server url http://192.168.8.251/portal/admin/
[*DeviceB-aaa-domain-isp2] service-policy portal-policy
[*DeviceB-aaa-domain-isp2] commit
[~DeviceB-aaa-domain-isp2] quit
[~DeviceB-aaa] quit
NOTE
In this example, a UCL rule is configured to permit packets destined for 127.0.0.1 to be sent to the CPU
of Device B.
[*DeviceB-acl-ucl-6000] rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
[*DeviceB-acl-ucl-6000] rule 25 permit ip source ip-address 192.168.8.252 0 destination user-group huawei
[*DeviceB-acl-ucl-6000] rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
[*DeviceB-acl-ucl-6000] rule 35 permit ip source ip-address 192.168.8.249 0
# Configure UCL rules that allow authentication users to be redirected to the portal server at
192.168.8.251 when these users access a specified web page at 4.4.4.4.
[~DeviceB] acl 7000
[*DeviceB-acl-ucl-7000] rule 5 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq www
[*DeviceB-acl-ucl-7000] rule 10 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq 8080
[*DeviceB-acl-ucl-7000] rule 15 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq www
[*DeviceB-acl-ucl-7000] rule 20 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq 8080
[*DeviceB-acl-ucl-7000] commit
[~DeviceB-acl-ucl-7000] quit
----End
Configuration Files
l Device A configuration file
#
sysname DeviceA
#
interface GigabitEthernet0/1/2
undo shutdown
ip address 11.11.11.1 255.255.255.0
ip relay address 192.168.1.1
dhcp select relay
#
interface GigabitEthernet0/1/1.1
vlan-type dot1q 1
ip address 192.168.1.2 255.255.255.0
#
return
#
access-type layer3-subscriber default-domain pre-authentication default0
authentication isp2
#
ip route-static 11.11.11.0 255.255.255.0 192.168.1.2
#
traffic-policy l3-ipoe inbound
traffic-policy l3-ipoe outbound
#
web-auth-server 192.168.8.251
#
return
9.9.3 Example for Configuring the IPoE Access Service for VPN
Users by Using Web Authentication
This section provides an example for configuring IPoE access to a VPN by using web
authentication, including the networking requirements, configuration roadmap, configuration
procedure, and configuration files.
Networking Requirements
The networking is shown in Figure 9-5. The requirements are as follows:
l The user belongs to domain isp2 and accesses the Internet by using GE 0/1/2 on the
Router in IPoE mode.
l The user adopts Web authentication, RADIUS authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number
is 1812 and the accounting port number is 1813. The standard RADIUS protocol is used.
The shared key is it-is-my-secret1.
l The user is a VPN user and belongs to a VPN instance named vpn1.
l The IP address of the DNS server is 192.168.8.252.
l The IP address of the Web authentication server is 192.168.8.251 and the key is webvlan.
l The network-side interface is GE 0/1/1.
Figure 9-5 Networking diagram (not reproduced): subscriber@isp2, access network, Device (interface1, interface2, 192.168.8.1), Internet
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPN instance.
2. Configure authentication and accounting schemes.
3. Configure a RADIUS server group.
4. Configure an address pool.
5. Configure a pre-authentication domain and an authentication domain for Web
authentication.
6. Configure the Web authentication server.
7. Configure ACL rules and traffic policies.
8. Configure a BAS interface and an upstream interface.
Data Preparation
To complete the configuration, you need the following data:
l VPN instance name, RD, and VPN target
l Authentication template name and authentication mode
l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l IP address pool name, gateway address, and DNS server address
l Domain name
l Web authentication server address
l ACL rules
l Traffic policy
l BAS interface parameters
Procedure
Step 1 Configure a VPN instance.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpn1
[*HUAWEI-vpn-instance-vpn1] ipv4-family
[*HUAWEI-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[*HUAWEI-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both
[*HUAWEI-vpn-instance-vpn1-af-ipv4] commit
[~HUAWEI-vpn-instance-vpn1-af-ipv4] quit
[~HUAWEI-vpn-instance-vpn1] quit
NOTE
If the reallocate-ip-address command has been run for the web authentication domain isp2 to enable
secondary address allocation, the web authentication domain isp2 must be bound to an address pool. The
secondary address allocation function is optional. In normal circumstances, a private network address is
allocated in the pre-authentication domain before authentication, and a public network address is allocated in
the authentication domain after authentication. This addresses public network address shortage and increases
usage of public network addresses.
However, the secondary address allocation function requires the web server to comply with the Huawei
proprietary protocol for secondary address allocation, and the client must download the plug-in through the
web server.
NOTE
The upstream interface is connected to an MPLS network; its configuration is not described here. For
details, see the chapter BGP/MPLS IP VPN of the HUAWEI NE40E-M2 Series Universal Service
Router Configuration Guide - VPN.
[HUAWEI] interface GigabitEthernet 0/1/1
[HUAWEI-GigabitEthernet0/1/1] ip address 192.168.8.1 255.255.255.0
----End
Configuration Files
#
sysname HUAWEI
#
user-group web-before
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
acl number 6000
#
acl number 6001
rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
rule 10 permit ip source user-group web-before destination ip-address 192.168.8.252 0
#
acl number 6002
rule 30 permit ip source user-group web-before destination ip-address any
rule 35 permit ip source ip-address any destination user-group web-before
#
traffic classifier c2 operator and
if-match acl 6001
traffic classifier c1 operator and
if-match acl 6000
traffic classifier c3 operator and
if-match acl 6002
#
traffic behavior perm1
traffic behavior deny1
traffic behavior deny2
deny
#
traffic policy action1
classifier c2 behavior perm1
classifier c1 behavior deny1
classifier c3 behavior deny2
traffic-policy action1 inbound
traffic-policy action1 outbound
#
interface GigabitEthernet0/1/2
bas
Networking Requirements
The networking is shown in Figure 9-6. The requirements are as follows:
l The user belongs to domain isp3 and accesses the Internet by using GE 0/1/2.1 on the
Router in IPoEoVLAN mode. The LAN switch tags user packets with VLAN 1 and
VLAN 2.
l The user adopts binding authentication, RADIUS authentication, and RADIUS
accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number
is 1812 and the accounting port number is 1813. The standard RADIUS protocol is
adopted. The shared key is it-is-my-secret1.
l The IP address of the DNS server is 192.168.8.252.
l The network-side interface is GE 0/1/1.
Figure 9-6 Networking diagram (not reproduced): subscriber1@isp3 and subscriber2@isp3, Switch, Device (interface1, interface2, 192.168.8.1), Internet
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure AAA schemes.
NOTE
The configured address pool is used for the authentication domain. The pre-authentication domain is not
required because a user that adopts binding authentication can be authenticated automatically when the
user goes online.
NOTE
When a user obtains an IP address in binding authentication, the Router authenticates the user
automatically. Therefore, you do not need to configure the ACL to control the network access rights of
the user before authentication. Instead, you need to configure the ACL to control the network access
rights of the user after authentication.
NOTE
l The user name for binding authentication is automatically generated based on the location where the
user accesses the NE40E. Therefore, the user name on the RADIUS server must be configured
according to the name generation rule. The password is vlan.
l For details about the user name format used in binding authentication, see the description of the
vlanpvc-to-username command in the HUAWEI NE40E-M2 Series Universal Service Router
Command Reference.
----End
Configuration Files
#
sysname HUAWEI
#
radius-server group rd3
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
interface GigabitEthernet0/1/2.1
user-vlan 1 2
bas
access-type layer2-subscriber default-domain authentication isp3
authentication-method bind
#
interface GigabitEthernet0/1/1
ip address 192.168.8.1 255.255.255.0
#
ip pool pool3 bas local
gateway 10.82.2.1 255.255.255.0
section 0 10.82.2.2 10.82.2.200
dns-server 192.168.8.252
#
aaa
authentication-scheme auth3
accounting-scheme acct3
domain isp3
authentication-scheme auth3
accounting-scheme acct3
radius-server group rd3
ip-pool pool3
#
return
Networking Requirements
The networking is shown in Figure 9-7. The requirements are as follows:
l The user accesses the Internet by using GE 0/1/2.2 on the Router in IPoEoQ mode. LAN
switch 1 tags user packets with VLAN 1 and VLAN 2. LAN switch 2 tags user packets
with QinQ 100 (outer VLAN 100).
l The user belongs to domain isp1 and adopts bind authentication and RADIUS
accounting.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port number
is 1812 and the accounting port number is 1813. The standard RADIUS protocol is
adopted. The shared key is it-is-my-secret1.
l The IP address of the DNS server is 192.168.7.252.
Figure 9-7 Networking diagram (not reproduced): user1@isp1, VLAN1 and QinQ100, Device (interface1, interface2, 192.168.7.1), Internet
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure AAA schemes.
# Configure an authentication scheme.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit
----End
Configuration Files
#
sysname HUAWEI
#
radius-server group rd1
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server shared-key-cipher %^%#clY:%[]x='-RMNJus[s/VJ:3YBq3<..|.{'xgbp+%^%
#
interface GigabitEthernet0/1/2.2
user-vlan 1 2 qinq 100
bas
access-type layer2-subscriber default-domain authentication isp1
authentication-method bind
#
interface GigabitEthernet0/1/1
ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
gateway 10.82.0.1 255.255.255.0
section 0 10.82.0.2 10.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
#
return
Networking Requirements
The networking is shown in Figure 9-8. The requirements are as follows:
l The user accesses the Internet by using GE 2/0/0.1 on the Router as a static user and the
IP address of the user is 172.192.0.8.
l The user adopts local authentication.
l The system uses the IP address carried in the user packet as the user name.
Figure 9-8 Networking for configuring local authentication for static users
Networking diagram (not reproduced): Device (interface1, interface2, 192.168.8.1), Internet
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure an authentication scheme.
[*HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme local
[*HUAWEI-aaa-authen-local] authentication-mode local
[*HUAWEI-aaa-authen-local] commit
[~HUAWEI-aaa-authen-local] quit
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.8.1 255.255.255.0
#
interface GigabitEthernet2/0/0.1
user-vlan 2005 qinq 510
bas
access-type layer2-subscriber default-domain authentication isp1
ip-trigger
arp-trigger
authentication-method bind
#
ip pool pool1 bas local
gateway 172.192.0.1 255.255.255.0
section 0 172.192.0.2 172.192.0.200
excluded-ip-address 172.192.0.8
#
aaa
default-user-name include ip-address .
default-password cipher %^%#oNUw%i-|"WcBgt8=fSVID7F<=K_N+.(ip[H\:a{D%^%#
authentication-scheme local
authentication-mode local
domain isp1
authentication-scheme local
accounting-scheme default0
ip-pool pool1
#
local-aaa-server
user 172.192.0.8@isp1 password cipher $1a$7WxAIDb{r+$*F~n0B"*M>+CPC@j
authentication-type b
#
static-user 172.192.0.8 172.192.0.8 interface GigabitEthernet2/0/0.1 user-vlan 2005 qinq 510 detect
#
return
Networking Requirements
On the network shown in Figure 9-9, a user in domain a enters a user name and password for
web authentication when going online for the first time. The RADIUS server automatically
records the MAC address of the user terminal and associates the user name and password with
the MAC address. In subsequent network access, the user can automatically go online without
entering the user name and password. Once the user fails authentication, the user is redirected
to domain b. However, users in domain b can only access limited network addresses, such as
the web server address. If a user in domain b accesses an authorized address, the user is
forcibly redirected to a specified web server where the user must re-enter the user name and
password. After being authenticated, the user belongs to domain c and is able to access
network resources.
Figure 9-9 Networking diagram (not reproduced): PC, Device, access network, Internet, portal server, RADIUS server
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a MAC authentication domain named a, a pre-authentication domain named b,
and an authentication domain named c.
2. Configure AAA schemes.
3. Create a RADIUS server group named d, configure the hw-auth-type attribute in the
authentication request packets and convert the hw-auth-type attribute to the Huawei
proprietary No. 109 attribute in the RADIUS server group view.
4. Create an authentication template named e and configure the redirection domain for
authentication failures in the authentication template.
5. Enable MAC authentication in the MAC authentication domain a and bind the MAC
authentication domain a to the RADIUS server group d and authentication template e.
6. Bind non-authentication and non-accounting schemes to the pre-authentication domain
named b to allow users to have access only to limited resources and be redirected to a
specified web server.
7. Bind the RADIUS authentication and accounting schemes to the authentication domain
c.
8. Configure the device to use the MAC address carried in the access request packets as the
pure user name.
9. Configure a pre-authentication domain and an authentication domain on the BAS
interface.
Procedure
Step 1 Create a MAC authentication domain named a, a pre-authentication domain named b, and an
authentication domain named c.
# Create a RADIUS server group named d, configure the hw-auth-type attribute in the
authentication request packets and convert the hw-auth-type attribute to the Huawei
proprietary No. 109 attribute in the RADIUS server group view.
[*Device] radius-server group d
[*Device-radius-d] radius-server authentication 192.168.7.249 1812
[*Device-radius-d] radius-server accounting 192.168.7.249 1813
[*Device-radius-d] radius-server type standard
[*Device-radius-d] radius-server shared-key-cipher it-is-my-secret1
[*Device-radius-d] radius-attribute include hw-auth-type
[*Device-radius-d] radius-server attribute translate
[*Device-radius-d] radius-attribute translate extend hw-auth-type vendor-specific
2011 109 access-request account
[*Device-radius-d] commit
[~Device-radius-d] quit
Step 4 Enable MAC authentication in the MAC authentication domain a and bind the MAC
authentication domain a to the RADIUS server group d and authentication template e.
[*Device-aaa] domain a
[*Device-aaa-domain-a] radius-server group d
[*Device-aaa-domain-a] authentication-scheme e
[*Device-aaa-domain-a] accounting-scheme acct2
[*Device-aaa-domain-a] ip-pool pool2
[*Device-aaa-domain-a] mac-authentication enable
[*Device-aaa-domain-a] commit
[~Device-aaa-domain-a] quit
Step 5 Bind non-authentication and non-accounting schemes to the pre-authentication domain named
b to allow users to have access only to limited resources and be redirected to a specified web
server.
[*Device] user-group web-before
[*Device] aaa
[*Device-aaa] http-redirect enable
[*Device-aaa] domain b
[*Device-aaa-domain-b] authentication-scheme auth3
[*Device-aaa-domain-b] accounting-scheme acct3
[*Device-aaa-domain-b] ip-pool pool2
[*Device-aaa-domain-b] user-group web-before
[*Device-aaa-domain-b] web-server 192.168.8.251
[*Device-aaa-domain-b] web-server url http://192.168.8.251
ip-address 127.0.0.1 0
[*Device-acl-ucl-6005] rule 30 permit ip source ip-address 127.0.0.1 0
destination user-group web-before
[*Device-acl-ucl-6005] commit
[~Device-acl-ucl-6005] quit
[*Device] acl number 6006
[*Device-acl-ucl-6006] rule 5 permit ip destination user-group web-before
[*Device-acl-ucl-6006] commit
[~Device-acl-ucl-6006] quit
[*Device] acl number 6008
[*Device-acl-ucl-6008] rule 5 permit tcp source user-group web-before destination-port eq www
[*Device-acl-ucl-6008] rule 10 permit tcp source user-group web-before destination-port eq 8080
[*Device-acl-ucl-6008] commit
[~Device-acl-ucl-6008] quit
[*Device] acl number 6010
[*Device-acl-ucl-6010] commit
[~Device-acl-ucl-6010] quit
Step 6 Bind the RADIUS authentication and accounting schemes to the authentication domain c.
[*Device-aaa] domain c
[*Device-aaa-domain-c] authentication-scheme auth2
[*Device-aaa-domain-c] accounting-scheme acct2
[*Device-aaa-domain-c] radius-server group rd2
[*Device-aaa-domain-c] commit
[~Device-aaa-domain-c] quit
[~Device-aaa] quit
Step 7 Configure the device to use the MAC address carried in the access request packets as the pure
user name.
[*Device-aaa] default-user-name include mac-address -
[*Device-aaa] default-password cipher Root@123
[*Device-aaa] commit
[~Device-aaa] quit
----End
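Step 3 above has the device carry hw-auth-type as Huawei vendor-specific attribute 2011/109 in Access-Request and accounting packets. The following added example (not Huawei or RADIUS server code) packs and parses that attribute per RFC 2865 section 5.26, so an operator of the RADIUS server can verify what arrives; the MAC-derived user name and the 4-octet attribute value are constructed placeholders, since the page does not give the encoding of the HW-Auth-Type value.

```python
"""Pack and parse the RADIUS Vendor-Specific attribute (type 26) that carries
Huawei sub-attribute 109 (HW-Auth-Type) under vendor id 2011.  Sample values
are constructed placeholders, not values taken from the device."""
import struct
from typing import List, Optional, Tuple

VENDOR_SPECIFIC = 26       # RFC 2865 attribute type "Vendor-Specific"
USER_NAME = 1              # RFC 2865 attribute type "User-Name"
HUAWEI_VENDOR_ID = 2011    # vendor id used in the radius-attribute translate command
HW_AUTH_TYPE = 109         # Huawei proprietary attribute number from the page


def pack_attr(atype: int, data: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, header included), data."""
    if len(data) > 253:
        raise ValueError("attribute data longer than 253 octets")
    return struct.pack("!BB", atype, 2 + len(data)) + data


def pack_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: Vendor-Id (4 octets) followed by one vendor
    sub-attribute (Vendor-type, Vendor-length, value), RFC 2865 section 5.26."""
    if len(value) > 247:                      # 4 + 2 + value must fit in 253
        raise ValueError("vendor sub-attribute value too long for one VSA")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return pack_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attrs(attrs: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, data) pairs, rejecting
    lengths that do not fit the buffer instead of reading past them."""
    out, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        out.append((atype, attrs[pos + 2:pos + alen]))
        pos += alen
    return out


def parse_vsas(attrs: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (vendor_id, vendor_type, value) for every vendor sub-attribute
    found in Vendor-Specific attributes; other attribute types are skipped."""
    out = []
    for atype, data in parse_attrs(attrs):
        if atype != VENDOR_SPECIFIC:
            continue
        if len(data) < 6:
            raise ValueError("Vendor-Specific attribute too short")
        vendor_id = struct.unpack("!I", data[:4])[0]
        sub, spos = data[4:], 0
        while spos < len(sub):
            if len(sub) - spos < 2:
                raise ValueError("truncated vendor sub-attribute header")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError(f"bad vendor sub-attribute length {vlen}")
            out.append((vendor_id, vtype, sub[spos + 2:spos + vlen]))
            spos += vlen
    return out


def find_hw_auth_type(attrs: bytes) -> Optional[bytes]:
    """Value of Huawei sub-attribute 109 if the packet carries it, else None."""
    for vendor_id, vtype, value in parse_vsas(attrs):
        if vendor_id == HUAWEI_VENDOR_ID and vtype == HW_AUTH_TYPE:
            return value
    return None


# Constructed sample: a User-Name in the MAC-with-"-" form that step 7's
# default-user-name command suggests, plus the translated HW-Auth-Type.
SAMPLE_MAC_USER = b"00-1a-2b-3c-4d-5e"     # placeholder, not a real client
SAMPLE_AUTH_TYPE = b"\x00\x00\x00\x01"     # placeholder value


def build_sample_request_attrs() -> bytes:
    """Attribute list of a constructed Access-Request."""
    return (pack_attr(USER_NAME, SAMPLE_MAC_USER)
            + pack_vsa(HUAWEI_VENDOR_ID, HW_AUTH_TYPE, SAMPLE_AUTH_TYPE))
```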
Configuration Files
#
sysname Device
#
user-group web-before
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher %$%$8;fLT*OW4VX|#9Dr(Gl!}M%4%$%$
#
radius-server group d
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server shared-key-cipher %$%$8;fLT*OW4VX|#9Dr(Gl!}M%4%$%$
radius-server attribute translate
radius-attribute include HW-Auth-Type
radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account
#
acl number 6004
rule 3 permit ip source user-group web-before destination user-group wlan
rule 5 permit ip source user-group web-before destination ip-address any
#
acl number 6005
rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
domain a
authentication-scheme e
accounting-scheme e
radius-server group d
ip-pool pool2
mac-authentication enable
domain b
authentication-scheme auth3
accounting-scheme acct3
ip-pool pool2
user-group web-before
web-server 192.168.8.251
web-server url http://192.168.8.251
web-server url-parameter
domain c
authentication-scheme auth2
accounting-scheme acct2
radius-server group rd2
#
interface GigabitEthernet0/1/2
bas
#
access-type layer2-subscriber default-domain pre-authentication a
authentication c
authentication-method web
#
traffic-policy web inbound
traffic-policy web-out outbound
Networking Requirements
The networking is shown in Figure 9-10. The requirements are as follows:
l The user belongs to the domain isp6 and accesses the Internet by using GE 0/1/2 on the
NE40E in ND mode. Binding authentication is adopted.
l RADIUS authentication and RADIUS accounting are used.
l The IP address of the RADIUS server is 10.6.55.55. The authentication port number is
1645 and the accounting port number is 1646. The standard RADIUS protocol is
adopted. The shared key is it-is-my-secret1.
l The IP address of the DNS server is 3001:0410::1:2.
Figure 9-10 Networking for configuring the IPv6 access service in ND mode
Networking diagram (not reproduced): subscriber@isp6, access network, Device (interface1, interface2), Internet
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AAA schemes.
2. Configure a RADIUS server group.
3. Configure a delegation IPv6 prefix pool.
4. Configure a delegation IPv6 address pool and bind the address pool to the prefix pool.
5. Configure an AAA domain and bind the domain to the address pool.
6. Configure interfaces.
Data Preparation
To complete the configuration, you need the following data:
l Authentication template name and authentication method
l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l Local prefix pool name
l Prefix length and assignable IPv6 prefixes
l Local address pool name
l Domain name
Procedure
Step 1 Configure AAA schemes.
# Configure an authentication scheme.
[*HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth6
[*HUAWEI-aaa-authen-auth6] authentication-mode radius
[*HUAWEI-aaa-authen-auth6] commit
[~HUAWEI-aaa-authen-auth6] quit
# Check information about the prefix pool named pre1. You can see that the prefix pool is a
delegation prefix pool and the prefix address is 2010:2021::/64.
<HUAWEI> display ipv6 prefix pre1
-------------------------------------------------------------
Prefix Name : pre1
Prefix Index : 4
Prefix constant index: -
Prefix Type : Delegation
Prefix Address : 2010:2021::
Prefix Length : 64
Reserved Type : NONE
Valid Lifetime : 3 Days 0 Hours 0 Minutes
Preferred Lifetime: 2 Days 0 Hours 0 Minutes
IfLocked : Unlocked
Vpn instance : -
Conflict address : -
Free Prefix Count : 262144
Used Prefix Count : 0
Reserved Prefix Count: 0
-------------------------------------------------------------
# Check information about the address pool named pool1. You can see that the address pool is
a local address pool at the user side and the address pool is bound to the prefix pool named
pre1.
<HUAWEI> display ipv6 pool pool1
----------------------------------------------------------------------
Pool name : pool1
Pool No : 4
Pool-constant-index :-
Pool type : BAS DELEGATION
Preference : 0
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : 0 Days 0 Hours 0 Minutes
Used by domain : 1
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : 3001:0410::1:2
Dns server slave : -
AFTR name : -
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 DELEGATION
----------------------------------------------------------------------
# Check information about the domain named isp6. You can see that the domain is bound to
the IPv6 address pool named pool1.
<HUAWEI> display domain isp6
------------------------------------------------------------------------------
Domain-name : isp6
Domain-state : Active
Authentication-scheme-name : auth6
Accounting-scheme-name : acct6
Authorization-scheme-name : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-DNS-IPV6-address : -
Second-DNS-IPV6-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Time-range : Disable
Idle-cut direction : Both
Idle-data-attribute (time,flow) : 0, 60
User detect interval : 0s
User detect retransmit times : 0
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : DEFAULT
User-access-limit : 152576
Online-number : 0
Web-IP-address : -
Web-URL : -
Web-auth-server : -
Web-auth-state : -
Web-server-mode : get
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
Service-policy(Portal) : -
PPPoE-user-URL : Disable
AdminUser-priority : 16
IPUser-ReAuth-Time : 300s
mscg-name-portal-key : -
Portal-user-first-url-key : -
User-session-limit : 4294967295
Ancp auto qos adapt : Disable
L2TP-group-name : -
User-lease-time-no-response : 0s
RADIUS-server-template : -
Two-acct-template : -
RADIUS-server-pre-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Qos-profile-name inbound : -
Qos-profile-name outbound : -
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IP-warning-threshold(Low) : -
IPv6-warning-threshold : -
IPv6-warning-threshold(Low) : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IPv6-Pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
IPv6-PPP-NDRA-halt : Disable
IPv6-PPP-NDRA-unicast : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
Reallocate-ip-address : Disable
Cui enable : Disable
Igmp enable : Enable
L2tp-user radius-force : Disable
Accounting dual-stack : Separate
Radius server domain-annex : -
Dhcp-option64-service : disable
Parse-separator : -
Parse-segment-value : -
Dhcp-receive-server-packet : -
Http-hostcar : Disable
Public-address assign-first : Disable
Public-address nat : Enable
Dhcp-user auto-save : Disable
IP-pool usage-status threshold : 255 , 255
Select-Pool-Rule : gateway + local priority
AFTR name : -
DAA Direction : both
------------------------------------------------------------------------------
----End
Configuration Files
l Router Configuration Files.
#
sysname HUAWEI
#
ipv6
#
radius-server group rd6
radius-server authentication 10.6.55.55 1645 weight 0
radius-server accounting 10.6.55.55 1646 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
interface Virtual-Template6
ppp authentication-mode pap
#
ipv6 prefix pre1 delegation
prefix 2010:2021::/64
slaac-unshare-only
#
ipv6 pool pool1 bas delegation
prefix pre1
dns-server 3001:0410::1:2
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme auth6
authentication-mode radius
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme acct6
accounting-mode radius
#
domain isp6
authentication-scheme auth6
accounting-scheme acct6
radius-server group rd6
ipv6-pool pool1
prefix-assign-mode unshared
#
interface GigabitEthernet0/1/2
pppoe-server bind Virtual-Template 6
ipv6 enable
ipv6 address auto link-local
bas
access-type layer2-subscriber default-domain authentication isp6
authentication-method bind
#
interface GigabitEthernet0/1/1
ipv6 enable
ipv6 address 2001::1/64 eui-64
ipv6 address 3001::1/64
ipv6 address auto link-local
#
return
Networking Requirements
On the IPoEv6 network shown in Figure 9-11, the subscriber belongs to the domain isp2. The
requirements are as follows:
l The subscriber accesses the Internet through GE 0/1/2 on Device A in IPoEv6 mode.
l The subscriber uses web authentication, and the web authentication server address is
192.168.8.251.
Figure 9-11 [topology: subscriber@isp2 connects to Interface1 on DeviceA, which connects to the Internet]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
l IPv6 address pool name
l Domain name
l Web authentication server's IP address
l UCL rule numbers
l Traffic policy name
l BAS interface parameters
Procedure
Step 1 Configure a local IPv6 address pool.
# Configure Device A.
<DeviceA> system-view
[~DeviceA] ipv6 prefix prefix1
[*DeviceA-ipv6-prefix-prefix1] prefix 2000:2021::/64
[*DeviceA-ipv6-prefix-prefix1] commit
[~DeviceA-ipv6-prefix-prefix1] quit
[~DeviceA] ipv6 pool pool_local bas local
[~DeviceA-ipv6-pool-pool_local] prefix prefix1
[*DeviceA-ipv6-pool-pool_local] commit
[~DeviceA-ipv6-pool-pool_local] quit
[~DeviceA] dhcpv6 duid llt
[~DeviceA] commit
Step 2 Configure the domain isp2 as the authentication domain for web authentication.
[~DeviceA] aaa
[~DeviceA-aaa] domain isp2
[~DeviceA-aaa-domain-isp2] authentication-scheme none
[*DeviceA-aaa-domain-isp2] accounting-scheme none
[*DeviceA-aaa-domain-isp2] commit
[~DeviceA-aaa-domain-isp2] quit
[~DeviceA-aaa] quit
Step 3 Configure a web authentication server and Device A's interface directly connecting to the web
authentication server.
[~DeviceA] web-auth-server 192.168.8.251 port 50100 key cipher Huawei
[*DeviceA] commit
[~DeviceA] interface gigabitethernet 0/1/2
[*DeviceA-GigabitEthernet0/1/2] ip address 192.168.8.250 24
[*DeviceA-GigabitEthernet0/1/2] commit
----End
Configuration Files
l Device A configuration file
#
sysname DeviceA
#
user-group web-before
#
ipv6 prefix prefix1
prefix 2000:2021::/64
#
ipv6 pool pool_local bas local
prefix prefix1
#
acl ipv6 number 6200
rule 5 permit tcp source user-group any destination ipv6-address 2000::1/64
#
acl ipv6 number 6300
rule 5 permit tcp source user-group web-before destination-port eq www
#
traffic classifier web_permit
if-match ipv6 acl 6200
traffic classifier web_http-redirect
if-match ipv6 acl 6300
#
traffic behavior web_permit
permit
traffic behavior web_http-redirect
http-redirect
#
traffic policy web
share-mode
classifier web_permit behavior web_permit
classifier web_http-redirect behavior web_http-redirect
#
aaa
#
domain default0
user-group web-before
web-server url http://[2000::1]/portal/default.portal
web-server identical-url
ipv6-pool pool_local
authentication-scheme none
accounting-scheme none
domain isp2
authentication-scheme none
accounting-scheme none
#
interface GigabitEthernet0/1/2
undo shutdown
ip address 192.168.8.250 24
#
interface GigabitEthernet0/1/2.1
user-vlan 1
ipv6 enable
ipv6 address auto link-local
ipv6 nd autoconfig managed-address-flag
bas
#
access-type layer2-subscriber default-domain pre-authentication default0 authentication isp2
authentication-method-ipv6 web
#
traffic-policy web inbound
#
web-auth-server 192.168.8.251 port 50100 key cipher Huawei
#
return
Networking Requirements
The networking is shown in Figure 9-12. The requirements are as follows:
l The user belongs to the domain isp5 and accesses the Internet by using GE 0/1/2 on the
NE40E in Web authentication mode.
l RADIUS authentication and RADIUS accounting are used.
l The IP address of the RADIUS server is 10.6.55.55. The authentication port number is
1645 and the accounting port number is 1646. The standard RADIUS protocol is
adopted. The shared key is hello.
l The IP addresses of the two DNS servers are respectively 3001:0410::1:2 and 10.10.10.1.
l The IP address of the Web authentication server is 10.6.55.56 and the key is it-is-my-secret1.
Figure 9-12 Networking for configuring the dual-stack access service by using Web
authentication
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AAA schemes.
2. Configure a Web authentication server.
3. Configure a RADIUS server group.
4. Configure an ACL to allow the user to access only the Web server before Web
authentication is implemented.
Data Preparation
To complete the configuration, you need the following data:
l Authentication template name and authentication mode
l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l Local prefix pool name
l Prefix length and assignable IPv6 prefixes
l Local address pool name
l Domain name
Procedure
Step 1 Configure AAA schemes.
# Configure an authentication scheme.
[*Device] aaa
[*Device-aaa] authentication-scheme auth5
[*Device-aaa-authen-auth5] authentication-mode radius
[*Device-aaa-authen-auth5] commit
[~Device-aaa-authen-auth5] quit
Step 4 Configure an ACL to allow the user to access only the Web server before Web authentication
is implemented.
# Configure a user group.
[*Device] user-group huawei
DNS1 :10.10.10.1
Position : Local Status : Unlocked
Gateway : 10.10.10.2 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT(conflicted)
---------------------------------------------------------------------------
ID start end total used idle CFLCT disable reserved
---------------------------------------------------------------------------
0 10.10.10.3 10.10.10.100 98 0 98 0 0 0
---------------------------------------------------------------------------
# Check information about the prefix pool named pre1. You can see that the prefix pool is a
delegation prefix pool and the prefix is 2001:2421::/48, as set in the configuration file of this example.
# Check information about the address pool named pool1. You can see that the address pool is
a BAS delegation address pool (Pool type: BAS DELEGATION) and that it is bound to the prefix
pool named pre1.
<HUAWEI> display ipv6 pool pool1
----------------------------------------------------------------------
Pool name : pool1
Pool No : 2
Pool-constant-index :-
Pool type : BAS DELEGATION
Preference : 255
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : infinite
Used by domain : 0
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : -
Dns server slave : -
AFTR name : -
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 DELEGATION
----------------------------------------------------------------------
# Check information about the domain named isp5. You can see that the domain is bound to
the IPv6 address pool named pool1 and the IPv4 address pool named pool2.
<HUAWEI> display domain isp5
------------------------------------------------------------------------------
Domain-name : isp5
Domain-state : Active
Authentication-scheme-name : auth5
Accounting-scheme-name : acct5
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
RADIUS-server-template : rd5
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IPv6-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IP-address-pool-name : pool2
IPv6-Pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
------------------------------------------------------------------------------
----End
Configuration Files
l Router Configuration Files
#
sysname Device
#
ipv6
#
user-group huawei
#
radius-server group rd5
radius-server authentication 10.6.55.55 1645 weight 0
radius-server accounting 10.6.55.55 1646 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
acl number 6000 match-order auto
rule 5 permit ip source user-group huawei destination ip-address 10.6.55.0 0.0.0.255
rule 10 deny ip source user-group huawei destination ip-address any
#
traffic classifier class1 operator or
traffic classifier c1 operator or
if-match acl 6000
#
traffic behavior database
traffic behavior b1
#
traffic policy policy
share-mode
classifier c1 behavior b1
#
interface Virtual-Template1
ppp authentication-mode chap
#
ip pool pool2 bas local
gateway 10.10.10.2 255.255.255.0
section 0 10.10.10.3 10.10.10.100
dns-server 10.10.10.1
#
ipv6 prefix pre1 delegation
prefix 2001:2421::/48
slaac-unshare-only
#
ipv6 pool pool1 bas delegation
dns-server 3001:410::1:2
prefix pre1
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme default
authentication-scheme auth5
authentication-mode radius
#
authorization-scheme default
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme default
accounting-scheme acct5
accounting-mode radius
#
domain domain1
prefix-assign-mode unshared
ip-pool pool2
ipv6-pool pool1
user-group huawei
web-server 10.6.55.56 3001::3
web-server url isp1.com
domain isp5
authentication-scheme auth5
accounting-scheme acct5
radius-server group rd5
#
interface GigabitEthernet0/1/2
undo shutdown
ipv6 enable
ipv6 address auto link-local
bas
#
access-type layer2-subscriber default-domain pre-authentication domain1 authentication isp5
authentication-method web
authentication-method-ipv6 web
#
interface GigabitEthernet0/1/1
undo shutdown
ipv6 enable
ipv6 address 2001::/64 eui-64
ipv6 address auto link-local
#
traffic-policy policy inbound
traffic-policy policy outbound
#
web-auth-server 10.6.55.56 port 50100 key cipher %^%#oNUw%i-|"WcBgt8=fSVID7F<=K_N+.(ip[H\:a{D%^%#
#
return
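The pre-authentication ACLs in the two Web-authentication examples above (acl ipv6 6200/6300 with the permit and http-redirect behaviors in traffic policy web, and acl 6000 with its explicit deny in traffic policy policy) decide what an unauthenticated user can reach. The following added example, which is not part of the Huawei guide, parses those rule lines in the text form of the configuration files and evaluates sample flows against them. Only the keywords those ACLs use are supported; rule order, the user-group and wildcard-mask semantics, and the treatment of a deny hit are assumptions stated in the docstring.

```python
"""Added example (not from the Huawei guide): a checker for the pre-authentication
walled garden that the user-group ACLs of the two Web-authentication examples build
(acl ipv6 6200/6300 with behaviors permit and http-redirect; acl 6000 with an explicit
deny). It parses rule lines in the text form of the configuration files and reports
what a traffic policy does with a flow from a given user group. Assumptions: only the
keywords those ACLs use are supported; rules are tried in rule-number order (the same
order match-order auto yields here, the permit being more specific than the deny); and
a deny hit discards the flow whatever the behavior, as NE40E traffic policies do."""
import ipaddress

PORT_NAMES = {"www": 80, "https": 443, "dns": 53}

def wildcard_to_prefixlen(wildcard):
    """Huawei ACLs use wildcard masks: 0 bits must match, 1 bits are don't-care."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return prefixlen

def parse_rule(line):
    """e.g. 'rule 5 permit ip source user-group huawei destination ip-address 10.6.55.0 0.0.0.255'"""
    tok = line.split()
    if tok[0] != "rule":
        raise ValueError(line)
    rule = {"number": int(tok[1]), "action": tok[2], "proto": tok[3],
            "group": "any", "dst": None, "dport": None}
    i = 4
    while i < len(tok):
        key = tok[i:i + 2]
        if key == ["source", "user-group"]:
            rule["group"], i = tok[i + 2], i + 3
        elif key == ["destination", "ip-address"] and tok[i + 2] == "any":
            i += 3
        elif key == ["destination", "ip-address"]:
            net = f"{tok[i + 2]}/{wildcard_to_prefixlen(tok[i + 3])}"
            rule["dst"], i = ipaddress.ip_network(net, strict=False), i + 4
        elif key == ["destination", "ipv6-address"]:
            rule["dst"], i = ipaddress.ip_network(tok[i + 2], strict=False), i + 3
        elif key == ["destination-port", "eq"]:
            p = tok[i + 2]
            rule["dport"], i = (int(p) if p.isdigit() else PORT_NAMES[p]), i + 3
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in: {line}")
    return rule

def parse_acl(text):
    """Parse an 'acl [ipv6] number N' block as it appears in a configuration file."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip() not in ("", "#")]
    family = 6 if lines[0].split()[1] == "ipv6" else 4
    rules = sorted((parse_rule(l) for l in lines[1:]), key=lambda r: r["number"])
    return {"family": family, "rules": rules}

def acl_action(acl, flow):
    """First matching rule's action ('permit' or 'deny'), or None if nothing matches."""
    dst = ipaddress.ip_address(flow["dst"])
    if dst.version != acl["family"]:
        return None                      # an IPv4 ACL never sees IPv6 traffic, and vice versa
    for r in acl["rules"]:
        if r["proto"] not in ("ip", flow["proto"]):
            continue
        if r["group"] not in ("any", flow["group"]):
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if r["dport"] is not None and flow.get("dport") != r["dport"]:
            continue
        return r["action"]
    return None

def policy_action(policy, flow):
    """policy: ordered (acl, behavior) pairs, one per 'classifier X behavior Y' line.
    Returns the behavior name, 'discard' for a deny hit, or None when no classifier
    matches (the flow is then forwarded as if no policy were applied)."""
    for acl, behavior in policy:
        action = acl_action(acl, flow)
        if action == "permit":
            return behavior
        if action == "deny":
            return "discard"
    return None

# The ACLs from the two configuration files above, copied here as constructed input.
ACL_6200 = parse_acl("""acl ipv6 number 6200
rule 5 permit tcp source user-group any destination ipv6-address 2000::1/64""")
ACL_6300 = parse_acl("""acl ipv6 number 6300
rule 5 permit tcp source user-group web-before destination-port eq www""")
ACL_6000 = parse_acl("""acl number 6000 match-order auto
rule 5 permit ip source user-group huawei destination ip-address 10.6.55.0 0.0.0.255
rule 10 deny ip source user-group huawei destination ip-address any""")
POLICY_WEB = [(ACL_6200, "permit"), (ACL_6300, "http-redirect")]   # traffic policy web
POLICY_IPV4 = [(ACL_6000, "b1")]                                   # traffic policy policy
```

Running the two policies against flows from a not-yet-authenticated user shows the asymmetry between the examples: policy web classifies only TCP to 2000::/64 (permit) and TCP port 80 from web-before (http-redirect), so an HTTPS or DNS flow from the same user matches nothing and, as modeled here, is forwarded untouched; acl 6000 closes the garden with rule 10 deny, so anything from user-group huawei that is not destined for 10.6.55.0/24 is discarded. If a strict walled garden is the intent for the IPv6 example, a deny rule for web-before after the redirect rule is the missing piece.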
Networking Requirements
Router B uses OSPF to exchange traffic with Router A through interfaces on multiple boards
in load-balancing mode. Traffic from the same user may be sent from different boards. Router
B uses PBR to send traffic from the same user but different boards through the backplane to
the same authentication board for user authentication, as shown in Figure 9-13.
Requirements are as follows:
l Router A sends upstream traffic to different interfaces on Router B in load-balancing
mode.
l Router B adds all the inbound interfaces to an L2VPN and configures PBR. Then,
Router B routes all traffic from the same user to the specified next hop based on the
source IP address/VLAN ID/DSCP priority. The outbound interface of the next hop
directly connects to the BAS interface and resides on the same network segment as the
BAS interface.
l After user traffic arrives at the BAS interface and the user goes online, user forwarding
entries are delivered. Subsequent user traffic will then be authenticated and forwarded
based on these forwarding entries.
l Downstream traffic is forwarded through the BAS interface to the L2VPN domain based
on user forwarding entries.
l Router B then sends downstream traffic in the L2VPN domain to Router A along routes
(the traffic can be load-balanced). Then, Router A forwards the traffic to the user.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure PBR to redirect user traffic to the primary and backup next hops. If the
primary next hop fails, traffic automatically switches to the backup next hop to trigger
the user to go online.
2. Configure user access interfaces A1 and A2.
3. Configure C1 and C2 IP addresses as the redirection next hop IP addresses.
4. Configure C1 and C2 as the primary and backup BAS interfaces for B1 and B2.
5. Interfaces A1, A2, B1, and B2 belong to the same L2VPN. Interfaces B1, B2, C1, and
C2 belong to the same network segment. If the PBR redirection next hop is C1 or C2,
traffic can be forwarded through B1 or B2.
Data Preparation
To complete the configuration, you need the following data:
l VE group number
l Local L2VPN name
l OSPF configurations
l Layer 2 user authentication mode, accounting mode, and authentication domain name
l Interface IP addresses
Configuration Procedure
1. Configure a local L2VPN.
Configure a local L2VPN on Router B and add A1, A2, B1, and B2 to this L2VPN.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance access
[*HUAWEI-vpn-instance-access] ipv4-family
[*HUAWEI-vpn-instance-access] route-distinguisher 200:1
[*HUAWEI-vpn-instance-access] vpn-target 111:1 both
[*HUAWEI-vpn-instance-access] quit
2. Configure PBR.
Configure PBR to redirect user traffic to the primary and backup next hops based on the
source IP address. If the primary next hop fails, traffic automatically switches to the
backup next hop to trigger the user to go online.
[~HUAWEI] acl 3000
[~HUAWEI-acl4-advance-3000] rule permit source 192.168.1.1 255.255.255.255
[~HUAWEI-acl4-advance-3000] quit
[~HUAWEI] traffic classifier class1
[*HUAWEI-classifier-class1] if-match acl 3000
[*HUAWEI-classifier-class1] quit
[*HUAWEI] traffic behavior behavior1
[*HUAWEI-behavior-behavior1] redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn access non-revertive
[*HUAWEI-behavior-behavior1] quit
[*HUAWEI] traffic policy loadbalance
[*HUAWEI-trafficpolicy-loadbalance] share-mode
[*HUAWEI-trafficpolicy-loadbalance] classifier class1 behavior behavior1
[*HUAWEI-trafficpolicy-loadbalance] quit
# Configure a domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain ipv4
[*HUAWEI-aaa-domain-ipv4] commit
[~HUAWEI-aaa-domain-ipv4] authentication-scheme none
[*HUAWEI-aaa-domain-ipv4] accounting-scheme none
[*HUAWEI-aaa-domain-ipv4] commit
[~HUAWEI-aaa-domain-ipv4] ip-pool ipv4
[*HUAWEI-aaa-domain-ipv4] quit
[~HUAWEI-aaa] quit
Configuration Files
l Router B configuration file
#
sysname HUAWEI
#
ip vpn-instance access
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
acl 3000
rule permit source 192.168.1.1 255.255.255.255
#
traffic classifier classifier1
if-match acl 3000
#
traffic behavior behavior1
redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn access non-revertive
#
traffic policy loadbalance
share-mode
classifier classifier1 behavior behavior1
#
#
interface gigabitethernet1/0/3.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.111.1 255.255.255.0
traffic-policy loadbalance inbound
ospf enable 100 area 0.0.0.0
interface GigabitEthernet2/2/7.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.222.1 255.255.255.0
traffic-policy loadbalance inbound
ospf enable 100 area 0.0.0.0
#
#
interface Virtual-Ethernet1/0/0
ve-group 1 l2-terminate
interface Virtual-Ethernet1/0/0.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.112.1 255.255.255.0
interface Virtual-Ethernet2/0/0
ve-group 1 l2-terminate
interface Virtual-Ethernet2/0/0.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.223.1 255.255.255.0
#
aaa
authentication-scheme auth2
authentication-mode radius
#
accounting-scheme acct2
accounting-mode radius
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812
radius-server accounting 192.168.8.249 1813
radius-server type standard
radius-server shared-key-cipher it-is-my-secret1
#
ip pool pool2 bas local
gateway 10.82.1.1 255.255.255.0
section 0 10.82.1.2 10.82.1.200
dns-server 192.168.8.252
vpn-instance vpn1
#
aaa
domain ipv4
authentication-scheme none
accounting-scheme none
ip-pool ipv4
interface Virtual-Ethernet1/0/1
ve-group 1 l2-terminate
#
interface Virtual-Ethernet1/0/1.100
vlan-type dot1q 100
ip address 192.168.112.2 255.255.255.0
bas
#
access-type layer2-subscriber default-domain authentication fastweb
default-user-name-template fastweb
default-password-template fastweb
#
#
interface Virtual-Ethernet2/0/1
ve-group 1 l2-terminate
#
interface Virtual-Ethernet2/0/1.100
vlan-type dot1q 100
ip address 192.168.223.2 255.255.255.0
bas
#
access-type layer2-subscriber default-domain authentication fastweb
default-user-name-template fastweb
default-password-template fastweb
#
#
static-user 192.168.1.1 interface Virtual-Ethernet2/0/1.100 vlan 100 detect
#
ospf 100
area 0.0.0.0
#
return
Networking Requirements
Router B uses OSPF to exchange traffic with Router A through interfaces on multiple boards
in load-balancing mode. Traffic from the same user may be sent from different boards. Router
B uses PBR to send traffic from the same user but different boards through the backplane to
the same authentication board for Layer 3 user authentication, as shown in Figure 9-14.
NOTE
Only Layer 3 static user access is supported in scenarios with BRAS access through L3VPN
termination.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure PBR to redirect user traffic to the primary and backup next hops. If the
primary next hop fails, traffic automatically switches to the backup next hop to trigger
the user to go online.
2. Configure user access interfaces A1 and A2.
3. Configure C1 and C2 IP addresses as the redirection next hop IP addresses.
4. Configure C1 and C2 as the primary and backup BAS interfaces for B1 and B2.
5. Interfaces A1, A2, B1, and B2 belong to the same L3VPN. Interfaces B1, B2, C1, and
C2 belong to the same network segment. If the PBR redirection next hop is C1 or C2,
traffic can be forwarded through B1 or B2.
Data Preparation
To complete the configuration, you need the following data:
l VE group number
l Local L3VPN name
l OSPF configurations
l Layer 3 user authentication mode, accounting mode, and authentication domain name
l Interface IP addresses
Configuration Procedure
1. Configure a local L3VPN.
Configure a local L3VPN on Router B and add A1, A2, B1, and B2 to this L3VPN.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance access
[*HUAWEI-vpn-instance-access] ipv4-family
[*HUAWEI-vpn-instance-access] route-distinguisher 200:1
[*HUAWEI-vpn-instance-access] vpn-target 111:1 both
[*HUAWEI-vpn-instance-access] quit
2. Configure PBR.
Configure PBR to redirect user traffic to the primary and backup next hops based on the
source IP address. If the primary next hop fails, traffic automatically switches to the
backup next hop to trigger the user to go online.
[~HUAWEI] acl 3000
[*HUAWEI-acl-adv-3000] rule permit source 192.168.1.1 255.255.255.255
[*HUAWEI-acl-adv-3000] quit
[~HUAWEI] traffic classifier class1
[*HUAWEI-classifier-class1] if-match acl 3000
[*HUAWEI-classifier-class1] quit
[~HUAWEI] traffic behavior behavior1
[*HUAWEI-behavior-behavior1] redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn access non-revertive
[*HUAWEI-behavior-behavior1] quit
[~HUAWEI] traffic policy loadbalance
[*HUAWEI-trafficpolicy-loadbalance] share-mode
[*HUAWEI-trafficpolicy-loadbalance] classifier class1 behavior behavior1
[*HUAWEI-trafficpolicy-loadbalance] quit
# Configure a domain.
[~HUAWEI-BRAS] aaa
[~HUAWEI-BRAS-aaa] domain ipv4
[*HUAWEI-BRAS-aaa-domain-ipv4] commit
[~HUAWEI-BRAS-aaa-domain-ipv4] authentication-scheme none
[*HUAWEI-BRAS-aaa-domain-ipv4] accounting-scheme none
[*HUAWEI-BRAS-aaa-domain-ipv4] commit
[~HUAWEI-BRAS-aaa-domain-ipv4] ip-pool ipv4
[*HUAWEI-BRAS-aaa-domain-ipv4] quit
[~HUAWEI-BRAS-aaa] quit
Configuration Files
l Router B configuration file
#
sysname HUAWEI
#
ip vpn-instance access
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
acl 3000
rule permit source 192.168.1.1 255.255.255.255
#
traffic classifier classifier1
if-match acl 3000
#
traffic behavior behavior1
redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn access non-revertive
#
traffic policy loadbalance
share-mode
classifier classifier1 behavior behavior1
#
#
interface gigabitethernet1/0/3.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.111.1 255.255.255.0
traffic-policy loadbalance inbound
ospf enable 100 area 0.0.0.0
interface GigabitEthernet2/2/7.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.222.1 255.255.255.0
traffic-policy loadbalance inbound
ospf enable 100 area 0.0.0.0
#
#
interface Virtual-Ethernet1/0/0
ve-group 1 l3-terminate
interface Virtual-Ethernet1/0/0.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.112.1 255.255.255.0
interface Virtual-Ethernet2/0/0
ve-group 1 l3-terminate
interface Virtual-Ethernet2/0/0.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.223.1 255.255.255.0
#
aaa
authentication-scheme auth2
authentication-mode radius
#
accounting-scheme acct2
accounting-mode radius
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812
radius-server accounting 192.168.8.249 1813
radius-server type standard
radius-server shared-key-cipher it-is-my-secret1
#
ip pool pool2 bas local
gateway 10.82.1.1 255.255.255.0
section 0 10.82.1.2 10.82.1.200
dns-server 192.168.8.252
vpn-instance vpn1
#
aaa
domain ipv4
authentication-scheme none
accounting-scheme none
ip-pool ipv4
interface Virtual-Ethernet1/0/1
ve-group 1 l3-access
#
interface Virtual-Ethernet1/0/1.100
vlan-type dot1q 100
ip address 192.168.112.2 255.255.255.0
bas
#
access-type layer3-subscriber default-domain pre-authentication fastweb
default-user-name-template fastweb
default-password-template fastweb
#
#
interface Virtual-Ethernet2/0/1
ve-group 1 l3-access
#
interface Virtual-Ethernet2/0/1.100
vlan-type dot1q 100
ip address 192.168.223.2 255.255.255.0
bas
#
access-type layer3-subscriber default-domain pre-authentication fastweb
default-user-name-template fastweb
default-password-template fastweb
#
#
layer3-subscriber 192.168.1.1 domain-name fastweb
#
ospf 100
area 0.0.0.0
#
return
Networking Requirements
On the network shown in Figure 9-15, to allow WLAN users to access the network, configure
RADIUS proxy authentication to allow EAP authentication on the AC and RADIUS
accounting on the Router. The user access process is as follows:
1. A WLAN user sends an EAP packet to the AC. Upon receipt, the AC terminates the EAP
packet, converts it to a RADIUS packet, and sends the RADIUS packet to the Router.
2. The Router functions as a RADIUS proxy to listen to and forward authentication packets
sent by the AC to the RADIUS server and authentication response packets replied by the
RADIUS to the AC. During this process, the Router saves the authorization information
delivered by the RADIUS server to the WLAN user.
3. After being authenticated, the WLAN user sends DHCP packets to the Router to obtain
an IP address. The Router first searches for the authorization information of the WLAN
user based on the MAC address. If the matching authorization information exists, the
Router assigns an available IP address to the WLAN user and uses the saved
authorization information to authorize the user. In the meantime, the Router sends an
Accounting Start packet to the RADIUS server to perform accounting for the WLAN
user.
4. The Router responds to the accounting packets sent by the AC, without sending them to
the RADIUS server.
Figure 9-15 [topology: two APs connect through an L2 Switch to the AC; the AC connects to the Router, which reaches the RADIUS server and the Internet]
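The four-step exchange described above is easier to reason about with both sides' messages in hand. The following added example, which is not part of the Huawei guide and does not reflect NE40E internals, models the Router's role in Python using the RFC 2865/2866 packet format: it re-signs the AC's Access-Request for the server hop, checks the server's Response Authenticator before trusting the authorization attributes, caches those attributes by Calling-Station-Id (the WLAN user's MAC), sends its own Accounting Start when DHCP arrives, and answers the AC's accounting locally. The stub server, attribute set, two shared secrets and all addresses are assumptions constructed for the example.

```python
"""Added example (not from the Huawei guide): a model of the four-step RADIUS-proxy flow
described above, using the RFC 2865/2866 packet format and only the standard library.
The AC-facing side, the stub server, the per-MAC authorization cache and the locally
answered accounting are illustrative assumptions, not NE40E internals."""
import hashlib
import hmac
import itertools
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, FRAMED_IP, FILTER_ID, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 11, 31, 40

def encode_attrs(attrs):
    out = b""
    for t, v in attrs:                           # Type, Length, Value triples
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack_from("!BB", data, i)
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def build(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse(pkt):
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def sign(code, ident, prior, attrs, secret):
    """Authenticator = MD5(Code+ID+Length+prior+Attributes+Secret). 'prior' is the Request
    Authenticator for a response (RFC 2865) or 16 zero octets for an Accounting-Request (RFC 2866)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + prior + body + secret).digest() + body

def verify(pkt, prior, secret):
    expected = hashlib.md5(pkt[:4] + prior + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def radius_server(req, secret, users):
    """Stub RADIUS server; users maps User-Name to the Filter-Id it authorizes."""
    code, ident, req_auth, attrs = parse(req)
    if code == ACCT_REQUEST and verify(req, bytes(16), secret):
        return sign(ACCT_RESPONSE, ident, req_auth, [], secret)
    name = dict(attrs).get(USER_NAME)
    if code == ACCESS_REQUEST and name in users:
        return sign(ACCESS_ACCEPT, ident, req_auth, [(FILTER_ID, users[name])], secret)
    return sign(ACCESS_REJECT, ident, req_auth, [], secret)

class RadiusProxy:
    """The Router: relays authentication, caches authorization by MAC, starts accounting on DHCP."""
    def __init__(self, ac_secret, server_secret, server):
        self.ac_secret, self.server_secret, self.server = ac_secret, server_secret, server
        self.authz = {}                          # MAC -> attributes saved from the Access-Accept
        self.ids = itertools.cycle(range(256))

    def proxy_access_request(self, pkt_from_ac):
        """Step 2: forward the AC's Access-Request upstream and relay the answer back."""
        code, ident, ac_auth, attrs = parse(pkt_from_ac)
        if code != ACCESS_REQUEST:
            raise ValueError("expected Access-Request from the AC")
        up_auth = os.urandom(16)                 # fresh Request Authenticator for the server hop
        reply = self.server(build(ACCESS_REQUEST, next(self.ids), up_auth, attrs), self.server_secret)
        if not verify(reply, up_auth, self.server_secret):
            raise ValueError("Response Authenticator mismatch: wrong shared key or forged reply")
        rcode, _, _, rattrs = parse(reply)
        if rcode == ACCESS_ACCEPT:
            self.authz[dict(attrs)[CALLING_STATION_ID].decode()] = rattrs
        return sign(rcode, ident, ac_auth, rattrs, self.ac_secret)   # re-signed for the AC

    def dhcp_online(self, mac, pool):
        """Step 3: DHCP from a MAC with cached authorization: assign an address, send Accounting Start."""
        if mac not in self.authz:
            return None
        ip = pool.pop(0)
        attrs = [(ACCT_STATUS_TYPE, struct.pack("!I", 1)), (CALLING_STATION_ID, mac.encode()),
                 (FRAMED_IP, bytes(int(o) for o in ip.split(".")))]
        req = sign(ACCT_REQUEST, next(self.ids), bytes(16), attrs, self.server_secret)
        reply = self.server(req, self.server_secret)
        if parse(reply)[0] != ACCT_RESPONSE or not verify(reply, req[4:20], self.server_secret):
            raise ValueError("Accounting Start not acknowledged")
        return ip, self.authz[mac]

    def answer_ac_accounting(self, pkt_from_ac):
        """Step 4: accounting from the AC is acknowledged locally and never forwarded."""
        code, ident, auth, _ = parse(pkt_from_ac)
        if code != ACCT_REQUEST or not verify(pkt_from_ac, bytes(16), self.ac_secret):
            raise ValueError("unauthenticated accounting request from the AC")
        return sign(ACCT_RESPONSE, ident, auth, [], self.ac_secret)
```

To drive it, construct a RadiusProxy with the AC-side and server-side secrets and a server callable, feed it an Access-Request built with build(), then call dhcp_online() for the same MAC. Two checks are worth noting: a reply signed under a different shared key is rejected before any authorization is cached (the Response Authenticator is the only integrity the base protocol gives the Router, which is why the shared-key-cipher lines in the configuration files matter), and an Accounting-Request from the AC whose authenticator does not verify under the AC-side key is refused rather than silently acknowledged. MD5-based authenticators are a weak mechanism by current standards, so the Router-to-server path still belongs on a protected network.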
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server group, an authentication scheme, an accounting scheme,
and an address pool.
2. Bind the RADIUS server group, authentication scheme, accounting scheme, and address
pool to the domain.
3. Configure RADIUS proxy.
4. Configure BAS access.
5. Configure an IP address to be accessed by the AC.
NOTE
Five ports are available to listen to RADIUS packets by default: ports 1812, 1813, 1645, 1646, and
3799. To allow another port to listen to RADIUS packets, run the radius-server extended-source-ports
port-number port-number command in the system view to specify a listening port.
Data Preparation
l IP address of the RADIUS authentication server
l IP address of the RADIUS accounting server
Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, an accounting scheme, and an
address pool.
# Configure a RADIUS server group named shiva.
<HUAWEI> system-view
[~HUAWEI] radius-server group shiva
[*HUAWEI-radius-shiva] radius-server authentication 10.1.123.151 1812
[*HUAWEI-radius-shiva] radius-server accounting 10.1.123.151 1813
[*HUAWEI-radius-shiva] commit
[~HUAWEI-radius-shiva] quit
# Configure an authentication scheme named rdp, with RADIUS proxy as the authentication
mode.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme rdp
[*HUAWEI-aaa-authen-rdp] authentication-mode radius-proxy
[*HUAWEI-aaa-authen-rdp] commit
[~HUAWEI-aaa-authen-rdp] quit
# Configure an accounting scheme named rds, with RADIUS as the accounting mode.
[~HUAWEI-aaa] accounting-scheme rds
[*HUAWEI-aaa-accounting-rds] accounting-mode radius
[*HUAWEI-aaa-accounting-rds] commit
[~HUAWEI-aaa-accounting-rds] quit
Step 2 Configure a domain named radiusproxy and bind the authentication scheme rdp, accounting
scheme rds, and RADIUS server group shiva to the domain.
[~HUAWEI-aaa] domain radiusproxy
[*HUAWEI-aaa-domain-radiusproxy] authentication-scheme rdp
[*HUAWEI-aaa-domain-radiusproxy] accounting-scheme rds
[*HUAWEI-aaa-domain-radiusproxy] radius-server group shiva
[*HUAWEI-aaa-domain-radiusproxy] ip-pool pool1
[*HUAWEI-aaa-domain-radiusproxy] commit
[~HUAWEI-aaa-domain-radiusproxy] quit
[~HUAWEI-aaa] quit
NOTE
The IP address specified following radius-client is the IP address of the AC interface that sends
RADIUS packets. In this example, the RADIUS server group bound to the domain is the same as that
used for RADIUS proxy. In actual applications, the two RADIUS server groups can be different.
NOTE
This IP address is configured for communication with the AC. The RADIUS authentication packets
initiated on the AC are sent to this IP address. If the Router has another IP address to communicate with
the AC, this configuration is not needed.
NOTE
RADIUS proxy applies only to IPoE users and not PPPoE users.
Run the display domain command on the Router to check domain configurations.
<HUAWEI> display domain radiusproxy
------------------------------------------------------------------------------
Domain-name : radiusproxy
Domain-state : Active
Authentication-scheme-name : rdp
Accounting-scheme-name : rds
Authorization-scheme-name : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-DNS-IPV6-address : -
Second-DNS-IPV6-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Time-range : Disable
Idle-cut direction : Both
Idle-data-attribute (time,flow) : 0, 60
User detect interval : 0s
User detect retransmit times : 0
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : default
User-access-limit : 283648
Online-number : 0
Web-IP-address : -
Web-URL : -
Web-auth-server : -
Web-auth-state : -
Web-server-mode : get
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
Service-policy(Portal) : -
PPPoE-user-URL : Disable
AdminUser-priority : 16
IPUser-ReAuth-Time : 300s
mscg-name-portal-key : -
Portal-user-first-url-key : -
User-session-limit : 4294967295
Ancp auto qos adapt : Disable
L2TP-group-name : -
User-lease-time-no-response : 0s
RADIUS-server-template : shiva
Two-acct-template : -
RADIUS-server-pre-template : -
-
-
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disable
Qos-profile-name inbound : -
Qos-profile-name outbound : -
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IP-warning-threshold(Low) : -
IPv6-warning-threshold : -
IPv6-warning-threshold(Low) : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IP-address-pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
IPv6-PPP-NDRA-halt : Disable
IPv6-PPP-NDRA-unicast : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : Enable
Reallocate-ip-address : Disable
Cui enable : Disable
Igmp enable : Enable
L2tp-user radius-force : Disable
Accounting dual-stack : Separate
Radius server domain-annex : -
Dhcp-option64-service : Disable
Parse-separator : -
Parse-segment-value : -
Dhcp-receive-server-packet : -
Http-hostcar : Disable
Public-address assign-first : Disable
Public-address nat : Enable
Dhcp-user auto-save : Disable
IP-pool usage-status threshold : 255 , 255
Select-Pool-Rule : gateway + local priority
AFTR name : -
Traffic-rate-mode : Separate
Traffic-statistic-mode : Separate
Rate-limit-mode-inbound : Car
Rate-limit-mode-outbound : Car
Service-change-mode : Stop-start
DAA Direction : both
------------------------------------------------------------------------------
Run the display radius-client configuration command on the Router to check RADIUS
proxy configurations.
[HUAWEI] display radius-client configuration
-----------------------------------------------------------------------------
IP-Address    VPN-instance  Shared-key  Group  Domain-authorization  Roam-domain
-----------------------------------------------------------------------------
10.1.0.201    --            ******      shiva  NO                    --
-----------------------------------------------------------------------------
1 Radius client(s) in total
Run the display radius-client statistics command to check statistics about RADIUS packets
exchanged between a RADIUS client and proxy.
<HUAWEI> display radius-client statistics client-ip 10.1.123.151
Authentication packets:
Access Requests : 0 Access Accepts : 0
Access Challenges : 0 Access Rejects : 0
Bad Authenticators : 0 Packets Dropped : 0
Accounting packets:
Account Requests : 0 Account Responses : 0
Bad Authenticators : 0 Packets Dropped : 0
DM packets:
Author Requests : 0 Author Acks : 0
Author Naks : 0
Abnormal Attribute Length packets:
Access Requests : 0 Account Requests : 0
Author Acks : 0 Author Naks : 0
Corrected Access Requests : 0
----End
Configuration Files
#
sysname HUAWEI
#
radius-server group shiva
radius-server authentication 10.1.123.151 1812 weight 0
radius-server accounting 10.1.123.151 1813 weight 0
#
aaa
authentication-scheme rdp
authentication-mode radius-proxy
#
accounting-scheme rds
accounting-mode radius
#
domain radiusproxy
authentication-scheme rdp
accounting-scheme rds
radius-server group shiva
ip-pool pool1
#
interface GigabitEthernet 5/0/3
undo shutdown
ip address 10.1.0.197 255.0.0.0
#
interface GigabitEthernet 5/0/4
undo shutdown
bas
#
access-type layer2-subscriber default-domain authentication radiusproxy
authentication-method bind
#
#
ip pool pool1 bas local
gateway 172.30.0.1 255.255.255.0
section 0 172.30.0.2 188.0.0.254
#
return
Networking Requirements
The networking is shown in Figure 9-16. The requirements are as follows:
l The Ethernet Layer 2 leased line users access the Internet by using GE 1/0/2.1 on the
Router.
l The user name is layer2lease1@isp1 and the password is Root@123 for the leased line.
l The VLAN ID for leased line users ranges from 1 to 100.
l The leased line users obtain IP addresses from the Router by using DHCP.
l RADIUS authentication and RADIUS accounting are used. The IP address of the
RADIUS server is 192.168.7.249. The authentication port number is 1645 and the
accounting port number is 1646. The RADIUS+1.1 protocol is adopted. The shared key
is itellin.
l The IP address of the DNS server is 192.168.7.252.
l The network-side interface is GE 1/0/1.
Figure 9-16 Networking for configuring the Ethernet Layer 2 leased line access service
(Figure 9-16: leased-line users in VLAN2 connect to GE1/0/2.1 on the Router; GE1/0/1 (192.168.7.1) connects to the Internet.)
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure an authentication scheme.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit
If the access interface is an Ethernet sub-interface, you must configure a VLAN. If the access
interface is an Ethernet main interface, no VLAN is required.
You can configure multiple VLANs for an interface used for Layer 2 leased line access.
[~HUAWEI] license
[~HUAWEI-license] active bas slot 1
[*HUAWEI-license] commit
[~HUAWEI-license] quit
[~HUAWEI] interface GigabitEthernet 1/0/2.1
[*HUAWEI-GigabitEthernet1/0/2.1] user-vlan 1 100
[*HUAWEI-GigabitEthernet1/0/2.1-vlan-1-100] quit
[*HUAWEI-GigabitEthernet1/0/2.1] bas
[*HUAWEI-GigabitEthernet1/0/2.1-bas] access-type layer2-leased-line user-name layer2lease1 password simple Root@123 default-domain authentication isp1
[*HUAWEI-GigabitEthernet1/0/2.1-bas] commit
[~HUAWEI-GigabitEthernet1/0/2.1-bas] quit
[~HUAWEI-GigabitEthernet1/0/2.1] quit
----End
Configuration Files
#
sysname HUAWEI
#
license
active bas slot 1
#
radius-server group rd1
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server shared-key itellin
radius-server type plus11
radius-server traffic-unit kbyte
#
interface GigabitEthernet1/0/2.1
user-vlan 1 100
bas
access-type layer2-leased-line user-name layer2lease1 password simple Root@123 default-domain authentication isp1
#
interface GigabitEthernet1/0/1
ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
gateway 10.82.0.1 255.255.255.0
section 0 10.82.0.2 10.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
#
return
Networking Requirements
The networking is shown in Figure 9-17. The requirements are as follows:
l The user accesses the Internet by using GE 1/0/6.1 on the Router in the Ethernet Layer 3
leased line mode.
l The user name is layer3lease1@isp1 for the leased line.
l The network segment for the Layer 3 leased line user is 11.11.11.0/24.
l RADIUS authentication and RADIUS accounting are used. The IP address of the
RADIUS server is 192.168.8.249. The authentication port number is 1812 and the
accounting port number is 1813. The RADIUS+1.1 protocol is adopted. The shared key
is itellin.
l The network-side interface is GE 1/0/1.
Figure 9-17 Networking for configuring the Ethernet Layer 3 leased line access service
(Figure 9-17: PC (11.11.11.0/24) -- LSW (192.168.1.2) -- Device (192.168.1.1) -- Internet; RADIUS server 192.168.8.249.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure authentication and accounting schemes.
2. Configure a RADIUS server group.
3. Configure an authentication domain.
4. Configure a VLAN and an IP address for a sub-interface.
5. Configure a BAS interface and an upstream interface.
6. Configure a static route.
Data Preparation
To complete the configuration, you need the following data:
l Authentication template name and authentication mode
l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l Gateway and DNS server addresses
l Domain name
l VLAN ID and IP address of the sub-interface
Procedure
Step 1 Configure an authentication scheme.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit
# Configure a VLAN.
l If the access interface is an Ethernet sub-interface, you must configure a VLAN. If the
access interface is an Ethernet main interface, no VLAN is required.
l You can configure only one VLAN for interfaces used for Layer 3 leased line access.
----End
Configuration Files
#
sysname HUAWEI
#
license
active bas slot 1
#
radius-server group rd1
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key itellin
radius-server type plus11
#
interface GigabitEthernet1/0/6
mode user-termination
#
interface GigabitEthernet1/0/6.1
control-vid 1 dot1q-termination
dot1q termination vid 3
ip address 192.168.1.1 255.255.255.0
bas
access-type layer3-leased-line user-name layer3lease1 password simple Root@123 default-domain authentication isp1
#
interface GigabitEthernet1/0/1
ip address 192.168.7.1 255.255.255.0
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
#
ip route-static 11.11.11.0 255.255.255.0 192.168.1.2
#
return
Networking Requirements
In web authentication mode, users must enter user names and passwords on a portal page
before accessing the Internet.
Figure 9-18 Networking for configuring Layer 2 IPoE access (web authentication)
(Figure 9-18: PC -- Access Network -- Router -- Internet, with the Portal server and the RADIUS server on the Router side.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a pre-authentication domain named pre-web and an authentication domain named
after-auth.
2. Configure AAA schemes.
3. Create a RADIUS server group.
4. Configure forcible redirection to a specified web server in the pre-authentication domain
pre-web, and bind a user group that can access only limited resources, authentication
scheme (non-authentication), and accounting scheme (non-accounting) to the domain.
5. Bind an authentication scheme (RADIUS authentication) and accounting scheme
(RADIUS accounting) to the authentication domain after-auth.
6. Configure a pre-authentication domain and authentication domain on a BAS interface.
Procedure
Step 1 Create a pre-authentication domain and an authentication domain.
# Create a pre-authentication domain named pre-web and an authentication domain named
after-auth.
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] domain pre-web
[*HUAWEI-aaa-domain-pre-web] commit
[~HUAWEI-aaa-domain-pre-web] quit
[*HUAWEI-aaa] domain after-auth
[*HUAWEI-aaa-domain-after-auth] commit
[~HUAWEI-aaa-domain-after-auth] quit
[~HUAWEI-aaa] quit
Step 4 Configure forcible redirection to a specified web server in the pre-authentication domain pre-
web, and bind a user group that can access only limited resources, authentication scheme
(non-authentication), and accounting scheme (non-accounting) to the domain.
[~HUAWEI] user-group web-before
[*HUAWEI] aaa
[*HUAWEI-aaa] http-redirect enable
[*HUAWEI-aaa] domain pre-web
[*HUAWEI-aaa-domain-pre-web] authentication-scheme auth3
[*HUAWEI-aaa-domain-pre-web] accounting-scheme acct3
[*HUAWEI-aaa-domain-pre-web] ip-pool pool2
[*HUAWEI-aaa-domain-pre-web] user-group web-before
[*HUAWEI-aaa-domain-pre-web] web-server 192.168.8.251
[*HUAWEI-aaa-domain-pre-web] web-server url http://192.168.8.251
[*HUAWEI-slot-1] commit
[~HUAWEI-slot-1] quit
[*HUAWEI-behavior-perm1] commit
[~HUAWEI-behavior-perm1] quit
[~HUAWEI] traffic behavior deny1
[*HUAWEI-behavior-deny1] deny
[*HUAWEI-behavior-deny1] commit
[~HUAWEI-behavior-deny1] quit
[~HUAWEI] traffic behavior redirect
[*HUAWEI-behavior-redirect] http-redirect plus
[*HUAWEI-behavior-redirect] commit
[~HUAWEI-behavior-redirect] quit
[~HUAWEI] traffic policy web-out
[*HUAWEI-policy-web-out] share-mode
[*HUAWEI-policy-web-out] classifier web-be-permit behavior perm1
[*HUAWEI-policy-web-out] classifier web-out behavior web-out
[*HUAWEI-policy-web-out] commit
[~HUAWEI-policy-web-out] quit
[~HUAWEI] traffic policy web
[*HUAWEI-policy-web] share-mode
[*HUAWEI-policy-web] classifier web-be-permit behavior perm1
[*HUAWEI-policy-web] classifier http-before behavior http-discard
[*HUAWEI-policy-web] classifier redirect behavior redirect
[*HUAWEI-policy-web] classifier web-be-deny behavior deny1
[*HUAWEI-policy-web] commit
[~HUAWEI-policy-web] quit
NOTE
Versions earlier than V600R007C00 do not require BAS activation by license. You can directly run the
bas enable command in the slot view.
[~HUAWEI] interface GigabitEthernet0/1/0
[*HUAWEI-GigabitEthernet0/1/0] bas
[*HUAWEI-GigabitEthernet0/1/0-bas] access-type layer2-subscriber default-domain pre-authentication pre-web authentication after-auth
[*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method web
----End
Configuration Files
#
sysname HUAWEI
#
license
active bas slot 1
#
user-group web-before
#
slot 1
http-reply enable
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
domain after-auth
authentication-scheme auth2
accounting-scheme acct2
radius-server group rd2
#
interface GigabitEthernet0/1/0
bas
#
access-type layer2-subscriber default-domain pre-authentication pre-web authentication after-auth
authentication-method web
#
traffic-policy web inbound
traffic-policy web-out outbound
Applicability
This example applies to ME60 series routers running V600R006C00 or later.
Networking Requirements
Web+MAC authentication is the most common authentication mode for Layer 2 IPoE access.
In web+MAC authentication mode, a user must enter the user name and password on a portal
page when accessing the Internet for the first time. The RADIUS server automatically records
the terminal's MAC address and associates it with the user name. When the user accesses the
Internet again within a certain time, the user does not need to enter the user name and
password again.
By default, the user enters the MAC authentication domain. If the user accesses the Internet
for the first time, the MAC address fails to be found on the RADIUS server and the
authentication fails. The user is forcibly switched to the web authentication domain and can
access only the web authentication page. On this page, the user enters the user name and
password for authentication. After the authentication is successful, the user enters the
authentication domain after-auth and can access the Internet properly. If the user accesses the
Internet not for the first time, the MAC address can be found on the RADIUS server and the
authentication succeeds. The user then enters the authentication domain after-auth and can
access the Internet properly.
Figure 9-19 Networking for configuring Layer 2 IPoE access (web+MAC authentication)
(Figure 9-19: PC -- Access Network -- Router -- Internet, with the Portal server and the RADIUS server on the Router side.)
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create a MAC authentication domain, a web authentication domain, and an authentication
domain.
# Create a MAC authentication domain named mac-auth, a web authentication domain
named web-auth, and an authentication domain named after-auth.
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] domain mac-auth
[*HUAWEI-aaa-domain-mac-auth] quit
[*HUAWEI-aaa] domain web-auth
[*HUAWEI-aaa-domain-web-auth] quit
[*HUAWEI-aaa] domain after-auth
[*HUAWEI-aaa-domain-after-auth] commit
[~HUAWEI-aaa-domain-after-auth] quit
[~HUAWEI-aaa] quit
# Create an authentication scheme named mac-auth, and configure the user to be redirected
to the web authentication domain web-auth when authentication fails in the authentication
scheme.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme mac-auth
[*HUAWEI-aaa-authen-mac-auth] authening authen-fail online authen-domain web-auth
[*HUAWEI-aaa-authen-mac-auth] commit
[~HUAWEI-aaa-authen-mac-auth] quit
Step 4 Enable MAC authentication in the MAC authentication domain mac-auth, and bind the
RADIUS server group d and authentication scheme mac-auth to the domain.
[~HUAWEI-aaa] domain mac-auth
[*HUAWEI-aaa-domain-mac-auth] radius-server group d
[*HUAWEI-aaa-domain-mac-auth] authentication-scheme mac-auth
[*HUAWEI-aaa-domain-mac-auth] accounting-scheme acct2
[*HUAWEI-aaa-domain-mac-auth] ip-pool pool2
[*HUAWEI-aaa-domain-mac-auth] mac-authentication enable
[*HUAWEI-aaa-domain-mac-auth] commit
[~HUAWEI-aaa-domain-mac-auth] quit
Step 5 Configure forcible redirection to a specified web server in the web authentication domain
web-auth, and bind a user group that can access only limited resources, authentication
scheme (non-authentication), and accounting scheme (non-accounting) to the domain.
[~HUAWEI] user-group web-before
[*HUAWEI] aaa
[*HUAWEI-aaa] http-redirect enable
[*HUAWEI-aaa] domain web-auth
[*HUAWEI-aaa-domain-web-auth] authentication-scheme auth3
[*HUAWEI-aaa-domain-web-auth] accounting-scheme acct3
[*HUAWEI-aaa-domain-web-auth] ip-pool pool2
[*HUAWEI-aaa-domain-web-auth] user-group web-before
[*HUAWEI-aaa-domain-web-auth] web-server 192.168.8.251
[*HUAWEI-aaa-domain-web-auth] web-server url http://192.168.8.251
[*HUAWEI-policy-web] share-mode
[*HUAWEI-policy-web] classifier web-be-permit behavior perm1
[*HUAWEI-policy-web] classifier http-before behavior http-discard
[*HUAWEI-policy-web] classifier redirect behavior redirect
[*HUAWEI-policy-web] classifier web-be-deny behavior deny1
[*HUAWEI-policy-web] commit
[~HUAWEI-policy-web] quit
Step 7 Run the default-user-name include mac-address command in the AAA view to directly use
the MAC address carried in a user connection request packet as the user name.
[*HUAWEI-aaa] default-user-name include mac-address -
[*HUAWEI-aaa] default-password simple Root@123
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit
Step 8 Configure a MAC authentication domain, authentication domain, and authentication method
on a BAS interface.
[~HUAWEI] license
[*HUAWEI-license] active bas slot 1
[*HUAWEI-license] commit
[~HUAWEI-license] quit
NOTE
Versions earlier than V600R007C00 do not require BAS activation by license. You can directly run the
bas enable command in the slot view.
[~HUAWEI] interface GigabitEthernet0/1/0
[~HUAWEI-GigabitEthernet0/1/0] bas
[*HUAWEI-GigabitEthernet0/1/0-bas] access-type layer2-subscriber default-domain pre-authentication mac-auth authentication after-auth
[*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method web
----End
Configuration Files
#
sysname HUAWEI
#
license
active bas slot 1
#
user-group web-before
#
slot 1
http-reply enable
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher Root@1234
#
radius-server group d
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server shared-key-cipher Root@1234
radius-server attribute translate
radius-attribute include HW-Auth-Type
radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account
#
acl number 6004
rule 3 permit ip source user-group web-before destination user-group web-before
rule 5 permit ip source user-group web-before destination ip-address any
#
acl number 6005
rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
#
acl number 6006
rule 5 permit ip destination user-group web-before
#
acl number 6008
rule 5 permit tcp source user-group web-before destination-port eq www
rule 10 permit tcp source user-group web-before destination-port eq 8080
#
acl number 6010
#
traffic classifier web-out operator or
if-match acl 6006
traffic classifier web-be-permit operator or
if-match acl 6005
traffic classifier http-before operator or
if-match acl 6010
traffic classifier web-be-deny operator or
if-match acl 6004
traffic classifier redirect operator or
if-match acl 6008
#
traffic behavior http-discard
car cir 0 cbs 0 green pass red discard
traffic behavior web-out
deny
traffic behavior perm1
traffic behavior deny1
deny
traffic behavior redirect
http-redirect
#
traffic policy web-out
share-mode
classifier web-be-permit behavior perm1
classifier web-out behavior web-out
traffic policy web
share-mode
classifier web-be-permit behavior perm1
classifier http-before behavior http-discard
classifier redirect behavior redirect
classifier web-be-deny behavior deny1
#
ip pool pool2 bas local
gateway 172.16.1.1 255.255.255.0
section 0 172.16.1.2 172.16.1.200
dns-server 192.168.8.252
#
aaa
http-redirect enable
default-user-name include mac-address -
authentication-scheme auth2
authentication-scheme auth3
authentication-mode none
authentication-scheme mac-auth
authening authen-fail online authen-domain web-auth
#
accounting-scheme acct2
accounting-scheme acct3
accounting-mode none
#
domain mac-auth
authentication-scheme mac-auth
accounting-scheme acct2
ip-pool pool2
mac-authentication enable
radius-server group d
domain web-auth
authentication-scheme auth3
accounting-scheme acct3
ip-pool pool2
user-group web-before
web-server 192.168.8.251
web-server url http://192.168.8.251
web-server url-parameter
domain after-auth
authentication-scheme auth2
accounting-scheme acct2
radius-server group rd2
#
interface GigabitEthernet0/1/0
bas
#
access-type layer2-subscriber default-domain pre-authentication mac-auth authentication after-auth
authentication-method web
#
traffic-policy web inbound
traffic-policy web-out outbound
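The ACLs, classifiers and traffic policies in the configuration file above define the walled garden that a user in user-group web-before lives in before authentication (the same policies appear in the web authentication example earlier on this page). The following is an added example, not Huawei code, that models those rules and reports what happens to a given flow. It assumes that ACL rules are tried in number order, that a classifier matches when its ACL permits the flow, that the first matching classifier in a policy decides, and that a flow matched by no classifier is forwarded; the user address and the membership of user-group web-before are constructed.

```python
"""Walled-garden check for the pre-authentication policies in the configuration file above.
Added example, not Huawei code. It models ACLs 6004/6005/6006/6008/6010, the classifiers and
the traffic policies "web" (inbound) and "web-out" (outbound) and returns the verdict for a flow.
Assumed semantics: ACL rules are tried in number order, a classifier matches when its ACL permits
the flow, and the first matching classifier in a policy decides. The user address and the
membership of user-group web-before are constructed."""
from dataclasses import dataclass

PORTAL, DNS, LOOPBACK = "192.168.8.251", "192.168.8.252", "127.0.0.1"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "ip"   # "ip" = any L4 protocol, otherwise "tcp" or "udp"
    dport: int = 0


# rule = (protocol, source spec, destination spec, destination port or None); every rule is 'permit'
# spec = ("any",) | ("host", ip) | ("group", user-group name)
ACLS = {
    6004: [("ip", ("group", "web-before"), ("group", "web-before"), None),
           ("ip", ("group", "web-before"), ("any",), None)],
    6005: [("ip", ("group", "web-before"), ("host", PORTAL), None),
           ("ip", ("host", PORTAL), ("group", "web-before"), None),
           ("ip", ("group", "web-before"), ("host", DNS), None),
           ("ip", ("host", DNS), ("group", "web-before"), None),
           ("ip", ("group", "web-before"), ("host", LOOPBACK), None),
           ("ip", ("host", LOOPBACK), ("group", "web-before"), None)],
    6006: [("ip", ("any",), ("group", "web-before"), None)],
    6008: [("tcp", ("group", "web-before"), ("any",), 80),
           ("tcp", ("group", "web-before"), ("any",), 8080)],
    6010: [],  # empty on the page, so classifier http-before never matches
}
CLASSIFIERS = {"web-out": 6006, "web-be-permit": 6005, "http-before": 6010,
               "web-be-deny": 6004, "redirect": 6008}
BEHAVIORS = {"perm1": "forward", "web-out": "drop", "deny1": "drop",
             "redirect": "http-redirect", "http-discard": "drop"}   # car cir 0 cbs 0 = drop
POLICIES = {
    "web": [("web-be-permit", "perm1"), ("http-before", "http-discard"),
            ("redirect", "redirect"), ("web-be-deny", "deny1")],
    "web-out": [("web-be-permit", "perm1"), ("web-out", "web-out")],
}


def endpoint_matches(spec, ip, groups):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return ip == spec[1]
    return ip in groups.get(spec[1], ())


def acl_permits(acl, flow, groups):
    for proto, src, dst, dport in ACLS[acl]:
        if proto != "ip" and proto != flow.proto:
            continue
        if dport is not None and dport != flow.dport:
            continue
        if endpoint_matches(src, flow.src, groups) and endpoint_matches(dst, flow.dst, groups):
            return True
    return False


def apply_policy(policy, flow, groups):
    """Return (classifier, verdict); a flow matched by no classifier is forwarded (assumption)."""
    for classifier, behavior in POLICIES[policy]:
        if acl_permits(CLASSIFIERS[classifier], flow, groups):
            return classifier, BEHAVIORS[behavior]
    return None, "forward"


def walled_garden_report(user_ip, groups):
    """Verdicts for typical flows of one user; groups maps user-group name -> set of member IPs."""
    far = "203.0.113.10"  # some Internet host (documentation address)
    inbound = {
        "portal http": apply_policy("web", Flow(user_ip, PORTAL, "tcp", 80), groups)[1],
        "dns": apply_policy("web", Flow(user_ip, DNS, "udp", 53), groups)[1],
        "internet http": apply_policy("web", Flow(user_ip, far, "tcp", 80), groups)[1],
        "internet https": apply_policy("web", Flow(user_ip, far, "tcp", 443), groups)[1],
        "internet icmp": apply_policy("web", Flow(user_ip, far), groups)[1],
    }
    outbound = {
        "portal reply": apply_policy("web-out", Flow(PORTAL, user_ip, "tcp"), groups)[1],
        "internet reply": apply_policy("web-out", Flow(far, user_ip, "tcp"), groups)[1],
    }
    return inbound, outbound
```

For a user still in web-before, only the portal and the DNS server are reachable, plain HTTP (ports 80 and 8080) to anything else is redirected to the portal, and everything else, HTTPS included, is dropped; in the reverse direction only the portal and DNS server can reach the user. Once the user has authenticated and is no longer in the group, none of the classifiers match and traffic is forwarded. ACL 6010 is reproduced as the page shows it (empty), so the http-discard branch never fires.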
Networking Requirements
On the network shown in Figure 9-20, when WLAN users access the Internet, EAP packets
are used for RADIUS authentication on the AC. The Router is then used for RADIUS
accounting. The user access process is as follows:
1. A WLAN user sends an EAP packet to the AC. The AC terminates the EAP packet and
sends a RADIUS packet to the Router.
2. The Router functions as a RADIUS proxy. The Router listens to authentication
packets sent from the AC to the RADIUS server and forwards them to the RADIUS
server, and listens to authentication response packets sent by the RADIUS server and
forwards them to the AC. In the proxy process, the Router saves the authorization
information delivered by the RADIUS server to the user account.
3. After the authentication is successful, the user sends a DHCP packet to the Router to
obtain an IP address. During address obtainment, the Router queries the authorization
information saved for the user account in the proxy process based on the user's MAC
address. If the user account's authorization information exists, the Router assigns an idle
IP address to the user and uses the saved authorization information to authorize the user.
In addition, the Router sends an accounting start packet to the RADIUS server for user
accounting.
4. The Router directly responds to accounting packets sent by the AC without sending them
to the RADIUS server.
Figure 9-20 Networking for configuring WLAN user access based on RADIUS proxy
authentication
(Figure 9-20: AP, AP -- L2 Switch -- Router -- Internet, with the AC and the RADIUS server connected to the Router.)
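The proxy exchange described in the access process above (and verified earlier on this page with display radius-client statistics) is shown below as an added example; it is not code from the Huawei guide. It models the Router between the AC and the RADIUS server per RFC 2865 and RFC 3579: the AC's Access-Request is checked against the radius-client shared key, User-Password and Message-Authenticator are re-keyed for the server group's key, the server's Response Authenticator is verified before anything is relayed, and the authorization attributes of an Access-Accept are cached by Calling-Station-Id (the MAC address) for the later DHCP phase. Shared keys, identifiers, addresses and attribute values are constructed; failed checks are counted the way the Bad Authenticators counter does.

```python
"""RADIUS proxy exchange modelled on the access process above (RFC 2865/3579).
Added example, not code from the Huawei guide; secrets, identifiers and addresses are
constructed. client_secret plays the radius-client key, server_secret the server group key."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FRAMED_IP, CLASS, CALLING_STATION_ID, MSG_AUTH = 1, 2, 8, 25, 31, 80


def build(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad packet length")
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:  # what the Router counts as abnormal attribute length
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs


def pw_xor(data, secret, req_auth, encrypt):
    """RFC 2865 5.2 User-Password: XOR 16-byte blocks with MD5(secret + previous cipher block)."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev, out = (block if encrypt else data[i:i + 16]), out + block
    return out if encrypt else out.rstrip(b"\x00")


def message_authenticator(code, ident, authenticator, attrs, secret):
    """RFC 3579 3.2: HMAC-MD5 over the packet with the attribute value zeroed."""
    zeroed = [(t, b"\x00" * 16 if t == MSG_AUTH else v) for t, v in attrs]
    return hmac.new(secret, build(code, ident, authenticator, zeroed), hashlib.md5).digest()


def with_msg_auth(code, ident, authenticator, attrs, secret):
    attrs = [(t, v) for t, v in attrs if t != MSG_AUTH] + [(MSG_AUTH, b"\x00" * 16)]
    attrs[-1] = (MSG_AUTH, message_authenticator(code, ident, authenticator, attrs, secret))
    return attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(build(code, ident, req_auth, attrs) + secret).digest()


class RadiusProxy:
    def __init__(self, client_secret, server_secret):
        self.client_secret, self.server_secret = client_secret, server_secret
        self.pending = {}        # ident -> (AC's request authenticator, ours toward the server, MAC)
        self.authz_by_mac = {}   # step 3: authorization kept per Calling-Station-Id for the DHCP phase
        self.bad_authenticators = 0

    def to_server(self, pkt_from_ac):
        """Step 2: verify the AC's request, re-key User-Password and Message-Authenticator, forward."""
        code, ident, ac_auth, attrs = parse(pkt_from_ac)
        if code != ACCESS_REQUEST:
            raise ValueError("only Access-Request is proxied")
        expected = message_authenticator(code, ident, ac_auth, attrs, self.client_secret)
        if any(t == MSG_AUTH and not hmac.compare_digest(v, expected) for t, v in attrs):
            self.bad_authenticators += 1
            return None
        new_auth = os.urandom(16)  # fresh Request Authenticator; the identifier is reused unchanged here
        out = [(t, pw_xor(pw_xor(v, self.client_secret, ac_auth, False), self.server_secret, new_auth, True)
                if t == USER_PASSWORD else v) for t, v in attrs]
        mac = next((v for t, v in attrs if t == CALLING_STATION_ID), b"")
        self.pending[ident] = (ac_auth, new_auth, mac)
        return build(code, ident, new_auth, with_msg_auth(code, ident, new_auth, out, self.server_secret))

    def from_server(self, pkt_from_server):
        """Check the server's Response Authenticator, cache authorization by MAC, re-sign for the AC."""
        code, ident, resp_auth, attrs = parse(pkt_from_server)
        ac_auth, req_auth, mac = self.pending.pop(ident, (None, None, None))
        if req_auth is None or not hmac.compare_digest(
                resp_auth, response_authenticator(code, ident, req_auth, attrs, self.server_secret)):
            self.bad_authenticators += 1  # 'Bad Authenticators' in display radius-client statistics
            return None
        if code == ACCESS_ACCEPT:
            self.authz_by_mac[mac] = {t: v for t, v in attrs if t in (FRAMED_IP, CLASS)}
        attrs = with_msg_auth(code, ident, ac_auth, attrs, self.client_secret)
        return build(code, ident, response_authenticator(code, ident, ac_auth, attrs, self.client_secret), attrs)


def access_request_from_ac(ident, user, password, mac, secret):
    """Constructed AC-side Access-Request (the AC has already terminated the client's EAP)."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, pw_xor(password, secret, auth, True)), (CALLING_STATION_ID, mac)]
    return build(ACCESS_REQUEST, ident, auth, with_msg_auth(ACCESS_REQUEST, ident, auth, attrs, secret))


def access_accept_from_server(request_to_server, secret, framed_ip):
    """Constructed server-side Access-Accept answering the proxied request."""
    code, ident, req_auth, _ = parse(request_to_server)
    attrs = [(FRAMED_IP, framed_ip), (CLASS, b"wlan-gold")]
    return build(ACCESS_ACCEPT, ident, response_authenticator(ACCESS_ACCEPT, ident, req_auth, attrs, secret), attrs)
```

Two points the model makes visible: the AC-facing key and the server-facing key are independent, which is why the Router must decrypt and re-encrypt User-Password and recompute Message-Authenticator rather than relay bytes, and a reply whose Response Authenticator does not verify under the server group key, or whose identifier matches no outstanding request, is dropped and counted instead of being passed to the AC. The Accounting-Request that the AC sends afterwards (step 4) is answered by the Router itself with an Accounting-Response computed the same way as response_authenticator, under the AC-facing key.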
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server group, an authentication scheme, an accounting scheme,
and an address pool.
2. Bind the RADIUS server group, authentication scheme, accounting scheme, and address
pool to the domain.
3. Configure the RADIUS proxy function.
4. Configure BAS access on an interface.
5. Configure an IP address for AC access on an interface.
NOTE
By default, the Router can listen to RADIUS packets through ports 1812, 1813, 1645, 1646, and 3799.
To use another port to listen to RADIUS packets, run the radius-server extended-source-ports port-
number port-number command in the system view to specify a listening port.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, an accounting scheme, and an
address pool.
# Configure a RADIUS server group named shiva.
<HUAWEI> system-view
[~HUAWEI] radius-server group shiva
[*HUAWEI-radius-shiva] radius-server authentication 10.1.123.151 1812
[*HUAWEI-radius-shiva] radius-server accounting 10.1.123.151 1813
[*HUAWEI-radius-shiva] commit
[~HUAWEI-radius-shiva] quit
Step 2 Configure a domain named radiusproxy, and bind the authentication scheme rdp, accounting
scheme rds, and RADIUS server group shiva to the domain.
[~HUAWEI-aaa] domain radiusproxy
[*HUAWEI-aaa-domain-radiusproxy] authentication-scheme rdp
[*HUAWEI-aaa-domain-radiusproxy] accounting-scheme rds
[*HUAWEI-aaa-domain-radiusproxy] radius-server group shiva
[*HUAWEI-aaa-domain-radiusproxy] ip-pool a
NOTE
The IP address configured after radius-client is the interface IP address for the AC to send RADIUS
packets. In this example, the RADIUS server group bound to the domain is the same as that for
RADIUS proxy. In practice, the RADIUS server group bound to a domain may be different from that for
RADIUS proxy.
NOTE
This IP address is used for AC access. RADIUS authentication packets sent by the AC should be sent to
this address. If the Router has another IP address connected to the AC, you may not configure the IP
address.
NOTE
The BAS access configuration on an interface in RADIUS proxy scenarios is the same as that in IPoE
access scenarios. RADIUS proxy applies only to IPoE users and not PPPoE users.
Traffic-unit : B
ClassAsCar : NO
User-name-format : Domain-included
Option82 parse mode : -
Attribute-translation: NO
Packet send algorithm: Master-Backup
Tunnel password : cipher
Run the display domain command on the Router to check domain configurations.
[*HUAWEI-aaa] display domain radiusproxy
------------------------------------------------------------------------------
Domain-name : radiusproxy
Domain-state : Active
Authentication-scheme-name : rdp
Accounting-scheme-name : rds
Authorization-scheme-name : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-DNS-IPV6-address : -
Second-DNS-IPV6-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Time-range : Disable
Idle-cut direction : Both
Idle-data-attribute (time,flow) : 0, 60
User detect interval : 0s
User detect retransmit times : 0
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : default
User-access-limit : 283648
Online-number : 0
Web-IP-address : -
Web-URL : -
Web-auth-server : -
Web-auth-state : -
Web-server-mode : get
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
Service-policy(Portal) : -
PPPoE-user-URL : Disable
AdminUser-priority : 16
IPUser-ReAuth-Time : 300s
mscg-name-portal-key : -
Portal-user-first-url-key : -
User-session-limit : 4294967295
Ancp auto qos adapt : Disable
L2TP-group-name : -
User-lease-time-no-response : 0s
RADIUS-server-template : shiva
Two-acct-template : -
RADIUS-server-pre-template : -
-
-
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disable
Qos-profile-name inbound : -
Qos-profile-name outbound : -
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IP-warning-threshold(Low) : -
IPv6-warning-threshold : -
IPv6-warning-threshold(Low) : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IP-address-pool-name : a
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
IPv6-PPP-NDRA-halt : Disable
IPv6-PPP-NDRA-unicast : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : Enable
Reallocate-ip-address : Disable
Cui enable : Disable
Igmp enable : Enable
L2tp-user radius-force : Disable
Accounting dual-stack : Separate
Radius server domain-annex : -
Dhcp-option64-service : Disable
Parse-separator : -
Parse-segment-value : -
Dhcp-receive-server-packet : -
Http-hostcar : Disable
Public-address assign-first : Disable
Public-address nat : Enable
Dhcp-user auto-save : Disable
IP-pool usage-status threshold : 255 , 255
Select-Pool-Rule : gateway + local priority
AFTR name : -
Traffic-rate-mode : Separate
Traffic-statistic-mode : Separate
Rate-limit-mode-inbound : Car
Rate-limit-mode-outbound : Car
Service-change-mode : Stop-start
DAA Direction : both
------------------------------------------------------------------------------
Run the display radius-client configuration command on the Router to check RADIUS
proxy configurations.
[*HUAWEI] display radius-client configuration
-----------------------------------------------------------------------------
IP-Address    VPN-instance  Shared-key  Group  Domain-authorization  Roam-domain
-----------------------------------------------------------------------------
10.1.0.201    --            ******      shiva  NO                    --
-----------------------------------------------------------------------------
1 Radius client(s) in total
----End
Configuration Files
#
sysname HUAWEI
#
license
Networking Requirements
Dumb terminals are devices such as printers and access control devices on a campus network. Generally,
these devices do not obtain IP addresses dynamically and use fixed addresses instead. Dumb terminals
access the Internet in static user mode, and authentication based on a sub-interface's VLAN ID is used.
On the network shown in Figure 9-21, the printer accesses the Router through GE 0/1/2.1 in
static user mode. The fixed IP address is 172.192.0.8.
Figure 9-21 Networking for configuring dumb terminal access based on a VLAN ID
(Figure 9-21: printer (172.192.0.8) -- Interface 1 -- Router -- Interface 2 (192.168.8.1) -- Internet.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an authentication scheme, with local authentication specified.
2. Configure an address pool, with the IP address 172.192.0.8 reserved for the printer.
3. Configure an authentication domain named printer.
4. Configure a BAS interface, with the default authentication domain set to printer.
5. Configure a static user.
Data Preparation
To complete the configuration, you need the following data:
l Authentication scheme name and authentication mode
l Address pool name, gateway address, and DNS server address
l Domain name
l BAS interface parameters
Procedure
Step 1 Configure an authentication scheme, with local authentication specified.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme local
[*HUAWEI-aaa-authen-local] authentication-mode local
[*HUAWEI-aaa-authen-local] commit
[~HUAWEI-aaa-authen-local] quit
[~HUAWEI-ip-pool-pool1] quit
NOTE
Versions earlier than V600R007C00 do not require BAS activation by license. You can directly run the
bas enable command in the slot view.
[~HUAWEI] interface GigabitEthernet 0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] user-vlan 100
[~HUAWEI-GigabitEthernet0/1/2.1-vlan-100-100] quit
[*HUAWEI-GigabitEthernet0/1/2.1] bas
[*HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/2.1-bas] default-domain authentication printer
[*HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method bind
[*HUAWEI-GigabitEthernet0/1/2.1-bas] ip-trigger
[*HUAWEI-GigabitEthernet0/1/2.1-bas] arp-trigger
[*HUAWEI-GigabitEthernet0/1/2.1-bas] commit
[~HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[~HUAWEI-GigabitEthernet0/1/2.1] quit
NOTE
In this example, binding authentication is configured. A user name and password for authentication are
automatically generated. The automatically generated user name and password must be the same as the
created local user name and password because local authentication is used. The user name and password
configured using the default-user-name and default-password commands in the AAA view are used as
the automatically generated user name and password. For details, see "Configuration Files."
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet0/1/2.1
user-vlan 100
bas
access-type layer2-subscriber default-domain authentication printer
ip-trigger
arp-trigger
authentication-method bind
#
ip pool pool1 bas local
gateway 172.192.0.1 255.255.255.0
section 0 172.192.0.2 172.192.0.200
excluded-ip-address 172.192.0.8
#
aaa
default-user-name include ip-address
default-password cipher Root@123
authentication-scheme local
authentication-mode local
domain printer
authentication-scheme local
accounting-scheme default0
ip-pool pool1
#
local-aaa-server
user 172.192.0.8@isp1 password cipher Root@123 authentication-type B
#
static-user 172.192.0.8 172.192.0.8 interface GigabitEthernet0/1/2.1 vlan 100
detect
static-user detect interval 1
#
return
Networking Requirements
Dumb terminals refer to printers and access control devices on a campus network. Generally,
these devices are not assigned IP addresses. Dumb terminals access the Internet in static user
mode, and authentication based on MAC addresses is used.
On the network shown in Figure 9-22, the printer accesses the Router through GE 0/1/2.
Figure 9-22 Networking for configuring dumb terminal access based on a MAC address
[Figure 9-22 diagram: printer (172.192.0.8) -> Interface 1 -> Router -> Interface 2 (192.168.8.1) -> Internet]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure an authentication scheme.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme local
[*HUAWEI-aaa-authen-local] authentication-mode local
[*HUAWEI-aaa-authen-local] commit
[~HUAWEI-aaa-authen-local] quit
NOTE
Versions earlier than V600R007C00 do not require BAS activation by license. You can directly run the
bas enable command in the slot view.
[~HUAWEI] interface GigabitEthernet 0/1/2
[*HUAWEI-GigabitEthernet0/1/2] bas
[*HUAWEI-GigabitEthernet0/1/2-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/2-bas] default-domain authentication printer
[*HUAWEI-GigabitEthernet0/1/2-bas] authentication-method bind
[*HUAWEI-GigabitEthernet0/1/2-bas] ip-trigger
[*HUAWEI-GigabitEthernet0/1/2-bas] arp-trigger
[*HUAWEI-GigabitEthernet0/1/2-bas] commit
[~HUAWEI-GigabitEthernet0/1/2-bas] quit
[~HUAWEI-GigabitEthernet0/1/2] quit
NOTE
In this example, binding authentication is configured. A user name and password for authentication are
automatically generated. The automatically generated user name and password must be the same as the
created local user name and password because local authentication is used. The user name and password
configured using the default-user-name and default-password commands in the AAA view are used as
the automatically generated user name and password. For details, see "Configuration Files."
Step 7 Configure a static user. If the network has multiple printers, perform the following
configuration for each printer.
[*HUAWEI] static-user 172.192.0.8 gateway 172.192.0.1 interface GigabitEthernet
0/1/2 mac-address 0026-73b5-dfc8 domain-name printer detect
[*HUAWEI] static-user detect interval 1
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet0/1/2
bas
access-type layer2-subscriber default-domain authentication printer
ip-trigger
arp-trigger
authentication-method bind
#
ip pool pool1 bas local
gateway 172.192.0.1 255.255.255.0
section 0 172.192.0.2 172.192.0.200
excluded-ip-address 172.192.0.8
#
aaa
default-user-name include ip-address
default-password cipher Root@123
authentication-scheme local
authentication-mode local
domain printer
authentication-scheme local
accounting-scheme default0
ip-pool pool1
#
local-aaa-server
user 172.192.0.8@printer password cipher Root@123 authentication-type B
#
static-user 172.192.0.8 gateway 172.192.0.1 interface GigabitEthernet0/1/2 mac-address 0026-73b5-dfc8 domain-name printer detect
static-user detect interval 1
#
return
Point-to-Point Protocol over Ethernet (PPPoE) allows a remote access device to provide
access services for hosts on Ethernet networks and to implement user access control and
accounting. This chapter describes how to configure PPPoE and provides networking
applications. This feature is not supported on the M2E. This feature is supported only on the
Admin-VS.
[Figure diagram: Client -> CPE -> DSLAM -> carrier network device (PPPoE server) -> Internet]
l When a PPPoE session is established between a host and a device, one session is needed for
each host. Each host is a PPPoE client, and a carrier network device is the PPPoE server.
Figure 10-2 shows the networking of this mode. Each host has an account for access
control and accounting. Each host must have the PPPoE client dialup software installed
to function as a PPPoE client. This networking applies to campuses and residential areas.
[Figure 10-2 diagram: Host A (PPPoE client) and Host B (PPPoE client) -> PPPoE server -> Internet]
Services are interrupted if the memory size of the master MPU is inconsistent with that of the slave
MPU.
Restriction: If the number of connection requests is restricted based on a specified MAC address
of a PPPoE user, the chasten function takes effect only when one MAC address maps to multiple
sessions. If the chasten function for PPPoE users who go online through inter-board trunk
interfaces is implemented based on a specified board, after the master main control board on
which the inter-board trunk interfaces reside is switched, the number of connection requests
must be recalculated.
Guideline: Do not enable the chasten function based on a specified MAC address after one-to-many
mapping between one MAC address and multiple sessions is enabled.
Impact: The chasten function does not take effect and users cannot be blocked.
Usage Scenario
As network data services are developing rapidly, broadband users are increasing explosively.
Carriers need an access device that can provide access services for multiple remote hosts and
also provide user access control and accounting. Ethernet is the most economical technology
for connecting multiple hosts to access devices, and PPP provides well-developed user access
control and accounting. However, PPP cannot be applied to Ethernet. To address this problem,
PPPoE has been developed. PPPoE is a link layer protocol that transmits PPP datagrams
through PPP sessions established over point-to-point connections on Ethernet networks. As a
supplement to PPP, PPPoE allows a remote access device to provide access services for hosts
on Ethernet networks and to implement user access control and accounting. With these
features, PPPoE is widely acknowledged among broadband access carriers, and therefore
widely applied.
Pre-configuration Tasks
Before configuring PPPoE access services, complete the following tasks:
Configuration Procedures
Perform the following configurations as required.
Configure a VT.
Mandatory
Optional
10.6.1 Configuring a VT
Layer 2 protocols cannot directly carry each other. Before configuring PPPoE access, create a
virtual template (VT).
Context
Layer 2 protocols, such as PPP, can communicate only over a virtual access (VA) session. A
VA session, however, cannot be manually created or configured. Instead, a VA session is
automatically generated after PPPoE services are configured and PPPoE parameters are
configured in a VT.
Based on interface parameters defined in a VT, a device can automatically create VA
interfaces for Layer 2 communication.
l PPP packets are encapsulated based on parameters configured in a VT. A VT defines
NCP parameters, such as IP addresses and upper-layer application protocols.
l A VA session transmits data between the local and remote ends based on parameters
defined in a VT.
When a VT is used for PPPoE services, the link layer protocol can only be PPP, and the
network layer protocol can only be IP.
Before deleting a VT, ensure that the VT is not in use and the VA session automatically
generated upon VT creation has been deleted.
Procedure
Step 1 Run system-view
Step 4 (Optional) Perform the following steps to configure PPP negotiation parameters:
l Run ppp timer { negotiate seconds | retransmit retry-times } *
A PPP negotiation timeout period and the maximum number of retransmission times
allowed are configured.
l Run ppp delay-lcp-negotiation [ force ]
Delayed LCP packet transmission is configured.
l Run ppp keepalive { interval interval-time | retransmit times | response-timeout
response-timeout-time } * [ datacheck | no-datacheck ]
A PPP detection interval and the maximum number of retransmission times allowed are
configured.
l Run ppp keepalive adjustment { system-state | retransmit }
Adjustment of the number of PPP detection times is enabled.
l Run mtu mtu
An MTU is configured in the VT.
l Run ppp mru mru
An MRU is configured for PPP negotiation.
l Run pppoe-motm motm-value
The device is configured to encapsulate clock synchronization information to the MOTM
tag in a PPPoE active discovery message (PADM).
l Run quit
Return to the system view.
l Run pppoe ppp-max-payload enable
The device is enabled to negotiate the MRU in compliance with standard protocols.
----End
Context
After a VT is configured, bind it to an interface. The type of the interface to which a VT is
bound varies depending on the user access type.
Procedure
Step 1 Run system-view
Specify a main interface for PPPoE access users and a sub-interface for PPPoEoVLAN access
users.
----End
Context
PPPoE uses the client/server model. A PPPoE client initiates a connection request to a PPPoE
server. After a session is established, the PPPoE server provides access control and
authentication for the PPPoE client. To help clients identify PPPoE servers, configure a name,
service name, and service name matching mode for each PPPoE server. To allow successful
PPPoE negotiation between Huawei and non-Huawei devices, configure the timing for
sending PADM or PADN packets and a delimiter between MOTM items.
Procedure
Step 1 Run system-view
Step 6 Run pppoe-server send { padm | padn } [ ipcp | ip6cp | { first | last | all } ncp ]
----End
Context
If users access the network by using a sub-interface, the sub-interface needs to be bound to a
VLAN.
You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding
a sub-interface to a VLAN, you need the following parameters:
l Sub-interface number
l VLAN ID
l QinQ ID
NOTE
l On each main interface, you can set the user-vlan any-other on only one sub-interface. On one
sub-interface, user-vlan any-other cannot be set together with user-vlan start-vlan nor user-vlan qinq.
l The user-vlan command cannot be configured on a sub-interface of a Layer 2 interface.
l If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a
sub-interface, the user-vlan cannot be configured on this sub-interface.
l Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number.subinterface-number
A sub-interface is created and the sub-interface view is displayed.
Step 3 Run user-vlan { start-vlan [ end-vlan ] [ qinq start-qinq-id [ end-qinq-id ] ] | any-other }
A user-side VLAN is created.
Step 4 Run commit
The configuration is committed.
----End
Context
When configuring a BAS interface, you need the following parameters:
l BAS interface number
l Access type and authentication scheme
l (Optional) Maximum number of users that are allowed to access through the BAS
interface and maximum number of users that are allowed to access through a specified
VLAN
l (Optional) Default domain, roaming domain, and domains that users are allowed to
access
l (Optional) Whether to enable the functions of accounting packet copy and locating a user
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
The bas command run in the view of an interface configures the interface as a BAS interface.
A GE interface or its sub-interface, an Eth-Trunk interface or its sub-interface, an ATM
interface or its sub-interface, or a VE interface or its sub-interface can be configured as a BAS
interface.
The access type is set to Layer 2 subscriber access and the attributes of this access type are
configured.
When setting the access type on the BAS interface, you can set the service attributes of the
access users at the same time. You can also set these attributes in later configurations.
The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk
interface. You can configure the access type of such an Ethernet interface only on the
associated Eth-Trunk interface.
Step 5 (Optional) Run access-limit number [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-vlan ] [ user-type { ipoe | pppoe } ] ]
The number of users that are allowed access through the interface is configured.
l Or run:
default-domain authentication ppp-user domain-name
The default authentication domain for PPP users is specified.
NOTE
The function of locating a user through the virtual BAS (VBAS) is enabled.
An accounting request packet that the NE40E sends to a RADIUS server is allowed to carry
the link-account attribute.
Before running the command, set the access type to Layer 2 subscriber access.
The command affects RADIUS No. 25 attribute in accounting request packets sent by the
NE40E to a RADIUS accounting server.
An interface fills the link-account information in the RADIUS No. 25 attribute class if both
the following situations are met:
l Users getting online from the interface do not need to be authenticated, and RADIUS
accounting is configured on the interface.
l For common Layer 2 users, VLANs and VLAN descriptions are configured on the
interface.
Step 10 (Optional) Run block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any
qinq start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ]
PPP slow reply is configured on the BAS interface, allowing the BAS interface to send PPP
echo packets to the CPU for processing.
----End
Context
To filter users based on source MAC addresses, configure an ACL rule. When a DHCP or
PPP user attempts to go online, match the user's source MAC address against the ACL rule. If
matched, the user is allowed to go online.
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run acl { name link-acl-name { link | [ link ] number link-acl-number } | [ number ] link-acl-number } [ match-order { config | auto } ]
The ACL view is displayed.
Step 3 Run rule [ rule-id ] { deny | permit } source-mac source-mac sourcemac-mask
An ACL rule is configured.
NOTE
When a BAS interface uses a filter-policy to filter users, note the following:
l If the action specified in the ACL rule is permit, only users matching the rule are
allowed to access the Router.
l If the action specified in the ACL rule is deny, users matching the rule are not allowed to
access the Router, and the other users are allowed to access the Router.
l If the ACL does not have any rules, the BAS interface that references this ACL does not
filter access users based on users' MAC addresses.
l If the ACL referenced by the BAS interface does not exist, the BAS interface does not
filter access users based on users' MAC addresses.
Step 4 Run quit
Return to the system view.
Step 5 (Optional) Run ppp keepalive slow acl acl-num source-mac
PPP slow reply is configured for PPP echo packets with a specified MAC address.
Step 6 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
Step 7 Run bas
A BAS interface is created and the BAS interface view is displayed.
Step 8 Run filter-policy acl acl-number ppp
The function of filtering DHCP users that attempt to go online based on ACL rules on a BAS
interface is configured.
NOTE
l Before running the filter-policy acl command, the BAS interface must already have the access-type
command configured.
l An access type can be bound to only one ACL on an interface.
l Because IP addresses are assigned to DHCP users based on the MAC addresses contained in user DHCP
packets, if you run the filter-policy acl acl-number dhcp command to filter users, the command filters
users based on source MAC addresses contained in the DHCP packets, rather than those contained in the
Ethernet headers. This command cannot filter out attackers whose MAC addresses contained in Ethernet
headers are inconsistent with those contained in DHCP packets. To protect the device from this type of
attack, run the dhcp check chaddr command.
l The filter-policy acl acl-number ppp command applies to PPPoE, PPPoEoA, and L2TP users.
----End
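The filter-policy decision rules from the NOTE above, modelled in Python as an added example (this is not Huawei's code): the ACL data model, function names, ACL numbers and MAC addresses are constructed assumptions, and the chaddr comparison shows the gap that the dhcp check chaddr command closes.

```python
# Added example, not Huawei's code: a model of the filter-policy decision
# described above. Data model and function names are hypothetical; the
# MAC values and ACL numbers are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def mac_to_int(mac: str) -> int:
    """Parse a MAC written as 0026-73b5-dfc8 (Huawei style) or 00:26:73:b5:df:c8."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


@dataclass
class SourceMacRule:
    rule_id: int
    action: str        # "permit" or "deny"
    source_mac: str
    mask: str          # 1 bits are compared, 0 bits are wildcards

    def matches(self, mac: str) -> bool:
        m = mac_to_int(self.mask)
        return (mac_to_int(mac) & m) == (mac_to_int(self.source_mac) & m)


@dataclass
class LinkAcl:
    number: int
    rules: List[SourceMacRule] = field(default_factory=list)  # config order


def filter_policy_allows(acls: Dict[int, LinkAcl],
                         acl_number: Optional[int],
                         source_mac: str) -> bool:
    """Decide whether a user with this source MAC may go online through a BAS
    interface whose filter-policy references acl_number.

    Rules from the NOTE: a missing or non-existent ACL, or an ACL without
    rules, means no MAC filtering; a matching permit rule allows only the
    matching users; a matching deny rule blocks them and allows everyone else.
    Assumption for mixed ACLs: the first matching rule in config order wins,
    and an unmatched user is blocked only if the ACL contains a permit rule.
    """
    if acl_number is None or acl_number not in acls:
        return True
    acl = acls[acl_number]
    if not acl.rules:
        return True
    for rule in acl.rules:
        if rule.matches(source_mac):
            return rule.action == "permit"
    return not any(r.action == "permit" for r in acl.rules)


def chaddr_consistent(ethernet_src_mac: str, dhcp_chaddr: str) -> bool:
    """The condition 'dhcp check chaddr' enforces: the client hardware address
    carried inside the DHCP packet must equal the Ethernet source MAC."""
    return mac_to_int(ethernet_src_mac) == mac_to_int(dhcp_chaddr)


def dhcp_user_allowed(acls: Dict[int, LinkAcl], acl_number: Optional[int],
                      ethernet_src_mac: str, dhcp_chaddr: str,
                      check_chaddr: bool = True) -> bool:
    """filter-policy acl <n> dhcp matches the MAC inside the DHCP packet, not
    the Ethernet header, so on its own it passes a frame whose two MACs
    disagree; enabling the chaddr check closes that gap."""
    if check_chaddr and not chaddr_consistent(ethernet_src_mac, dhcp_chaddr):
        return False
    return filter_policy_allows(acls, acl_number, dhcp_chaddr)


def sample_acls() -> Dict[int, LinkAcl]:
    """Constructed sample ACLs (the ACL numbers are illustrative)."""
    return {
        # Whitelist exactly one printer (full mask = exact match).
        4001: LinkAcl(4001, [SourceMacRule(5, "permit", "0026-73b5-dfc8", "ffff-ffff-ffff")]),
        # Block a whole vendor prefix (OUI) and let everyone else through.
        4002: LinkAcl(4002, [SourceMacRule(5, "deny", "0026-7300-0000", "ffff-ff00-0000")]),
        # Referenced but empty: no filtering at all.
        4003: LinkAcl(4003),
    }


if __name__ == "__main__":
    acls = sample_acls()
    print(filter_policy_allows(acls, 4001, "0026-73b5-dfc8"))   # True
    print(filter_policy_allows(acls, 4001, "0026-73b5-dfc9"))   # False
    print(dhcp_user_allowed(acls, 4001, "0011-2233-4455", "0026-73b5-dfc8"))  # False
```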
Context
User routes include routes generated by an address pool, and routes generated based on either
the Framed-Route attribute or IP-Netmask attribute delivered by the RADIUS server.
Management users can advertise routes to the management network while users accessing the
Internet can advertise routes to the Internet. Routes are classified based on tags and imported
using routing policies. This process allows various routes to be advertised to specific
networks.
Procedure
l Configure a tag value of a route for a specified type of address pool, such as local or
remote address pools.
a. Run system-view
The system view is displayed.
b. Run ip unr { framed-route-tag tag-value | framed-ip-netmask-tag tag-value |
framed-ip-address-tag tag-value } *
The route tag is configured.
c. Run commit
The configuration is committed.
l Configure a tag value of a route for a single address pool.
a. Run system-view
The system view is displayed.
b. Run ip pool (system view)
The IP address pool view is displayed.
c. Run unr tag tag-value
The route tag is configured.
d. Run commit
The configuration is committed.
----End
Follow-up Procedure
Create a routing policy. Specify a route tag to classify routes. Use OSPF or BGP to import
various routes. For details, see Routing Policy Configuration.
Context
On live networks, unauthorized users may launch a brute force attack to crack an authorized
user's password or to exhaust the number of access users. To prevent this problem, configure the
maximum number of users allowed to go online through a board.
Multiple users may use the same MAC address for network access. To allow PPPoE users to
use the same MAC address to go online through the same device, configure the maximum
number of users allowed to go online through a MAC address.
When PPPoE users are online, a downstream device failure will cause the NE40E to receive a
large number of NCP negotiation requests from some users, resulting in high CPU usage.
Therefore, the number of NCP negotiation times must be limited.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run pppoe-server slot-number max-sessions session-number
The maximum number of users allowed to go online through a board is configured.
Step 3 Run pppoe-server max-sessions remote-mac session-number
The maximum number of users allowed to go online through a MAC address is configured.
Step 4 Run pppoe-server negotiation times limit
The number of NCP negotiation times is limited.
Step 5 Run commit
The configuration is committed.
----End
Procedure
l Configure URPF for PPPoE-type users.
a. Run system-view
----End
Context
After a PPPoE user goes online, the device periodically sends Echo Request packets to the
client.
When receiving an Echo Reply packet from the user, the device compares the magic number
carried in the packet with that learned during LCP negotiation. If the two magic numbers are
the same, the user is considered online. Otherwise, the user is considered offline.
Procedure
Step 1 Run system-view
The PPP magic number check function is enabled so that the device compares the magic
number in a received Echo Reply packet with that learned during LCP negotiation.
----End
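The magic-number comparison described in the Context above, as an added example that is not Huawei's code: it builds and parses PPPoE session frames carrying LCP Echo packets (layouts per RFC 2516 and RFC 1661) and applies the online/offline verdict; the PppSession class, MAC addresses, session ID and magic numbers are constructed assumptions.

```python
# Added example, not Huawei's code: PPPoE/LCP Echo handling with the
# magic-number check. Sample MACs, session ID and magic numbers are constructed.
import struct
from typing import Optional, Tuple

ETHERTYPE_PPPOE_SESSION = 0x8864
PPPOE_VER_TYPE = 0x11          # version 1, type 1
PPPOE_CODE_SESSION = 0x00
PPP_PROTOCOL_LCP = 0xC021
LCP_ECHO_REQUEST = 9
LCP_ECHO_REPLY = 10


def build_lcp_echo(code: int, identifier: int, magic: int, data: bytes = b"") -> bytes:
    """LCP packet: Code, Identifier, Length, then the 4-byte Magic-Number and data."""
    body = struct.pack("!I", magic) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_pppoe_session_frame(dst_mac: bytes, src_mac: bytes, session_id: int,
                              ppp_protocol: int, ppp_payload: bytes) -> bytes:
    """Ethernet header + PPPoE session header + PPP protocol field + payload."""
    pppoe_payload = struct.pack("!H", ppp_protocol) + ppp_payload
    pppoe_header = struct.pack("!BBHH", PPPOE_VER_TYPE, PPPOE_CODE_SESSION,
                               session_id, len(pppoe_payload))
    ethernet = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    return ethernet + pppoe_header + pppoe_payload


def parse_lcp_echo_reply(frame: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (session_id, identifier, magic) for an LCP Echo-Reply, else None.
    Every length field is validated before it is trusted."""
    if len(frame) < 14 + 6 + 2 + 8:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_SESSION:
        return None
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE or code != PPPOE_CODE_SESSION:
        return None
    body = frame[20:20 + length]
    if len(body) != length or length < 2 + 8:
        return None
    if struct.unpack("!H", body[:2])[0] != PPP_PROTOCOL_LCP:
        return None
    lcp_code, identifier, lcp_length = struct.unpack("!BBH", body[2:6])
    if lcp_code != LCP_ECHO_REPLY or lcp_length < 8 or lcp_length > length - 2:
        return None
    magic = struct.unpack("!I", body[6:10])[0]
    return session_id, identifier, magic


class PppSession:
    """Per-user state the server keeps after LCP negotiation (constructed model)."""

    def __init__(self, session_id: int, peer_magic: int):
        self.session_id = session_id
        self.peer_magic = peer_magic   # Magic-Number learned from the client during LCP
        self.outstanding_identifier: Optional[int] = None

    def send_echo_request(self, identifier: int, own_magic: int) -> bytes:
        self.outstanding_identifier = identifier
        return build_lcp_echo(LCP_ECHO_REQUEST, identifier, own_magic)

    def keepalive_verdict(self, frame: bytes, magic_check: bool = True) -> str:
        """'online' when the reply's magic number equals the learned one,
        'offline' when it differs, 'ignored' when the frame is not an
        Echo-Reply answering this session's outstanding request."""
        parsed = parse_lcp_echo_reply(frame)
        if parsed is None or parsed[0] != self.session_id:
            return "ignored"
        _, identifier, magic = parsed
        if identifier != self.outstanding_identifier:
            return "ignored"
        if magic_check and magic != self.peer_magic:
            return "offline"
        self.outstanding_identifier = None
        return "online"


# Constructed sample values.
SERVER_MAC = bytes.fromhex("00e0fc000001")
CLIENT_MAC = bytes.fromhex("002673b5dfc8")
SESSION_ID = 0x0001
CLIENT_MAGIC = 0x1234ABCD


def client_echo_reply(identifier: int, magic: int) -> bytes:
    """What the client sends back: an Echo-Reply carrying its own magic number."""
    lcp = build_lcp_echo(LCP_ECHO_REPLY, identifier, magic)
    return build_pppoe_session_frame(SERVER_MAC, CLIENT_MAC, SESSION_ID, PPP_PROTOCOL_LCP, lcp)


def run_keepalive(reply_magic: int, magic_check: bool = True) -> str:
    """One keepalive round: the server sends Echo-Request 7, the client answers."""
    session = PppSession(SESSION_ID, CLIENT_MAGIC)
    session.send_echo_request(7, own_magic=0xDEADBEEF)
    return session.keepalive_verdict(client_echo_reply(7, reply_magic), magic_check)
```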
Context
On the network shown in Figure 10-4, service packets carry 802.1p values to identify their
priorities. The BRAS can identify service priorities based on the 802.1p values of received
Layer 2 service packets and transmit the service packets to corresponding VPNs. To allow
this, enable a BAS interface to transmit packets to different VPNs based on 802.1p priorities
of the packets and also bind VPN instances to different 802.1p priorities.
[Figure 10-4 diagram: HSI (802.1p 1), VoIP (802.1p 2) and iTV (802.1p 3) -> Layer 2 network -> BRAS -> VPN1 (802.1p 1), VPN2 (802.1p 2), VPN3 (802.1p 3); AAA/DHCP server attached to the BRAS]
Procedure
Step 1 Create a VPN instance. (Both user and service VPN instances must be configured.)
1. Run system-view
The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4
address family view is displayed.
4. Run route-distinguisher route-distinguisher
The binding between VPN instances and 802.1p priorities cannot be modified or deleted if the
BAS interface has online users.
4. Run quit
Return to the sub-interface view.
5. Run bas
The sub-interface is configured as a BAS interface, and the BAS interface view is
displayed.
6. Run access-type layer2-subscriber [ default-domain { authentication [ force |
replace ] dname | pre-authentication predname } * | bas-interface-name bname |
accounting-copy radius-server rd-name ] *
The access type of the BAS interface is configured as Layer 2 subscriber access.
7. Run authentication-method { bind | { fast | web } }
An authentication method is configured for the BAS interface.
8. Run 802.1p-to-vpn
The BAS interface is enabled to transmit packets to different VPNs based on the 802.1p
priorities of the packets.
9. Run quit
Return to the sub-interface view.
10. Run quit
Return to the system view.
Step 5 Configure a network-side ACL and define redirection for the ACL.
1. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } |
[ number ] basic-acl-number } [ match-order { config | auto } ]
A basic ACL is created.
2. Run rule [ rule-id ] { deny | permit } [ fragment-type { fragment | non-fragment |
non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address
The VPN instance bound to the sub-interface must be the service VPN instance created
in Step 1.
4. Run ip address ip-address { mask | mask-length }
----End
Context
On the network shown in Figure 10-5, a CPE uses PPPoE dialup to obtain an IP address from
a BRAS. By default, the CPE can use the IP address to establish a BGP connection with the
BRAS, and the BRAS can learn the BGP route from the CPE. However, traffic cannot be
forwarded through the BGP route. After BGP route forwarding is enabled between a CPE and
BRAS, access user information is added to information about the BGP routes with the next
hops being the IP addresses of PPPoE users, allowing traffic to be forwarded through the BGP
route between the CPE and BRAS.
[Figure 10-5 diagram: user1 and user2 -> CPE -> BRAS -> Internet]
Procedure
Step 1 Run system-view
----End
Procedure
l Run the display pppoe statistics command to check statistics about PPPoE packets and
authentication messages.
l Run the display pppoe statistics online-fail-record command to check statistics about
PPPoE user login failures due to the limit on the number of access users (configured
using the access-ip-limit command).
----End
Example
Run the display pppoe statistics command to view PPPoE packet statistics on the board in
slot 1.
<HUAWEI> display pppoe statistics slot 1
---------------------------------------------------------------------
PPPoE Statistic Information
Slot: 1
---------------------------------------------------------------------
ACTIVE_SESSION : 3 TOTAL_SESSION : 3
RECV_PADI_PKT : 6 DISCARD_PADI_PKT : 2
SEND_PADO_PKT : 4
RECV_PADR_PKT : 4 DISCARD_PADR_PKT : 1
SEND_PADS_PKT : 3 DISCARD_PADR_SAMEMAC: 0
SEND_NULL_PADS_PKT : 0
RECV_PADT_PKT : 0 DISCARD_PADT_PKT : 0
SEND_PADT_PKT : 0
SEND_PADM_PKT : 0
SEND_PADM_URL_PKT : 0
SEND_PADM_MOTM_PKT : 0
SEND_PADN_PKT : 0
RECV_SESSION_PKT : 9 DISCARD_SESSION_PKT : 0
SEND_SESSION_PKT : 9
RECV_PKT : 19 DISCARD_PKT : 3
---------------------------------------------------------------------
Invalid PAD Packets
---------------------------------------------------------------------
Invalid Version : 0
Invalid PAD Code : 0
Invalid PAD Tags : 0
Invalid PAD Tag length : 0
Invalid PAD Type : 0
Invalid PADI Session : 0
Invalid PADR Session : 0
Invalid PAD packet length : 0
Other Invalid PAD packets : 0
Total Invalid PAD packets : 0
---------------------------------------------------------------------
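As an added example (not Huawei's code), the following parses the text of the display pppoe statistics output shown above and applies simple health thresholds: the sample output is a constructed copy of the format above, and the threshold values are assumptions to adjust per network.

```python
# Added example, not Huawei's code: parse display pppoe statistics output and
# flag discard ratios and malformed PAD packets. The sample text is constructed
# to mirror the format above; thresholds are assumed values.
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
---------------------------------------------------------------------
PPPoE Statistic Information
Slot: 1
---------------------------------------------------------------------
ACTIVE_SESSION : 3 TOTAL_SESSION : 3
RECV_PADI_PKT : 6 DISCARD_PADI_PKT : 2
SEND_PADO_PKT : 4
RECV_PADR_PKT : 4 DISCARD_PADR_PKT : 1
SEND_PADS_PKT : 3 DISCARD_PADR_SAMEMAC: 0
SEND_NULL_PADS_PKT : 0
RECV_PADT_PKT : 0 DISCARD_PADT_PKT : 0
RECV_SESSION_PKT : 9 DISCARD_SESSION_PKT : 0
SEND_SESSION_PKT : 9
RECV_PKT : 19 DISCARD_PKT : 3
---------------------------------------------------------------------
Invalid PAD Packets
---------------------------------------------------------------------
Invalid Version : 0
Invalid PAD Code : 0
Invalid PAD Tag length : 0
Other Invalid PAD packets : 0
Total Invalid PAD packets : 0
---------------------------------------------------------------------
"""

# A counter name is an upper-case identifier or a run of words; one line may
# carry two counters ("name : value name : value").
COUNTER_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_ ]*?)\s*:\s*(\d+)")


def parse_pppoe_statistics(text: str) -> Dict[str, int]:
    """Map every counter name in the output to its integer value."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        if line.startswith("---"):
            continue
        for name, value in COUNTER_RE.findall(line):
            stats[name.strip()] = int(value)
    return stats


def ratio(stats: Dict[str, int], numerator: str, denominator: str) -> float:
    """numerator / denominator, or 0.0 when the denominator is absent or zero."""
    denom = stats.get(denominator, 0)
    return stats.get(numerator, 0) / denom if denom else 0.0


def pppoe_findings(stats: Dict[str, int], padi_discard_max: float = 0.25,
                   pkt_discard_max: float = 0.10) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    padi = ratio(stats, "DISCARD_PADI_PKT", "RECV_PADI_PKT")
    if padi > padi_discard_max:
        findings.append(f"PADI discard ratio {padi:.2f} above {padi_discard_max}")
    pkt = ratio(stats, "DISCARD_PKT", "RECV_PKT")
    if pkt > pkt_discard_max:
        findings.append(f"overall discard ratio {pkt:.2f} above {pkt_discard_max}")
    if stats.get("DISCARD_PADR_SAMEMAC", 0) > 0:
        findings.append("PADR discarded for a repeated MAC: review the per-MAC session limit")
    if stats.get("Total Invalid PAD packets", 0) > 0:
        findings.append("malformed PAD packets received on this slot")
    return findings


if __name__ == "__main__":
    for finding in pppoe_findings(parse_pppoe_statistics(SAMPLE_OUTPUT)):
        print(finding)
```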
Run the display pppoe statistics online-fail-record command to view statistics about PPPoE
user login failures due to access IP limit.
<HUAWEI> display pppoe statistics online-fail-record slot 3
---------------------------------------------------------------------
---------------------------------------------------------------------
Context
The address allocation mode varies according to the CPE working mode. For details, see the
following table.
CPE Working Mode | Scenario | IPv6 Address Configuration Mode
NOTE
l Layer 2 IPv6 leased-line access corresponds to the situation where the CPE works in unnumbered or
numbered routing mode.
l Layer 3 users of a leased line obtain their addresses from the access router. The NE40E is in charge
of only authentication and accounting, not address allocation.
If an IPv4 network is upgraded to an IPv6 network, the CPE working mode and authentication
mode do not need to be changed unless there are special service requirements. In PPP
authentication mode, either ND or DHCPv6 can be used for address allocation. In bind
authentication mode, using DHCPv6 for address allocation is recommended. In 802.1X or
Web authentication mode, using DHCPv6 for address allocation is recommended if user
terminals support DHCPv6.
In addition to choosing an address allocation mode, perform the following steps on the
NE40E if needed:
Procedure
Step 1 Run system-view
The IP type that is used for the services of users logging in from the domain is specified. If
address allocation of the specified IP type fails, users are not allowed to log in.
The ppp address-release separate and any-address-release offline commands are mutually
exclusive.
The ppp address-release separate command takes effect for both PPPoX and L2TP users.
----End
Context
Layer 2 protocols, such as PPP, can communicate only over a virtual access (VA) session. A
VA session, however, cannot be manually created or configured. Instead, a VA session is
automatically generated after PPPoE services are configured and PPPoE parameters are
configured in a VT.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface virtual-template virtual-template-number
A VT is created and its view is displayed, or the view of an existing VT is displayed.
----End
Context
After a VT is configured, bind it to an interface. The type of the interface to which a VT is
bound varies depending on the user access type.
l The VT configured for PPPoE services must be bound to a main interface.
l The VT configured for PPPoEoVLAN services must be bound to a sub-interface.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ . subinterface-number ]
The interface or sub-interface view is displayed.
Specify a main interface for PPPoE access users and a sub-interface for PPPoEoVLAN access
users.
Step 3 Run pppoe-server bind virtual-template vt-number
A VT is bound to the interface.
Step 4 Run commit
The configuration is committed.
----End
Context
If users access the network by using a sub-interface, the sub-interface needs to be bound to a
VLAN.
You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding
a sub-interface to a VLAN, you need the following parameters:
l Sub-interface number
l VLAN ID
l QinQ ID
NOTE
l On each main interface, you can set the user-vlan any-other on only one sub-interface. On one
sub-interface, user-vlan any-other cannot be set together with user-vlan start-vlan nor user-vlan qinq.
l The user-vlan command cannot be configured on a sub-interface of a Layer 2 interface.
l If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a
sub-interface, the user-vlan cannot be configured on this sub-interface.
l Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number.subinterface-number
A sub-interface is created and the sub-interface view is displayed.
Step 3 Run user-vlan { start-vlan [ end-vlan ] [ qinq start-qinq-id [ end-qinq-id ] ] | any-other }
A user-side VLAN is created.
Step 4 Run commit
The configuration is committed.
----End
Context
When configuring a BAS interface, you need the following parameters:
l BAS interface number
l Access type and authentication scheme
l Specified domains for the BAS interface
– Default authentication domain
If no domain name is entered during user authentication, the NE40E regards the
user as a member in the default authentication domain by default.
– Roaming domain
The roaming domain is used for users whose domain names are unidentified. If a
user enters an unidentified domain name during authentication, the NE40E
classifies the user as a roaming domain user and conducts the following
authentication.
– Domain for user access
If a domain for user access is specified on a BAS interface, users can log in to the
NE40E from the domain. If they log in to the NE40E from other domains, the
NE40E will deny their access requests.
– Domain denying user access
If a domain denying user access is specified on a BAS interface, users cannot log in
to the NE40E from the domain. If they log in to the NE40E from other domains, the
NE40E will accept their access requests.
l Additional functions of the BAS interface
– Access triggered by IPv6 packets
– Access triggered by NS or NA packets
– BAS interface name
Knowing the BAS interface name facilitates memorization and management.
– Accounting packet copy
The accounting packet copy function sends accounting information to two RADIUS
servers at the same time and waits for their responses. The function is used when
original accounting information needs to be stored on multiple devices (for
example, the multi-carrier networking scenario). After the function is configured,
accounting packets are sent to two RADIUS servers simultaneously (as the original
accounting information) to facilitate later account settlement.
l Packet processing mode
– access-line-id
On a broadband telecommunication network, the DSLAM obtains DHCP packets
and adds access-line-id information to them. access-line-id records information
about the user's physical interface. As the access-line-id information is transmitted
to the NE40E, DHCP server, and RADIUS server, the devices are informed of the
user location. The management system then implements proper security and address
allocation strategies based on the user location information.
– link-account
If only RADIUS accounting is used, the RADIUS accounting server uses
VLAN/PVC descriptions to identify common Layer 2 users and uses interface
descriptions to identify Layer 3 leased line users. The BRAS encapsulates the
descriptions into the Class attribute and sends them to the RADIUS accounting server.
Perform the following steps on the NE40E.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
Step 3 Run bas
A BAS interface is created, and the BAS interface view is displayed.
You can configure an interface as the BAS interface by running the bas command in the
interface view. An Ethernet interface or its sub-interface, or an Eth-Trunk interface or its
sub-interface can be set to a BAS interface.
----End
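The access-line-id described in the BAS interface context above is line information that the access node (DSLAM) inserts into the user's DHCP packets so that the BRAS, DHCP server and RADIUS server learn the user's physical location. The following Python parser is an added example and is not part of this Huawei document or of the NE40E software. It assumes that the line id travels in the DHCP Relay Agent Information option (option 82, RFC 3046) as the Agent Circuit ID and Agent Remote ID sub-options, uses constructed DHCP option payloads, and applies a hypothetical length and printability bound (MAX_ID_LEN) before a location key is derived. The location key format mirrors the "circuitid:... remoteid:..." form used in the display ppp output later in this section. The point for a practitioner is that location-based security and address allocation should only be driven by a complete, well-formed line id; a packet that arrives without one, or with a truncated or binary one, should not be trusted for that purpose.

```python
# Added example: parse the DHCP Relay Agent Information option (option 82, RFC 3046)
# that carries the access-line-id, and derive a user location only from a well-formed id.
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
MAX_ID_LEN = 64  # hypothetical bound; size it to the access nodes actually deployed


def _parse_tlvs(buf: bytes, end_code=None, pad_code=None) -> dict:
    """Generic code/length/value walk shared by the options area and the option 82 body."""
    out = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == end_code:
            break
        if code == pad_code:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError(f"truncated header for code {code}")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for code {code}")
        out[code] = value
        i += 2 + length
    return out


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the DHCP options area (what follows the 236-byte fixed header)."""
    if payload[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    return _parse_tlvs(payload[4:], end_code=OPT_END, pad_code=OPT_PAD)


def parse_access_line_id(opt82: bytes) -> dict:
    """Split option 82 into its sub-options and return the two line identifiers."""
    subs = _parse_tlvs(opt82)
    return {"circuit_id": subs.get(SUBOPT_CIRCUIT_ID), "remote_id": subs.get(SUBOPT_REMOTE_ID)}


def _well_formed(value: bytes) -> bool:
    # Non-empty, bounded, printable ASCII: anything else is not a usable line id.
    return 0 < len(value) <= MAX_ID_LEN and all(32 <= b < 127 for b in value)


def user_location(payload: bytes):
    """Return a location key only when a complete, printable line id is present, else None."""
    opts = parse_dhcp_options(payload)
    if OPT_RELAY_AGENT_INFO not in opts:
        return None  # no access-line-id: do not apply location-based policy to this user
    ids = parse_access_line_id(opts[OPT_RELAY_AGENT_INFO])
    cid, rid = ids["circuit_id"], ids["remote_id"]
    if cid is None or rid is None or not _well_formed(cid) or not _well_formed(rid):
        return None
    return f"circuitid:{cid.decode('ascii')} remoteid:{rid.decode('ascii')}"


def build_options(options) -> bytes:
    """Build a DHCP options area (cookie + TLVs + END) for the constructed samples."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    for code, value in options:
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def build_access_line_id(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode the two option 82 sub-options the way an access node would insert them."""
    return (bytes((SUBOPT_CIRCUIT_ID, len(circuit_id))) + circuit_id
            + bytes((SUBOPT_REMOTE_ID, len(remote_id))) + remote_id)


# Constructed samples (not captured traffic): a DHCP DISCOVER that passed through an
# access node, one that did not, and one whose circuit id is binary rather than printable.
TAGGED_DISCOVER = build_options([(OPT_MSG_TYPE, b"\x01"),
                                 (OPT_RELAY_AGENT_INFO, build_access_line_id(b"123", b"abcde"))])
UNTAGGED_DISCOVER = build_options([(OPT_MSG_TYPE, b"\x01")])
BINARY_ID_DISCOVER = build_options([(OPT_MSG_TYPE, b"\x01"),
                                    (OPT_RELAY_AGENT_INFO, build_access_line_id(b"\x00\x01", b"abcde"))])

if __name__ == "__main__":
    for name, sample in (("tagged", TAGGED_DISCOVER), ("untagged", UNTAGGED_DISCOVER),
                         ("binary id", BINARY_ID_DISCOVER)):
        print(name, "->", user_location(sample))
```

Only user_location's result should feed a location-based policy; the raw sub-option bytes are exposed by parse_access_line_id for logging and troubleshooting, not for decisions.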
Context
IPv6 network segment routes and address pool routes are classified based on tags and
imported using routing policies. This process allows various routes to be advertised to specific
networks. IPv6 network segment routes are generated based on Delegated-IPv6-Prefix
attributes that are delivered by a RADIUS server.
Procedure
l Configure a tag value of a route for a specified type of address pool, such as local or
remote address pools.
a. Run system-view
----End
Follow-up Procedure
Create a routing policy. Specify a route tag to classify routes. Use OSPFv3 or BGP+ to import
different routes. For details, see Routing Policy Configuration.
Context
After a PPPoE user goes online, the device periodically sends Echo Request packets to the
client.
When receiving an Echo Reply packet from the user, the device compares the magic number
carried in the packet with that learned during LCP negotiation. If the two magic numbers are
the same, the user is considered online. Otherwise, the user is considered offline.
Procedure
Step 1 Run system-view
The PPP magic number check function is enabled so that the device compares the magic
number in a received Echo Reply packet with that learned during LCP negotiation.
----End
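The keepalive behaviour described above (periodic Echo Requests, and an Echo Reply whose magic number must match the one learned during LCP negotiation) is shown below as an added Python model with both sides of the exchange. It is an example written for this page, not code from the Huawei document or the NE40E software. It assumes the LCP Echo-Request/Echo-Reply layout of RFC 1661 (code, identifier, length, then the sender's 4-byte magic number), a hypothetical PppKeepalive class for the device side, and a retransmit limit that mirrors the "Retransmit Times :10" value in the display ppp user-id output later in this section. The magic_check flag models the function this procedure enables: with it on, a reply carrying the wrong magic number takes the user offline instead of keeping a stale or mismatched session alive.

```python
import struct
from dataclasses import dataclass

# LCP code values from RFC 1661 (PPP); echo packets carry the sender's magic number.
LCP_ECHO_REQUEST = 9
LCP_ECHO_REPLY = 10
LCP_HEADER = struct.Struct("!BBHI")  # code, identifier, length, magic number


def build_lcp_echo(code: int, identifier: int, magic: int, data: bytes = b"") -> bytes:
    """Build an LCP Echo-Request or Echo-Reply (header + magic number + optional data)."""
    return LCP_HEADER.pack(code, identifier, LCP_HEADER.size + len(data), magic) + data


def parse_lcp_echo(packet: bytes):
    """Return (code, identifier, magic, data); reject malformed or non-echo packets."""
    if len(packet) < LCP_HEADER.size:
        raise ValueError("LCP packet shorter than header plus magic number")
    code, identifier, length, magic = LCP_HEADER.unpack_from(packet)
    if code not in (LCP_ECHO_REQUEST, LCP_ECHO_REPLY):
        raise ValueError(f"not an LCP echo packet: code {code}")
    if length < LCP_HEADER.size or length > len(packet):
        raise ValueError("LCP length field inconsistent with packet size")
    return code, identifier, magic, packet[LCP_HEADER.size:length]


def client_echo_reply(request: bytes, client_magic: int) -> bytes:
    """Client side: answer an Echo-Request with an Echo-Reply carrying the client's own magic."""
    code, identifier, _, data = parse_lcp_echo(request)
    if code != LCP_ECHO_REQUEST:
        raise ValueError("only Echo-Requests are answered")
    return build_lcp_echo(LCP_ECHO_REPLY, identifier, client_magic, data)


@dataclass
class PppKeepalive:
    """Device-side keepalive state for one PPPoE session (hypothetical model)."""
    peer_magic: int             # magic number learned from the client during LCP negotiation
    retransmit_times: int = 10  # unanswered Echo-Requests tolerated before the user is offline
    magic_check: bool = True    # the PPP magic number check this procedure enables
    next_id: int = 0
    missed: int = 0
    online: bool = True

    def send_echo_request(self, local_magic: int) -> bytes:
        """Device side: build the periodic Echo-Request with the device's own magic number."""
        self.next_id = (self.next_id + 1) & 0xFF
        return build_lcp_echo(LCP_ECHO_REQUEST, self.next_id, local_magic)

    def echo_timeout(self) -> bool:
        """Called when an Echo-Request went unanswered; returns whether the user stays online."""
        self.missed += 1
        if self.missed >= self.retransmit_times:
            self.online = False
        return self.online

    def receive_echo_reply(self, packet: bytes) -> str:
        """Compare the reply's magic number with the negotiated one, as the section describes."""
        code, identifier, magic, _ = parse_lcp_echo(packet)
        if code != LCP_ECHO_REPLY or identifier != self.next_id:
            return "ignored"  # not a reply to our latest request
        if self.magic_check and magic != self.peer_magic:
            self.online = False
            return "offline: magic number mismatch"
        self.missed = 0
        self.online = True
        return "online"


if __name__ == "__main__":
    # Constructed exchange: the peer magic number below is the one shown in this section's
    # display ppp user-id output; the device's own magic number is made up.
    session = PppKeepalive(peer_magic=0x2A954E9B)
    request = session.send_echo_request(0x11223344)
    print(session.receive_echo_reply(client_echo_reply(request, 0x2A954E9B)))
    print(session.receive_echo_reply(client_echo_reply(request, 0xDEADBEEF)))
```

The identifier check is what keeps a late reply to an older request from being counted; the magic number check is what the section's procedure adds on top of that.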
Procedure
l Run the display access-user command to check information about all access users. You
can specify the command parameters to view the specific user information.
l Run the display sub-interface interface-type interface-number pevlan pe-vlan-id
[ cevlan ce-vlan-id ] command to check information about a sub-interface bound to a
specified VLAN on an interface.
l Run the display bas-interface command to check information about the BAS interface.
l Run the display vlan-statistics interface interface-type interface-number.subinterface-number
pevlan pe-vlan-id [ cevlan ce-vlan-id ] [ verbose ] command to check statistics
about traffic and PPP packets on a specified sub-interface bound to a specified VLAN.
NOTE
Configuring the ui-mode type1 command in the system view influences the output format of the
display command.
----End
Example
Run the display access-user command. If the IPoEv6 access service is configured
successfully, you can view information about all access users.
<HUAWEI> display access-user
------------------------------------------------------------------------------
Total users : 9
IPv4 users : 9
IPv6 users : 0
Dual-Stack users : 0
Lac users : 0
RUI local users : 0
RUI remote users : 0
Wait authen-ack : 0
Authentication success : 9
Accounting ready : 9
Accounting state : 0
Wait leaving-flow-query : 0
Wait accounting-start : 0
Wait accounting-stop : 0
Wait authorization-client : 0
Wait authorization-server : 0
------------------------------------------------------------------------------
Domain-name Online-user
------------------------------------------------------------------------------
default0 : 0
default1 : 0
default_admin : 0
wq : 0
chen : 0
isp7 : 0
gaoli : 0
ly : 0
test : 0
lsh : 9
------------------------------------------------------------------------------
The used CID table are :
20-28
------------------------------------------------------------------------------
Run the display sub-interface interface-type interface-number pevlan pe-vlan-id [ cevlan ce-vlan-id ]
command to view information about the sub-interface bound to VLAN 1000 on Eth-Trunk 11.
<HUAWEI> display sub-interface Eth-Trunk11 pevlan 1000
Sub-interface: Eth-Trunk11.1000
Sub-interface-status: UP
PeVlan/CeVlan: 1000/0
The BAS function has been enabled
Run the display bas-interface command to view brief information about all BAS
interfaces.
<HUAWEI> display bas-interface
---------------------------------------------------------------------------
Interface BASIF-access-type config-state access-number
---------------------------------------------------------------------------
Eth-Trunk0 Layer2-subscriber Updated 0
Eth-Trunk0.1 Layer2-subscriber Updated 1
Eth-Trunk0.1234 Layer2-subscriber Updated 0
----------------------------------------------------------------------
Total 3 BASIF is configured
Run the display ppp slot slot-number chasten-user command to view information
about the users that are forbidden to access the interface board in slot 1.
<HUAWEI> system-view
[HUAWEI] display ppp slot 1 chasten-user
------------------GLOBAL PPP CHASTEN USERS SLOT 1 ---------------------
To be possibly blocked User Num: 0 (online-fail)
To be possibly blocked User Num: 0 (quick-offline)
To be possibly blocked User Num by Option105: 0 (online-fail)
To be possibly blocked User Num by Option105: 1 (quick-offline)
(1):MAC 00-02-01-01-01-01 Option105(circuitid:123 remoteid:abcde) will be free
after 89s (quick-offline)
Blocked User Num : 0 (online-fail)
Blocked User Num : 1 (quick-offline)
------------------PPPOE VLAN CHASTEN USERS SLOT 1 ---------------------
To be possibly blocked User Num: 0 (online-fail)
To be possibly blocked User Num: 0 (quick-offline)
To be possibly blocked User Num by Option105: 0 (online-fail)
To be possibly blocked User Num by Option105: 0 (quick-offline)
Blocked User Num : 0 (online-fail)
Blocked User Num : 0 (quick-offline)
If the ui-mode type1 command is not configured, run the display ppp user-id user-id
command to display PPP configurations.
<HUAWEI> display ppp user-id 100
--------------------------------------------------------------------------
Basic information of user
--------------------------------------------------------------------------
User Name :huawei@test1
Session ID :1
User Mac :0016-ecaa-975b
Interface :Eth-Trunk3.409
PeVlan/CeVlan :409/0
VPI/VCI :0/0
IP :10.0.0.200
Gateway :10.0.0.1
User IP Netmask(Client) :255.255.255.0
User IP Netmask(Radius):255.255.255.128
User IP Netmask(Result) :255.255.255.128
Primary DNS :0.0.0.0
Second DNS :0.0.0.0
IPV6 Interface IDType :AUTO
IPv6 Local InterfaceID :2e0:fcff:fe5f:d7ae
IPv6 Peer InterfaceID :216:ec0:1aa:975b
--------------------------------------------------------------------------
LCP information
--------------------------------------------------------------------------
Authentication :CHAP
MTU :1480
MRU :1492
MagicNumber :0x2a954e9b
CalledNumber :
CallingNumber :
Keep Alive Time :300
Retransmit Times :10
--------------------------------------------------------------------------
LAC-LNS information
--------------------------------------------------------------------------
Lac-PeerIp :0.0.0.0
Lac-PeerTunnelId :0
Lac-PeerSessionId :0
Lac-LocalIp :0.0.0.0
Lac-LocalTunnelId :0
Lac-LocalSessionId :0
Lac-SrcUDPPort :0
Lac-DstUDPPort :0
Lns-PeerIp :0.0.0.0
Lns-PeerTunnelId :0
Lns-PeerSessionId :0
Lns-LocalIp :0.0.0.0
Lns-LocalTunnelId :0
Lns-LocalSessionId :0
Lns-SrcUDPPort :0
Lns-DstUDPPort :0
--------------------------------------------------------------------------
Procedure
l Run the reset pppoe statistics { slot slot-id | interface interface-type interface-number }
command to clear PPPoE packet statistics.
l Run the reset pppoe statistics online-fail-record { slot slot-id } command to clear
statistics about PPPoE user login failures due to access IP limit (maximum number of
access users).
----End
Networking Requirements
On the network shown in Figure 10-6, subscriber1 belongs to VLAN1, and subscriber2
belongs to VLAN2. The network-side interface on the Router is GE 0/1/1. To allow
subscriber1 and subscriber2 to use IPv4 addresses to go online, configure PPPoEoVLAN
access. The requirements are as follows:
l Subscribers belong to domain isp1 and use PPPoEoVLAN to go online through GE
0/1/2.1 on the Router. The LAN switch marks the priorities of user packets from VLAN1
and VLAN2.
l RADIUS authentication and accounting are used.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port number
is 1645, and the accounting port number is 1646. RADIUS+1.1 is used, with the
password hello.
l The IP address of the DNS server is 192.168.7.252.
Figure 10-6 Networking for configuring PPPoEoVLAN access for IPv4 users
NOTE
Interfaces 1 and 2 in this example are GE0/1/1 and GE0/1/2.1, respectively.
[Figure 10-6: subscriber1@isp1 in VLAN1 and subscriber2@isp1 in VLAN2 reach the Device through interface2; interface1 (192.168.7.1/24) connects the Device to the Internet]
Configuration Roadmap
1. Configure a VT.
2. Configure AAA schemes.
3. Configure a RADIUS server group.
4. Configure an IPv4 address pool.
5. Configure a domain.
6. Bind the VT to a sub-interface.
7. Configure a BAS interface.
Data Preparation
l VT number
l Authentication and accounting schemes and their names
l RADIUS server group name and server address
l DNS server address
l User domain
l BAS interface parameters
Procedure
Step 1 Configure a VT.
<HUAWEI> system-view
[~HUAWEI] interface virtual-template 1
[*HUAWEI-Virtual-Template1] ppp authentication-mode chap
[*HUAWEI-Virtual-Template1] quit
[*HUAWEI] commit
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] section 0 10.82.0.2 10.82.0.200
[*HUAWEI-ip-pool-pool1] dns-server 192.168.7.252
[*HUAWEI-ip-pool-pool1] quit
[*HUAWEI] commit
Step 7 Configure user VLANs on the sub-interface and bind the VT to it.
# Configure user VLANs on GE 0/1/2.1 and bind the VT to it.
[~HUAWEI] interface gigabitethernet 0/1/2.1
[*HUAWEI] commit
[~HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 2
[*HUAWEI-GigabitEthernet0/1/2.1-vlan-1-2] quit
[*HUAWEI-GigabitEthernet0/1/2.1] pppoe-server bind virtual-template 1
[*HUAWEI] commit
NOTE
In this example, users go online with the domain name isp1 being carried in the user name. Therefore,
the BAS interface does not need to have any authentication domain configured. If users go online
without the domain name being carried in the user name, you must specify an authentication domain on
the BAS interface.
DNS1 :192.168.7.252
Position : Local Status : Unlocked
Gateway : 10.82.0.1 Mask : 255.255.0.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT(conflicted)
---------------------------------------------------------------------------
ID start end total used idle CFLCT disable reserved
---------------------------------------------------------------------------
0 10.82.0.2 10.82.0.200 98 0 98 0 0 0
---------------------------------------------------------------------------
# Check information about the domain named isp1. The command output shows that the
address pool named pool1 is bound to the domain.
<HUAWEI> display domain isp1
------------------------------------------------------------------------------
Domain-name : isp1
Domain-state : Active
Authentication-scheme-name : auth1
Accounting-scheme-name : acct1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : rd5
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IPv6-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IP-address-pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
------------------------------------------------------------------------------
----End
Configuration Files
#
sysname HUAWEI
#
radius-server group rd1
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
radius-server type plus11
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/2
#
interface GigabitEthernet0/1/2.1
pppoe-server bind Virtual-Template 1
user-vlan 1 2
bas
access-type layer2-subscriber
#
interface GigabitEthernet0/1/1
ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
gateway 10.82.0.1 255.255.255.0
section 0 10.82.0.2 10.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
#
return
Networking Requirements
On the network shown in Figure 10-7, to allow the IPv6 user to go online, configure PPPoE
access. The requirements are as follows:
l The subscriber belongs to domain isp5 and uses PPPoE to go online through GE 0/1/2.1
on the Router.
l RADIUS authentication and accounting are used.
l The IP address of the RADIUS server is 3001:0410::1:1. The authentication port number
is 1645, and the accounting port number is 1646. RADIUS+1.1 is used, with the
password hello.
l The DNS server address is 3001:0410::1:2.
[Figure 10-7: subscriber1@isp5 on the access network reaches the Device through interface2; interface1 (2011::1/64) connects the Device to the Internet]
Configuration Roadmap
1. Configure a VT.
2. Configure AAA schemes.
3. Configure a RADIUS server group.
4. Configure a local IPv6 prefix pool.
5. Configure a local IPv6 address pool and bind the address pool to the prefix pool.
6. Configure an AAA domain and bind it to the IPv6 address pool.
7. Configure interfaces.
Data Preparation
l VT number
l Authentication and accounting schemes and their names
l RADIUS server group name and server address
l Start and end VLAN IDs of GE 0/1/2.1
l Local prefix pool name
l Assignable IPv6 prefixes and prefix lengths
l Local address pool name
l Domain name
Procedure
Step 1 Configure a VT.
<HUAWEI> system-view
[~HUAWEI] interface virtual-template 5
[*HUAWEI-Virtual-Template5] ppp authentication-mode chap
[*HUAWEI-Virtual-Template5] quit
[*HUAWEI] commit
# Check information about the address pool named pool1. The command output shows that
the address pool is a user-side local address pool and it is bound to the local prefix pool
named pre1.
<HUAWEI> display ipv6 pool pool1
----------------------------------------------------------------------
Pool name : pool1
Pool No : 4
Pool-constant-index :-
Pool type : BAS LOCAL
Preference : 0
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : 0 Days 0 Hours 0 Minutes
Used by domain : 1
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : 3001:0410::1:2
Dns server slave : -
AFTR name : -
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 LOCAL
----------------------------------------------------------------------
# Check information about the domain named isp5. The command output shows that the
domain is bound to the IPv6 address pool named pool1.
<HUAWEI> display domain isp5
------------------------------------------------------------------------------
Domain-name : isp5
Domain-state : Active
Authentication-scheme-name : auth5
Accounting-scheme-name : acct5
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
RADIUS-server-template : rd5
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IPv6-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IPv6-Pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
------------------------------------------------------------------------------
----End
Configuration Files
#
sysname HUAWEI
#
ipv6
#
radius-server group rd5
radius-server authentication 3001:0410::1:1 1645 weight 0
radius-server accounting 3001:0410::1:1 1646 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
interface Virtual-Template5
ppp authentication-mode chap
#
ipv6 prefix pre1 local
prefix 2010:2021::/64
#
ip pool pool1 bas local
prefix pre1
dns-server 3001:0410::1:2
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme auth5
authentication-mode radius
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme acct5
accounting-mode radius
#
domain isp5
authentication-scheme auth5
accounting-scheme acct5
ipv6-pool pool1
radius-server group rd5
#
#
interface GigabitEthernet0/1/2.1
pppoe-server bind Virtual-Template 5
ipv6 enable
ipv6 address auto link-local
bas
access-type layer2-subscriber default-domain authentication isp5
#
interface GigabitEthernet0/1/1
ipv6 enable
ipv6 address 2011::1/64 eui-64
ipv6 address auto link-local
#
return
Networking Requirements
On the network in Figure 10-8, to allow the IPv4/IPv6 dual-stack user to go online, configure
PPPoE access. The requirements are as follows:
l The subscriber belongs to domain isp5 and uses PPPoE to go online through GE 0/1/2 on
the Device.
l RADIUS authentication and accounting are used.
l The IP address of the RADIUS server is 10.6.55.55. The authentication port number is
1645, and the accounting port number is 1646. The standard RADIUS protocol is used,
with the password hello.
l The IP addresses of the two DNS servers are 3001:0410::1:2 and 10.10.10.1,
respectively.
Figure 10-8 Networking for configuring PPPoE access for IPv4/IPv6 dual-stack users
NOTE
Interfaces 1 and 2 in this example are GE0/1/1 and GE0/1/2, respectively.
[Figure 10-8: subscriber@isp5 on the access network reaches the Device through interface2; interface1 (2011::1/64) connects the Device to the Internet]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VT.
2. Configure AAA schemes.
3. Configure a RADIUS server group.
4. Configure a local IPv4 address pool.
5. Configure a local IPv6 prefix pool.
6. Configure a local IPv6 address pool and bind the prefix pool to the address pool.
7. Configure an AAA domain and bind the IPv4 and IPv6 address pools to the domain.
8. Configure interfaces.
Data Preparation
To complete the configuration, you need the following data:
l VT number
Procedure
Step 1 Configure a VT.
<HUAWEI> system-view
[~HUAWEI] interface virtual-template 5
[*HUAWEI-Virtual-Template5] ppp authentication-mode chap
[*HUAWEI-Virtual-Template5] quit
[*HUAWEI] commit
[*HUAWEI-ipv6-pool-pool1] quit
[*HUAWEI] commit
DNS1 :10.10.10.1
Position : Local Status : Unlocked
Gateway : 10.10.10.2 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT(conflicted)
---------------------------------------------------------------------------
ID start end total used idle CFLCT disable reserved
---------------------------------------------------------------------------
0 10.10.10.3 10.10.10.100 98 0 98 0 0 0
---------------------------------------------------------------------------
# Check information about the prefix pool named pre1. The command output shows that the
prefix pool is a local prefix pool and the prefix address is 2010:2021::/64.
<HUAWEI> display ipv6 prefix pre1
-------------------------------------------------------------
Prefix Name : pre1
Prefix Index : 4
Prefix constant index: -
Prefix Type : LOCAL
Prefix Address : 2010:2021::
Prefix Length : 64
Reserved Type : NONE
Valid Lifetime : 3 Days 0 Hours 0 Minutes
Preferred Lifetime: 2 Days 0 Hours 0 Minutes
IfLocked : Unlocked
Vpn instance : -
Conflict address : -
Free Prefix Count : 262144
Used Prefix Count : 0
Reserved Prefix Count: 0
-------------------------------------------------------------
# Check information about the address pool named pool1. The command output shows that
the address pool is a user-side local address pool and it is bound to the local prefix pool
named pre1.
<HUAWEI> display ipv6 pool pool1
----------------------------------------------------------------------
Pool name : pool1
Pool No : 4
Pool-constant-index :-
Pool type : BAS LOCAL
Preference : 0
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : 0 Days 0 Hours 0 Minutes
Used by domain : 1
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : -
Dns server slave : -
AFTR name : -
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 LOCAL
----------------------------------------------------------------------
# Check information about the domain named isp5. The command output shows that the IPv6
address pool named pool1 and the IPv4 address pool named pool2 are bound to the domain.
<HUAWEI> display domain isp5
------------------------------------------------------------------------------
Domain-name : isp5
Domain-state : Active
Authentication-scheme-name : auth5
Accounting-scheme-name : acct5
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : rd5
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IPv6-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IP-address-pool-name : pool2
IPv6-Pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
------------------------------------------------------------------------------
----End
Configuration Files
#
sysname HUAWEI
#
#
radius-server group rd5
radius-server authentication 10.6.55.55 1645 weight 0
radius-server accounting 10.6.55.55 1646 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
interface Virtual-Template5
ppp authentication-mode pap
#
ip pool pool1 bas local
gateway 10.10.10.2 255.255.255.0
section 0 10.10.10.3 10.10.10.100
dns-server 10.10.10.1
#
ipv6 prefix pre1 local
prefix 2010:2021::/64
#
ipv6 pool pool1 bas local
prefix pre1
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme auth5
authentication-mode radius
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme acct5
accounting-mode radius
#
domain isp5
authentication-scheme auth5
accounting-scheme acct5
ip-pool pool2
ipv6-pool pool1
radius-server group rd5
#
#
interface GigabitEthernet0/1/2
pppoe-server bind Virtual-Template 5
ipv6 enable
ipv6 address auto link-local
bas
access-type layer2-subscriber default-domain authentication isp5
#
interface GigabitEthernet0/1/1
ipv6 enable
ipv6 address 2011::1/64 eui-64
ipv6 address auto link-local
#
return
Figure 10-9 Networking for connecting BRAS users to the Internet through VLL
[Figure 10-9: User connects through a Switch to the BRAS over the VLL]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the VE interface for terminating the VLL packets and the VE interface for
accessing the Internet on the Router. Bind the two VE interfaces to a VE-Group.
2. Configure the VLL.
3. Enable VLL access.
4. Configure the BRAS access service and configure VE5/0/1 as the BAS interface.
Data Preparation
To complete the configuration, you need the following data:
l VE-Group number
l MPLS LSR IDs of the PE and P routers, namely, the IP addresses of their Loopback1
interfaces
Configuration Procedure
1. Create two VE interfaces on the PE2 and bind the two interfaces to a VE-Group.
# Create interface VE5/0/0 to terminate the MPLS L2VPN packets.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[*PE2] commit
[~PE2] interface virtual-ethernet5/0/0
[*PE2-Virtual-Ethernet5/0/0] ve-group 1 l2-terminate
[*PE2-Virtual-Ethernet5/0/0] quit
[*PE2] commit
[*PE2-Virtual-Ethernet5/0/1] quit
[*PE2] commit
– Configure P.
<HUAWEI> system-view
[~HUAWEI] sysname P
[*P] commit
[~P] mpls lsr-id 2.2.2.9
[*P] mpls
[*P-mpls] quit
[*P] commit
[~P] mpls ldp
[*P-mpls-ldp] quit
[*P] interface gigabitethernet1/0/0
[*P-GigabitEthernet1/0/0] mpls
[*P-GigabitEthernet1/0/0] mpls ldp
[*P-GigabitEthernet1/0/0] undo shutdown
[*P-GigabitEthernet1/0/0] quit
[*P] commit
[~P] interface gigabitethernet2/0/0
[*P-GigabitEthernet2/0/0] mpls
[*P-GigabitEthernet2/0/0] mpls ldp
[*P-GigabitEthernet2/0/0] undo shutdown
[*P-GigabitEthernet2/0/0] quit
[*P] commit
[~P] quit
– Configure PE2.
[~PE2] mpls lsr-id 3.3.3.9
[*PE2] mpls
[*PE2-mpls] quit
[*PE2] commit
[~PE2] mpls ldp
[*PE2-mpls-ldp] quit
[*PE2] commit
[~PE2] interface gigabitethernet5/0/0
[*PE2-GigabitEthernet5/0/0] mpls
[*PE2-GigabitEthernet5/0/0] mpls ldp
[*PE2-GigabitEthernet5/0/0] undo shutdown
[*PE2-GigabitEthernet5/0/0] quit
[*PE2] commit
[~PE2] quit
– Configure PE2.
[~PE2] mpls ldp remote-peer pe1
[*PE2-mpls-ldp-remote-1] remote-ip 1.1.1.9
[*PE2-mpls-ldp-remote-1] quit
[*PE2] commit
[~PE2] quit
3. Configure the BRAS access service. Configure VE5/0/1 as the BAS interface so that
users connect to the Internet through VE5/0/1.
# Configure a virtual template interface.
[~PE2] interface virtual-template 1
[*PE2-Virtual-Template1] ppp authentication-mode chap
[*PE2-Virtual-Template1] quit
[*PE2] commit
Configuration Files
The following are the configuration files of the routers.
l Configuration file of PE1
#
sysname PE1
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
mpls ldp remote-peer pe2
remote-ip 3.3.3.9
#
interface GigabitEthernet5/0/0.1
vlan-type dot1q 1
mpls l2vc 3.3.3.9 101
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
l Configuration file of P
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
l Configuration file of PE2
#
sysname PE2
#
radius-server group rd1
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server shared-key itellin
radius-server type plus11
radius-server traffic-unit kbyte
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer pe1
remote-ip 1.1.1.9
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 2.1.1.2 255.255.255.0
#
interface GigabitEthernet5/0/0
undo shutdown
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface Virtual-Ethernet5/0/0
undo shutdown
ve-group 1 l2-terminate
#
interface Virtual-Ethernet5/0/0.1
vlan-type dot1q 1
mpls l2vc 1.1.1.9 101
#
interface Virtual-Ethernet5/0/1
undo shutdown
ve-group 1 l3-access
#
interface Virtual-Ethernet5/0/1.1
undo shutdown
user-vlan 1 2 qinq 100
bas
access-type layer2-subscriber
authentication-method ppp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ip pool pool1 bas local
gateway 172.82.1.1 255.255.255.0
section 0 172.82.1.2 172.82.1.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
Networking Requirements
On the network shown in Figure 10-10, subscriber1 belongs to VLAN1, and subscriber2
belongs to VLAN2. The network-side interface on the Router is GE 0/1/1. To allow
subscriber1 and subscriber2 to use IPv4 addresses to go online, configure PPPoEoVLAN
access. The requirements are as follows:
l Subscribers belong to domain isp1 and use PPPoEoVLAN to go online through GE
0/1/2.1 on the Router. The LAN switch marks the priorities of user packets from VLAN1
and VLAN2.
l RADIUS authentication and accounting are used.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port number
is 1645, and the accounting port number is 1646. RADIUS+1.1 is used, with the
password hello.
l The IP address of the DNS server is 192.168.7.252.
Figure 10-10 Networking for configuring PPPoEoVLAN access for IPv4 users
NOTE
Interfaces 1 and 2 in this example are GE0/1/1 and GE0/1/2.1, respectively.
[Figure 10-10: subscriber1@isp1 in VLAN1 and subscriber2@isp1 in VLAN2 reach the Device through interface2; interface1 (192.168.7.1/24) connects the Device to the Internet]
Configuration Roadmap
1. Configure a VT.
2. Configure AAA schemes.
3. Configure a RADIUS server group.
4. Configure an IPv4 address pool.
5. Configure a domain.
6. Bind the VT to a sub-interface.
7. Configure a BAS interface.
Data Preparation
l VT number
l Authentication and accounting schemes and their names
l RADIUS server group name and server address
l DNS server address
l User domain
l BAS interface parameters
Procedure
Step 1 Configure a VT.
<HUAWEI> system-view
[~HUAWEI] interface virtual-template 1
[*HUAWEI-Virtual-Template1] ppp authentication-mode chap
[*HUAWEI-Virtual-Template1] quit
[*HUAWEI] commit
[*HUAWEI-ip-pool-pool1] quit
[*HUAWEI] commit
Step 7 Configure user VLANs on the sub-interface and bind the VT to it.
# Configure user VLANs on GE 0/1/2.1 and bind the VT to it.
[~HUAWEI] interface gigabitethernet 0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 2
[*HUAWEI-GigabitEthernet0/1/2.1-vlan-1-2] quit
[*HUAWEI-GigabitEthernet0/1/2.1] pppoe-server bind virtual-template 1
[*HUAWEI-GigabitEthernet0/1/2.1] commit
NOTE
In this example, users go online with the domain name isp1 being carried in the user name. Therefore,
the BAS interface does not need to have any authentication domain configured. If users go online
without the domain name being carried in the user name, you must specify an authentication domain on
the BAS interface.
DNS1 :192.168.7.252
# Check information about the domain named isp1. The command output shows that the
address pool named pool1 is bound to the domain.
<HUAWEI> display domain isp1
------------------------------------------------------------------------------
Domain-name : isp1
Domain-state : Active
Authentication-scheme-name : auth1
Accounting-scheme-name : acct1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : rd1
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IPv6-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IP-address-pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
------------------------------------------------------------------------------
State                                   : Used
User name                               : ceshi9
User IP address                         : 10.144.254.250
User IP netmask                         : 255.255.255.255
User Primary-DNS                        : 103.44.168.6
User Secondary-DNS                      : 103.44.168.7
Agent-Circuit-Id                        : -
Agent-Remote-Id                         : -
Access-line-id Information(pppoe+)      : -
User-Group                              : -
Next-hop                                : -
Policy-route-IPV6-address               : -
AAA:
RADIUS-server-template                  : pppoe
Authen result                           : Success
Author result                           : Success
Action flag                             : Idle
Authen state                            : Authed
Author state                            : Idle
Quota-out                               : Offline
Realtime-accounting-switch              : Close
Realtime-accounting-interval(sec)       : -
Realtime-accounting-send-update         : No
Realtime-accounting-traffic-update      : No
Accounting state                        : Ready
MTU                                     : 1280
MRU                                     : 1280
Time remained(s)                        : 86398(s)
Idle-cut direction                      : Both
Dot1X:
EAP user                                : No
MD5 end                                 : No
VPN&Policy-route:
Vpn-Instance                            : -
Multicast Service:
Multicast-profile                       : -
Multicast-profile-ipv6                  : -
IGMP enable                             : Yes
ACL&QoS:
Inbound Family-profile-name             : 1M
Outbound Family-profile-name            : 1M
Inbound cir                             : 1024(kbps)
Inbound pir                             : 0(kbps)
Inbound cbs                             : 1024000(bytes)
Inbound pbs                             : 0(bytes)
Outbound cir                            : 1024(kbps)
Outbound pir                            : 0(kbps)
Outbound cbs                            : 1024000(bytes)
Outbound pbs                            : 0(bytes)
Inbound pir                             : 0(kbps)
Inbound cbs                             : 2941323(bytes)
Inbound pbs                             : 0(bytes)
Outbound pir                            : 0(kbps)
Outbound cbs                            : 2941323(bytes)
Outbound pbs                            : 0(bytes)
UpPriority                              : Unchangeable
DownPriority                            : Unchangeable
Flow Statistic:
Flow-Statistic-Up                       : Yes
Flow-Statistic-Down                     : Yes
Up packets number(high,low)             : (0,17)
Up bytes number(high,low)               : (0,2320)
Dslam information:
Circuit ID                              : -
Remote ID                               : -
0(Kbps)
----End
Configuration Files
#
sysname HUAWEI
#
radius-server group rd1
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
radius-server type plus11
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/2
#
interface GigabitEthernet0/1/2.1
pppoe-server bind Virtual-Template 1
user-vlan 1 2
bas
access-type layer2-subscriber
authentication-method ppp
qos-profile 10M inbound
qos-profile 10M outbound
#
qos-profile 10M
car cir 1024 cbs 1024000 green pass red discard
#
interface GigabitEthernet0/1/1
ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
gateway 10.82.0.1 255.255.255.0
section 0 10.82.0.2 10.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
#
return
Networking Requirements
Wired users, wireless users, and dumb terminals in faculty dormitory areas, student
dormitory areas, and office areas implement IPv4/IPv6 dual-stack access based on web
authentication. When a user accesses the Internet for the first time, the user enters the
MAC authentication domain. During the subsequent web authentication, the user must enter
a user name and password. The RADIUS server records the terminal's MAC address and
associates it with the user name and password, so the user is admitted automatically when
going online again. This authentication mode is called MAC authentication. If MAC
authentication fails, the user is redirected to the web authentication domain. A user in the
web authentication domain can access only limited network addresses, such as the web
server's address. When a user in this domain accesses an address outside that permitted
set, the user is redirected to a specified web server and must enter the correct user name
and password. After the authentication succeeds, the user enters the authentication domain
and can access network resources normally. When the user logs in next time, the Router
authenticates the user based on the terminal's MAC address alone. Because the MAC
address then serves as the only credential, this mode relies on the address not being
spoofed; keep the resources reachable from the MAC authentication domain in line with
that level of trust.
l RADIUS authentication and RADIUS accounting are used.
l The IP address of the RADIUS server is 10.1.2.10. The authentication and accounting
ports are 1812 and 1813, respectively. The standard RADIUS protocol is adopted, with
the key being Root@1234.
l The IP addresses of the two DNS servers are 3001:DA8:20D:30::30 and 10.1.6.2,
respectively.
l The IP address of the web server is 10.1.1.10, and the key is Root@123.
Figure 10-11 Networking for configuring IPv4/IPv6 dual-stack access based on web+MAC
authentication
Figure elements: PC on the Access Network connects to Interface 1 of the Router; the
Router connects to the Internet, the DNS server (IPv6), the DNS server (IPv4), the Portal
server, and the RADIUS server.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Enable IPv6 packet forwarding.
<HUAWEI> system-view
[~HUAWEI] ipv6
Step 2 Create a MAC authentication domain, a web authentication domain, and an authentication
domain.
[~HUAWEI] aaa
[*HUAWEI-aaa] domain mac-domain
[*HUAWEI-aaa-domain-mac-domain] quit
[*HUAWEI-aaa] domain web-domain
[*HUAWEI-aaa-domain-web-domain] quit
[*HUAWEI-aaa] domain after-domain
[*HUAWEI-aaa-domain-after-domain] commit
[~HUAWEI-aaa-domain-after-domain] quit
[~HUAWEI-aaa] quit
# Create a RADIUS server group named group1, configure the hw-auth-type attribute for
authentication request packets in the RADIUS server group, and configure attribute
translation to translate the hw-auth-type attribute into Huawei proprietary No. 109 attribute.
[~HUAWEI] radius-server group group1
[*HUAWEI-radius-group1] radius-server authentication 10.1.2.10 1812
[*HUAWEI-radius-group1] radius-server accounting 10.1.2.10 1813
[*HUAWEI-radius-group1] radius-server shared-key-cipher Root@1234
[*HUAWEI-radius-group1] radius-attribute include hw-auth-type
[*HUAWEI-radius-group1] radius-server attribute translate
[*HUAWEI-radius-group1] radius-attribute translate extend hw-auth-type vendor-
specific 2011 109 access-request account
[*HUAWEI-radius-group1] commit
[~HUAWEI-radius-group1] quit
Step 5 Enable MAC authentication in the MAC authentication domain mac-domain, and bind the
RADIUS server group group1 and authentication scheme portal-mac-auth to the domain.
[~HUAWEI] user-group mac-group
[~HUAWEI] aaa
[*HUAWEI-aaa] domain mac-domain
[*HUAWEI-aaa-domain-mac-domain] radius-server group group1
[*HUAWEI-aaa-domain-mac-domain] authentication-scheme portal-mac-auth
[*HUAWEI-aaa-domain-mac-domain] accounting-scheme radius
[*HUAWEI-aaa-domain-mac-domain] ip-pool pool1
[*HUAWEI-aaa-domain-mac-domain] ipv6-pool pool1
[*HUAWEI-aaa-domain-mac-domain] mac-authentication enable
[*HUAWEI-aaa-domain-mac-domain] user-group mac-group
[*HUAWEI-aaa-domain-mac-domain] commit
[~HUAWEI-aaa-domain-mac-domain] quit
[~HUAWEI-aaa] quit
Step 6 Configure forcible redirection to a specified web server in the web authentication domain
web-domain, and bind a user group that can access only limited resources, authentication
scheme (non-authentication), and accounting scheme (non-accounting) to the domain.
[~HUAWEI] user-group web-group
[~HUAWEI] aaa
[*HUAWEI-aaa] http-redirect enable
[*HUAWEI-aaa] domain web-domain
[*HUAWEI-aaa-domain-web-domain] authentication-scheme none
[*HUAWEI-aaa-domain-web-domain] accounting-scheme none
[*HUAWEI-aaa-domain-web-domain] ip-pool pool1
[*HUAWEI-aaa-domain-web-domain] ipv6-pool pool1
[*HUAWEI-aaa-domain-web-domain] user-group web-group
[*HUAWEI-aaa-domain-web-domain] web-server 10.1.1.10
[*HUAWEI-aaa-domain-web-domain] web-server url http://10.1.1.10
[*HUAWEI-aaa-domain-web-domain] commit
[~HUAWEI-aaa-domain-web-domain] quit
[~HUAWEI-aaa] quit
Step 7 Configure ACL rules for the web authentication domain web-domain.
l # Configure IPv4 ACL rules.
[~HUAWEI] acl number 6000
[*HUAWEI-acl-ucl-6000] rule 5 permit ip source ip-address 10.1.1.10 0
destination user-group web-group
[*HUAWEI-acl-ucl-6000] rule 10 permit ip source user-group web-group
destination ip-address 10.1.1.10 0
[*HUAWEI-acl-ucl-6000] rule 15 permit ip source ip-address 10.1.6.2 0
destination user-group web-group
[*HUAWEI-acl-ucl-6000] rule 20 permit ip source user-group web-group
destination ip-address 10.1.6.2 0
[~HUAWEI-acl-ucl-6000] quit
[~HUAWEI] acl number 6001
[*HUAWEI-acl-ucl-6001] rule 5 permit tcp source user-group web-group
destination-port eq www
[*HUAWEI-acl-ucl-6001] rule 10 permit tcp source user-group web-group
destination-port eq 8080
[*HUAWEI-acl-ucl-6001] rule 15 permit ip source user-group web-group
[~HUAWEI-acl-ucl-6001] quit
[~HUAWEI] acl number 6002
[*HUAWEI-acl-ucl-6002] rule 5 permit ip source user-group web-group
destination user-group web-group
[*HUAWEI-acl-ucl-6002] rule 10 permit ip source user-group web-group
destination ip-address any
[~HUAWEI-acl-ucl-6002] quit
[~HUAWEI] acl number 6003
[*HUAWEI-acl-ucl-6003] rule 5 permit ip destination user-group web-group
[~HUAWEI-acl-ucl-6003] quit
Step 9 Run the default-user-name include mac-address command in the AAA view to directly use
the MAC address carried in a user connection request packet as the user name.
[~HUAWEI] aaa
[~HUAWEI-aaa] default-user-name include mac-address -
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit
Step 11 Enable IPv6 and configure the MAC authentication domain, authentication domain, and
authentication method on a BAS interface.
[~HUAWEI] license
[*HUAWEI-license] active bas slot 1
[~HUAWEI-license] quit
[~HUAWEI] interface gigabitethernet0/1/0
[*HUAWEI-GigabitEthernet0/1/0] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/0] ipv6 nd autoconfig managed-address-flag
[*HUAWEI-GigabitEthernet0/1/0] ipv6 nd autoconfig other-flag
[*HUAWEI-GigabitEthernet0/1/0] bas
[*HUAWEI-GigabitEthernet0/1/0-bas] access-type layer2-subscriber default-domain
pre-authentication mac-domain authentication after-domain
[*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method web
[*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method-ipv6 web
4. The user enters the user name and password, and accesses the Internet after the
authentication succeeds.
5. Run the display domain mac-domain command to check that the IPv4 and IPv6 address
pools are bound to the domain mac-domain.
----End
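The domain transitions described in the Networking Requirements (mac-domain for pre-authentication, web-domain with restricted reachability on failure, after-domain after a successful web login, and MAC-only admission on the next login) are modelled below as an added example. This is illustrative code written for this page, not NE40E software. The web server 10.1.1.10, the IPv4 DNS server 10.1.6.2 and the HTTP ports come from the example; the permit/redirect/drop actions are assumptions, because the page shows the ACLs in Step 7 but not the traffic policies that reference them.

```python
"""Added example: model of the web+MAC authentication flow on a BAS interface."""
from dataclasses import dataclass, field

WEB_SERVER = "10.1.1.10"       # web server from the example
DNS_SERVER_V4 = "10.1.6.2"     # IPv4 DNS server from the example
HTTP_PORTS = {80, 8080}        # ACL 6001: destination-port eq www / eq 8080


@dataclass
class RadiusServer:
    """Stand-in for the RADIUS server: user credentials plus the MAC bindings it
    learns after a successful web authentication (constructed, not a real server)."""
    credentials: dict                                   # user name -> password
    mac_bindings: dict = field(default_factory=dict)    # MAC -> user name

    def mac_auth(self, mac: str) -> bool:
        """default-user-name include mac-address: the MAC itself is the user name,
        so any device presenting a bound MAC is admitted without a password."""
        return mac in self.mac_bindings

    def web_auth(self, mac: str, user: str, password: str) -> bool:
        if self.credentials.get(user) != password:
            return False
        self.mac_bindings[mac] = user      # the binding that makes the next login MAC-only
        return True


class Bras:
    """Domain selection of the BAS interface: pre-authentication in mac-domain,
    then after-domain on success or web-domain on failure."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.domain = {}    # MAC -> current domain

    def connect(self, mac: str) -> str:
        self.domain[mac] = "after-domain" if self.radius.mac_auth(mac) else "web-domain"
        return self.domain[mac]

    def web_login(self, mac: str, user: str, password: str) -> str:
        if self.domain.get(mac) != "web-domain":
            raise ValueError("web login is only offered in web-domain")
        if self.radius.web_auth(mac, user, password):
            self.domain[mac] = "after-domain"
        return self.domain[mac]

    def policy(self, mac: str, dst_ip: str, dst_port: int) -> str:
        """Assumed traffic-policy outcome for a packet from this user."""
        d = self.domain.get(mac)
        if d == "after-domain":
            return "permit"
        if d != "web-domain":
            return "drop"
        if dst_ip in (WEB_SERVER, DNS_SERVER_V4):   # ACL 6000: portal and DNS reachable
            return "permit"
        if dst_port in HTTP_PORTS:                   # ACL 6001: HTTP caught for redirection
            return "redirect"
        return "drop"                                # everything else, assumed denied
```

A second Bras instance fed the same RadiusServer shows the point made in the requirements: once a MAC is bound, reconnecting with that address (from any device that presents it) lands directly in after-domain, so the reachability granted to mac-domain should not exceed what an unverified MAC deserves.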
Configuration Files
#
sysname HUAWEI
#
license
active bas slot 1
#
ipv6
#
user-group after-domain
user-group web-domain
user-group mac-domain
#
dhcpv6 duid 12345678
#
slot 1
http-reply enable
#
radius-server group group1
radius-server shared-key-cipher Root@1234
radius-server authentication 10.1.2.10 1812 weight 0
radius-server accounting 10.1.2.10 1813 weight 0
radius-server attribute translate
radius-attribute include HW-Auth-Type
radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-
request account
#
acl ipv6 number 6000
rule 5 deny ipv6 source user-group web-group destination ipv6-address
3001:DA8:20D:30::30/128
rule 10 deny ipv6 source ipv6-address 3001:DA8:20D:30::30/128 destination user-
group web-group
#
acl ipv6 number 6001
rule 5 permit tcp source user-group web-group destination-port eq www
rule 10 permit tcp source user-group web-group destination-port eq 8080
rule 15 permit ipv6 source user-group web-group
#
acl number 6000
rule 5 permit ip source ip-address 10.1.1.10 0 destination user-group web-group
rule 10 permit ip source user-group web-group destination ip-address 10.1.1.10 0
rule 15 permit ip source ip-address 10.1.6.2 0 destination user-group web-group
rule 20 permit ip source user-group web-group destination ip-address 10.1.6.2 0
#
acl number 6001
rule 5 permit tcp source user-group web-group destination-port eq www
rule 10 permit tcp source user-group web-group destination-port eq 8080
rule 15 permit ip source user-group web-group
#
acl number 6002
rule 5 permit ip source user-group web-group destination user-group web-group
rule 10 permit ip source user-group web-group destination ip-address any
#
acl number 6003
rule 5 permit ip destination user-group web-group
#
acl number 6010
#
ip-pool pool1
ipv6-pool pool1
user-group web-group
web-server 10.1.1.10
web-server url http://10.1.1.10
domain after-domain
authentication-scheme radius
accounting-scheme radius
radius-server group group1
#
interface GigabitEthernet0/1/0
ipv6 enable
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
bas
access-type layer2-subscriber default-domain pre-authentication mac-domain
authentication after-domain
authentication-method web
authentication-method-ipv6 web
#
traffic-policy before-auth-in inbound
traffic-policy before-auth-out outbound
#
web-auth-server 10.1.1.10 key cipher Root@1234
Configure 802.1X access services to exchange messages between access users and
authentication servers. This feature is not supported on the M2E. This feature is supported
only on the Admin-VS.
11.1 Overview of 802.1X Access
IEEE 802.1X authentication allows only authorized users or devices to access a network,
which improves network security.
11.2 802.1X Authentication Features Supported by the NE40E
Different authentication modes can be configured for 802.1X authentication.
11.3 Configuring 802.1X Access Services
Before configuring 802.1X access services, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain the data required for the configuration.
11.4 Configuration Examples for 802.1X Access
This section provides examples for configuring 802.1X authentication, including networking
requirements, configuration notes, and configuration roadmap.
through the Ethernet interface to which the user or device is connected. After authentication is
successful, normal traffic can pass through the Ethernet interface. This mechanism improves
network security by allowing only authorized users or devices to access the network.
NOTE
Services are interrupted if the memory size of the master MPU is inconsistent with that of the slave
MPU.
Authentication Mode
l EAP termination authentication: The NE40E terminates the EAP exchange with the
client, extracts the user name and the password proof from the EAP packets, and sends
them to the AAA server in a standard RADIUS authentication request. EAP termination
authentication supports Password Authentication Protocol (PAP) authentication and
Challenge Handshake Authentication Protocol (CHAP) authentication.
– PAP is a two-way handshake protocol in which the client sends its password in
plaintext. The NE40E only obfuscates it in the RADIUS User-Password attribute with
the RADIUS shared key, so anyone who captures the access link, or who holds the
shared key and captures the RADIUS leg, obtains the password. PAP has low security.
– CHAP is a three-way handshake protocol in which the client answers a random
challenge with an MD5 digest computed from the challenge and the password. The
password itself is never transmitted, so CHAP is more secure than PAP, although a
captured challenge/response pair can still be tested offline against password guesses.
l EAP relay authentication: The NE40E does not parse the EAP exchange. It encapsulates
the 802.1X user authentication information and the EAP packets unchanged in the
attribute fields (EAP-Message) of RADIUS packets and forwards them to the AAA server,
which runs the EAP method end to end with the client.
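To make the PAP/CHAP difference in EAP termination mode concrete, the following added example implements what the BRAS puts on the RADIUS leg in each case: the RFC 2865 section 5.2 User-Password hiding used for PAP, and the RFC 1994 CHAP response that ends up in the CHAP-Password attribute. It is written for this page and is not Huawei code; the password, the shared key (itellin, reused from the example below) and the wordlist are constructed.

```python
"""Added example: PAP over RADIUS versus CHAP, as seen by someone capturing the RADIUS leg."""
import hashlib
import hmac
import secrets


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP (MD5): Response = MD5(Identifier || secret || Challenge).
    The password never leaves the client; only this 16-byte digest does."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier is one octet")
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """What the AAA server does with the CHAP-Challenge and CHAP-Password attributes."""
    return hmac.compare_digest(chap_response(ident, password, challenge), response)


def chap_dictionary_attack(ident: int, challenge: bytes, response: bytes, candidates):
    """The CHAP caveat: a captured challenge/response pair can be tested offline
    against guesses without any RADIUS shared key. Returns the matching guess or None."""
    for guess in candidates:
        if chap_verify(ident, guess, challenge, response):
            return guess
    return None


def radius_hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: how a PAP password is hidden in the User-Password
    attribute. It is an MD5 keystream XOR keyed by the RADIUS shared key and the
    16-octet Request Authenticator, chained block by block; not a real cipher."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block            # next keystream block depends on this ciphertext block
    return bytes(hidden)


def radius_unhide_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password. Anyone holding the shared key and the
    captured Access-Request recovers the password: the weakness of PAP over RADIUS."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")     # strip the RFC padding (passwords do not end in NUL)


def demo() -> dict:
    """Run both modes for one constructed password and report what a capture yields."""
    password, shared_secret = b"Pa55w0rd-demo", b"itellin"    # constructed values
    ra, challenge, ident = secrets.token_bytes(16), secrets.token_bytes(16), 7
    pap_attr = radius_hide_password(password, shared_secret, ra)
    chap_attr = bytes([ident]) + chap_response(ident, password, challenge)
    return {
        "pap_recovered_with_shared_key": radius_unhide_password(pap_attr, shared_secret, ra),
        "chap_guessed_from_wordlist": chap_dictionary_attack(
            ident, challenge, chap_attr[1:], [b"password", b"123456", password]),
    }
```

The two results in demo() summarise the trade-off stated above: with PAP the shared key alone turns a captured Access-Request back into the password, while with CHAP the attacker gets nothing directly but can still run a wordlist against the MD5 response, so CHAP does not excuse weak user passwords.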
Usage Scenario
To prevent unauthorized users or devices from gaining access to a network and ensure
network security, you can configure 802.1X access services to allow only authorized users to
access the network.
Pre-configuration Tasks
l Configure link-layer protocol parameters for interfaces to go Up at the link layer.
l Configure a routing protocol to implement IP connectivity of the network.
Configuration Procedures
Perform one or more of the following configurations as required.
Context
After a dot1x template is created in the system view, configure parameters for the dot1x
template:
l Run the eap-end command to specify the authentication method for 802.1X users using
the dot1x template. Choose EAP termination mode or EAP relay mode as required.
l Run the authentication timeout command in the template view to set the timeout period
for the BRAS to wait for an EAP Response packet from the authentication server. If the
BRAS does not receive an EAP Response packet from the authentication server within a
specified timeout period, the BRAS considers that a user goes offline and logs out the
user.
l During 802.1X authentication, the BRAS sends an EAP-Request/Identity packet to the
client. If you want the BRAS to retransmit the packet when the client does not respond,
run the request command to set the timeout period for the BRAS to wait for an EAP-
Response/Identity packet from the client and the number of retransmissions of EAP-
Request/Identity packets. If the client does not respond with an EAP-Response/Identity
packet within the timeout period and after packet retransmissions reach the specified
number, the user is logged out.
l If users go online through 802.1X authentication, run the reauthentication interval
command to set the interval for the BRAS to send re-authentication request packets. If
re-authentication fails, the users are logged out to ensure that only authorized users can
access the network.
l In some cases, accounting continues after 802.1X users go offline. To resolve such
issues, run the keepalive command to set the number of and timeout period for
handshake packet retransmissions between the EAP client and server. If the client does
not respond within the timeout period and after handshake packet retransmissions reach
the specified number, the user is logged out.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dot1x-template dot1x-template-number
A dot1x template is created and the dot1x template view is displayed.
Dot1x templates are identified by numbers. The Router has a default dot1x template
numbered 1. This template can be modified but cannot be deleted.
Step 3 (Optional) Run eap-end [ chap | pap ]
The EAP authentication method is set for 802.1X users.
Step 4 (Optional) Run authentication timeout time
The timeout period for the BRAS to wait for an EAP Response packet from the authentication
server is set.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run dot1x-template dot1x-template-number
A dot1x template is bound to a domain.
Step 5 Run commit
The configuration is committed.
----End
Context
When a user accesses the network through a main interface, you do not need to bind the main
interface to a VLAN. When a user accesses the network through a sub-interface, you need to
bind the sub-interface to a VLAN.
You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding
a sub-interface to a VLAN, you need the following parameters:
l Number of the sub-interface
l VLAN ID
l QinQ ID
NOTE
l Each main interface can be configured with only one any-other sub-interface. The user-vlan any-
other parameter cannot be configured together with the user-vlan start-vlan parameter or the user-
vlan qinq parameter on the same sub-interface.
l If a sub-interface is configured with dot1q termination, QinQ termination, QinQ stacking, or
VLAN-type dot1q, the user-vlan command cannot be run on the sub-interface.
l User VLANs with the same VLAN ID cannot be configured on different sub-interfaces.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number.subinterface-number
A sub-interface is created and the sub-interface view is displayed.
Step 3 Run user-vlan { start-vlan-id [ end-vlan-id ] [ qinq start-pe-vlan [ end-pe-vlan ] ] |
any-other }
User-side VLANs are created.
Step 4 Run commit
The configuration is committed.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number [ p2p | p2mp ] ]
The user-side interface view is displayed.
Step 3 Run commit
The configuration is committed.
Step 4 Run bas
A BAS interface is created, and the BAS interface view is displayed.
You can configure an interface as the BAS interface by running the bas command in the
interface view. An Ethernet interface, an Eth-Trunk interface, a Virtual Ethernet (VE)
interface or a sub-interface of the preceding interfaces can be configured as a BAS interface.
Step 5 Perform one or more operations in Table 11-1 to set the desired interface parameters.
----End
Procedure
l Run the display dot1x-template number command to check dot1x template
configurations.
l Run the display bas-interface command to check BAS interface configurations.
----End
Example
Run the display dot1x-template number command to view configurations of the dot1x
template numbered 1.
<HUAWEI> display dot1x-template 1
Template index : 1
Reauthentication switch : On
Keepalive switch : Off
Reauthentication interval(S) : 3600
Keepalive retransmit : 0
Keepalive interval(S) : 20
Request interval(S) : 30
Request retransmit : 2
Run the display bas-interface command to view configurations of all BAS interfaces.
<HUAWEI> display bas-interface
---------------------------------------------------------------------------
Interface BASIF-access-type config-state access-number
---------------------------------------------------------------------------
Eth-Trunk0 Layer2-subscriber Updated 0
Eth-Trunk0.1 Layer2-subscriber Updated 1
Eth-Trunk0.1234 Layer2-subscriber Updated 0
----------------------------------------------------------------------
Total 3 BASIF is configured
Networking Requirements
To prevent unauthorized users or devices from gaining access to a network and ensure
network security, you can configure 802.1X access services to allow only authorized users to
access the network. As shown in Figure 11-1,
l Subscriber belongs to the domain isp4 and accesses the Internet through GE 1/0/2 on the
Router in 802.1X authentication mode.
l RADIUS authentication and RADIUS accounting are used.
NOTE
In the 802.1X system, the NE40E functions as a relay device, which must use the RADIUS server
to transmit EAP packets.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port is
numbered 1645 and the accounting port is numbered 1646. The RADIUS+1.1 protocol is
adopted, with the key being itellin.
l The IP address of the DNS server is 192.168.7.252.
l The network-side interface on the NE40E is GE 2/0/1.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a dot1x template.
2. Configure an authentication scheme.
3. Configure an accounting scheme.
4. Configure a RADIUS server group.
5. Configure an address pool.
6. Configure a domain named isp4.
7. Configure a BAS interface.
Data Preparation
To complete the configuration, you need the following data:
l dot1x template number
l Timeout period for the BRAS to wait for an EAP Response packet from the
authentication server
l Timeout period for the BRAS to wait for an EAP-Response/Identity packet from the
client and the number of retransmissions of EAP-Request/Identity packets
l Number of and timeout period for handshake packet retransmissions between the EAP
client and server
l IP address of the RADIUS server
l Address pool name, gateway address, IP address range, and DNS server address
Procedure
Step 1 Configure a dot1x template.
<HUAWEI> system-view
[~HUAWEI] sysname Router
[*HUAWEI] commit
[~Router] dot1x-template 4
[*Router-dot1x-template-4] authentication timeout 20
[*Router-dot1x-template-4] request interval 20 retransmit 3
[*Router-dot1x-template-4] reauthentication interval 1800
[*Router-dot1x-template-4] keepalive interval 15 retransmit 2
[*Router-dot1x-template-4] commit
[~Router-dot1x-template-4] quit
----End
Configuration Files
#
sysname Router
#
license
active bas slot 1
#
radius-server group rd4
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server shared-key itellin
radius-server type plus11
radius-server traffic-unit kbyte
#
interface GigabitEthernet1/0/2.1
user-vlan 100
bas
access-type layer2-subscriber default-domain authentication isp4
authentication-method dot1x
#
ip pool pool4 bas local
gateway 10.82.1.1 255.255.255.0
section 0 10.82.1.2 10.82.1.200
dns-server 192.168.7.252
#
dot1x-template 4
authentication timeout 20
request retransmit 3 interval 20
reauthentication interval 1800
keepalive retransmit 2 interval 15
#
aaa
authentication-scheme auth4
accounting-scheme acct4
domain isp4
authentication-scheme auth4
accounting-scheme acct4
radius-server group rd4
dot1x-template 4
ip-pool pool4
#
return
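The configuration file above stores the RADIUS key with radius-server shared-key itellin, that is, in plaintext, whereas the earlier examples on this page use radius-server shared-key-cipher. Below is an added example of a small linter for configuration files in this format that flags that setting together with two other access-security settings discussed on this page (PAP allowed on a virtual template, and a domain with authentication-scheme none). It is written for this page and is not Huawei tooling; the two configurations it runs on are constructed in the layout of the Configuration Files blocks, and the cipher-text key in the hardened one is a placeholder, not a real encrypted key.

```python
"""Added example: lint NE40E-style configuration files for the access-security settings discussed here."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    section: str    # section header the finding belongs to
    message: str


# Constructed sample; the shared-key line mirrors the file above, the PAP and
# authentication-scheme none lines are added to exercise the other checks.
SAMPLE_CONFIG = """\
#
sysname Router
#
radius-server group rd4
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
#
interface Virtual-Template1
 ppp authentication-mode chap pap
#
aaa
 authentication-scheme auth4
 accounting-scheme acct4
 domain web-domain
  authentication-scheme none
  accounting-scheme none
 domain isp4
  authentication-scheme auth4
  accounting-scheme acct4
  radius-server group rd4
  ip-pool pool4
#
return
"""

# The same file with the three findings corrected (constructed; placeholder cipher text).
HARDENED_CONFIG = """\
#
radius-server group rd4
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key-cipher %^%#ExampleCipherTextPlaceholder%^%#
#
interface Virtual-Template1
 ppp authentication-mode chap
#
aaa
 domain isp4
  authentication-scheme auth4
  radius-server group rd4
#
return
"""


def parse_sections(config_text: str):
    """Split the file at '#' lines into (header line, body lines) pairs.
    Indentation is ignored because the extracted files on this page have none."""
    sections, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":
            current = None
            continue
        if current is None:
            current = (line, [])
            sections.append(current)
        else:
            current[1].append(line)
    return sections


def lint_config(config_text: str):
    """Return findings in file order; an empty list means nothing was flagged."""
    findings = []
    for header, body in parse_sections(config_text):
        if header.startswith("radius-server group"):
            if not any(l.startswith("radius-server shared-key") for l in body):
                findings.append(Finding("high", header, "no RADIUS shared key configured"))
            for line in body:
                # 'shared-key <key>' keeps the key in clear; 'shared-key-cipher' does not match
                if re.match(r"radius-server shared-key\s+\S+$", line):
                    findings.append(Finding("high", header,
                        "RADIUS shared key stored in plaintext; use radius-server shared-key-cipher"))
        elif header.startswith("interface"):
            for line in body:
                m = re.match(r"ppp authentication-mode\s+(.+)$", line)
                if m and "pap" in m.group(1).split():
                    findings.append(Finding("medium", header,
                        "PPP PAP permitted; user passwords cross the access link in plaintext"))
        elif header == "aaa":
            domain = None
            for line in body:
                if line.startswith("domain "):
                    domain = line.split(None, 1)[1]
                elif domain and line == "authentication-scheme none":
                    findings.append(Finding("medium", f"aaa/domain {domain}",
                        "authentication-scheme none; confirm this is only a pre-authentication "
                        "or web-redirect domain with restricted reachability"))
    return findings
```

The authentication-scheme none check is deliberately a review prompt rather than a hard failure, because the web+MAC example earlier on this page uses exactly that setting for its web-redirect domain; the point is that such a domain must be paired with user-group ACLs that limit what it can reach.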
Networking Requirements
On the network shown in Figure 11-2, to allow the user to go online, configure 802.1X
access. The requirements are as follows:
l The user belongs to the domain isp4 and accesses the Internet through GE 0/1/0 on the
Router in 802.1X mode.
l RADIUS authentication and RADIUS accounting are used.
NOTE
In the 802.1X system, the NE40E functions as a relay device, which must use the RADIUS server
to transmit EAP packets.
l The IP address of the RADIUS server is 192.168.7.249. The authentication and
accounting ports are 1645 and 1646, respectively. The RADIUS+1.1 protocol is adopted,
with the key being itellin.
Figure elements: DNS server 192.168.7.252; RADIUS server 192.168.7.249.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a dot1x template.
2. Configure a BAS interface.
Data Preparation
To complete the configuration, you need the following data:
l dot1x template number
l Timeout period for waiting for an EAP response packet from the authentication server
l Number of packet retransmissions by the client and timeout period
l Number of handshake packet retransmissions between the EAP client and server and
timeout period
l RADIUS server address
l Address pool name, gateway address, address range, and DNS server address
Procedure
Step 1 Configure a dot1x template.
<HUAWEI> system-view
[~HUAWEI] dot1x-template 4
[*HUAWEI-dot1x-template-4] authentication timeout 20
[*HUAWEI-dot1x-template-4] request interval 20 retransmit 3
[*HUAWEI-dot1x-template-4] reauthentication interval 1800
[*HUAWEI-dot1x-template-4] keepalive interval 15 retransmit 2
[*HUAWEI-dot1x-template-4] commit
[~HUAWEI-dot1x-template-4] quit
Versions earlier than V600R007C00 do not require BAS activation by license. You can directly run the
bas enable command in the slot view.
[~HUAWEI] interface gigabitEthernet 0/1/0.1
[*HUAWEI-GigabitEthernet0/1/0.1] user-vlan 100
[*HUAWEI-GigabitEthernet0/1/0.1-vlan-100] quit
[*HUAWEI-GigabitEthernet0/1/0.1] bas
[*HUAWEI-GigabitEthernet0/1/0.1-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/0.1-bas] default-domain authentication isp4
[*HUAWEI-GigabitEthernet0/1/0.1-bas] authentication-method dot1x
[*HUAWEI-GigabitEthernet0/1/0.1-bas] commit
[~HUAWEI-GigabitEthernet0/1/0.1-bas] quit
[~HUAWEI-GigabitEthernet0/1/0.1] quit
----End
Configuration Files
#
sysname HUAWEI
#
radius-server group rd4
radius-server authentication 192.168.7.249 1645 weight 0
An L2TP tunnel can be established to provide access services for enterprises, small-scale
ISPs, and mobile office staff. This feature is not supported on the S2E. This feature is
supported only on the Admin-VS.
Figure elements: a remote user (PPPoE or ISDN) and a remote branch connect to DeviceA
(LAC); an L2TP tunnel across the Internet connects DeviceA to DeviceB (LNS), which
fronts the private network.
On the network shown in Figure 12-1, the typical L2TP networking consists of the following
parts:
l Remote system: A remote system is a remote user or a remote branch that connects to the
intranet of an enterprise. It is usually a host of a dial-up user or a device on a private
network.
l L2TP Access Concentrator (LAC): An LAC is the endpoint of an L2TP tunnel and is
located between the LNS and the remote system to transmit packets between the LNS
and the remote system. It encapsulates the packets received from the remote system into
L2TP packets, sends the packets to the LNS, decapsulates the packets received from the
LNS, and sends the packets to the remote system.
l L2TP Network Server (LNS): An LNS is a device that provides PPP and L2TP
processing capabilities and is usually located at the edge of an enterprise intranet. As the
other end of an L2TP tunnel, the LNS is the logical end point of the PPP sessions
transmitted by the LAC through the tunnel. L2TP establishes an L2TP tunnel on the
public network to extend PPP connections of the remote system from the original NAS
to the LNS on the enterprise intranet.
A device that functions as both an LNS and LAC is called an L2TP Tunnel Switch (LTS).
LAC/LTS in L2TP scenarios.
l Flexible access to a VPN is not supported for LAC/LTS/LNS users in L2TP access
scenarios.
l The bound tunnel source interface on the LNS side cannot be a PWIF interface.
Restrictions: In L2TP LNS user traffic forwarding scenarios, the high-performance
forwarding mode can be configured only when the board where the outbound interface
resides has an eTM subcard installed. Otherwise, you need to run the forward-mode
{ through | loopback } l2tp command to configure the board from which LNS users go
online to work in half-line-rate forwarding mode.
Guidelines: If the board where the outbound interface resides does not have an eTM
subcard installed, run the forward-mode loopback l2tp command to configure the LNS user
access board to work in half-line-rate forwarding mode.
Impact: If the half-line-rate forwarding mode is not configured, packet loss may occur
during LNS user traffic forwarding.
Usage Scenario
When an L2TP user goes online, the LAC sets up a tunnel with the remote LNS and sends the
packets to the LNS through the tunnel. When the NE40E functions as an LAC, you must
configure an L2TP group, that is, enable LAC on the NE40E.
When the NE40E functions as an LAC, the process of initiating an L2TP connection after the
L2TP user goes online is shown in Figure 12-2.
(1) The NE40E reads the domain name contained in the user name.
(2) The NE40E reads the L2TP group name specified for the domain.
(3) The NE40E reads the LNS address specified for the L2TP group.
(4) The NE40E initiates a connection with the LNS.
Pre-configuration Tasks
Before configuring an LAC, complete the following tasks:
l Configuring PPPoX access services, including configuring the virtual template, AAA
scheme, and BAS interface, and specifying a virtual template for an interface
l Configuring the domain to which L2TP users belong
l Configuring the RADIUS server group if the users in the specified domain use the L2TP
attributes delivered by the RADIUS server
l Enabling L2TP
Configuration Procedures
(Configuration flowchart; the procedures shown as boxes are listed below.)
l Enabling L2TP
l Configuring an L2TP Connection on the LNS
l Configuring L2TP Tunnel Authentication
l Configuring L2TP User Attributes
l Configuring AAA Schemes
l Configuring LAC-side User Access
Legend: mandatory step; optional step
Context
L2TP functions can be used only after L2TP is enabled. When L2TP is disabled, even if L2TP
parameters are configured, the NE40E does not provide L2TP functions.
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp enable
L2TP is enabled.
Step 3 Run commit
The configuration is committed.
----End
Context
When an LAC and an LNS are interconnected, the LAC must have a route to the LNS. For
example, when the NE40E functions as an LNS, if the LNS is configured with a loopback
interface, a route to the loopback interface must be configured on the LAC.
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group view is displayed.
Step 3 Run tunnel name name
The name of the local end of a tunnel is specified.
The tunnel name is used for tunnel negotiation between the LAC and LNS. In different tunnel
authentication modes, the tunnel name must meet different requirements.
l In local authentication mode, only the tunnel password is needed. The tunnel name is
used by the LNS to select an L2TP group to respond to a connection request from the
LAC. There is no special requirement on the format of the tunnel name. The tunnel name
configured on the LAC must be the same as the receiver tunnel name configured on the
LNS. No tunnel name needs to be configured on the LNS. In strict local authentication
mode, the LAC checks the validity of the tunnel name and password of the remote LNS.
If the LNS tunnel name and password delivered by the RADIUS server or the locally
configured LNS tunnel name and password are different from those of the remote LNS,
the check fails and the tunnel cannot be established.
l In AAA authentication mode, an L2TP tunnel is treated as a user, and the tunnel name is
required to be in the format of username@domain. When establishing an L2TP tunnel,
the LAC or LNS must forward the received user name and password to the AAA server
for authentication. In addition, the user name and password must be configured on the
AAA server.
Step 4 Run start l2tp { ip ip-address [ weight lns-weight | preference preference | remote lns-name | identifier-name identifier-name ] * } &<1-8>
An L2TP connection is configured on the LAC.
NOTE
l When configuring an L2TP connection on the LAC, you must specify the IP addresses and weights
of the LNSs. Up to eight LNSs can be configured in each L2TP group.
l The L2TP group is configured as the LAC in this configuration.
l The IP address of the LNS is optional. If the IP address of the LNS is delivered by the RADIUS
server, you do not need to configure it.
l The LNS weights are applicable to only the load balancing mode. In load balancing mode, the
NE40E allocates sessions to the LNSs in the proportion of their weights. In other modes, the NE40E
sets up connections to the LNSs in the sequence in which the LNSs are configured until an LNS
responds. Then, the other LNSs function as backups.
l preference preference configured in the start l2tp command takes effect only after the tunnel
priority command is run to configure priority-based load balancing for the LNSs. The NE40E
establishes a tunnel with the LNS with the highest priority. If the LNS with the highest priority is
unavailable, the NE40E selects an LNS based on the LNS priorities in descending order. If multiple
LNSs have the same priority, the NE40E establishes tunnels with all of them, and load balancing is
implemented between these tunnels.
l If the LAC is configured to check the tunnel name of the LNS, the remote lns-name parameter must
be configured in the start l2tp command. This setting allows L2TP tunnel authentication to be
enabled.
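The following Python model is an added illustration of the LNS selection rules described in the note above (trying the LNSs in configured order until one responds, allocating sessions in proportion to their weights in load balancing mode, and priority-based selection with equal priorities sharing load). It is not code from the NE40E or from this guide; the class and function names, the largest-remainder rounding used to turn proportions into session counts, and the available flag that stands in for "this LNS responded to the setup request" are assumptions made for the example.

```python
"""Added model of how an LAC chooses among the LNSs listed in 'start l2tp'.

Illustrative only: not NE40E code. Names and the rounding scheme are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_LNS_PER_GROUP = 8  # the guide allows up to eight LNSs per L2TP group


@dataclass
class Lns:
    ip: str
    weight: int = 1          # 'weight lns-weight': used only in load-balancing mode
    preference: int = 0      # 'preference preference': used only with 'tunnel priority'
    available: bool = True   # stands in for "the LNS responded to the setup request"


def build_group(lnss: List[Lns]) -> List[Lns]:
    """Reject a group that exceeds the eight-LNS limit or uses a non-positive weight."""
    if len(lnss) > MAX_LNS_PER_GROUP:
        raise ValueError(f"at most {MAX_LNS_PER_GROUP} LNSs per L2TP group")
    if any(lns.weight <= 0 for lns in lnss):
        raise ValueError("LNS weights must be positive")
    return list(lnss)


def select_in_order(lnss: List[Lns]) -> Optional[Lns]:
    """Non-load-balancing modes: try the LNSs in configured order until one
    responds; the remaining LNSs act as backups."""
    for lns in lnss:
        if lns.available:
            return lns
    return None


def session_shares(lnss: List[Lns], sessions: int) -> List[int]:
    """Load-balancing mode: allocate 'sessions' in proportion to the LNS weights.

    Returns one count per LNS (unavailable LNSs get 0). Largest-remainder
    rounding is an assumption; the guide only states the proportional rule.
    """
    weights = [lns.weight if lns.available else 0 for lns in lnss]
    total = sum(weights)
    if total == 0:
        return [0] * len(lnss)
    exact = [sessions * w / total for w in weights]
    shares = [int(x) for x in exact]
    leftover = sessions - sum(shares)
    # hand the remaining sessions to the LNSs with the largest fractional parts
    order = sorted(range(len(lnss)), key=lambda i: exact[i] - shares[i], reverse=True)
    for i in order[:leftover]:
        shares[i] += 1
    return shares


def priority_candidates(lnss: List[Lns]) -> List[Lns]:
    """Priority-based mode ('tunnel priority' configured): tunnel to the highest
    preference among the available LNSs; equal preferences share the load."""
    avail = [lns for lns in lnss if lns.available]
    if not avail:
        return []
    best = max(lns.preference for lns in avail)
    return [lns for lns in avail if lns.preference == best]
```

Marking an LNS unavailable and calling the selection functions again shows the fallback behaviour the note describes: the next LNS in configured order is tried, and in priority mode the next lower priority level is used only when every LNS at the higher level is unavailable.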
NOTE
l When the LAC initiates a tunnel setup request, it sends the source IP address of the local end to the LNS
for the communication between the LAC and LNS. To improve reliability of the communication between
the LAC and LNS, you can configure the source interface of the tunnel. Then, the LAC uses the IP
address of the specified interface as the source address to set up a tunnel.
l The IP address of the tunnel source configured in the L2TP groups, the IP address of the source
interface bound to the LNS groups, and the RBS tunnel source of dual-device hot backup cannot be the same.
Step 16 (Optional) Run qos link-adjustment vendor redback { lns | lac } * [ slot slot-id ]
Redback packet adjustment is configured so that user traffic statistics are collected in redback
mode.
This command is supported only on the Admin VS.
Step 17 Run commit
The configuration is committed.
----End
Context
An L2TP tunnel supports either local or remote authentication (RADIUS authentication).
NOTE
l The new password must be at least eight characters long and contain at least two of the following:
upper-case letters, lower-case letters, digits, and special characters.
l When configuring an authentication password, select the ciphertext mode. If you select the simple
text mode, the password is saved in plain text in the configuration file, which is a high risk. To
ensure device security, change the password periodically.
Procedure
l Local authentication
If local authentication is used, the LAC or LNS must use only the tunnel password, but
not the tunnel name. The tunnel name is used by the LNS to select an L2TP group to
respond to the LAC connection request. The format of the tunnel name is not restricted;
however, the tunnel name configured on the LAC must be the same as the remote tunnel
name configured on the LNS.
a. Run system-view
You can decide whether to enable tunnel authentication before creating a tunnel
connection. To ensure tunnel security, it is recommended that tunnel authentication
be enabled.
The tunnel authentication request can be initiated by the LAC or the LNS. As long
as one end is enabled with tunnel authentication, the identity authentication is
performed in the tunnel setup process. The tunnel can be set up only if the
passwords of both ends are the same and not null; otherwise, the local end
automatically tears down the tunnel. If tunnel authentication is disabled on both
ends, tunnel authentication is not performed, irrespective of whether passwords on
both ends are the same.
The tunnel authentication strict command configuration takes effect only for the
L2TP group on the LAC. After strict tunnel authentication is configured, the LAC
performs validity check on the remote LNS's tunnel name and password. If the LNS
tunnel name and password delivered by the RADIUS server or locally configured
are different from those of the remote LNS, tunnel establishment fails. After strict
tunnel authentication is configured, you can configure the RADIUS server to
deliver the Tunnel-Server-Auth-ID attribute or configure an LNS tunnel name in the
L2TP group view of the LAC based on site requirements.
e. Run tunnel password { simple | cipher } password [ lns-ip lns-ip-address ]
f. Run commit
The configuration is committed.
l Remote authentication (RADIUS authentication)
If remote authentication is used, the LAC or LNS takes the L2TP tunnel as a user;
therefore, the format of the tunnel name must be username@domain. When the tunnel is
set up, the LAC or LNS sends the received user name and password of each other to the
AAA server (RADIUS server) for authentication. The AAA server must be configured
with the identical user name and password.
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel authentication
Tunnel authentication is enabled.
You can decide whether to enable tunnel authentication before creating a tunnel
connection. To ensure tunnel security, it is recommended that tunnel authentication
be enabled.
The tunnel authentication request can be initiated by the LAC or the LNS. As long
as one end is enabled with tunnel authentication, the identity authentication is
performed in the tunnel setup process. The tunnel can be set up only if the
passwords of both ends are the same and not null; otherwise, the local end
automatically tears down the tunnel. If tunnel authentication is disabled on both
ends, tunnel authentication is not performed, irrespective of whether passwords on
both ends are the same.
d. Run tunnel aaa-authentication
The AAA tunnel authentication is enabled.
AAA tunnel authentication indicates that the L2TP tunnel is not authenticated
locally, but authenticated on the AAA server (RADIUS server).
e. Run commit
The configuration is committed.
l Forcible RADIUS tunnel authentication
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel radius-force
The forcible tunnel authentication is enabled.
Forcible RADIUS tunnel authentication indicates that the RADIUS server
determines whether tunnel authentication is performed. If the attributes delivered by
the RADIUS server contain the tunnel password, the tunnel password is used for
tunnel authentication; otherwise, tunnel authentication is not performed.
d. Run commit
The configuration is committed.
----End
Context
After configuring an L2TP group, you can apply the L2TP group to a domain. Then, the
domain and the L2TP tunnel can be associated. By associating a domain with an L2TP tunnel,
the NE40E delivers the services of an ISP in a batch to the access server (LNS) of the ISP
using the associated L2TP tunnel. In this manner, multi-ISP service wholesale is
implemented.
Do as follows on the NE40E:
NOTE
l The new password must be at least eight characters long and contain at least two of the following:
upper-case letters, lower-case letters, digits, and special characters.
l When configuring an authentication password, select the ciphertext mode. If you select the simple
text mode, the password is saved in plain text in the configuration file, which is a high risk. To
ensure device security, change the password periodically.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run l2tp-group group-name
An L2TP group is specified for the domain.
Step 5 (Optional) Run l2tp-user radius-force
Users in the specified domain use the L2TP attributes delivered by the RADIUS server.
The L2TP attributes for domain users can be specified by the L2TP group that belongs to the
domain or delivered by the RADIUS server. When domain users use the L2TP attributes
delivered by the RADIUS server, you do not need to specify an L2TP group for the domain;
the L2TP group is invalid even if one is specified.
The RADIUS server can deliver the attributes such as tunnel-type(64), tunnel_client_endpoint
(66), tunnel_server_endpoint (67), tunnel-client-auth-id (90), tunnel_password(69), and
tunnel-assignment-id(82). If the RADIUS server does not deliver the L2TP group name, the
NE40E considers the user as an ordinary PPP user.
The L2TP attributes delivered by the RADIUS server have a higher priority than the local
L2TP attributes. For example, if the LNS address configured in group lac1 is 10.10.10.1 and
the RADIUS server delivers the LNS address 10.20.20.1 and L2TP group lac1, the LNS
address 10.20.20.1 takes effect. If the RADIUS server delivers only the L2TP group lac1, the
LNS address 10.10.10.1 takes effect.
NOTE
The L2TP group name and the tunnel type must be delivered together so that the L2TP attributes
delivered by the RADIUS server can take effect and the functions of the L2TP user can be implemented.
The L2TP attributes delivered by the RADIUS server have a higher priority than the local
L2TP attributes. If the L2TP attributes are not delivered by the RADIUS server, do not run
this command. Otherwise, L2TP dial-up fails.
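As an added illustration, not code from the NE40E or from this guide, of the LAC's lookup sequence described under Usage Scenario above (domain name in the user name, L2TP group for the domain, LNS address for the group) and of the RADIUS precedence rules in this step, the following Python model resolves a user name to an L2TP group and LNS address list. The data classes, the dictionary keys used for the RADIUS-delivered values (including the assumed key "l2tp-group" for the delivered group name), and treating a user who ends up without L2TP attributes as an ordinary PPP user are assumptions; the Tunnel-Type value 3 for L2TP is the RFC 2868 assignment.

```python
"""Added model of LAC-side L2TP attribute resolution (not NE40E code).

Assumed: RADIUS attributes arrive as a dict whose keys are named after the
attributes listed in the guide, plus "l2tp-group" for the delivered group name.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE_L2TP = 3  # Tunnel-Type(64) value for L2TP, per RFC 2868


@dataclass
class L2tpGroup:
    name: str
    lns_ips: List[str]                  # 'start l2tp ip ...' entries


@dataclass
class Domain:
    name: str
    l2tp_group: Optional[str] = None    # 'l2tp-group group-name' under the domain
    radius_force: bool = False          # 'l2tp-user radius-force' configured


@dataclass
class Resolution:
    mode: str                           # "l2tp" or "ppp" (ordinary PPP user)
    group: Optional[str] = None
    lns_ips: List[str] = field(default_factory=list)
    reason: str = ""


def split_user(username: str) -> Tuple[str, Optional[str]]:
    """Step (1): the domain is the part after the last '@' in the user name."""
    if "@" not in username:
        return username, None
    user, domain = username.rsplit("@", 1)
    return user, domain or None


def resolve(username: str, domains: Dict[str, Domain],
            groups: Dict[str, L2tpGroup], radius: Dict[str, object]) -> Resolution:
    _, domain_name = split_user(username)
    domain = domains.get(domain_name) if domain_name else None
    if domain is None:
        return Resolution("ppp", reason="no known domain in the user name")

    radius_group = radius.get("l2tp-group")
    radius_lns = radius.get("tunnel_server_endpoint")   # attribute 67

    if domain.radius_force:
        # RADIUS must deliver the group name together with tunnel-type;
        # otherwise the user is handled as an ordinary PPP user.
        if radius_group is None or radius.get("tunnel-type") != TUNNEL_TYPE_L2TP:
            return Resolution("ppp", reason="radius-force set but RADIUS delivered "
                                            "no L2TP group name with tunnel-type")
        group_name = str(radius_group)
    else:
        # Step (2): the L2TP group comes from the domain configuration.
        if domain.l2tp_group is None:
            return Resolution("ppp", reason="domain has no L2TP group")
        group_name = domain.l2tp_group

    group = groups.get(group_name)
    local_ips = group.lns_ips if group else []
    # Step (3): RADIUS attributes have higher priority, so a delivered LNS
    # address overrides the addresses configured in the group.
    lns_ips = [str(radius_lns)] if radius_lns else local_ips
    if not lns_ips:
        return Resolution("ppp", group_name, reason="no LNS address available")
    # Step (4): the LAC would now initiate a connection to lns_ips[0] (or
    # spread sessions across them according to the group's load-balancing mode).
    return Resolution("l2tp", group_name, lns_ips)
```

The two RADIUS cases in the test reproduce the guide's own example: with group lac1 configured locally with 10.10.10.1, a delivered LNS address 10.20.20.1 wins, and a reply carrying only the group name falls back to 10.10.10.1.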
The LAC is configured to authenticate an L2TP user using the domain name of the user. This
means that the LAC sends the domain name of the user and the set password to the RADIUS
server for authentication.
If the l2tp-authorize command is configured for a domain, there are the following cases:
l When a new PPP user is to be authenticated by the RADIUS server, and the domain of
the PPP user is configured with the l2tp-authorize command, the authentication is set to
be the virtual user authentication in the user information table. Otherwise, the original
processing flow is followed.
l In the virtual user authentication, the LAC sends the user name (the domain name of
the user) and the password (huawei by default) to the RADIUS server.
l If the RADIUS server denies the authentication or the sending of the user name and
password fails, the LAC sends the original PPP user name to the RADIUS server for the
secondary authentication.
l If the RADIUS server accepts the authentication request, but tunnel-type and
TunnelServerEndpoint delivered by the RADIUS server are incorrect, the LAC sends the
original PPP user name to the RADIUS server for the secondary authentication.
l If the RADIUS server accepts the authentication request, and tunnel-type and
TunnelServerEndpoint delivered by the RADIUS server are correct, accounting is
performed for the PPP user, and the user name used in the accounting is the original PPP
user name.
If the l2tp-authorize command is not configured for a domain, the LAC sends the user name
and password entered by the user to the RADIUS server for authentication.
----End
Context
This configuration is used to authenticate the identity information (user name and password)
of a remote dial-in user using AAA. The LAC can initiate a tunnel establishment request only
after the user identity is authenticated. Otherwise, the LAC does not establish a tunnel for the
user.
Two AAA authentication modes are supported: local authentication and remote
authentication.
Procedure
Step 1 If the local authentication mode is used, you need to configure a local user name and
password on the LAC. The LAC authenticates a dial-in user by checking whether the user
name and password of the user are the same as the locally configured user name and
password.
Step 2 If the remote authentication mode is used, you need to configure a user name and password on
the RADIUS server. The LAC sends the user name and password of a dial-in user to the
RADIUS server, and the RADIUS server authenticates the user.
Step 3 For details about AAA operations, see Configuring AAA Schemes. For details about
RADIUS server operations, see Configuring a RADIUS.
----End
Context
In L2TP access scenarios, users access the network through the LAC. Therefore, you need to
configure an access mode and access interface on the LAC.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface virtual-template virtual-template-number
A VT is created and its view is displayed, or the view of an existing VT is displayed.
This interface is the physical interface through which users go online. The main interface
view is displayed for PPPoE access users and the sub-interface view is displayed for
PPPoEoVLAN access users.
The access type and relevant attributes are configured for Layer 2 access users.
When setting the access type on a BAS interface, you can set the service attributes of the
access users at the same time or later.
The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk
interface. You can configure the access type only on the Eth-Trunk interface.
----End
Procedure
l Run the display l2tp-group [ group-name ] command to check the L2TP group
configuration.
l Run the display l2tp session lac [ session-item session-id | source-ip source-ip-address |
destination-ip destination-ip-address ] command to check information about the current
LAC session.
l Run the display l2tp tunnel lac [ tunnel-item tunnel-id | tunnel-name remote-name ]
command to check information about the tunnel on the LAC.
l Run the display l2tp tunnel [ lac slot slot-id ] [ tunnel-item tunnel-id | tunnel-name
remote-name ] command to view information about L2TP tunnels.
l Run the display l2tp session { lac slot slot-id } [ session-item session-id | source-ip
source-ip-address | destination-ip destination-ip-address ] command to view information
about L2TP sessions.
----End
Example
Run the display l2tp-group command, and you can view the following:
l GroupType is displayed as REQUEST_DIALIN_L2TP.
l LnsIPAddress and LnsWeight are respectively displayed as the IP addresses and
weights of the LNSs.
l Source Ip is displayed as the IP address assigned to the source interface of the tunnel.
<HUAWEI> display l2tp-group lac
-----------------------------------------------
L2tp-index : 3
Group-Name : lac
Description :
GroupType : REQUEST_DIALIN_L2TP
TunnelAuth : Not tunnel authentication
Tunnel aaa Auth : Not tunnel aaa-authentication
Tunnel Avp46 : Not tunnel Avp46
Local tunnel name : lac
Tunnel RecvWindow : 0
Encrypt : 0
avp-hidden : 0
Algorithm : Load-sharing
Radius-auth : 0
Hello interval : 60
Retransmit : 5
Timeout : 2
Idle cut : 60
Session limit : 65535
Used : 2
IfIndex : 0xffffffff
Source Ip : 255.255.255.255
VTNum : 65535
DefaultDomain :
DomainType : default
TunnelAlarm : on
MTUFlag : Enable
MSSFlag : Enable
Tunnel per user : 0
Config Dscp : 255
ForceChap : 0
LcpReg : 0
LcpMisReg : 0
LnsNum : 2
LnsIPAddress : 2
1): 55.55.55.55 w: 1
2): 55.55.55.55 w: 1
LnsName : 2
1): NULL
2): NULL
LnsWeight :
1): 5
2): 5
3): 5
4): 5
5): 5
6): 5
7): 5
8): 5
UsedLnsNum : 2
-----------------------------------------------
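The following Python parser is an added example, not part of this guide or of the NE40E software. It reads display l2tp-group output in the format shown above into a field map and a list of LNS entries, and flags a group whose TunnelAuth is off, since the tunnel authentication procedure in this chapter recommends enabling it. SAMPLE is a constructed, shortened copy of the output above; the field names come from that output, while the parser structure, the return shape and the finding text are assumptions.

```python
"""Added parser and audit for 'display l2tp-group' output (not NE40E code).

SAMPLE is a constructed copy of the output format shown in the guide.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
<HUAWEI> display l2tp-group lac
-----------------------------------------------
L2tp-index : 3
Group-Name : lac
Description :
GroupType : REQUEST_DIALIN_L2TP
TunnelAuth : Not tunnel authentication
Tunnel aaa Auth : Not tunnel aaa-authentication
Local tunnel name : lac
Hello interval : 60
Session limit : 65535
Source Ip : 255.255.255.255
LnsNum : 2
LnsIPAddress : 2
1): 55.55.55.55 w: 1
2): 55.55.55.55 w: 1
LnsName : 2
1): NULL
2): NULL
LnsWeight :
1): 5
2): 5
UsedLnsNum : 2
-----------------------------------------------
"""

_ITEM = re.compile(r"^(\d+)\):\s*(.*)$")          # numbered entries under list keys
_LIST_KEYS = {"LnsIPAddress", "LnsName", "LnsWeight"}


def parse_l2tp_group(text: str) -> Dict[str, object]:
    """Return {"fields": {key: value}, "lns": [(ip, weight)], "weights": [int]}."""
    fields: Dict[str, str] = {}
    lists: Dict[str, List[str]] = {k: [] for k in _LIST_KEYS}
    current = None                                 # list key currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("<"):
            continue                               # separators and the CLI prompt
        m = _ITEM.match(line)
        if m and current:
            lists[current].append(m.group(2).strip())
            continue
        key, _, value = line.partition(":")        # split on the first colon only
        key, value = key.strip(), value.strip()
        fields[key] = value
        current = key if key in _LIST_KEYS else None

    lns: List[Tuple[str, int]] = []
    for entry in lists["LnsIPAddress"]:            # "55.55.55.55 w: 1"
        ip, _, w = entry.partition(" w:")
        lns.append((ip.strip(), int(w.strip() or 1)))
    return {"fields": fields, "lns": lns,
            "weights": [int(w) for w in lists["LnsWeight"]]}


def audit(parsed: Dict[str, object]) -> List[str]:
    """Flag settings the guide advises against; extend with site policy as needed."""
    findings: List[str] = []
    f = parsed["fields"]
    if f.get("TunnelAuth", "").startswith("Not"):
        findings.append("tunnel authentication is disabled; the guide recommends enabling it")
    if f.get("GroupType") == "REQUEST_DIALIN_L2TP" and not parsed["lns"]:
        findings.append("LAC group has no LNS address configured")
    return findings
```

Running parse_l2tp_group on the captured output of every L2TP group and passing the result to audit gives a quick configuration check that can be repeated after each change window.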
Usage Scenario
When the NE40E functions as an LNS, you must configure the L2TP group, that is, enable
LNS on the NE40E. The LNS responds to the tunnel setup request from the LAC,
authenticates users, and then assigns IP addresses to them.
The NE40E provides a tunnel board to process the tunnel service. In this manner, the NE40E
can function as multiple LNSs with each LNS being configured with an IP address.
The NE40E manages the LNS service by using LNS groups. An LNS group functions as an
LNS. You can configure an IP address for an LNS group and specify the tunnel board for it.
NOTE
l When the NE40E functions as an LNS, it is recommended that the IP address of the loopback
interface be used as the IP address of the LNS.
l The LNS cannot use the DHCP server to allocate IP addresses to users because the LNS does not
know users' MAC addresses. Therefore, the LNS allocates only IP addresses from the local address
pool to users.
l When the LNS interconnects with an LAC, the LNS must have a route to the LAC. For example,
when the NE40E functions as an LAC, if the LAC is configured with a source interface on the
tunnel, the route to the source interface must be configured on the LNS.
Pre-configuration Task
Before configuring the LNS, complete the following tasks:
l Enabling L2TP
l Creating a virtual template for L2TP connection setup
l Configuring the local address pool in which the IP addresses are allocated to L2TP users
l Configuring the domain of L2TP users and specifying the address pool for the domain
Configuration Procedures
(Configuration flowchart; the procedures shown as boxes are listed below.)
l Enabling L2TP
l Configuring an L2TP Connection on the LNS
l Configuring L2TP Tunnel Authentication
l Configuring User Authentication on the LNS
l Create an LNS group
l Configuring AAA Schemes
l Configuring an Address Assignment Mode
Legend: mandatory step; optional step
Context
L2TP functions can be used only after L2TP is enabled. When L2TP is disabled, even if L2TP
parameters are configured, the NE40E does not provide L2TP functions.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp enable
L2TP is enabled.
Step 3 Run commit
The configuration is committed.
----End
Context
The LNS can receive tunnel setup requests from different LACs by using different virtual
templates. After receiving a tunnel setup request, the LNS checks the LAC name. The LNS
allows the remote end to set up the tunnel if the LAC name is consistent with the name of the
valid remote end.
The L2TP group is configured as the LNS (ACCEPT_DIALIN_L2TP) in this configuration.
NOTE
l When the NE40E functions as an LNS to interconnect with another Huawei device that functions as
an LAC, it is recommended that you set the MTU in the virtual template to be less than 1462
(assume that the interface MTU is 1500).
l When the NE40E functions as an LNS to interconnect with an LAC that does not support L2TP
packet fragmentation, it is recommended that you set the MTU in the virtual template to a value
smaller than 1454 (assume that the interface MTU on the LAC is 1500). If an L2TP packet is longer
than 1500, the packet is fragmented into invalid packets on the LAC.
l If the MTU is configured manually, ensure that the MTUs negotiated by the L2TP user, LAC, and
LNS are the same.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group view is displayed.
Step 3 Run allow l2tp virtual-template virtual-template-number remote remote-name
An L2TP connection is configured on the LNS.
Except for the default L2TP group default-lns, all L2TP groups must be configured with
remote-name when the connection on the LNS is configured.
NOTE
In an L2TP group, the start command and the allow command conflict with each other. This means that
if you run either of the commands, the other command becomes invalid.
Step 9 (Optional) Run qos link-adjustment vendor redback { lns | lac } * [ slot slot-id ]
Redback packet adjustment is configured so that user traffic statistics are collected in redback
mode.
This command is supported only on the Admin VS.
Step 10 (Optional) Run avp nas-port enable
The LNS is enabled to parse the NAS-Port attribute carried in the AVP100 field of an ICRQ
message received from the LAC.
Step 11 (Optional) Run radius-attribute include nas-port lns
The LNS is enabled to encapsulate the NAS-Port attribute received from the LAC into a
packet to be sent to the RADIUS server.
----End
Context
An L2TP tunnel supports either local or remote authentication (RADIUS authentication).
Perform the following steps on the NE40E:
NOTE
l The new password must be at least eight characters long and contain at least two of the following:
upper-case letters, lower-case letters, digits, and special characters.
l When configuring an authentication password, select the ciphertext mode. If you select the simple
text mode, the password is saved in plain text in the configuration file, which is a high risk. To
ensure device security, change the password periodically.
Procedure
l Local authentication
If local authentication is used, the LAC or LNS must use only the tunnel password, but
not the tunnel name. The tunnel name is used by the LNS to select an L2TP group to
respond to the LAC connection request. The format of the tunnel name is not restricted;
however, the tunnel name configured on the LAC must be the same as the remote tunnel
name configured on the LNS.
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel name tunnel-name [ lns-ip lns-ip-address ]
The local tunnel name is specified.
d. Run tunnel authentication [ strict ]
Tunnel authentication is enabled.
You can decide whether to enable tunnel authentication before creating a tunnel
connection. To ensure tunnel security, it is recommended that tunnel authentication
be enabled.
The tunnel authentication request can be initiated by the LAC or the LNS. As long
as one end is enabled with tunnel authentication, the identity authentication is
performed in the tunnel setup process. The tunnel can be set up only if the
passwords of both ends are the same and not null; otherwise, the local end
automatically tears down the tunnel. If tunnel authentication is disabled on both
ends, tunnel authentication is not performed, irrespective of whether passwords on
both ends are the same.
The tunnel authentication strict command configuration takes effect only for the
L2TP group on the LAC. After strict tunnel authentication is configured, the LAC
performs validity check on the remote LNS's tunnel name and password. If the LNS
tunnel name and password delivered by the RADIUS server or locally configured
are different from those of the remote LNS, tunnel establishment fails. After strict
tunnel authentication is configured, you can configure the RADIUS server to
deliver the Tunnel-Server-Auth-ID attribute or configure an LNS tunnel name in the
L2TP group view of the LAC based on site requirements.
e. Run tunnel password { simple | cipher } password [ lns-ip lns-ip-address ]
If remote authentication is used, the LAC or LNS takes the L2TP tunnel as a user;
therefore, the format of the tunnel name must be username@domain. When the tunnel is
set up, the LAC or LNS sends the received user name and password of each other to the
AAA server (RADIUS server) for authentication. The AAA server must be configured
with the identical user name and password.
a. Run system-view
You can decide whether to enable tunnel authentication before creating a tunnel
connection. To ensure tunnel security, it is recommended that tunnel authentication
be enabled.
The tunnel authentication request can be initiated by the LAC or the LNS. As long
as one end is enabled with tunnel authentication, the identity authentication is
performed in the tunnel setup process. The tunnel can be set up only if the
passwords of both ends are the same and not null; otherwise, the local end
automatically tears down the tunnel. If tunnel authentication is disabled on both
ends, tunnel authentication is not performed, irrespective of whether passwords on
both ends are the same.
d. Run tunnel aaa-authentication
AAA tunnel authentication indicates that the L2TP tunnel is not authenticated
locally, but authenticated on the AAA server (RADIUS server).
e. Run commit
The configuration is committed.
l Forcible RADIUS tunnel authentication
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel radius-force
The forcible tunnel authentication is enabled.
Forcible RADIUS tunnel authentication indicates that the RADIUS server
determines whether tunnel authentication is performed. If the attributes delivered by
the RADIUS server contain the tunnel password, the tunnel password is used for
tunnel authentication; otherwise, tunnel authentication is not performed.
d. Run commit
The configuration is committed.
----End
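As an added illustration of the tunnel authentication rules in this procedure (and in the identical LAC-side procedure earlier in this chapter), not code from the NE40E or from this guide, the following Python model decides whether a tunnel setup attempt succeeds given each end's settings: authentication enabled on either end forces the password comparison, tunnel authentication strict applies on the LAC only, tunnel radius-force lets the RADIUS server decide, and the LNS admits the LAC only through a group whose remote name matches the LAC's tunnel name. The TunnelEnd fields map onto the commands named in the procedure; the class and function names and the way RADIUS-delivered values are represented are assumptions. A check for the password policy stated in the NOTE is included.

```python
"""Added model of the L2TP tunnel authentication rules (not NE40E code).

Class and function names, and the representation of RADIUS-delivered values,
are assumptions made for this example.
"""
import string
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TunnelEnd:
    name: str                                  # 'tunnel name'
    auth_enabled: bool = False                 # 'tunnel authentication'
    password: Optional[str] = None             # 'tunnel password'
    strict: bool = False                       # 'tunnel authentication strict' (LAC only)
    expected_peer_name: Optional[str] = None   # LAC: 'start l2tp ... remote lns-name' or
                                               # Tunnel-Server-Auth-ID; LNS: 'allow l2tp ... remote'
    radius_force: bool = False                 # 'tunnel radius-force'
    radius_password: Optional[str] = None      # tunnel password delivered by RADIUS, if any


def password_meets_policy(pw: str) -> bool:
    """At least eight characters and at least two of: upper, lower, digit, special."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= 8 and sum(classes) >= 2


def effective_auth(end: TunnelEnd) -> Tuple[bool, Optional[str]]:
    """With radius-force the RADIUS server decides: a delivered password means
    authenticate with it; no delivered password means no tunnel authentication."""
    if end.radius_force:
        return end.radius_password is not None, end.radius_password
    return end.auth_enabled, end.password


def tunnel_setup(lac: TunnelEnd, lns: TunnelEnd) -> Tuple[bool, str]:
    """Return (established, reason) for a tunnel setup attempt from lac to lns."""
    # The LNS selects its L2TP group by the LAC's tunnel name; only default-lns
    # accepts a LAC without a configured remote name (modelled as None here).
    if lns.expected_peer_name is not None and lns.expected_peer_name != lac.name:
        return False, "LNS has no L2TP group for this LAC tunnel name"

    lac_auth, lac_pw = effective_auth(lac)
    lns_auth, lns_pw = effective_auth(lns)
    if lac_auth or lns_auth:
        # One end enabling authentication is enough: both passwords must be
        # non-empty and identical, otherwise the tunnel is torn down.
        if not lac_pw or not lns_pw or lac_pw != lns_pw:
            return False, "tunnel password missing or mismatched"
    # With authentication disabled on both ends, passwords are not compared.

    if lac.strict:
        # Strict mode (LAC only): the LNS's tunnel name must match the name the
        # LAC expects, from 'remote lns-name' or the RADIUS-delivered value.
        if lac.expected_peer_name is None or lac.expected_peer_name != lns.name:
            return False, "strict check failed: LNS tunnel name mismatch"
    return True, "tunnel established"
```

The cases in the test cover the four combinations the procedure describes: authentication enabled on one end, on both, on neither, and the radius-force case where no password is delivered, plus the strict-mode name check on the LAC.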
Context
Authentication on the LNS involves mandatory CHAP authentication and PPP LCP re-
authentication.
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group view is displayed.
Step 3 Run mandatory-lcp [ on-mismatch [ strict ] ]
The mandatory LCP re-negotiation is performed.
Step 4 Run mandatory-chap
The mandatory CHAP authentication is performed.
Step 5 Run commit
The configuration is committed.
----End
Context
Each LNS group requires a source IP address (interface IP address) to communicate with the
LAC. The NE40E determines the LNS group that processes the request from a certain LAC
based on this IP address.
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run lns-group group-name
An LNS group is created and the LNS group view is displayed.
Step 3 (Optional) Run description description-information
A description is configured for an LNS group.
Step 4 Run bind slot slot-id
A tunnel board is bound to the LNS group.
Multiple tunnel boards can be configured on the NE40E. You can specify the tunnel board for
an LNS group. Multiple tunnel boards can be bound to an LNS group. The round robin load
balancing is performed among the tunnel boards based on tunnels.
Step 5 Run bind source interface-type interface-number
An interface is bound to the LNS group.
The IP address of the source interface bound to the LNS groups, the IP address of the tunnel
source configured in the L2TP groups, and the RBS tunnel source of dual-device hot backup cannot be
the same.
Step 6 (Optional) Run tunnel load-balance by-tunnel
Tunnel load balancing based on the number of tunnels on tunnel boards bound to an LNS
group is enabled.
Step 7 (Optional) Run tunnel load-balance by-session
Tunnel load balancing based on the number of sessions on tunnel boards bound to an LNS
group is enabled.
Step 8 Run quit
When the NE40E functions as an LNS, the system performance is degraded if too many L2TP
tunnels are established. To prevent this, you can limit the number of L2TP tunnels.
If the number of L2TP tunnels established on a tunnel board reaches the upper limit, you can
enable the block function for the tunnel board. Then, L2TP tunnels cannot be established on
the tunnel board.
The tunnel board of an LNS is enabled to send packets to the network-side outbound interface
board connected to an LAC based on hardware.
The LNS is enabled to re-mark the priorities of service packets entering a tunnel after
performing CAR.
The configuration takes effect only for tunnels established after the command is run.
NOTE
When an LNS is configured to re-mark the priorities of packets entering a tunnel after performing CAR,
the LNS does not support last-mile QoS.
The maximum number of concurrent L2TP sessions allowed for an L2TP tunnel is
configured. Excess session requests are denied.
----End
Context
This configuration is used to authenticate the identity information (user name and password)
of a remote dial-in user using AAA. The LAC can initiate a tunnel establishment request only
after the user identity is authenticated. Otherwise, the LAC does not establish a tunnel for the
user.
Two AAA authentication modes are supported: local authentication and remote
authentication.
Procedure
Step 1 If the local authentication mode is used, you need to configure a local user name and
password on the LAC. The LAC authenticates a dial-in user by checking whether the user
name and password of the user are the same as the locally configured user name and
password.
Step 2 If the remote authentication mode is used, you need to configure a user name and password on
the RADIUS server. The LAC sends the user name and password of a dial-in user to the
RADIUS server, and the RADIUS server authenticates the user.
Step 3 For details about AAA operations, see Configuring AAA Schemes. For details about
RADIUS server operations, see Configuring a RADIUS.
----End
Context
In L2TP access scenarios, the LAC is responsible for user access, and the LNS assigns IP
addresses to users.
Perform the following steps on the NE40E.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run bgp over lns enable
BGP is enabled to iterate UNR routes so that the routes between devices attached to a CPE
and the BRAS are reachable.
Clients are attached to a CPE, which is connected to an LNS through an LAC. The CPE uses
L2TP dial-up to obtain an IP address from the LNS functioning as a BRAS. Even after the LNS
learns a BGP route from the CPE, traffic cannot be forwarded over that BGP route between
the clients (or other devices attached to the CPE) and the BRAS. Enabling BGP to
dynamically learn and iterate UNR routes allows the CPE and the attached devices to
communicate with the LNS.
Step 4 For details about address management, see IPv4 Address management and IPv6 Address
Management.
----End
Procedure
l Run the display l2tp-group [ group-name ] command to view configurations of the
L2TP group.
l Run the display lns-group { all | name lns-name } command to view configurations of
the LNS group.
l Run the display l2tp session lns slot slot-id [ session-item session-id | source-ip source-
ip-address | destination-ip destination-ip-address ] command to view information about
the current LNS session.
l Run the display l2tp tunnel-limit command to view the maximum number of L2TP
tunnels.
l Run the display l2tp blocked-slot command to view blocked tunnel boards.
l Run the display l2tp tunnel [ lns slot slot-id ] [ tunnel-item tunnel-id | tunnel-name
remote-name ] command to check information about the tunnel on the LNS.
l Run the display l2tp pim-sm tunnel [ slot slot-id | tunnel-item tunnel-id ] command to
check information about users for whom PIM-SM multicast is enabled based on a
specified tunnel or tunnel board.
----End
Example
After the configuration is complete, run the display l2tp-group command. If the following is
displayed, the configuration has succeeded.
l In the configuration of the L2TP group, GroupType is displayed as
ACCEPT_DIALIN_L2TP.
l If LCP re-negotiation is configured, LcpReg is 1 in the configuration of the L2TP group.
l If CHAP re-authentication is configured, ForceChap is 1 in the configuration of the L2TP
group.
<HUAWEI> display l2tp-group lns1
-----------------------------------------------
L2tp-index : 7
Group-Name : lns1
Description :
GroupType : ACCEPT_DIALIN_L2TP
TunnelAuth : Not tunnel authentication
Tunnel aaa Auth : Not tunnel aaa-authentication
Tunnel Avp46 : Not tunnel Avp46
Local tunnel name : R06
Tunnel RecvWindow : 0
Encrypt : 0
avp-hidden : 0
Algorithm : Load-sharing
Radius-auth : 0
Hello interval : 60
Retransmit : 5
Timeout : 2
Idle cut : 60
Session limit : 65535
Used : 0
IfIndex : 0xffffffff
Source Ip : 255.255.255.255
VTNum : 15
RemoteName : dd1
DefaultDomain : dd1
DomainType : default
TunnelAlarm : on
MTUFlag : Enable
MSSFlag : Enable
Tunnel per user : 0
Config Dscp : 255
ForceChap : 0
LcpReg : 0
LcpMisReg : 0
LnsNum : 0
LnsIPAddress : 0
LnsName : 0
LnsWeight :
1): 5
2): 5
3): 5
4): 5
5): 5
6): 5
7): 5
8): 5
UsedLnsNum : 0
UnLnsNum : 0
QOS-mode : tunnel
QOS-Profile In :
QOS-Profile Out :
RemoteUsed : 0
-----------------------------------------------
Run the display lns-group command and you can view loopback interfaces and tunnel boards
to which the LNS group is bound.
<HUAWEI> display lns-group name lns1
Description :
Slot : 1
Interface : LoopBack0
Run the display l2tp session command to view information about the current LNS session.
<HUAWEI> display l2tp session lns slot 1
LocalSID RemoteSID LocalTID RemoteTID UserID UserName
------------------------------------------------------------------------------
278 24768 13921 7958 62172 user5@hz
355 24769 4561 13818 62173 user9@hz
Total 2, 2 printed from slot 1
Run the display l2tp blocked-slot command, and you can view the blocked tunnel boards
where no new L2TP tunnel can be set up.
<HUAWEI> display l2tp blocked-slot
slot 1
slot 2
Run the display l2tp tunnel-limit command to view the maximum number of L2TP tunnels.
<HUAWEI> display l2tp tunnel-limit
Info: This syntax is applicable only to LNS.
tunnel-limit = 49152
used-tunnel = 6886
Run the display l2tp tunnel [ lns slot slot-id ] [ tunnel-item tunnel-id | tunnel-name remote-
name ] command. The command output shows LNS tunnel information.
<HUAWEI> display l2tp tunnel
---------------------------------------------------------
-----------tunnel information in LAC----------------------
Such tunnel name does not exist !
---------------------------------------------------------
-----------tunnel information in LNS----------------------
The tunnel information of board 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName L2TPTunnelStartTime
------------------------------------------------------------------------------
3 2 40.40.40.1 1701 1 hhw 2011-12-15 17:00:48(Continuance:0 days 00 hours 04 mins)
------------------------------------------------------------------------------
Total 1, 1 printed from slot 1
Run the display l2tp statistics lns command. The command output shows global statistics on
the LNS.
<HUAWEI> display l2tp statistics lns
------------------LNS Statistics-----------------------
LNSCurrentUpTunnelNum : 10
LNSCurrentUpSessionNum : 10
LNSTotalEstablishedTunnelNum(H,L) : (1,100)
LNSTotalEstablishedSessionNum(H,L): (1,100)
LNSTotalTearDownTunnelNum(H,L) : (1,90)
LNSTotalTearDownSessionNum(H,L) : (1,90)
Run the display l2tp pim-sm tunnel command to check information about users for whom
PIM-SM multicast is enabled based on a specified tunnel or tunnel board.
<HUAWEI> display l2tp pim-sm tunnel
The slot 1:
-----------------------------------------------------------------------------
LocalTID RemoteAddress TotalSessions PimsmSessions RemoteName
----------------------------------------------------------------------------
50 10.1.1.1 3 3 lac@sqc
74 20.1.1.1 10 10 lac@sqc1
----------------------------------------------------------------------------
Total 2, 2 printed from slot 1
The slot 2:
----------------------------------------------------------------------------
LocalTID RemoteAddress TotalSessions PimsmSessions RemoteName
----------------------------------------------------------------------------
65 30.1.1.1 3 3 lac@sqc2
----------------------------------------------------------------------------
Total 1, 1 printed from slot 2
Context
For details about the implementation principle of L2TP tunnel switching, see Configuring the
L2TP Tunnel Switching. When the NE40E functions as an LTS, you must configure L2TP
groups to function as the LAC and LNS, respectively. That is, enable the LTS feature on the
NE40E. On one hand, the LTS functions as an LNS to respond to tunnel connection requests
initiated by the LAC on the user side. On the other hand, the LTS functions as an LAC to
initiate tunnel connection requests to the LNS (or another LTS node) on the server side.
Therefore, you must create two L2TP groups when configuring the LTS. One functions as the
LNS to receive tunnel connection requests from the LAC, and the other functions as the LAC
to send tunnel connection requests to the LNS. When the LTS functions as the LNS, the L2TP
group responds to the LAC as the peer end of the tunnel. When the LTS functions as the LAC,
the L2TP group must be bound to the LTS domain to trigger tunnel establishment. In a
common L2TP scenario, if an address pool instead of an L2TP group is bound to the LTS
domain, the LTS terminates the tunnel and assigns IP addresses to users. However, tunnel
establishment is triggered to implement tunnel switching only when an L2TP group that
functions as the LAC is bound to the LTS domain.
The configuration of the LTS functioning as the LNS is the same as that of the LNS. For
details, see Configuring an LNS.
The configuration of the LTS functioning as the LAC is the same as that of the LAC. For
details, see Configuring an LAC.
NOTE
You must specify the LAC-side L2TP group for the LTS domain. The address pool, however, does not
need to be specified.
Usage Scenario
In the L2TP service wholesale scenario, the LAC performs only service wholesale, while the
actual service control point is the LNS. An L2TP tunnel is set up between the LAC and the
LNS. Therefore, the traffic entering the L2TP tunnel and the service traffic inside the tunnel
need to be controlled in a refined manner on the LNS, to minimize the effect that unnecessary
competition for service traffic between the LAC and the LNS has on service quality. In
addition, carriers can control the traffic of different services that enters the backbone
network to limit burst traffic from users in the tunnel.
L2TP HQoS performs QoS scheduling on users at the LNS side, which aims at carrying out a
comprehensive and detailed planning on the traffic that goes into the L2TP tunnel and the
service traffic in the tunnel.
Pre-configuration Task
Before configuring L2TP HQoS, complete the following tasks:
l Installing the tunnel board on the NE40E
l Configuring L2TP for L2TP users to go online
Configuration Procedures
(Figure: configuration flowchart distinguishing the mandatory procedure from the optional procedure.)
Context
Perform the following steps on the NE40E that functions as the LNS:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run qos-profile qos-profile-name
A QoS profile is created and the QoS profile view is displayed.
Step 3 Run user-queue cir cir-value [ [ pir pir-value ] | [ flow-queue flow-queue-name ] |
[ flow-mapping mapping-name ] | [ user-group-queue group-name ] |
[ service-template service-template-name ] ] * [ inbound | outbound ]
Queue scheduling parameters are set for user queues.
Step 4 Run commit
The configuration is committed.
----End
Context
Perform the following steps on the NE40E that functions as the LNS:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
The displayed view is of the domain where the L2TP users reside.
Step 4 Run qos-profile qos-profile { inbound | outbound } lns-gts
The QoS profile is applied to the domain and the scheduling mode is set to LNS scheduling.
Step 5 Run commit
The configuration is committed.
----End
Context
Perform the following steps on the NE40E that functions as the LNS:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group is created and the L2TP group view is displayed.
The L2TP group must be the L2TP group of the LNS.
Step 3 Run qos scheduling-mode { session | tunnel }
The L2TP HQoS scheduling mode is set.
L2TP HQoS has the following scheduling modes:
l Scheduling by tunnel: In this mode, user services are not differentiated. As a result,
tunnel traffic, not user traffic, is scheduled into user queues.
l Scheduling by session: In this mode, user traffic is scheduled into user queues with
priorities ranging from 1 to 8, and tunnel traffic is scheduled into group queues. SP or
WFQ scheduling can be performed between any of the user queues.
Step 4 (Optional) Run user-group-queue user-group-queue-name [ inbound | outbound ]
NOTE
If scheduling by session is configured, this command must be run; otherwise, it does not
need to be run.
----End
Context
All L2TP HQoS configurations are complete.
Procedure
l Run the display l2tp-group group-name command to check configurations of the L2TP
group.
----End
Example
Run the display l2tp-group group-name command, and you can view the name of the QoS
profile and scheduling mode configured for the L2TP group.
-----------------------------------------------
L2tp-index : 7
Group-Name : lns1
Description :
GroupType : ACCEPT_DIALIN_L2TP
TunnelAuth : Not tunnel authentication
Tunnel aaa Auth : Not tunnel aaa-authentication
Tunnel Avp46 : Not tunnel Avp46
Local tunnel name : R06
Tunnel RecvWindow : 0
Encrypt : 0
avp-hidden : 0
Algorithm : Load-sharing
Radius-auth : 0
Hello interval : 60
Retransmit : 5
Timeout : 2
Idle cut : 60
Session limit : 65535
Used : 0
IfIndex : 0xffffffff
Source Ip : 255.255.255.255
VTNum : 15
RemoteName : dd1
DefaultDomain : dd1
DomainType : default
TunnelAlarm : on
MTUFlag : Enable
MSSFlag : Enable
Tunnel per user : 0
Config Dscp : 255
ForceChap : 0
LcpReg : 0
LcpMisReg : 0
LnsNum : 0
LnsIPAddress : 0
LnsName : 0
LnsWeight :
1): 5
2): 5
3): 5
4): 5
5): 5
6): 5
7): 5
8): 5
UsedLnsNum : 0
UnLnsNum : 0
QOS-mode : tunnel
QOS-Profile In :
QOS-Profile Out :
RemoteUsed : 0
-----------------------------------------------
Usage Scenario
This section describes the optional configurations relevant to the L2TP connection. These
configurations can be used when the NE40E functions as an LAC, an LNS, or an LTS. In
most cases, default configurations are used.
Optional configurations of an L2TP connection include tunnel authentication, AVP hidden in
transmission, hello interval, control packet retransmission, and idle-cut timer of a tunnel.
Pre-configuration Tasks
Before tuning an L2TP connection, complete the following task:
Enabling L2TP
Configuration Procedures
(Figure: configuration flowchart distinguishing the mandatory procedure from the optional procedure.)
Context
Perform the following steps on the NE40E:
Procedure
l Add attribute AVP 22 to L2TP packets.
When the NE40E functions as an LAC, you can decide whether attribute AVP 22 is added
to the ICRQ packets that the LAC sends when an L2TP user goes online.
a. Run system-view
The system view is displayed.
b. Run l2tp calling-number-avp enable
Attribute AVP 22 is added to L2TP packets.
c. Run l2tp-group group-name
The L2TP group view is displayed.
d. Run calling-number-avp format { version1 | include [ delimiter delimiter ]
{ option82 [ delimiter delimiter ] | mac [ delimiter delimiter ] | interface
[ delimiter delimiter ] | domain [ delimiter delimiter ] | sysname [ delimiter
Or run:
Pvlan is an outer VLAN and Cvlan is an inner VLAN. If the interface to which
users are connected is an ATM interface, Pvlan:Cvlan is replaced with Vpi:Vci. If
the system name contains more than 30 characters, the first 30 characters are used.
If packets sent from different DSLAMs have the same CE-VLAN ID, and the CE-
VLAN ID must be identified in the ICRQ packets to be sent by the LAC, configure
an offset for the CE-VLAN ID.
NOTE
The calling-number-avp cevlan-offset command takes effect only after the CE-VLAN ID
to be encapsulated in ICRQ packets has been specified using the calling-number-avp format
include cevlan [ delimiter delimiter ] command.
The format for encapsulating BAS interface information into AVP 22 attributes
carried in L2TP packets is set to slot/port.
i. Run commit
NOTE
After the AVP is hidden, if AAA authentication is used for the tunnel, the two ends must use
the same password.
d. Run commit
The configuration is committed.
l Configure AVP46 for the tunnel.
After AVP46 is enabled, information about the tunnel deletion cause is added to the
STOPCCN packet that is sent from the NE40E to the peer when the tunnel is deleted.
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel avp46
AVP 46 is enabled for the tunnel.
d. Run commit
The configuration is committed.
l Configure attribute AVP 47 for the tunnel.
After attribute AVP 47 is configured, the NE40E marks the DSCP value of the L2TP
control packets used to establish the L2TP tunnel; packets with different DSCP values
have different priorities.
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run set-dscp-outer dscp
The NE40E marks the DSCP value of the L2TP control packets used to establish
the L2TP tunnel. The NE40E then negotiates with the peer device (LNS) for
attribute AVP 47.
d. Run commit
The configuration is committed.
----End
Context
To check the connectivity of the tunnel, the LAC and the LNS send hello packets periodically
and the receiver of the hello packet returns a response.
If the LAC or LNS does not receive a hello response within the specified period, the hello
packet is re-sent. If no response is received after the packet has been re-sent the specified
number of times (see Configuring Control Packet Retransmission), the L2TP tunnel is
regarded as disconnected, and all sessions on the tunnel are deleted.
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group view is displayed.
Step 3 Run tunnel timer hello hello-interval
The Hello interval is configured.
Step 4 (Optional) Run tunnel hello peer-check
The NE40E is configured to send Hello packets after a Hello interval from when it receives
Hello packets from the peer end.
Step 5 Run commit
The configuration is committed.
----End
Context
When setting up a tunnel, the LAC and LNS interact and negotiate with each other by
exchanging control packets. If one end fails to receive the response from the peer in a
specified period due to network congestion, the local end retransmits the control packet to the
peer. You can configure the interval at which control packets are retransmitted and the number
of retransmission times.
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group view is displayed.
Step 3 Run tunnel retransmit times
The number of retransmission times is configured.
Or run:
tunnel timeout interval
The interval at which control packets are retransmitted is configured.
If a large number of L2TP tunnels are established, it is recommended that the timeout period
for L2TP packet retransmission be set to 5 seconds.
Step 4 Run commit
The configuration is committed.
----End
Context
The idle-cut timer specifies the period during which a tunnel exists after the number of
sessions in the tunnel reaches 0. When the timer expires, the tunnel is deleted.
Perform the following steps on the NE40E:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group view is displayed.
Step 3 Run tunnel idle-cut time
The idle-cut timer is configured.
If the idle-cut timer of the tunnel is set to 0, it indicates that the tunnel will not be deleted
automatically. However, if the remote end deletes the tunnel, it cannot be set up again.
----End
Context
Some LNSs consider 0 as an invalid VLAN ID and some LNSs consider 4096 as an invalid
VLAN ID. You need to configure the invalid VLAN ID according to the specification of the
remote LNS.
Procedure
Step 1 Run system-view
The default invalid VLAN ID in the calling-station-id attribute delivered from the L2TP user
(LAC) to the LNS is configured to be 0.
----End
Prerequisites
The L2TP connection parameters are adjusted.
Procedure
l Run the display l2tp-group [ group-name ] command to check the L2TP group
configuration.
----End
Example
Run the display l2tp-group [ group-name ] command to view the L2TP group configuration.
l If tunnel authentication is enabled, TunnelAuth is displayed as Use tunnel
authentication, and TunnelPassword is displayed as the configured tunnel password.
l If RADIUS mandatory authentication is enabled for the tunnel, Radius-auth is
displayed as 1.
l If AAA authentication is enabled for the tunnel, Tunnel aaa Auth is displayed as Use
tunnel aaa-authentication.
l If AVP hidden in transmission is configured, avp-hidden is displayed as 1.
l Hello interval is displayed as the configured hello interval.
l Retransmit is displayed as the number of retransmission times of control packets.
l Timeout is displayed as the interval at which control packets are retransmitted.
l Idle cut is displayed as the idle-cut timer for the tunnel.
<HUAWEI> display l2tp-group lns1
-----------------------------------------------
L2tp-index : 7
Group-Name : lns1
Description :
GroupType : ACCEPT_DIALIN_L2TP
TunnelAuth : Not tunnel authentication
Tunnel aaa Auth : Not tunnel aaa-authentication
Tunnel Avp46 : Not tunnel Avp46
Local tunnel name : R06
TunnelPassword : ******
Tunnel RecvWindow : 0
Encrypt : 0
avp-hidden : 0
Algorithm : Load-sharing
Radius-auth : 0
Hello interval : 60
Retransmit : 5
Timeout : 2
Idle cut : 60
Session limit : 65535
Used : 0
IfIndex : 0xffffffff
Source Ip : 255.255.255.255
VTNum : 15
RemoteName : dd1
DefaultDomain : dd1
DomainType : default
TunnelAlarm : on
MTUFlag : Enable
MSSFlag : Enable
Tunnel per user : 0
Config Dscp : 255
ForceChap : 0
LcpReg : 0
LcpMisReg : 0
LnsNum : 0
LnsIPAddress : 0
LnsName : 0
LnsWeight :
1): 5
2): 5
3): 5
4): 5
5): 5
6): 5
7): 5
8): 5
UsedLnsNum : 0
UnLnsNum : 0
QOS-mode : tunnel
QOS-Profile In :
QOS-Profile Out :
RemoteUsed : 0
-----------------------------------------------
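The verification items listed above can be checked mechanically. The following Python script is an added example, not code from the Huawei document: it parses the key/value lines of the display l2tp-group output reproduced above, flags groups that run without tunnel authentication or AVP hiding, and compares the hello, retransmit, timeout and idle-cut timers with the values an operator intended (the expected values and the "hardened" variant of the output are constructed for illustration).

```python
import re

# Sample text: the "display l2tp-group lns1" output reproduced from this page
# (only the lines the audit needs are kept; the LnsWeight sub-entries are kept
# to show that the parser skips them).
SAMPLE_L2TP_GROUP = """\
<HUAWEI> display l2tp-group lns1
-----------------------------------------------
L2tp-index        : 7
Group-Name        : lns1
Description       :
GroupType         : ACCEPT_DIALIN_L2TP
TunnelAuth        : Not tunnel authentication
Tunnel aaa Auth   : Not tunnel aaa-authentication
Local tunnel name : R06
TunnelPassword    : ******
avp-hidden        : 0
Radius-auth       : 0
Hello interval    : 60
Retransmit        : 5
Timeout           : 2
Idle cut          : 60
Session limit     : 65535
RemoteName        : dd1
LnsWeight         :
              1): 5
              2): 5
QOS-mode          : tunnel
-----------------------------------------------
"""

# Constructed variant of the same group after tunnel authentication, tunnel AAA
# authentication and AVP hiding have been enabled, used to show a clean audit.
HARDENED_L2TP_GROUP = re.sub(r"avp-hidden(\s*): 0", r"avp-hidden\1: 1",
    SAMPLE_L2TP_GROUP
    .replace("Not tunnel authentication", "Use tunnel authentication")
    .replace("Not tunnel aaa-authentication", "Use tunnel aaa-authentication"))

# One "key : value" line; keys may contain spaces and hyphens, values may be empty.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?)\s*:\s*(.*?)\s*$")

TIMER_FIELDS = ("Hello interval", "Retransmit", "Timeout", "Idle cut")


def parse_l2tp_group(text):
    """Turn display l2tp-group output into a dict of field name -> value string.
    The prompt line, separator lines and the numbered LnsWeight entries are skipped."""
    fields = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("<", "-")):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_l2tp_group(fields):
    """Check the verification items this section lists.
    Returns a list of (code, message) tuples; an empty list means nothing to flag."""
    name = fields.get("Group-Name", "<unknown>")
    findings = []
    # Tunnel authentication is shown as "Use tunnel authentication" when enabled.
    if not fields.get("TunnelAuth", "").startswith("Use tunnel authentication"):
        findings.append(("no-tunnel-auth", f"{name}: tunnel authentication is not enabled"))
    # AVP hidden in transmission is shown as avp-hidden 1 when configured.
    if fields.get("avp-hidden") != "1":
        findings.append(("avp-not-hidden", f"{name}: AVP hidden in transmission is not configured"))
    # Tunnel-level AAA authentication or RADIUS mandatory authentication.
    aaa = fields.get("Tunnel aaa Auth", "").startswith("Use tunnel aaa-authentication")
    radius = fields.get("Radius-auth") == "1"
    if not (aaa or radius):
        findings.append(("no-tunnel-aaa",
                         f"{name}: neither tunnel AAA nor RADIUS mandatory authentication is enabled"))
    # An idle-cut timer of 0 means the tunnel is never deleted automatically.
    if fields.get("Idle cut") == "0":
        findings.append(("idle-cut-zero", f"{name}: idle-cut timer is 0, tunnel never auto-deleted"))
    return findings


def timers(fields):
    """Return the tunnel timers (hello, retransmit, timeout, idle cut) as integers."""
    return {k: int(fields[k]) for k in TIMER_FIELDS if k in fields}


def check_timers(fields, expected):
    """Compare displayed timers with the values the operator intended.
    Returns a list of (field, actual, expected) for every mismatch."""
    actual = timers(fields)
    return [(k, actual.get(k), v) for k, v in expected.items() if actual.get(k) != v]


if __name__ == "__main__":
    intended = {"Hello interval": 60, "Retransmit": 5, "Timeout": 2, "Idle cut": 60}
    for label, text in (("as displayed", SAMPLE_L2TP_GROUP), ("hardened", HARDENED_L2TP_GROUP)):
        f = parse_l2tp_group(text)
        print(label, timers(f), "timer mismatches:", check_timers(f, intended))
        for code, msg in audit_l2tp_group(f):
            print("  ", code, "-", msg)
```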
Context
By monitoring L2TP, you can learn the L2TP operating status. Run the associated command to
delete an L2TP tunnel only when the tunnel carries no users, a network fault occurs, or a
device requests that the L2TP tunnel be torn down. In routine maintenance, you can run the
following commands in any view to check L2TP operation. To clear an L2TP tunnel, run
the reset command. An L2TP tunnel cannot be restored after it is cleared, so exercise caution
when running the command.
Procedure
Step 1 Run the reset l2tp tunnel { lac | lns slot slot-id } { tunnel-item tunnel-id | tunnel-name
remote-name } command to forcibly clear an L2TP tunnel.
NOTE
After the l2tp tunnel auto-reset enable command is configured, an LAC or LNS automatically removes
an L2TP tunnel if no session control message is received from the remote end after 127 ICRQ or ICRP
messages are sent within 10 minutes. You do not need to run the reset l2tp tunnel command to forcibly
remove an L2TP tunnel.
----End
Networking Requirements
As shown in Figure 12-7, PC1 is connected to the Public Switched Telephone Network
(PSTN) through a modem, and is then connected to the LAC, namely, NE40E A, across the
PSTN. PC2 is connected to NE40E A through a tunnel. The LAC and the LNS are connected
through the Internet. The LAC and the LNS communicate with each other through a tunnel.
Users access the tunnel by using domain names. On both the LAC and the LNS, the user
name and the password are authenticated by RADIUS.
(Figure 12-7 networking diagram: PC1 connects through a modem and the PSTN to the LAC, which reaches the LNS across the Internet; interface1 is GE0/1/0.)
Configuration Roadmap
A user intends to communicate with the server in the headquarters. The IP address of the
server is a private IP address, so the user cannot access the server directly through the
Internet. A VPN is needed to give the user access to the data on the internal network.
The user is connected through the domain huawei.com and obtains an IP address from the
address pool of the LNS.
Data Preparation
To complete the configuration, you need the following data:
l Consistent user name, domain name, and password of the NE40E on both the LAC side
and the LNS side
l The protocol used on the LNS side, tunnel authentication mode (CHAP is used),
password for the tunnel, tunnel name and remote peer name
l Number, IP address, and network mask of the virtual template
l L2TP group number
l Number, range, and address mask of the remote address pool
Procedure
Step 1 Configure the user side.
Create a dial-in connection with the access number huawei1, and accept the address
assigned by the LNS server.
Enter the user name "vpdnuser@huawei.com" in the dial-up terminal window that pops up,
with the password being Hello. Note that the user name and password should have been
registered on the LNS server of the company.
Step 2 Configure NE40E A that functions as an LAC.
In this example, the IP address of GE 0/1/0 on the LAC that connects the tunnel is
202.38.160.1; the IP address of GE 0/1/0 on the LNS that connects the tunnel is 202.38.160.2.
# Configure IP addresses for GE 0/1/0.
<Device> system-view
[~Device] sysname DeviceA
[*DeviceA] interface gigabitethernet 0/1/0
[*DeviceA-GigabitEthernet0/1/0] ip address 202.38.160.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0] commit
[~DeviceA-GigabitEthernet0/1/0] quit
# Enable basic L2TP functions and configure an L2TP connection on the LAC.
[~DeviceA] l2tp enable
[*DeviceA] l2tp-group 1
[*DeviceA-l2tp-1] tunnel name LAC
[*DeviceA-l2tp-1] start l2tp ip 202.38.160.2
[*DeviceA-l2tp-1] tunnel source gigabitethernet 0/1/0
[*DeviceA-l2tp-1] commit
[~DeviceA-l2tp-1] quit
# Set the name of local tunnel end on the LNS and the name of the peer tunnel end.
[*DeviceB-l2tp-1] tunnel name LNS
[*DeviceB-l2tp-1] allow l2tp virtual-template 1 remote LAC
---------------------------------------------------------
-----------tunnel information in LNS----------------------
The tunnel information of board 0
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
---------------------------------------------------------
13921 7958 202.38.160.1 57344 1 LAC
---------------------------------------------------------
Total 1,1 printed from slot 0
# Run the display l2tp session command. You can check whether the L2TP session is set up.
Take the display on the LNS side as an example.
[~DeviceB] display l2tp session lns slot 1
LocalSID RemoteSID LocalTID RemoteTID UserID UserName
------------------------------------------------------------------------------
------------------------------------------------------------------------------
# In this manner, VPN users can access the server in the headquarters.
----End
Configuration Files
l Configuration file of Device A
#
sysname DeviceA
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0
undo shutdown
#
interface GigabitEthernet0/2/0.100
pppoe-server bind Virtual-Template 1
undo shutdown
user-vlan 1 100
bas
access-type layer2-subscriber default-domain authentication huawei.com
#
interface gigabitethernet0/1/0
undo shutdown
ip address 202.38.160.1 255.255.255.0
#
l2tp-group 1
tunnel password simple 1qaz#EDC
tunnel name LAC
start l2tp ip 202.38.160.2
tunnel source gigabitethernet 0/1/0
#
aaa
domain huawei.com
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group 1
#
return
l Configuration file of Device B
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface gigabitethernet0/1/0
undo shutdown
ip address 202.38.160.2 255.255.255.0
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface LoopBack0
ip address 192.168.10.1 255.255.255.255
#
l2tp-group 1
mandatory-chap
allow l2tp virtual-template 1 remote LAC
tunnel password simple 1qaz#EDC
tunnel name LNS
#
lns-group group1
bind slot 1
bind source gigabitethernet0/1/0
#
ip pool 1 bas local
gateway 192.168.0.2 255.255.255.0
section 0 192.168.0.10 192.168.0.100
#
aaa
domain huawei.com
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
ip pool 1
#
return
Networking Requirements
As shown in Figure 12-8, the process of a VPN user accessing the company headquarters is
as follows:
l The VPN user is connected to the NAS through the PSTN; the LNS at the company
headquarters is connected to the NAS. The VPN user needs to initiate a tunnel
connection request to the LNS.
l The LNS verifies the user name and password after receiving this connection request,
and assigns a private IP address to the VPN user.
l The VPN user communicates with the company headquarters by using the tunnel
between the VPN user and LNS.
l The VPN user accesses the Internet by using domain1 and obtains an IP address from
address pool pool1.
(Figure 12-8 networking diagram: the VPN user reaches the NAS across the PSTN and the LNS across the Internet through an L2TP tunnel.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Install the client software on the user side and configure corresponding parameters.
2. Configure an LNS:
– Create a virtual template.
– Configure the L2TP group and attributes.
– Configure the address pool and domain.
– Configure the LNS group and attributes.
Data Preparation
To complete the configuration, you need the following data:
l User name and password on client and LNS
l Loopback address
l Name, network segment, and gateway of the address pool
l Name of the domain that the client belongs to
Procedure
Step 1 Configure the devices on the user side.
# The host on the user side must be installed with the L2TP client software and connected to
the Internet using dial-up. Then, configure the host as follows (the configuration process is
related to the client software):
l Set the user name and password of the VPN on the user side to vpdnuser and
1qaz@WSX respectively.
l Set the IP address of the LNS as the IP address of the NE40E interface that connects to
the Internet (In this example, the IP address of the interface connected to the tunnel on
the LNS is 11.11.11.1).
l Modify attributes of the connection and use L2TP.
# Configure the name of the LNS and the name of the peer end of the tunnel.
[*Device-l2tp-lns1] tunnel name LNS
[*Device-l2tp-lns1] allow l2tp virtual-template 1 remote vpdnuser
NOTE
Except for the default L2TP group of the LNS, each L2TP group must be configured with a remote
lac-name. default-lns is the default L2TP group of the LNS: when the NE40E functions as an LNS and
the tunnel name sent by the LAC does not match the tunnel name configured in any L2TP group, the
NE40E uses default-lns as the L2TP group.
Run the tunnel name command on the LAC to configure the remote lac-name. By default, the remote
lac-name is the host name of the LAC.
# Enable tunnel authentication and set the password for tunnel authentication.
[*Device-l2tp-lns1] tunnel authentication
[*Device-l2tp-lns1] tunnel password simple 1qaz#EDC
[*Device-l2tp-lns1] commit
[~Device-l2tp-lns1] quit
[~Device-LoopBack0] quit
# Create an LNS group named group1, bind the tunnel board in slot 1 and loopback 0 to the
LNS group.
[~Device] lns-group group1
[*Device-lns-group-group1] bind slot 1
[*Device-lns-group-group1] bind source loopback 0
[*Device-lns-group-group1] commit
[~Device-lns-group-group1] quit
------------------------------------------------------------------------------
# Run the display l2tp session command on the LNS, and you can check whether the L2TP
session is set up.
<Device> display l2tp session lns slot
LocalSID RemoteSID LocalTID RemoteTID UserID UserName
------------------------------------------------------------------------------
------------------------------------------------------------------------------
In this manner, the VPN user can access the LNS at the company headquarters.
----End
Configuration Files
Configuration file of the Device
#
sysname Device
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode auto
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 11.11.11.1
#
interface LoopBack0
Networking Requirements
As shown in Figure 12-9, DeviceA functions as the LAC and DeviceB functions as the LNS. The domain name of the headquarters of enterprise01 is isp1, and PC1 is a user of enterprise01. The domain name of the headquarters of enterprise02 is isp2, and PC2 is a user of enterprise02.
Figure 12-9 Networking for configuring access to L3VPNs through L2TP tunnels
[Figure: PC1 (user1@isp1) and PC2 (user1@isp2) reach DeviceA (LAC, Loopback0 and Loopback1) through access networks; two L2TP tunnels cross the WAN to DeviceB (LNS), which terminates them in vrf1 (Headquarter01, isp1) and vrf2 (Headquarter02, isp2).]
Device   Interface                 IP Address
DeviceA  GigabitEthernet0/1/1.1    11.11.11.1/24
         GigabitEthernet0/1/1.2    12.12.12.1/24
         GigabitEthernet0/2/0.100  -
         LoopBack0                 1.1.1.1/32
         LoopBack1                 2.2.2.2/32
DeviceB  GigabitEthernet0/1/1.1    11.11.11.2/24
         GigabitEthernet0/1/1.2    12.12.12.2/24
         LoopBack0                 3.3.3.3/32
         LoopBack1                 4.4.4.4/32
Configuration Roadmap
Multiple enterprises share the same LNS, and users of each enterprise need to communicate with their own headquarters. The headquarters networks use private addresses, so users generally cannot reach an intranet server directly over the Internet. By terminating the L2TP tunnels in separate VPN instances (multi-instance) on the LNS, users can access their intranet data.
Data Preparation
To complete the configuration, you need the following data:
l User names and passwords of PC1 and PC2
l Tunnel password, and local tunnel name and remote tunnel name on the LNS
l Names, RDs, and VPN targets of VPN instances
l Numbers of virtual templates and numbers of L2TP groups
l Number, range, and mask of the remote address pool
Procedure
Step 1 Configure the devices at the user side.
To create a dial-in connection, dial the access number specified on DeviceA; the addresses are assigned by the LNS.
On PC1, enter the user name user1@isp1 and the password in the displayed dial-up terminal window (the user name and password have been registered on the LNS).
On PC2, enter the user name user1@isp2 and the password in the displayed dial-up terminal window (the user name and password have been registered on the LNS).
Step 2 Configure DeviceA that functions as an LAC.
# Configure virtual template 1.
<Device> system-view
[~Device] sysname DeviceA
[*DeviceA] interface virtual-template 1
[*DeviceA-Virtual-Template1] ppp authentication-mode chap
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit
# Configure the LAC interface that connects to the LNS and create sub-interfaces for the
interface.
[~DeviceA] interface gigabitethernet0/1/1.1
[*DeviceA-GigabitEthernet0/1/1.1] vlan-type dot1q 1
[*DeviceA-GigabitEthernet0/1/1.1] ip address 11.11.11.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1.1] commit
[~DeviceA-GigabitEthernet0/1/1.1] quit
[~DeviceA] interface gigabitethernet0/1/1.2
[*DeviceA-GigabitEthernet0/1/1.2] vlan-type dot1q 2
[*DeviceA-GigabitEthernet0/1/1.2] ip address 12.12.12.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1.2] commit
[~DeviceA-GigabitEthernet0/1/1.2] quit
# Configure routes.
[~DeviceA] ip route-static 3.3.3.3 255.255.255.255 11.11.11.2
[~DeviceA] ip route-static 4.4.4.4 255.255.255.255 12.12.12.2
# Create sub-interfaces.
[~DeviceB] interface gigabitethernet0/1/1.1
[*DeviceB-GigabitEthernet0/1/1.1] vlan-type dot1q 1
[*DeviceB-GigabitEthernet0/1/1.1] ip address 11.11.11.2 255.255.255.0
[*DeviceB-GigabitEthernet0/1/1.1] commit
[~DeviceB-GigabitEthernet0/1/1.1] quit
[~DeviceB] interface gigabitethernet0/1/1.2
[*DeviceB-GigabitEthernet0/1/1.2] vlan-type dot1q 2
[*DeviceB-GigabitEthernet0/1/1.2] ip address 12.12.12.2 255.255.255.0
[*DeviceB-GigabitEthernet0/1/1.2] commit
[~DeviceB-GigabitEthernet0/1/1.2] quit
# Create LNS group 1, and bind the tunnel source interface to the tunnel board.
[~DeviceB] lns-group group1
[*DeviceB-lns-group-group1] bind slot 1
[*DeviceB-lns-group-group1] bind source loopback 0
[*DeviceB-lns-group-group1] bind source loopback 1
[*DeviceB-lns-group-group1] commit
[~DeviceB-lns-group-group1] quit
# Configure routes.
[~DeviceB] ip route-static 1.1.1.1 255.255.255.255 11.11.11.1
----End
Configuration Files
l Configuration file of DeviceA
#
sysname DeviceA
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0
undo shutdown
#
interface GigabitEthernet0/2/0.100
pppoe-server bind Virtual-Template 1
undo shutdown
user-vlan 1 100
bas
access-type layer2-subscriber
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
l2tp-group lac1
tunnel password simple 1qaz#EDC
tunnel name lac1
start l2tp ip 3.3.3.3
tunnel source LoopBack0
#
l2tp-group lac2
tunnel password simple 1qaz#EDC
tunnel name lac2
start l2tp ip 4.4.4.4
tunnel source LoopBack1
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac1
domain isp2
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac2
#
interface GigabitEthernet0/1/1.1
undo shutdown
vlan-type dot1q 1
ip address 11.11.11.1 255.255.255.0
#
interface GigabitEthernet0/1/1.2
undo shutdown
vlan-type dot1q 2
ip address 12.12.12.1 255.255.255.0
#
ip route-static 3.3.3.3 255.255.255.255 11.11.11.2
ip route-static 4.4.4.4 255.255.255.255 12.12.12.2
#
return
l Configuration file of DeviceB
#
sysname DeviceB
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
ip vpn-instance vrf1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vrf2
route-distinguisher 100:2
vpn-target 100:2 export-extcommunity
vpn-target 100:2 import-extcommunity
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
l2tp-group lns1
allow l2tp virtual-template 1 remote lac1
tunnel password simple 1qaz#EDC
tunnel name lns1
#
l2tp-group lns2
allow l2tp virtual-template 1 remote lac2
tunnel password simple 1qaz#EDC
tunnel name lns2
#
lns-group group1
bind slot 1
bind source LoopBack0
bind source LoopBack1
#
ip pool pool1 bas local
vpn-instance vrf1
gateway 10.10.0.1 255.255.255.0
section 0 10.10.0.10 10.10.0.100
#
ip pool pool2 bas local
vpn-instance vrf2
gateway 10.10.0.1 255.255.255.0
section 0 10.10.0.10 10.10.0.100
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
vpn-instance vrf1
ip-pool pool1
domain isp2
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
vpn-instance vrf2
ip-pool pool2
#
interface GigabitEthernet0/1/1.1
undo shutdown
vlan-type dot1q 1
ip address 11.11.11.2 255.255.255.0
#
interface GigabitEthernet0/1/1.2
undo shutdown
vlan-type dot1q 2
ip address 12.12.12.2 255.255.255.0
#
ip route-static 1.1.1.1 255.255.255.255 11.11.11.1
ip route-static 2.2.2.2 255.255.255.255 12.12.12.1
#
return
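The DeviceB configuration above ties each user domain to its own VPN instance and address pool, and the NOTE earlier in this chapter describes how the LNS picks an L2TP group from the tunnel name the LAC sends, falling back to default-lns. The following Python script is an added example, not Huawei code or device output: it parses a constructed configuration fragment modelled on DeviceB's file (the block splitting on `#` lines, the added default-lns group and the placeholder cipher texts are assumptions made for this example), then applies the group-selection rule, resolves a user name to its VPN instance and pool, and lists two review findings a configuration reviewer would raise.

```python
from typing import Dict, List, Optional

Config = Dict[str, Dict[str, Dict[str, str]]]  # section -> name -> attributes

# Constructed sample modelled on the DeviceB configuration file above, with the
# indentation restored and unrelated blocks dropped. A default-lns group is
# added to show the fallback path; the cipher texts are placeholders.
SAMPLE_CONFIG = """\
#
l2tp-group lns1
 allow l2tp virtual-template 1 remote lac1
 tunnel password simple 1qaz#EDC
#
l2tp-group lns2
 allow l2tp virtual-template 1 remote lac2
 tunnel password cipher <PLACEHOLDER-CIPHERTEXT>
#
l2tp-group default-lns
 allow l2tp virtual-template 1
 tunnel password cipher <PLACEHOLDER-CIPHERTEXT>
#
ip pool pool1 bas local
 vpn-instance vrf1
 gateway 10.10.0.1 255.255.255.0
 section 0 10.10.0.10 10.10.0.100
#
ip pool pool2 bas local
 vpn-instance vrf2
 gateway 10.10.0.1 255.255.255.0
 section 0 10.10.0.10 10.10.0.100
#
aaa
 domain isp1
  vpn-instance vrf1
  ip-pool pool1
 domain isp2
  vpn-instance vrf2
  ip-pool pool2
#
"""

def blocks(text: str) -> List[List[str]]:
    """Split a VRP-style configuration into blocks delimited by '#' lines;
    each block is a list of stripped lines whose first entry is the header."""
    out, cur = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                out.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return out + ([cur] if cur else [])

def parse_config(text: str) -> Config:
    cfg: Config = {"groups": {}, "pools": {}, "domains": {}}
    for block in blocks(text):
        head, body = block[0].split(), [line.split() for line in block[1:]]
        if head[0] == "l2tp-group":
            g = cfg["groups"][head[1]] = {}
            for w in body:
                if w[:2] == ["allow", "l2tp"] and "remote" in w:
                    g["remote"] = w[w.index("remote") + 1]  # remote lac-name
                elif w[:2] == ["tunnel", "password"]:
                    g["password_mode"] = w[2]                # simple or cipher
        elif head[:2] == ["ip", "pool"]:
            p = cfg["pools"][head[2]] = {}
            for w in body:
                if w[0] in ("vpn-instance", "gateway"):
                    p[w[0]] = w[1]
                elif w[0] == "section":
                    p["range"] = f"{w[2]}-{w[3]}"
        elif head == ["aaa"]:
            dom = None
            for w in body:
                if w[0] == "domain":
                    dom = cfg["domains"].setdefault(w[1], {})
                elif dom is not None and w[0] in ("vpn-instance", "ip-pool"):
                    dom[w[0]] = w[1]
    return cfg

def select_l2tp_group(cfg: Config, lac_tunnel_name: str) -> Optional[str]:
    """Rule from the NOTE: match the LAC's tunnel name against each group's remote
    lac-name, else fall back to default-lns; None if neither exists (assumption)."""
    for name, g in cfg["groups"].items():
        if g.get("remote") == lac_tunnel_name:
            return name
    return "default-lns" if "default-lns" in cfg["groups"] else None

def resolve_user(cfg: Config, username: str) -> Optional[Dict[str, str]]:
    """Map user@domain to the VPN instance and address pool the LNS would use."""
    dom = cfg["domains"].get(username.rpartition("@")[2]) if "@" in username else None
    if not dom or "ip-pool" not in dom:
        return None
    pool = cfg["pools"].get(dom["ip-pool"], {})
    return {"vpn-instance": dom.get("vpn-instance"), "ip-pool": dom["ip-pool"],
            "gateway": pool.get("gateway"), "range": pool.get("range")}

def audit(cfg: Config) -> List[str]:
    """A non-default group without a remote lac-name can never be selected, and
    a 'simple' tunnel password is stored in cleartext in the configuration."""
    findings = []
    for name, g in cfg["groups"].items():
        if name != "default-lns" and "remote" not in g:
            findings.append(f"{name}: no remote lac-name configured")
        if g.get("password_mode") == "simple":
            findings.append(f"{name}: tunnel password stored in cleartext (simple)")
    return findings
```

Running `audit(parse_config(SAMPLE_CONFIG))` reports only lns1, because its tunnel password is stored with `simple`; a password stored with `cipher` is not readable from a saved configuration file or a `display current-configuration` dump.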
Networking Requirements
As shown in Figure 12-10, DeviceA, DeviceB, and DeviceC function as the LAC, LTS, and
LNS respectively.
l A user dials in through PPPoE by using user name user1@domain1 and password hello.
l RADIUS authentication and RADIUS accounting are used.
l DeviceB and DeviceC do not perform authentication or accounting for the user.
l DeviceC allocates an IP address to the user from the local address pool.
Interface 1 is GE0/1/0.1.
[Figure 12-10: the user dials in over PSTN/ISDN to interface1 on DeviceA (LAC); Tunnel1 runs from DeviceA to DeviceB (LTS, Loopback0 30.30.30.1) and a second Tunnel1 from DeviceB to DeviceC (LNS, Loopback0 40.40.40.1); the RADIUS server is 20.20.20.1 and the headquarters network sits behind DeviceC.]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the user side.
Enter user1@domain1 as the user name and Hello as the password in the PPPoE dial-up
dialog box to dial in.
Step 2 Configure DeviceA (LAC).
# Configure virtual template 1.
<Device> system-view
[~Device] sysname DeviceA
[*DeviceA] interface virtual-template 1
[*DeviceA-Virtual-Template1] ppp authentication-mode chap
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit
[*DeviceA-aaa-domain-domain1] commit
[~DeviceA-aaa-domain-domain1] quit
[~DeviceA-aaa] quit
NOTE
The user name user1@domain1 and the password Hello must be configured on the RADIUS server.
# Configure loopback 0.
[~DeviceB] interface loopback 0
[*DeviceB-LoopBack0] ip address 30.30.30.1 255.255.255.255
[*DeviceB-LoopBack0] commit
[~DeviceB-LoopBack0] quit
# Enable the L2TP service and configure an L2TP group to function as an LNS.
[~DeviceB] l2tp enable
[~DeviceB] l2tp-group lns1
[*DeviceB-l2tp-lns1] tunnel name lns1
[*DeviceB-l2tp-lns1] allow l2tp virtual-template 1 remote lac1
[*DeviceB-l2tp-lns1] tunnel authentication
[*DeviceB-l2tp-lns1] tunnel password simple 1qaz#EDC
[*DeviceB-l2tp-lns1] commit
[~DeviceB-l2tp-lns1] quit
# Create an LNS group named group1, and bind the tunnel source interface to the tunnel
board.
[~DeviceB] lns-group group1
[*DeviceB-lns-group-group1] bind slot 1
[*DeviceB-lns-group-group1] bind source loopback 0
[*DeviceB-lns-group-group1] commit
[~DeviceB-lns-group-group1] quit
# Configure loopback 0.
[~DeviceC] interface loopback 0
[*DeviceC-LoopBack0] ip address 40.40.40.1 255.255.255.255
[*DeviceC-LoopBack0] commit
[~DeviceC-LoopBack0] quit
# Create an LNS group named group1, and bind the tunnel source interface to the tunnel
board.
[~DeviceC] lns-group group1
[*DeviceC-lns-group-group1] bind slot 1
[*DeviceC-lns-group-group1] bind source loopback 0
[*DeviceC-lns-group-group1] commit
[~DeviceC-lns-group-group1] quit
[*DeviceC-aaa-domain-domain1] commit
[~DeviceC-aaa-domain-domain1] quit
[~DeviceC-aaa] quit
Check the status of the tunnel when the user gets online.
<HUAWEI> display l2tp tunnel
---------------------------------------------------------
-----------tunnel information in LAC----------------------
Total 0,0 printed
---------------------------------------------------------
-----------tunnel information in LNS----------------------
The tunnel information of K board 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
------------------------------------------------------------------------------
39 4 30.30.30.1 1701 1 user1@domain1
------------------------------------------------------------------------------
Total 1, 1 printed from slot 0
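On an LNS, the RemoteAddress and RemoteName columns of display l2tp tunnel show who actually set up each tunnel, which is worth checking against the LACs or LTSs the LNS is meant to serve (here DeviceB at 30.30.30.1). The Python below is an added example, not Huawei code: it parses a constructed copy of the output above, to which a second, invented row from an unexpected peer address (192.0.2.77, documentation address space) has been added, and reports tunnels whose peer is not on an allow list.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of display l2tp tunnel output, modelled on the LNS output
# above. The second row (192.0.2.77, RemoteName unknown-peer) is invented to
# show what a tunnel from an unexpected address looks like.
SAMPLE_OUTPUT = """\
---------------------------------------------------------
-----------tunnel information in LAC----------------------
Total 0,0 printed
---------------------------------------------------------
-----------tunnel information in LNS----------------------
The tunnel information of K board 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
------------------------------------------------------------------------------
39 4 30.30.30.1 1701 1 user1@domain1
40 7 192.0.2.77 1701 3 unknown-peer
------------------------------------------------------------------------------
Total 2, 2 printed from slot 0
"""

@dataclass(frozen=True)
class Tunnel:
    local_tid: int
    remote_tid: int
    remote_address: str
    port: int
    sessions: int
    remote_name: str

# One data row: four integers around a dotted-quad address, then the peer name.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_lns_tunnels(text: str) -> List[Tunnel]:
    """Return the tunnels listed under 'tunnel information in LNS'. Column
    headers, dashed separators and 'Total' lines never match ROW_RE and are
    skipped; rows in the LAC section are ignored."""
    tunnels, in_lns = [], False
    for line in text.splitlines():
        if "tunnel information in LNS" in line:
            in_lns = True
            continue
        if "tunnel information in LAC" in line:
            in_lns = False
            continue
        m = ROW_RE.match(line) if in_lns else None
        if m:
            tunnels.append(Tunnel(int(m.group(1)), int(m.group(2)), m.group(3),
                                  int(m.group(4)), int(m.group(5)), m.group(6)))
    return tunnels

def unexpected_peers(tunnels: List[Tunnel], allowed: Set[str]) -> List[Tunnel]:
    """Tunnels whose remote address is not one of the LAC/LTS addresses this
    LNS is expected to terminate (the peer loopbacks from the topology)."""
    return [t for t in tunnels if t.remote_address not in allowed]

def total_sessions(tunnels: List[Tunnel]) -> int:
    """Sessions carried by all listed tunnels, for a quick capacity sanity check."""
    return sum(t.sessions for t in tunnels)

if __name__ == "__main__":
    found = parse_lns_tunnels(SAMPLE_OUTPUT)
    for t in unexpected_peers(found, {"30.30.30.1"}):
        print(f"unexpected peer {t.remote_address} ({t.remote_name}): "
              f"LocalTID {t.local_tid}, {t.sessions} sessions")
```

The allow list is the set of tunnel source addresses the LNS is configured to accept from (in this example the LTS loopback 30.30.30.1); tunnel authentication already rejects peers without the shared password, and this check gives operations a second, independent signal from the running state.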
----End
Configuration Files
l Configuration file of DeviceA
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/0
undo shutdown
#
interface GigabitEthernet0/1/0.1
pppoe-server bind Virtual-Template 1
undo shutdown
user-vlan 1 100
bas
access-type layer2-subscriber
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 100.100.100.1 255.255.255.0
#
l2tp-group lac1
tunnel password simple 1qaz#EDC
tunnel name LAC1
start l2tp ip 30.30.30.1
#
aaa
domain domain1
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac1
#
ip route-static 30.30.30.1 255.255.255.255 100.100.100.2
#
return
Networking Requirements
As shown in Figure 12-11, the NE40E functions as the LNS of the L2TP tunnel. The process
of a VPN user accessing the company headquarters is as follows:
l The user dials up to access the Internet.
l The NAS authenticates the user and initiates a request for setting up a tunnel to the LNS
if it finds that the user is a VPN user.
l After a tunnel is set up between the NAS and the LNS, the NAS sends packets carrying
the contents negotiated between the NAS and the VPN user to the LNS.
l The LNS determines whether to accept the connection according to the negotiation.
l The user communicates with the company headquarters through the tunnel between the
NAS and the LNS.
l The user accesses the network by using the domain doma1 and obtains its IP address
from the address pool pool1.
L2TP QoS scheduling by tunnel needs to be configured on the LNS so that multiple users go online through one tunnel and all users in the domain share a CIR of 100 Mbit/s and a PIR of 200 Mbit/s.
Figure 12-11 Networking for configuring L2TP tunnel-based QoS scheduling for user access
[Figure: users reach the NAS through the access network; the L2TP tunnel runs across the Internet from the NAS to the LNS.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the LAC.
2. Configure the LNS, with the NE40E functioning as the LNS.
3. Configure the scheduling profile and QoS profile.
4. Apply the QoS profile to the domain.
5. Configure L2TP QoS scheduling by tunnel for the L2TP group.
Data Preparation
To complete the configuration, you need the following data:
l Loopback address
l Name, network segment, and gateway of the address pool
l Name of the domain to which users belong
l Names of the scheduling profile and QoS profile
Procedure
Step 1 Configure the user side.
Enter vpdnuser@doma1 as the VPN user name, 1qaz@WSX as the password, and 170 as
the dial-in number in the dial-up window to dial in. In the displayed dial-up dialog box, enter
username as the user name and Userpass0 as the password for RADIUS authentication.
Step 2 Configure the NAS.
The configuration procedure is not provided here. For details, see the relevant manual.
Use the NAS as the LAC.
# Configure 170 as the dial-in number on the NAS.
# Create a VPN user on the RADIUS server with user name username and password
Userpass0, and configure the IP address for the LNS (In this case, the IP address of the LNS
is 192.168.0.1).
# Set the local device name to lac and perform tunnel authentication with the tunnel
authentication password being 1qaz#EDC.
# Configure tunnel authentication and set the password for tunnel authentication.
[*Device-l2tp-lns1] tunnel authentication
[*Device-l2tp-lns1] tunnel password simple 1qaz#EDC
[*Device-l2tp-lns1] commit
[~Device-l2tp-lns1] quit
# Define an address pool and allocate IP addresses for the dial-in users.
[~Device] ip pool pool1 bas local
[*Device-ip-pool-pool1] gateway 10.10.10.1 255.255.255.0
[*Device-ip-pool-pool1] section 0 10.10.10.2 10.10.10.100
[*Device-ip-pool-pool1] commit
[~Device-ip-pool-pool1] quit
# Configure loopback 0.
[~Device] interface loopback0
[*Device-LoopBack0] ip address 192.168.0.1 255.255.255.255
[*Device-LoopBack0] commit
[~Device-LoopBack0] quit
Run the display domain command to check the QoS profile configured for the L2TP group.
<HUAWEI> display domain doma1
------------------------------------------------------------------------------
Domain-name : doma1
Domain-state : Active
...............
L2TP-QosProfile-inbound : pro1
...............
------------------------------------------------------------------------------
----End
Configuration Files
#
sysname HUAWEI
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
Networking Requirements
As shown in Figure 12-12, the NE40E functions as the LNS of the L2TP tunnel. The process
of a VPN user accessing the company headquarters is as follows:
l The LNS determines whether to accept the connection according to the negotiation.
l The user communicates with the company headquarters through the tunnel between the
NAS and the LNS.
l The user accesses the network using the domain doma1 and obtains its IP address from
the address pool pool1.
L2TP QoS scheduling by session needs to be configured for the LNS, ensuring the following:
l Each user in the domain uses the CIR of 10 Mbit/s and the PIR of 20 Mbit/s.
l All users on the L2TP tunnel share the PIR of 100 Mbit/s.
Figure 12-12 Networking for configuring L2TP session-based QoS scheduling for user access
[Figure: users reach the NAS through the access network; the L2TP tunnel runs across the Internet from the NAS to the LNS.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the LAC.
2. Configure the LNS, with the NE40E functioning as the LNS.
3. Configure the scheduling profile and QoS profile.
4. Apply the QoS profile to the domain.
5. Configure L2TP QoS scheduling by session for the L2TP group.
Data Preparation
To complete the configuration, you need the following data:
l Loopback address
l Name, network segment, and gateway of the address pool
l Name of the domain to which users belong
l Names of the scheduling profile and QoS profile
Procedure
Step 1 Configure the user side.
Enter vpdnuser@doma1 as the VPN user name, 1qaz@WSX as the password, and 170 as
the dial-in number in the dial-up window to dial in. In the displayed dial-up dialog box, enter
username as the user name and Userpass0 as the password for RADIUS authentication.
Step 2 Configure the NAS.
The configuration procedure is not provided here. For details, see the relevant manual.
Use the NAS as the LAC.
# Configure 170 as the dial-in number on the NAS.
# Create a VPN user on the RADIUS server with user name username and password
Userpass0, and configure the IP address for the LNS (In this case, the IP address of the LNS
is 192.168.0.1).
# Set the local device name to lac and perform tunnel authentication with the tunnel
authentication password being 1qaz#EDC.
Step 3 Configure the NE40E (LNS).
# Create a virtual template and configure it.
<Device> system-view
[~Device] interface virtual-template 1
[*Device-Virtual-Template1] ppp authentication-mode chap
[*Device-Virtual-Template1] commit
[~Device-Virtual-Template1] quit
# Configure the name of the LNS and the name of the peer end of the tunnel.
[*Device-l2tp-lns1] tunnel name LNS
[*Device-l2tp-lns1] allow l2tp virtual-template 1 remote lac
# Configure tunnel authentication and set the password for tunnel authentication.
[*Device-l2tp-lns1] tunnel authentication
[*Device-l2tp-lns1] tunnel password simple 1qaz#EDC
[*Device-l2tp-lns1] commit
[~Device-l2tp-lns1] quit
# Configure loopback 0.
[~Device] interface loopback 0
[*Device-LoopBack0] ip address 192.168.0.1 255.255.255.255
[*Device-LoopBack0] commit
[~Device-LoopBack0] quit
Step 6 Set QoS scheduling by session for the L2TP group, and apply user-group-queue pro2 to the
L2TP group.
[~Device] l2tp-group lns1
[*Device-l2tp-lns1] qos scheduling-mode session
[*Device-l2tp-lns1] user-group-queue pro2 inbound
[*Device-l2tp-lns1] commit
[~Device-l2tp-lns1] quit
Run the display l2tp-group command to check the scheduling mode configured for the L2TP
group.
<HUAWEI> display l2tp-group lns1
-----------------------------------------------
L2tp-index : 3
Group-Name : lns1
.........
QOS-mode : session
.........
-----------------------------------------------
Run the display domain command to check the QoS profile configured for the L2TP group.
----End
Configuration Files
#
sysname HUAWEI
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
qos-profile pro1
user-queue cir 10000 pir 20000 inbound
user-queue cir 10000 pir 20000 outbound
#
user-group-queue pro2
shaping 100000 inbound
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/0
undo shutdown
#
interface GigabitEthernet0/1/0.2
pppoe-server bind Virtual-Template 1
user-vlan 270 277
undo shutdown
bas
access-type layer2-subscriber
#
interface LoopBack0
ip address 192.168.0.1 255.255.255.255
#
l2tp-group lns1
allow l2tp virtual-template 1 remote lac
tunnel password simple 1qaz#EDC
tunnel name LNS
qos scheduling-mode session
user-group-queue pro2 inbound
#
lns-group group1
bind slot 1
bind source LoopBack0
#
ip pool pool1 bas local
gateway 10.10.10.1 255.255.255.0
section 0 10.10.10.2 10.10.10.100
#
aaa
domain doma1
radius-server group radius1
authentication-scheme default1
accounting-scheme default1
ip-pool pool1
qos-profile pro1 inbound lns-gts
#
return
Networking Requirements
As shown in Figure 12-13, a single LNS cannot transmit all L2TP services. In such a case,
you can enable LNS load balancing to load-balance L2TP services among multiple LNSs
based on LNS weights.
[Figure 12-13: the VPN client reaches DeviceA (LAC) through the access network; two L2TP tunnels cross the Internet to DeviceB and DeviceC (LNSs) at the headquarters.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the dial-up connection at the user side.
2. Configure the LAC (when configuring the L2TP connection on the LAC, configure two
LNSs in the L2TP group and specify the IP addresses and weights of these LNSs).
3. Configure the LNS.
Data Preparation
To complete the configuration, you need the following data:
l User name and password of PC1
l Tunnel password, tunnel name on the LNS, and tunnel name on the LAC
l Number of the virtual template and the L2TP group number
l Number, range, and mask of the remote address pool
Procedure
Step 1 Configure the user side.
To create a dial-up connection, dial the access number specified on NE40E A, and receive IP
addresses assigned by the LNS server.
Enter the user name user1@isp1 and the password (already registered on the LNS) in the
displayed dial-up terminal window on PC1.
Step 2 Configure DeviceA that functions as an LAC.
# Configure virtual template 1.
<Device> system-view
[~Device] sysname DeviceA
[*DeviceA] interface virtual-template 1
[*DeviceA-Virtual-Template1] ppp authentication-mode chap
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit
# Create Loopback 0.
[~DeviceA] interface loopback0
[*DeviceA-LoopBack0] ip address 1.1.1.1 255.255.255.255
[*DeviceA-LoopBack0] commit
[~DeviceA-LoopBack0] quit
# Set up tunnels for L2TP load balancing and specify relevant attributes.
[~DeviceA] l2tp enable
[~DeviceA] l2tp-group lac1
[*DeviceA-l2tp-lac1] tunnel name lac1
[*DeviceA-l2tp-lac1] start l2tp ip 3.3.3.3 ip 4.4.4.4
[*DeviceA-l2tp-lac1] tunnel load-sharing
[*DeviceA-l2tp-lac1] tunnel authentication
[*DeviceA-l2tp-lac1] tunnel password simple 1qaz#EDC
[*DeviceA-l2tp-lac1] tunnel source loopback0
[*DeviceA-l2tp-lac1] commit
[~DeviceA-l2tp-lac1] quit
# Configure routes.
[~DeviceA] ip route-static 3.3.3.3 255.255.255.255 11.11.11.2
[~DeviceA] ip route-static 4.4.4.4 255.255.255.255 12.12.12.2
# Configure routes.
[~DeviceB] ip route-static 1.1.1.1 255.255.255.255 11.11.11.1
[*DeviceC-ip-pool-pool1] commit
[~DeviceC-ip-pool-pool1] quit
# Configure routes.
[~DeviceC] ip route-static 1.1.1.1 255.255.255.255 12.12.12.1
----End
Configuration Files
l Configuration file of DeviceA
#
sysname DeviceA
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0.100
pppoe-server bind Virtual-Template 1
undo shutdown
user-vlan 1 100
bas
access-type layer2-subscriber
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
l2tp-group lac1
tunnel password simple 1qaz#EDC
tunnel name lac1
start l2tp ip 3.3.3.3 ip 4.4.4.4 weight 5
tunnel load-sharing
tunnel source LoopBack0
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac1
#
interface GigabitEthernet0/1/1
undo shutdown
ip address 11.11.11.1 255.255.255.0
#
interface GigabitEthernet0/1/2
undo shutdown
ip address 12.12.12.1 255.255.255.0
#
ip route-static 3.3.3.3 255.255.255.255 11.11.11.2
ip route-static 4.4.4.4 255.255.255.255 12.12.12.2
#
return
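The DeviceA file above shares tunnels between two LNSs with start l2tp ip 3.3.3.3 ip 4.4.4.4 weight 5 and tunnel load-sharing. The Python below is an added illustration of weight-proportional distribution, not the NE40E's own algorithm, whose selection order and default weight the page does not state: it parses the start l2tp command into (address, weight) pairs (a default weight of 1 is an assumption) and distributes tunnel set-up requests with smooth weighted round-robin, so that over every full cycle each LNS receives exactly its weight's share.

```python
from collections import Counter
from typing import Dict, List, Tuple

DEFAULT_WEIGHT = 1  # assumption: the page does not state the default weight

def parse_start_l2tp(command: str) -> List[Tuple[str, int]]:
    """Parse 'start l2tp ip <addr> [weight <n>] ip <addr> [weight <n>] ...', as
    written in the DeviceA file above, into (address, weight) pairs."""
    words = command.split()
    if words[:2] != ["start", "l2tp"]:
        raise ValueError("not a start l2tp command")
    peers, i = [], 2
    while i < len(words):
        if words[i] != "ip" or i + 1 >= len(words):
            raise ValueError(f"unexpected tokens: {words[i:]}")
        addr, weight, i = words[i + 1], DEFAULT_WEIGHT, i + 2
        if i + 1 < len(words) and words[i] == "weight":
            weight, i = int(words[i + 1]), i + 2
        peers.append((addr, weight))
    return peers

def smooth_weighted_rr(peers: List[Tuple[str, int]], n: int) -> List[str]:
    """Choose an LNS for each of n tunnel set-up requests with smooth weighted
    round-robin: every peer earns its weight in credit per step, the peer with
    the most credit is chosen and charged the total weight. Over any cycle of
    sum(weights) steps each peer is chosen exactly 'weight' times."""
    credit = {addr: 0 for addr, _ in peers}
    total = sum(w for _, w in peers)
    chosen = []
    for _ in range(n):
        for addr, w in peers:
            credit[addr] += w
        pick = max(credit, key=credit.get)  # ties go to the first configured peer
        credit[pick] -= total
        chosen.append(pick)
    return chosen

def share(peers: List[Tuple[str, int]], n: int) -> Dict[str, int]:
    """Number of requests each LNS receives out of n."""
    return dict(Counter(smooth_weighted_rr(peers, n)))

if __name__ == "__main__":
    lnss = parse_start_l2tp("start l2tp ip 3.3.3.3 ip 4.4.4.4 weight 5")
    print(share(lnss, 60))  # weights 1:5 give 10 and 50 tunnels
```

With the weights from the DeviceA file, 60 requests split 10 to 3.3.3.3 and 50 to 4.4.4.4; smooth weighted round-robin is used here because it spreads the heavier peer's picks across the cycle instead of sending them back to back.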
l Configuration file of DeviceB
#
sysname DeviceB
#
l2tp enable
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
l2tp-group lns1
allow l2tp virtual-template 1 remote lac1
tunnel password simple 1qaz#EDC
tunnel name lns1
#
lns-group group1
bind slot 1
bind source LoopBack0
#
ip pool pool1 bas local
gateway 10.10.0.1 255.255.255.0
section 0 10.10.0.2 10.10.0.100
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
ip-pool pool1
#
interface GigabitEthernet0/1/1
undo shutdown
ip address 11.11.11.2 255.255.255.0
#
ip route-static 1.1.1.1 255.255.255.255 11.11.11.1
#
return
l Configuration file of DeviceC
#
sysname DeviceC
#
l2tp enable
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
l2tp-group lns1
allow l2tp virtual-template 1 remote lac1
tunnel password simple 1qaz#EDC
tunnel name lns1
#
lns-group group1
bind slot 1
bind source LoopBack1
#
ip pool pool1 bas local
gateway 10.10.0.101 255.255.255.0
section 0 10.10.0.102 10.10.0.200
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
ip-pool pool1
#
interface GigabitEthernet0/1/1
undo shutdown
ip address 12.12.12.2 255.255.255.0
#
ip route-static 1.1.1.1 255.255.255.255 12.12.12.1
#
return
Networking Requirements
The network is shown in Figure 12-14. To save public network addresses, the carrier wants to establish the L2TP tunnels over private network addresses rather than public network addresses.
Figure 12-14 Networking for configuring an L2TP tunnel on a VPN for user access
[Figure: PC1 (user1@isp1) and PC2 (user1@isp2) reach DeviceA and DeviceC (LACs) through access networks; L2TP tunnels run over the WAN inside vrf1 and vrf2 to DeviceB (LNS), behind which sit Headquarter01 (isp1) and Headquarter02 (isp2).]
Device   Tunnel Interface  IP Address    Loopback Interface  IP Address
DeviceA  GE 0/1/1          10.0.0.1/24   Loopback 0          1.1.1.1
DeviceB  GE 0/1/1          10.0.0.2/24   Loopback 0          3.3.3.3
DeviceB  GE 0/1/2          10.10.0.2/24  Loopback 1          4.4.4.4
DeviceC  GE 0/1/1          10.10.0.1/24  Loopback 1          2.2.2.2
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the dial-up connection at the user side.
2. Configure the LAC.
3. Configure the LNS.
Data Preparation
To complete the configuration, you need the following data:
l User names and passwords of PC1 and PC2
l Tunnel password, tunnel name on the LNS, and tunnel name on the LAC
l VPN instance name
l Numbers of virtual templates and L2TP groups
l Number, range, and mask of the remote address pool
Procedure
Step 1 Configure the user side.
To create a dial-up connection, dial the access number specified on Device A, and receive
addresses assigned by the LNS server.
Enter the user name user1@isp1 and the password (already registered on the LNS) in the
displayed dial-up terminal window on PC1.
Enter the user name user1@isp2 and password (already registered on the LNS) in the
displayed dial-up terminal window on PC2.
# Bind the LAC interface connected to the LNS to the VPN instance.
[~DeviceA] interface gigabitethernet0/1/1
[*DeviceA-GigabitEthernet0/1/1] ip binding vpn-instance vrf1
[*DeviceA-GigabitEthernet0/1/1] ip address 10.0.0.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1] commit
[~DeviceA-GigabitEthernet0/1/1] quit
# Create Loopback 0.
[~DeviceA] interface loopback0
[*DeviceA-LoopBack0] ip binding vpn-instance vrf1
[*DeviceA-LoopBack0] ip address 1.1.1.1 255.255.255.255
[*DeviceA-LoopBack0] commit
[~DeviceA-LoopBack0] quit
[*DeviceA-radius-radius1] commit
[~DeviceA-radius-radius1] quit
# Configure routes.
[~DeviceA] ip route-static vpn-instance vrf1 3.3.3.3 255.255.255.255 10.0.0.2
# Bind the LAC interface connected to the LNS to the VPN instance.
[~DeviceC] interface gigabitethernet0/1/1
[*DeviceC-GigabitEthernet0/1/1] ip binding vpn-instance vrf2
[*DeviceC-GigabitEthernet0/1/1] ip address 10.10.0.1 255.255.255.0
[*DeviceC-GigabitEthernet0/1/1] commit
[~DeviceC-GigabitEthernet0/1/1] quit
# Create Loopback 1.
[~DeviceC] interface loopback1
[*DeviceC-LoopBack1] ip binding vpn-instance vrf2
[*DeviceC-LoopBack1] ip address 2.2.2.2 255.255.255.255
[*DeviceC-LoopBack1] commit
[~DeviceC-LoopBack1] quit
# Configure routes.
[~DeviceC] ip route-static vpn-instance vrf2 4.4.4.4 255.255.255.255 10.10.0.2
# Create LNS group 1, and bind the tunnel board and the interfaces to the LNS group.
[~DeviceB] lns-group group1
[*DeviceB-lns-group-group1] bind slot 1
[*DeviceB-lns-group-group1] bind source LoopBack0
[*DeviceB-lns-group-group1] bind source LoopBack1
[*DeviceB-lns-group-group1] commit
[~DeviceB-lns-group-group1] quit
# Configure routes.
[~DeviceB] ip route-static vpn-instance vrf1 1.1.1.1 255.255.255.255 10.0.0.1
[~DeviceB] ip route-static vpn-instance vrf2 2.2.2.2 255.255.255.255 10.10.0.1
----End
Configuration Files
l Configuration file of DeviceA
#
sysname DeviceA
#
l2tp enable
#
radius-server group radius1
radius-server authentication 10.0.0.249 1812
radius-server accounting 10.0.0.249 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0.100
undo shutdown
pppoe-server bind Virtual-Template 1
user-vlan 1 100
bas
access-type layer2-subscriber
#
ip vpn-instance vrf1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
interface LoopBack0
ip binding vpn-instance vrf1
ip address 1.1.1.1 255.255.255.255
#
l2tp-group lac1
tunnel password simple 1qaz#EDC
tunnel name lac1
start l2tp ip 3.3.3.3
tunnel source LoopBack0
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac1
#
interface GigabitEthernet0/1/1
undo shutdown
ip binding vpn-instance vrf1
ip address 10.0.0.1 255.255.255.0
#
ip route-static vpn-instance vrf1 3.3.3.3 255.255.255.255 10.0.0.2
#
return
l Configuration file of DeviceC
#
sysname DeviceC
#
l2tp enable
#
radius-server group radius1
radius-server authentication 10.10.0.249 1812
radius-server accounting 10.10.0.249 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0.100
undo shutdown
pppoe-server bind Virtual-Template 1
user-vlan 1 100
bas
access-type layer2-subscriber
#
ip vpn-instance vrf2
route-distinguisher 200:1
vpn-target 200:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
interface LoopBack1
ip binding vpn-instance vrf2
ip address 2.2.2.2 255.255.255.255
#
l2tp-group lac2
Networking Requirements
As shown in Figure 12-15, DeviceA (NE40E A) and DeviceB (NE40E B) function as PEs on the MPLS backbone. DeviceA functions as the LAC and DeviceB as the LNS, and the L2TP tunnel is set up inside the VPN. Loopback 0 belongs to VRF 1 and Loopback 1 belongs to VRF 2.
Figure 12-15 Networking diagram for establishing an L2TP Tunnel on an L3VPN for user access
[Figure: PC1 reaches DeviceA (LAC, LoopBack0 in VRF1) through the access network on interface1; the L2TP tunnel crosses the MPLS backbone from interface2 to DeviceB (LNS, LoopBack0), behind which sits Headquarter01 (isp1); the user label in the figure reads user1@isp2.]
Configuration Roadmap
1. Set up an MPLS VPN on the backbone network.
2. Bind the interface of the L2TP tunnel to the VPN instance.
3. Configure dial-up parameters at the user side.
4. Configure a LAC.
5. Configure an LNS.
Data Preparation
To complete the configuration, you need the following data:
l MPLS LSR ID of each PE, which is the IP address of Loopback 2
l Usernames and passwords of PC1 and PC2
l Tunnel password, the tunnel name on the LNS, and the tunnel name on the LAC
l VPN instance
l Numbers of two VT interfaces and numbers of two L2TP groups
l Number, range, and mask of the remote address pool
Procedure
Step 1 Configure the devices on the user side.
To create a dial-up connection, dial the access number specified on DeviceA, and receive the addresses assigned by the LNS server.
On PC1, enter the user name user1@isp1 and the password in the displayed dial-up terminal window (the user name and password have been registered on the LNS).
On PC2, enter the user name user1@isp2 and the password in the displayed dial-up terminal window (the user name and password have been registered on the LNS).
Step 2 Configure DeviceA (the LAC side).
# Configure VT interface 1.
<Device> system-view
[~Device] sysname DeviceA
[*DeviceA] interface virtual-template 1
[*DeviceA-Virtual-Template1] ppp authentication-mode chap
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit
[*DeviceA-l2tp-lac1] commit
[~DeviceA-l2tp-lac1] quit
[~DeviceA] l2tp-group lac2
[*DeviceA-l2tp-lac2] tunnel name lac2
[*DeviceA-l2tp-lac2] start l2tp ip 10.4.1.3
[*DeviceA-l2tp-lac2] tunnel authentication
[*DeviceA-l2tp-lac2] tunnel password simple 1qaz#EDC
[*DeviceA-l2tp-lac2] tunnel source loopback1
[*DeviceA-l2tp-lac2] commit
[~DeviceA-l2tp-lac2] quit
# Create VT interface 1.
[~DeviceB] interface virtual-template 1
# Create LNS group 1, and bind the tunnel board and the interfaces to the LNS group.
[~DeviceB] lns-group group1
[*DeviceB-lns-group-group1] bind slot 1
[*DeviceB-lns-group-group1] bind source LoopBack0
[*DeviceB-lns-group-group1] bind source LoopBack1
[*DeviceB-lns-group-group1] commit
[~DeviceB-lns-group-group1] quit
[~DeviceB-aaa] quit
----End
Configuration Files
l Configuration file of DeviceA
#
sysname DeviceA
#
mpls lsr-id 1.1.1.9
mpls
lsp-trigger all
#
mpls ldp
#
radius-server group radius1
radius-server authentication 10.0.0.249 1812
radius-server accounting 10.0.0.249 1813
radius-server shared-key itellin
#
ip vpn-instance vrf1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vrf2
route-distinguisher 200:1
vpn-target 200:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
l2tp-group lac1
tunnel password simple 1qaz#EDC
tunnel name lac1
start l2tp ip 10.3.1.3
tunnel source LoopBack0
l2tp-group lac2
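The configuration file above stores the L2TP tunnel password with the simple keyword and the RADIUS shared key in clear text, and lac1 as shown has no tunnel authentication line; the RBS section later in this chapter also notes that the remote backup service has no secure authentication mechanism by default. The following Python script is an added example (not Huawei code): it parses the block-per-'#' configuration-file format shown on this page and reports those weak settings. The sample configuration is constructed from the DeviceA file above; the cipher keyword, the ciphertext placeholder, the RBS block and the ssl-policy line are assumptions about command syntax, to be checked against the command reference for your release.

```python
"""Audit a Huawei VRP-style configuration for weak L2TP, RADIUS and RBS settings.

Added example (not Huawei code). It parses the configuration-file format shown
on this page: blocks separated by '#' lines, one command per line.
"""
from dataclasses import dataclass

# Constructed sample modelled on the DeviceA configuration file above, plus a
# lac2 group with tunnel authentication and an RBS block. The `cipher` keyword,
# the ciphertext placeholder and the `ssl-policy` line are assumptions about
# command syntax; check them against the command reference for your release.
SAMPLE_CONFIG = """\
#
 sysname DeviceA
#
radius-server group radius1
 radius-server authentication 10.0.0.249 1812
 radius-server accounting 10.0.0.249 1813
 radius-server shared-key itellin
#
l2tp-group lac1
 tunnel password simple 1qaz#EDC
 tunnel name lac1
 start l2tp ip 10.3.1.3
 tunnel source LoopBack0
#
l2tp-group lac2
 tunnel name lac2
 start l2tp ip 10.4.1.3
 tunnel authentication
 tunnel password cipher <ciphertext>
 tunnel source LoopBack1
#
remote-backup-service rbs1
 peer 10.2.1.2 source 10.2.1.1 port 60000
#
"""


@dataclass(frozen=True)
class Finding:
    section: str   # block header, e.g. "l2tp-group lac1"
    rule: str      # short rule id
    detail: str    # what a reviewer should do about it


def parse_blocks(text):
    """Split a VRP configuration into (header, child_lines) tuples.

    Blocks are delimited by lines consisting of '#'; the first non-empty line
    of a block is its header, the remaining lines are its commands.
    """
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks


def audit(text):
    """Return the findings for one configuration, in configuration order."""
    findings = []
    for header, body in parse_blocks(text):
        if header.startswith("radius-server group "):
            for line in body:
                if line.startswith("radius-server shared-key ") and \
                        not line.startswith("radius-server shared-key cipher "):
                    findings.append(Finding(header, "radius-shared-key-plaintext",
                                            "RADIUS shared key is stored in clear text"))
        elif header.startswith("l2tp-group "):
            if "tunnel authentication" not in body:
                findings.append(Finding(header, "l2tp-no-tunnel-auth",
                                        "L2TP tunnel authentication is not enabled"))
            for line in body:
                if line.startswith("tunnel password simple "):
                    findings.append(Finding(header, "l2tp-password-plaintext",
                                            "tunnel password is stored in clear text"))
        elif header.startswith("remote-backup-service "):
            if not any(line.startswith("ssl-policy ") for line in body):
                findings.append(Finding(header, "rbs-no-ssl-policy",
                                        "RBS is not bound to an SSL policy"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.section}: [{f.rule}] {f.detail}")
```

Run it against a saved display current-configuration output; lac2 in the sample produces no finding because it enables tunnel authentication and stores the password in cipher form, while lac1, the RADIUS group and the RBS block each produce one or more findings.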
13.1 Overview
In multi-device backup, a VRRP backup group can be created to achieve BRAS user
information backup. In this manner, services can be flexibly controlled and managed.
13.2 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2E
13.3 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2F
13.4 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2H
13.5 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2K
13.6 Configuring Multi-Device Backup for IPv4 User Information
After multi-device backup of IPv4 user information is enabled, users do not need to re-dial up,
QoS scheduling remains unchanged, accounting information is not lost, and users can go
online through new locations after a master/backup switchover.
13.7 Configuring Multi-Device Backup for IPv6 BRAS User Information
After multi-device backup of BRAS user information is enabled on IPv6 networks, users do
not need to re-dial up, QoS scheduling remains unchanged, accounting information is not lost,
and users can go online through new locations after a master/backup switchover.
13.8 Configuring Multicast Two-node Hot Backup
Configuring multicast two-node hot backup improves reliability for networks that bear
multicast services. This feature ensures multicast service continuity in case of a BRAS failure.
13.9 Configuring L2TP Two-node Hot Backup
L2TP two-node hot backup can be configured on LACs, improving L2TP access reliability.
L2TP two-node hot backup allows users to get online again without re-dialing up if a network
fault occurs.
13.1 Overview
In multi-device backup, a VRRP backup group can be created to achieve BRAS user
information backup. In this manner, services can be flexibly controlled and managed.
BRAS User Information Backup
Currently, information about IPoE dynamic users, PPPoE users, web authentication users, and
static users can be backed up on Ethernet sub-interfaces, QinQ sub-interfaces, and Eth-trunk
interfaces whose members reside on the same board.
Information to be backed up includes:
l Basic user information, including the user MAC address, session ID, IP address, user
name, authentication information, and Option 60.
l Accounting information, including the accounting ID, traffic information, and duration.
l QoS information, including the user priority and QoS profiles.
l Physical location information, including the inner and outer VLAN IDs and Option 82.
The backup information has the following functions:
l Authentication and authorization information: Users do not need to re-dial for
authentication.
l Accounting information: Service Detailed Records (SDRs) are not lost after a master/
backup BRAS switchover.
l Access location information: Binding users can go online at a new location.
l QoS information: QoS scheduling remains unchanged before and after a master/backup
BRAS switchover.
Restriction: Restrictions on L2TP hot backup:
l Only LAC hot backup is supported.
Guidelines: Do not deploy features that conflict with LAC hot backup after deploying LAC hot backup.
Impact: The function does not take effect on the backup device.

Restriction: When traffic is forwarded through the protection tunnel, enabling URPF on a network-side interface may cause a URPF check failure. Therefore, you are advised to disable URPF on a network-side interface based on the actual deployment scenario. Forwarded traffic includes IPoE/PPP/L2TP user traffic passing through the protection tunnel.
Guidelines: Do not deploy URPF on the network side in RUI scenarios.
Impact: Traffic fails to be forwarded.

Restriction: The backup device fails to ping users (users on the backup device are in the slave state and cannot be pinged, but the users can be pinged on the master device).
Guidelines: Do not ping users on the backup device.
Impact: Users cannot be pinged on the backup device.

Restriction: Restrictions on IPv6 hot backup:
l Multi-device hot backup for static IPv6 users is not supported.
l In ND mode, only unshared prefix assignment is supported.
l Protection tunnels for IPv6 services support only the MPLS LSP mode (6PE and 6VPE models).
l IPv6 address pools do not support inter-chassis borrowing (local RUI-slave address pools cannot be used to assign IP addresses to the master device).
l IPv6 hot backup does not support exclusively used address pools.
l IPv6 hot backup does not support the mapping of RADIUS authorization address pool names to the local device.
l IPv6 multicast does not support hot backup.
Guidelines: Do not deploy features that conflict with IPv6 hot backup after deploying IPv6 hot backup.
Impact: The function does not take effect on the backup device.
Configuration Procedures
Perform one or more of the following configurations as required.
Prerequisites
Before establishing a multi-device backup platform, complete the following tasks:
l Configure peer BFD, link BFD, or Ethernet OAM on the user side.
Background
Based on a VRRP backup group, a multi-device backup platform runs the Huawei-proprietary
Redundancy User Information (RUI) protocol to back up user information between devices,
which allows for more flexible user service management and improves service reliability.
Establishing a multi-device backup platform involves configuring basic functions of a VRRP
backup group, a remote backup service (RBS), and a remote backup profile (RBP).
Perform the following steps on each of devices that back up one another:
Procedure
l Configure basic functions of a VRRP backup group.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number [.subinterface-number ]
The view of the interface on which a VRRP backup group is configured is
displayed.
c. Run vrrp vrid virtual-router-id virtual-ip virtual-address
A VRRP backup group is created, and a virtual IP address is assigned to the VRRP
backup group.
NOTE
The same VRID and virtual IP address must be set on each of devices that back up one
another.
d. Run admin-vrrp vrid virtual-router-id [ ignore-if-down ]
This VRRP backup group is configured as an mVRRP backup group.
e. Run vrrp vrid virtual-router-id priority priority-value
The priority of a device in the VRRP backup group is configured.
The devices in the VRRP backup group must be assigned different VRRP priorities.
The device with a higher priority serves as the master one.
f. Run vrrp vrid virtual-router-id preempt-mode timer delay delay-value
The preemption delay is set in a VRRP backup group.
Run this command on the master VRRP device so that the backup VRRP device
becomes the master one only after the fault is rectified and services are restored.
The preemption delay is related to service types in the following scenarios:
n In an IPv4 single-stack scenario, the minimum preemption delay is 10 minutes.
Increase the value by 1 minute for every additional 6K users. If 256K users get
online through a device, setting the value to 40 minutes is recommended.
n In an IPv4 and IPv6 dual-stack scenario, the minimum preemption delay is 10
minutes. Increase the value by 1 minute for every additional 6K users. If 128K
users get online through a device, setting the value to 40 minutes is recommended.
n When the IPv4 single-stack and EDSG services are configured, the minimum
preemption delay is 15 minutes. Increase the value by 1 minute for every
additional 4K users. If 256K users get online through a device, setting the value
to 60 minutes is recommended.
n When the IPv4 and IPv6 dual-stack and EDSG services are configured, the
minimum preemption delay is 15 minutes. Increase the value by 1 minute for
every additional 4K users. If 128K dual-stack users get online through a device,
setting the value to 60 minutes is recommended.
g. Run commit
The configuration is committed.
l Configure an RBP.
a. (Optional) Run peer-backup batch access enable
The device is configured to allow users to get online when performing batch
backup.
b. Run system-view
The system view is displayed.
c. Run remote-backup-profile profile-name
An RBP is created, and the RBP view is displayed.
d. Run peer-backup hot
Inter-device hot backup is enabled.
e. Run vrrp-id vrid interface interface-type interface-number
The RBP is bound to the VRRP backup group.
n In multi-device backup networking, using load balancing improves link usage.
To load-balance traffic, use either of the following parameters:
○ odd-mac: user packets with odd MAC addresses
○ even-mac: user packets with even MAC addresses
n If odd-mac or even-mac is not configured, the vrrp-id command only binds a
single VRRP backup group ID to an RBP and associates the RBP with a single
VRRP sub-interface. If load balancing is required, run the vrrp-id command
twice, with odd-mac and even-mac configured, respectively. Two VRRP
backup group IDs must be bound to the same RBP and be associated with
different VRRP sub-interfaces. In addition, odd-mac and even-mac must be
configured for different VRRP backup groups with specific IDs. The two
devices that load-balance traffic must have the same configuration, including
the binding between the VRRP backup group ID and even or odd MAC
address type.
n Before modifying the setting of odd-mac or even-mac, run the undo vrrp-id
vrid command to delete the configuration. Then run the vrrp-id vrid command
to reconfigure the setting.
f. Run backup-id backup-id remote-backup-service service-name
The RBP is associated with the RBS, and the user backup ID in the RBP is set.
backup-id sets a user backup ID. The RBP to which a user belongs can be
determined based on the backup-id and RBS. Note that the same backup-id value
must be set for devices that back up one another in the same RBP, and different
backup-id values must be set in other RBPs.
g. Run service-type { arp | l2tp | bras | multicast | igmp | igmp-snooping | no-host-
multicast | dhcp-server }
NOTE
By default, the RBS has no secure authentication mechanism: the backup session is set up over a plain
TCP connection between the configured peers. Binding the RBS to an SSL policy is recommended.
d. Run peer peer-ip-address source source-ip-address port port-id
peer-ip-address sets the IP address of a remote device that backs up the local
device. source-ip-address sets the IP address of a local device. The remote IP
address must already exist on the remote device's main interface, sub-interface, or
logical interface (for example, loopback interface). The local IP address must
already exist on the local device's main interface, sub-interface, or logical interface.
The local and remote IP addresses must be able to ping each other.
port-id indicates the listening port number of a server. The same TCP port number
must be set on devices that back up one another.
e. (Optional) Run batch-backup service-type { arp | all | bras | l2tp | multicast |
igmp-snooping | dhcp-server } now
The device is enabled to immediately back up user services configured in the RBS.
f. (Optional) Run track interface interface-name [ weight weight ]
The RBS is configured to monitor the network-side interface status and check
whether the TCP connection for the RBS fails or recovers.
is 0.5 Gbit/s. If you use interface B as a reference interface and set its weight to 10,
the weight of interface A is 50 and that of interface C is 5.
NOTE
The threshold for a master/backup switchover due to uplink failures and the
duration before the switchover is complete are set.
When you run the track interface command, the weights specified must comply
with the rules of the master/backup VRRP switchover. If a master/backup
switchover is performed based on the fault rate of uplinks but a master/backup
VRRP switchover is not performed, the backup device forwards the network-side
traffic back to the master device for processing after receiving the traffic from the
master device. In this case, the master device is congested with traffic because the
master/backup switchover is not performed at the same time as the master/backup
VRRP switchover.
If the track interface command is run in the RBS view, the device automatically
deletes the track interface and switchover uplink commands after the track
interface-group command is run. The device then determines a master/backup
switchover based on the track monitor-group command.
i. (Optional) Run track route-monitor-group group-name switchover failure-ratio
percent
A link fault threshold (in percentage) that triggers a master/backup switchover is set
for the route monitor group on the network side.
If the track interface command is run in the RBS view, the device automatically
deletes the track interface command after the track route-monitor-group
switchover failure-ratio command is run. The device then determines a master/
backup switchover based on the track route-monitor-group switchover failure-
ratio command.
j. (Optional) Run track bfd-session bfd-session
The RBS tracks the BFD status so that the RBS can rapidly monitor the remote
device status.
NOTE
This step is recommended. Before running this command, ensure that a peer BFD session is
established between the master and backup devices on the network side.
k. (Optional) Run radius-authorization source same-as nas-logic-ip
The device is configured to reply to the RADIUS server with packets in which the
source IP address is the same as the NAS IP address.
l. Run commit
The configuration is committed.
----End
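The track interface step above derives interface weights from bandwidth (B as the reference with weight 10 gives A 50 and C 5), and the note warns that an RBS switchover triggered by uplink failures must be paired with the VRRP switchover, otherwise the new network-side master hands user traffic back to the VRRP master. The following Python block is an added model of that decision (not the device's algorithm): it assumes the switchover rule is "down weight divided by total tracked weight, as a percentage, at or above the configured failure ratio", which the page implies but does not state, and the uplink bandwidths are constructed from the page's example.

```python
"""Illustrative model of RBS uplink tracking with weights and a failure ratio.

Added example, not the device's implementation. The switchover rule below
(down weight / total weight >= failure-ratio percent) is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Uplink:
    name: str
    bandwidth_gbps: float
    up: bool = True


# Constructed from the page's example: B is the reference interface (weight 10),
# A has five times B's bandwidth and C has half of it.
UPLINKS = (Uplink("A", 5.0), Uplink("B", 1.0), Uplink("C", 0.5))


def track_weights(uplinks, reference="B", reference_weight=10):
    """Derive `track interface ... weight` values proportional to bandwidth."""
    ref_bw = next(u.bandwidth_gbps for u in uplinks if u.name == reference)
    return {u.name: round(u.bandwidth_gbps / ref_bw * reference_weight) for u in uplinks}


def failed_weight_percent(uplinks, weights):
    """Share of the tracked weight that is currently down, in percent."""
    total = sum(weights[u.name] for u in uplinks)
    down = sum(weights[u.name] for u in uplinks if not u.up)
    return 100.0 * down / total


def rbs_switchover(uplinks, weights, failure_ratio_percent):
    """True when the down share reaches the configured failure ratio (modelled rule)."""
    return failed_weight_percent(uplinks, weights) >= failure_ratio_percent


def traffic_path(rbs_master, vrrp_master):
    """Where user traffic flows when the RBS and VRRP master roles agree or disagree.

    The page's caveat: if the RBS switched over but VRRP did not, the device that
    now attracts network-side traffic forwards it back to the VRRP master, so the
    VRRP master carries the load twice.
    """
    return "direct" if rbs_master == vrrp_master else "hairpin"


def simulate(down, failure_ratio_percent=50, vrrp_follows=True):
    """Bring the named uplinks down on the master and report the resulting state."""
    uplinks = tuple(Uplink(u.name, u.bandwidth_gbps, up=u.name not in down) for u in UPLINKS)
    weights = track_weights(uplinks)
    switched = rbs_switchover(uplinks, weights, failure_ratio_percent)
    rbs_master = "backup" if switched else "master"
    # vrrp_follows models the VRRP backup group switching together with the RBS.
    vrrp_master = rbs_master if vrrp_follows else "master"
    return {
        "percent": failed_weight_percent(uplinks, weights),
        "rbs_master": rbs_master,
        "path": traffic_path(rbs_master, vrrp_master),
    }


if __name__ == "__main__":
    print(track_weights(UPLINKS))
    print(simulate({"A"}))
    print(simulate({"A"}, vrrp_follows=False))
    print(simulate({"C"}))
```

Losing the 5 Gbit/s uplink A takes 50 of 65 weight units (about 77%) out of service and triggers the modelled switchover; losing only C (5 of 65) does not. The second simulate call shows the hairpin case the note describes, which is why the weights and the failure ratio must be chosen so that the RBS decision and the VRRP decision coincide.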
Context
User information remote backup is enabled by default for users who get online through an
AAA domain. To disable this function, run the undo peer-backup enable command.
Information about authenticated users will then not be backed up even if hot backup is
enabled on the user access interface.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run undo peer-backup enable
User information remote backup is disabled for users getting online from a specified domain.
NOTE
The user information remote backup configuration cannot be modified in the view of an AAA domain
where users have logged in. To be specific, if user information remote backup configuration is disabled,
the peer-backup enable command cannot be run. If user information remote backup configuration is
enabled, the undo peer-backup enable command cannot be run.
----End
Context
To allow users to log in through the backup device and be authenticated again, perform the
following operations on the devices that back up each other:
Procedure
Step 1 Run system-view
The logic IP address, logic interface, and logic host name are configured. Ensure that the
devices that back up each other send the same information about NAS-IP-Address, NAS-Port,
NAS-Port-ID, and Option 82 contained in the packets to the RADIUS and DHCP servers.
You are advised to set NAS-IP-Address on the master device to be the same as that on the
backup device. If you run the radius-authorization source same-as nas-logic-ip command
to set NAS-IP-Address to the source IP address of packets sent to the RADIUS server, the
master and backup devices must have different NAS-IP-Address values. If the RADIUS
server checks binding authentication, the master and backup devices must have the same
NAS-IP-Address value. In this case, NAS-IP-Address cannot be set to the source IP address
of packets sent to the RADIUS server.
----End
Context
To ensure that user traffic can be backed up in real time, perform the following operations on
the devices that back up each other:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run remote-backup-profile profile-name
The RBP view is displayed.
Step 3 Run traffic backup { interval interval-value [ threshold threshold-value ] | threshold
threshold-value [ interval interval-value ] }
The interval for backing up traffic or the traffic threshold is set.
Step 4 Run commit
The configuration is committed.
----End
Context
In the dual-system hot backup scenario, BRASs control the advertisement of UNRs of
configured address pools in either of the following modes:
l Manual control: If two BRASs work in load balancing mode, each BRAS is configured
with two address pools. One is the primary address pool and the other is the secondary
address pool. The primary address pool on one BRAS is the secondary address pool on
the other BRAS. The cost value of the primary address pool must be smaller than that of
the secondary address pool on the same BRAS, allowing the primary address pool to be
preferentially used. The cost values can be set in a routing policy, which allows the UNR
of the primary address pool to have higher route precedence than that of the secondary
address pool. For information about how to configure a routing policy, see Configuring a
Routing Policy in HUAWEI NE40E-M2 Series Universal Service Router Configuration
Guide - IP Routing.
l Automatic control: Automatic route advertisement is easier to configure than manual route advertisement.
Automatic route advertisement prevents the problem that if a fault in a BRAS occurs and
a master/backup BRAS switchover is implemented, UNRs cannot be automatically
advertised after the BRAS recovers. The default route cost can be used to control route
preference. If dual-system hot backup is configured on BRASs, a routing protocol
imports UNRs and trusts UNR preference values. This allows the network segment route
of the primary address pool to have higher route precedence than that of the secondary
address pool.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run peer-backup route-cost auto-advertising
The BRAS is configured to use default cost values of routes to control route preference when
the routes are generated. The route can be an address pool UNR or a route to a loopback
interface of the LAC on an L2TP tunnel.
NOTE
The address pool routes are not updated in real time, whether or not the BRAS is configured to use
default cost values of routes to control route preference. The route control takes effect only when the
address pool is re-bound to the RBS.
----End
Follow-up Procedure
To use a routing policy to give the UNR of the primary address pool the highest precedence,
run the import-route unr route-policy route-policy-name command in the IS-IS, OSPF, or
BGP view:
l In the IS-IS view:
Run the import-route unr route-policy route-policy-name command.
l In the OSPF view:
Run the import-route unr route-policy route-policy-name command.
l In the BGP view:
Run the import-route unr route-policy route-policy-name command.
To preserve the cost values of UNRs imported by a routing protocol, perform one of the
following steps based on the type of routing protocol:
l In the IS-IS view:
Run the import-route unr inherit-cost command.
l In the OSPF view, run the following commands:
a. default cost inherit-metric
b. import-route unr
l In the BGP view:
Run the import-route unr command.
Context
If the exclusive IP address pool mode is used, a great number of address pools are needed.
This wastes addresses. The shared IP address pool mode resolves this problem. To use the
shared IP address pool mode:
l Do not bind address pools to the RBP.
l Both the master and backup devices must advertise their network segment routes to
address pools and be configured with a route policy to ensure that the route advertised by
the master device has a higher priority. This prevents load balancing on the network-side
devices.
l A protection tunnel, for example, an LSP, must be set up between the master and backup
devices. If the uplink of a user fails, the downstream traffic of the user is diverted to the
protection tunnel.
l Bind the address pool to the RBS by running the ip-pool pool-name in the RBS view.
This ensures that traffic at the network side can be forwarded through the protection
tunnel before the host route is generated.
NOTE
Only the primary address pool needs to be bound to the RBS. The secondary address pool does not
need to be bound to the RBS.
Perform the following steps on each of the devices that back up each other:
Procedure
l Configure the protection path in IP redirection mode for public users.
To configure the protection path in IP redirection mode, deploy a directly connected link
between the devices that back up each other.
a. Run system-view
The system view is displayed.
b. Run remote-backup-service service-name
The RBS view is displayed.
c. Run protect redirect ip-nexthop ip-address interface interface-type interface-
number
The protection path is configured to work in IP redirection mode for public users.
The peer IP address and local outbound interface must be specified.
d. Run ip-pool pool-name
The primary address pool is bound to the RBS.
e. Run commit
The configuration is committed.
l Configure the protection path in tunnel mode for public users.
a. Run system-view
The system view is displayed.
b. Run remote-backup-service service-name
The RBS view is displayed.
c. Run protect tnl-policy policy-name peer-ip ip-address [ interface interface-type
interface-number ]
The protection path is configured to be the label switched path (LSP), Multiprotocol
Label Switching (MPLS) Traffic Engineering (TE) tunnel, or Generic Routing
Encapsulation (GRE) tunnel for public users. The tunnel type is specified by the
tunnel policy, and the outbound interface is optional.
d. Run ip-pool pool-name
The primary address pool is bound to the RBS.
e. Run commit
The configuration is committed.
l Configure the protection path for VPN users.
a. Run system-view
The system view is displayed.
b. Run remote-backup-service service-name
The RBS view is displayed.
c. Run protect ip-vpn-instance vpn-instance-name peer-ip ip-address [ interface
interface-type interface-number ]
The protection tunnel is configured for VPN users. You need to specify the VPN
instance name. The peer IP address is the IP address of the loopback interface that
is bound to the VPN instance on the peer device. In this case, the tunnel type cannot
be specified; the tunnel is automatically selected by the device. The outbound
interface is optional.
d. Run ip-pool pool-name
The primary address pool is bound to the RBS.
e. Run commit
The configuration is committed.
NOTE
The protect lsp-tunnel for-all-instance peer-ip command configures a protection tunnel template
for both the public network and VPNs. After the command is run, a public protection tunnel is
automatically created, and a VPN protection tunnel is triggered by user login, without needing to
configure a protection tunnel for each VPN. This function simplifies tunnel configuration.
To configure a specific public protection tunnel, run the protect tnl-policy policy-name peer-ip
ip-address [ interface interface-type interface-number ] command; to configure a specific VPN
protection tunnel, run the protect ip-vpn-instance vpn-instance-name peer-ip ip-address
[ interface interface-type interface-number ] command. These two commands can be configured
together with the protect lsp-tunnel for-all-instance peer-ip command. In this situation, the
protect lsp-tunnel for-all-instance peer-ip command takes precedence.
----End
Context
The master and backup devices are configured with address pools in shared mode. If a link
fault triggers a master/backup device switchover, the backup device (now the master device)
can continue to assign addresses of the original master device (now the backup device) to
users by using a remote DHCP server. This prevents address pool resource wastes.
Procedure
Step 1 Configure address pools on the master and backup devices.
1. Run system-view
A local primary address pool and an rui-slave (local rui-slave) secondary address pool
are configured on the master or backup device.
NOTE
A remote DHCP server can be used to allocate addresses for users logging in to the master and
backup devices. If a remote DHCP server is used, a remote address pool must be configured on the
master device; a remote rui-slave address pool must be configured on the backup device; the
address pools must be associated with the DHCP server group on the remote DHCP server.
3. Run gateway ip-address mask
The gateway IP address and subnet mask are used to check whether an address segment
is in the same subnet as the gateway. Therefore, the gateway IP address and subnet mask
must be configured before the address segment.
4. Run section section-num start-ip-address [ end-ip-address ]
If both the master and backup devices have two address pools configured, the primary
and secondary address pools must use different address ranges on the master and backup
devices. The master device's primary address pool and the backup device's secondary
address pool share an address range. The master device's secondary address pool and the
backup device's primary address pool share an address range. This prevents address
conflict after a master/backup device switchover occurs.
NOTE
If an rui-slave address pool (configured using the local rui-slave parameter) is used, the remote
DHCP server and its parameters must be configured.
If an rui-slave address pool (configured using the local rui-slave parameter) is bound to an RBS,
the address pool automatically uses the peer IP address in the RBS as a DHCP server IP address,
without additional configuration.
Before performing the following step, ensure that the dhcp-server group group-name remote-
backup-service rbs-name command is run in the system view to specify the name of a DHCP
server group and associate the DHCP server group with a specified RBS.
5. (Optional) Run dhcp-server group group-name
The remote DHCP server that is configured for the secondary address pool on the backup
device must be mapped to the master device. On a network where the master and backup
devices balance traffic, the remote DHCP server that is configured for the secondary
address pool on the master device must also be mapped to the backup device.
6. Run commit
A source address pool can be mapped to multiple target address pools in ascending order
by node-id, which means that the mapping starts from the target address pool with the
smallest node-id.
This example assumes that a remote DHCP server is used to allocate addresses and if its
address resources are exhausted, the local address pool is used to allocate addresses. This
requires the secondary address pool on the backup device to have a higher priority than
the primary address pool. Assume that the local address pool is used to allocate
addresses, and if its address resources are exhausted, the remote DHCP server is used to
allocate addresses. This requires the primary address pool to have a higher priority than
the secondary address pool.
4. (Optional) Run frame-route metric metric-num
NOTE
Only PPP leased line users are supported.
5. Run commit
----End
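The address-pool rules above are easy to get wrong across two chassis: every section must lie inside the subnet of the gateway configured before it, the primary and secondary pools on one device must not share addresses, and the master's primary pool must use exactly the range of the backup's secondary pool (and vice versa) so that no address is handed out twice after a switchover. The following Python block is an added check (not Huawei code) that validates a pair of such pool definitions with the standard ipaddress module; the pool names, gateways and section ranges are constructed for the example.

```python
"""Check that RUI master/backup address pools mirror each other without overlap.

Added example, not Huawei code. Each pool is modelled as what the `gateway`
and `section` commands express: a gateway/mask and a list of (start, end) ranges.
"""
import ipaddress

# Constructed sample: the master's primary pool is the backup's secondary pool
# and vice versa, as the page requires. Names and ranges are assumptions.
MASTER_POOLS = {
    "primary": {"gateway": "10.1.1.1/24", "sections": [("10.1.1.2", "10.1.1.254")]},
    "secondary": {"gateway": "10.1.2.1/24", "sections": [("10.1.2.2", "10.1.2.254")]},
}
BACKUP_POOLS = {
    "primary": {"gateway": "10.1.2.1/24", "sections": [("10.1.2.2", "10.1.2.254")]},
    "secondary": {"gateway": "10.1.1.1/24", "sections": [("10.1.1.2", "10.1.1.254")]},
}
# A mis-sized backup secondary pool: after a switchover it could not cover all
# addresses the master had already assigned from 10.1.1.2-10.1.1.254.
BAD_BACKUP_POOLS = {
    "primary": BACKUP_POOLS["primary"],
    "secondary": {"gateway": "10.1.1.1/24", "sections": [("10.1.1.100", "10.1.1.254")]},
}


def _ranges(pool):
    """Sections as sorted (start, end) integer pairs, so ranges compare directly."""
    return sorted((int(ipaddress.ip_address(s)), int(ipaddress.ip_address(e)))
                  for s, e in pool["sections"])


def _overlap(r1, r2):
    return r1[0] <= r2[1] and r2[0] <= r1[1]


def pool_problems(name, pool):
    """Sections must sit inside the gateway's subnet and must not overlap each other."""
    problems = []
    subnet = ipaddress.ip_network(pool["gateway"], strict=False)
    ranges = _ranges(pool)
    for start, end in ranges:
        if (ipaddress.ip_address(start) not in subnet
                or ipaddress.ip_address(end) not in subnet):
            problems.append(f"{name}: section {ipaddress.ip_address(start)}-"
                            f"{ipaddress.ip_address(end)} outside gateway subnet {subnet}")
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            if _overlap(ranges[i], ranges[j]):
                problems.append(f"{name}: overlapping sections")
    return problems


def validate_pair(master, backup):
    """Return all rule violations for a master/backup pair (empty list means OK)."""
    problems = []
    for dev, pools in (("master", master), ("backup", backup)):
        for role in ("primary", "secondary"):
            problems += pool_problems(f"{dev}/{role}", pools[role])
        # Primary and secondary on the same device must not share addresses.
        for r1 in _ranges(pools["primary"]):
            for r2 in _ranges(pools["secondary"]):
                if _overlap(r1, r2):
                    problems.append(f"{dev}: primary and secondary pools overlap")
    # Cross-device mirroring, so that a switchover does not reassign live addresses.
    if _ranges(master["primary"]) != _ranges(backup["secondary"]):
        problems.append("master primary pool does not mirror backup secondary pool")
    if _ranges(master["secondary"]) != _ranges(backup["primary"]):
        problems.append("master secondary pool does not mirror backup primary pool")
    return problems


if __name__ == "__main__":
    print(validate_pair(MASTER_POOLS, BACKUP_POOLS))      # []
    print(validate_pair(MASTER_POOLS, BAD_BACKUP_POOLS))  # mirror mismatch
```

Feed it the gateway and section lines of the ip pool views on both devices before binding the pools to the RBP or RBS; a non-empty result means a switchover could either strand users or assign an address already in use.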
Context
In RUI scenarios, if both the master and backup devices receive DHCPv4 Release messages,
the logout reason recorded on the master device may differ from that recorded on the
backup device because of message timing. To keep the logout reasons consistent on both
devices, run the access packet dhcp release rui-slave discard command so that the backup
device discards DHCPv4 Release messages without processing them.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run access packet dhcp release rui-slave discard
The backup device is enabled to discard DHCPv4 Release messages in RUI scenarios.
----End
Context
Run the following commands to check the previous configuration.
Procedure
l Run the display remote-backup-profile [ profile-name ] command to check RBP
information.
l Run the display remote-backup-service [ service-name [ verbose ] ] command to check
RBS information.
l Run the display backup-user [ user-id user-id | username user-name ] command to
check backup user information.
Example
Run the display remote-backup-profile command to view RBP information, including the
name of the remote backup service, name of the interface bound to a Virtual Router
Redundancy Protocol (VRRP) backup group, name of the user access interface bound to the
RBP, protocol used to detect the link status, RBP status, and backup mode.
<HUAWEI>display remote-backup-profile profile1
--------------------------------------------
Profile-Index : 0x802
Profile-Name : profile1
Service : bras
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : GigabitEthernet0/1/0.2
Access-Control : Odd-Mac
State : Master
Peer State : Slave
VRRP-ID : 2
VRRP-Interface : GigabitEthernet0/1/0.3
Access-Control : Even-Mac
State : Slave
Peer State : Master
Interface :
GigabitEthernet0/1/0.1
Backup mode : hot
Slot-Number : 1
Card-Number : 0
Port-Number : 0
Traffic interval : 10(minutes)
Run the display remote-backup-service command to view information about the RBS,
including the server index number, server name, TCP connection status, remote IP address,
local IP address, TCP port number, tunnel name, and IP address pool name.
<HUAWEI>display remote-backup-service rui
----------------------------------------------------------
Service-Index : 0
Service-Name : rui
TCP-State : Connected
Peer-ip : 10.0.0.1
Source-ip : 10.0.0.2
TCP-Port : 11111
Track-BFD : --
Track-interface0 : GigabitEthernet0/3/0
Weight :10
Track-interface1 : GigabitEthernet0/3/1
Weight :10
Last up time :2011-08-25 11:56:37
-----------------------------------------------------------------
r4 metric 20
remotev4 metric 10
ipv6 pool:
1234 metric 10
iana_yyz metric 10
iapd_yyz metric 10
lo metric 10
loc_vpn metric 10
nd metric 10
pd metric 10
remote_del_yyz metric 10
remotev6_yyz metric 10
Failure ratio : 50%
Failure duration : 0 min
Rbs-ID : 0
Protect-type : public(lsp)
Tunnel-policy : tp1
Peer-ip : 10.0.0.1
Vrfid : 0
Tunnel-state : UP
Tunnel-OperFlag: NORMAL
Spec-interface : Null
Total users : 100
Path 1:
Tunnel-index : 0xc000003
Out-interface : GigabitEthernet0/3/2
Vc-label : 0
User-number : 100
Run the display backup-user command to view information about backup users, including
the number of local and remote users.
<HUAWEI> display backup-user
Remote-backup-service: rbs2
Total Users Numer: 10
------------------------------------------------------------------------
100 101 102 103 104 105 106 107 108 109
------------------------------------------------------------------------
Local Users Number :10
Remote Users Number :0
Run the display access-user interface command to view information about the access users
on a specified interface.
<HUAWEI>display access-user interface GigabitEthernet 0/1/2.1
------------------------------------------------------------------------------
UserID Username Interface IP address MAC
Vlan IPv6 address Access type
------------------------------------------------------------------------------
1 user1@huawei GE0/1/2.1 192.168.7.199 0016-ecb7-a879
-/- - PPPoE
------------------------------------------------------------------------------
2 user2@huawei GE0/1/2.1 - 0016-ecb7-a876
-/- - 99::/64 PPPoE
Normal users : 0
RUI Local users : 2
RUI Remote users : 0
Total users : 2
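The RBS output shown above lends itself to an automatic health check. The script below is an added example written for this page, not Huawei tooling: it parses the key/value lines of the display remote-backup-service output (the sample embedded in the script is the one quoted above), pairs each Track-interface with the Weight line that follows it, and reports a TCP state other than Connected or a protection tunnel that is not UP with OperFlag NORMAL as errors, and a missing BFD track (Track-BFD showing --) as a warning. The health rules and message texts are this example's own choices, not device behaviour.

```python
"""Health check over 'display remote-backup-service' output.

Added example, not Huawei tooling. It parses the key/value lines of the
command output quoted in the guide and reports the conditions an operator
would want alerted on for an RBS.
"""
import re
from typing import Dict, List, Tuple

# Sample output reproduced from the guide; in practice this text would be
# captured from the device.
SAMPLE_OUTPUT = """\
Service-Index : 0
Service-Name : rui
TCP-State : Connected
Peer-ip : 10.0.0.1
Source-ip : 10.0.0.2
TCP-Port : 11111
Track-BFD : --
Track-interface0 : GigabitEthernet0/3/0
Weight :10
Track-interface1 : GigabitEthernet0/3/1
Weight :10
Last up time :2011-08-25 11:56:37
Failure ratio : 50%
Failure duration :0 min
Rbs-ID : 0
Protect-type : public(lsp)
Tunnel-policy : tp1
Peer-ip : 10.0.0.1
Vrfid : 0
Tunnel-state : UP
Tunnel-OperFlag: NORMAL
Spec-interface : Null
Total users : 100
"""

# "Key : value" with optional whitespace on either side of the colon
# ("Weight :10" and "Tunnel-OperFlag: NORMAL" both occur in real output).
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 _-]*?)\s*:\s*(.*?)\s*$")


def parse_rbs(text: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, int]]]:
    """Return (fields, tracked).

    fields keeps every value seen for a key, because Peer-ip appears once for
    the RBS and once for the protection tunnel. tracked pairs each
    Track-interfaceN line with the Weight line that follows it."""
    fields: Dict[str, List[str]] = {}
    tracked: List[Tuple[str, int]] = []
    pending = None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key.startswith("Track-interface"):
            pending = value
        elif key == "Weight" and pending is not None:
            tracked.append((pending, int(value)))
            pending = None
        else:
            fields.setdefault(key, []).append(value)
    return fields, tracked


def rbs_health(text: str) -> Dict[str, List[str]]:
    """Classify the RBS state: errors mean backup is not working, warnings
    mean failure detection is weaker than the guide recommends."""
    fields, tracked = parse_rbs(text)

    def first(key: str) -> str:
        return fields.get(key, [""])[0]

    errors: List[str] = []
    warnings: List[str] = []
    if first("TCP-State") != "Connected":
        errors.append(f"RBS TCP connection state is {first('TCP-State') or 'missing'}")
    if first("Tunnel-state") != "UP":
        errors.append(f"protection tunnel state is {first('Tunnel-state') or 'missing'}")
    if first("Tunnel-OperFlag") != "NORMAL":
        errors.append(f"protection tunnel OperFlag is {first('Tunnel-OperFlag') or 'missing'}")
    if not tracked:
        warnings.append("no network-side interface is tracked")
    if first("Track-BFD") in ("", "--"):
        warnings.append("no BFD session is tracked (Track-BFD is --)")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    print(rbs_health(SAMPLE_OUTPUT))
```

Run against the sample, the check reports no errors and one warning about the absent BFD track, which matches the note in the RBS procedure that a network-side peer BFD session is recommended.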
Configuration Procedures
Perform one or more of the following configurations (excluding checking the configuration)
as required.
Prerequisites
Before establishing a multi-device backup platform, complete the following tasks:
l Configure peer BFD, link BFD, or Ethernet OAM on the user side.
l Configure peer BFD on the network side.
l Configure a local or remote address pool. The same address pool must be configured on
devices that back up one another.
Background
Based on a VRRP backup group, a multi-device backup platform runs the Huawei-proprietary
Redundancy User Information (RUI) protocol to back up user information between devices,
which allows for more flexible user service management and improves service reliability.
Establishing a multi-device backup platform involves configuring basic functions of a VRRP
backup group, a remote backup service (RBS), and a remote backup profile (RBP).
Perform the following steps on each of the devices that back up one another:
Procedure
l Configure basic functions of a VRRP backup group.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number [.subinterface-number ]
The view of the interface on which a VRRP backup group is configured is
displayed.
c. Run vrrp vrid virtual-router-id virtual-ip virtual-address
A VRRP backup group is created, and a virtual IP address is assigned to the VRRP
backup group.
NOTE
The same VRID and virtual IP address must be set on each of the devices that back up one
another.
d. Run admin-vrrp vrid virtual-router-id [ ignore-if-down ]
This VRRP backup group is configured as an mVRRP backup group.
e. Run vrrp vrid virtual-router-id priority priority-value
The priority of a device in the VRRP backup group is configured.
The devices in the VRRP backup group must be assigned different VRRP priorities.
The device with a higher priority serves as the master one.
f. Run vrrp vrid virtual-router-id preempt-mode timer delay delay-value
The preemption delay is set in a VRRP backup group.
Run this command on the master VRRP device so that the backup VRRP device
becomes the master one only after the fault is rectified and services are restored.
The preemption delay is related to service types in the following scenarios:
n In an IPv4 single-stack scenario, the minimum preemption delay is 10 minutes.
Increase the value by 1 for every 6K users. If 256K users get online through a
device, setting the value to 40 minutes is recommended.
n In an IPv4 and IPv6 dual-stack scenario, the minimum preemption delay is 10
minutes. Increase the value by 1 for every 6K users. If 128K users get online
through a device, setting the value to 40 minutes is recommended.
n When the IPv4 single-stack and EDSG services are configured, the minimum
preemption delay is 15 minutes. Increase the value by 1 for every 4K users. If
256K users get online through a device, setting the value to 60 minutes is
recommended.
n When the IPv4 and IPv6 dual-stack and EDSG services are configured, the
minimum preemption delay is 15 minutes. Increase the value by 1 for every
4K users. If 128K dual-stack users get online through a device, setting the
value to 60 minutes is recommended.
g. Run commit
The configuration is committed.
l Configure an RBP.
a. (Optional) Run peer-backup batch access enable
The device is configured to allow users to get online when performing batch
backup.
b. Run system-view
The system view is displayed.
c. Run remote-backup-profile profile-name
An RBP is created, and the RBP view is displayed.
d. Run peer-backup hot
Inter-device hot backup is enabled.
e. Run vrrp-id vrid interface interface-type interface-number
The RBP is bound to the VRRP backup group.
n In multi-device backup networking, using load balancing improves link usage.
To load-balance traffic, use either of the following parameters:
○ odd-mac: user packets with odd MAC addresses
○ even-mac: user packets with even MAC addresses
n If odd-mac or even-mac is not configured, the vrrp-id command only binds a
single VRRP backup group ID to an RBP and associates the RBP with a single
VRRP sub-interface. If load balancing is required, run the vrrp-id command
NOTE
The RBS has no secure authentication mechanism by default. Binding the RBS to an SSL policy
to improve security is recommended.
d. Run peer peer-ip-address source source-ip-address port port-id
Parameters of the TCP connection for the RBS are set.
peer-ip-address sets the IP address of the remote device that backs up the local
device, and source-ip-address sets the IP address of the local device. The remote IP
address must already exist on the remote device's main interface, sub-interface, or
logical interface (for example, a loopback interface), and the local IP address must
already exist on the local device's main interface, sub-interface, or logical interface.
The local and remote IP addresses must be reachable from each other (verify this with ping).
port-id indicates the listening port number of the server. The same TCP port number
must be set on devices that back up one another.
NOTE
This step is recommended. Before running this command, ensure that a peer BFD session is
established between the master and backup devices on the network side.
k. (Optional) Run radius-authorization source same-as nas-logic-ip
The device is configured to reply to the RADIUS server with packets in which the
source IP address is the same as the NAS IP address.
l. Run commit
The configuration is committed.
----End
Context
User information remote backup is enabled by default for users who get online through an
AAA domain. To disable this function, run the undo peer-backup enable command.
Information about authenticated users will then not be backed up even if hot backup is
enabled on the user access interface.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
NOTE
The user information remote backup configuration cannot be modified in the view of an AAA domain
in which users have logged in. Specifically, if user information remote backup is disabled, the
peer-backup enable command cannot be run; if it is enabled, the undo peer-backup enable
command cannot be run.
----End
Context
To allow users to log in through the backup device twice authentication, perform the
following operations on the devices that back up each other:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run remote-backup-profile profile-name
The RBP view is displayed.
Step 3 Run service-type bras
The RBS of the BRAS user information is enabled.
Step 4 Run nas { logic-ip ip-address | logic-port [ interface-name | interface-type interface-number ]
| logic-sysname host-name }
The logic IP address, logic interface, and logic host name are configured. Ensure that the
devices that back up each other send the same information about NAS-IP-Address, NAS-Port,
NAS-Port-ID, and Option 82 contained in the packets to the RADIUS and DHCP servers.
By default, you are advised to set NAS-IP-Address on the master device to be the same as that
on the backup device. If you run the radius-authorization source same-as nas-logic-ip
command to set NAS-IP-Address to the source IP address of packets sent to the RADIUS
server, the master and backup devices must have different NAS-IP-Address values. If the
RADIUS server checks binding authentication, the master and backup devices must have the
same NAS-IP-Address value, and in this case NAS-IP-Address cannot be set to the source IP
address of packets sent to the RADIUS server.
Step 5 Run commit
----End
Context
To ensure that user traffic can be backed up in real time, perform the following operations on
the devices that back up each other:
Procedure
Step 1 Run system-view
----End
Context
If the exclusive IP address pool mode is used, a great number of address pools are needed.
This wastes addresses. The shared IP address pool mode addresses this problem. To adopt the
shared IP address pool mode, the following conditions must be met:
l The address pool is bound to an RBS, that is, the ip-pool pool-name [ metric metric-
num ] or ipv6-pool pool-name [ metric metric-value ] command is configured in the
RBS view. This ensures that network-side traffic can be forwarded through the protection
tunnel before the host route is generated.
NOTE
Only the primary address pool, not the secondary address pool, is bound to the RBS.
Perform the following configurations on the devices that back up each other:
Procedure
l Configure a protection tunnel template for public and private networks.
a. Run system-view
The protection tunnel template is configured for both public and private networks.
NOTE
n For an IPv4 user, run the ip-pool pool-name [ metric metric-num ] command.
n For an IPv6 user, run the ipv6-pool pool-name [ metric metric-value ]
command.
e. (Optional) Run dhcpv6-server destination destination-ipv6-address source
source-ipv6-address [ vpn-instance vpn-instance ]
Context
In exclusive address pool mode, an address pool is configured for each interface and bound to
an RBP. When an RBP is in the master state, the RBP advertises network segment routes of
the address pool to the network side. When an RBP is in the backup state, the RBP withdraws
network segment routes of the address pool. In this way, the RBP controls the advertisement
and withdrawal of network-side routes to ensure that network-to-user traffic is always
forwarded on the master device. The forwarding paths of network-to-user traffic are therefore
controlled based on interfaces.
Perform the following steps on an RBP backup group.
Procedure
l RADIUS-authorized address pool scenarios:
a. Run system-view
The system view is displayed.
b. Run ipv6 pool pool-name bas local
A local IPv6 address pool is created and the IPv6 address pool view is displayed.
c. Run prefix
The IPv6 prefix pool view is displayed and prefixes are configured in the IPv6
prefix pool.
d. Run quit
Exit the IPv6 prefix pool view.
e. Run quit
Exit the IPv6 address pool view.
f. Run remote-backup-profile profile-name
The remote backup profile view is displayed.
g. Run ipv6-pool source-pool-name include destination-pool-name [ node node-id ]
A source IPv6 address pool is mapped to a destination address pool.
h. Run ipv6-pool destination-pool-name
An IPv6 address pool is configured.
The name of the IPv6 address pool is specified by destination-pool-name in the
preceding step.
i. Run commit
f. Run quit
Exit the AAA domain view.
g. Run quit
Exit the AAA view.
h. Run ipv6 pool pool-name bas local
A local IPv6 address pool is created.
i. Run prefix
Prefixes are configured in the IPv6 prefix pool.
j. Run quit
Exit the IPv6 address pool view.
k. Run remote-backup-profile profile-name
The remote backup profile view is displayed.
l. Run ipv6-pool source-pool-name include destination-pool-name [ node node-id ]
A source IPv6 address pool is mapped to a destination address pool.
m. Run ipv6-pool destination-pool-name
An IPv6 address pool is configured.
The name of the IPv6 address pool is specified by destination-pool-name in the
preceding step.
n. Run commit
The configuration is committed.
----End
Context
In hot backup scenarios, the mapping between address pools and BAS-IP addresses must be
specified on the web authentication server for each pair of master and backup devices. An IP
address pool is shared only between the master and backup devices. Therefore, each pair of
master and backup devices must have a source IP address to communicate with the web
authentication server. The web-auth-server source [ vpn-instance vpn-instance-name ]
source-ip-address command specifies the source IP address of portal packets sent by the
router to the web authentication server as the BAS-IP address.
In CoA and DM applications, the RADIUS authorization server sends requests to the Router,
and the Router responds to the RADIUS authorization server. The RADIUS server then
checks the source IP address of reply packets for security. In N:1 hot backup scenarios, the
RADIUS authorization server determines the IP address of the Router to which authorization
packets are sent based on user's bill information. This IP address can be a NAS-IP address or
the address that the Router uses to exchange accounting-start packets with the RADIUS
server.
To ensure that the RADIUS authorization server sends authorization packets to the exact
Router, run the radius-authorization source command to specify a source IP address for
each pair of master and backup devices. To ensure that the source IP address in the packets
sent by the Router to the RADIUS server is the same as the NAS-IP address, run the radius-
authorization source same-as nas-logic-ip command. Alternatively, run the radius-
authorization source [ vpn-instance vpn-instance-name ] source-ip-address command to
specify a source IP address.
Perform the following operations on both routers that back up each other:
Procedure
l Configure the source IP address of portal packets sent by the Router to the web
authentication server as the BAS-IP address, which is used independently by the web
authentication server.
a. Run system-view
The system view is displayed.
b. Run interface loopback interface-number
A loopback interface is created, and the interface view is displayed.
c. Run ip address ip-address { mask | mask-length }
An IP address is configured for the loopback interface.
d. Run quit
Exit the interface view.
e. Run remote-backup-service service-name
The remote backup service view is displayed.
f. Run web-auth-server source [ vpn-instance vpn-instance-name ] source-ip-
address
The loopback interface's IP address is configured as the BAS-IP address used
independently by the web authentication server.
g. Run commit
The configuration is committed.
l Set the source IP address of the master and backup devices to be the same as the NAS-IP
address of the RADIUS authorization server.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run ip address ip address { mask | mask-length }
An IP address is configured for the interface.
d. Run quit
Exit the interface view.
NOTE
If a NAS-IP address is specified in the RADIUS server template, run the radius-
authorization source same-as nas-logic-ip command; otherwise, run the radius-
authorization source [ vpn-instance vpn-instance-name ] source-ip-address command.
g. Run commit
The configuration is committed.
----End
Context
Perform the following steps on each of the devices that back up each other:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed. The interface is the user access interface.
Step 3 Run remote-backup-profile profile-name
The RBP is bound to the interface.
NOTE
----End
Context
In a dual-device hot backup scenario, after users go online through the master device, they
also go online on the backup device. To change the rate at which these users are brought
online, perform the following steps to set an upper threshold for the user access rate. After
the modification is complete, the system dynamically adjusts the user access rate based on
the CPU usage, never exceeding the configured upper threshold.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run peer-backup rui-trigger-speed trigger-speed
An upper threshold is configured for the user access rate on the backup device in a dual-
device hot backup scenario.
This command must be run on both the master and backup devices.
Step 3 Run commit
The configuration is committed.
----End
Context
In a dual-device hot backup scenario, if IP addresses are allocated using a RADIUS server
instead of an address pool, you need to bind a static route tag to the RBS and specify a cost
for the static route. If an NNI on the master device fails, the outbound interface of the static
route can be directed to the protection tunnel to switch traffic to the backup device. This
reduces the impact of the fault on user services.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run remote-backup-service service-name
The RBS view is displayed.
Step 3 Run static-route if-match NULL interface-number tag tag-num [ metric metric-num ] [ rui-
slave ]
A static route tag is bound to the RBS, and a cost is specified for the static route.
This command must be run on both the master and backup devices. In addition, rui-slave
must be configured on the backup device. Otherwise, traffic flaps between the two devices.
If metric metric-num is configured, the cost configured on the master device must be less
than that configured on the backup device, so that the route on the master device is
preferentially selected.
Step 4 Run commit
The configuration is committed.
----End
Context
In RUI scenarios where one MAC address maps to multiple sessions, users with the same
MAC address may go online from different devices and be assigned the same session ID. In
this case, if the master device backs up user entries to the backup device, the users may fail to
go online due to a session ID conflict. Therefore, configure different session ID ranges on the
master and backup devices to prevent the master and backup device from assigning the same
session ID to users.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run pppoe-server rui remote-mac session-id start-session-id start-session-id end-session-
id end-session-id
A session ID range is configured for PPPoE users.
Step 3 Run commit
The configuration is committed.
----End
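The pairing rules spread across the procedures above (the same VRID and virtual IP on both devices, a higher VRRP priority on the intended master, mirrored peer and source addresses on one shared TCP port, the same address pool bound in the RBS view, a lower static-route metric on the master with rui-slave only on the backup, and non-overlapping PPPoE session-ID ranges) are easy to get wrong when two devices are configured by hand. The script below is an added example written for this page, not Huawei tooling: it parses a simplified configuration listing for each device, recognising only the command forms quoted in this guide, and reports every rule that is violated. Interface names, addresses, pool names, tags, metrics and session-ID ranges are constructed sample values, and NULL0 stands for the NULL interface-number placeholder in the static-route command.

```python
"""Cross-check a master/backup pair of RUI hot backup configurations.

Added example, not Huawei tooling. Parses a simplified VRP-style listing for
each device (only the commands quoted in the configuration guide) and
verifies the pairing rules the guide states. All values are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

MASTER_CFG = """\
interface GigabitEthernet0/1/0.2
 vrrp vrid 1 virtual-ip 192.168.1.1
 vrrp vrid 1 priority 120
remote-backup-service rbs1
 peer 10.0.0.1 source 10.0.0.2 port 11111
 ip-pool pool1 metric 10
 static-route if-match NULL0 tag 100 metric 10
pppoe-server rui remote-mac session-id start-session-id 1 end-session-id 32000
"""
BACKUP_CFG = """\
interface GigabitEthernet0/1/0.2
 vrrp vrid 1 virtual-ip 192.168.1.1
 vrrp vrid 1 priority 100
remote-backup-service rbs1
 peer 10.0.0.2 source 10.0.0.1 port 11111
 ip-pool pool1 metric 10
 static-route if-match NULL0 tag 100 metric 20 rui-slave
pppoe-server rui remote-mac session-id start-session-id 32001 end-session-id 64000
"""

RE_VIP = re.compile(r"^\s*vrrp vrid (\d+) virtual-ip (\S+)$")
RE_PRIO = re.compile(r"^\s*vrrp vrid (\d+) priority (\d+)$")
RE_PEER = re.compile(r"^\s*peer (\S+) source (\S+) port (\d+)$")
RE_POOL = re.compile(r"^\s*(?:ip-pool|ipv6-pool) (\S+)")
RE_ROUTE = re.compile(r"^\s*static-route if-match NULL\d+ tag (\d+)(?: metric (\d+))?( rui-slave)?$")
RE_SESS = re.compile(r"^\s*pppoe-server rui remote-mac session-id start-session-id (\d+) end-session-id (\d+)$")


class DeviceConfig:
    """The settings that must agree, or deliberately differ, across the pair."""
    def __init__(self, name: str):
        self.name = name
        self.vrrp: Dict[int, str] = {}       # vrid -> virtual IP
        self.priority: Dict[int, int] = {}   # vrid -> VRRP priority
        self.peer = self.source = None       # RBS TCP endpoints
        self.port: Optional[int] = None
        self.pools: Set[str] = set()         # address pools bound in the RBS view
        self.route_tag = self.route_metric = None
        self.rui_slave = False
        self.sessions: Optional[Tuple[int, int]] = None


def parse_config(name: str, text: str) -> DeviceConfig:
    cfg = DeviceConfig(name)
    for line in text.splitlines():
        if m := RE_VIP.match(line):
            cfg.vrrp[int(m[1])] = m[2]
        elif m := RE_PRIO.match(line):
            cfg.priority[int(m[1])] = int(m[2])
        elif m := RE_PEER.match(line):
            cfg.peer, cfg.source, cfg.port = m[1], m[2], int(m[3])
        elif m := RE_POOL.match(line):
            cfg.pools.add(m[1])
        elif m := RE_ROUTE.match(line):
            cfg.route_tag = int(m[1])
            cfg.route_metric = int(m[2]) if m[2] else None
            cfg.rui_slave = m[3] is not None
        elif m := RE_SESS.match(line):
            cfg.sessions = (int(m[1]), int(m[2]))
    return cfg


def check_pair(master: DeviceConfig, backup: DeviceConfig) -> List[str]:
    """Return one finding per violated pairing rule; an empty list means consistent."""
    f: List[str] = []
    # Same VRID and virtual IP on both; the intended master needs the higher priority.
    if master.vrrp != backup.vrrp:
        f.append(f"VRRP groups differ: {master.vrrp} vs {backup.vrrp}")
    for vrid in master.vrrp:
        pm, pb = master.priority.get(vrid), backup.priority.get(vrid)
        if pm is None or pb is None:
            f.append(f"VRID {vrid}: VRRP priority not set on both devices")
        elif pm <= pb:
            f.append(f"VRID {vrid}: master priority {pm} must exceed backup priority {pb}")
    # RBS: each side's peer is the other side's source, on one shared TCP port.
    if master.peer is None or backup.peer is None:
        f.append("RBS peer/source/port missing on one device")
    else:
        if master.peer != backup.source or backup.peer != master.source:
            f.append("RBS peer and source addresses are not mirrored")
        if master.port != backup.port:
            f.append(f"RBS TCP port differs: {master.port} vs {backup.port}")
    # The same address pool must be bound to the RBS on both devices.
    if master.pools != backup.pools:
        f.append(f"bound address pools differ: {sorted(master.pools)} vs {sorted(backup.pools)}")
    # Static route: same tag, rui-slave only on the backup, master metric strictly lower.
    if master.route_tag is not None or backup.route_tag is not None:
        if master.route_tag != backup.route_tag:
            f.append("static-route tag differs or is missing on one device")
        if master.rui_slave:
            f.append("rui-slave must not be configured on the master")
        if not backup.rui_slave:
            f.append("rui-slave missing on the backup; traffic would flap between the devices")
        if None not in (master.route_metric, backup.route_metric) and master.route_metric >= backup.route_metric:
            f.append(f"master metric {master.route_metric} must be less than backup metric {backup.route_metric}")
    # PPPoE session-ID ranges must not overlap, or backed-up user entries collide.
    if master.sessions and backup.sessions:
        (s1, e1), (s2, e2) = master.sessions, backup.sessions
        if s1 <= e2 and s2 <= e1:
            f.append(f"session-ID ranges overlap: {master.sessions} vs {backup.sessions}")
    return f


if __name__ == "__main__":
    findings = check_pair(parse_config("master", MASTER_CFG), parse_config("backup", BACKUP_CFG))
    print("consistent" if not findings else "\n".join(findings))
```

The checker takes the intended master first and verifies that the priorities agree with that intent, so a swapped priority shows up as a finding rather than silently changing which device the static-route rule is applied to.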
Pre-configuration Tasks
Before configuring multicast two-node hot backup, complete the following tasks:
l Establish a multi-device backup platform.
l Configure multi-device backup for IPv4 BRAS user information.
Configuration Procedure
Perform one or more of the following configurations (excluding checking the configuration)
as required.
Context
Perform the following steps on both routers that back up each other:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run remote-backup-profile profile-name
The RBP view is displayed.
Step 3 Run service-type multicast
A multicast RBS is enabled.
NOTE
After the undo service-type multicast command is run, the system does not back up the IGMP packets
to be received, which does not affect the IGMP packets that have been backed up.
----End
Context
In the multicast two-node hot backup scenario, a DHCP STB connects to the master and
backup routers through Smart-link, E-Trunk, or VLL networking. If a fault occurs on the
network side, the standby link takes over traffic from the active link. However, the access
network does not detect the fault and continues to send IGMP packets to the master router
along the faulty link. In this case, enable IGMP packet duplication by running the
dhcp-stb igmp-copy command so that the backup router also receives the IGMP packets.
If a DHCP STB is dual-homed to the master and backup routers, both routers receive the
IGMP messages. In this case, run the undo dhcp-stb igmp-copy command to disable IGMP
packet duplication and reduce resource consumption.
The IGMP messages sent by a PPPoE terminal can arrive only at a single router. In this case,
the master and backup routers must duplicate IGMP packets and send them to each other,
and neither the dhcp-stb igmp-copy nor the undo dhcp-stb igmp-copy command needs to be
run.
Procedure
Step 1 Run system-view
NOTE
After the undo dhcp-stb igmp-copy command is executed, the system stops backing up the IGMP
packets from a DHCP STB, which does not affect the IGMP packets that have been backed up.
----End
Prerequisites
Multicast two-node hot backup configuration is complete.
Procedure
l Run the display remote-backup-profile [ profile-name ] command to view RBP
information.
l Run the display multicast-rui statistic all command to view statistics about multicast
two-node hot backup of access users.
----End
Example
After multicast two-node hot backup configuration is complete, run the display remote-
backup-profile command. If the following information is displayed, the preceding
configurations are successful:
Master MPU receive from LPU: 0        Slave MPU send to LPU: 0
  Receive fail: 0                       Send fail: 0
  Receive success: 0                    Send success: 0
------------------------------------------------------------
IO board: (Slot 2)
Master LPU send to MPU: 0             Slave LPU receive from MPU: 0
  Send fail: 0                          Receive fail: 0
  Send success: 0                       Receive success: 0
Context
NOTE
The RADIUS server cannot deliver the Tunnel-Client-Endpoint attribute during L2TP hot backup
configuration.
Prerequisites
Before establishing a multi-device backup platform, complete the following tasks:
l Configure peer BFD, link BFD, or Ethernet OAM on the user side.
Background
Based on a VRRP backup group, a multi-device backup platform runs the Huawei-proprietary
Redundancy User Information (RUI) protocol to back up user information between devices,
which allows for more flexible user service management and improves service reliability.
Establishing a multi-device backup platform involves configuring basic functions of a VRRP
backup group, a remote backup service (RBS), and a remote backup profile (RBP).
Perform the following steps on each of the devices that back up one another:
Procedure
l Configure basic functions of a VRRP backup group.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number [.subinterface-number ]
The view of the interface on which a VRRP backup group is configured is
displayed.
c. Run vrrp vrid virtual-router-id virtual-ip virtual-address
A VRRP backup group is created, and a virtual IP address is assigned to the VRRP
backup group.
NOTE
The same VRID and virtual IP address must be set on each of the devices that back up one
another.
d. Run admin-vrrp vrid virtual-router-id [ ignore-if-down ]
This VRRP backup group is configured as an mVRRP backup group.
e. Run vrrp vrid virtual-router-id priority priority-value
The priority of a device in the VRRP backup group is configured.
The devices in the VRRP backup group must be assigned different VRRP priorities.
The device with the higher priority serves as the master.
f. Run vrrp vrid virtual-router-id preempt-mode timer delay delay-value
The preemption delay is set in a VRRP backup group.
Run this command on the master VRRP device so that the backup VRRP device
becomes the master one only after the fault is rectified and services are restored.
The preemption delay is related to service types in the following scenarios:
n In an IPv4 single-stack scenario, the minimum preemption delay is 10 minutes.
Increase the value by 1 for every 6K users. If 256K users get online through a
device, setting the value to 40 minutes is recommended.
n In an IPv4 and IPv6 dual-stack scenario, the minimum preemption delay is 10
minutes. Increase the value by 1 for every 6K users. If 128K users get online
through a device, setting the value to 40 minutes is recommended.
n When the IPv4 single-stack and EDSG services are configured, the minimum
preemption delay is 15 minutes. Increase the value by 1 for every 4K users. If
256K users get online through a device, setting the value to 60 minutes is
recommended.
n When the IPv4 and IPv6 dual-stack and EDSG services are configured, the
minimum preemption delay is 15 minutes. Increase the value by 1 for every
4K users. If 128K dual-stack users get online through a device, setting the
value to 60 minutes is recommended.
g. Run commit
The configuration is committed.
l Configure an RBP.
a. (Optional) Run peer-backup batch access enable
The device is configured to allow users to get online when performing batch
backup.
b. Run system-view
The system view is displayed.
c. Run remote-backup-profile profile-name
An RBP is created, and the RBP view is displayed.
d. Run peer-backup hot
Inter-device hot backup is enabled.
e. Run vrrp-id vrid interface interface-type interface-number
The RBP is bound to the VRRP backup group.
n In multi-device backup networking, using load balancing improves link usage.
To load-balance traffic, use either of the following parameters:
○ odd-mac: user packets with odd MAC addresses
○ even-mac: user packets with even MAC addresses
n If odd-mac or even-mac is not configured, the vrrp-id command only binds a
single VRRP backup group ID to an RBP and associates the RBP with a single
VRRP sub-interface. If load balancing is required, run the vrrp-id command
twice, with odd-mac and even-mac configured, respectively. Two VRRP
backup group IDs must be bound to the same RBP and be associated with
different VRRP sub-interfaces. In addition, odd-mac and even-mac must be
configured for different VRRP backup groups with specific IDs. The two
devices that load-balance traffic must have the same configuration, including
the binding between the VRRP backup group ID and even or odd MAC
address type.
n Before modifying the setting of odd-mac or even-mac, run the undo vrrp-id
vrid command to delete the configuration. Then run the vrrp-id vrid command
to reconfigure the setting.
f. Run backup-id backup-id remote-backup-service service-name
The RBP is associated with the RBS, and the user backup ID in the RBP is set.
backup-id sets a user backup ID. The RBP to which a user belongs can be
determined based on the backup-id and RBS. Note that the same backup-id value
must be set for devices that back up one another in the same RBP, and different
backup-id values must be set in other RBPs.
g. Run service-type { arp | l2tp | bras | multicast | igmp | igmp-snooping | no-host-
multicast | dhcp-server }
NOTE
By default, the RBS does not authenticate the peer device on the TCP connection that carries the
backed-up user information. Binding the RBS to an SSL policy is recommended to protect that connection.
d. Run peer peer-ip-address source source-ip-address port port-id
peer-ip-address sets the IP address of a remote device that backs up the local
device. source-ip-address sets the IP address of a local device. The remote IP
address must already exist on the remote device's main interface, sub-interface, or
logical interface (for example, loopback interface). The local IP address must
already exist on the local device's main interface, sub-interface, or logical interface.
The local and remote IP addresses must be reachable from each other (each must be able to ping the other).
port-id indicates the listening port number of a server. The same TCP port number
must be set on devices that back up one another.
e. (Optional) Run batch-backup service-type { arp | all | bras | l2tp | multicast |
igmp-snooping | dhcp-server } now
The device is enabled to immediately back up user services configured in the RBS.
f. (Optional) Run track interface interface-name [ weight weight ]
The RBS is configured to monitor the network-side interface status and check
whether the TCP connection for the RBS fails or recovers.
is 0.5 Gbit/s. If you use interface B as a reference interface and set its weight to 10,
the weight of interface A is 50 and that of interface C is 5.
NOTE
The threshold for a master/backup switchover due to uplink failures and the
duration before the switchover is complete are set.
When you run the track interface command, the weights specified must comply
with the rules of the master/backup VRRP switchover. If a master/backup
switchover is performed based on the fault rate of uplinks but a master/backup
VRRP switchover is not performed, the backup device forwards the network-side
traffic back to the master device for processing after receiving the traffic from the
master device. In this case, the master device is congested with traffic because the
master/backup switchover is not performed at the same time as the master/backup
VRRP switchover.
If the track interface command is run in the RBS view, the device automatically
deletes the track interface and switchover uplink commands after the track
interface-group command is run. The device then determines a master/backup
switchover based on the track monitor-group command.
i. (Optional) Run track route-monitor-group group-name switchover failure-ratio
percent
A link fault threshold (in percentage) that triggers a master/backup switchover is set
for the route monitor group on the network side.
If the track interface command is run in the RBS view, the device automatically
deletes the track interface command after the track route-monitor-group
switchover failure-ratio command is run. The device then determines a master/
backup switchover based on the track route-monitor-group switchover failure-
ratio command.
j. (Optional) Run track bfd-session bfd-session
The RBS tracks the BFD status so that the RBS can rapidly monitor the remote
device status.
NOTE
This step is recommended. Before running this command, ensure that a peer BFD session is
established between the master and backup devices on the network side.
k. (Optional) Run radius-authorization source same-as nas-logic-ip
The device is configured to reply to the RADIUS server with packets in which the
source IP address is the same as the NAS IP address.
l. Run commit
The configuration is committed.
----End
Context
The Router assigns an integer value as an L2TP tunnel ID, and IDs start from 1. In the two-
node hot backup load balancing scenario, tunnel information is backed up between the master
and slave Routers, so during backup identical tunnel IDs may exist on a single Router. The set
l2tp tunnel base-id base-id command specifies a base value that one Router uses to allocate
tunnel IDs (Tunnel ID = Base value + Index, with the index starting at 1), while the other
Router uses the default base value of 0. This ensures, to a certain extent, that each tunnel ID
is unique on a single Router: the IDs remain distinct as long as the Router using base value 0
allocates no more than base-id tunnels.
Perform the following steps on either of the master and slave Routers:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run set l2tp tunnel base-id base-id
A base value for L2TP tunnel IDs is set.
NOTE
l If a tunnel ID carried in backup information is the same as a local tunnel ID, the Router deletes the
existing local tunnel information and accepts the backup tunnel information.
l The set l2tp tunnel base-id base-id command cannot be used on the Router that has established
L2TP tunnels and allocated tunnel IDs.
----End
Context
For details, see L2TP Protocol Configuration in the HUAWEI NE40E-M2 Series Universal
Service Router Configuration Guide - User Access.
NOTE
The preference of the route from the LNS to the master LAC is higher than that of the route from the
LNS to the backup LAC. The LNS will switch traffic to the route destined for the backup LAC only
when a fault occurs on the network side of the master LAC.
Context
Perform the following steps on each of Routers that back up each other:
Procedure
Step 1 Run system-view
NOTE
If information about an L2TP tunnel, an L2TP session, or a PPPoE session has been backed up, the
undo service-type l2tp command cannot be run.
----End
Context
If L2TP hot backup is configured, the LACs can be configured to control route advertisement
in either of the following modes:
l Manual control: A LAC uses a loopback interface to establish an L2TP tunnel with an
LNS. Two LACs are configured with hot backup and work in load balancing mode. The
master LAC advertises the route to its loopback IP address with a smaller cost value than
the slave LAC does, so that the route to the loopback address on the master LAC is
preferentially used. The cost values can be set in a routing policy, which gives the route
to the loopback IP address of the master LAC higher route precedence than the route to
the loopback IP address of the slave LAC. For information about how to configure a
routing policy, see Routing Policy Configuration in HUAWEI NE40E-M2 Series Universal
Service Router Configuration Guide - IP Routing.
l Automatic control: A routing policy can be configured to trust the cost values of imported
routes to the loopback IP addresses of the LACs. This control mode is easier to configure
than manual control. Automatic control also prevents the problem that, if a fault occurs on
a LAC and a master/slave LAC switchover is performed, the route to the loopback IP
address cannot be automatically advertised after the LAC recovers.
Procedure
Step 1 Run system-view
The LAC is enabled to trust cost values of imported routes to control route preference.
----End
Follow-up Procedure
To use a routing policy to give the route to the loopback IP address of the master LAC the
highest preference, run the import-route unr route-policy route-policy-name command in the
IS-IS, OSPF, or BGP view:
Context
When deploying L2TP LAC 2:1 hot backup, you can run the l2tp lac session-limit command
to set the maximum number of users allowed on an L2TP LAC to 64K.
Procedure
Step 1 Run system-view
----End
Context
In L2TP hot backup scenarios, if a customer has limited network bandwidth and a fault occurs
on the access side, traffic is forwarded to a backup device through an L2TP protection tunnel.
This traffic switching may worsen network congestion and affect customer services, such as
fixed-line services. To prevent traffic switching, run the l2tp protect-tunnel disable
command to disable the L2TP traffic protection mechanism.
If a customer has ample network bandwidth, traffic switching does not affect customer
services, so the l2tp protect-tunnel disable command does not need to be run.
Procedure
Step 1 Run system-view
----End
Context
Run the following commands to check the previous configuration.
Procedure
l Run the display remote-backup-profile [ profile-name ] command to check RBP
information.
l Run the display l2tp tunnel rui [ tunnel-item tunnel-id | tunnel-name remote-name |
bas-interface { interface-name | interface-type interface-number } | remote-backup-
profile profile-name | remote-backup-service service-name ] command to check L2TP
tunnel backup information.
l Run the display l2tp session rui [ session-item session-id | source-ip source-ip-address
| destination-ip destination-ip-address | bas-interface { interface-name | interface-type
interface-number } | remote-backup-profile profile-name | remote-backup-service
service-name ] command to check L2TP session backup information.
l Run the display l2tp statistics rui [ verbose ] command to check L2TP tunnel backup
statistics.
l Run the display l2tp lac abnormal-rui-users command to check information about
users that have abnormal online status on a device enabled with L2TP two-node hot
backup.
l Run the display access-user domain command to display information about the access
users in a specified domain.
----End
Example
After completing L2TP two-node hot backup configurations, run the display remote-backup-
profile command. If the following information is displayed, the preceding configurations are
successful:
l The value of the Service field is bras l2tp.
<HUAWEI> display remote-backup-profile profile1
-----------------------------------------------
Profile-Index : 0x800
Profile-Name : profile1
Service : bras l2tp
Remote-backup-service : s1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : Eth-Trunk1.2
Interface :
Eth-Trunk1.1
State : Master
Peer State : Slave
Run the display access-user domain command. If the following information is displayed, the
preceding configurations are successful:
[HUAWEI] display access-user domain huawei
------------------------------------------------------------------------------
UserID Username Interface IP address MAC
Context
After the preceding configurations are complete, run the following display commands to view
backup information and check the configurations. For details, see HUAWEI NE40E-M2 Series
Universal Service Router Command Reference.
Procedure
Step 1 Run display remote-backup-profile [ profile-name | slot slot-id [ profile-name ] | slave
[ profile-name ] ]
RBP information is displayed.
Step 2 Run display remote-backup-service [ service-name [ verbose ] ]
RBS information is displayed.
Step 3 Run display multicast-rui statistic all
Statistics about multicast two-node hot backup of access users are displayed.
----End
Context
Backup information cannot be restored after you clear it. Exercise caution when performing
this operation.
To clear the backup information, run the following reset commands in the system view.
Procedure
Step 1 Run reset remote-backup-service service-name statistic
Statistics about multicast two-node hot backup of access users are cleared.
----End
Usage Scenario
With the rapid development of IP technologies, various value-added services are widely used
on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers'
leased line, and VPN interconnection, have high requirements for IP network reliability. IP
network reliability for carrier-class services includes device, link, and network reliability. On
a bearer network, the availability of a network device is required to reach 99.999%; that is, the
device downtime in a year must be less than 5 minutes. High reliability is a basic requirement
for carrier-class devices and must be considered by telecom carriers during network
construction.
The NE40E functions as an edge router that carries multiple services. It is connected to a core
network to implement Layer 3 routing functions and to the aggregation layer to terminate
Layer 2 user packets for user access. The NE40E can carry multiple services, such as triple
play services (HSI, VoIP, and IPTV). Therefore, the NE40E must have high reliability. The
NE40E provides service-level high-reliability technologies. Non-stop data flow forwarding
does not mean that user services are not interrupted. If a network node or link fails, user
traffic is switched to a backup device. If user information is not synchronized to a backup
device, user services are still interrupted. High reliability has been considered when the
NE40E is designed to function as a network edge service aggregation and control device,
which ensures that users' HSI, IPTV, and VoIP services are not interrupted if a network node
or link fault occurs. RUI is designed to meet the preceding reliability requirements.
If the upstream device is a firewall, disable the IP spoofing attack defense function on the firewall.
l Downstream device: An aggregation switch is used as the downstream device to learn
MAC addresses from Layer 2 VLAN packets.
Solution Limitations
l An exclusive address pool is an address pool or address segment exclusively used by a
backup group or link. Generally, an exclusive address pool is used for services that can
be assigned private IP addresses, such as VoIP services. This address pool is not
recommended for services that use public IP addresses, such as HSI services, because IP
address resources are wasted.
l In exclusive address pool mode, the master and backup devices cannot advertise the
same network segment route. Advertising the same network segment route will cause
load balancing on the upstream CRs and network-to-user traffic forwarding errors.
Networking Requirements
On the network shown in Figure 13-1, the user logs in to Device A and Device B through a
LAN switch. The two devices run VRRP to determine the master/backup status. Basic user
access functions are configured on Device A and Device B so that the user goes online
through the master device. If the master device or the link on the network or user side of the
master device fails, service traffic needs to be quickly switched to the backup device.
In exclusive address pool mode, each RBP must be bound to an address pool, though the
address pools bound to the RBPs of Device A and Device B must have the same address
segment. Network-side traffic is sent back through an advertised network-side route. If the
master/backup status of Device A and Device B changes, the network-side route of Device A
is withdrawn. Device B then advertises the network-side route.
Figure 13-1 Example for configuring RUI in exclusive address pool mode
NOTE
Interface 1 and interface 2 in this example are GE0/1/0 and GE0/2/2, respectively.
(Figure 13-1 topology, recovered labels only: CR1 and CR2 on the network side, each with interface1; LanSwitch; User.)
Device     Interface        IP Address
Device A   Eth-Trunk3.501   192.168.254.2/29
           Loopback 0       172.20.1.1/32
           Loopback 10      172.20.1.3/32
           GE 0/1/0         172.20.0.33/30
           GE 0/2/2         172.20.0.57/30
Device B   Eth-Trunk3.501   192.168.254.3/29
           Loopback 0       172.20.1.1/32
           Loopback 10      172.20.1.2/32
           GE 0/1/0         172.20.0.34/30
           GE 0/2/2         172.20.0.58/30
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
l VRRP ID
l IP address of each interface on Routers that back up each other
l Backup ID, which works together with an RBS to identify an RBP to which the user
belongs
Procedure
Step 1 Configure interfaces for connecting Device A and Device B to the LAN switch, and assign IP
addresses to them.
Step 3 Establish a dual-device backup platform. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
NOTE
In this example, only RUI-related configurations are described. For other configurations, see the
corresponding configuration guide.
# Configure a BFD session on the access side to rapidly detect faults in interfaces or links and
trigger a master/backup VRRP switchover. 192.168.254.3 is the IP address of Eth-Trunk
3.4001 on Device B.
[~DeviceA] bfd
[*DeviceA-bfd] quit
[*DeviceA] bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
[*DeviceA-bfd-session-bfd] discriminator local 2
[*DeviceA-bfd-session-bfd] discriminator remote 3
[*DeviceA-bfd-session-bfd] commit
[~DeviceA-bfd-session-bfd] quit
# Configure a VRRP backup group on Eth-Trunk 3.4001, and configure the VRRP backup
group to track the BFD session and network-side interface.
[~DeviceA] interface Eth-Trunk3.4001
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 virtual-ip 192.168.254.1
[*DeviceA-Eth-Trunk3.4001] admin-vrrp vrid 3
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 priority 120
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 preempt-mode timer delay 1200
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 track interface GigabitEthernet0/1/0 reduced 30
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 track bfd-session 2 peer
[*DeviceA-Eth-Trunk3.4001] commit
[~DeviceA-Eth-Trunk3.4001] quit
NOTE
Different priorities must be configured for the devices in a VRRP backup group. The device with the
higher priority is the master device.
# Configure an RBS.
[~DeviceA] remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-rbs_qhmd] peer 172.20.1.2 source 172.20.1.3 port 2046
[*DeviceA-rm-backup-rbs_qhmd] track interface GigabitEthernet0/1/0
[*DeviceA-rm-backup-rbs_qhmd] track interface GigabitEthernet0/2/2
[*DeviceA-rm-backup-rbs_qhmd] commit
[~DeviceA-rm-backup-rbs_qhmd] quit
NOTE
Ensure that the master and backup devices can ping each other.
# Configure an RBP.
[~DeviceA] remote-backup-profile rbp3
[*DeviceA-rm-backup-prf-rbp3] service-type bras
[*DeviceA-rm-backup-prf-rbp3] backup-id 3 remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-prf-rbp3] peer-backup hot
[*DeviceA-rm-backup-prf-rbp3] vrrp-id 3 interface Eth-Trunk3.4001
[*DeviceA-rm-backup-prf-rbp3] nas logic-port Gigabitethernet 0/1/3
[*DeviceA-rm-backup-prf-rbp3] nas logic-sysname zhuji
[*DeviceA-rm-backup-prf-rbp3] nas logic-ip 172.20.1.1
[*DeviceA-rm-backup-prf-rbp3] commit
[~DeviceA-rm-backup-prf-rbp3] quit
Step 4 Configure IP address pool binding. The configuration on Device A is used in this example.
The configuration on Device B is similar to that on Device A.
# Configure an address pool.
<HUAWEI> system-view
[~HUAWEI] ip pool dmtjs_xi bas local
[*HUAWEI-ip-pool-dmtjs_xi] gateway 192.168.1.1 255.255.255.0
[*HUAWEI-ip-pool-dmtjs_xi] section 0 192.168.1.2 192.168.1.254
[*HUAWEI-ip-pool-dmtjs_xi] dns-server 192.168.1.1
[*HUAWEI-ip-pool-dmtjs_xi] commit
[~HUAWEI-ip-pool-dmtjs_xi] quit
Step 5 Configure authentication and accounting policies for user access. The configuration on
Device A is used in this example. The configuration on Device B is similar to that on Device
A.
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme wu
[*HUAWEI-aaa-authen-wu] authentication-mode none
[*HUAWEI-aaa-authen-wu] commit
[~HUAWEI-aaa-authen-wu] quit
[*HUAWEI-aaa] accounting-scheme wu
[*HUAWEI-aaa-accounting-wu] accounting-mode none
[*HUAWEI-aaa-accounting-wu] commit
[~HUAWEI-aaa-accounting-wu] quit
[*HUAWEI-aaa] domain dmtjs_xi
[*HUAWEI-aaa-dmtjs_xi] authentication-scheme wu
[*HUAWEI-aaa-dmtjs_xi] accounting-scheme wu
[*HUAWEI-aaa-dmtjs_xi] ip-pool dmtjs_xi
[*HUAWEI-aaa-dmtjs_xi] commit
[~HUAWEI-aaa-dmtjs_xi] quit
Step 6 Bind the RBP to Eth-Trunk3.501 from which users go online. The configuration on Device A
is used in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface Eth-Trunk3.501
[*DeviceA-Eth-Trunk3.501] user-vlan 1
[*DeviceA-Eth-Trunk3.501-vlan-1-1] remote-backup-profile rbp3
[*DeviceA-Eth-Trunk3.501-vlan-1-1] quit
[*DeviceA-Eth-Trunk3.501] bas
[*DeviceA-Eth-Trunk3.501-bas] access-type layer2-subscriber default-domain authentication dmtjs_xi
[*DeviceA-Eth-Trunk3.501-bas] authentication-method bind
[*DeviceA-Eth-Trunk3.501-bas] commit
[~DeviceA-Eth-Trunk3.501-bas] quit
Step 7 Configure advertisement of address pool routes. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
[~DeviceA] ospf 1
[*DeviceA-ospf-1] import-route unr
[*DeviceA-ospf-1] area 0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.1.1 0.0.0.0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.1.3 0.0.0.0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.32 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.56 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] commit
[~DeviceA-ospf-1-area-0.0.0.0] quit
After successfully configuring the RBP, run the display remote-backup-profile command.
The RBS type is bras. The RBP named rbp3 is bound to Eth-Trunk3.501 from which users
go online. Device A is in the Master state.
<DeviceA> display remote-backup-profile rbp3
-----------------------------------------------
Profile-Index : 0x802
Profile-Name : rbp3
Service : bras
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 3
VRRP-Interface : Eth-Trunk3.4001
Interface :
Eth-Trunk3.501
State : Master
Peer-state : Slave
Backup mode : hot
Slot-Number : 1
Card-Number : 0
Port-Number : 0
Nas logic-port : Gigabitethernet 0/1/3
Nas logic-ip : 172.20.1.1
Nas logic-sysname : zhuji
IP-Pool :
dmtjs_xi
Traffic interval : 10(minutes)
After successfully configuring the RBS, run the display remote-backup-service command.
The TCP connection is in the Connected state.
<DeviceA> display remote-backup-service rbs3
----------------------------------------------------------
Service-Index : 0
Service-Name : rbp3
TCP-State : Connected
Peer-ip : 172.20.1.2
Source-ip : 172.20.1.3
TCP-Port : 2046
Track-BFD : --
Track-interface0 : 0/1/0
Track-interface1 : 0/2/2
Last up time : 2016-06-02 16:15:8
Last down time : 2016-06-02 16:3:36
Last down reason : TCP closed for packet error.
--------------------------------------------------------
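The outputs above are what an operator reads after a change; they are also easy to check
mechanically, for example from a script that collects both devices' output after a switchover
test. The following Python parser and checks are an added example written for this page, not
Huawei code. The two display outputs are embedded as constructed sample input copied from the
text above, and the same parser applies to the display remote-backup-profile output in the L2TP
section earlier on this page (there the expected Service value is bras l2tp, so pass
expected_services=("bras", "l2tp")). Field names are taken from the outputs; treating Peer State
and Peer-state as the same field is this example's own normalisation.

```python
"""Parse and sanity-check the display outputs used to verify a hot-backup pair.
Added example for this page; not Huawei's code."""
import re

# Constructed sample input: the two outputs shown above, embedded as text so the
# checks run offline.
PROFILE_OUTPUT = """\
<DeviceA> display remote-backup-profile rbp3
-----------------------------------------------
Profile-Index : 0x802
Profile-Name : rbp3
Service : bras
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 3
VRRP-Interface : Eth-Trunk3.4001
Interface :
Eth-Trunk3.501
State : Master
Peer-state : Slave
Backup mode : hot
"""

SERVICE_OUTPUT = """\
<DeviceA> display remote-backup-service rbs3
----------------------------------------------------------
Service-Index : 0
Service-Name : rbp3
TCP-State : Connected
Peer-ip : 172.20.1.2
Source-ip : 172.20.1.3
TCP-Port : 2046
Track-BFD : --
Track-interface0 : 0/1/0
Track-interface1 : 0/2/2
Last up time : 2016-06-02 16:15:8
Last down time : 2016-06-02 16:3:36
Last down reason : TCP closed for packet error.
--------------------------------------------------------
"""


def _norm(key):
    """'Peer State', 'Peer-state' and 'Peer_state' all become 'peerstate'."""
    return re.sub(r"[\s_-]", "", key).lower()


def parse_display(text):
    """Turn 'Key : value' lines into a dict keyed by normalised field name.
    The prompt line and dashed separators are skipped; a line without a colon
    (the interface name wrapped under 'Interface :') is appended to the previous
    field. split(':', 1) keeps the colons inside timestamps intact."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "-<[":
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            last = _norm(key)
            fields[last] = value.strip()
        elif last is not None:
            fields[last] = (fields[last] + " " + line).strip()
    return fields


def check_profile(text, expected_services=("bras",)):
    """Problems in a remote-backup-profile display; an empty list means healthy."""
    f = parse_display(text)
    problems = []
    missing = set(expected_services) - set(f.get("service", "").split())
    if missing:
        problems.append("service types not backed up: " + ", ".join(sorted(missing)))
    state, peer = f.get("state"), f.get("peerstate")
    if {state, peer} != {"Master", "Slave"}:
        problems.append("roles are not one Master and one Slave: %s/%s" % (state, peer))
    if f.get("backupmode") != "hot":
        problems.append("backup mode is %r, expected hot" % f.get("backupmode"))
    if not f.get("interface"):
        problems.append("RBP is not bound to any access interface")
    return problems


def check_service(text):
    """Problems in a remote-backup-service display; the TCP session is the backup channel."""
    f = parse_display(text)
    problems = []
    if f.get("tcpstate") != "Connected":
        problems.append("RBS TCP connection is %r, user backup is not running" % f.get("tcpstate"))
    tracks_uplink = any(k.startswith("trackinterface") for k in f)
    if not tracks_uplink and f.get("trackbfd", "--") == "--":
        problems.append("RBS tracks neither an uplink interface nor a BFD session")
    return problems
```

Feed the functions the raw text captured from a terminal session; a non-empty list from either
check means the pair is not ready to take a failover, even though every command was accepted.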
After users go online, run the display backup-user command to view user information that is
backed up.
<DeviceA> display backup-user
Remote-backup-service: rbs3
Total Users Numer: 3
------------------------------------------------------------------------
100 101 102
------------------------------------------------------------------------
Run the display access-user interface command to view online user information on a
specified interface.
<DeviceA> display access-user interface Eth-Trunk.501
------------------------------------------------------------------------------
UserID  Username         Interface      IP address     MAC             IPv6 address
------------------------------------------------------------------------------
100     user1@dmtjs_xi   Eth-Trunk.501  192.168.1.10   0002-0101-0101  -
101     user2@dmtjs_xi   Eth-Trunk.501  192.168.1.9    0002-0101-0102  -
102     user3@dmtjs_xi   Eth-Trunk.501  192.168.1.8    0002-0101-0103  -
------------------------------------------------------------------------------
Total users :3
----End
Configuration Files
l Device A configuration file
#
sysname DeviceA
#
router id 172.20.1.3
#
vlan batch 2 to 9 11 to 504 506 to 3999 4001 to 4094
#
bfd
#
ip pool dmtjs_xi bas local
gateway 192.168.1.1 255.255.255.0
section 0 192.168.1.2 192.168.1.254
dns-server 192.168.1.1
#
aaa
authentication-scheme wu
authentication-mode none
accounting-scheme wu
accounting-mode none
domain dmtjs_xi
authentication-scheme wu
accounting-scheme wu
ip-pool dmtjs_xi
#
bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
discriminator local 2
discriminator remote 3
#
interface GigabitEthernet0/1/3
description ToJiaohuanji
undo shutdown
eth-trunk 3
interface Eth-Trunk3.4001
encapsulation dot1q-termination
dot1q termination vid 4001
ip address 192.168.254.2 255.255.255.248
vrrp vrid 3 virtual-ip 192.168.254.1
admin-vrrp vrid 3
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 1200
vrrp vrid 3 track bfd-session 2 peer
vrrp vrid 3 track interface GigabitEthernet0/1/0 reduced 30
#
interface LoopBack0
ip address 172.20.1.1 255.255.255.255
#
interface LoopBack10
ip address 172.20.1.3 255.255.255.255
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 172.20.0.33 255.255.255.252
#
interface GigabitEthernet0/2/2
undo shutdown
ip address 172.20.0.57 255.255.255.252
#
remote-backup-service rbs_qhmd
peer 172.20.1.2 source 172.20.1.3 port 2046
track interface gigabitethernet 0/1/0
track interface gigabitethernet 0/2/2
#
remote-backup-profile rbp3
service-type bras
backup-id 3 remote-backup-service rbs_qhmd
peer-backup hot
#
l Device B configuration file
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 172.20.0.34 255.255.255.252
#
interface GigabitEthernet0/2/2
undo shutdown
ip address 172.20.0.58 255.255.255.252
#
remote-backup-service rbs_qhmd
peer 172.20.1.3 source 172.20.1.2 port 2046
track interface gigabitethernet 0/1/0
track interface gigabitethernet 0/2/2
#
remote-backup-profile rbp3
service-type bras
backup-id 3 remote-backup-service rbs_qhmd
peer-backup hot
vrrp-id 3 interface Eth-Trunk3.4001
nas logic-port gigabitethernet0/1/3
nas logic-sysname zhuji
nas logic-ip 172.20.1.1
ip-pool dmtjs_xi
#
interface Eth-Trunk3.501
user-vlan 501
remote-backup-profile rbp3
bas
access-type layer2-subscriber default-domain authentication dmtjs_xi
authentication-method bind
#
#
ospf 1
import-route unr
area 0.0.0.0
network 172.20.0.32 0.0.0.3
network 172.20.0.56 0.0.0.3
network 172.20.1.2 0.0.0.0
network 172.20.1.3 0.0.0.0
#
return
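The platform procedure earlier on this page states the settings that must agree between the two
devices (the same VRID and virtual IP address, different VRRP priorities, the same backup-id and
service types within an RBP, the same TCP port, and peer/source addresses that mirror each
other). Those rules can be checked against the two configuration files before the devices are
brought into service. The following Python checker is an added example written for this page,
not Huawei code; the Device A and Device B excerpts are constructed from the configuration files
above, and Device B's VRRP priority of 100 is an assumed value (the page only requires that it
differ from Device A's 120).

```python
"""Offline consistency check of the RUI settings (VRRP group, RBS peer, RBP) on two
devices that back each other up. Added example for this page; not Huawei's code."""
import re

# Constructed excerpts of this example's Device A and Device B configuration files.
# Only the commands the checks look at are included. Device B's VRRP priority (100)
# is an assumed value; the page only requires it to differ from Device A's 120.
DEVICE_A = """\
sysname DeviceA
interface Eth-Trunk3.4001
 vrrp vrid 3 virtual-ip 192.168.254.1
 admin-vrrp vrid 3
 vrrp vrid 3 priority 120
remote-backup-service rbs_qhmd
 peer 172.20.1.2 source 172.20.1.3 port 2046
remote-backup-profile rbp3
 service-type bras
 backup-id 3 remote-backup-service rbs_qhmd
 peer-backup hot
 vrrp-id 3 interface Eth-Trunk3.4001
"""
DEVICE_B = """\
sysname DeviceB
interface Eth-Trunk3.4001
 vrrp vrid 3 virtual-ip 192.168.254.1
 admin-vrrp vrid 3
 vrrp vrid 3 priority 100
remote-backup-service rbs_qhmd
 peer 172.20.1.3 source 172.20.1.2 port 2046
remote-backup-profile rbp3
 service-type bras
 backup-id 3 remote-backup-service rbs_qhmd
 peer-backup hot
 vrrp-id 3 interface Eth-Trunk3.4001
"""

SECTION_KINDS = ("interface", "remote-backup-service", "remote-backup-profile")


def parse_rui_config(text):
    """Collect the VRRP groups, RBS peers and RBPs that the checks compare. Sections are
    recognised by their leading keyword, because an exported file may have lost indentation."""
    cfg = {"sysname": None, "vrrp": {}, "rbs": {}, "rbp": {}}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        words = line.split()
        if not words or line == "#":
            continue
        if words[0] == "sysname":
            cfg["sysname"] = words[1]
        elif words[0] in SECTION_KINDS:
            kind, name = words[0], words[1]
            if kind != "interface":  # setdefault: an RBP name reappears where an interface binds it
                cfg["rbs" if kind.endswith("service") else "rbp"].setdefault(name, {"services": set()})
        elif kind == "interface":
            if m := re.match(r"vrrp vrid (\d+) (virtual-ip|priority) (\S+)$", line):
                cfg["vrrp"].setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
        elif kind == "remote-backup-service":
            if m := re.match(r"peer (\S+) source (\S+) port (\d+)$", line):
                cfg["rbs"][name].update(peer=m.group(1), source=m.group(2), port=int(m.group(3)))
        elif kind == "remote-backup-profile":
            rbp = cfg["rbp"][name]
            if m := re.match(r"backup-id (\d+) remote-backup-service (\S+)$", line):
                rbp["backup_id"], rbp["rbs"] = int(m.group(1)), m.group(2)
            elif m := re.match(r"vrrp-id (\d+) interface", line):
                rbp["vrid"] = int(m.group(1))
            elif m := re.match(r"service-type (.+)$", line):
                rbp["services"].update(m.group(1).split())
            elif line == "peer-backup hot":
                rbp["hot"] = True
    return cfg


def check_backup_pair(text_a, text_b):
    """Return the mismatches that would stop the two devices from backing each other up."""
    a, b = parse_rui_config(text_a), parse_rui_config(text_b)
    problems = []
    for name in sorted(set(a["rbp"]) & set(b["rbp"])):
        pa, pb = a["rbp"][name], b["rbp"][name]
        if pa.get("backup_id") != pb.get("backup_id"):
            problems.append(f"RBP {name}: backup-id differs ({pa.get('backup_id')} vs {pb.get('backup_id')})")
        if pa["services"] != pb["services"]:
            problems.append(f"RBP {name}: service-type differs")
        if not (pa.get("hot") and pb.get("hot")):
            problems.append(f"RBP {name}: peer-backup hot is not enabled on both devices")
        vrid = pa.get("vrid")
        if vrid is None or vrid != pb.get("vrid"):
            problems.append(f"RBP {name}: not bound to the same VRRP group on both devices")
        else:
            va, vb = a["vrrp"].get(vrid, {}), b["vrrp"].get(vrid, {})
            if va.get("virtual-ip") != vb.get("virtual-ip"):
                problems.append(f"VRRP group {vrid}: virtual IP differs ({va.get('virtual-ip')} vs {vb.get('virtual-ip')})")
            if va.get("priority") == vb.get("priority"):
                problems.append(f"VRRP group {vrid}: both devices use priority {va.get('priority')}; they must differ")
        ra, rb = a["rbs"].get(pa.get("rbs"), {}), b["rbs"].get(pb.get("rbs"), {})
        if (ra.get("peer"), ra.get("source")) != (rb.get("source"), rb.get("peer")):
            problems.append(f"RBS {pa.get('rbs')}: peer/source addresses are not mirrored on the two devices")
        if ra.get("port") != rb.get("port"):
            problems.append(f"RBS {pa.get('rbs')}: TCP port differs ({ra.get('port')} vs {rb.get('port')})")
    for dev in (a, b):  # within one device every RBP needs its own backup-id
        ids = [p.get("backup_id") for p in dev["rbp"].values()]
        if len(ids) != len(set(ids)):
            problems.append(f"{dev['sysname']}: two RBPs share one backup-id")
    return problems
```

On the device, any of these mismatches shows up only indirectly (the RBS TCP connection stays
down, or the RBP never reports a Master/Slave pair), so checking the files offline saves a round
of display commands on both devices.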
Usage Scenario
With the rapid development of IP technologies, various value-added services are widely used
on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers'
leased line, and VPN interconnection, have high requirements for IP network reliability. IP
network reliability for carrier-class services includes device, link, and network reliability. On
a bearer network, the availability of a network device is required to reach 99.999%; that is, the
device downtime in a year must be less than 5 minutes. High reliability is a basic requirement
for carrier-class devices and must be considered by telecom carriers during network
construction.
The NE40E functions as an edge router that carries multiple services. It is connected to a core
network to implement Layer 3 routing functions and to the aggregation layer to terminate
Layer 2 user packets for user access. The NE40E can carry multiple services, such as triple
play services (HSI, VoIP, and IPTV). Therefore, the NE40E must have high reliability. The
If the upstream device is a firewall, disable the IP spoofing attack defense function on the firewall.
l Downstream device: An aggregation switch is used as the downstream device to learn
MAC addresses from Layer 2 VLAN packets.
Solution Limitations
• In shared address pool mode, an address pool (an IP network segment) is planned based
on services. A service (for example, Internet access or VoIP) corresponds to a domain's
configuration. If terminals that go online through different access links use the same
service (for example, Internet access), they share the address pool resources of that
domain. This mode is called multi-link address pool sharing.
• During actual deployment, planning address pools per link is difficult, because the
number of public addresses is limited and dividing address pools wastes address
resources. Address pools can instead be divided based on authentication domains, which
allows an address pool on the NE40E to be shared between links or backup groups. In
this situation, forwarding control cannot be performed by advertising or withdrawing the
network segment route of an address pool. To implement forwarding control, use a
shared address pool together with tunnel protection.
Networking Requirements
On the network shown in Figure 13-2, the user logs in to Device A and Device B through a
LAN switch. The two Devices run VRRP to determine the master/backup status. Basic user
access functions are configured on Device A and Device B so that the user goes online
through the master device. If the master device or the link on the network or user side of the
master device fails, service traffic needs to be quickly switched to the backup device.
Figure 13-2 Example for configuring RUI in shared address pool mode
NOTE
Interface 1, interface 2, and interface 3 in this example are GE0/1/0, GE0/2/2, and GE0/1/2, respectively.
[Figure 13-2 topology: CR1 and CR2 on the network side; Device A and Device B connect to them through interface1 and interface2 and to each other through interface3; both devices connect through Eth-Trunk3 to the LAN switch, with VRRP running between them; the user attaches to the LAN switch.]
Device     Interface        IP Address
Device A   Eth-Trunk3.501   192.168.254.2/29
           Loopback 0       172.20.1.1/32
           Loopback 10      172.20.1.3/32
           Eth-Trunk 2      172.20.0.41/30
           GE 0/1/0         172.20.0.33/30
           GE 0/2/2         172.20.0.57/30
Device B   Eth-Trunk3.501   192.168.254.3/29
           Loopback 0       172.20.1.1/32
           Loopback 10      172.20.1.2/32
           Eth-Trunk 2      172.20.0.42/30
           GE 0/1/0         172.20.0.34/30
           GE 0/2/2         172.20.0.58/30
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
• VRRP ID
• IP address of each interface on the Routers that back up each other
• Backup ID, which works together with an RBS to identify the RBP to which the user
belongs
Procedure
Step 1 Configure interfaces for connecting Device A and Device B to the LAN switch, and assign IP
addresses to them.
Step 2 Configure IP addresses for loopback and interconnection interfaces on Device A and Device
B.
Configure IP addresses for loopback interfaces. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
[~DeviceA]interface loopback10
[*DeviceA-loopback10]ip address 172.20.1.3 255.255.255.255
[*DeviceA-loopback10] commit
[~DeviceA-loopback10] quit
[~DeviceA]interface loopback0
[*DeviceA-loopback0]ip address 172.20.1.1 255.255.255.255
[*DeviceA-loopback0] commit
[~DeviceA-loopback0] quit
Step 3 Establish a dual-device backup platform. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
NOTE
In this example, only RUI-related configurations are described. For other configurations, see the
corresponding configuration guide.
# Configure a BFD session on the access side to rapidly detect faults in interfaces or links and
trigger a master/backup VRRP switchover. 192.168.254.3 is the IP address of Eth-Trunk
3.4001 on Device B.
[~DeviceA] bfd
[*DeviceA-bfd] quit
[*DeviceA]bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
[*DeviceA-bfd-session-bfd] discriminator local 2
[*DeviceA-bfd-session-bfd] discriminator remote 3
[*DeviceA-bfd-session-bfd] commit
[~DeviceA-bfd-session-bfd] quit
# Configure a VRRP backup group on Eth-Trunk 3.4001, and configure the VRRP backup
group to track the BFD session and network-side interface.
[~DeviceA] interface Eth-Trunk3.4001
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 virtual-ip 192.168.254.1
[*DeviceA-Eth-Trunk3.4001] admin-vrrp vrid 3
[*DeviceA-Eth-Trunk3.4001]vrrp vrid 3 priority 120
[*DeviceA-Eth-Trunk3.4001]vrrp vrid 3 preempt-mode timer delay 1200
[*DeviceA-Eth-Trunk3.4001]vrrp vrid 3 track interface GigabitEthernet0/1/0
reduced 30
[*DeviceA-Eth-Trunk3.4001]vrrp vrid 3 track bfd-session 2 peer
[*DeviceA-Eth-Trunk3.4001] commit
[~DeviceA-Eth-Trunk3.4001] quit
NOTE
Different priorities must be configured for the devices in a VRRP backup group. The device with
the higher priority is the master device.
# Configure an RBS.
[~DeviceA] remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-rbs_qhmd] peer 172.20.1.2 source 172.20.1.3 port 2046
[*DeviceA-rm-backup-rbs_qhmd] track interface GigabitEthernet0/1/0
[*DeviceA-rm-backup-rbs_qhmd]track interface GigabitEthernet0/2/2
[*DeviceA-rm-backup-rbs_qhmd]protect redirect ip-nexthop 172.20.0.42 interface
Eth-Trunk2
[*DeviceA-rm-backup-rbs_qhmd] commit
[~DeviceA-rm-backup-rbs_qhmd] quit
NOTE
Ensure that the master and backup devices can ping each other.
# Configure an RBP.
Step 4 Configure IP address pool binding. The configuration on Device A is used in this example.
The configuration on Device B is similar to that on Device A.
# Configure an address pool.
<HUAWEI> system-view
[~HUAWEI] ip pool dmtjs_xi bas local
[*HUAWEI-ip-pool-dmtjs_xi] gateway 192.168.1.1 255.255.255.0
[*HUAWEI-ip-pool-dmtjs_xi] section 0 192.168.1.2 192.168.1.254
[*HUAWEI-ip-pool-dmtjs_xi] dns-server 192.168.1.1
[*HUAWEI-ip-pool-dmtjs_xi] commit
[~HUAWEI-ip-pool-dmtjs_xi] quit
Step 5 Configure authentication and accounting policies for user access. The configuration on
Device A is used in this example. The configuration on Device B is similar to that on Device
A.
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme wu
[*HUAWEI-aaa-authen-wu] authentication-mode none
[*HUAWEI-aaa-authen-wu] commit
[~HUAWEI-aaa-authen-wu] quit
[*HUAWEI-aaa] accounting-scheme wu
[*HUAWEI-aaa-accounting-wu] accounting-mode none
[*HUAWEI-aaa-accounting-wu] commit
[~HUAWEI-aaa-accounting-wu] quit
[*HUAWEI-aaa] domain dmtjs_xi
[*HUAWEI-aaa-dmtjs_xi] authentication-scheme wu
[*HUAWEI-aaa-dmtjs_xi] accounting-scheme wu
[*HUAWEI-aaa-dmtjs_xi] ip-pool dmtjs_xi
[*HUAWEI-aaa-dmtjs_xi] commit
[~HUAWEI-aaa-dmtjs_xi] quit
Step 6 Bind the RBP to Eth-Trunk3.501 from which users go online. The configuration on Device A
is used in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface Eth-Trunk3.501
[*DeviceA-Eth-Trunk3.501] user vlan 1
[*DeviceA-Eth-Trunk3.501-vlan-1-1] remote-backup-profile rbp3
[*DeviceA-Eth-Trunk3.501-vlan-1-1] quit
[*DeviceA-Eth-Trunk3.501] bas
[*DeviceA-Eth-Trunk3.501-bas]access-type layer2-subscriber default-domain
authentication dmtjs_xi
[*DeviceA-Eth-Trunk3.501-bas] authentication-method bind
[*DeviceA-Eth-Trunk3.501-bas] commit
[~DeviceA-Eth-Trunk3.501-bas] quit
Step 7 Configure advertisement of address pool routes. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
[~DeviceA] ospf 1
After successfully configuring the RBP, run the display remote-backup-profile command.
The RBS type is bras. The RBP named rbp3 is bound to Eth-Trunk3.501 from which users
go online. Device A is in the Master state.
<DeviceA> display remote-backup-profile rbp3
-----------------------------------------------
Profile-Index : 0x802
Profile-Name : rbp3
Service : bras
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 3
VRRP-Interface : Eth-Trunk3.4001
Interface :
Eth-Trunk3.501
State : Master
Peer-state : Slave
Backup mode : hot
Slot-Number : 1
Card-Number : 0
Port-Number : 0
Nas logic-port : Gigabitethernet 0/1/3
Nas logic-ip : 172.20.1.1
Nas logic-sysname : zhuji
Traffic interval : 10(minutes)
After successfully configuring the RBS, run the display remote-backup-service command.
The TCP connection is in the Connected state.
<DeviceA> display remote-backup-service rbs_qhmd
----------------------------------------------------------
Service-Index : 0
Service-Name : rbs_qhmd
TCP-State : Connected
Peer-ip : 172.20.1.2
Source-ip : 172.20.1.3
TCP-Port : 2046
Track-BFD : --
Track-interface0 : 0/1/0
Weight : 10
Track-interface1 : 0/2/2
Weight : 10
SSL-Policy-Name : --
SSL-State : --
Uplink state : 2 (1:DOWN 2:UP)
Domain-map-list : --
----------------------------------------------------------
ip pool:
dmtjs_xi metric 10
ipv6 pool:
Failure ratio : 100%
Failure duration : 0 min
--------------------------------------------------------
After users go online, run the display backup-user command to view user information that is
backed up.
<DeviceA> display backup-user
Remote-backup-service: rbs3
Total Users Numer: 3
------------------------------------------------------------------------
100 101 102
------------------------------------------------------------------------
Run the display access-user interface command to view online user information on a
specified interface.
<DeviceA> display access-user interface Eth-Trunk.501
------------------------------------------------------------------------------
UserID Username Interface IP address
MAC IPv6 address
------------------------------------------------------------------------------
--------------------------------------------------------------------------
100 user1@dmtjs_xi Eth-Trunk.501 192.168.1.10
0002-0101-0101 -
101 user2@dmtjs_xi Eth-Trunk.501 192.168.1.9
0002-0101-0102 -
102 user3@dmtjs_xi Eth-Trunk.501 192.168.1.8
0002-0101-0103 -
--------------------------------------------------------------------------
Total users :3
----End
Configuration Files
• Device A configuration file
#
sysname DeviceA
#
router id 172.20.1.3
#
vlan batch 2 to 9 11 to 504 506 to 3999 4001 to 4094
#
bfd
#
ip pool dmtjs_xi bas local
gateway 192.168.1.1 255.255.255.0
section 0 192.168.1.2 192.168.1.254
dns-server 192.168.1.1
#
aaa
authentication-scheme wu
authentication-mode none
accounting-scheme wu
accounting-mode none
domain dmtjs_xi
authentication-scheme wu
accounting-scheme wu
ip-pool dmtjs_xi
#
bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
discriminator local 2
discriminator remote 3
#
interface GigabitEthernet0/1/3
description ToJiaohuanji
undo shutdown
eth-trunk 3
interface Eth-Trunk3.4001
encapsulation 4001 dot1q-termination
dot1q termination vid 4001
#
• Device B configuration file
#
vlan batch 2 to 9 11 to 504 506 to 3999 4001 to 4094
#
bfd
#
ip pool dmtjs_xi bas local rui-slave
gateway 192.168.1.1 255.255.255.0
section 0 192.168.1.2 192.168.1.254
dns-server 192.168.1.1
#
aaa
authentication-scheme wu
authentication-mode none
accounting-scheme wu
accounting-mode none
domain dmtjs_xi
authentication-scheme wu
accounting-scheme wu
ip-pool dmtjs_xi
#
bfd eth-trunk3-peer bind peer-ip 192.168.254.2 source-ip 192.168.254.3
discriminator local 3
discriminator remote 2
#
interface GigabitEthernet0/1/3
description ToJiaohuanji
undo shutdown
eth-trunk 3
interface Eth-Trunk3.4001
control-vid 4001 dot1q-termination
dot1q termination vid 4001
ip address 192.168.254.3 255.255.255.248
vrrp vrid 3 virtual-ip 192.168.254.1
admin-vrrp vrid 3
vrrp vrid 3 track bfd-session 3 peer
#
interface LoopBack0
ip address 172.20.1.1 255.255.255.255
#
interface LoopBack10
ip address 172.20.1.2 255.255.255.255
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 172.20.0.34 255.255.255.252
#
interface GigabitEthernet0/2/2
undo shutdown
ip address 172.20.0.58 255.255.255.252
#
interface GigabitEthernet0/1/2
undo shutdown
eth-trunk 2
#
interface Eth-Trunk2
description Zhuji
ip address 172.20.0.42 255.255.255.252
#
remote-backup-service rbs_qhmd
peer 172.20.1.3 source 172.20.1.2 port 2046
track interface gigabitethernet 0/1/0
track interface gigabitethernet 0/2/2
protect redirect ip-nexthop 172.20.0.41 interface Eth-Trunk2
ip-pool dmtjs_xi metric 20
#
remote-backup-profile rbp3
service-type bras
backup-id 3 remote-backup-service rbs_qhmd
peer-backup hot
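Every step above ends with "the configuration on Device B is similar to that on Device A", and the pairing only works when the two sides mirror each other exactly: BFD peer and source addresses swapped and local/remote discriminators swapped, the same VRRP group and virtual IP with different priorities, the RBS peer and source swapped on the same port, the same backup ID and RBS name in the RBP, and a lower address pool metric on the master than on the backup. The following Python script is an added example (not part of this guide and not Huawei software) that parses trimmed configuration fragments constructed from the values in this example and reports every violated invariant. It assumes that Device B runs the VRRP default priority of 100, which the example does not set explicitly.

```python
import re

# Constructed, trimmed configuration fragments built from the values in the
# example above; they are not the guide's own configuration files. Device B's
# priority 100 is the VRRP default, assumed because the example sets none on B.
DEVICE_A_CFG = """\
bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
 discriminator local 2
 discriminator remote 3
interface Eth-Trunk3.4001
 vrrp vrid 3 virtual-ip 192.168.254.1
 vrrp vrid 3 priority 120
remote-backup-service rbs_qhmd
 peer 172.20.1.2 source 172.20.1.3 port 2046
 ip-pool dmtjs_xi metric 10
remote-backup-profile rbp3
 backup-id 3 remote-backup-service rbs_qhmd
"""

DEVICE_B_CFG = """\
bfd eth-trunk3-peer bind peer-ip 192.168.254.2 source-ip 192.168.254.3
 discriminator local 3
 discriminator remote 2
interface Eth-Trunk3.4001
 vrrp vrid 3 virtual-ip 192.168.254.1
 vrrp vrid 3 priority 100
remote-backup-service rbs_qhmd
 peer 172.20.1.3 source 172.20.1.2 port 2046
 ip-pool dmtjs_xi metric 20
remote-backup-profile rbp3
 backup-id 3 remote-backup-service rbs_qhmd
"""

# One pattern per RUI-relevant command line.
PATTERNS = {
    "bfd_bind":   re.compile(r"^bfd \S+ bind peer-ip (\S+) source-ip (\S+)"),
    "bfd_local":  re.compile(r"^\s*discriminator local (\d+)"),
    "bfd_remote": re.compile(r"^\s*discriminator remote (\d+)"),
    "vrrp_vip":   re.compile(r"^\s*vrrp vrid (\d+) virtual-ip (\S+)"),
    "vrrp_prio":  re.compile(r"^\s*vrrp vrid (\d+) priority (\d+)"),
    "rbs_peer":   re.compile(r"^\s*peer (\S+) source (\S+) port (\d+)"),
    "pool":       re.compile(r"^\s*ip-pool (\S+) metric (\d+)"),
    "rbp_id":     re.compile(r"^\s*backup-id (\d+) remote-backup-service (\S+)"),
}


def parse_rui(text):
    """Extract the RUI pairing parameters from one device's configuration."""
    cfg = {"pools": {}, "vrrp_priority": 100}   # 100 is the VRRP default priority
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            g = m.groups()
            if key == "bfd_bind":
                cfg["bfd_peer"], cfg["bfd_source"] = g
            elif key in ("bfd_local", "bfd_remote"):
                cfg[key] = int(g[0])
            elif key == "vrrp_vip":
                cfg["vrid"], cfg["vip"] = int(g[0]), g[1]
            elif key == "vrrp_prio":
                cfg["vrrp_priority"] = int(g[1])
            elif key == "rbs_peer":
                cfg["rbs_peer"], cfg["rbs_source"], cfg["rbs_port"] = g[0], g[1], int(g[2])
            elif key == "pool":
                cfg["pools"][g[0]] = int(g[1])
            else:  # rbp_id
                cfg["backup_id"], cfg["rbs"] = int(g[0]), g[1]
    return cfg


def check_pair(a, b):
    """Return the mirrored-configuration invariants that the two devices violate."""
    findings = []
    if (a["bfd_peer"], a["bfd_source"]) != (b["bfd_source"], b["bfd_peer"]):
        findings.append("BFD peer-ip/source-ip are not mirrored")
    if (a["bfd_local"], a["bfd_remote"]) != (b["bfd_remote"], b["bfd_local"]):
        findings.append("BFD local/remote discriminators are not mirrored")
    if (a["vrid"], a["vip"]) != (b["vrid"], b["vip"]):
        findings.append("VRRP group id or virtual IP differs")
    if a["vrrp_priority"] == b["vrrp_priority"]:
        findings.append("VRRP priorities are equal; the master role is not fixed by configuration")
    if (a["rbs_peer"], a["rbs_source"], a["rbs_port"]) != (b["rbs_source"], b["rbs_peer"], b["rbs_port"]):
        findings.append("RBS peer/source/port are not mirrored; the backup TCP channel cannot come up")
    if (a["backup_id"], a["rbs"]) != (b["backup_id"], b["rbs"]):
        findings.append("RBP backup-id or RBS differs; backed-up users would not match the RBP")
    if set(a["pools"]) != set(b["pools"]):
        findings.append("address pools bound to the RBS differ")
    # The master's pool route must win: lower metric on the higher-priority device.
    master, backup = (a, b) if a["vrrp_priority"] > b["vrrp_priority"] else (b, a)
    for pool in set(a["pools"]) & set(b["pools"]):
        if master["pools"][pool] >= backup["pools"][pool]:
            findings.append(f"pool {pool}: master metric {master['pools'][pool]} is not lower than backup metric {backup['pools'][pool]}")
    return findings


if __name__ == "__main__":
    problems = check_pair(parse_rui(DEVICE_A_CFG), parse_rui(DEVICE_B_CFG))
    print("consistent" if not problems else "\n".join(problems))
```

Running the script against the two fragments prints "consistent"; changing Device B's priority to 120 or its local discriminator to 2 produces a finding for the corresponding invariant, which is the kind of drift that is otherwise only noticed when a switchover fails.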
Networking Requirements
In Figure 13-3, users connect to Device A and Device B through a LAN switch. The two
devices run VRRP to determine the master and backup status. The basic user access functions
are configured on Device A and Device B, allowing users to go online through the master
device.
Automatic route advertisement is easier to configure than manual route advertisement. It
also avoids a problem of manual advertisement: if a BRAS fails after a master/slave BRAS
switchover, its UNRs are not re-advertised automatically after the BRAS recovers. The
default route cost can be used to control route preference. If dual-system hot backup is
configured on the BRASs, a routing protocol imports UNRs and trusts their preference values,
so the network segment route of the primary address pool takes precedence over that of the
secondary address pool.
To improve link usage, allow a VRRP backup group to transmit user packets with odd MAC
addresses and another VRRP backup group to transmit user packets with even MAC
addresses to load-balance user packets between Device A and Device B.
Interfaces 1 through 4 in this example are GE 0/1/0, GE 0/2/0, GE 0/3/0, GE 0/1/1, respectively.
[Figure 13-3 topology: Device C on the IP/MPLS network; Device A and Device B connect upward to Device C through interface2, are interconnected through interface3/interface4, and connect downward through interface1 (10.0.1.1/24 on Device A, 10.0.1.2/24 on Device B) to the metro network.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic user access functions and ensure that the two routers have the same
configuration. For details, see HUAWEI NE40E-M2 Series Universal Service Router
Guide - User Access.
2. Establish a multi-system backup platform.
3. Set NAS parameters, the interval for backing up traffic, or the traffic threshold.
4. Configure a protection path for returned network-side traffic.
5. Bind an RBP to an interface from which users get online.
6. Enable a routing protocol to trust UNR cost values.
Data Preparation
To complete the configuration, you need the following data:
• VRRP ID
• IP address of each interface on the Routers that back up each other
• Backup ID, which is used together with the RBS to determine the RBP that the user
belongs to
Procedure
Step 1 Configure a multi-system backup platform. Device A is used as an example. The
configuration of Device B is similar to that of Device A.
NOTE
The example describes only the configurations related to user information backup.
# Configure BFD sessions named bfd and bfd2 at the access side to rapidly detect faults in
interfaces or links of two VRRP backup groups and trigger a master/backup VRRP
switchover if a fault occurs. Set the peer IP addresses for BFD sessions to 10.0.1.2 (IP address
of Device B's GE 0/1/0.2) and 101.0.0.2 (IP address of Device B's GE 0/1/0.3).
[~DeviceA] bfd
[*DeviceA-bfd] quit
[*DeviceA] bfd bfd bind peer-ip 10.0.1.2
[*DeviceA-bfd-session-bfd] discriminator local 1
[*DeviceA-bfd-session-bfd] discriminator remote 2
[*DeviceA-bfd-session-bfd] commit
[~DeviceA-bfd-session-bfd] quit
[~DeviceA] bfd bfd2 bind peer-ip 101.0.0.2
[*DeviceA-bfd-session-bfd2] discriminator local 3
[*DeviceA-bfd-session-bfd2] discriminator remote 4
[*DeviceA-bfd-session-bfd2] commit
[~DeviceA-bfd-session-bfd2] quit
# Configure a VRRP backup group on GE 0/1/0.2 and another one on GE 0/1/0.3, and enable
each VRRP backup group to track a specific BFD session and the network-side interface
status.
[~DeviceA] interface gigabitethernet 0/1/0.2
[*DeviceA-GigabitEthernet0/1/0.2] vlan-type dot1q 200
[*DeviceA-GigabitEthernet0/1/0.2] ip address 10.0.1.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 virtual-ip 10.0.1.100
[*DeviceA-GigabitEthernet0/1/0.2] admin-vrrp vrid 1
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 priority 120
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 track bfd-session 1 peer
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 track interface gigabitethernet
0/2/0 reduced 50
[*DeviceA-GigabitEthernet0/1/0.2] commit
[~DeviceA-GigabitEthernet0/1/0.2] quit
[~DeviceA] interface gigabitethernet 0/1/0.3
[*DeviceA-GigabitEthernet0/1/0.3] vlan-type dot1q 201
[*DeviceA-GigabitEthernet0/1/0.3] ip address 101.0.0.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0.3] vrrp vrid 2 virtual-ip 101.0.0.100
[*DeviceA-GigabitEthernet0/1/0.3] admin-vrrp vrid 2
[*DeviceA-GigabitEthernet0/1/0.3] vrrp vrid 2 priority 100
[*DeviceA-GigabitEthernet0/1/0.3] vrrp vrid 2 preempt-mode timer delay 600
[*DeviceA-GigabitEthernet0/1/0.3] vrrp vrid 2 track bfd-session 3 peer
[*DeviceA-GigabitEthernet0/1/0.3] vrrp vrid 2 track interface gigabitethernet
0/2/0 reduced 50
[*DeviceA-GigabitEthernet0/1/0.3] commit
[~DeviceA-GigabitEthernet0/1/0.3] quit
NOTE
VRRP priorities should be configured on both devices to determine the master and backup status. A
device with the higher priority functions as the master device.
# Configure an RBS.
[~DeviceA] remote-backup-service service1
[*DeviceA-rm-backup-srv-service1] peer 88.88.88.88 source 22.22.22.22 port 2046
[*DeviceA-rm-backup-srv-service1] track interface gigabitethernet 0/2/0
[*DeviceA-rm-backup-srv-service1] commit
NOTE
To monitor the network-side peer BFD sessions that are established on the two Routers, run the track
bfd-session command in the RBS view, which helps rapidly monitor the peer status. The configuration
details are not provided. For details, see the command reference.
# Configure an RBP.
[~DeviceA] remote-backup-profile profile1
[*DeviceA-rm-backup-prf-profile1] peer-backup hot
[*DeviceA-rm-backup-prf-profile1] vrrp-id 1 interface gigabitethernet 0/1/0.2
even-mac
[*DeviceA-rm-backup-prf-profile1] vrrp-id 2 interface gigabitethernet 0/1/0.3 odd-
mac
[*DeviceA-rm-backup-prf-profile1] backup-id 10 remote-backup-service service1
[*DeviceA-rm-backup-prf-profile1] service-type bras
[*DeviceA-rm-backup-prf-profile1] quit
[*DeviceA] remote-backup-profile profile2
[*DeviceA-rm-backup-prf-profile2] peer-backup hot
[*DeviceA-rm-backup-prf-profile2] vrrp-id 1 interface gigabitethernet 0/1/0.2
[*DeviceA-rm-backup-prf-profile2] backup-id 10 remote-backup-service service1
[*DeviceA-rm-backup-prf-profile2] service-type bras
[*DeviceA-rm-backup-prf-profile2] commit
[~DeviceA-rm-backup-prf-profile2] quit
Step 2 Set NAS parameters and the interval for backing up traffic. Device A is used as an
example. The configuration of Device B is similar to that of Device A.
# Set NAS parameters.
[~DeviceA] remote-backup-profile profile1
[*DeviceA-rm-backup-prf-profile1] nas logic-ip 1.2.3.4
[*DeviceA-rm-backup-prf-profile1] nas logic-port gigabitethernet 0/1/0
[*DeviceA-rm-backup-prf-profile1] nas logic-sysname huawei
[*DeviceA-rm-backup-prf-profile1] commit
Step 3 Bind pool1 configured in the AAA domain to the RBS and configure a protection path for
returned network-side traffic. Device A is used as an example. The configuration of
Device B is similar to that of Device A.
[~DeviceA] remote-backup-service service1
[*DeviceA-rm-backup-srv-service1] ip-pool pool1
[*DeviceA-rm-backup-srv-service1] protect redirect ip-nexthop 10.1.1.7 interface
gigabitethernet 0/3/0
[*DeviceA-rm-backup-srv-service1] commit
Step 4 Bind the RBP to GE 0/1/0.1 through which users get online. Device A is used as an
example. The configuration of Device B is similar to that of Device A.
[~DeviceA] interface gigabitethernet 0/1/0.1
[*DeviceA-GigabitEthernet0/1/0.1] remote-backup-profile profile1
[*DeviceA-GigabitEthernet0/1/0.1] commit
[~DeviceA-GigabitEthernet0/1/0.1] quit
[~DeviceA] interface gigabitethernet 0/1/1.1
[*DeviceA-GigabitEthernet0/1/1.1] remote-backup-profile profile2
[*DeviceA-GigabitEthernet0/1/1.1] commit
[~DeviceA-GigabitEthernet0/1/1.1] quit
Step 5 Enable each router to use the default cost values of imported routes to control address pool
route priorities.
[DeviceA] peer-backup route-cost auto-advertising
NOTE
Perform one of the following steps based on the type of routing protocol:
• Run the import-route unr inherit-cost command in the IS-IS view.
• In the OSPF view, run the following commands:
1. default cost inherit-metric
2. import-route unr
• Run the import-route unr command in the BGP view.
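As an added example (not Huawei's code and not part of this guide), a small Python model of the VRRP behaviour the procedure above configures: priority reduction when a tracked network-side interface goes down, a backup that waits its preempt delay before taking over from a master that is still running, immediate takeover when the peer BFD session reports the master down, and the even-mac/odd-mac split of users between the two backup groups. It uses the VRID 1 values from this example (Device A priority 120, Device B priority 100 with a 600-second preempt delay, both tracking GE 0/2/0 with reduced 50) and assumes that the even/odd classification of a MAC address is decided by its lowest bit.

```python
from dataclasses import dataclass, field

# Simplified model (added example, not Huawei's implementation) of the VRRP
# election configured above: tracked-interface priority reduction, preempt
# delay, BFD-detected peer failure, and the even-mac/odd-mac user split.


@dataclass
class VrrpMember:
    device: str
    ip: str                       # interface address; tie-breaker for equal priorities
    priority: int = 100           # VRRP default priority when none is configured
    track_reduced: dict = field(default_factory=dict)   # interface -> "reduced" value
    preempt_delay: int = 0        # "preempt-mode timer delay" in seconds (0 = immediate)
    down_interfaces: set = field(default_factory=set)
    alive: bool = True            # False once the peer BFD session reports the device down

    def effective_priority(self) -> int:
        reduction = sum(v for i, v in self.track_reduced.items() if i in self.down_interfaces)
        return max(1, self.priority - reduction)


def _ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))


def elect_master(members) -> str:
    """Device with the highest effective priority; the higher IP address wins a tie."""
    alive = [m for m in members if m.alive]
    return max(alive, key=lambda m: (m.effective_priority(), _ip_key(m.ip))).device


def master_after(members, current: str, seconds: int) -> str:
    """Master `seconds` after a state change, given that `current` was master.

    A backup preempts a still-running master only after its own preempt delay;
    if the master itself is gone (BFD peer down) the backup takes over at once.
    """
    by_name = {m.device: m for m in members}
    candidate = elect_master(members)
    if candidate == current:
        return current
    if not by_name[current].alive or seconds >= by_name[candidate].preempt_delay:
        return candidate
    return current


def vrrp_group_for_mac(mac: str) -> int:
    """Map a MAC in xxxx-xxxx-xxxx notation to a backup group: even MAC -> VRID 1
    (GE 0/1/0.2), odd MAC -> VRID 2 (GE 0/1/0.3). Parity from the lowest bit (assumption)."""
    last_octet = int(mac.replace("-", "")[-2:], 16)
    return 1 if last_octet % 2 == 0 else 2


def split_users(macs) -> dict:
    """Count how many users each VRRP backup group would carry."""
    counts = {1: 0, 2: 0}
    for mac in macs:
        counts[vrrp_group_for_mac(mac)] += 1
    return counts


def uplink_failure_scenario():
    """VRID 1 from the example: A 120, B 100 (delay 600), both track GE 0/2/0 reduced 50."""
    a = VrrpMember("DeviceA", "10.0.1.1", 120, {"GE0/2/0": 50})
    b = VrrpMember("DeviceB", "10.0.1.2", 100, {"GE0/2/0": 50}, preempt_delay=600)
    members = [a, b]
    timeline = [("normal", elect_master(members))]
    a.down_interfaces.add("GE0/2/0")                 # A's network-side link fails: 120 -> 70
    timeline.append(("uplink down, t=0", master_after(members, "DeviceA", 0)))
    timeline.append(("uplink down, t=600", master_after(members, "DeviceA", 600)))
    a.down_interfaces.clear()                        # link restored: A is 120 again, no delay on A
    timeline.append(("uplink restored", master_after(members, "DeviceB", 0)))
    a.alive = False                                  # BFD reports A down: B takes over immediately
    timeline.append(("peer down via BFD", master_after(members, "DeviceA", 0)))
    return timeline


if __name__ == "__main__":
    for event, master in uplink_failure_scenario():
        print(f"{event:22s} master = {master}")
    print(split_users(["0002-0101-0101", "0002-0101-0102", "0002-0101-0103"]))
```

The timeline makes the two tracking mechanisms visible side by side: a reduced priority only moves the master role after the backup's preempt delay, whereas a BFD-detected peer failure moves it immediately, which is why the procedure tracks both the network-side interface and the peer BFD session.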
After the RBS is configured successfully, the TCP connection status is displayed as
Connected.
<DeviceA> display remote-backup-service service1
----------------------------------------------------------
Service-Index : 0
Service-Name : service1
TCP-State : Connected
Peer-ip : 88.88.88.88
Source-ip : 22.22.22.22
TCP-Port : 2046
Track-BFD : --
Track-interface0 : GigabitEthernet0/2/0
Track-interface1 : --
----------------------------------------------------------
IP Pool:
pool1
ip pool:
poolv4_yyz metric 10
r3 metric 10
r4 metric 20
remotev4 metric 10
ipv6 pool:
1234 metric 10
iana_yyz metric 10
iapd_yyz metric 10
lo metric 10
loc_vpn metric 10
nd metric 10
pd metric 10
remote_del_yyz metric 10
remotev6_yyz metric 10
Failure ratio : 100%
Failure duration : 0 min
NAT instance : nat1
----------------------------------------------------------
Rbs-ID : 0
Protect-type : ip-redirect
Next-hop : 10.1.1.7
Vlanid : 0
Peer-ip : 10.1.1.7
Vrfid : 0
Tunnel-index : 0x0
Tunnel-state : UP
Tunnel-OperFlag: NORMAL
Spec-interface : GigabitEthernet0/3/0
Out-interface : GigabitEthernet0/3/0
User-number : 0
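The display remote-backup-service output above is what an operator inspects by hand after deployment. The following Python script, an added example that is not part of this guide, parses a constructed copy of such output (trimmed to the fields shown above) and reports the conditions that would leave users without a working backup: a TCP channel that is not Connected, an RBS that tracks neither a BFD session nor an interface, an uplink state of DOWN, a protection tunnel that is not UP, or no address pool bound to the RBS. The field names follow the output above; the `expected_peer` parameter and the wording of the findings are the example's own.

```python
import re

# Constructed sample output, modelled on the display remote-backup-service
# output above (trimmed to the fields this check uses; not a verbatim capture).
SAMPLE_OUTPUT = """\
----------------------------------------------------------
  Service-Index      : 0
  Service-Name       : service1
  TCP-State          : Connected
  Peer-ip            : 88.88.88.88
  Source-ip          : 22.22.22.22
  TCP-Port           : 2046
  Track-BFD          : --
  Track-interface0   : GigabitEthernet0/2/0
  Track-interface1   : --
  Uplink state       : 2 (1:DOWN 2:UP)
----------------------------------------------------------
  ip pool:
    poolv4_yyz metric 10
    r3 metric 10
    r4 metric 20
  Failure ratio      : 100%
  Failure duration   : 0 min
----------------------------------------------------------
  Rbs-ID             : 0
  Protect-type       : ip-redirect
  Next-hop           : 10.1.1.7
  Tunnel-state       : UP
  Tunnel-OperFlag    : NORMAL
  Out-interface      : GigabitEthernet0/3/0
  User-number        : 0
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*:\s*(.*)$")   # "Key : Value" lines
POOL_RE = re.compile(r"^\s*(\S+) metric (\d+)\s*$")             # "<pool> metric <n>" lines


def parse_rbs_display(text):
    """Split the output into a field map and an address-pool -> metric map."""
    fields, pools = {}, {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
            continue
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = int(m.group(2))
    return fields, pools


def rbs_health(text, expected_peer=None):
    """Return the findings that would leave users without a working backup."""
    f, pools = parse_rbs_display(text)
    findings = []
    if f.get("TCP-State") != "Connected":
        findings.append(f"backup channel not established (TCP-State={f.get('TCP-State')})")
    if expected_peer and f.get("Peer-ip") != expected_peer:
        findings.append(f"RBS peers with {f.get('Peer-ip')}, expected {expected_peer}")
    tracked = [f.get("Track-BFD", "--")] + [f.get(f"Track-interface{i}", "--") for i in range(2)]
    if all(t == "--" for t in tracked):
        findings.append("RBS tracks no BFD session and no interface; network-side faults cannot trigger a switchover")
    uplink = f.get("Uplink state", "")
    if uplink and not uplink.startswith("2"):       # "1:DOWN 2:UP" legend in the output
        findings.append(f"uplink state is DOWN ({uplink})")
    if f.get("Tunnel-state", "UP") != "UP":
        findings.append(f"protection tunnel is not up (Tunnel-state={f.get('Tunnel-state')})")
    if not pools:
        findings.append("no address pool bound to the RBS; pool routes cannot follow the master/backup role")
    return findings


if __name__ == "__main__":
    for line in rbs_health(SAMPLE_OUTPUT, expected_peer="88.88.88.88") or ["healthy"]:
        print(line)
```

Run periodically against the real command output, the check turns the manual "is TCP-State Connected?" inspection into something that can raise an alert before the next fault exposes a broken backup channel.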
After users go online, you can view the information about backup users. The information
includes the number of locally logged-in users and the number of remotely logged-in users
whose information is backed up.
<HUAWEI> display backup-user
Remote-backup-service: service1
Total Users Numer: 10
------------------------------------------------------------------------
100 101 102 103 104 105 106 107 108 109
------------------------------------------------------------------------
Local Users Number :10
Remote Users Number :0
The information about online users on a specific interface can be displayed. The information
includes the number of non-RUI users, the number of local RUI users, the number of remote
RUI users, and the total number of users.
<HUAWEI> display access-user interface GigabitEthernet 0/1/0.1
------------------------------------------------------------------------------
UserID Username Interface IP address MAC
Vlan IPv6 address Access type
------------------------------------------------------------------------------
120 user@lsh GE0/1/0.1 2.2.2.10 0002-0101-0101
50/- - IPoE
101 user@lsh GE0/1/0.1 2.2.2.9
0002-0101-0102 -
50/- - IPoE
102 user@lsh GE0/1/0.1 2.2.2.8
0002-0101-0103 -
50/- - IPoE
103 user@lsh GE0/1/0.1 2.2.2.7
0002-0101-0104 -
50/- - IPoE
104 user@lsh GE0/1/0.1 2.2.2.6
0002-0101-0105 -
50/- - IPoE
105 user@lsh GE0/1/0.1 2.2.2.5
0002-0101-0106 -
50/- - IPoE
106 user@lsh GE0/1/0.1 2.2.2.4
0002-0101-0107 -
50/- - IPoE
107 user@lsh GE0/1/0.1 2.2.2.3
0002-0101-0108 -
50/- - IPoE
108 user@lsh GE0/1/0.1 2.2.2.2
0002-0101-0109 -
50/- - IPoE
109 user@lsh GE0/1/0.1 2.2.2.11
0002-0101-0110 -
50/- - IPoE
--------------------------------------------------------------------------
Normal users : 0
RUI Local users : 10
RUI Remote users : 0
Total users : 10
----End
Configuration Files
• Configuration file of Device A
#
sysname DeviceA
#
ip pool pool1 bas local
gateway 16.0.0.1 255.255.255.0
section 0 16.0.0.2 16.0.0.100
#
aaa
domain userdomain1
authentication-scheme default0
accounting-scheme default0
ip-pool pool1
#
bfd bfd bind peer-ip 10.0.1.2
discriminator local 1
discriminator remote 2
commit
#
bfd bfd2 bind peer-ip 101.0.0.2
discriminator local 3
discriminator remote 4
commit
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 track bfd-session session-name bfd peer
vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
#
interface gigabitethernet 0/1/0.3
vlan-type dot1q 201
ip address 101.0.0.1 255.255.255.0
vrrp vrid 2 virtual-ip 101.0.0.100
admin-vrrp vrid 2
commit
#
• Configuration file of Device B
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 100
vrrp vrid 1 preempt-mode timer delay 600
vrrp vrid 1 track bfd-session session-name bfd peer
vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
#
interface gigabitethernet 0/1/0.3
vlan-type dot1q 201
ip address 101.0.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 101.0.0.100
admin-vrrp vrid 2
vrrp vrid 2 priority 120
vrrp vrid 2 track bfd-session session-name bfd2 peer
vrrp vrid 2 track interface gigabitethernet 0/2/0 reduced 50
#
remote-backup-service service1
peer 22.22.22.22 source 88.88.88.88 port 2046
track interface gigabitethernet 0/2/0
protect redirect ip-nexthop 10.1.1.6 interface gigabitethernet 0/3/0
#
remote-backup-profile profile1
service-type bras
backup-id 10 remote-backup-service service1
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2 even-mac
vrrp-id 2 interface gigabitethernet 0/1/0.3 odd-mac
nas logic-ip 1.2.3.4
nas logic-port gigabitethernet0/1/0
nas logic-sysname huawei
traffic backup interval 10
#
interface gigabitethernet 0/1/0.1
user-vlan 50
remote-backup-profile profile1
bas
access-type layer2-subscriber
authentication-method web
#
interface gigabitethernet 0/3/0
undo shutdown
ip address 10.1.1.7 255.255.255.0
#
peer-backup route-cost auto-advertising
return
Usage Scenario
With the rapid development of IP technologies, various value-added services are widely used
on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers'
leased line, and VPN interconnection, have high requirements for IP network reliability. IP
network reliability for carrier-class services includes device, link, and network reliability. On
a bearer network, the availability of a network device is required to reach 99.999%; that is, the
device downtime in a year must be less than 5 minutes. High reliability is a basic requirement
for carrier-class devices and must be considered by telecom carriers during network
construction.
The NE40E functions as an edge router that carries multiple services. It is connected to a core
network to implement Layer 3 routing functions and to the aggregation layer to terminate
Layer 2 user packets for user access. The NE40E can carry multiple services, such as triple
play services (HSI, VoIP, and IPTV). Therefore, the NE40E must have high reliability. The
NE40E provides service-level high-reliability technologies. Non-stop data flow forwarding
does not mean that user services are not interrupted. If a network node or link fails, user
traffic is switched to a backup device. If user information is not synchronized to a backup
device, user services are still interrupted. High reliability has been considered when the
NE40E is designed to function as a network edge service aggregation and control device,
which ensures that users' HSI, IPTV, and VoIP services are not interrupted if a network node
or link fault occurs. RUI is designed to meet the preceding reliability requirements.
Solution Limitations
• The VRRP switchback delay must be twice or three times the interval at which multicast
query packets are sent to ensure that entries on the master and backup devices are the
same. The default interval at which multicast query packets are sent is 60s.
• NE40Es function as multicast replication points, and the copy by session mode is used.
Networking Requirements
On the network shown in Figure 13-4, the user logs in to Device A and Device B through a
LAN switch. The two Devices run VRRP to determine the master/backup status. Basic user
access functions are configured on Device A and Device B so that the user goes online
through the master device. If the master device or the link on the network or user side of the
master device fails, service traffic needs to be quickly switched to the backup device.
Interface 1 and interface 2 in this example are GE0/1/0 and GE0/2/2, respectively.
[Figure 13-4 topology: CR1 and CR2 on the network side; Device A and Device B connect to them through interface1, and both devices connect to the LAN switch to which the user attaches.]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
• VRRP ID
• IP address of each interface on the Routers that back up each other
• Backup ID, which works together with an RBS to identify the RBP to which the user
belongs
Procedure
Step 1 Configure interfaces for connecting Device A and Device B to the LAN switch, and assign IP
addresses to them.
Step 3 Establish a dual-device backup platform. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
NOTE
In this example, only RUI-related configurations are described. For other configurations, see the
corresponding configuration guide.
# Configure a BFD session on the access side to rapidly detect faults in interfaces or links and
trigger a master/backup VRRP switchover. 192.168.254.3 is the IP address of Eth-Trunk
3.4001 on Device B.
[~DeviceA] bfd
[*DeviceA-bfd] quit
[*DeviceA]bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
[*DeviceA-bfd-session-bfd] discriminator local 2
[*DeviceA-bfd-session-bfd] discriminator remote 3
[*DeviceA-bfd-session-bfd] commit
[~DeviceA-bfd-session-bfd] quit
# Configure a VRRP backup group on Eth-Trunk 3.4001, and configure the VRRP backup
group to track the BFD session and network-side interface.
[~DeviceA] interface Eth-Trunk3.4001
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 virtual-ip 192.168.254.1
[*DeviceA-Eth-Trunk3.4001] admin-vrrp vrid 3
[*DeviceA-Eth-Trunk3.4001]vrrp vrid 3 priority 120
[*DeviceA-Eth-Trunk3.4001]vrrp vrid 3 preempt-mode timer delay 1200
[*DeviceA-Eth-Trunk3.4001]vrrp vrid 3 track interface GigabitEthernet0/1/0
reduced 30
[*DeviceA-Eth-Trunk3.4001]vrrp vrid 3 track bfd-session 2 peer
[*DeviceA-Eth-Trunk3.4001] commit
[~DeviceA-Eth-Trunk3.4001] quit
NOTE
Different priorities must be configured for the devices in a VRRP backup group. The device with
the higher priority is the master device.
# Configure an RBS.
[~DeviceA] remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-rbs_qhmd] peer 172.20.1.2 source 172.20.1.3 port 2046
[*DeviceA-rm-backup-rbs_qhmd] track interface GigabitEthernet0/1/0
[*DeviceA-rm-backup-rbs_qhmd]track interface GigabitEthernet0/2/2
[*DeviceA-rm-backup-rbs_qhmd] commit
[~DeviceA-rm-backup-rbs_qhmd] quit
NOTE
Ensure that the master and backup devices can ping each other.
# Configure an RBP.
[~DeviceA] remote-backup-profile rbp3
[*DeviceA-rm-backup-prf-rbp3] service-type bras
[*DeviceA-rm-backup-prf-rbp3] service-type multicast
[*DeviceA-rm-backup-prf-rbp3] backup-id 3 remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-prf-rbp3] peer-backup hot
[*DeviceA-rm-backup-prf-rbp3] vrrp-id 3 interface Eth-Trunk3.4001
[*DeviceA-rm-backup-prf-rbp3] commit
[~DeviceA-rm-backup-prf-rbp3] quit
Step 4 Configure IP address pool binding. The configuration on Device A is used in this example.
The configuration on Device B is similar to that on Device A.
# Configure an address pool.
<HUAWEI> system-view
[~HUAWEI] ip pool dmtjs_xi bas local
[*HUAWEI-ip-pool-dmtjs_xi] gateway 192.168.1.1 255.255.255.0
[*HUAWEI-ip-pool-dmtjs_xi] section 0 192.168.1.2 192.168.1.254
Step 5 Configure authentication and accounting policies for user access. The configuration on
Device A is used in this example. The configuration on Device B is similar to that on Device
A.
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme wu
[*HUAWEI-aaa-authen-wu] authentication-mode none
[*HUAWEI-aaa-authen-wu] commit
[~HUAWEI-aaa-authen-wu] quit
[*HUAWEI-aaa] accounting-scheme wu
[*HUAWEI-aaa-accounting-wu] accounting-mode none
[*HUAWEI-aaa-accounting-wu] commit
[~HUAWEI-aaa-accounting-wu] quit
[*HUAWEI-aaa] domain dmtjs_xi
[*HUAWEI-aaa-dmtjs_xi] authentication-scheme wu
[*HUAWEI-aaa-dmtjs_xi] accounting-scheme wu
[*HUAWEI-aaa-dmtjs_xi] ip-pool dmtjs_xi
[*HUAWEI-aaa-dmtjs_xi] commit
[~HUAWEI-aaa-dmtjs_xi] quit
Step 6 Bind the RBP to Eth-Trunk 3.501 from which users go online. The configuration on Device A
is used in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface Eth-Trunk3.501
[*DeviceA-Eth-Trunk3.501] user vlan 501
[*DeviceA-Eth-Trunk3.501-vlan-501-501] remote-backup-profile rbp3
[*DeviceA-Eth-Trunk3.501-vlan-501-501] quit
[*DeviceA-Eth-Trunk3.501] bas
[*DeviceA-Eth-Trunk3.501-bas]access-type layer2-subscriber default-domain
authentication dmtjs_xi
[*DeviceA-Eth-Trunk3.501-bas]multicast copy by-session
[*DeviceA-Eth-Trunk3.501-bas] authentication-method bind
[*DeviceA-Eth-Trunk3.501-bas] commit
[~DeviceA-Eth-Trunk3.501-bas] quit
Step 7 Configure advertisement of address pool routes. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
[~DeviceA] ospf 1
[*DeviceA-ospf-1] import-route unr
[*DeviceA-ospf-1] area 0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.1.1 0.0.0.0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.1.3 0.0.0.0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.32 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.40 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.56 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] commit
[~DeviceA-ospf-1-area-0.0.0.0] quit
# Enable PIM on the network-side interface. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface GigabitEthernet0/1/0
[*DeviceA-GigabitEthernet0/1/0] undo shutdown
[*DeviceA-GigabitEthernet0/1/0] ip address 172.20.0.33 255.255.255.252
[*DeviceA-GigabitEthernet0/1/0] pim sm
[*DeviceA-GigabitEthernet0/1/0] commit
[~DeviceA-GigabitEthernet0/1/0] quit
[~DeviceA] interface GigabitEthernet0/2/2
[*DeviceA-GigabitEthernet0/2/2] undo shutdown
[*DeviceA-GigabitEthernet0/2/2] ip address 172.20.0.58 255.255.255.252
[*DeviceA-GigabitEthernet0/2/2] pim sm
[*DeviceA-GigabitEthernet0/2/2] commit
[~DeviceA-GigabitEthernet0/2/2] quit
# Enable IGMP and PIM on the access-side interface. The configuration on Device A is used
in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface Eth-Trunk3.501
[*DeviceA-Eth-Trunk3.501] pim sm
[*DeviceA-Eth-Trunk3.501] igmp enable
[*DeviceA-Eth-Trunk3.501] commit
[~DeviceA-Eth-Trunk3.501] quit
# Configure an RP.
[~DeviceA] pim
[*DeviceA-pim] static-rp 192.168.2.2
[*DeviceA-pim] commit
----End
Configuration Files
- Device A configuration file
#
sysname DeviceA
#
router id 172.20.1.3
#
vlan batch 2 to 9 11 to 504 506 to 3999 4001 to 4094
#
#
multicast routing-enable
#
pim
static-rp 192.168.2.2
#
bfd
#
ip pool dmtjs_xi bas local
gateway 192.168.1.1 255.255.255.0
section 0 192.168.1.2 192.168.1.254
dns-server 192.168.1.1
#
aaa
authentication-scheme wu
authentication-mode none
accounting-scheme wu
accounting-mode none
domain dmtjs_xi
authentication-scheme wu
accounting-scheme wu
ip-pool dmtjs_xi
#
bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
discriminator local 2
discriminator remote 3
#
interface GigabitEthernet0/1/3
description ToJiaohuanji
undo shutdown
eth-trunk 3
interface Eth-Trunk3.4001
encapsulation 4001 dot1q-termination
dot1q termination vid 4001
ip address 192.168.254.2 255.255.255.248
vrrp vrid 3 virtual-ip 192.168.254.1
admin-vrrp vrid 3
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 1200
vrrp vrid 3 track bfd-session 2 peer
vrrp vrid 3 track interface GigabitEthernet0/1/0 reduced 30
#
interface LoopBack0
ip address 172.20.1.1 255.255.255.255
#
interface LoopBack10
ip address 172.20.1.3 255.255.255.255
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 172.20.0.33 255.255.255.252
pim sm
#
interface GigabitEthernet0/2/2
undo shutdown
ip address 172.20.0.57 255.255.255.252
pim sm
#
remote-backup-service rbs_qhmd
peer 172.20.1.2 source 172.20.1.3 port 2046
track interface gigabitethernet 0/1/0
track interface gigabitethernet 0/2/2
ip-pool dmtjs_xi
#
remote-backup-profile rbp3
service-type bras
service-type multicast
backup-id 3 remote-backup-service rbs_qhmd
peer-backup hot
#
- Device B configuration file
#
interface LoopBack0
ip address 172.20.1.1 255.255.255.255
#
interface LoopBack10
ip address 172.20.1.2 255.255.255.255
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 172.20.0.34 255.255.255.252
pim sm
#
interface GigabitEthernet0/2/2
undo shutdown
ip address 172.20.0.58 255.255.255.252
pim sm
#
remote-backup-service rbs_qhmd
peer 172.20.1.3 source 172.20.1.2 port 2046
track interface gigabitethernet 0/1/0
track interface gigabitethernet 0/2/2
#
remote-backup-profile rbp3
service-type bras
service-type multicast
backup-id 3 remote-backup-service rbs_qhmd
peer-backup hot
vrrp-id 3 interface Eth-Trunk3.4001
#
interface Eth-Trunk3.501
user-vlan 501
remote-backup-profile rbp3
pim sm
igmp enable
bas
access-type layer2-subscriber default-domain authentication dmtjs_xi
multicast copy by-session
authentication-method bind
#
#
ospf 1
import-route unr
area 0.0.0.0
network 172.20.0.32 0.0.0.3
network 172.20.0.56 0.0.0.3
network 172.20.0.40 0.0.0.3
network 172.20.1.2 0.0.0.0
network 172.20.1.3 0.0.0.0
#
return
Networking Requirements
Due to IPv4 address depletion, carriers deploy IPv6. To allow services that use IPv4 hot backup
to evolve smoothly to IPv6, and to protect both IPv4 and IPv6 services, IPv6 dual-device hot
backup must be deployed.
Figure (networking diagram): BRAS 1 and BRAS 2 run VRRP toward SW1 on interface1 and connect to the IP core on interface2; the DHCP and AAA servers are reached through the IP core.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure routes to implement IP connectivity between devices and PBR on both
BRASs. For details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - IP Routing.
2. Configure basic user access functions and ensure that the two devices have the same
configuration. For details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access.
3. Establish a multi-device backup platform. Configure an RBS on the network side of the
master and backup BRASs (BRAS1 and BRAS2). BRAS1 is the master Router and
BRAS2 is the backup Router.
4. Configure a VRRP backup group on the access side of two Routers (BRAS1 and
BRAS2) to determine the master and backup status. Create a BFD session, and configure
the VRRP backup group to track the BFD session.
5. Configure an RBP for backing up BRAS user information and multicast services.
6. Bind an RBP to an interface from which users get online.
NOTE
The configuration on BRAS2 is similar to the configuration on BRAS1. The configuration procedure on
BRAS1 is used in this example. For details about configurations on BRAS2, see the Configuration Files.
Data Preparation
To complete the configuration, you need the following data:
- VRRP parameters, such as a VRID and a preemption delay
- BFD parameters, such as the local and remote discriminators and expected minimum interval at which BFD Control packets are sent and received
- IP address of each interface on BRAS1 and BRAS2
- Backup ID, which works together with an RBS to identify an RBP to which users belong
- User access parameters
Procedure
Step 1 Configure user access functions.
For the configuration procedure, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access.
Step 2 Configure a VRRP backup group on the access side of two Routers (BRAS1 and BRAS2) to
determine the master and backup status. Create a BFD session and configure the VRRP
backup group to track the BFD session.
# Configure a BFD session on the access side to rapidly detect faults in interfaces or links and
trigger a master/backup VRRP switchover.
[~BRAS1] bfd
[*BRAS1-bfd] quit
[*BRAS1] bfd bfd1 bind peer-ip 10.1.1.2
[*BRAS1-bfd-session-bfd1] discriminator local 8
[*BRAS1-bfd-session-bfd1] discriminator remote 6
[*BRAS1-bfd-session-bfd1] commit
[~BRAS1-bfd-session-bfd1] quit
# Create a VRRP backup group on GE 0/2/1.1, and configure the VRRP backup group to
track the BFD session and a network-side interface.
[~BRAS1] interface GigabitEthernet 0/2/1.1
[*BRAS1-GigabitEthernet0/2/1.1] vlan-type dot1q 200
[*BRAS1-GigabitEthernet0/2/1.1] ip address 10.1.1.1 255.255.255.0
[*BRAS1-GigabitEthernet0/2/1.1] vrrp vrid 1 virtual-ip 10.1.1.100
[*BRAS1-GigabitEthernet0/2/1.1] admin-vrrp vrid 1
[*BRAS1-GigabitEthernet0/2/1.1] vrrp vrid 1 priority 180
[*BRAS1-GigabitEthernet0/2/1.1] vrrp vrid 1 preempt-mode timer delay 60
[*BRAS1-GigabitEthernet0/2/1.1] vrrp vrid 1 track interface GigabitEthernet 0/2/0 reduced 50
[*BRAS1-GigabitEthernet0/2/1.1] vrrp vrid 1 track bfd-session 8 peer
[*BRAS1-GigabitEthernet0/2/1.1] commit
[~BRAS1-GigabitEthernet0/2/1.1] quit
[*BRAS1-loopback1] commit
[~BRAS1-loopback1] quit
# Configure an RBS.
[~BRAS1] remote-backup-service rui
[*BRAS1-rm-backup-srv-rui] peer 10.1.2.2 source 10.1.2.1 port 6001
[*BRAS1-rm-backup-srv-rui] track interface GigabitEthernet0/2/0
[*BRAS1-rm-backup-srv-rui] commit
[~BRAS1-rm-backup-srv-rui] quit
# Configure an RBP.
[~BRAS1] remote-backup-profile p1
[*BRAS1-rm-backup-prf-p1] service-type bras
[*BRAS1-rm-backup-prf-p1] backup-id 101 remote-backup-service rui
[*BRAS1-rm-backup-prf-p1] peer-backup hot
[*BRAS1-rm-backup-prf-p1] vrrp-id 1 interface gigabitethernet 0/2/1.1
[*BRAS1-rm-backup-prf-p1] commit
[~BRAS1-rm-backup-prf-p1] quit
# Bind the RBP to the interface from which users get online.
[~BRAS1] interface gigabitethernet 0/2/1.333
[*BRAS1-GigabitEthernet0/2/1.333] remote-backup-profile p1
[*BRAS1-GigabitEthernet0/2/1.333] commit
[~BRAS1-GigabitEthernet0/2/1.333] quit
Step 4 Create a protection channel between the master and backup BRASs.
[~BRAS1] remote-backup-service rui
[*BRAS1-rm-backup-srv-rui] protect lsp-tunnel for-all-instance peer-ip 10.1.2.2
[*BRAS1-rm-backup-srv-rui] commit
[~BRAS1-rm-backup-srv-rui] quit
-----------------------------------------------
Profile-Index : 0x1000
Profile-Name : p1
Service: bras
Remote-backup-service : rui
Backup-ID : 101
track protocol : VRRP
VRRP-ID: 1
VRRP-Interface : Gigabitethernet 0/2/1.1
Access-conctrol: --
State : Master
Peer State : Slave
Interface:
GigabitEthernet0/2/1.333
Backup mode : hot
Slot-Number : 3
Card-Number : 1
Port-Number : 10
Traffic threshold : 50(MB)
Traffic interval : 10(minutes)
<BRAS2> display remote-backup-profile p2
-----------------------------------------------
Profile-Index : 0x1001
Profile-Name : p2
Service: bras
Remote-backup-service : rui
Backup-ID : 101
track protocol : VRRP
VRRP-ID: 1
VRRP-Interface : Gigabitethernet 0/2/1.1
Access-conctrol: --
State : Slave
Peer State : Master
Interface:
GigabitEthernet0/2/1.332
Backup mode : hot
Slot-Number : 1
Card-Number : 0
Port-Number : 10
Traffic threshold : 50(MB)
Traffic interval : 10(minutes)
----End
Configuration Files
- BRAS1 configuration file
#
sysname BRAS1
#
ipv6
#
bfd
#
mpls
#
mpls ldp
#
ipv6 prefix prefix1 local
prefix 2013::/64
#
ipv6 pool pool1 bas local
prefix prefix1
#
aaa
domain huawei
authentication-scheme default0
accounting-scheme default0
ipv6-pool pool1
#
remote-backup-service rui
peer 10.1.2.2 source 10.1.2.1 port 6001
protect lsp-tunnel for-all-instance peer-ip 10.1.2.2
track interface GigabitEthernet0/2/0
ipv6-pool pool1
#
remote-backup-profile p1
service-type bras
backup-id 101 remote-backup-service rui
peer-backup hot
vrrp-id 1 interface GigabitEthernet0/2/1.1
#
interface GigabitEthernet0/2/1.1
vlan-type dot1q 1
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 180
vrrp vrid 1 preempt-mode timer delay 60
vrrp vrid 1 track interface GigabitEthernet0/2/0 reduced 50
vrrp vrid 1 track bfd-session session-name bfd1 peer
#
interface GigabitEthernet0/2/1.333
ipv6 enable
ipv6 address auto link-local
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
user-vlan 2
remote-backup-profile p1
bas
access-type layer2-subscriber default-domain authentication huawei
authentication-method-ipv6 bind
#
interface LoopBack1
ip address 10.1.2.1 255.255.255.255
#
bfd bfd1 bind peer-ip 10.1.1.2
discriminator local 8
discriminator remote 6
commit
#
ospf 1
import-route direct
area 0.0.0.0
network 10.1.2.1 0.0.0.0
#
return
- BRAS2 configuration file
#
sysname BRAS2
#
ipv6
#
bfd
#
mpls
#
mpls ldp
#
ipv6 prefix prefix1 local
prefix 2013::/64
#
ipv6 pool pool1 bas local
prefix prefix1
#
aaa
domain huawei
authentication-scheme default0
accounting-scheme default0
ipv6-pool pool1
#
remote-backup-service rui
peer 10.1.2.1 source 10.1.2.2 port 6001
protect lsp-tunnel for-all-instance peer-ip 10.1.2.1
track interface GigabitEthernet0/2/0
#
remote-backup-profile p2
service-type bras
backup-id 101 remote-backup-service rui
peer-backup hot
vrrp-id 1 interface GigabitEthernet0/2/1.1
#
interface GigabitEthernet0/2/1.1
vlan-type dot1q 1
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 150
vrrp vrid 1 track interface GigabitEthernet0/2/0 reduced 50
vrrp vrid 1 track bfd-session session-name bfd1 peer
#
Networking Requirements
L2TP tunnels can be used to provide enterprise user access services and wholesale services.
As these services are the major services that operators provide and have high user experience
requirements, L2TP tunnels must support high reliability. L2TP two-node hot backup, in
addition to BRAS user information backup, is required on the master and slave Routers.
On the network shown in Figure 13-6, users access LAC1 and LAC2 through a LAN switch
(LSW). The two LACs run VRRP to determine the master and backup status. Both LACs are
configured so that users go online through the master LAC. Each LAC sets up an L2TP tunnel
with the LNS. L2TP two-node hot backup is configured on LAC1 and LAC2 so that users can
rapidly restore services without re-dialing if a fault occurs on the access or network side.
Figure 13-6 (networking diagram): users reach LAC1 and LAC2 through the LAN switch; VRRP+BFD runs between the LACs on interface1 (10.0.1.1/24 and 10.0.1.2/24); each LAC sets up an L2TP tunnel to the LNS from interface2 (10.0.2.1/24 and 10.0.3.1/24) across the Internet; a backup channel and a protection tunnel run between the loopback interfaces of the two LACs.
Device Name  Interface Name  IP Address
LAC1         GE0/1/0.2       10.0.1.1/24 (IP address of the interface running VRRP)
             GE0/2/0         10.0.2.1/24
             Loopback1       7.7.7.7/32 (source IP address for LAC1 to establish a tunnel)
             Loopback2       8.8.8.8/32 (source IP address for LAC2 to establish a tunnel)
             Loopback3       10.0.0.1/32 (IP address of the data backup channel between LACs)
LAC2         GE0/1/0.2       10.0.1.2/24 (IP address of the interface running VRRP)
             GE0/2/0         10.0.3.1/24
             Loopback1       7.7.7.7/32 (source IP address for LAC1 to establish a tunnel)
             Loopback2       8.8.8.8/32 (source IP address for LAC2 to establish a tunnel)
             Loopback3       10.0.0.2/32 (IP address of the data backup channel between LACs)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure routes to ensure IP connectivity between devices, then configure the route
policy on LAC1 and LAC2. For details, see HUAWEI NE40E-M2 Series Universal
Service Router Configuration Guide - IP Routing.
2. Configure basic user access functions and ensure that the two LACs have the same
configuration. For details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access.
3. Each LAC sets up an L2TP tunnel with the LNS.
4. Establish a multi-node backup platform. Configure an RBS on the network side of the
master and backup Routers (LAC1 and LAC2). LAC1 is the master and LAC2 is the
backup.
5. Configure a VRRP backup group on the access side of two Routers (LAC1 and LAC2)
to determine the master and backup status. Create a BFD session, and configure the
VRRP backup group to track the BFD session.
6. Configure an RBP for backing up BRAS user information and L2TP services, and enable
remote backup service for BRAS user information and L2TP services.
NOTE
The configuration on LAC2 is similar to the configuration on LAC1. The configuration procedure on
LAC1 is used in this example. For details about configurations on LAC2, see the configuration file of
LAC2.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Assign an IP address to each loopback interface and configure a VT interface and a BAS
interface.
<Device> system-view
[Device] sysname LAC1
# Assign an IP address to a loopback interface directly connecting LAC1 to the LNS so that
the route to the loopback interface can be advertised.
[LAC1] interface loopback1
[LAC1-loopback1] ip address 7.7.7.7 32
[LAC1-loopback1] quit
# Assign an IP address to a loopback interface directly connecting LAC1 to LAC2 so that
the route to the loopback interface can be advertised.
[LAC1] interface loopback2
[LAC1-loopback2] ip address 8.8.8.8 32
[LAC1-loopback2] quit
# Configure VT interface 1.
[LAC1] interface virtual-template 1
[LAC1-Virtual-Template1] ppp authentication-mode chap
[LAC1-Virtual-Template1] quit
In the two-node hot backup scenario, run the set l2tp tunnel base-id base-id command on either
LAC to set the base value that the LAC uses to allocate L2TP tunnel IDs. The other LAC uses the
default base value of 0. This setting ensures, to a certain extent, that each tunnel ID is unique on a
single Router.
# Assign an IP address to the network-side interface GE 0/2/0 connecting LAC1 to the LNS so
that the route to the interface can be advertised.
[LAC1] interface gigabitethernet 0/2/0
[LAC1-GigabitEthernet0/2/0] ip address 10.0.2.1 255.255.255.0
[LAC1-GigabitEthernet0/2/0] quit
Step 3 Configure a VRRP backup group on the access side of two Routers (LAC1 and LAC2) to
determine the master and backup status. Create a BFD session, and configure the VRRP
backup group to track the BFD session.
# Configure a VRRP link BFD session to rapidly detect faults in interfaces or links and trigger
a master/backup VRRP switchover.
[LAC1] bfd bfd-acc bind peer-ip 10.0.1.2
[LAC1-bfd-session-bfd-acc] discriminator local 1
[LAC1-bfd-session-bfd-acc] discriminator remote 1
[LAC1-bfd-session-bfd-acc] commit
[LAC1-bfd-session-bfd-acc] quit
[LAC1-bfd-session-bfd-net] commit
[LAC1-bfd-session-bfd-net] quit
# Configure a VRRP backup group on GE 0/1/0.2, and configure the VRRP backup group to
track the BFD session and a network-side interface. Enable the original master VRRP device
to preempt the Master state after 30 minutes.
[LAC1] interface gigabitethernet 0/1/0.2
[LAC1-GigabitEthernet0/1/0.2] vlan-type dot1q 200
[LAC1-GigabitEthernet0/1/0.2] ip address 10.0.1.1 255.255.255.0
[LAC1-GigabitEthernet0/1/0.2] vrrp vrid 1 virtual-ip 10.0.1.100
[LAC1-GigabitEthernet0/1/0.2] admin-vrrp vrid 1
[LAC1-GigabitEthernet0/1/0.2] vrrp vrid 1 priority 120
[LAC1-GigabitEthernet0/1/0.2] vrrp vrid 1 preempt-mode timer delay 1800
[LAC1-GigabitEthernet0/1/0.2] vrrp vrid 1 track bfd-session 1 link
[LAC1-GigabitEthernet0/1/0.2] vrrp vrid 1 track bfd-session 1 peer
[LAC1-GigabitEthernet0/1/0.2] vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
[LAC1-GigabitEthernet0/1/0.2] quit
# Configure an RBS.
[LAC1] remote-backup-service s1
[LAC1-rm-backup-srv-s1] peer 10.0.0.2 source 10.0.0.1 port 4500
[LAC1-rm-backup-srv-s1] quit
# Configure an RBP for backing up BRAS user information and L2TP services.
[LAC1] remote-backup-profile p1
[LAC1-rm-backup-prf-p1] peer-backup hot
[LAC1-rm-backup-prf-p1] vrrp-id 1 interface gigabitethernet 0/1/0.2
[LAC1-rm-backup-prf-p1] backup-id 10 remote-backup-service s1
[LAC1-rm-backup-prf-p1] service-type bras
[LAC1-rm-backup-prf-p1] service-type l2tp
[LAC1-rm-backup-prf-p1] quit
# Bind the RBP to the interface from which users get online.
[LAC1] interface gigabitethernet 0/1/0.1
[LAC1-GigabitEthernet0/1/0.1] remote-backup-profile p1
[LAC1-GigabitEthernet0/1/0.1] quit
After successfully configuring L2TP two-node hot backup, run the display remote-backup-profile
command on each LAC. The RBS type is bras l2tp; LAC1 is in the Master state; LAC2 is in the
Slave state.
<lac1> display remote-backup-profile p1
-----------------------------------------------
Profile-Index : 0x800
Profile-Name : p1
----End
Configuration Files
- Configuration file of LAC1
#
sysname LAC1
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
peer-backup route-cost auto-advertising
#
aaa
local-user a password cipher 1qaz@WSX
local-user a service-type ftp
local-user a ftp-directory cfcard:
local-user b password cipher abcd@EFG
local-user b service-type ftp
local-user c password simple Huawei-123
local-user c service-type ftp
authentication-scheme default1
authentication-mode radius local
#
domain domain1
l2tp-group lac1
radius-server group radius1
authentication-scheme default1
accounting-scheme default1
#
remote-backup-service s1
peer 10.0.0.2 source 10.0.0.1 port 4500
#
remote-backup-profile p1
service-type bras
service-type l2tp
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2
backup-id 10 remote-backup-service s1
#
interface virtual-template 1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/0
speed auto
duplex auto
undo shutdown
ip address 128.3.150.242 255.255.0.0
#
interface GigabitEthernet 0/1/0.1
pppoe-server bind virtual-template 1
user-vlan 1 100
remote-backup-profile p1
#
bas
access-type layer2-subscriber
authentication-method ppp
#
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
vrrp vrid 1 track bfd-session 1 link
vrrp vrid 1 track bfd-session 3 peer
vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
#
interface gigabitethernet 0/2/0
ip address 10.0.2.1 255.255.255.0
quit
#
interface LoopBack1
ip address 7.7.7.7 255.255.255.255
#
interface LoopBack2
ip address 8.8.8.8 255.255.255.255
#
interface LoopBack3
ip address 10.0.0.1 255.255.255.255
#
l2tp enable
l2tp-group lac1
tunnel name lac1
start l2tp ip 3.3.3.3
tunnel authentication
tunnel password simple Huawei-123
tunnel source loopback1 rui
tunnel timer hello 200
#
bfd bfd-net bind peer-ip 10.0.0.2
discriminator local 3
discriminator remote 3
commit
#
ospf 1
preference 100
default cost inherit-metric
import-route direct
area 0.0.0.0
network 10.0.0.0 0.0.0.255
network 10.0.2.0 0.0.0.255
network 10.0.3.0 0.0.0.255
#
- Configuration file of LAC2
#
sysname LAC2
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
peer-backup route-cost auto-advertising
#
aaa
local-user a password cipher rere@ERS
local-user a service-type ftp
local-user a ftp-directory cfcard:
local-user b password cipher oipo@TRT
local-user b service-type ftp
local-user c password simple Huawei-123
local-user c service-type ftp
authentication-scheme default1
authentication-mode radius local
#
domain domain1
l2tp-group lac1
radius-server group radius1
authentication-scheme default1
accounting-scheme default1
#
remote-backup-service s1
peer 10.0.0.1 source 10.0.0.2 port 4500
#
remote-backup-profile p1
service-type bras
service-type l2tp
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2
backup-id 10 remote-backup-service s1
#
interface virtual-template 1
ppp authentication-mode chap
#
interface GigabitEthernet 0/1/0
speed auto
duplex auto
undo shutdown
ip address 128.3.150.241 255.255.0.0
#
interface GigabitEthernet 0/1/0.1
pppoe-server bind virtual-template 1
user-vlan 1 100
remote-backup-profile p1
#
bas
access-type layer2-subscriber
authentication-method ppp
#
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100
admin-vrrp vrid 1
vrrp vrid 1 preempt-mode timer delay 300
vrrp vrid 1 track bfd-session 1 peer
#
interface gigabitethernet 0/2/0
ip address 10.0.2.2 255.255.255.0
quit
#
interface LoopBack1
ip address 7.7.7.7 255.255.255.255
#
interface LoopBack2
ip address 8.8.8.8 255.255.255.255
#
interface LoopBack3
ip address 10.0.0.2 255.255.255.255
#
l2tp enable
l2tp-group lac1
tunnel name lac1
start l2tp ip 3.3.3.3
tunnel authentication
tunnel password simple Huawei-123
tunnel source loopback2 rui
tunnel timer hello 200
#
bfd bfd-net bind peer-ip 10.0.0.1
discriminator local 3
discriminator remote 3
commit
#
ospf 1
default cost inherit-metric
import-route direct
preference 100
area 0.0.0.0
network 10.0.0.0 0.0.0.255
network 10.0.2.0 0.0.0.255
network 10.0.3.0 0.0.0.255
#
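The roadmap above requires LAC1 and LAC2 to carry mirrored hot-backup settings, and the two configuration files also show secrets kept in cleartext (password simple, an unencrypted RADIUS shared-key). The Python script below is an added example, not part of this guide or of any Huawei tool: it parses constructed configuration snippets modeled on the LAC1/LAC2 files, checks that the RBS peer/source, backup-id, VRRP and BFD settings mirror each other, verifies that every BFD session tracked by VRRP is actually defined, and flags cleartext secrets. It assumes the VRRP default priority of 100 when no priority line is present.

```python
"""Added example (not Huawei's own tooling): parse the hot-backup settings from two
VRP-style configuration files, check that the pair mirrors each other, and flag
secrets stored in cleartext ('password simple', unencrypted 'shared-key')."""
import re

# Constructed sample configurations, modeled on the LAC1/LAC2 files in this section.
LAC1_CFG = """\
sysname LAC1
 radius-server shared-key itellin
 local-user c password simple Huawei-123
remote-backup-service s1
 peer 10.0.0.2 source 10.0.0.1 port 4500
 backup-id 10 remote-backup-service s1
interface gigabitethernet 0/1/0.2
 vrrp vrid 1 virtual-ip 10.0.1.100
 vrrp vrid 1 priority 120
 vrrp vrid 1 track bfd-session 1 link
bfd bfd-net bind peer-ip 10.0.0.2
 discriminator local 3
 discriminator remote 3
"""
LAC2_CFG = """\
sysname LAC2
remote-backup-service s1
 peer 10.0.0.1 source 10.0.0.2 port 4500
 backup-id 10 remote-backup-service s1
interface gigabitethernet 0/1/0.2
 vrrp vrid 1 virtual-ip 10.0.1.100
bfd bfd-net bind peer-ip 10.0.0.1
 discriminator local 3
 discriminator remote 3
"""

RE = {k: re.compile(p) for k, p in {
    "sysname": r"^\s*sysname (\S+)",
    "rbs": r"^\s*remote-backup-service (\S+)",
    "peer": r"^\s*peer (\S+) source (\S+) port (\d+)",
    "backup_id": r"^\s*backup-id (\d+) remote-backup-service (\S+)",
    "vip": r"^\s*vrrp vrid (\d+) virtual-ip (\S+)",
    "prio": r"^\s*vrrp vrid (\d+) priority (\d+)",
    "track": r"^\s*vrrp vrid (\d+) track bfd-session (\d+)",
    "bfd": r"^\s*bfd (\S+) bind peer-ip (\S+)",
    "disc": r"^\s*discriminator (local|remote) (\d+)",
}.items()}
# Cleartext forms: 'password simple <pw>' and a shared-key without the 'cipher' keyword.
SECRET = re.compile(r"password simple |shared-key (?!cipher)")

def parse_config(text):
    # Collect sysname, RBS, backup-id, VRRP groups, BFD sessions and cleartext-secret lines.
    cfg = {"sysname": "?", "rbs": {}, "backup_id": None, "vrrp": {}, "bfd": {},
           "tracked": [], "cleartext": []}
    rbs = bfd = None  # block currently being parsed
    for line in text.splitlines():
        if m := RE["sysname"].match(line):
            cfg["sysname"] = m[1]
        elif m := RE["rbs"].match(line):
            rbs = cfg["rbs"].setdefault(m[1], {})
        elif (m := RE["peer"].match(line)) and rbs is not None:
            rbs.update(peer=m[1], source=m[2], port=int(m[3]))
        elif m := RE["backup_id"].match(line):
            cfg["backup_id"] = (int(m[1]), m[2])
        elif m := RE["vip"].match(line):  # 100 is the VRRP default priority (assumed)
            cfg["vrrp"].setdefault(m[1], {"priority": 100})["vip"] = m[2]
        elif m := RE["prio"].match(line):
            cfg["vrrp"].setdefault(m[1], {"vip": None})["priority"] = int(m[2])
        elif m := RE["track"].match(line):
            cfg["tracked"].append(int(m[2]))
        elif m := RE["bfd"].match(line):
            bfd = cfg["bfd"].setdefault(m[1], {"peer_ip": m[2]})
        elif (m := RE["disc"].match(line)) and bfd is not None:
            bfd[m[1]] = int(m[2])
        if SECRET.search(line):
            cfg["cleartext"].append(line.strip())
    return cfg

def check_pair(a, b):
    # Return mismatches that would break the hot-backup pair, plus secret-hygiene findings.
    na, nb, out = a["sysname"], b["sysname"], []
    for name, ra in a["rbs"].items():
        rb = b["rbs"].get(name)
        # The peer's source must be our peer address and vice versa, on the same port.
        if rb is None or (ra.get("peer"), ra.get("source"), ra.get("port")) != \
                (rb.get("source"), rb.get("peer"), rb.get("port")):
            out.append(f"RBS {name}: missing on {nb} or peer/source/port not mirrored")
    if a["backup_id"] != b["backup_id"]:
        out.append(f"backup-id differs ({a['backup_id']} vs {b['backup_id']}); the pair must share one")
    for vrid, va in a["vrrp"].items():
        vb = b["vrrp"].get(vrid)
        if vb is None or va["vip"] != vb["vip"]:
            out.append(f"VRRP vrid {vrid}: missing on {nb} or virtual IP differs")
        elif va["priority"] == vb["priority"]:  # master is then not chosen by priority
            out.append(f"VRRP vrid {vrid}: equal priority {va['priority']} on both devices")
    for name, sa in a["bfd"].items():
        sb = b["bfd"].get(name)
        if sb is None or (sa.get("local"), sa.get("remote")) != (sb.get("remote"), sb.get("local")):
            out.append(f"BFD {name}: missing on {nb} or discriminators not swapped on the peer")
    for dev in (a, b):
        local = {s.get("local") for s in dev["bfd"].values()}
        for disc in dev["tracked"]:
            if disc not in local:
                out.append(f"{dev['sysname']}: tracks bfd-session {disc} but no session has local discriminator {disc}")
        for line in dev["cleartext"]:
            out.append(f"{dev['sysname']}: cleartext secret in configuration: {line}")
    return out
```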
Usage Scenario
With the rapid development of IP technologies, various value-added services are widely used
on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers'
leased line, and VPN interconnection, have high requirements for IP network reliability. IP
network reliability for carrier-class services includes device, link, and network reliability. On
a bearer network, the availability of a network device is required to reach 99.999%; that is, the
device downtime in a year must be less than 5 minutes. High reliability is a basic requirement
for carrier-class devices and must be considered by telecom carriers during network
construction.
The NE40E functions as an edge router that carries multiple services. It is connected to a core
network to implement Layer 3 routing functions and to the aggregation layer to terminate
Layer 2 user packets for user access. The NE40E can carry multiple services, such as triple
play services (HSI, VoIP, and IPTV). Therefore, the NE40E must have high reliability. The
NE40E provides service-level high-reliability technologies. Non-stop data flow forwarding
does not by itself mean that user services are not interrupted: if a network node or link fails, user
traffic is switched to a backup device, but if user information has not been synchronized to the
backup device, user services are still interrupted. High reliability was considered when the
NE40E was designed to function as a network edge service aggregation and control device,
which ensures that users' HSI, IPTV, and VoIP services are not interrupted if a network node
or link fault occurs. RUI is designed to meet the preceding reliability requirements.
Solution Limitations
l An exclusive address pool is an address pool or address segment exclusively used by a
backup group or link. Generally, an exclusive address pool is used for services that can
be assigned private IP addresses, such as VoIP services. This address pool is not
recommended for services that use public IP addresses, such as HSI services, because IP
address resources are wasted.
l In exclusive address pool mode, the master and backup devices cannot advertise the
same network segment route. Advertising the same network segment route will cause
load balancing on the upstream CRs and network-to-user traffic forwarding errors.
Networking Requirements
Carriers can divide the networks that users access into different subnets based on traffic
destination addresses. When users access different subnets, different rate limits and
accounting policies are applied to them. EDSG implements subnet division, rate limiting, and
accounting management on NE40Es. As the applications that users access become more diverse,
high reliability is required for EDSG services. To meet this requirement, deploy RUI so that
EDSG service traffic is smoothly switched to the backup device if the master device fails.
RUI keeps traffic accounting correct without requiring users to re-dial.
On the network shown in Figure 13-7, the user goes online from Device A (master device)
through PPPoE dialup. Device A and Device B implement RUI over VRRP and BFD. Device
A backs up EDSG services to Device B (backup device). If Device A fails, service traffic is
switched to Device B. Traffic statistics on Device A and Device B remain consistent.
Figure 13-7 Example for configuring RUI+EDSG in exclusive address pool mode
NOTE
Interface 1 and interface 2 in this example are GE0/1/0 and GE0/2/0, respectively.
Figure 13-7 (networking diagram): the AAA server and VOD server sit behind DeviceC; Device A and Device B connect to DeviceC on interface2 and run VRRP+BFD on interface1 toward the switch, backing up EDSG services between them. Device A: GE0/2/0 10.0.0.1/24, Loopback 1 22.22.22.22/32. Device B: GE0/2/0 10.2.0.1/24, Loopback 1 88.88.88.88/32.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic user access functions and ensure that the two NE40Es have the same
configuration. For details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access.
2. Configure routes to ensure IP connectivity between devices. For details, see HUAWEI
NE40E-M2 Series Universal Service Router Configuration Guide - IP Routing.
3. Establish a dual-device backup platform.
4. Configure NAS parameters and the interval at which traffic is backed up or the traffic
threshold.
5. Configure IP address pool binding.
6. Bind an RBP to an interface from which the user goes online.
7. Configure EDSG services on Device A and Device B. For details, see HUAWEI NE40E-
M2 Series Universal Service Router Multiservice Control Gateway Configuration Guide
- Value-added Service.
NOTE
The configuration on Device A is used in this example. The configuration on Device B is similar to that
on Device A.
Data Preparation
To complete the configuration, you need the following data:
- VRRP ID
- BFD parameters, such as the local and remote discriminators and expected minimum intervals at which BFD control packets are sent and received
- IP addresses of interfaces on Device A and Device B
- Backup ID, which works together with an RBS to identify an RBP to which the user belongs
- EDSG-related parameters
Procedure
Step 1 Establish a dual-device backup platform. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
NOTE
In this example, only RUI-related configurations are described. For other configurations, see the
corresponding configuration guide.
# Configure a BFD session on the access side to rapidly detect faults in interfaces or links and
trigger a master/backup VRRP switchover. 10.0.1.2 is the IP address of GE 0/1/0.2 on Device
B.
[~DeviceA] bfd
[*DeviceA-bfd] quit
[*DeviceA] bfd bfd bind peer-ip 10.0.1.2
[*DeviceA-bfd-session-bfd] discriminator local 1
[*DeviceA-bfd-session-bfd] discriminator remote 2
[*DeviceA-bfd-session-bfd] commit
[~DeviceA-bfd-session-bfd] quit
# Configure a VRRP backup group on GE 0/1/0.2, and configure the VRRP backup group to
track the BFD session and network-side interface.
[~DeviceA] interface gigabitethernet 0/1/0.2
NOTE
Different priorities must be configured for devices in a VRRP backup group. The device with a high
priority is the master device.
# Configure an RBS.
[~DeviceA] remote-backup-service service1
[*DeviceA-rm-backup-srv-service1] peer 88.88.88.88 source 22.22.22.22 port 2046
[*DeviceA-rm-backup-srv-service1] track interface gigabitethernet 0/2/0
[*DeviceA-rm-backup-srv-service1] commit
[~DeviceA-rm-backup-srv-service1] quit
NOTE
Ensure that the master and backup devices can ping each other.
Run the track bfd-session command in the RBS view to monitor the peer BFD sessions that are
established on the network side on Device A and Device B, rapidly monitoring the peer status. For
configuration details, see track bfd-session in HUAWEI NE40E-M2 Series Universal Service Router
Command Reference - Reliability.
# Configure an RBP.
[~DeviceA] remote-backup-profile profile1
[*DeviceA-rm-backup-prf-profile1] peer-backup hot
[*DeviceA-rm-backup-prf-profile1] vrrp-id 1 interface gigabitethernet 0/1/0.2
[*DeviceA-rm-backup-prf-profile1] backup-id 10 remote-backup-service service1
[*DeviceA-rm-backup-prf-profile1] service-type bras
[*DeviceA-rm-backup-prf-profile1] commit
[~DeviceA-rm-backup-prf-profile1] quit
Step 2 Configure NAS parameters and an interval at which traffic information is backed up. The
configuration on Device A is used in this example. The configuration on Device B is similar
to that on Device A.
Step 3 Configure IP address pool binding. The configuration on Device A is used in this example.
The configuration on Device B is similar to that on Device A.
[~DeviceA] remote-backup-profile profile1
[*DeviceA-rm-backup-prf-profile1] ip-pool pool1
[*DeviceA-rm-backup-prf-profile1] commit
NOTE
The bound address pool named pool1 has been configured using the ip pool command in the AAA
domain view.
Step 4 Bind the RBP to GE 0/1/0.1 from which users go online. The configuration on Device A is used
in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface gigabitethernet 0/1/0.1
[*DeviceA-GigabitEthernet0/1/0.1] remote-backup-profile profile1
[*DeviceA-GigabitEthernet0/1/0.1] commit
[~DeviceA-GigabitEthernet0/1/0.1] quit
NOTE
For details about how to configure a RADIUS server group, see Configuring a RADIUS Server
in HUAWEI NE40E-M2 Series Configuration Guide - User Access.
3. Configure an EDSG traffic policy.
a. Create service groups.
# Create a service group named s_1m.
[~DeviceA] service-group s_1m
NOTE
You must run the service-group command to create service groups regardless of whether the
NE40E obtains an EDSG service policy from local configurations or a RADIUS server.
b. Configure an ACL and define ACL rules for each service group.
# Configure ACL 6020 and define ACL rules for the service group named s_1m.
[~DeviceA] acl number 6020
[*DeviceA-acl-ucl-6020] rule 10 permit ip source service-group s_1m
destination ip-address 192.168.100.0 0.0.0.255
[*DeviceA-acl-ucl-6020] rule 20 permit ip source ip-address
192.168.100.0 0.0.0.255 destination service-group s_1m
[*DeviceA-acl-ucl-6020] commit
[~DeviceA-acl-ucl-6020] quit
# Configure ACL 6021 and define ACL rules for the service group named s_2m.
# Configure an AAA accounting scheme named acct1 and specify RADIUS accounting
as the accounting mode.
[~DeviceA-aaa] accounting-scheme acct1
[*DeviceA-aaa-accounting-acct1] accounting-mode radius
[*DeviceA-aaa-accounting-acct1] quit
[*DeviceA-aaa] commit
[~DeviceA-aaa] quit
# Set the bandwidth for uplink traffic rate limit for service_edsg1 to 1 Mbit/s.
[*DeviceA-service-policy-service_edsg1] rate-limit cir 1000 inbound
# Set the bandwidth for downlink traffic rate limit for service_edsg1 to 1 Mbit/s.
[*DeviceA-service-policy-service_edsg1] rate-limit cir 1000 outbound
[*DeviceA-service-policy-service_edsg1] commit
[~DeviceA-service-policy-service_edsg1] quit
# Set the bandwidth for uplink traffic rate limit for service_edsg2 to 2 Mbit/s.
[*DeviceA-service-policy-service_edsg2] rate-limit cir 2000 inbound
# Set the bandwidth for downlink traffic rate limit for service_edsg2 to 2 Mbit/s.
[*DeviceA-service-policy-service_edsg2] rate-limit cir 2000 outbound
[*DeviceA-service-policy-service_edsg2] commit
[~DeviceA-service-policy-service_edsg2] quit
7. Bind the local address pool and RADIUS server group to an AAA domain.
# Bind edsg_pool and rad_group1 to an AAA domain.
[~DeviceA] aaa
[*DeviceA-aaa] domain domain1
[*DeviceA-aaa-domain-domain1] ip-pool edsg_pool
[*DeviceA-aaa-domain-domain1] radius-server group rad_group1
[*DeviceA-aaa-domain-domain1] quit
[*DeviceA-aaa] commit
[~DeviceA-aaa] quit
# Configure a password used for the NE40E to apply for an EDSG service quota
from the RADIUS server group.
[~DeviceA] prepaid-profile prepaid1
[*DeviceA-prepaid-profile-prepaid1] password cipher huawei@123
# Set the time threshold for the NE40E to reapply for a time quota for EDSG
services from the RADIUS server to 60s.
[*DeviceA-prepaid-profile-prepaid1] threshold time 60 seconds
# Set the traffic volume threshold for the NE40E to reapply for a traffic volume
quota for EDSG services from the RADIUS server to 10 Mbytes.
[*DeviceA-prepaid-profile-prepaid1] threshold volume 10 mbytes
[*DeviceA-prepaid-profile-prepaid1] commit
[~DeviceA-prepaid-profile-prepaid1] quit
# Configure a password used for the NE40E to apply for an EDSG service quota
from the RADIUS server group.
[~DeviceA] prepaid-profile prepaid2
[*DeviceA-prepaid-profile-prepaid2] password cipher huawei@123
# Set the time threshold for the NE40E to reapply for a time quota for EDSG
services from the RADIUS server to 300s.
[*DeviceA-prepaid-profile-prepaid2] threshold time 300 seconds
# Set the traffic volume threshold for the NE40E to reapply for a traffic volume
quota for EDSG services from the RADIUS server to 20 Mbytes.
[*DeviceA-prepaid-profile-prepaid2] threshold volume 20 mbytes
[*DeviceA-prepaid-profile-prepaid2] commit
[~DeviceA-prepaid-profile-prepaid2] quit
9. Configure interfaces.
a. Create a virtual template.
[~DeviceA] interface Virtual-Template 1
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit
d. Configure the interface connected to the policy server, AAA server, and portal
server.
[~DeviceA] interface GigabitEthernet0/1/1
[*DeviceA-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1] commit
[~DeviceA-GigabitEthernet0/1/1] quit
# Configure the AAA server to deliver the RADIUS attribute User-Password with a
value of huawei@123 for the PPPoE users (users 1 and 2).
NOTE
The shared key configured for a RADIUS server group determines the content of the User-
Password attribute.
NOTE
The content of the HW-Account-Info attribute starts with "A" followed by a service name. This
attribute is used in user authentication response packets to deliver EDSG services that
automatically take effect (directly activated after delivery).
After successfully configuring the RBS, run the display remote-backup-service command.
The TCP connection is in the Connected state.
<DeviceA> display remote-backup-service service1
----------------------------------------------------------
Service-Index : 0
Service-Name : service1
TCP-State : Connected
Peer-ip : 88.88.88.88
Source-ip : 22.22.22.22
TCP-Port : 2046
Track-BFD : --
Track-interface0 : GigabitEthernet0/2/0
Track-interface1 : --
Last up time : 2016-06-02 16:15:8
Last down time : 2016-06-02 16:3:36
Last down reason : TCP closed for packet error.
--------------------------------------------------------
After users go online, run the display backup-user command to view user information that is
backed up.
<DeviceA> display backup-user
Remote-backup-service: service1
Total Users Number: 10
------------------------------------------------------------------------
100 101 102 103 104 105 106 107 108 109
------------------------------------------------------------------------
Run the display access-user interface command to view online user information on a
specified interface.
----End
Configuration Files
Device A configuration file
#
sysname DeviceA
#
ip pool pool1 bas local
authentication-scheme auth1
authentication-scheme radius
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool
radius-server group rad_group1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020
#
traffic classifier c2 operator or
if-match acl 6021
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1
classifier c2 behavior b2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
aaa
authentication-scheme auth1
#
accounting-scheme acct1
#
#
http-redirect-profile http_redirect_profile
web-server url http://www.sample.com
web-server mode post
#
prepaid-profile prepaid1
password cipher huawei@123
authentication-scheme auth1
accounting-scheme acct1
radius-server group rad_group1
threshold time 60 seconds
threshold volume 10 mbytes
#
prepaid-profile prepaid2
password cipher huawei@123
authentication-scheme auth1
accounting-scheme acct1
radius-server group rad_group1
threshold time 300 seconds
threshold volume 20 mbytes
quota-out redirect http_redirect_profile
#
service-policy download local radius rad_group1 password cipher huawei@123
#
service-policy name service_edsg1 edsg
radius-server group rad_group1
service-group s_1m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 1000 inbound
rate-limit cir 1000 outbound
prepaid-profile prepaid1
#
service-policy name service_edsg2 edsg
radius-server group rad_group1
service-group s_2m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 2000 inbound
rate-limit cir 2000 outbound
prepaid-profile prepaid2
#
interface GigabitEthernet0/1/2.1
user-vlan 1000 2000
user-vlan 1 1000 qinq 100
bas
#
access-type layer2-subscriber default-domain pre-authentication domain1
authentication-method ppp web
#
return
Usage Scenario
With the rapid development of IP technologies, various value-added services are widely used
on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers'
leased line, and VPN interconnection, have high requirements for IP network reliability. IP
network reliability for carrier-class services includes device, link, and network reliability. On
a bearer network, the availability of a network device is required to reach 99.999%; that is, the
device downtime in a year must be less than 5 minutes. High reliability is a basic requirement
for carrier-class devices and must be considered by telecom carriers during network
construction.
The NE40E functions as an edge router that carries multiple services. It is connected to a core
network to implement Layer 3 routing functions and to the aggregation layer to terminate
Layer 2 user packets for user access. The NE40E can carry multiple services, such as triple
play services (HSI, VoIP, and IPTV). Therefore, the NE40E must have high reliability. The
NE40E provides service-level high-reliability technologies. Non-stop data flow forwarding
does not mean that user services are not interrupted. If a network node or link fails, user
traffic is switched to a backup device. If user information is not synchronized to a backup
device, user services are still interrupted. High reliability has been considered when the
NE40E is designed to function as a network edge service aggregation and control device,
which ensures that users' HSI, IPTV, and VoIP services are not interrupted if a network node
or link fault occurs. RUI is designed to meet the preceding reliability requirements.
Solution Limitations
l In shared address pool mode, an address pool (an IP network segment) is planned based
on services. A service (for example, Internet access or VoIP service) corresponds to a
domain's configuration. If terminals that go online through different access links have a
service (for example, Internet access service), the terminals share address pool resources
in a domain. This mode is called multi-link address pool sharing.
l During the actual deployment, planning address pools based on links is difficult, because
the number of public addresses is limited and dividing address pools causes address
resource waste. Address pools can be divided based on authentication domains, which
allows an address pool on the NE40E to be shared between links or backup groups. In
this situation, forwarding control cannot be performed by advertising or withdrawing a
network segment route of an address pool. To implement forwarding control, using a
shared address pool and tunnel protection is recommended.
Networking Requirements
Carriers can divide networks accessed by users into different subnets based on traffic
destination addresses. When different users access the subnets, different rate limit and
accounting are performed for the users. EDSG implements subnet division, rate limit, and
accounting management on NE40Es. As applications accessed by users become diversified,
high reliability is required for EDSG services. To meet this requirement, deploy RUI so that
EDSG service traffic is smoothly switched to the backup device if the master device fails.
RUI ensures normal traffic accounting without the need of users' re-dialup.
On the network shown in Figure 13-8, the user goes online from Device A (master device)
through PPPoE dialup. Device A and Device B implement RUI over VRRP and BFD. Device
A backs up EDSG services to Device B (backup device). If Device A fails, service traffic is
switched to Device B. Traffic statistics on Device A and Device B remain consistent.
Figure 13-8 Example for configuring RUI+EDSG in shared address pool mode
NOTE
Interface 1, interface 2, and interface 3 in this example are GE0/1/0, GE0/2/0, and GE0/3/0, respectively.
[Figure 13-8 (diagram): DeviceA and DeviceB, running VRRP+BFD, each connect through interface1 to the user-side Switch, through interface2 to DeviceC (behind which sit the AAA Server and VOD Server), and through interface3 to each other for EDSG service backup.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic user access functions and ensure that the two NE40Es have the same
configuration. For details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access.
2. Configure routes to ensure IP connectivity between devices. For details, see HUAWEI
NE40E-M2 Series Universal Service Router Configuration Guide - IP Routing.
3. Establish a dual-device backup platform.
4. Configure an RBS, address pool, and RBP.
5. Configure a protection path for returned network-side traffic.
6. Bind an RBP to an interface from which the user goes online.
7. Configure EDSG services on Device A and Device B. For details, see HUAWEI NE40E-
M2 Series Universal Service Router Multiservice Control Gateway Configuration Guide
- Value-added Service.
Data Preparation
To complete the configuration, you need the following data:
l VRRP ID
l IP address of each interface on Routers that back up each other
l Backup ID, which works together with an RBS to identify an RBP to which the user
belongs
l Name of a hybrid address pool
l EDSG-related parameters
Procedure
Step 1 Establish a dual-device backup platform. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
# Configure a BFD session on the access side to rapidly detect faults in interfaces or links and
trigger a master/backup VRRP switchover. 10.0.1.2 is the IP address of GE 0/1/0.2 on Device
B.
[~DeviceA] bfd
[*DeviceA-bfd] commit
[~DeviceA-bfd] quit
[~DeviceA] bfd bfd bind peer-ip 10.0.1.2
[*DeviceA-bfd-session-bfd] discriminator local 1
[*DeviceA-bfd-session-bfd] discriminator remote 2
[*DeviceA-bfd-session-bfd] commit
[~DeviceA-bfd-session-bfd] quit
# Configure a VRRP backup group on GE 0/1/0.2, and configure the VRRP backup group to
track the BFD session and network-side interface.
[~DeviceA] interface gigabitethernet 0/1/0.2
[*DeviceA-GigabitEthernet0/1/0.2] vlan-type dot1q 200
[*DeviceA-GigabitEthernet0/1/0.2] ip address 10.0.1.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 virtual-ip 10.0.1.100
[*DeviceA-GigabitEthernet0/1/0.2] admin-vrrp vrid 1
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 priority 120
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 preempt-mode timer delay 600
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 track bfd-session 1 peer
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
[*DeviceA-GigabitEthernet0/1/0.2] commit
[~DeviceA-GigabitEthernet0/1/0.2] quit
NOTE
Different priorities must be configured for devices in a VRRP backup group. The device with a high
priority is the master device.
NOTE
Run the track bfd-session command in the RBS view so that the RBS tracks the BFD session
established between Device A and Device B on the network side and detects a peer failure
rapidly. For configuration details, see track bfd-session in HUAWEI NE40E-M2 Series
Universal Service Router Command Reference - Reliability.
Step 2 Configure address pools. Configure a local address pool named hsi and a backup address
pool named hsi-main-bak (an RUI-slave pool that mirrors Device B's local pool) on Device A
(master device).
[*DeviceA] ip pool hsi bas local
[*DeviceA-ip-pool-hsi] gateway 1.1.1.1 24
[*DeviceA-ip-pool-hsi] section 0 1.1.1.2 1.1.1.254
[*DeviceA-ip-pool-hsi] commit
[~DeviceA-ip-pool-hsi] quit
[*DeviceA] ip pool hsi-main-bak bas local rui-slave
[*DeviceA-ip-pool-hsi-main-bak] gateway 2.2.2.2 24
[*DeviceA-ip-pool-hsi-main-bak] section 0 2.2.2.3 2.2.2.254
[*DeviceA-ip-pool-hsi-main-bak] commit
[~DeviceA-ip-pool-hsi-main-bak] quit
# Configure an address pool named hsi-main on Device B and configure it as a local address
pool.
[*DeviceB] ip pool hsi-main bas local
[*DeviceB-ip-pool-hsi-main] gateway 2.2.2.2 24
[*DeviceB-ip-pool-hsi-main] section 0 2.2.2.3 2.2.2.254
[*DeviceB-ip-pool-hsi-main] commit
[~DeviceB-ip-pool-hsi-main] quit
# Configure a backup address pool named hsi-bak and configure it as an RUI-slave address
pool.
[*DeviceB] ip pool hsi-bak bas local rui-slave
[*DeviceB-ip-pool-hsi-bak] gateway 1.1.1.1 24
[*DeviceB-ip-pool-hsi-bak] section 0 1.1.1.2 1.1.1.254
[*DeviceB-ip-pool-hsi-bak] commit
[~DeviceB-ip-pool-hsi-bak] quit
Step 3 Configure an RBS, bind the configured address pools to it, and configure a protection
path for returned network-side traffic. The peer and source addresses and the TCP port must
mirror the values configured on Device B (see the Device B configuration file).
[*DeviceA] remote-backup-service service1
[*DeviceA-rm-backup-srv-service1] peer 88.88.88.88 source 22.22.22.22 port 2046
[*DeviceA-rm-backup-srv-service1] track interface gigabitethernet 0/2/0
[*DeviceA-rm-backup-srv-service1] ip-pool hsi
[*DeviceA-rm-backup-srv-service1] ip-pool hsi-bak
[*DeviceA-rm-backup-srv-service1] protect redirect ip-nexthop 10.1.1.7 interface
gigabitethernet 0/3/0
[*DeviceA-rm-backup-srv-service1] commit
[~DeviceA-rm-backup-srv-service1] quit
Step 4 Bind the RBP to GE 0/1/0.1 from which users go online. The configuration on Device A is
used in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface gigabitethernet 0/1/0.1
[*DeviceA-GigabitEthernet0/1/0.1] remote-backup-profile profile1
[*DeviceA-GigabitEthernet0/1/0.1] commit
[~DeviceA-GigabitEthernet0/1/0.1] quit
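The dual-device platform built in Steps 1 to 4 only works if the two configurations mirror each other: the BFD discriminators must cross, the VRRP group must use the same VRID and virtual IP address on both devices but different priorities, the RBS peer and source addresses must be reversed between the two sides, and every RUI-slave pool must mirror a local pool on the peer. The following Python script is an added example (not Huawei code; the NE40E has no such checker) that parses the RUI-relevant lines from two saved configuration files and reports any of those invariants that fail. The two sample configurations are constructed from the values used in this example; Device A's RBS peer/source line is an assumption derived from the display remote-backup-service output, since the page shows that line only for Device B.

```python
import re

# Constructed sample configurations based on the values in this example. Device A's
# RBS peer/source line is an assumption derived from the display remote-backup-service
# output; the page itself shows that line only for Device B.
DEVICE_A = """\
bfd bfd bind peer-ip 10.0.1.2
 discriminator local 1
 discriminator remote 2
#
interface gigabitethernet 0/1/0.2
 ip address 10.0.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.1.100
 vrrp vrid 1 priority 120
#
ip pool hsi bas local
 gateway 1.1.1.1 255.255.255.0
#
ip pool hsi-main-bak bas local rui-slave
 gateway 2.2.2.2 255.255.255.0
#
remote-backup-service service1
 peer 88.88.88.88 source 22.22.22.22 port 2046
#
"""
DEVICE_B = """\
bfd bfd bind peer-ip 10.0.1.1
 discriminator local 2
 discriminator remote 1
#
interface gigabitethernet 0/1/0.2
 ip address 10.0.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.1.100
#
ip pool hsi-main bas local
 gateway 2.2.2.2 255.255.255.0
#
ip pool hsi-bak bas local rui-slave
 gateway 1.1.1.1 255.255.255.0
#
remote-backup-service service1
 peer 22.22.22.22 source 88.88.88.88 port 2046
#
"""


def parse_config(text):
    """Extract the RUI-relevant settings from a VRP-style configuration file."""
    cfg = {"bfd": {}, "vrrp": {}, "rbs": {}, "pools": {}, "if_ips": {}}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":            # '#' separates configuration blocks
            ctx = None
        elif m := re.match(r"bfd \S+ bind peer-ip (\S+)", line):
            ctx, cfg["bfd"]["peer_ip"] = ("bfd",), m.group(1)
        elif m := re.match(r"interface (.+)", line):
            ctx = ("if", m.group(1).replace(" ", "").lower())
        elif m := re.match(r"ip pool (\S+) bas local( rui-slave)?", line):
            ctx = ("pool", m.group(1))
            cfg["pools"][m.group(1)] = {"slave": bool(m.group(2)), "gateway": None}
        elif re.match(r"remote-backup-service \S+", line):
            ctx = ("rbs",)
        elif ctx is None:
            continue
        elif ctx[0] == "bfd" and (m := re.match(r"discriminator (local|remote) (\d+)", line)):
            cfg["bfd"][m.group(1)] = int(m.group(2))
        elif ctx[0] == "if" and (m := re.match(r"ip address (\S+) \S+", line)):
            cfg["if_ips"][ctx[1]] = m.group(1)
        elif ctx[0] == "if" and (m := re.match(r"vrrp vrid (\d+) (virtual-ip|priority) (\S+)", line)):
            grp = cfg["vrrp"].setdefault(int(m.group(1)), {"virtual_ip": None, "priority": 100})
            if m.group(2) == "virtual-ip":
                grp["virtual_ip"] = m.group(3)
            else:
                grp["priority"] = int(m.group(3))    # default VRRP priority is 100
        elif ctx[0] == "pool" and (m := re.match(r"gateway (\S+) \S+", line)):
            cfg["pools"][ctx[1]]["gateway"] = m.group(1)
        elif ctx[0] == "rbs" and (m := re.match(r"peer (\S+) source (\S+) port (\d+)", line)):
            cfg["rbs"] = {"peer": m.group(1), "source": m.group(2), "port": int(m.group(3))}
    return cfg


def check_pair(a, b):
    """Return the list of pairing invariants that fail (empty list = consistent)."""
    problems = []
    # BFD: local/remote discriminators must cross, and each peer-ip must be an
    # address configured on the other device.
    if a["bfd"].get("local") != b["bfd"].get("remote") or b["bfd"].get("local") != a["bfd"].get("remote"):
        problems.append("BFD discriminators do not cross-match")
    if a["bfd"].get("peer_ip") not in b["if_ips"].values() or b["bfd"].get("peer_ip") not in a["if_ips"].values():
        problems.append("BFD peer-ip is not an interface address on the other device")
    # VRRP: same VRID and virtual IP on both sides, different priorities (see the NOTE above).
    for vrid, va in a["vrrp"].items():
        vb = b["vrrp"].get(vrid)
        if vb is None or vb["virtual_ip"] != va["virtual_ip"]:
            problems.append(f"VRRP vrid {vrid}: group missing on peer or virtual-ip differs")
        elif vb["priority"] == va["priority"]:
            problems.append(f"VRRP vrid {vrid}: both devices use priority {va['priority']}")
    # RBS: peer and source must be swapped between the two sides, port identical.
    if not a["rbs"] or not b["rbs"]:
        problems.append("remote-backup-service peer/source not configured on both devices")
    elif (a["rbs"]["peer"], a["rbs"]["source"], a["rbs"]["port"]) != (b["rbs"]["source"], b["rbs"]["peer"], b["rbs"]["port"]):
        problems.append("remote-backup-service peer/source/port are not mirrored")
    # Pools: every rui-slave pool must mirror a local pool on the peer (matched by gateway).
    for x, y, label in ((a, b, "Device A"), (b, a, "Device B")):
        local_gws = {p["gateway"] for p in y["pools"].values() if not p["slave"]}
        for name, p in x["pools"].items():
            if p["slave"] and p["gateway"] not in local_gws:
                problems.append(f"{label}: rui-slave pool {name} has no local counterpart on the peer")
    return problems


if __name__ == "__main__":
    for line in check_pair(parse_config(DEVICE_A), parse_config(DEVICE_B)) or ["pair is consistent"]:
        print(line)
```

Run it against the saved configuration of each device before the backup channel is brought up. It deliberately does not compare the RADIUS shared key or the prepaid-profile password, because saved configurations show those only in cipher form and the ciphertext differs per device; those values have to be checked by other means.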
NOTE
For details about how to configure a RADIUS server group, see Configuring a RADIUS Server
in HUAWEI NE40E-M2 Series Configuration Guide - User Access.
3. Configure an EDSG traffic policy.
a. Create service groups.
# Create a service group named s_1m.
[~DeviceA] service-group s_1m
NOTE
You must run the service-group command to create service groups regardless of whether the
NE40E obtains an EDSG service policy from local configurations or a RADIUS server.
b. Configure an ACL and define ACL rules for each service group.
# Configure ACL 6020 and define ACL rules for the service group named s_1m.
[~DeviceA] acl number 6020
[*DeviceA-acl-ucl-6020] rule 10 permit ip source service-group s_1m
destination ip-address 192.168.100.0 0.0.0.255
[*DeviceA-acl-ucl-6020] rule 20 permit ip source ip-address
192.168.100.0 0.0.0.255 destination service-group s_1m
[*DeviceA-acl-ucl-6020] commit
[~DeviceA-acl-ucl-6020] quit
# Configure ACL 6021 and define ACL rules for the service group named s_2m.
[~DeviceA] acl number 6021
[*DeviceA-acl-ucl-6021] rule 15 permit ip source service-group s_2m
destination ip-address 192.168.200.0 0.0.0.255
[*DeviceA-acl-ucl-6021] rule 25 permit ip source ip-address
192.168.200.0 0.0.0.255 destination service-group s_2m
[*DeviceA-acl-ucl-6021] commit
[~DeviceA-acl-ucl-6021] quit
# Configure an AAA accounting scheme named acct1 and specify RADIUS accounting
as the accounting mode.
[~DeviceA-aaa] accounting-scheme acct1
[*DeviceA-aaa-accounting-acct1] accounting-mode radius
[*DeviceA-aaa-accounting-acct1] quit
[*DeviceA-aaa] commit
[~DeviceA-aaa] quit
# Set the bandwidth for uplink traffic rate limit for service_edsg1 to 1 Mbit/s.
[*DeviceA-service-policy-service_edsg1] rate-limit cir 1000 inbound
# Set the bandwidth for downlink traffic rate limit for service_edsg1 to 1 Mbit/s.
[*DeviceA-service-policy-service_edsg1] rate-limit cir 1000 outbound
[*DeviceA-service-policy-service_edsg1] commit
[~DeviceA-service-policy-service_edsg1] quit
# Set the bandwidth for uplink traffic rate limit for service_edsg2 to 2 Mbit/s.
[*DeviceA-service-policy-service_edsg2] rate-limit cir 2000 inbound
# Set the bandwidth for downlink traffic rate limit for service_edsg2 to 2 Mbit/s.
[*DeviceA-service-policy-service_edsg2] rate-limit cir 2000 outbound
[*DeviceA-service-policy-service_edsg2] commit
[~DeviceA-service-policy-service_edsg2] quit
7. Bind the local address pool and RADIUS server group to an AAA domain.
# Bind edsg_pool and rad_group1 to an AAA domain.
[~DeviceA] aaa
[*DeviceA-aaa] domain domain1
[*DeviceA-aaa-domain-domain1] ip-pool edsg_pool
[*DeviceA-aaa-domain-domain1] radius-server group rad_group1
[*DeviceA-aaa-domain-domain1] quit
[*DeviceA-aaa] commit
[~DeviceA-aaa] quit
# Configure a password used for the NE40E to apply for an EDSG service quota
from the RADIUS server group.
[~DeviceA] prepaid-profile prepaid1
[*DeviceA-prepaid-profile-prepaid1] password cipher huawei@123
# Set the time threshold for the NE40E to reapply for a time quota for EDSG
services from the RADIUS server to 60s.
[*DeviceA-prepaid-profile-prepaid1] threshold time 60 seconds
# Set the traffic volume threshold for the NE40E to reapply for a traffic volume
quota for EDSG services from the RADIUS server to 10 Mbytes.
[*DeviceA-prepaid-profile-prepaid1] threshold volume 10 mbytes
[*DeviceA-prepaid-profile-prepaid1] commit
[~DeviceA-prepaid-profile-prepaid1] quit
# Configure a password used for the NE40E to apply for an EDSG service quota
from the RADIUS server group.
[~DeviceA] prepaid-profile prepaid2
[*DeviceA-prepaid-profile-prepaid2] password cipher huawei@123
# Set the time threshold for the NE40E to reapply for a time quota for EDSG
services from the RADIUS server to 300s.
[*DeviceA-prepaid-profile-prepaid2] threshold time 300 seconds
# Set the traffic volume threshold for the NE40E to reapply for a traffic volume
quota for EDSG services from the RADIUS server to 20 Mbytes.
[*DeviceA-prepaid-profile-prepaid2] threshold volume 20 mbytes
[*DeviceA-prepaid-profile-prepaid2] commit
[~DeviceA-prepaid-profile-prepaid2] quit
9. Configure interfaces.
a. Create a virtual template.
[~DeviceA] interface Virtual-Template 1
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit
d. Configure the interface connected to the policy server, AAA server, and portal
server.
[~DeviceA] interface GigabitEthernet0/1/1
[*DeviceA-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1] commit
[~DeviceA-GigabitEthernet0/1/1] quit
NOTE
The shared key configured for a RADIUS server group determines the content of the User-
Password attribute.
NOTE
The content of the HW-Account-Info attribute starts with "A" followed by a service name. This
attribute is used in user authentication response packets to deliver EDSG services that
automatically take effect (directly activated after delivery).
Port-Number : 0
IP-Pool : hsi
Traffic threshold : 50(MB)
Traffic interval : 10(minutes)
After successfully configuring the RBS, run the display remote-backup-service command.
The TCP connection is in the Connected state.
<DeviceA> display remote-backup-service service1
----------------------------------------------------------
Service-Index : 0
Service-Name : service1
TCP-State : Connected
Peer-ip : 88.88.88.88
Source-ip : 22.22.22.22
TCP-Port : 2046
Track-BFD : --
Track-interface0 : GigabitEthernet0/2/0
Track-interface1 : --
----------------------------------------------------------
ip pool:
hsi metric 10
hsi-bak metric 10
ipv6 pool:
NAT instance : nat1
----------------------------------------------------------
Rbs-ID : 0
Protect-type : ip-redirect
Next-hop : 10.1.1.7
Vlanid : 0
Peer-ip : 10.1.1.7
Vrfid : 0
Tunnel-index : 0x0
Tunnel-state : UP
Tunnel-OperFlag: NORMAL
Spec-interface : GigabitEthernet0/3/0
Out-interface : GigabitEthernet0/3/0
User-number : 0
After users go online, run the display backup-user command to view user information that is
backed up.
<DeviceA> display backup-user
Remote-backup-service: service1
Total Users Number: 10
------------------------------------------------------------------------
100 101 102 103 104 105 106 107 108 109
------------------------------------------------------------------------
Run the display access-user interface command to view online user information on a
specified interface.
<DeviceA> display access-user interface GigabitEthernet 0/1/0.1
------------------------------------------------------------------------------
UserID  Username  Interface  IP address  MAC             Vlan  IPv6 address  Access type
------------------------------------------------------------------------------
120     user@lsh  GE0/1/0.1  2.2.2.10    0002-0101-0101  50/-  -             IPoE
101     user@lsh  GE0/1/0.1  2.2.2.9     0002-0101-0102  50/-  -             IPoE
102     user@lsh  GE0/1/0.1  2.2.2.8     0002-0101-0103  50/-  -             IPoE
103     user@lsh  GE0/1/0.1  2.2.2.7     0002-0101-0104  50/-  -             IPoE
----End
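The three display commands above (and the same ones in the preceding example) are the operator's evidence that backup is working, and the property that actually decides whether a switchover is hitless is whether every user online on the master has an entry in the backup set. The following Python script is an added example (not Huawei code) that parses display remote-backup-service, display backup-user and display access-user output and reports a backup channel that is not Connected, an RBS that tracks nothing, a backup-user total that disagrees with the IDs listed, and online users missing from the backup set. The sample outputs are constructed from the values shown above, with the access-user table laid out one user per row (an assumption about how the output is captured); user ID 120 is online but not among the backed-up IDs 100 to 109, so the check reports it.

```python
import re

# Constructed samples reproducing the outputs shown in this example, with the
# access-user table laid out one user per row (an assumption about the capture).
RBS_OUTPUT = """\
Service-Index     : 0
Service-Name      : service1
TCP-State         : Connected
Peer-ip           : 88.88.88.88
Source-ip         : 22.22.22.22
TCP-Port          : 2046
Track-BFD         : --
Track-interface0  : GigabitEthernet0/2/0
Track-interface1  : --
Last down reason  : TCP closed for packet error.
"""
BACKUP_USER_OUTPUT = """\
Remote-backup-service: service1
Total Users Number: 10
------------------------------------------------------------------------
100 101 102 103 104 105 106 107 108 109
------------------------------------------------------------------------
"""
ACCESS_USER_OUTPUT = """\
UserID  Username  Interface  IP address  MAC             Vlan  IPv6 address  Access type
------------------------------------------------------------------------------
120     user@lsh  GE0/1/0.1  2.2.2.10    0002-0101-0101  50/-  -             IPoE
101     user@lsh  GE0/1/0.1  2.2.2.9     0002-0101-0102  50/-  -             IPoE
102     user@lsh  GE0/1/0.1  2.2.2.8     0002-0101-0103  50/-  -             IPoE
103     user@lsh  GE0/1/0.1  2.2.2.7     0002-0101-0104  50/-  -             IPoE
"""


def parse_kv(text):
    """'Key : value' lines (display remote-backup-service style) -> dict."""
    out = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")
            out[key.strip()] = value.strip()
    return out


def parse_backup_users(text):
    """Return (declared total, set of backed-up user IDs) from display backup-user."""
    total, ids = None, set()
    for line in text.splitlines():
        if m := re.match(r"Total Users Num\w*\s*:\s*(\d+)", line):
            total = int(m.group(1))
        elif re.fullmatch(r"\s*\d+(\s+\d+)*\s*", line):   # a row of user IDs
            ids.update(int(x) for x in line.split())
    return total, ids


def parse_access_users(text):
    """Return {user_id: (username, ip, mac)} from display access-user interface."""
    row = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})", re.I)
    users = {}
    for line in text.splitlines():
        if m := row.match(line):
            users[int(m.group(1))] = (m.group(2), m.group(4), m.group(5))
    return users


def audit_backup(rbs_text, backup_text, access_text):
    """Cross-check the three outputs. Returns (findings, IDs online but not backed up)."""
    findings = []
    rbs = parse_kv(rbs_text)
    if rbs.get("TCP-State") != "Connected":
        findings.append(f"RBS {rbs.get('Service-Name')}: TCP-State is {rbs.get('TCP-State')}")
    if rbs.get("Track-BFD", "--") == "--" and rbs.get("Track-interface0", "--") == "--":
        findings.append("RBS tracks neither a BFD session nor a network-side interface")
    total, backed_up = parse_backup_users(backup_text)
    if total is not None and total != len(backed_up):
        findings.append(f"backup-user reports {total} users but lists {len(backed_up)} IDs")
    online = parse_access_users(access_text)
    missing = sorted(set(online) - backed_up)
    if missing:
        findings.append("online users with no backup entry: "
                        + ", ".join(f"{u} ({online[u][1]})" for u in missing))
    return findings, missing


if __name__ == "__main__":
    findings, _ = audit_backup(RBS_OUTPUT, BACKUP_USER_OUTPUT, ACCESS_USER_OUTPUT)
    for f in findings or ["backup state is consistent"]:
        print(f)
```

Collect the three outputs on the master in one session so that the user table and the backup set refer to the same moment; a user that went online between the two commands would otherwise show up as a false positive. A non-empty missing list on a stable system means those sessions would be dropped at switchover and is worth investigating before the next maintenance window.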
Configuration Files
l Device A configuration file
#
sysname DeviceA
#
ip pool hsi bas local
gateway 1.1.1.1 255.255.255.0
section 0 1.1.1.2 1.1.1.254
#
ip pool hsi-main-bak bas local rui-slave
gateway 2.2.2.2 255.255.255.0
accounting-scheme acct1
radius-server group rad_group1
threshold time 300 seconds
threshold volume 20 mbytes
quota-out redirect http_redirect_profile
#
service-policy download local radius rad_group1 password cipher huawei@123
#
service-policy name service_edsg1 edsg
radius-server group rad_group1
service-group s_1m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 1000 inbound
rate-limit cir 1000 outbound
prepaid-profile prepaid1
#
service-policy name service_edsg2 edsg
radius-server group rad_group1
service-group s_2m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 2000 inbound
rate-limit cir 2000 outbound
prepaid-profile prepaid2
#
interface GigabitEthernet0/1/2.1
user-vlan 1000 2000
user-vlan 1 1000 qinq 100
bas
#
access-type layer2-subscriber default-domain pre-authentication domain1
authentication-method ppp web
#
return
l Device B configuration file
#
sysname DeviceB
#
ip pool hsi-main bas local
gateway 2.2.2.2 255.255.255.0
section 0 2.2.2.3 2.2.2.253
#
ip pool hsi-bak bas local rui-slave
gateway 1.1.1.1 255.255.255.0
# LOCAL
section 0 1.1.1.2 1.1.1.253
# REMOTE
dhcp-server group gm1
#
aaa
domain userdomain1
authentication-scheme default0
accounting-scheme default0
#
bfd bfd bind peer-ip 10.0.1.1
discriminator local 2
discriminator remote 1
commit
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100
admin-vrrp vrid 1
vrrp vrid 1 track bfd-session 2 peer
vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
#
remote-backup-service service1
peer 22.22.22.22 source 88.88.88.88 port 2046
track interface gigabitethernet 0/2/0
ip-pool hsi-main
ip-pool hsi-bak
protect redirect ip-nexthop 10.1.1.6 interface gigabitethernet 0/3/0
#
remote-backup-profile profile1
peer-backup hot
service-type bras
backup-id 10 remote-backup-service service1
vrrp-id 1 interface gigabitethernet 0/1/0.2
ip-pool hsi include hsi-main node 5
ip-pool hsi include hsi-bak node 10
#
interface gigabitethernet 0/1/0.1
user-vlan 50
remote-backup-profile profile1
bas
access-type layer2-subscriber
authentication-method web
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
interface gigabitethernet 0/3/0
undo shutdown
ip address 10.1.1.7 255.255.255.0
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
ip pool edsg_pool bas local
gateway 172.32.0.0 255.255.0.0
section 0 172.32.0.0 172.32.255.255
#
aaa
authentication-scheme auth1
authentication-scheme radius
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool
radius-server group rad_group1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
Usage Scenario
With the rapid development of IP technologies, various value-added services are widely used
on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers'
leased line, and VPN interconnection, place higher requirements on IP network reliability. IP
network reliability for carrier-class services includes device, link, and network reliability. On
a bearer network, the availability of a network device is required to reach 99.999%; that is, the
device downtime in a year must be less than 5 minutes. High reliability is a basic requirement
for carrier-class devices.
The NE40E functions as an edge router that carries multiple services and plays a transitional
role on a network. It is connected to the core network to implement the Layer 3 routing
function and to the aggregation network to terminate the Layer 2 user packets so that users
can access the aggregation network. Additionally, the NE40E carries triple play services
including HSI, VoIP, and IPTV, which raises the bar for high reliability. The NE40E
provides service-level high-reliability technologies. Non-stop data flow forwarding does not
mean that user services are not interrupted. If a network node or link fails, user traffic is
switched to a backup device. However, if user information is not synchronized to a backup
device, user services will be interrupted. High reliability has been considered when the
NE40E is designed to function as a network edge service aggregation and control device,
which ensures that users' HSI, IPTV, and VoIP services are not interrupted if a network node
or link fault occurs. Dual-device hot backup is designed to meet the preceding reliability
requirements.
Networking Requirements
As shown in Figure 13-9, users access PE1 and PE2 through the CE. An Eth-Trunk interface
is configured on each PE, and the two PEs are directly connected. A VRRP backup group is
configured on PE1 and PE2 to track the status of Eth-Trunk member interfaces. Access links
are bound together on the CE, and the LACP protocol is run to work with the PEs to select the
active and standby links. This ensures that services can be immediately switched to the
backup device if the master device fails after users go online.
Figure 13-9 Networking diagram for configuring dual-device hot backup for Layer 3 static
IPv4 users
NOTE
In this example, interface1, interface2, interface3, interface4, and interface5 represent GE0/1/0,
GE0/1/1, GE0/1/5, GE0/2/0, and GE0/2/3, respectively.
[Figure 13-9 (diagram): PE1 and PE2 connect to the IP Core through interface2 and to each other through interface3; the links from the CE to PE1 and PE2 use interface4 and interface5.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic user access functions and ensure that the two devices working in
master/backup mode have the same configuration. For configuration details, see HUAWEI
NE40E-M2 Series Universal Service Router Configuration Guide > User Access.
2. Configure Eth-Trunk interfaces to work in static LACP mode. For configuration details,
see HUAWEI NE40E-M2 Series Universal Service Router Configuration Guide > LAN
Access and MAN Access.
3. Configure a VRRP backup group on PE1 and PE2.
4. Configure VRRP to track the interface status.
5. Associate the Eth-Trunk interfaces working in static LACP mode on the PEs with the
VRRP backup group.
Data Preparation
To complete the configuration, you need the following data:
l VRRP parameters (VRRP ID)
l IP address of each interface on PE1 and PE2
l Backup ID, which works together with an RBS to identify an RBP to which users belong
l User access parameters
Procedure
Step 1 Configure user access.
For configuration details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide > User Guide > AAA and User Management Configuration.
Step 2 Configure Eth-Trunk interfaces to work in static LACP mode, and add the member interfaces
GE0/2/0 and GE0/2/3 to the Eth-Trunk interfaces.
# Configure CE1.
<HUAWEI> system-view
[~HUAWEI] sysname CE1
[*HUAWEI] commit
[~CE1] interface Eth-Trunk 20
[*CE1-Eth-Trunk20] mode lacp-static
[*CE1-Eth-Trunk20] lacp timeout fast
[*CE1-Eth-Trunk20] trunkport gigabitethernet 0/2/0 to 0/2/3
[*CE1-Eth-Trunk20] commit
[~CE1-Eth-Trunk20] quit
# Configure PE1.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[*HUAWEI] commit
[~PE1] interface Eth-Trunk 10
[*PE1-Eth-Trunk10] mac-address 0000-0000-0001
[*PE1-Eth-Trunk10] mode lacp-static
[*PE1-Eth-Trunk10] lacp timeout fast
[*PE1-Eth-Trunk10] trunkport gigabitethernet 0/1/0
[*PE1-Eth-Trunk10] commit
[~PE1-Eth-Trunk10] quit
# Configure PE2.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[*HUAWEI] commit
# Configure the IP address of the GE interface, and set the LACP priority of PE2 in the VRRP
backup group to the default value (as the backup device).
[~PE2] interface Gigabitethernet 0/1/5
[*PE2-Gigabitethernet0/1/5] undo shutdown
[*PE2-Gigabitethernet0/1/5] ip address 193.1.2.1 255.255.255.0
[*PE2-Gigabitethernet0/1/5] vrrp vrid 120 virtual-ip 193.1.2.100
[*PE2-Gigabitethernet0/1/5] admin-vrrp vrid 120 ignore-if-down
[*PE2-Gigabitethernet0/1/5] commit
Step 4 Configure the VRRP backup group to track the interface status.
# Configure VRRP on PE1 to track the interface status.
[~PE1-Gigabitethernet0/1/5] vrrp vrid 120 track interface Gigabitethernet 0/1/0 reduced 40
[*PE1-Gigabitethernet0/1/5] vrrp vrid 120 track interface Gigabitethernet 0/1/1 reduced 40
[*PE1-Gigabitethernet0/1/5] commit
[~PE1-Gigabitethernet0/1/5] quit
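As an added example (not code from the Huawei guide), the following Python models the priority arithmetic behind Step 4: it parses the priority and track lines exactly as they appear in PE1's configuration file on this page, subtracts the reduction for every tracked interface that goes down, and elects the master against PE2, which keeps the default priority. The default priority of 100, the higher-IP tie-break, and the PE addresses 193.1.2.2 (PE1) and 193.1.2.1 (PE2) from this page are assumptions stated in the comments.

```python
import ipaddress
import re

# Constructed excerpt: PE1's VRRP lines as given in the configuration file on this page.
PE1_VRRP_CONFIG = """
interface GigabitEthernet0/1/5
 vrrp vrid 120 virtual-ip 193.1.2.100
 vrrp vrid 120 priority 120
 vrrp vrid 120 track interface GigabitEthernet0/1/0 reduced 40
 vrrp vrid 120 track interface GigabitEthernet0/1/1 reduced 40
"""

VRRP_DEFAULT_PRIORITY = 100   # assumption: standard VRRP default when no priority is set
PE1_IP = "193.1.2.2"          # interface addresses from this page
PE2_IP = "193.1.2.1"


def parse_vrrp(config, vrid):
    """Return (configured priority, {tracked interface: reduction}) for one VRID."""
    priority, tracked = VRRP_DEFAULT_PRIORITY, {}
    for line in config.splitlines():
        m = re.match(rf"\s*vrrp vrid {vrid} priority (\d+)\s*$", line)
        if m:
            priority = int(m.group(1))
            continue
        m = re.match(rf"\s*vrrp vrid {vrid} track interface (\S+) reduced (\d+)\s*$", line)
        if m:
            tracked[m.group(1)] = int(m.group(2))
    return priority, tracked


def effective_priority(priority, tracked, down_interfaces):
    """Priority after subtracting the reduction of each tracked interface that is down."""
    lost = sum(r for ifname, r in tracked.items() if ifname in down_interfaces)
    return max(priority - lost, 1)   # assumption: VRRP priority never drops below 1


def elect_master(pe1_priority, pe2_priority):
    """Higher priority wins; on a tie the higher interface IP wins (standard VRRP rule)."""
    if pe1_priority != pe2_priority:
        return "PE1" if pe1_priority > pe2_priority else "PE2"
    return "PE1" if ipaddress.ip_address(PE1_IP) > ipaddress.ip_address(PE2_IP) else "PE2"


def master_after_failures(down_interfaces):
    """Which PE holds VRID 120 (and therefore the active Eth-Trunk via lacp track vrrp)."""
    priority, tracked = parse_vrrp(PE1_VRRP_CONFIG, 120)
    return elect_master(effective_priority(priority, tracked, down_interfaces),
                        VRRP_DEFAULT_PRIORITY)
```

With these values a single tracked uplink failing already drops PE1 to 80, below PE2's 100, so one uplink loss is enough to move the master role and the active LACP trunk to PE2.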
Step 5 Associate the Eth-Trunk interfaces working in static LACP mode with the VRRP backup
group.
# Associate PE1's Eth-Trunk interface working in static LACP mode with the VRRP backup
group.
[~PE1] interface Eth-Trunk 10
[*PE1-Eth-Trunk 10] lacp track vrrp vrid 120 interface Gigabitethernet 0/1/5
[*PE1-Eth-Trunk 10] commit
[~PE1-Eth-Trunk 10] quit
# Associate PE2's Eth-Trunk interface working in static LACP mode with the VRRP backup
group.
[~PE2] interface Eth-Trunk 12
[*PE2-Eth-Trunk 12] lacp track vrrp vrid 120 interface Gigabitethernet 0/1/5
[*PE2-Eth-Trunk 12] commit
Step 7 Configure an RBS, address pool, and RBP. Take the command output on PE1 as an example.
# Configure PE1.
# Configure PE2.
After completing the configurations, run the display remote-backup-profile command. The
command output shows that the status of PE1 is Master and that of PE2 is Slave.
<PE1> display remote-backup-profile p1
-----------------------------------------------
Profile-Index : 0x1000
Profile-Name : p1
Service : bras
Remote-backup-service: s1
Backup-ID : 1
track protocol : VRRP
VRRP-ID : 120
VRRP-Interface : GigabitEthernet0/1/5
Access-Control : --
State : Slave
Peer State : Master
Interface :
Eth-Trunk12.2
Eth-Trunk12.111
Backup mode : hot
Slot-Number : --
Card-Number : --
Port-Number : --
Traffic threshold : 50(MB)
Traffic interval : 10(minutes)
IP-Pool :
ln
Forwarding Configured: Slave Forwarding
<PE1> display remote-backup-service S1
----------------------------------------------------------
Service-Index : 1
Service-Name : s1
TCP-State : Connected
Peer-ip : 172.16.18.2
Source-ip : 172.16.18.1
TCP-Port : 12012
Track-BFD : -
SSL-Policy-Name : --
SSL-State : --
Last up time : 2016-08-02 15:34:36
Track-interface0 : GigabitEthernet0/1/1
Weight : 10
Uplink state : 2 (1:DOWN 2:UP)
Domain-map-list : --
Send Q pkt count : 0
----------------------------------------------------------
ip pool:
ipv6 pool:
Failure ratio : 100%
Failure duration : 0 min
pool route status: 2
switch mark : 2
----------------------------------------------------------
Rbs-ID : 0
Protect-type : public(unknown)
Tunnel-policy : yhz
Peer-ip : 172.16.18.2
Vrfid : 0
Tunnel-state : DOWN
Tunnel-OperFlag: NORMAL
Spec-interface : Null
Total users : 0
----End
Configuration Files
- PE1 configuration file
#
sysname PE1
#
aaa
domain huawei
authentication-scheme default0
accounting-scheme default0
ip-pool ln
#
ip pool ln bas local
gateway 200.0.0.1 255.255.255.0
section 0 200.0.0.2 200.0.0.255
excluded-ip-address 200.0.0.2 200.0.0.254
#
remote-backup-service s1
peer 172.16.18.1 source 172.16.18.2 port 12012
track interface GigabitEthernet0/1/1
#
remote-backup-profile p1
service-type bras
backup-id 1 remote-backup-service s1
peer-backup hot
vrrp-id 120 interface GigabitEthernet0/1/5
ip-pool ln
#
layer3-subscriber 200.0.0.2 200.0.0.254 domain-name test
#
interface Eth-Trunk10
mac-address 0000-0000-0001
mode lacp-static
lacp timeout fast
lacp track vrrp vrid 120 interface GigabitEthernet0/1/5
#
interface Eth-Trunk10.1
vlan-type dot1q 10
ip address 50.0.0.1 255.255.255.0
bas
#
access-type layer3-subscriber default-domain pre-authentication test
authentication test_hou
#
#
interface GigabitEthernet0/1/1
undo shutdown
ip address 10.1.1.2 255.255.255.0
dcn
#
interface GigabitEthernet0/1/5
undo shutdown
ip address 193.1.2.2 255.255.255.0
vrrp vrid 120 virtual-ip 193.1.2.100
admin-vrrp vrid 120 ignore-if-down
vrrp vrid 120 priority 120
vrrp vrid 120 track interface GigabitEthernet0/1/0 reduced 40
vrrp vrid 120 track interface GigabitEthernet0/1/1 reduced 40
dcn
#
interface GigabitEthernet0/1/0
undo shutdown
eth-trunk 10
dcn
#
#
ospf 1
default cost inherit-metric
import-route direct
import-route unr
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 12.1.1.0 0.0.0.255
#
Manual fault diagnosis is time-consuming and locating fault points is difficult on networks
that have various types of users, large numbers of access users, and peripheral interworking
devices. The System of Active Immunization and Diagnosis (SAID) can therefore be used to
implement self-diagnosis and self-recovery of service nodes for user access.
Usage Scenario
The SAID is used to identify typical faults and automatically diagnose and rectify the faults.
The SAID function is enabled by default in typical BRAS scenarios to allow a device to
periodically detect whether the number of online users or traffic rates are abnormal. When a
large number of login failures or a sudden decrease in traffic is diagnosed and the time
condition for self-healing is met, the system generates a log and determines whether to trigger
self-healing (perform a master/slave switchover or restart a board/subcard).
Pre-configuration Tasks
None
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run undo set said-node disable
The default SAID node configuration is restored.
NOTE
To check the status of SAID nodes, run the display said-node brief command. When OPERATE is set to Enable, SAID nodes are enabled; when OPERATE is set to Disable, SAID nodes are disabled.
NOTE
Run the display aaa configuration command to check whether SAID is enabled. In the command output, if the Said switch field is displayed as enable, SAID is enabled; if the field is displayed as disable, SAID is not enabled.
----End
Follow-up Procedure
Run the display aaa configuration command to check the configuration of the SAID
function.