
HUAWEI NE40E-M2 Series Universal Service Router
V800R010C10SPC500

Configuration Guide - User Access

Issue 01
Date 2018-12-05

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2018. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2018-12-05) Copyright © Huawei Technologies Co., Ltd. i


HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access Contents

Contents

1 About This Document.................................................................................................................. 1


2 License Requirements and Limitations for User Access--M2E............................................ 5
3 License Requirements and Limitations for User Access--M2F.............................................6
4 License Requirements and Limitations for User Access--M2H............................................7
5 License Requirements and Limitations for User Access--M2K............................................8
6 AAA and User Management Configuration (Access User)................................................... 9
6.1 Overview of AAA........................................................................................................................................................ 10
6.2 Licensing Requirements and Limitations for AAA and User Management--M2F..................................................... 10
6.3 Licensing Requirements and Limitations for AAA and User Management--M2H.................................................... 13
6.4 Licensing Requirements and Limitations for AAA and User Management--M2K.................................................... 16
6.5 Configuring AAA Schemes..........................................................................................................................................19
6.5.1 (Optional) Enabling RADIUS .................................................................................................................................. 19
6.5.2 Configuring an Authentication Scheme.................................................................................................................... 20
6.5.3 (Optional) Configuring Command-Line Reauthorization......................................................................................... 21
6.5.4 (Optional) Configuring Policies for User Authentication Failures........................................................................... 22
6.5.5 Configuring an Accounting Scheme..........................................................................................................................23
6.5.6 Configuring an AAA Scheme for a Domain............................................................................................................. 24
6.5.7 Verifying the AAA Scheme Configuration............................................................................................................... 25
6.6 Configuring RADIUS...................................................................................................................................................26
6.6.1 Configuring RADIUS Authentication and Accounting Servers................................................................................26
6.6.2 (Optional) Configuring RADIUS Proxy Authentication...........................................................................................28
6.6.3 (Optional) Configuring the Algorithm for Selecting a RADIUS Server...................................................................29
6.6.4 (Optional) Configuring Flexible Interoperation of RADIUS Attributes................................................................... 31
6.6.5 (Optional) Configuring Negotiated Parameters of the RADIUS Server................................................................... 32
6.6.6 (Optional) Disabling RADIUS Attributes................................................................................................................. 35
6.6.7 (Optional) Configuring RADIUS Attribute Translation............................................................................................36
6.6.8 (Optional) Configuring the Tunnel Password Delivery Mode.................................................................................. 37
6.6.9 (Optional) Configuring the Class Attribute to Carry the CAR Value........................................................................37
6.6.10 (Optional) Configuring the Format of the NAS-Port Attribute............................................................................... 38
6.6.11 (Optional) Configuring the Source Interface of a RADIUS Server.........................................................................42
6.6.12 (Optional) Configuring a RADIUS Authorization Server.......................................................................................43


6.6.13 (Optional) Setting the Status Parameters of a RADIUS Server.............................................................................. 44


6.6.14 (Optional) Configuring the Extended Source Interfaces of a RADIUS Server.......................................................45
6.6.15 (Optional) Configuring the Calling-station-ID Attribute Format............................................................................46
6.6.16 (Optional) Configuring Negotiated Parameters of the RADIUS Attribute............................................................. 48
6.6.17 (Optional) Configuring DSCP Values for RADIUS Packets...................................................................................50
6.6.18 (Optional) Configuring a Mode of Encapsulating User IP Addresses.................................................................... 50
6.6.19 (Optional) Configuring RADIUS Attributes........................................................................................................... 51
6.6.20 (Optional) Configuring an IPv6 Address Pool to be Delivered using the Framed-Ipv6-Pool Attribute to Replace the IPv6 Address Pools of the Same Type.......................................................53
6.6.21 (Optional) Configuring the User-Defined Encapsulation for RADIUS Attributes..................................... 54
6.6.22 (Optional) Configuring the RADIUS Server to Dynamically Deliver ACLs..........................................................54
6.6.23 (Optional) Configuring the Function to Parse the Option 17 Field Based on the Format Defined by the DSL Forum.....................................................................................................................56
6.6.24 Verifying the RADIUS Configuration..................................................................................................................... 56
6.7 Configuring the Diameter Server................................................................................................................................. 61
6.7.1 (Optional) Configuring a Diameter-enabled Interface to Support EDSG Services...................................................62
6.7.2 Enabling the Diameter Function................................................................................................................................63
6.7.3 Configuring a Diameter Link.................................................................................................................................... 64
6.7.4 (Optional) Binding a Diameter Server Group to an AAA Domain........................................................................... 65
6.7.5 Verifying the Diameter Server Configuration............................................................................................................65
6.8 Configuring the Function to Locally Generate and Store User Bills............................................................................67
6.9 Configuring a Domain.................................................................................................................................................. 68
6.9.1 Configuring Servers for a Domain............................................................................................................................ 69
6.9.2 (Optional) Setting the Maximum Number of Access Users for a Domain................................................................70
6.9.3 (Optional) Setting the Maximum Number of Sessions for an Account.................................................................... 70
6.9.4 (Optional) Setting the Priority of a Domain User......................................................................................................71
6.9.5 (Optional) Specifying a Group for a Domain............................................................................................................ 72
6.9.6 (Optional) Configuring Additional Functions for a Domain.....................................................................................73
6.9.7 (Optional) Configuring the Traffic Direction to Which the Domain User Traffic Quota Applies............................ 76
6.9.8 (Optional) Configuring Public and Private Network Users and Users Belonging to Different VPN Instances to Coexist in a Domain......................................................................................................... 76
6.9.9 (Optional) Configuring the Statistics Collection Method to Improve Accounting Accuracy................................... 77
6.9.10 (Optional) Configuring Users with the Same MAC Address for Relogin.............................................................. 78
6.9.11 (Optional) Configuring Load Balancing of Downstream Traffic on Eth-Trunk Interfaces.....................................79
6.9.12 (Optional) Blocking a Domain................................................................................................................................ 79
6.9.13 Verifying the Domain Configuration....................................................................................................................... 80
6.10 Configuring and Managing Users...............................................................................................................................83
6.10.1 Creating a Static User.............................................................................................................................................. 83
6.10.2 Configuring User Account Parsing..........................................................................................................................85
6.10.3 Configuring the User Name Format and Password................................................................................................. 86
6.10.4 Configuring the Limit on the Number of Access Users.......................................................................................... 87
6.10.5 Disconnecting Online Users.................................................................................................................................... 94
6.10.6 Generating User Login Failure and Logout Records...............................................................................................96


6.10.7 (Optional) Configuring the Function to Generate and Send Logs About User Logins, Logouts, and Online Results.............................................................................................................................. 97
6.10.8 Tracing Services of Users........................................................................................................................................ 98
6.10.9 Configuring User Testing........................................................................................................................................ 99
6.10.10 Changing the Getting Online Period in Loose Mode.......................................................................................... 100
6.10.11 Configuring Whether to Log Out Users When an Interface Goes Down............................................................101
6.10.12 Configuring Automatic User Login.....................................................................................................................102
6.10.13 Enabling User Traffic Statistics Collection Based on Inner or Outer VLAN IDs on a Device...........................105
6.10.14 (Optional) Configuring the Alarm Function on an Interface with No Backup Protection Configured...............106
6.10.15 Verifying the User Management Configuration...................................................................................106
6.11 Maintaining AAA..................................................................................................................................................... 109
6.11.1 Clearing AAA Statistics.........................................................................................................................................109
6.11.2 (Optional) Mapping Refined Online Failure or Offline Sub-reasons to a General Sub-reason.............................110
6.12 Configuration Examples for AAA and User Management.......................................................................................110
6.12.1 Example for Performing Authentication and Accounting for Users by Using RADIUS......................................110
6.12.2 Example for Configuring Dynamic ACL Delivery Through the RADIUS Server............................................... 114
6.12.3 Example for Configuring RADIUS for User Authentication and Accounting (Through Flexible Interoperation of RADIUS Attributes)......................................................................................................... 118

7 IPv4 Address Management Configuration...........................................................................124


7.1 Overview of IPv4 Address Management....................................................................................................................125
7.2 Licensing Requirements and Limitations for IPv4 Address Management--M2H.....................................................125
7.3 Licensing Requirements and Limitations for IPv4 Address Management--M2K.....................................................127
7.4 Configuring an IPv4 Address Pool and an Address Pool Group................................................................................129
7.4.1 Creating an Address Pool........................................................................................................................................ 130
7.4.2 (Optional) Configuring Static IP Address Binding................................................................................................. 135
7.4.3 (Optional) Configuring DNS Services for the DHCPv4 Client.............................................................................. 136
7.4.4 (Optional) Configuring NetBIOS Services for the DHCPv4 Client........................................................................137
7.4.5 (Optional) Configuring SIP Services for the DHCPv4 Client.................................................................................138
7.4.6 (Optional) Configuring DHCPv4 Self-Defined Options......................................................................................... 139
7.4.7 (Optional) Configuring Address Protection............................................................................................................ 140
7.4.8 (Optional) Configuring a Constant Index for an IPv4 Address Pool...................................................................... 141
7.4.9 (Optional) Allocating IP Addresses Based on Option 60 Values............................................................142
7.4.10 (Optional) Locking an IP Address Pool................................................................................................................ 142
7.4.11 Configuring an Address Pool Group..................................................................................................................... 143
7.4.12 Specifying an IPv4 Address Pool for a Domain....................................................................................................144
7.4.13 (Optional) Configuring the Thresholds for Public IP Address Pool Usage in a Domain...................... 145
7.4.14 Verifying the Configuration of the IPv4 Address Pool and Address Pool Group................................................. 146
7.5 Configuring a DHCPv4 Server Group........................................................................................................................149
7.5.1 Creating a DHCPv4 Server Group.......................................................................................................................... 149
7.5.2 Associating the IP Address Pool and the DHCPv4 Server Group.......................................................................... 151
7.5.3 Verifying the DHCPv4 Server Group Configuration.............................................................................................. 151
7.6 Configuring DHCPv4 Proxy...................................................................................................................................... 152
7.6.1 Enabling DHCPv4 Proxy.........................................................................................................................................153


7.7 Adjusting DHCPv4 Service Parameters..................................................................................................................... 154


7.7.1 (Optional) Configuring Global DHCPv4 Parameters..............................................................................154
7.7.2 Configuring a DHCP Option................................................................................................................................... 156
7.7.3 (Optional) Configuring the Format for Encapsulating the Option 82 Attribute into DHCP Messages.................. 157
7.7.4 (Optional) Shortening the User Address Lease Before a DHCPv4 Server Restarts................................................158
7.7.5 Configuring Transparent Transmission of DHCPv4 Packets.................................................................................. 159
7.7.6 (Optional) Enabling the BRAS to Transparently Transmit NAK Messages to DHCP Clients............................... 159
7.7.7 Enabling a DHCPv4 Server to Detect Unauthorized DHCPv4 Servers.................................................................. 160
7.7.8 Enabling the Detection of an IP Address Conflict.................................................................................................. 160
7.7.9 Saving DHCPv4 Data.............................................................................................................................................. 161
7.7.10 Restoring DHCPv4 Data....................................................................................................................................... 162
7.7.11 (Optional) Configuring the NE40E to Log Out an Online User and Deny Access of a New User After Detecting an IPv4 Address Conflict..................................................................................................162
7.7.12 (Optional) Configuring the Device to Log Out a Dual-Stack User from Both IPv4 and IPv6 Stacks When a Zero Lease Is Delivered in a CoA Message for the User's IPv4 Address................................................. 163
7.7.13 Verifying the DHCPv4 Parameter Configuration.................................................................................................. 164
7.8 Maintaining DHCPv4................................................................................................................................................. 165
7.8.1 Clearing DHCPv4 Statistics.................................................................................................................................... 165
7.8.2 Monitoring DHCPv4 Operation Status....................................................................................................................166
7.9 Configuration Examples for IPv4 Address Management...........................................................................................166
7.9.1 Example for Configuring Address Assignment Based on the Local Address Pool................................................ 167
7.9.2 Example for Configuring Address Assignment Based on the Remote Address Pool............................................. 171

8 IPv6 Address Management Configuration...........................................................................176


8.1 Overview of IPv6 Address Management....................................................................................................................177
8.2 Licensing Requirements and Limitations for IPv6 Address Management--M2E..................................................... 179
8.3 Licensing Requirements and Limitations for IPv6 Address Management--M2F..................................................... 179
8.4 Licensing Requirements and Limitations for IPv6 Address Management--M2H.....................................................181
8.5 Licensing Requirements and Limitations for IPv6 Address Management--M2K.....................................................183
8.6 Configuring a DHCPv6 Relay Agent on the User Side..............................................................................................185
8.6.1 Configuring a Remote IPv6 Prefix Pool..................................................................................................................186
8.6.2 Configuring a Remote IPv6 Address Pool.............................................................................................................. 187
8.6.3 Configuring a DHCPv6 Server Group.....................................................................................................................188
8.6.4 Associating an Address Pool with a DHCPv6 Server Group.................................................................................. 190
8.6.5 Binding an IPv6 Remote Address Pool to a Domain.............................................................................................. 190
8.6.6 (Optional) Enabling a Device to Insert the Option 18 and Option 37 Attributes into Messages to Be Sent to the DHCPv6 Server................................................................................................................ 191
8.6.7 Verifying the DHCPv6 Relay Agent Configuration................................................................................................ 192
8.7 Configuring a Delegating Router............................................................................................................................... 193
8.7.1 Configuring the DHCPv6 Server DUID..................................................................................................................194
8.7.2 Configuring an IPv6 Delegation Prefix Pool...........................................................................................................195
8.7.3 Configuring an IPv6 Delegation Address Pool....................................................................................................... 197
8.7.4 Binding an IPv6 Delegation Address Pool to a Domain......................................................................................... 199
8.7.5 Verifying the Delegating Router Configuration...................................................................................................... 200


8.8 (Optional) Adjusting DHCPv6 Service Parameters................................................................................................... 203


8.8.1 (Optional) Configuring Global DHCPv6 Parameters..............................................................................203
8.8.2 (Optional) Enabling the Device to Parse Option 37 of Any Format in DHCPv6 Solicit or Request Messages..... 205
8.8.3 (Optional) Shortening the User Address Lease Before a DHCPv6 Server Restarts................................................205
8.8.4 (Optional) Configuring a Constant Index for an IPv6 Address Pool...................................................................... 207
8.8.5 Changing the DHCPv6 Option Code for Interconnection Between Huawei and Non-Huawei Devices................ 207
8.8.6 (Optional) Configuring the NE40E to Log Out an Online User and Deny Access of a New User After Detecting an IPv6 Address Conflict...................................................................................................... 208
8.8.7 (Optional) Setting Priorities for the DHCPv6 Option............................................................................................. 209
8.9 Configuring DHCPv6 (IA_NA) Address Allocation................................................................................................. 210
8.9.1 Configuring the NE40E Based on Its Role.............................................................................................. 210
8.9.2 Configuring the State of Address Allocation...........................................................................................................211
8.9.3 Verifying the DHCPv6 (IA_NA) Address Allocation Configuration..................................................................... 213
8.10 Configuring DHCPv6 (IA_PD) Prefix Allocation................................................................................................... 213
8.10.1 Configuring the NE40E Based on Its Role............................................................................................ 214
8.10.2 Checking the DHCPv6 (IA_PD) Prefix Allocation Configuration....................................................................... 214
8.11 Configuring DHCPv6 (IA_NA+IA_PD) Address Allocation.................................................................................. 215
8.11.1 Configuring the NE40E Based on Its Role.............................................................................................215
8.11.2 Configuring the State of Address Allocation.........................................................................................................216
8.11.3 Verifying the DHCPv6 (IA_NA+IA_PD) Address Allocation Configuration...................................................... 217
8.12 Configuring NDRA Address Allocation.................................................................................................................. 218
8.12.1 Configuring an IPv6 Prefix Pool............................................................................................................219
8.12.2 Configuring an IPv6 Address Pool........................................................................................................................ 222
8.12.3 Binding an IPv6 Address Pool to a Domain..........................................................................................................224
8.12.4 (Optional) Configuring the State of Address Allocation....................................................................... 224
8.12.5 (Optional) Configuring a Constant Index for an IPv6 Address Pool.................................................................... 226
8.12.6 (Optional) Locking an IPv6 Address Pool............................................................................................................ 226
8.12.7 Verifying the NDRA Address Allocation Configuration...................................................................................... 227
8.13 Configuring NDRA+DHCPv6 (IA_PD) Address Allocation.................................................................................. 228
8.13.1 Configuring the NE40E Based on Its Role............................................................................................ 228
8.13.2 (Optional) Configuring the State of Address Allocation....................................................................... 229
8.13.3 Verifying the NDRA+DHCPv6 (IA_PD) Address Allocation Configuration.......................................................230
8.14 Maintaining IPv6 Address Management.................................................................................................. 230
8.14.1 Clearing IPv6 Address Statistics........................................................................................................................... 230
8.15 Configuration Examples for IPv6 Address Management.........................................................................................231
8.15.1 Example for Assigning IPv6 Prefixes to Users from the User-side Delegation Address Pool............................. 231
8.15.2 Example for Configuring a Remote Address Pool for DHCPv6 Users' IPv6 Address Assignment..................... 238
8.15.3 Example for Configuring a Remote Address Pool for ND Users' IPv6 Address Assignment.............................. 242

9 IPoE Access Configuration...................................................................................................... 247


9.1 Overview of IPoE Access...........................................................................................................................................248
9.2 Licensing Requirements and Limitations for IPoE--M2F......................................................................................... 248
9.3 Licensing Requirements and Limitations for IPoE--M2H........................................................................................ 251
9.4 Licensing Requirements and Limitations for IPoE--M2K........................................................................................ 254
9.5 Configuring an Authentication Mode for IPoE Access..............................................................................................257
9.5.1 Configuring Web Authentication or Fast Authentication........................................................................................ 257
9.5.2 Configuring Binding Authentication....................................................................................................................... 262
9.5.3 Verifying the Authentication Mode Configuration for IPoE Access.......................................................................263
9.6 Configuring IPoE Access Services.............................................................................................................................264
9.6.1 Binding a Sub-interface to a VLAN........................................................................................................................ 265
9.6.2 Configuring a BAS Interface................................................................................................................................... 266
9.6.3 (Optional) Configuring Access Control on a BAS Interface...................................................................................272
9.6.4 (Optional) Enabling One-to-Many Mapping Between One MAC Address and Many Sessions............................ 274
9.6.5 (Optional) Configuring Flexible Access to VPNs................................................................................................... 274
9.6.6 Verifying the IPoE Access Service Configuration.................................................................................................. 279
9.7 Configuring IPoEv6 Access Services.........................................................................................................................280
9.7.1 Configuring an Authentication Mode......................................................................................................................281
9.7.2 Configuring an Address Allocation Mode...............................................................................................................281
9.7.3 Binding a Sub-interface to a VLAN........................................................................................................................ 283
9.7.4 Configuring a BAS Interface................................................................................................................................... 284
9.7.5 (Optional) Enabling One-to-Many Mapping Between One MAC Address and Many Sessions............................ 289
9.7.6 Verifying the IPoEv6 Access Service Configuration.............................................................................................. 290
9.8 Maintaining IPoE Access........................................................................................................................................... 292
9.8.1 Displaying BRAS Access Information....................................................................................................................292
9.8.2 Clearing BRAS Access Information........................................................................................................................292
9.8.3 Displaying BRAS Access Statistics........................................................................................................................ 293
9.8.4 Clearing BRAS Access Statistics............................................................................................................................ 294
9.8.5 Configuring Automatic Blocking of User Access Domains and Boards of a BRAS..............................................295
9.9 Configuration Examples for IPoE Access Authentication......................................................................................... 295
9.9.1 Example for Configuring Layer 3 IPoE Access with Web Authentication............................................................. 296
9.9.2 Example for Configuring Layer 3 IPoE Access with Captive Portal Redirection.................................................. 302
9.9.3 Example for Configuring the IPoE Access Service for VPN Users by Using Web Authentication....................... 309
9.9.4 Example for Configuring the IPoEoVLAN Access Service....................................................................................314
9.9.5 Example for Configuring the IPoEoQ Access Service............................................................................................317
9.9.6 Example for Configuring Local Authentication for Static Users............................................................................ 321
9.9.7 Example for Configuring MAC Authentication...................................................................................................... 323
9.9.8 Example for Configuring the IPoE Access Service by Using ND.......................................................................... 330
9.9.9 Example for Configuring IPoEv6 Access Using Web Authentication.................................................................... 336
9.9.10 Example for Configuring the Dual-Stack Access Service by Using Web Authentication.................................... 340
9.9.11 Example for Configuring BRAS Access Through L2VPN Termination.............................................................. 347
9.9.12 Example for Configuring BRAS Access Through L3VPN Termination.............................................................. 352
9.9.13 Example for Configuring RADIUS Proxy Authentication....................................................................................358
9.9.14 Example for Configuring the Ethernet Layer 2 Leased Line Access Service....................................................... 364
9.9.15 Example for Configuring the Ethernet Layer 3 Leased Line Access.................................................................... 367
9.9.16 Example for Configuring Layer 2 IPoE Access (Web Authentication).................................................................370
9.9.17 Example for Configuring Layer 2 IPoE Access (Web+MAC Authentication)..................................................... 376
9.9.18 Example for Configuring WLAN User Access Based on RADIUS Proxy Authentication.................................. 383
9.9.19 Example for Configuring Dumb Terminal Access Based on a VLAN ID............................................................ 389
9.9.20 Example for Configuring Dumb Terminal Access Based on a MAC Address..................................................... 392

10 PPPoE Access Configuration................................................................................................. 396
10.1 Overview of PPPoE Access......................................................................................................................................397
10.2 License Requirements and Limitations for PPPoE--M2E........................................................................................ 399
10.3 Licensing Requirements and Limitations for PPPoE--M2F....................................................................................399
10.4 Licensing Requirements and Limitations for PPPoE--M2H................................................................................... 400
10.5 Licensing Requirements and Limitations for PPPoE--M2K................................................................................... 401
10.6 Configuring PPPoE Access Services........................................................................................................................402
10.6.1 Configuring a VT...................................................................................................................................................403
10.6.2 Binding a VT to an Interface................................................................................................................................. 405
10.6.3 (Optional) Configuring PPPoE Server Parameters................................................................................................405
10.6.4 Binding Sub-interfaces to a VLAN....................................................................................................................... 406
10.6.5 Configuring a BAS Interface................................................................................................................................. 407
10.6.6 (Optional) Configuring Access Control on a BAS Interface.................................................................................410
10.6.7 (Optional) Configuring Refined IPv4 Route Advertisement.................................................................................412
10.6.8 (Optional) Configuring PPP User Access Limitations.......................................................................................... 413
10.6.9 (Optional) Configuring URPF for PPP Users........................................................................................................413
10.6.10 (Optional) Configuring the PPP Magic Number Check Function.......................................................................414
10.6.11 (Optional) Configuring Flexible Access to VPNs............................................................................................... 414
10.6.12 (Optional) Enabling BGP Route Forwarding Between a CPE and BRAS..........................................................419
10.6.13 Verifying the PPPoE Access Service Configuration........................................................................................... 420
10.7 Configuring PPPoEv6 Access Services....................................................................................................................421
10.7.1 Configuring an Address Allocation Mode.............................................................................................................421
10.7.2 Configuring a Virtual Template............................................................................................................................. 422
10.7.3 Binding the Virtual Template to an Interface........................................................................................................ 424
10.7.4 Binding a Sub-interface to a VLAN...................................................................................................................... 424
10.7.5 Configuring a BAS Interface................................................................................................................................. 425
10.7.6 (Optional) Configuring Refined IPv6 Route Advertisement.................................................................................429
10.7.7 (Optional) Configuring the PPP Magic Number Check Function.........................................................................430
10.7.8 Verifying the PPPoXv6 Access Service Configuration......................................................................................... 430
10.8 Maintaining PPPoE Access...................................................................................................................................... 433
10.8.1 Clearing PPPoE Statistics...................................................................................................................................... 433
10.9 Configuration Examples for PPPoE Access ............................................................................................................ 434
10.9.1 Example for Configuring PPPoE Access for IPv4 Users...................................................................................... 434
10.9.2 Example for Configuring PPPoE Access for IPv6 Users...................................................................................... 438
10.9.3 Example for Configuring PPPoE Access for IPv4/IPv6 Dual-Stack Users.......................................................... 443
10.9.4 Example for Connecting BRAS Users to the Internet Through VLL................................................................... 449
10.9.5 Example for Configuring Rate Limiting for PPPoEv4 Access............................................................................. 456
10.9.6 Example for Configuring IPv4/IPv6 Dual-Stack Access Based on Web+MAC Authentication.......................... 466

11 802.1X Access Configuration................................................................................................. 475
11.1 Overview of 802.1X Access..................................................................................................................................... 475
11.2 802.1X Authentication Features Supported by the NE40E...................................................................................... 476
11.3 Configuring 802.1X Access Services....................................................................................................................... 476
11.3.1 Creating a Dot1x Template.................................................................................................................................... 477
11.3.2 Binding a Dot1x Template to a Domain................................................................................................................. 478
11.3.3 (Optional) Binding a Sub-interface to a VLAN.....................................................................................................478
11.3.4 Configuring a BAS Interface................................................................................................................................. 479
11.3.5 Verifying the 802.1X Access Configuration..........................................................................................................481
11.4 Configuration Examples for 802.1X Access............................................................................................................ 482
11.4.1 Example for Configuring 802.1X Access..............................................................................................................482
11.4.2 Example for Configuring 802.1X Access..............................................................................................................485

12 L2TP Access Configuration................................................................................................... 489
12.1 Overview of L2TP Access........................................................................................................................................490
12.2 Licensing Requirements and Limitations for L2TP--M2F......................................................................................491
12.3 Licensing Requirements and Limitations for L2TP--M2H..................................................................................... 493
12.4 License Requirements and Limitations for L2TP--M2E.......................................................................................... 496
12.5 Licensing Requirements and Limitations for L2TP--M2K..................................................................................... 497
12.6 Configuring an LAC................................................................................................................................................. 499
12.6.1 Enabling L2TP.......................................................................................................................................................501
12.6.2 Configuring an L2TP Connection on the LAC..................................................................................................... 502
12.6.3 Configuring Tunnel Authentication.......................................................................................................................504
12.6.4 Configuring L2TP User Attributes........................................................................................................................ 507
12.6.5 Configuring AAA Schemes...................................................................................................................................509
12.6.6 Configuring LAC-side User Access...................................................................................................................... 509
12.6.7 Verifying the LAC Configuration..........................................................................................................................510
12.7 Configuring an LNS................................................................................................................................................. 512
12.7.1 Enabling the L2TP Function..................................................................................................................................513
12.7.2 Configuring an L2TP Connection on the LNS...................................................................................................... 514
12.7.3 Configuring L2TP Tunnel Authentication.............................................................................................................516
12.7.4 (Optional) Configuring User Authentication on the LNS..................................................................................... 518
12.7.5 Setting Tunnel Parameters on the LNS..................................................................................................................519
12.7.6 Configuring AAA Schemes...................................................................................................................................520
12.7.7 Configuring an Address Assignment Mode.......................................................................................................... 521
12.7.8 Verifying the LNS Configuration.......................................................................................................................... 522
12.8 Configuring L2TP Tunnel Switching....................................................................................................................... 524
12.9 (Optional) Configuring L2TP HQoS........................................................................................................................ 525
12.9.1 Configuring a QoS Profile..................................................................................................................................... 526
12.9.2 Applying the QoS Profile to the Domain.............................................................................................................. 526
12.9.3 Configuring the L2TP HQoS Scheduling Mode................................................................................................... 527
12.9.4 Verifying the L2TP HQoS Configuration..............................................................................................................528
12.10 (Optional) Adjusting L2TP Connection Parameters.............................................................................................. 529

12.10.1 Configuring AVP Attributes for L2TP Packets................................................................................................... 530
12.10.2 Configuring the Hello Interval............................................................................................................................ 533
12.10.3 Configuring Control Packet Retransmission....................................................................................................... 533
12.10.4 Configuring the Idle-Cut Timer of a Tunnel........................................................................................................534
12.10.5 Configuring the Default Invalid VLAN ID in the calling-station-id Attribute................................................... 535
12.10.6 Verifying the L2TP Connection Parameter Configuration.................................................................................. 535
12.11 Maintaining L2TP...................................................................................................................................................537
12.12 Configuration Examples for L2TP Access............................................................................................................. 537
12.12.1 Example for Configuring L2TP Access in NAS-initiated VPN Scenarios......................................................... 537
12.12.2 Example for Configuring L2TP Access in Client-initiated VPN Scenarios........................................................543
12.12.3 Example for Configuring Access to L3VPNs Through L2TP Tunnels...............................................................547
12.12.4 Example for Configuring LTS............................................................................................................................. 555
12.12.5 Example for Configuring L2TP Tunnel-based QoS Scheduling for User Access.............................................. 562
12.12.6 Example for Configuring L2TP Session-based QoS Scheduling for User Access............................................. 566
12.12.7 Example for Configuring L2TP Load Balancing................................................................................................ 571
12.12.8 Example for Configuring an L2TP Tunnel on a VPN for User Access.............................................................. 577
12.12.9 Example for Configuring an L2TP Tunnel on an L3VPN for User Access........................................................ 586

13 User Access Multi-Device Backup Configuration............................................................ 595
13.1 Overview.................................................................................................................................................................. 596
13.2 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2E....................................... 596
13.3 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2F....................................... 597
13.4 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2H.......................................603
13.5 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2K.......................................609
13.6 Configuring Multi-Device Backup for IPv4 User Information................................................................................ 615
13.6.1 Establishing a Multi-Device Backup Platform...................................................................................................... 615
13.6.2 (Optional) Disabling User Information Remote Backup in a Specified Domain..................................................620
13.6.3 Setting NAS Parameters........................................................................................................................................ 621
13.6.4 (Optional) Setting the Interval for Backing Up Traffic or the Traffic Threshold..................................................621
13.6.5 Controlling Advertisement of Address Pool UNRs.............................................................................................. 622
13.6.6 Configuring User Information Backup in Shared IP Address Pool Mode............................................................ 623
13.6.7 Configuring an Address Pool on a Device Configured with a Shared Address Pool............................................626
13.6.8 (Optional) Configuring IP Addresses for Web Authentication and RADIUS Authorization Servers.................. 628
13.6.9 Binding the RBP to a User Access Interface......................................................................................................... 629
13.6.10 (Optional) Enabling the Backup Device to Discard DHCPv4 Release Messages in RUI Scenarios.................. 630
13.6.11 (Optional) Configuring an Upper Threshold for the User Access Rate on the Backup Device.......................... 630
13.6.12 (Optional) Binding a Static Route Tag to the RBS..............................................................................................631
13.6.13 (Optional) Configuring a Session ID Range for PPPoE Users............................................................................632
13.6.14 Checking the Configurations............................................................................................................................... 632
13.7 Configuring Multi-Device Backup for IPv6 BRAS User Information.....................................................................634
13.7.1 Establishing a Multi-Device Backup Platform...................................................................................................... 635
13.7.2 (Optional) Disabling User Information Remote Backup in a Specified Domain..................................................639
13.7.3 Setting NAS Parameters........................................................................................................................................ 640

13.7.4 (Optional) Setting the Interval for Backing Up Traffic or the Traffic Threshold..................................................641
13.7.5 Configuring User Information Backup in Shared IP Address Pool Mode............................................................ 641
13.7.6 Configuring User Information Backup in Exclusive Address Pool Mode............................................................ 643
13.7.7 (Optional) Configuring IP Addresses for Web Authentication and RADIUS Authorization Servers.................. 645
13.7.8 Binding the RBP to a User Access Interface......................................................................................................... 647
13.7.9 (Optional) Configuring an Upper Threshold for the User Access Rate on the Backup Device............................647
13.7.10 (Optional) Binding a Static Route Tag to the RBS..............................................................................................648
13.7.11 (Optional) Configuring a Session ID Range for PPPoE Users............................................................................649
13.7.12 Checking the Configurations............................................................................................................................... 649
13.8 Configuring Multicast Two-node Hot Backup......................................................................................................... 652
13.8.1 Enabling a Multicast RBS..................................................................................................................................... 652
13.8.2 (Optional) Configuring IGMP Packet Duplication............................................................................................... 652
13.8.3 Checking the Configuration Result....................................................................................................................... 653
13.9 Configuring L2TP Two-node Hot Backup............................................................................................................... 654
13.9.1 Establishing a Multi-Device Backup Platform...................................................................................................... 654
13.9.2 Setting a Base Value for L2TP Tunnel IDs............................................................................................................659
13.9.3 Configuring an L2TP Tunnel.................................................................................................................................659
13.9.4 Enabling an L2TP RBS......................................................................................................................................... 660
13.9.5 Controlling Advertisement of L2TP Hot Backup Routes..................................................................................... 660
13.9.6 (Optional) Setting the Maximum Number of Users Allowed on an L2TP LAC......................................................662
13.9.7 (Optional) Disabling the L2TP Traffic Protection Mechanism............................................................................. 662
13.9.8 Checking the Configurations................................................................................................................................. 663
13.10 Maintaining Multi-System Backup........................................................................................................................ 665
13.10.1 Displaying Backup Information.......................................................................................................................... 665
13.10.2 Clearing Backup Information.............................................................................................................................. 665
13.11 Configuration Examples......................................................................................................................................... 666
13.11.1 Example for Configuring RUI in Exclusive Address Pool Mode....................................................................... 666
13.11.2 Example for Configuring RUI in Shared Address Pool Mode............................................................................ 675
13.11.3 Example for Configuring User Information Backup with Automatic Route Advertisement.............................. 685
13.11.4 Example for Configuring Multicast Dual-Device Hot Backup........................................................................... 693
13.11.5 Example for Configuring IPv6 Dual-Device Hot Backup...................................................................................703
13.11.6 Example for Configuring L2TP Two-Node Hot Backup.....................................................................................709
13.11.7 Example for Configuring RUI+EDSG in Exclusive Address Pool Mode...........................................................718
13.11.8 Example for Configuring RUI+EDSG in Shared Address Pool Mode............................................................... 735
13.11.9 Example for Configuring Dual-device Hot Backup for Layer 3 Static IPv4 Users............................................ 753

14 Configuring SAID for BRAS Services................................................................................ 762

1 About This Document

Purpose
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the User Access feature supported by the
NE40E.

Related Version
The following table lists the product version related to this document.

Product Name        Version
NE40E-M2 Series     V800R010C10
U2000               V200R018C50

Intended Audience
This document is intended for:

• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers

Security Declaration
• Encryption algorithm declaration
The encryption algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital signature scenarios) have low security and may bring security risks. If the protocols allow, using more secure encryption algorithms, such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2, is recommended.
• Password configuration declaration
– Do not set both the start and end characters of a password to "%^%#". This causes the password to be displayed directly in the configuration file.
– To further improve device security, periodically change the password.
• Personal data declaration
Your purchased products, services, or features may use some personal data of users during service operation or fault locating. You must define user privacy policies in compliance with local laws and take proper measures to fully protect personal data.
• Feature declaration
– The NetStream feature may be used to analyze the communication information of terminal customers for network traffic statistics and management purposes. Before enabling the NetStream feature, ensure that it is performed within the boundaries permitted by applicable laws and regulations. Effective measures must be taken to ensure that information is securely protected.
– The mirroring feature may be used to analyze the communication information of terminal customers for maintenance purposes. Before enabling the mirroring function, ensure that it is performed within the boundaries permitted by applicable laws and regulations. Effective measures must be taken to ensure that information is securely protected.
– The packet header obtaining feature may be used to collect or store some communication information about specific customers for transmission fault and error detection purposes. Huawei cannot offer services to collect or store this information unilaterally. Before enabling the function, ensure that it is performed within the boundaries permitted by applicable laws and regulations. Effective measures must be taken to ensure that information is securely protected.
• Reliability design declaration
Network planning and site design must comply with reliability design principles and provide device- and solution-level protection. Device-level protection includes dual-network and inter-board dual-link planning principles to avoid a single point of failure or a single link of failure. Solution-level protection refers to fast convergence mechanisms, such as FRR and VRRP.

Special Declaration
• This document serves only as a guide. The content is written based on device information gathered under lab conditions. The content provided by this document is intended to be taken as general guidance, and does not cover all scenarios. The content provided by this document may be different from the information on user device interfaces due to factors such as version upgrades and differences in device models, board restrictions, and configuration files. The actual user device information takes precedence over the content provided by this document. The preceding differences are beyond the scope of this document.
• The maximum values provided in this document are obtained in specific lab environments (for example, only a certain type of board or protocol is configured on a tested device). The actually obtained maximum values may be different from the maximum values provided in this document due to factors such as differences in hardware configurations and carried services.
• Interface numbers used in this document are examples. Use the existing interface numbers on devices for configuration.
• The pictures of hardware in this document are for reference only.


Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol            Description
(symbol image)    Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
(symbol image)    Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
(symbol image)    Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
NOTICE            Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
NOTE              Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue
contains all updates made in previous issues.
• Changes in Issue 01 (2018-12-05)
This issue is the first official release. The software version of this issue is V800R010C10SPC500.


2 License Requirements and Limitations for User Access--M2E

Licensing Requirements
This feature is a basic feature and is not under license control.

Restrictions and Guidelines
N/A


3 License Requirements and Limitations for User Access--M2F

Licensing Requirements
BOM Item: 82400206
License Control Item: NetEngine40E Subscribers Quantity(1k Subscribers)
Description: Controllable feature: This license controls the number of BAS access users. Each license allows the access of 1000 users.
Minimum Version Requirement: V800R009

Restrictions and Guidelines
N/A


4 License Requirements and Limitations for User Access--M2H

Licensing Requirements
BOM Item: 82400206
License Control Item: NetEngine40E Subscribers Quantity(1k Subscribers)
Description: Controllable feature: This license controls the number of BAS access users. Each license allows the access of 1000 users.
Minimum Version Requirement: V800R009

Restrictions and Guidelines
N/A


5 License Requirements and Limitations for User Access--M2K

Licensing Requirements
BOM Item: 82400206
License Control Item: NetEngine40E Subscribers Quantity(1k Subscribers)
Description: Controllable feature: This license controls the number of BAS access users. Each license allows the access of 1000 users.
Minimum Version Requirement: V800R009

BOM Item: 88035DSN
License Control Item: M2 Series Subscribers Quantity(1k Subscribers)
Description: Controllable feature: This license controls the number of BAS access users. Each license allows the access of 1000 users.
Minimum Version Requirement: V800R010C10

Restrictions and Guidelines
N/A


6 AAA and User Management Configuration (Access User)

About This Chapter

This chapter describes how to configure authentication, authorization, and accounting (AAA) to implement local or remote authentication, authorization, and accounting. This feature is not supported on the M2E.

Context
NOTE

This feature is supported only on the Admin-VS.

6.1 Overview of AAA
This section describes concepts related to AAA, including the AAA scheme, RADIUS server template, HWTACACS server template, and domain attribute.
6.2 Licensing Requirements and Limitations for AAA and User Management--M2F
6.3 Licensing Requirements and Limitations for AAA and User Management--M2H
6.4 Licensing Requirements and Limitations for AAA and User Management--M2K
6.5 Configuring AAA Schemes
By configuring AAA schemes, you can determine the authentication, authorization, and
accounting modes for a user.
6.6 Configuring RADIUS
RADIUS related information must be configured when a remote RADIUS server is used to
perform authentication and accounting for users.
6.7 Configuring the Diameter Server
A Diameter server must be configured when service policies need to be delivered through a
Diameter server.
6.8 Configuring the Function to Locally Generate and Store User Bills
This section describes how to configure the function to locally generate and store user bills, so
that user accounting information is correct if an interworking RADIUS server fails to respond
upon user login or logout.


6.9 Configuring a Domain
The NE40E supports domain-based management for local users and access users.
6.10 Configuring and Managing Users
The BRAS manages users either through the domain to which users belong or user accounts.
6.11 Maintaining AAA
This section describes how to maintain AAA by clearing HWTACACS statistics and
debugging RADIUS or HWTACACS.
6.12 Configuration Examples for AAA and User Management
This section provides configuration examples of AAA, including networking requirements,
configuration notes, and configuration roadmap.

6.1 Overview of AAA

This section describes concepts related to AAA, including the AAA scheme, RADIUS server template, HWTACACS server template, and domain attribute.

6.2 Licensing Requirements and Limitations for AAA and User Management--M2F
Licensing Requirements
This feature is a basic feature and is not under license control.


Restrictions and Guidelines

Restrictions:
• RADIUS-delivered flow queue parameters do not take effect if a priority-mode flow queue profile and a four-flow-queue mapping (cos0/cos1/cos2/cos3) profile are configured.
• Home and vCPE users are not supported.
• Both RADIUS-delivered and configured flow queue parameters take effect. If RADIUS-delivered flow queue parameters are inconsistent with those configured, the RADIUS-delivered flow queue parameters do not take effect.
Guidelines: None
Impact: Flow queue parameters do not take effect.

Restrictions: When IPoE user names are generated based on the format configured using the vlanpvc-to-username command, the system name in a user name can contain a maximum of 17 bytes. Excessive bytes will be truncated. If parameters specified in the default-user-name command cannot be obtained from user sessions, the generated user names do not contain the parameters. For example, if no IP address is assigned to a DHCP user before the user goes online, the IP address cannot be used to generate the user name.
Guidelines: Properly configure the mode for generating user names for IPoE users and properly set the system name of a device. If a user name needs to contain the system name, control the length of the system name to be no more than 17 characters.
Impact: Communication between IPoE users and the RADIUS server is affected.

Restrictions: Restrictions on the function to generate login and logout logs of access users and send the logs to a log server:
• IPv6 addresses are not recorded for IPv6 users.
• For dual-stack users, only the user information of the stack from which users go online first and go offline last is recorded.
• Information about Layer 2 leased line users is not recorded, and user information is not recorded on the RUI backup device.
• The user names recorded in the logs can contain a maximum of 63 bytes. Excessive bytes will be truncated.
Guidelines: None
Impact: Communication with the log server is affected.

Restrictions: The response delay policy for access users on a BAS interface is not supported on the board where inter-board trunk interfaces reside.
Guidelines: Do not deploy a response delay policy for access users and inter-board trunk interfaces on the same board.
Impact: The load balancing function for access users is affected.

Restrictions: The function to adjust bandwidths based on time ranges is not supported for Layer 2 leased line, Layer 3 leased line, Layer 2 VPN leased line, or PPPoLNS users.
Guidelines: None
Impact: The function to adjust bandwidths based on time ranges for Layer 2 leased line, Layer 3 leased line, Layer 2 VPN leased line, and PPPoLNS users is affected.

Restrictions: In scenarios where the QoS profiles for online Layer 2 and Layer 3 leased line users are changed through CoA, if different rate limiting modes are adopted (SQ to CAR or CAR to SQ), a CoA ACK message is returned and information about the new QoS profile is displayed in the display access-user command output. However, the new QoS profile fails to take effect.
Guidelines: None
Impact: The switch between SQ and CAR for leased line users is affected when a QoS profile is delivered through CoA.

Restrictions: If an inbound VPN instance is configured for CGN users, the inbound VPN instance does not take effect. The CGN users still use the original public network VPN instance.
Guidelines: Properly plan services.
Impact: None

6.3 Licensing Requirements and Limitations for AAA and User Management--M2H
Licensing Requirements
This feature is a basic feature and is not under license control.


Restrictions and Guidelines

Restrictions:
• RADIUS-delivered flow queue parameters do not take effect if a priority-mode flow queue profile and a four-flow-queue mapping (cos0/cos1/cos2/cos3) profile are configured.
• Home and vCPE users are not supported.
• Both RADIUS-delivered and configured flow queue parameters take effect. If RADIUS-delivered flow queue parameters are inconsistent with those configured, the RADIUS-delivered flow queue parameters do not take effect.
Guidelines: None
Impact: Flow queue parameters do not take effect.

Restrictions: When IPoE user names are generated based on the format configured using the vlanpvc-to-username command, the system name in a user name can contain a maximum of 17 bytes. Excessive bytes will be truncated. If parameters specified in the default-user-name command cannot be obtained from user sessions, the generated user names do not contain the parameters. For example, if no IP address is assigned to a DHCP user before the user goes online, the IP address cannot be used to generate the user name.
Guidelines: Properly configure the mode for generating user names for IPoE users and properly set the system name of a device. If a user name needs to contain the system name, control the length of the system name to be no more than 17 characters.
Impact: Communication between IPoE users and the RADIUS server is affected.

Restrictions: Restrictions on the function to generate login and logout logs of access users and send the logs to a log server:
• IPv6 addresses are not recorded for IPv6 users.
• For dual-stack users, only the user information of the stack from which users go online first and go offline last is recorded.
• Information about Layer 2 leased line users is not recorded, and user information is not recorded on the RUI backup device.
• The user names recorded in the logs can contain a maximum of 63 bytes. Excessive bytes will be truncated.
Guidelines: None
Impact: Communication with the log server is affected.

Restrictions: The response delay policy for access users on a BAS interface is not supported on the board where inter-board trunk interfaces reside.
Guidelines: Do not deploy a response delay policy for access users and inter-board trunk interfaces on the same board.
Impact: The load balancing function for access users is affected.

Restrictions: The function to adjust bandwidths based on time ranges is not supported for Layer 2 leased line, Layer 3 leased line, Layer 2 VPN leased line, or PPPoLNS users.
Guidelines: None
Impact: The function to adjust bandwidths based on time ranges for Layer 2 leased line, Layer 3 leased line, Layer 2 VPN leased line, and PPPoLNS users is affected.

Restrictions: In scenarios where the QoS profiles for online Layer 2 and Layer 3 leased line users are changed through CoA, if different rate limiting modes are adopted (SQ to CAR or CAR to SQ), a CoA ACK message is returned and information about the new QoS profile is displayed in the display access-user command output. However, the new QoS profile fails to take effect.
Guidelines: None
Impact: The switch between SQ and CAR for leased line users is affected when a QoS profile is delivered through CoA.

Restrictions: If an inbound VPN instance is configured for CGN users, the inbound VPN instance does not take effect. The CGN users still use the original public network VPN instance.
Guidelines: Properly plan services.
Impact: None

6.4 Licensing Requirements and Limitations for AAA and User Management--M2K
Licensing Requirements
This feature is a basic feature and is not under license control.


Restrictions and Guidelines

Restrictions:
• RADIUS-delivered flow queue parameters do not take effect if a priority-mode flow queue profile and a four-flow-queue mapping (cos0/cos1/cos2/cos3) profile are configured.
• Home and vCPE users are not supported.
• Both RADIUS-delivered and configured flow queue parameters take effect. If RADIUS-delivered flow queue parameters are inconsistent with those configured, the RADIUS-delivered flow queue parameters do not take effect.
Guidelines: None
Impact: Flow queue parameters do not take effect.

Restrictions: When IPoE user names are generated based on the format configured using the vlanpvc-to-username command, the system name in a user name can contain a maximum of 17 bytes. Excessive bytes will be truncated. If parameters specified in the default-user-name command cannot be obtained from user sessions, the generated user names do not contain the parameters. For example, if no IP address is assigned to a DHCP user before the user goes online, the IP address cannot be used to generate the user name.
Guidelines: Properly configure the mode for generating user names for IPoE users and properly set the system name of a device. If a user name needs to contain the system name, control the length of the system name to be no more than 17 characters.
Impact: Communication between IPoE users and the RADIUS server is affected.

Restrictions: Restrictions on the function to generate login and logout logs of access users and send the logs to a log server:
• IPv6 addresses are not recorded for IPv6 users.
• For dual-stack users, only the user information of the stack from which users go online first and go offline last is recorded.
• Information about Layer 2 leased line users is not recorded, and user information is not recorded on the RUI backup device.
• The user names recorded in the logs can contain a maximum of 63 bytes. Excessive bytes will be truncated.
Guidelines: None
Impact: Communication with the log server is affected.

Restrictions: The response delay policy for access users on a BAS interface is not supported on the board where inter-board trunk interfaces reside.
Guidelines: Do not deploy a response delay policy for access users and inter-board trunk interfaces on the same board.
Impact: The load balancing function for access users is affected.

Restrictions: The function to adjust bandwidths based on time ranges is not supported for Layer 2 leased line, Layer 3 leased line, Layer 2 VPN leased line, or PPPoLNS users.
Guidelines: None
Impact: The function to adjust bandwidths based on time ranges for Layer 2 leased line, Layer 3 leased line, Layer 2 VPN leased line, and PPPoLNS users is affected.

Restrictions: In scenarios where the QoS profiles for online Layer 2 and Layer 3 leased line users are changed through CoA, if different rate limiting modes are adopted (SQ to CAR or CAR to SQ), a CoA ACK message is returned and information about the new QoS profile is displayed in the display access-user command output. However, the new QoS profile fails to take effect.
Guidelines: None
Impact: The switch between SQ and CAR for leased line users is affected when a QoS profile is delivered through CoA.

Restrictions: If an inbound VPN instance is configured for CGN users, the inbound VPN instance does not take effect. The CGN users still use the original public network VPN instance.
Guidelines: Properly plan services.
Impact: None

6.5 Configuring AAA Schemes

By configuring AAA schemes, you can determine the authentication, authorization, and accounting modes for a user.

6.5.1 (Optional) Enabling RADIUS

After RADIUS is enabled, AAA requests sent from users are forwarded. After RADIUS is disabled, AAA requests sent from users are discarded.

Context
Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius enable
The RADIUS protocol is enabled.

Step 3 Run commit
The configuration is committed.

----End

6.5.2 Configuring an Authentication Scheme

After configuring an authentication mode, you need to configure the relevant user information on the authentication server; if user information is not configured, users cannot pass authentication.

Context
Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run authentication-scheme scheme-name
An authentication scheme is created.
The authentication schemes named default, default0, and default1 are set by default on the
NE40E. They can be modified but cannot be deleted.

Step 4 Run authentication-mode { radius | local } * [ none ]
Or run authentication-mode none
Or run authentication-mode radius-proxy
An authentication mode is set.
• If RADIUS authentication is used, you need to configure a RADIUS authentication server. For configuration details, see Configuring RADIUS Authentication and Accounting Servers.
• If local authentication is used, you need to run the local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password } command to create a local user.
• If RADIUS proxy authentication is used, you need to configure RADIUS authentication proxy. For configuration details, see (Optional) Configuring RADIUS Proxy Authentication.

Step 5 (Optional) Run authening authen-fail { offline | online authen-domain domain-name }
The policy for handling the authentication failure is configured.
The policy for handling the authentication failure refers to the policy used by the NE40E after
the user fails the authentication.
Step 6 (Optional) Run authening quota-out-redirect-enable
The function of redirecting a user to a specified domain when the user's quota is equal to zero is enabled.
Step 7 (Optional) Run authening authen-redirect online authen-domain domain-name
The redirection domain is configured.
After you configure the redirection domain, the users that pass the authentication and the
users that actually fail the authentication go online from different domains.
By configuring a private IP address pool, UCL-based access control, and security domain in
the redirection domain, you can differentiate the functions of address allocation (private
addresses and public addresses), access control, and NAT for different user domains. In this
manner, users in different domains are separated by differentiated configurations. This
solution effectively saves Internet IP addresses and prevents unauthorized users from
occupying many Internet IP addresses.
Step 8 (Optional) In the AAA domain view, run mac-authentication enable
The MAC address authentication is enabled.

NOTE

MAC address authentication is used to simplify Web authentication. If MAC address authentication is enabled, a user undergoing Web authentication only needs to enter the user name and password the first time, and the RADIUS server records the user's MAC address. When the user attempts to pass Web authentication again, the RADIUS server performs the authentication based on the user's MAC address, and the user does not need to enter the user name and password again.
On an existing network, this command is used together with the authening authen-fail online authen-domain domain-name command. If MAC authentication fails, the user can perform Web authentication by entering the user name and password in the redirection domain, and then enter the authentication domain and access the network resources.

----End
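The procedure above, carried through as one session. This is an added example and is not configuration from the original guide: the scheme name auth-radius-local, the redirection domain redirect-domain, the local account user1 and its password are assumed values, and the prompts follow the NE40E two-stage commit convention (an asterisk marks uncommitted changes).

```text
# Added example, not from the original guide. Names auth-radius-local,
# redirect-domain and user1 are assumed.
<HUAWEI> system-view
# Step 1 of 6.5.1: without this, AAA requests from users are discarded.
[~HUAWEI] radius enable
[*HUAWEI] aaa
# Create the scheme; default, default0 and default1 already exist and cannot be deleted.
[*HUAWEI-aaa] authentication-scheme auth-radius-local
# RADIUS is tried first; the local user database is consulted only when RADIUS
# cannot answer, so a remote outage does not lock every user out.
[*HUAWEI-aaa-authen-auth-radius-local] authentication-mode radius local
# Users that fail authentication are not rejected outright but placed in
# redirect-domain, which is expected to carry a private address pool and
# UCL-based access control so they cannot reach the public network.
[*HUAWEI-aaa-authen-auth-radius-local] authening authen-fail online authen-domain redirect-domain
[*HUAWEI-aaa-authen-auth-radius-local] quit
# Local fallback account. irreversible-cipher stores a one-way digest, so the
# clear-text password cannot be recovered from the configuration file
# (cipher would store a reversibly encrypted value).
[*HUAWEI-aaa] local-user user1 password irreversible-cipher Example-Passw0rd
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit
[~HUAWEI]
```

The scheme only takes effect for users whose domain references it; binding the scheme to a domain is covered under Configuring a Domain later in this chapter.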

6.5.3 (Optional) Configuring Command-Line Reauthorization

Context
If you cannot change the user group to which an online user belongs because the dynamic
authorization server is Down, run commands to change the user group and reauthorize the
user.

NOTE

In network planning, ACLs are used to control user access authority, and ACL rules are configured
based on user groups. Therefore, to change a user's access authority, you can change its user group. For
example, ACL rules are configured to allow user group 1 to access only the internal network and user
group 2 to access both internal and external networks. When user A in user group 1 goes online, user A
can access the internal network only. To allow user A to access both internal and external networks,
reauthorize user A by changing its user group to user group 2.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run reauthorize enable
Command-line reauthorization is enabled.


Step 3 Run reauthorize username username user-group user-group-name
The user group of a specified user is changed.

----End

6.5.4 (Optional) Configuring Policies for User Authentication Failures

Context
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run user-qos cir-zero { cir-value | unlimited }
The CIR of user traffic when the CIR and PIR delivered by the RADIUS server are both 0 is set.

NOTE

This command can be used only when the upstream and downstream CIR and PIR delivered by the
RADIUS server are both 0s.

Step 4 Run quit
Return to the system view.
Step 5 Run radius-server group group-name
The RADIUS server group view is displayed.
Step 6 Run radius-attribute qos-profile no-exist-policy { online | offline }
The policy whether to allow users to keep online when the QoS profile delivered by the
RADIUS server is not configured on the NE40E is configured.
Step 7 Run radius-attribute policy-name no-exist-policy { online | offline }
The policy whether to allow users to keep online when the policy name delivered by the
RADIUS server is not configured on the NE40E is configured.
Step 8 Run commit
The configuration is committed.

----End
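The policies of this section applied together, as an added example that is not part of the original guide. The RADIUS server group name rs-group1 and the CIR value are assumed; the unit of cir-value is not stated on this page and is assumed here to be kbit/s.

```text
# Added example, not from the original guide. rs-group1 and the CIR value are
# assumed; the unit of cir-value is assumed to be kbit/s.
<HUAWEI> system-view
[~HUAWEI] aaa
# If RADIUS delivers CIR = 0 and PIR = 0 for a user, apply a fixed CIR instead
# of leaving the user's rate undefined. The keyword unlimited would remove the
# limit entirely, which is the less conservative choice.
[*HUAWEI-aaa] user-qos cir-zero 2048
[*HUAWEI-aaa] quit
[*HUAWEI] radius-server group rs-group1
# Fail closed: a user whose RADIUS-delivered QoS profile or policy name is not
# configured on the device is taken offline rather than admitted with no
# rate limit or policy applied. Use online only where unrestricted access is
# acceptable while the missing profile is being added.
[*HUAWEI-radius-rs-group1] radius-attribute qos-profile no-exist-policy offline
[*HUAWEI-radius-rs-group1] radius-attribute policy-name no-exist-policy offline
[*HUAWEI-radius-rs-group1] commit
[~HUAWEI-radius-rs-group1] quit
[~HUAWEI]
```

Whichever no-exist-policy value is chosen, the mismatch between the RADIUS server's attribute and the device's configuration is the condition to look for when users are unexpectedly logged off or unexpectedly unrestricted.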


6.5.5 Configuring an Accounting Scheme

You must configure an accounting scheme before implementing accounting for users.

Context
After being authenticated and authorized, users successfully go online, and accounting starts
with the access of services. Accounting is performed based on online time, user traffic, or
both. The accounting process is as follows: The NE40E collects statistics on the online time
and the upstream and downstream traffic, and then sends the statistics to the RADIUS server
in the format specified by the RADIUS protocol. At last, the server returns a message to the
NE40E indicating whether accounting succeeds.
Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run realtime-accounting backup enable
Real-time accounting backup is enabled between the master and slave MPUs.
Run this command if the RADIUS server requires that the interval at which real-time
accounting packets are sent be strictly followed. After the realtime-accounting backup
enable command is run, the master and slave MPUs start real-time accounting at the same
time. Even if a master/slave MPU switchover occurs during the real-time accounting interval,
the device still sends real-time accounting packets at the configured interval.
Step 4 Run accounting-scheme scheme-name
An accounting scheme is created.
The accounting schemes named default0 and default1 exist by default on the NE40E. They can be modified but cannot be deleted.
Step 5 Run accounting-mode { hwtacacs | none | radius }
An accounting mode is set.
The NE40E supports RADIUS accounting, HWTACACS accounting, and non-accounting.

NOTE

Only administrators support HWTACACS accounting.

Step 6 (Optional) Run accounting interim interval interval [ second ] [ traffic ] [ hash ]
The interval for real-time accounting and conditions for sending real-time accounting packets
are configured and real-time accounting packets are hashed for the accounting scheme.
Real-time accounting means that the NE40E periodically generates accounting packets and sends them to the remote accounting server while a user is online. Real-time accounting minimizes the loss of accounting information when communication between the NE40E and the remote server is interrupted.

The interval for real-time accounting can be in minutes or seconds.

Step 7 (Optional) Run accounting start-fail { offline | online [ keep-accounting ] }

The policy for handling the accounting start failure is configured.

If the NE40E does not receive any response after sending an accounting start packet to the
remote accounting server, the NE40E adopts the policy for the accounting start failure. This
policy may keep the user online or log the user out.

Step 8 (Optional) Run accounting interim-fail [ max-times times ] { offline | online }

The policy for the real-time accounting failure is configured.

If the NE40E receives no response after resending real-time accounting packets to the remote accounting server the configured number of times, the NE40E applies the policy for real-time accounting failure. This policy either keeps the user online or logs the user out.

When a RADIUS or HWTACACS server is used for accounting, set the real-time accounting interval to be longer than the time taken to retransmit a failed RADIUS or HWTACACS packet (the number of retransmissions multiplied by the retransmission timeout).

Step 9 (Optional) Run accounting send-update

The NE40E is configured to send real-time accounting packets immediately after receiving
the accounting start response.

After receiving the accounting response, the NE40E determines whether to send the real-time
accounting packet immediately according to the configuration.

Step 10 (Optional) Enable the device to send an accounting-start packet for a dual-stack user after a specified delay
1. Run aaa
The AAA view is displayed.
2. Run domain domain-name
The domain view is displayed.
3. Run accounting-start-delay
The device is enabled to delay sending the accounting-start packet for dual-stack users.
4. Run commit
The configuration is committed.

----End

6.5.6 Configuring an AAA Scheme for a Domain


You must configure an AAA scheme for a domain before you perform AAA on users in this
domain.

Context
Perform the following steps on the Router:


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name

The domain view is displayed.

NOTE

User authentication, authorization, and accounting must be performed in the domain view.

Step 4 Run authentication-scheme scheme-name

An authentication scheme is specified for the domain.

By default, user-defined domains and the default1 domain use the default1 authentication scheme, the default_admin domain uses the default authentication scheme, and the default0 domain uses the default0 authentication scheme. You can run the display authentication-scheme command to view detailed information about the default authentication schemes.

Step 5 Run accounting-scheme scheme-name

An accounting scheme is specified for the domain.

By default, the default1 accounting scheme is used for user-defined domains and the default1
domain; the default0 accounting scheme is used for the default0 domain and default_admin
domain.

Step 6 (Optional) Run accounting dual-stack { separate | identical }

The accounting mode for IPv4/IPv6 dual-stack users is configured.

When separate is configured, the IPv4 and IPv6 traffic of a dual-stack user is reported to the server separately; when identical is configured, the two are reported together.

By default, accounting is performed separately for IPv4 and IPv6 traffic.

Step 7 Run authorization-scheme scheme-name

An authorization scheme is specified for the domain.

----End

6.5.7 Verifying the AAA Scheme Configuration


When an AAA scheme is configured, you can view the configuration of AAA, the recording
scheme, and basic information about online users.

Prerequisites
AAA schemes have been configured.


Procedure
l Run the display aaa configuration command to check brief information about AAA.
l Run the display accounting-scheme [ accounting-scheme-name ] command to check the
configuration about the accounting scheme.
l Run the display authentication-scheme [ authentication-scheme-name ] command to
check the configuration about the authentication scheme.
l Run the display authorization-scheme [ authorization-scheme-name ] command to
check the configuration about the authorization scheme.
l Run the display recording-scheme [ recording-scheme-name ] command to check the
configuration about the recording scheme.
----End

6.6 Configuring RADIUS


RADIUS related information must be configured when a remote RADIUS server is used to
perform authentication and accounting for users.

Context
NOTE

This configuration task is supported only on the Admin-VS.

6.6.1 Configuring RADIUS Authentication and Accounting Servers

If one server is used for both authentication and accounting, different UDP ports must be used for authentication and accounting.

Context
To configure Remote Authentication Dial-In User Service (RADIUS) authentication and
accounting servers, configure the following parameters:
l IP addresses of the authentication and accounting servers
l VPN instance to which the authentication and accounting servers belong
l UDP port numbers of the authentication and accounting servers (1812 for authentication and 1813 for accounting by default)
l Weights of the authentication and accounting servers (applicable only to the load balancing mode; the default value is 0)
NOTE

The RADIUS authentication and accounting servers can use the same IP address. This means that a
server can function as both an authentication server and an accounting server.

Perform the following steps on the Router:

Procedure
Step 1 Run system-view


The system view is displayed.


Step 2 Run radius-server group group-name
The RADIUS server group view is displayed.
Step 3 Run radius-server authentication { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]
A RADIUS authentication server is configured.
If PPP users do not use the default port for authentication, run the radius-server authentication ip-address [ vpn-instance instance-name ] ppp-user-port port command.
Step 4 (Optional) Run radius-server authentication rollover-on-reject
The function of polling RADIUS servers for authentication after receiving a RADIUS
Access-Reject packet is enabled.

Step 5 (Optional) Run radius-server { retransmit retry-times | timeout timeout-value } *

The number of transmission attempts and the retransmission timeout period used by the NE40E when sending request packets to RADIUS servers are configured.
If neither authentication nor accounting is specified in the radius-server retransmit timeout command, the settings apply to all RADIUS authentication servers and RADIUS accounting servers in the RADIUS server group. If authentication is specified, the settings apply to all RADIUS authentication servers in the group; if accounting is specified, the settings apply to all RADIUS accounting servers in the group.
Step 6 Run radius-server accounting { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]
A RADIUS accounting server is configured.
If PPP users do not use the default port for accounting, run the radius-server accounting ip-address [ vpn-instance instance-name ] ppp-user-port port command.
Step 7 (Optional) Run radius-server accounting-start-packet resend [ resend-times ]
The number of times that cached accounting start packets are retransmitted to the RADIUS
accounting server is configured.
Step 8 (Optional) Run radius-server accounting-stop-packet resend [ resend-times ]
The number of times the Accounting-Stop packet that is retransmitted is configured.
Step 9 (Optional) Run radius-server accounting-stop-packet send force
Generally, the RADIUS server creates a user entry only after accounting succeeds. Some RADIUS servers, however, create the entry in the database as soon as the user passes authentication, for example when the user applies for an IP address. If accounting then fails, the IP address is never released and the user cannot go online again. To address this, run the radius-server accounting-stop-packet send force command so that the NE40E sends an Accounting-Stop packet to the RADIUS server, which releases the IP address.
This command takes effect only when accounting fails for an authenticated user and a user entry exists in the database.


Step 10 (Optional) Run radius-server accounting-interim-packet resend [ resend-times ]

RADIUS real-time accounting packet caching is enabled, and the number of retransmissions
is specified for real-time accounting packets entering a cache queue.

Step 11 (Optional) Run radius-server accounting cache max-packet-number

The maximum number of accounting packets that can be cached is configured.

NOTE

If the value specified by max-packet-number is not 8192, the system limits the number of accounting
packets specified by max-packet-number and does not limit the number of users.

Step 12 (Optional) Run radius-server accounting cache retransmit retransmit timeout timeout

An interval at which cached RADIUS accounting packets are retransmitted and the number of
users for each packet retransmission are configured.

Step 13 (Optional) Run radius-server accounting cache memory-threshold memory-threshold-value

A memory usage threshold is configured for the master main control board.

Step 14 (Optional) Run radius-server accounting cache-warning-threshold upper-limit upper-limit lower-limit lower-limit

The accounting packet cache alarm function is enabled, and an alarm threshold and a clear
alarm threshold are configured. If the accounting packet cache usage reaches the configured
alarm threshold, an alarm is reported.

Accounting packet cache usage = Number of cached accounting packets / Maximum number of accounting packets that can be cached

Step 15 (Optional) Run radius-server cache keep packet

The device is disabled from deleting cached accounting packets after the number of
retransmissions reaches the specified upper limit.

Step 16 (Optional) Run radius-server cache resend packet

The sending of cached accounting packets is triggered.

----End

6.6.2 (Optional) Configuring RADIUS Proxy Authentication

Context
In some cases, user authentication and accounting are performed on different devices. For example, an AC is responsible for user authentication while the BRAS is responsible for user accounting. To prevent the two devices from sending authentication packets to the RADIUS server at the same time, configure the BRAS that performs accounting as a RADIUS proxy. The RADIUS proxy records the authentication information of users while forwarding RADIUS authentication packets. The BRAS with RADIUS proxy authentication configured transparently forwards RADIUS packets from a specified RADIUS client to the RADIUS server, records the authorization information delivered by the RADIUS server, and transparently forwards the authentication response packets. If the authentication mode configured in the user domain on the BRAS is radius-proxy, the BRAS can use the recorded authorization information to authorize users.

NOTE
Currently, RADIUS proxy authentication takes effect for only IPoE users.

Perform the following steps on the NE40E.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-client ip-address [ mask { mask-ip | mask-length } ] [ vpn-instance instance-
name ] { { shared-key key | shared-key-cipher key-string-cipher } | server-group
groupname | roam-domain domain-name | domain-authorization | trigger-web
{ authentication | accounting | none } } *
A RADIUS client is configured, including the IP address, VPN instance, shared key, and
RADIUS server group.
Step 3 (Optional) Run radius-client check-attribute-length loose [ correct-forwarding ]
Loose check or correction of attribute lengths in authentication or accounting request packets
is configured.
Step 4 (Optional) Run radius-client packet dscp dscp-value
A DSCP value is set for RADIUS packets sent from the BRAS to the AP/AC.
Step 5 Run commit
The configuration is committed.

----End

6.6.3 (Optional) Configuring the Algorithm for Selecting a RADIUS Server
When there are more than one authentication or accounting server in a RADIUS server group,
you can specify either the load balancing or master/backup mode for these RADIUS servers.

Context
The algorithm for selecting a RADIUS server functions as follows:
l If the radius-server algorithm master-backup command is run or the default master/
backup mode is used, the RADIUS authentication server or accounting server configured
first is the master server, and the others are backup servers. A backup server is selected
only after the master server goes Down.
– When packets are sent for the first time:
If the master server is Up, it is selected. If no server is in the Up state, the first
configured server is selected.
– When packets are retransmitted due to a timeout:
n If a server has already been selected and the number of retransmission times
has not reached the limit, packets are still retransmitted to this server.


n If the number of retransmission times has reached the limit and the master
server times out, packets are retransmitted to the server that has most recently
received packets. If no such server is available or packets have already been
sent to this server, the polling mechanism is used to select another backup
server in the Up state. If no backup server is in the Up state, the next
configured backup server is selected.
n If the number of retransmission times has reached the limit and the backup
server times out, the polling mechanism is used to select another backup server
in the Up state. If no backup server is in the Up state, the next configured
backup server is selected.
l If the radius-server algorithm loading-share command has been configured to set the
load balancing mode, traffic is load-balanced based on the weights of servers.
– If the sum of weights of RADIUS servers is 0, each RADIUS server is considered
to have the same weight. Then a server in the Up state is selected at random.
For example, if a RADIUS server group has six servers, in which four are Up, one
is selected from the four servers in the Up state at random. These four servers have
the same chance of being selected. If no server is Up, one is selected from the six
servers at random. These six servers have the same chance of being selected.
– If the sum of weights of RADIUS servers is greater than 0, all RADIUS servers that
are in the Up state and have not been used are selected at random based on the
proportion by weight. If no RADIUS server is in the Up state, servers are selected at
random based on the proportion by weight.
For example, if a RADIUS server group has four servers, at a weight of 10, 20, 30,
and 40, respectively. If the four servers are all Up or Down, they will be selected at
a probability of 10%, 20%, 30%, and 40%. If the first server is Down, but the other
three servers are Up, a server is selected from the three servers in the Up state at a
probability of 20/(20+30+40), 30/(20+30+40), and 40/(20+30+40).
NOTE

Each time a RADIUS server is selected, the result is independent of previous selections. For example, if two servers each have a selection probability of 50% and 100 consecutive users select the first server, the 101st user still has a 50% probability of selecting the first server. This is like flipping a coin: the probability of heads or tails is 50% each, and over a small number of flips the observed proportion need not be 50%, but over many flips it approaches 50%.
l By default, the RADIUS accounting server is selected based on the authentication server
selection result. After a user selects a RADIUS server for authentication, it will also use
this RADIUS server for accounting. If the radius-server algorithm master-backup
[ strict ] command is run, the accounting server is selected based on the configured
algorithm. The master accounting server is preferentially selected, irrelevant to the
authentication server.
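The selection rules listed above, worked through as an added example. This is illustration code written for this page, not NE40E software, and it models only what the list states: first-transmission selection in master/backup mode, the fallback after a timeout, weighted selection in loading-share mode, and the default of letting accounting follow the authentication choice unless strict is set. The server names, weights and Up/Down states are constructed, and the uniform draw u is passed in rather than generated so that each choice is reproducible.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class RadiusServer:
    name: str          # constructed label, e.g. the server's IP address
    weight: int = 0    # used only in loading-share mode; 0 is the NE40E default
    up: bool = True


def select_master_backup(servers: List[RadiusServer]) -> RadiusServer:
    """First transmission in master/backup mode: the first configured server that is
    Up; if no server is Up, the first configured server (the master)."""
    for s in servers:
        if s.up:
            return s
    return servers[0]


def next_after_timeout(servers: List[RadiusServer], current: RadiusServer,
                       last_responder: Optional[RadiusServer],
                       tried: Set[RadiusServer]) -> Optional[RadiusServer]:
    """Master/backup mode once `current` has exhausted its retransmissions.
    A master timeout first goes to the server that most recently answered (unless it
    was already tried); otherwise the remaining backups are polled starting after
    `current`, preferring an Up one and falling back to the next configured one."""
    if current == servers[0] and last_responder is not None and last_responder not in tried:
        return last_responder
    start = servers.index(current)
    order = servers[start + 1:] + servers[1:start + 1]        # backups after current, wrapping
    order = [s for s in order if s != servers[0] and s not in tried]
    if not order:
        return None                                          # every backup has been tried
    for s in order:
        if s.up:
            return s
    return order[0]


def select_loading_share(servers: List[RadiusServer], u: float) -> RadiusServer:
    """Loading-share mode. Candidates are the Up servers, or all servers if none is Up.
    If the candidates' weights sum to 0 they are equally likely; otherwise each is
    chosen in proportion to its weight. `u` is a uniform draw from [0, 1) and every
    call is independent of earlier ones, as the NOTE above describes."""
    candidates = [s for s in servers if s.up] or list(servers)
    total = sum(s.weight for s in candidates)
    if total == 0:
        return candidates[int(u * len(candidates))]
    threshold, acc = u * total, 0
    for s in candidates:
        acc += s.weight
        if threshold < acc:
            return s
    return candidates[-1]


def select_accounting(auth_choice: RadiusServer, acct_servers: List[RadiusServer],
                      strict: bool) -> RadiusServer:
    """By default accounting goes to the server chosen for authentication (matched by
    name here). With master-backup strict, the accounting server is chosen by its own
    algorithm regardless of the authentication choice."""
    if not strict:
        for s in acct_servers:
            if s.name == auth_choice.name:
                return s
    return select_master_backup(acct_servers)
```

With weights 10, 20, 30 and 40 and the first server Down, the draw lands on the remaining three in the proportions 20/90, 30/90 and 40/90 from the text; when all weights are 0 the Up servers are equally likely.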

Perform the following steps on the Router:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server group group-name

The RADIUS server group view is displayed.


Step 3 Run radius-server algorithm { loading-share | master-backup [ strict ] }

The algorithm for selecting the RADIUS server is configured.

If strict is configured, the accounting server is selected based on the configured algorithm.
The master accounting server is preferentially selected, irrelevant to the authentication server.

----End

6.6.4 (Optional) Configuring Flexible Interoperation of RADIUS Attributes

Context
Perform the following steps on the Router.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run access enable python extend script-package script-package-name

The python script extension function is enabled. A script loaded this way can rewrite authentication and accounting packets before they leave the device, so control who can install script packages and review them as carefully as the rest of the AAA configuration.

Step 3 Run access python-policy policy-name

A python policy template is configured.

Step 4 Run protocol protocol-type { packet packet-type [ direction { ingress | egress } ] } python-script script-name

The system is enabled to call the specified python script to process packets of the specified protocol, type, and direction (inbound or outbound).

Step 5 (Optional) Run protocol protocol-type packet process-fail passthrough

The python script is configured to use the original packet when it fails to modify information
in a packet.

Step 6 Run quit

Return to the system view.

Step 7 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 8 Run python-policy policy-name

The python policy template is bound to the RADIUS server group.

----End


6.6.5 (Optional) Configuring Negotiated Parameters of the RADIUS Server
A RADIUS server and the NE40E must use the same RADIUS parameters and message
format to communicate.

Context
The negotiated parameters specify the conventions of the RADIUS protocol and message
format used for communication between the RADIUS server and the NE40E. The negotiated
parameters are as follows:

l RADIUS protocol version


The NE40E supports the standard RADIUS protocol, RADIUS+1.0, and RADIUS+1.1.
– The standard RADIUS protocol is based on RFC 2865.
– RADIUS+1.0 is a Huawei private RADIUS protocol, compatible with early versions in which the standard vendor ID was not defined. The RADIUS attributes supported by this version are listed separately.
– RADIUS+1.1 is an extension of RFC 2865 that supports more Huawei private RADIUS attributes. The RADIUS attributes supported by this version are listed separately.
l Key
The key (shared secret) is used to hide user passwords and to generate the response authenticator. Before sending an Access-Request, the NE40E obfuscates the User-Password attribute with the MD5 algorithm keyed by the shared key and the request authenticator, so the password does not cross the network in cleartext; the RADIUS server uses the same key to recover it. The server likewise uses the key to compute the response authenticator, which the NE40E checks before trusting a response.
The key on the NE40E must be the same as that on the RADIUS server so that each party can verify the other's packets. The key is case sensitive. Because this protection is only as strong as the key, use a long, random key and do not reuse one key across unrelated devices.
l User name format
On the NE40E, a user name is in the format of user@domain. Certain RADIUS servers
do not support the user names that contain domain names. Therefore, you must set the
format of the user name that the NE40E sends to the RADIUS server according to
whether the user name containing the domain name is supported on the RADIUS server.
l Traffic unit
The traffic units used by different RADIUS servers may be different. The NE40E
supports four traffic units of byte, Kbyte, Mbyte, and Gbyte to meet requirements of
various RADIUS servers.
l Retransmission parameters
After sending a packet to the RADIUS server, if no response is returned within the
specified time, the NE40E resends the packet. In this manner, authentication or
accounting information will not be lost due to temporary congestion on the network.
Retransmission parameters of the RADIUS server include the timeout period and the
number of retransmission times.
l RADIUS attribute names case-sensitive or case-insensitive
Some RADIUS servers support case-sensitive attributes of the RADIUS attributes, and
only the HW-QoS-Profile-Name attribute is case-sensitive at present.
l Number of pending packets


Pending packets refer to those packets that have been sent but are not responded to. The
RADIUS server can concurrently process only a certain number of pending packets.
Therefore, the number of pending packets must be restricted.
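What the key item above means on the wire, as an added example written for this page rather than taken from Huawei: the User-Password hiding and the Response Authenticator of RFC 2865, implemented for a constructed Access-Request and Access-Accept. The shared key, user name and password are invented for the example. The point to take from it is the last check: a response built with a different key fails verification, which is why the key must match on both sides and why the NE40E must verify responses rather than trust any packet that arrives on the right port.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example; neither key comes from the configuration guide.
SHARED_KEY = b"Rr7$kq2!pZ9vLm4w"      # assumed key configured on both the NE40E and the server
WRONG_KEY = b"not-the-real-key"

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2       # attribute numbers from RFC 2865


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865, section 5)."""
    return bytes([attr_type, 2 + len(value)]) + value


def hide_password(password: bytes, key: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865, section 5.2): pad to a multiple of 16 bytes,
    then XOR each block with MD5(key + previous ciphertext block); the 'previous
    block' for the first block is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(key + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, key: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is what the server does with its copy of the key."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(key + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, key: bytes,
                         ident: int = 1, request_auth: bytes = b"") -> bytes:
    """Access-Request as the client (NE40E) sends it. The Request Authenticator must be
    fresh and unpredictable per request: it is the IV of the password hiding."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, key, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, key: bytes, attrs: bytes = b"") -> bytes:
    """Server response. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865, section 3)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + key).digest()
    return header + resp_auth + attrs


def response_is_authentic(response: bytes, request: bytes, key: bytes) -> bool:
    """The check a RADIUS client must make before acting on a response: the Identifier
    must match the outstanding request and the Response Authenticator must verify
    under the shared key. The comparison is constant-time."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + key).digest()
    return hmac.compare_digest(resp_auth, expected)


def password_from_request(request: bytes, key: bytes) -> bytes:
    """Server side: find the User-Password attribute and recover the password."""
    pos = 20
    while pos + 2 <= len(request):
        t, length = request[pos], request[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        if t == USER_PASSWORD:
            return unhide_password(request[pos + 2:pos + length], key, request[4:20])
        pos += length
    raise ValueError("no User-Password attribute")
```

The same key also protects accounting: an Accounting-Request carries MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret) as its authenticator, so a server with a mismatched key silently discards the packet, which shows up on the NE40E as retransmissions and, eventually, the accounting failure policies of 6.5.5.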

Perform the following steps on the Router:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run radius-server packet statistics algorithm { version1 | version2 }

The mode for collecting statistics about RADIUS authentication request and response packets is configured.

If version1 is specified, the radiusAccClientRequests MIB object counts authentication request packets and retransmitted authentication request packets, and the radiusAccClientResponses MIB object counts all authentication response packets, including authentication success, failure, and challenge packets and incorrect response packets. In the display radius-server packet ip-address ip-address authentication command output, the Access Requests field indicates the number of authentication request packets, and the Access Accepts field indicates the number of authentication success packets.

If version2 is specified, the MIB objects are counted in the same way, but in the display radius-server packet ip-address ip-address authentication command output the Access Requests field indicates the sum of authentication request packets and retransmitted authentication request packets, and the Access Accepts field indicates the sum of all authentication response packets, including authentication success, failure, and challenge packets and incorrect response packets.

Step 3 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 4 Run radius-server type { standard | plus10 | plus11 }

The protocol version of the RADIUS server is configured.

Step 5 Run radius-server { shared-key key-string | shared-key-cipher key-string-cipher } [ { authentication | accounting } ip-address [ vpn-instance instance-name ] port-number [ weight weight ] ]

The key of the RADIUS server is configured.

You can configure a key on the NE40E for each RADIUS server.

Step 6 Run radius-server user-name { domain-included | original }

The format of the user name contained in the RADIUS packets is configured.

Step 7 Run radius-server admin-user domain-exclude enable

The device is enabled to apply the undo radius-server user-name domain-included command configuration to the default management domain or a domain in which the adminuser-priority level command is configured.

Step 8 Run radius-attribute apply user-name match user-type { ipoe | pppoe }

The Router replaces the user name with the user name delivered by the RADIUS server.

Step 9 Run radius-server traffic-unit { byte | gbyte | kbyte | mbyte }

The traffic unit of the RADIUS packets is configured.

This command is invalid for the RADIUS servers that do not measure traffic by bytes and the
RADIUS servers that use the standard RADIUS protocol.

Step 10 Run radius-server { retransmit retry-times | timeout timeout-value } *

The number of transmission attempts and the retransmission timeout period are configured for all RADIUS servers in the group. To configure them for only the RADIUS authentication servers or only the RADIUS accounting servers, run the radius-server { authentication | accounting } retransmit retry-times timeout timeout-value command instead.

Step 11 Run radius-attribute agent-circuit-id format { cn | tr-101 }

The format of the agent circuit ID carried in RADIUS packets sent to the upstream device is set.

Step 12 Run radius-server called-station-id include { ap-ip account-request | [ delimiter delimiter ] { ap-mac [ mac-format type1 ] [ delimiter delimiter ] | ssid [ delimiter delimiter ] }* }

The method of constructing the standard RADIUS attribute 30 (Called-Station-Id) is set.

Step 13 Run radius-server calling-station-id include [ delimiter delimiter ] { domain [ delimiter delimiter ] | mac [ mac-format type1 ] [ delimiter delimiter ] | interface [ delimiter delimiter ] | sysname [ delimiter delimiter | option82 [ delimiter delimiter ] ] }*

The method of constructing the standard RADIUS attribute 31 (Calling-Station-Id) is set.

Step 14 Run radius-server attribute case-sensitive attribute-name

NOTE

l At present, only the HW-QoS-Profile-Name attribute can be made case-sensitive.

l The QoS profile name on the Router must be the same as the QoS profile name that the RADIUS server delivers. If they differ in case, the Router applies QoS policies incorrectly.

Step 15 Run radius-server { accounting | authentication } [ ip-address [ vpn-instance vpn-instance-name ] ] [ port ] pending-limit max-number

The maximum number of pending packets that can be sent to the RADIUS server is set.

Step 16 Run radius-server accounting-start-packet send after-ppp

The NE40E is configured to send Accounting Start packets to the RADIUS server after NCP
goes Up for PPPv6 users that use DHCPv6 to obtain IPv6 addresses.

----End


6.6.6 (Optional) Disabling RADIUS Attributes


You must enable RADIUS attribute translation before disabling RADIUS attributes.

Context
This function is configured for a RADIUS server group and takes effect on only the RADIUS
servers in this group. You can disable up to 64 attributes in a RADIUS server group.
You can disable the RADIUS attributes of both the sender and receiver on the NE40E.
Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server group group-name
The RADIUS server group view is displayed.
Step 3 Run radius-server attribute translate
RADIUS attribute translation is enabled.
Step 4 Run any of the following commands to disable basic or extended RADIUS attributes:
1. Run the radius-attribute disable attribute-name { receive | send } * command to disable basic RADIUS attributes in request or response packets.
2. Run the radius-attribute disable attribute-name { access-accept | access-request | account [ start ] } * command to disable basic RADIUS attributes in Access-Accept, Access-Request, or accounting packets.
3. Run the radius-attribute disable extend attribute-description { access-accept | { access-request | account } * } command to disable extended RADIUS attributes in Access-Accept, Access-Request, or accounting packets.
4. Run the radius-attribute disable extend { attribute-description | vendor-specific src-vendor-id src-sub-attr-id } access-accept command to disable extended or user-defined RADIUS attributes in Access-Accept packets.
5. Run the radius-attribute disable attribute-name { ip ip-address | string string | bin string | integer integer } receive command to disable RADIUS attributes of a specified data type and value carried in response packets.
6. Run the radius-attribute disable { hw-acct-update-address | flow-attributes } integer integer account command to disable RADIUS attributes with a specified integer value carried in accounting packets. Currently, integer can be set to 0 only.
If you specify flow-attributes in the radius-attribute disable command, the following flow attributes are all disabled: Acct-Input-Octets, Acct-Output-Octets, Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Gigawords, Acct-Output-Gigawords, HW-Acct-IPV6-Input-Octets, HW-Acct-IPV6-Output-Octets, HW-Acct-IPV6-Input-Packets, HW-Acct-IPV6-Output-Packets, HW-Acct-IPV6-Input-Gigawords, and HW-Acct-IPV6-Output-Gigawords.

----End


6.6.7 (Optional) Configuring RADIUS Attribute Translation


The NE40E can communicate with RADIUS servers from different vendors through the
RADIUS attribute translation function.

Context
RADIUS servers from various vendors support different RADIUS attributes, and the vendors
also define RADIUS attributes in different manners. This makes interconnection between the
NE40E and RADIUS servers more difficult.

To address this problem, the NE40E provides the attribute translation function. After the
attribute translation function is configured, the NE40E can encapsulate or parse src-attribute
by using the format of dest-attribute when transmitting or receiving RADIUS packets. By
doing this, the NE40E can communicate with different types of RADIUS servers.

This function is applied when one attribute has multiple formats. For example, the nas-port-
id attribute has a new format and an old format. The NE40E uses the new format. If the
RADIUS server uses the old format, you can run the radius-attribute translate nas-port-id
nas-port-identify-old receive send command on the NE40E. Perform the following steps on
the Router:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run radius-server attribute translate

RADIUS attribute translation is enabled.

Step 4 Perform any of the following operations to configure RADIUS attribute translation:
1. Run the radius-attribute translate src-attr-description dest-attr-description { { receive
| send } * } command to configure RADIUS attribute translation for request or response
packets.
2. Run the radius-attribute translate src-attr-description dest-attr-description { access-
accept | { access-request | account }* } command to configure RADIUS attribute
translation for Access-Accept, Access-Request, or accounting packets.
3. Run the radius-attribute translate extend src-attr-description dest-attr-description
{ access-accept | { access-request | account } * } command to configure extended
RADIUS attribute translation for Access-Request or accounting packets.
4. Run the radius-attribute translate extend src-attr-description vendor-specific src-
vendor-id src-sub-attr-id { access-request | account } * command to configure vendor-
specific extended RADIUS attribute translation for Access-Request or accounting
packets.


5. Run the radius-attribute translate extend vendor-specific src-vendor-id src-sub-attr-id
dest-attr-description access-accept command to configure vendor-specific extended
RADIUS attribute translation for Access-Accept packets.

----End
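The following Python model is added here as an illustration of how the translation rules of this section and the attribute-disable rules of 6.6.6 combine within one RADIUS server group; it is not part of the NE40E software. The packet representation, the attribute names other than the guide's nas-port-id example, and the reading that a received dest-attribute is parsed back as the router's src-attribute are assumptions of the example.

```python
"""Per-server-group RADIUS attribute translation and disabling, modelled after
the rules in 6.6.6 and 6.6.7. Added example, not NE40E code: packets are lists
of (attribute-name, value) pairs tagged with a packet type, and the rules are
scoped the way the CLI keywords scope them."""
from dataclasses import dataclass, field

ACCESS_REQUEST = "access-request"
ACCESS_ACCEPT = "access-accept"
ACCOUNT = "account"
SEND, RECEIVE = "send", "receive"

# Direction of each packet type relative to the router (the RADIUS client).
DIRECTION = {ACCESS_REQUEST: SEND, ACCOUNT: SEND, ACCESS_ACCEPT: RECEIVE}
MAX_DISABLED = 64  # the guide's per-group limit on disabled attributes


def _packet_types(scopes):
    """Expand the receive/send keywords into the packet types they cover."""
    out = set()
    for s in scopes:
        if s in (SEND, RECEIVE):
            out |= {t for t, d in DIRECTION.items() if d == s}
        else:
            out.add(s)
    return out


@dataclass
class AttributePolicy:
    """Translation and disable rules of one RADIUS server group."""
    translate_enabled: bool = False
    translations: dict = field(default_factory=dict)  # (src, dest) -> packet types
    disabled: dict = field(default_factory=dict)      # attr -> packet types

    def enable_translation(self):
        """radius-server attribute translate: prerequisite for both rule kinds."""
        self.translate_enabled = True

    def translate(self, src, dest, *scopes):
        """radius-attribute translate src dest { receive | send | packet types }."""
        self._require_enabled()
        self.translations.setdefault((src, dest), set()).update(_packet_types(scopes))

    def disable(self, attr, *scopes):
        """radius-attribute disable attr { receive | send | packet types }."""
        self._require_enabled()
        if attr not in self.disabled and len(self.disabled) >= MAX_DISABLED:
            raise ValueError(f"at most {MAX_DISABLED} attributes per server group")
        self.disabled.setdefault(attr, set()).update(_packet_types(scopes))

    def _require_enabled(self):
        if not self.translate_enabled:
            raise RuntimeError("run radius-server attribute translate first")

    def apply(self, packet_type, attrs):
        """Return the attributes as they would be encoded (send) or parsed (receive)."""
        outgoing = DIRECTION[packet_type] == SEND
        result = []
        for name, value in attrs:
            if packet_type in self.disabled.get(name, ()):
                continue  # disabled for this packet type: neither encoded nor parsed
            for (src, dest), types in self.translations.items():
                if packet_type not in types:
                    continue
                # Sending: the router's src-attribute is encoded in the peer's
                # dest-attribute format. Receiving: the peer's dest-attribute is
                # parsed as the router's src-attribute (our reading of the rule).
                if outgoing and name == src:
                    name = dest
                    break
                if not outgoing and name == dest:
                    name = src
                    break
            result.append((name, value))
        return result


def example_policy():
    """The guide's nas-port-id example plus one disabled accounting attribute."""
    p = AttributePolicy()
    p.enable_translation()
    p.translate("nas-port-id", "nas-port-identify-old", RECEIVE, SEND)
    p.disable("Acct-Input-Octets", ACCOUNT)
    return p
```

Because both rule kinds require radius-server attribute translate first, the model refuses to accept a rule before the enable step, mirroring the prerequisite stated in 6.6.6.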

6.6.8 (Optional) Configuring the Tunnel Password Delivery Mode


The RADIUS server supports a tunnel password in cipher text or plain text.

Context
The RADIUS protocol specifies that the RADIUS server must deliver the tunnel password in
cipher text. Most RADIUS servers, however, do not conform to this specification. Therefore,
the NE40E supports configuration of the tunnel password delivery mode so that the NE40E
can communicate with various types of RADIUS servers.

Perform the following steps on the Router:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run radius-attribute tunnel-password { cipher | simple }

The mode in which the RADIUS server delivers the tunnel password is configured.

----End

6.6.9 (Optional) Configuring the Class Attribute to Carry the CAR Value

You can configure the Class attribute to carry or not to carry the committed access rate (CAR)
value to ensure the communication between the NE40E and RADIUS servers from different
vendors.

Context
As specified in the standard RADIUS protocol, the Class attribute carried in an Access-
Accept packet sent from the RADIUS server to the client must be returned to the accounting
server without any change in an accounting request packet.

The NE40E extends the standard RADIUS protocol by adding the CAR value to the Class
attribute (RADIUS attribute 25).

Perform the following steps on the Router:


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run radius-server class-as-car [ enable-pir ]

The Class attribute is configured to carry the CAR value.

NOTE

To meet the requirements of various RADIUS servers, the NE40E can use the RADIUS attribute 25 or
RADIUS attribute 26 to send the CAR value to the RADIUS server. The preceding commands configure
how to use the RADIUS attribute 25 to send the CAR value to the RADIUS server.

----End

6.6.10 (Optional) Configuring the Format of the NAS-Port Attribute

You can configure different formats of the NAS-Port attribute so that the NE40E can
communicate with RADIUS servers from different vendors.

Context
Perform the following steps on the Router:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run radius-server format-attribute { nas-port format-string | nas-port-id { vendor
{ vendor-id [ version1 ] | redback-simple | redback-addition } | version1 | version2 } |
option82 }

The format of the NAS-Port attribute and format of the NAS-Port-Id attribute are configured.

When you configure the format of the NAS-Port-Id attribute:

l If vendor-id is set to 2352, the NE40E uses the default format of Redback to encapsulate
the NAS-Port-Id attribute.
The encapsulation format is slot/port[vpi-vci vpi vci | vlan-id [ivlan:]evlan] [pppoe sess-
id | clips sess-id].
Format example: 2/5 vlan-id 4 pppoe 8.


NOTE

If a logical interface is configured on the user access interface, encapsulate packets on the logical
interface. Otherwise, encapsulate packets on the user access interface. pppoe sess-id indicates
session ID of a PPPoE user. clips sess-id indicates CID of DHCP users on the device. For
untagged Ethernet user VLANs, the VLAN ID is 0. For QinQ interfaces, evlan and ivlan indicate
outer VLAN ID and inner VLAN ID.
l If vendor-id is set to 2636, the NE40E uses the default format of Juniper to encapsulate
the NAS-Port-Id attribute.
The encapsulation format is {fastEthernet|gigabitEthernet} slot/port.subinterface[:vpi.vci
|:ivlan]
Format example: gigabitEthernet 2/5.4:4.
If vendor-id is set to 2636 and version1 is specified, the NE40E uses the version 1
format of Juniper to encapsulate the NAS-Port-Id attribute.
The encapsulation format is {FastEthernet|GigabitEthernet} slot/card/
port.subinterface[:vpi.vci |:ivlan]
Format example: GigabitEthernet 2/0/5.4:4
NOTE

If the logical interface configured on the user access interface is a non-Trunk interface, encapsulate
packets on the logical interface.
If the logical interface is a Trunk interface, encapsulate packets on the user access interface. If the
user access interface is also a Trunk interface, encapsulate packets on the first member interface of
the Trunk interface.
l If vendor-id is set to 9, the NE40E uses the default format of Cisco to encapsulate the
NAS-Port-Id attribute.
The encapsulation format is {ethernet|trunk|PW} slot/subslot/port.
Format example: ethernet 2/0/5.
NOTE

If a logical interface is configured on the user access interface, encapsulate packets on the logical
interface. Otherwise, encapsulate packets on the user access interface. For Trunk and PW
interfaces, the subslot number is 0.
l If the redback-simple format is specified to encapsulate the NAS-Port-Id attribute,
the encapsulation format is slot/port[vpivci vpi vci | vlanid [ivlan:]evlan] [pppoe sess-id
| clips sess-id].
Format example: 2/5 vlan-id 4 pppoe 8.
NOTE

Different from the Redback format, the redback-simple format does not contain any hyphen (-) in
keywords of vpivci or vlanid.
l If the redback-addition format is specified to encapsulate the NAS-Port-Id attribute,
the encapsulation format is atm slot/amalgamation result of the subslot number and port
number.
Format example: atm 3/12:20.32.
NOTE

This example is for a user who logs in on Atm3/3/0. This format applies only to users who log in on ATM
interfaces, in the scenario where the device does not trust Option 82 and vlanpvc-to-username is
set to version10 or version20. The amalgamation result of the subslot number and port number is
calculated using the formula ((subslot number & 0x03) << 2) | (port number & 0x03).
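The vendor formats listed above, written out as builder functions so that the field layouts and the redback-addition formula can be checked against the guide's own examples. This is an added example, not NE40E code: the UserAccess record, the treatment of the Juniper subinterface number as a plain input, and the reading of the ":20.32" suffix of the redback-addition example as vpi.vci are assumptions of the example.

```python
"""NAS-Port-Id builders for the vendor formats selectable with
radius-server format-attribute nas-port-id vendor. Added example, not NE40E
code; the interface, VLAN and session values are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserAccess:
    """Where an access user came in. VLAN/VPI-VCI fields are None when absent."""
    slot: int
    subslot: int
    port: int
    evlan: Optional[int] = None        # outer (or single) VLAN ID
    ivlan: Optional[int] = None        # inner VLAN ID on QinQ interfaces
    vpi: Optional[int] = None
    vci: Optional[int] = None
    session_kind: Optional[str] = None  # "pppoe" or "clips"
    session_id: Optional[int] = None
    subinterface: int = 0              # Juniper subinterface number (assumed input)


def redback(acc: UserAccess, simple: bool = False) -> str:
    """Redback format (vendor-id 2352); redback-simple drops the hyphens:
    slot/port[vpi-vci vpi vci | vlan-id [ivlan:]evlan] [pppoe sess-id | clips sess-id]"""
    vpivci_kw, vlan_kw = ("vpivci", "vlanid") if simple else ("vpi-vci", "vlan-id")
    parts = [f"{acc.slot}/{acc.port}"]
    if acc.vpi is not None and acc.vci is not None:
        parts.append(f"{vpivci_kw} {acc.vpi} {acc.vci}")
    else:
        evlan = 0 if acc.evlan is None else acc.evlan  # untagged Ethernet: VLAN ID 0
        vlan = f"{acc.ivlan}:{evlan}" if acc.ivlan is not None else str(evlan)
        parts.append(f"{vlan_kw} {vlan}")
    if acc.session_kind:
        parts.append(f"{acc.session_kind} {acc.session_id}")
    return " ".join(parts)


def juniper(acc: UserAccess, version1: bool = False, gigabit: bool = True) -> str:
    """Juniper format (vendor-id 2636); version1 inserts the card (subslot)
    field and capitalises the interface type."""
    if version1:
        iftype = "GigabitEthernet" if gigabit else "FastEthernet"
        base = f"{iftype} {acc.slot}/{acc.subslot}/{acc.port}.{acc.subinterface}"
    else:
        iftype = "gigabitEthernet" if gigabit else "fastEthernet"
        base = f"{iftype} {acc.slot}/{acc.port}.{acc.subinterface}"
    if acc.vpi is not None and acc.vci is not None:
        return f"{base}:{acc.vpi}.{acc.vci}"
    if acc.ivlan is not None:
        return f"{base}:{acc.ivlan}"
    return base


def cisco(acc: UserAccess, iftype: str = "ethernet") -> str:
    """Cisco format (vendor-id 9): {ethernet|trunk|PW} slot/subslot/port;
    Trunk and PW interfaces report subslot 0."""
    subslot = 0 if iftype in ("trunk", "PW") else acc.subslot
    return f"{iftype} {acc.slot}/{subslot}/{acc.port}"


def amalgamate(subslot: int, port: int) -> int:
    """The redback-addition formula: ((subslot & 0x03) << 2) | (port & 0x03)."""
    return ((subslot & 0x03) << 2) | (port & 0x03)


def redback_addition(acc: UserAccess) -> str:
    """redback-addition: atm slot/<amalgamated subslot and port>; the ':vpi.vci'
    suffix follows the guide's example 'atm 3/12:20.32' (our reading)."""
    return f"atm {acc.slot}/{amalgamate(acc.subslot, acc.port)}:{acc.vpi}.{acc.vci}"
```

Note that amalgamate keeps only the low two bits of each number, so users on Atm3/3/0 and Atm3/7/4 would produce the same "3/12" prefix; a RADIUS server keyed on this field alone cannot tell them apart.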


The default NAS-Port-Id attribute format is determined by the vbas and client-option82
commands.
l When neither the vbas nor the client-option82 command is configured (the default) on a
BAS interface, the following situations may occur:
– If the vlanpvc-to-username is set to version20 (the default parameter),
the format of NAS-Port-Id is: slot=xx; subslot=xx; port=xx;{VPI=xx;VCI=xx;|
vlanid=xx;|vlanid=xx;vlanid2=xx;}
Format example: slot=2;subslot=0;port=5;vlanid=4.
The slot number, subslot number, port number, VPI number, VCI number, outer
VLAN ID, and inner VLAN ID are filled with the actual values.
– If the vlanpvc-to-username is set to version10,
the format of NAS-Port-Id is: slot=xx;subslot=xx;port=xx;{VPI=xx;VCI=xx;|
vlanid=xx;}
Format example: slot=2;subslot=0;port=5;vlanid=4.
The slot number, subslot number, port number, VPI number, VCI number, outer
VLAN ID, and inner VLAN ID are filled with the actual values. For access users on
QinQ interfaces, the inner VLAN ID is filled.
– If the vlanpvc-to-username is set to turkey,
the format of NAS-Port-Id is: slot number/port number vlan-id inner VLAN
ID:outer VLAN ID.
Format example: 2/5 vlan-id 4096:4.
For untagged user VLANs, the IDs of inner and outer VLANs are both 4096. If the
user VLAN only carries a tag, the inner VLAN ID is 4096.
– If the vlanpvc-to-username is set to standard,
the format of NAS-Port-Id is: {eth|trunk|PW} slot number/subslot number/port
number:{vpi.vci| outer VLAN ID.inner VLAN ID} 0/0/0/0/0/0.
Format example: eth 2/0/5:4096.4 0/0/0/0/0/0.
NOTE

The slot number, subslot number, port number, VPI number, VCI number, outer VLAN ID, and
inner VLAN ID are filled with the actual values. For Trunk interfaces, the subslot number is 0.
For untagged user VLANs, the IDs of inner and outer VLANs are both 4096. If the user VLAN
only carries a tag, the inner VLAN ID is 4096. In the AAA view, you can specify pevlan or
cevlan in the vlanpvc-to-username standard trust { pevlan | cevlan } command. By default,
both parameters are specified in the command. If only pevlan is specified, set the inner VLAN ID
to 4096. If only cevlan is specified, set the outer VLAN ID to 4096.
l The vbas or client-option82 command is configured on the BAS interface.
– The vlanpvc-to-username is set to version20 (the default parameter) or version10
and the client-option82 basinfo-insert cn-telecom command is not run.
n User packets carry Option 82 information.
If VBAS is configured on the BAS interface, return Option 82 information
carried by user packets.
Format example: mse-108 eth 0/2/0/5:4.
If the option82-relay-mode command is not configured on the BAS interface,
return the first TLV value of user Option 82 information with two offset bytes.
For example, if the user Option 82 information is abc, return c.


If the option82-relay-mode command is configured on the BAS interface,
return the required information based on the configured formats. For details,
see the output information of the option82-relay-mode include command.
n If user packets do not carry Option 82 information,
the format of NAS-Port-Id is: hostname {eth} 0/slot number/subslot number/
port number:{vpi.vci|vlan| outer VLAN.inner VLAN}.
Format example: MSE-108 eth 0/2/0/5:0.
NOTE

The host name configured using the nas logic-sysname command in the BAS interface
view is preferentially used. If no host name is configured on the BAS interface, the default
host name is used. For untagged user VLANs, the IDs of inner and outer VLANs are both 0.
If the user VLAN carries only a tag, the inner VLAN ID is 0, indicating that the inner
VLAN is not displayed.
– If the vlanpvc-to-username is set to turkey and the client-option82 basinfo-
insert cn-telecom command is not run,
the format of NAS-Port-Id is: slot number/port number vlan-id inner VLAN
ID:outer VLAN ID.
Format example: 2/5 vlan-id 4096:4.
For untagged user VLANs, the IDs of inner and outer VLANs are both 4096. If the
user VLAN only carries a tag, the inner VLAN ID is 4096.
– If the vlanpvc-to-username is set to standard and the client-option82 basinfo-
insert cn-telecom command is run,
the format of NAS-Port-Id is: {eth|trunk|PW} slot number/subslot number/port
number:{vpi.vci|outer VLAN ID.inner VLAN ID} information carried by the client.
The slot number, subslot number, port number, VPI number, VCI number, outer
VLAN ID, and inner VLAN ID are filled with the actual values. For Trunk
interfaces, the slot number is 0. For untagged user VLANs, the IDs of inner and
outer VLANs are both 4096. If the user VLAN only carries a tag, the inner VLAN
ID is 4096. For PW interfaces, the subslot number is 0. In the AAA view, you can
specify pevlan or cevlan in the vlanpvc-to-username standard trust { pevlan |
cevlan } command. By default, both parameters are specified in the command. If
pevlan is specified, set the inner VLAN ID to 4096. If cevlan is specified, set the
outer VLAN ID to 4096.
n User packets carry Option 82 information.
If the vbas command is configured on the BAS interface, parse the complete
Option 82 information carried by user packets. Otherwise, parse Option 82
information with two offset bytes.
If user Option 82 information contains no blank space, information carried by
the client is filled with user Option 82 information with two offset bytes. For
example, if user Option 82 information is abc, the format of NAS-Port-Id is
eth 2/0/5:4096.4 c.
If user Option 82 information contains a space and / is in front of the space,
information carried by the client is filled with user Option 82 information with
two offset bytes. For example, if user Option 82 information is aaa/b cd, the
format of NAS-Port-Id is eth 2/0/5:4096.4 a/b cd.
If user Option 82 information contains two spaces and no / in front of the first
space, information carried by the client is filled with user Option 82
information after the second space. For example, if user Option 82 information
is aaab cd e, the format of NAS-Port-Id is eth 2/0/5:4096.4 e.


If user Option 82 information contains two spaces and no / in front of the
spaces, information carried by the client is filled with 0/0/0/0/0/0. For
example, if user Option 82 information is aaab cde, the format of NAS-Port-Id
is eth 2/0/5:4096.4 0/0/0/0/0/0.
n User packets do not carry Option 82 information.
Information carried by the client is filled with 0/0/0/0/0/0, for example, eth
2/0/5:4096.4 0/0/0/0/0/0.
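The Option 82 rules above for the "information carried by the client" field, written as a function that can be run against the guide's own sample strings. This is an added example and not NE40E code; the interpretation that the two-byte offset applies only when vbas is absent, and that the interface and VLAN part of the attribute is passed in ready-built, are assumptions of the example.

```python
"""Derivation of the 'information carried by the client' suffix of NAS-Port-Id
when vlanpvc-to-username standard and client-option82 basinfo-insert cn-telecom
are configured, following the Option 82 rules of this section. Added example,
not NE40E code. The sample Option 82 strings are the guide's own."""
from typing import Optional

EMPTY_CLIENT_INFO = "0/0/0/0/0/0"
OFFSET = 2  # without vbas, Option 82 information is parsed with two offset bytes


def client_info(option82: Optional[str], vbas: bool = False) -> str:
    """Derive the client-information field from the user's Option 82 string."""
    if option82 is None:
        return EMPTY_CLIENT_INFO  # user packets carry no Option 82 information
    # With vbas the complete information is parsed; otherwise two bytes are
    # skipped (our reading of "parse Option 82 information with two offset bytes").
    skipped = option82 if vbas else option82[OFFSET:]
    first_space = option82.find(" ")
    if first_space < 0:
        return skipped  # no blank space: the string minus the offset ("abc" -> "c")
    if "/" in option82[:first_space]:
        return skipped  # '/' before the first space: the string minus the offset
    second_space = option82.find(" ", first_space + 1)
    if second_space >= 0:
        return option82[second_space + 1:]  # two spaces, no '/': text after the second
    return EMPTY_CLIENT_INFO  # one space and no '/': nothing usable


def nas_port_id_standard(iftype: str, slot: int, subslot: int, port: int,
                         vlan_field: str, option82: Optional[str],
                         vbas: bool = False) -> str:
    """{eth|trunk|PW} slot/subslot/port:<vlan or vpi.vci> <client information>.
    vlan_field is passed pre-built (e.g. '4096.4' from the guide's example)."""
    return f"{iftype} {slot}/{subslot}/{port}:{vlan_field} {client_info(option82, vbas)}"
```

The client-supplied part of the attribute is copied from data the subscriber's access node inserted, so a RADIUS policy that keys on NAS-Port-Id should treat that suffix as untrusted input and match on the router-generated interface and VLAN fields where possible.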
Step 4 (Optional) Run radius-server nas-port-id lns include [ string string | ip delimiter ] { local-
tunnel-ip [ delimiter ] | peer-tunnel-ip [ delimiter ] | local-tunnel-id [ delimiter ] | peer-
tunnel-id [ delimiter ] | local-session-id [ delimiter ] peer-session-id [ delimiter ] | call-
serial-number [ delimiter ] } *
The format of the NAS-Port-Id attribute sent by the L2TP LNS to the RADIUS server is
configured.
Step 5 (Optional) Run radius-server nas-port-id include [ delimiter paradelimiter ] { interface-
description [ delimiter int-desdelimiter ] | pe-vlan [ delimiter pevlan-delimiter ] | ce-vlan
[ delimiter cevlan-delimiter ] } *
The format of the NAS-Port-Id attribute sent by a non-LNS device to the RADIUS server is
configured.

----End

6.6.11 (Optional) Configuring the Source Interface of a RADIUS Server

When the NE40E connects to multiple RADIUS servers, you can configure the source
interface of each RADIUS server on the NE40E to identify the route between the NE40E and
each RADIUS server.

Context
On the NE40E, you can configure the interface that connects to a RADIUS server as the
source interface of the RADIUS server. On the NE40E, you can configure the source interface
in the system view or in the view of a RADIUS server group. Therefore, the RADIUS servers
in the RADIUS server group use this source interface to interact with the NE40E. If the
source interface of the RADIUS server group is not configured, the RADIUS servers use the
global source interface.
Perform the following steps on the Router:

Procedure
l Configure the global source interface of all RADIUS servers in all RADIUS server
groups.
a. Run system-view
The system view is displayed.
b. Run radius-server source interface interface-type interface-number
The global source interface of all the RADIUS servers is configured.
l Configure the source interface of a specified RADIUS server group.


a. Run system-view
The system view is displayed.
b. Run radius-server group group-name
The RADIUS server group view is displayed.
c. Run radius-server source interface interface-type interface-number
The source interface of the RADIUS server group is configured.
----End

6.6.12 (Optional) Configuring a RADIUS Authorization Server


You can configure multiple RADIUS authorization servers to authorize users who use
dynamic services.

Context
You need to configure a RADIUS authorization server for a dynamic service so that the
RADIUS server can dynamically authorize a user when the user uses the dynamic service.

NOTE

The NE40E supports Change of Authorization (CoA). Authorization information about online users can
be dynamically changed. While maintaining the online status of users, the network administrator can
modify the service attributes on the RADIUS server and then send CoA packets to dynamically change
the services used by users. This authorization mode is referred to as dynamic authorization.

Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server authorization ip-address [ vpn-instance instance-name ] { shared-key
key | server-group groupname } * [ ack-reserved-interval interval ]
The global RADIUS authorization server is configured.
To keep the RADIUS authorization response so that it can be returned in reply to retransmitted
packets from the RADIUS authorization server, set the response retention period (ack-reserved-
interval) when configuring the RADIUS authorization server.
If destination-ip dest-ip or destination-port dest-port has been configured, the device checks
the destination IP address or port number in the dynamic authorization packets and discards
the packets if the destination IP address or port number does not match.
Step 3 Run radius-server authorization error-reply { version1 | version2 }
The rule for constructing the dynamic authorization response packets sent by the NE40E is
configured.
Step 4 Run radius-server authorization accounting-realtime-packet disable
The NE40E is disabled from automatically responding with a real-time accounting packet
upon receipt of a CoA message delivered by the RADIUS server.


After this command is run, the NE40E does not automatically respond with a real-time
accounting packet upon receipt of a CoA message from the RADIUS server. As a result, the
RADIUS server cannot learn the latest user status in a timely manner. To resolve this problem,
run the accounting interim interval interval [ second ] [ traffic ] [ hash ] command to set an
interval for informing the RADIUS server of the latest user status.
----End
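The response-retention and destination-check behaviour described for the RADIUS authorization server, modelled on the client side as an added example that is not NE40E code. The packet layout, the use of an injected clock, and the placement of the checks are assumptions of the example; shared-key (Authenticator) verification is outside the model.

```python
"""Client-side handling of dynamic authorization (CoA) requests, modelling the
ack-reserved-interval and destination-ip/destination-port behaviour described
for radius-server authorization. Added example, not NE40E code. Packets are
dicts constructed here; shared-key verification is not modelled."""
import time
from typing import Callable, Optional


class CoaHandler:
    def __init__(self, ack_reserved_interval: float,
                 destination_ip: Optional[str] = None,
                 destination_port: Optional[int] = None,
                 clock: Callable[[], float] = time.monotonic):
        self.ack_reserved_interval = ack_reserved_interval
        self.destination_ip = destination_ip
        self.destination_port = destination_port
        self._clock = clock
        self._reserved = {}  # (src_ip, identifier) -> (response, expires_at)

    def handle(self, pkt: dict, apply: Callable[[dict], bool]) -> Optional[dict]:
        """Return the CoA-ACK/CoA-NAK to send, or None if the packet is discarded."""
        now = self._clock()
        # Drop reserved responses whose ack-reserved-interval has elapsed.
        for key in [k for k, (_, exp) in self._reserved.items() if exp <= now]:
            del self._reserved[key]
        # destination-ip / destination-port check: a mismatch is discarded.
        if self.destination_ip is not None and pkt["dst_ip"] != self.destination_ip:
            return None
        if self.destination_port is not None and pkt["dst_port"] != self.destination_port:
            return None
        key = (pkt["src_ip"], pkt["identifier"])
        if key in self._reserved:
            # Retransmission within the interval: repeat the reserved response
            # instead of applying the authorization change a second time.
            return self._reserved[key][0]
        ok = apply(pkt["attributes"])  # change the online user's service attributes
        response = {"code": "CoA-ACK" if ok else "CoA-NAK",
                    "identifier": pkt["identifier"]}
        self._reserved[key] = (response, now + self.ack_reserved_interval)
        return response
```

Keeping the response keyed by source address and identifier is what makes a retransmitted CoA request idempotent during the retention period; once the interval expires, an identical request is treated as new and applied again.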

6.6.13 (Optional) Setting the Status Parameters of a RADIUS Server

You can configure the status parameters of a RADIUS server on the NE40E to monitor the
RADIUS server status.

Context
RADIUS clients can detect the status of RADIUS servers and determine the real-time status
of RADIUS servers based on responses from the RADIUS servers. This helps identify which
servers are in the Up state so as to process user request packets in real time.
The configuration is valid for all RADIUS servers.
Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run radius-server { dead-count dead-count [ fail-rate count ] | dead-interval interval }*

The parameters for determining the status change of a RADIUS server from Up to Down are
configured.
If the NE40E sends RADIUS packets to the RADIUS server a specified number of consecutive
times (dead-count) without receiving a response, and the interval between the first ignored
packet and the nth ignored packet (where n equals dead-count) is longer than dead-interval,
the NE40E considers the RADIUS server abnormal and sets its status to Down.
Step 3 Configure a mode for restoring the Up state of the RADIUS server after its status is set to
Down.
After the status of the RADIUS server is set to Down, two modes are available for restoring
the Up state of the RADIUS server. Run either of the following commands as required.
l Run the radius-server dead-time dead-time [ recover-count invalid ] command to
configure a period after which the status of the RADIUS server is automatically restored
to Up.
After the NE40E sets the status of a RADIUS server to Down, the NE40E waits a period
specified by dead-time. Then, the NE40E sets the status of the RADIUS server to Up
and attempts to set up a connection with it. If the connection cannot be set up, the
NE40E sets the status of the RADIUS server to Down again.
If recover-count invalid is configured, the NE40E sets the RADIUS server status to Up
only after the Up timer expires, irrespective of whether response packets are received
from the RADIUS server during connection re-establishment.


l Run the radius-server state-recovery-detect { authentication | accounting }
username username [ detect-interval detect-interval ] [ detect-threshold detect-
threshold ] command to enable RADIUS server status detection and restoration.
After the status of a RADIUS server is set to Down, the status of the RADIUS server is
automatically restored to Up after a specified period of time by default. However, the
NE40E does not know the actual status of the RADIUS server and only assumes that the
server is Up. To allow the NE40E to accurately determine the status of the RADIUS
server, run the radius-server state-recovery-detect { authentication | accounting }
username username [ detect-interval detect-interval ] [ detect-threshold detect-
threshold ] command to enable RADIUS server status detection and restoration.
Then, the NE40E sends detection packets to the RADIUS server at an interval specified
by detect-interval using a user name specified by username. If detection succeeds for a
consecutive number of times specified by detect-threshold, the NE40E sets the
RADIUS server status to Up again.
NOTE
After the radius-server state-recovery-detect command is run, the radius-server dead-time
dead-time [ recover-count invalid ] command configuration fails to take effect. In other words,
the status of the RADIUS server will not be automatically restored to Up after a period specified
by dead-time elapses.

----End
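The Up/Down rules of this section as a small state model, added here as an illustration rather than NE40E code. Timestamps come from an injected clock so the dead-count, dead-interval, dead-time and detect-threshold interactions can be exercised offline; the recover-count invalid option and the fail-rate parameter are not modelled, and the choice to count detection results per probe is an assumption of the example.

```python
"""Up/Down tracking of one RADIUS server under the dead-count/dead-interval,
dead-time and state-recovery-detect rules described above. Added model, not
NE40E code; times are seconds read from an injected clock."""
import time
from typing import Callable, Optional


class RadiusServerMonitor:
    def __init__(self, dead_count: int, dead_interval: float, dead_time: float,
                 detect_threshold: Optional[int] = None,
                 clock: Callable[[], float] = time.monotonic):
        self.dead_count = dead_count
        self.dead_interval = dead_interval
        self.dead_time = dead_time
        self.detect_threshold = detect_threshold  # set by state-recovery-detect
        self._clock = clock
        self.state = "Up"
        self._ignored = 0              # consecutive requests without a response
        self._first_ignored_at = None
        self._down_at = None
        self._detect_ok = 0            # consecutive successful detection probes

    def no_response(self) -> str:
        """A request to the server timed out without any response."""
        now = self._clock()
        if self.state == "Up":
            self._ignored += 1
            if self._ignored == 1:
                self._first_ignored_at = now
            # Down only when both hold: at least dead-count consecutive ignored
            # packets, and more than dead-interval between the first and the nth.
            if (self._ignored >= self.dead_count
                    and now - self._first_ignored_at > self.dead_interval):
                self.state = "Down"
                self._down_at = now
                self._ignored = 0
                self._first_ignored_at = None
                self._detect_ok = 0
        return self.state

    def response_received(self) -> str:
        """A response from an Up server ends the run of ignored packets."""
        if self.state == "Up":
            self._ignored = 0
            self._first_ignored_at = None
        return self.state

    def detect_result(self, success: bool) -> str:
        """Outcome of one state-recovery-detect probe sent while Down."""
        if self.state == "Down" and self.detect_threshold is not None:
            self._detect_ok = self._detect_ok + 1 if success else 0
            if self._detect_ok >= self.detect_threshold:
                self.state = "Up"  # detect-threshold consecutive successes
                self._detect_ok = 0
        return self.state

    def check_timer(self) -> str:
        """dead-time expiry restores Up, unless state-recovery-detect is configured."""
        if (self.state == "Down" and self.detect_threshold is None
                and self._clock() - self._down_at >= self.dead_time):
            self.state = "Up"  # assumed Up; a new run of ignored packets re-Downs it
        return self.state
```

With state-recovery-detect configured, check_timer never restores Up on its own, which is the interaction the NOTE above describes: only probes answered detect-threshold times in a row bring the server back.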

6.6.14 (Optional) Configuring the Extended Source Interfaces of a RADIUS Server

If you do not want to use the default extended source interface to send and receive RADIUS
packets, you can change the default extended source interface of the RADIUS server.

Context
After you configure the extended source interfaces of the RADIUS server, the NE40E can send
more packets to the RADIUS server in a given period of time.

After the configuration, the NE40E sends RADIUS packets by using the extended source
interfaces. The former half of extended source interfaces are used to send and receive
RADIUS authentication packets, and the latter half of extended source interfaces are used to
send and receive RADIUS accounting packets. If an odd number of extended source
interfaces are configured, the authentication interfaces outnumber the accounting interfaces by
one.

Perform the following steps on the Router:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server extended-source-ports [ start-port start-port-number ] port-number
port-number

The extended source interfaces of the RADIUS server are configured.


NOTE

If you do not specify the start interface number when configuring the extended source interfaces, the
system assigns a configured number of valid extended source interfaces.

Step 3 Run radius-server extended-source-ports algorithm round-robin

The NE40E is enabled to use the round-robin algorithm to select an extended source port.

----End

6.6.15 (Optional) Configuring the Calling-station-ID Attribute Format

The Calling-station-ID attribute format is configured to enable the NE40E to interconnect
with a non-Huawei device.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server group group-name
The RADIUS server group view is displayed.
Step 3 Run radius-server calling-station-id include [ delimiter delimiter ] { domain [ delimiter
delimiter ] | mac [ delimiter delimiter ] | interface [ delimiter delimiter ] | sysname
[ delimiter delimiter | { option82 | access-line-id} [ delimiter delimiter ] ] }*
A method of constructing RADIUS public attribute 31, Calling-Station-Id, is configured.
Step 4 Run radius-server calling-station-id include refer-option61
The Calling-Station-Id attribute format is determined based on Option 61.
After the radius-server calling-station-id include refer-option61 command is run, note the
following issues:
l If user packets carry Option 61, the Calling-Station-Id attribute format uses user MAC
addresses.
l If user packets do not carry Option 61, the Calling-Station-Id attribute format uses user
names without domain names.
Step 5 Run radius-server calling-station-id include vlan-binding
The Calling-Station-Id attribute format is constructed in the format of
slot(2)port(2)vpi(2)vci(4)vlan(4)mac(12).
Step 6 Run radius-server calling-station-id include vlan-description
The Calling-Station-Id attribute format is constructed based on the vlan-description format.
Step 7 Run radius-server calling-station-id lns-default version1
The default format for constructing the Calling-Station-Id attribute is configured on the LNS.
After the radius-server calling-station-id lns-default version1 command is run, the LNS
encapsulates the Calling-Station-Id attribute into RADIUS authentication and accounting


packets in the default format, even if the packets sent from the LAC to the LNS do not carry
the calling-number attribute. By default, if the LAC sends user packets without the calling-
number attribute to the LNS, the RADIUS authentication and accounting packets sent to the
RADIUS server do not carry the Calling-Station-Id attribute.
Step 8 Run radius-server calling-station-id lns-default version1 force
The LNS is enabled to construct the Calling-Station-Id attribute based on the version1 format.
In some special scenarios, to enable the LNS to encapsulate the Calling-Station-Id attribute
into RADIUS authentication and accounting packets in the default version1 format
irrespective of whether the LAC sends the calling-number attribute to the LNS, run the
radius-server calling-station-id lns-default version1 force command.

Step 9 Run radius-server calling-station-id include llid user-type { ppp | lns }*

The Calling-Station-Id attribute format is constructed based on the logical line ID (LLID)
information in an authentication accept packet sent by the RADIUS server.

After the radius-server calling-station-id include llid user-type { ppp | lns }* command is
run, the authentication process for PPP or LNS users changes as follows, and login
performance is affected because users are authenticated twice.
1. Two authentication request packets are sent. The format of the user name in the first
authentication request packet is NAS-IP-Address NAS-Port-Id, and the password is
HUAWEI (default value). The user name and password in the second authentication
request packet and accounting request packet are the actual user name and password.
2. If the RADIUS server delivers the LLID attribute in the first authentication accept
packet, the Calling-Station-Id field in the second authentication request packet and
accounting request packet is encapsulated with the LLID information. If the LLID
attribute fails to be obtained (for example, the RADIUS server does not deliver the No.
31 RADIUS public attribute Calling-Station-Id, a RADIUS Access-Reject packet is
received, or the authentication times out), the Calling-Station-Id field in the second
authentication request packet and accounting request packet is the same as that in the
first authentication request packet.
If the system fails to obtain the LLID information from the RADIUS server, the
authentication and accounting packets for the second authentication will carry the No. 31
RADIUS Calling-Station-Id attribute by default. However, if this occurs after the
radius-server calling-station-id disable with-llid-fail command is run, the authentication and
accounting packets for the second authentication will not carry the No. 31 RADIUS
Calling-Station-Id attribute. This configuration helps identify the users who have failed to
obtain the LLID information.
Step 10 Run radius-server calling-station-id include pevlan [ { delimiter delimiter } [ cevlan ] ]
or run radius-server calling-station-id include cevlan [ { delimiter delimiter } [ pevlan ] ]
The Calling-Station-Id attribute format is constructed based on the outer or inner VLAN
information.
The Calling-Station-Id attribute contains user VLAN information. You can specify either or
both of pevlan and cevlan. If you specify both pevlan and cevlan and specify pevlan before
specifying cevlan, the RADIUS server parses pevlan before parsing cevlan. If you specify
cevlan before specifying pevlan, the RADIUS server parses cevlan before parsing pevlan.
If access users send packets that carry single VLAN tags, the single VLAN tags can only be
encapsulated into pevlan.

Step 11 Run radius-server format-attribute calling-station-id vendor vendor-id [ include
option82 ] [ version1 ]

The Calling-Station-Id attribute format defined by a specified vendor is used.

Step 12 Run radius-server format-attribute include sub-slot

An interface number in the Calling-Station-Id and NAS-port-ID attributes contains a sub-slot
number.

After the radius-server format-attribute include sub-slot command is run, the
Calling-Station-Id and NAS-port-ID attributes in RedBack format use the interface number in
the format of slot/sub-slot/port.

----End
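The two-stage LLID exchange of Step 9, including the fallback when the LLID cannot be obtained and the effect of radius-server calling-station-id disable with-llid-fail, modelled as an added Python example. This is not Huawei code; the RADIUS server is a constructed stub and all function and field names are assumptions.

```python
"""Added example (not Huawei code): models the two-stage authentication that
`radius-server calling-station-id include llid` triggers for PPP/LNS users.
The server stubs return constructed replies; names are assumptions."""
from dataclasses import dataclass, field

CALLING_STATION_ID = 31          # standard RADIUS attribute No. 31 carries the LLID
FIRST_STAGE_PASSWORD = "HUAWEI"  # default password of the first request (per the guide)


@dataclass
class RadiusPacket:
    code: str                    # Access-Request / Access-Accept / Access-Reject / Accounting-Request
    attributes: dict = field(default_factory=dict)


@dataclass
class LlidConfig:
    include_llid: bool = True             # radius-server calling-station-id include llid
    disable_with_llid_fail: bool = False  # radius-server calling-station-id disable with-llid-fail


def first_stage_request(nas_ip, nas_port_id, base_csid):
    """First Access-Request: user name is 'NAS-IP-Address NAS-Port-Id'."""
    return RadiusPacket("Access-Request", {
        "User-Name": f"{nas_ip} {nas_port_id}",
        "User-Password": FIRST_STAGE_PASSWORD,
        CALLING_STATION_ID: base_csid,
    })


def obtain_llid(server, cfg, nas_ip, nas_port_id, base_csid):
    """Ask the server for the LLID; None on reject, timeout or missing attribute 31."""
    if not cfg.include_llid:
        return None
    reply = server(first_stage_request(nas_ip, nas_port_id, base_csid))
    if reply is None or reply.code != "Access-Accept":   # timeout or Access-Reject
        return None
    return reply.attributes.get(CALLING_STATION_ID)       # None if attr 31 not delivered


def second_stage(server, cfg, nas_ip, nas_port_id, base_csid, username, password):
    """Build the real Access-Request and Accounting-Request; also report whether
    the LLID was obtained."""
    llid = obtain_llid(server, cfg, nas_ip, nas_port_id, base_csid)
    if llid is not None:
        csid = llid                       # LLID delivered: encapsulate it in attr 31
    elif cfg.include_llid and cfg.disable_with_llid_fail:
        csid = None                       # omit attr 31 so LLID failures are identifiable
    else:
        csid = base_csid                  # default: same value as in the first request
    auth = RadiusPacket("Access-Request", {"User-Name": username, "User-Password": password})
    acct = RadiusPacket("Accounting-Request", {"User-Name": username})
    if csid is not None:
        auth.attributes[CALLING_STATION_ID] = csid
        acct.attributes[CALLING_STATION_ID] = csid
    return auth, acct, llid is not None


# Constructed server stubs covering the outcomes the guide lists.
def server_with_llid(req):
    return RadiusPacket("Access-Accept", {CALLING_STATION_ID: "LLID-0001/constructed"})


def server_without_llid(req):
    return RadiusPacket("Access-Accept", {})


def server_reject(req):
    return RadiusPacket("Access-Reject", {})


def server_timeout(req):
    return None
```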

6.6.16 (Optional) Configuring Negotiated Parameters of the RADIUS Attribute
When the RADIUS server and NE40E communicate, they must have the same specifications
for RADIUS attributes.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server group group-name

The RADIUS server group view is displayed.

Step 3 (Optional) Run radius-attribute enable framed-ip-netmask netmask-length
account-request

The 32-bit Framed-IP-Netmask attribute can be added to an Accounting-Request packet.

Step 4 Run radius-attribute vendor vendor-id enable

The ID of the vendor whose private RADIUS attribute the device can parse is added.

Step 5 Run radius-attribute vendor { { huawei | microsoft | 3gpp2 | redback | dslforum | other }*
| all } continuous

The NE40E is configured to carry multiple proprietary attributes in RADIUS attribute 26.

Step 6 Run radius-attribute include attribute-name

An attribute can be added to a RADIUS packet only by using the radius-attribute include
command. This can help control attributes in a RADIUS packet and prevent the length of a
RADIUS packet from exceeding 2048 bytes.

Step 7 Run radius-attribute include hw-dhcp-option option-num&<1-16>

The hw-dhcp-option attribute can be added to RADIUS authentication packets.

Step 8 Run radius-attribute include reply-message coa-nak

The Reply-Message attribute can be added to coa-nak packets.

Step 9 Run radius-attribute include nas-ip-address { accounting-on | accounting-off }*

The NAS-IP-Address attribute can be added to RADIUS accounting-on or accounting-off
packets.
Step 10 Run radius-attribute usermac-as-option61
The Option 61 field is encapsulated into the No. 153 proprietary RADIUS attribute,
hw-user-mac. If you also configure the client-option82 version1 command on the BAS
interface, the client-id information (DHCPv4 Option61/DHCPv6 Option1/PPPoE PADR Tag
0x0103 Host-unique) is encapsulated into the Class attribute in RADIUS accounting packets.
Step 11 Run radius-attribute include event-timestamp { accounting-on | accounting-off }
A RADIUS Accounting-On or Accounting-Off packet is configured to carry the
event-timestamp attribute.
Step 12 Run radius-attribute include class edsg
The class attribute can be added to EDSG service accounting packets.
Step 13 Run radius-attribute include hw-dhcpv6-option37 accounting-request
The HW-DHCPv6-Option37 attribute is allowed to be carried in user accounting request
packets sent to the RADIUS server.
Step 14 Run radius-attribute include hw-vpn-instance accounting-request
The HW-VPN-Instance attribute is allowed to be carried in user accounting request packets
sent to the RADIUS server.
Step 15 Run radius-attribute include hw-web-url accounting-request
The HW-Web-Url attribute is allowed to be carried in user accounting request packets sent to
the RADIUS server.
Step 16 Run radius-attribute include framed-route accounting-request
The Framed-Route attribute is allowed to be carried in user accounting request packets sent to
the RADIUS server.
Step 17 Run radius-attribute include hw-acct-terminate-subcause edsg
The HW-Acct-Terminate-Subcause attribute is allowed to be carried in EDSG service
accounting stop packets.
Step 18 Run radius-attribute include hw-user-mac edsg accounting-request
The HW-User-Mac attribute is allowed to be carried in EDSG service accounting request
packets.
Step 19 Run radius-attribute include hw-avpair subscriber:vpnid accounting-request
The user VPN index in the HW-Avpair attribute is allowed to be carried in accounting packets
of IPv4 users.
Step 20 Run commit
The configuration is committed.

----End
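Steps 5 and 6 concern how proprietary attributes are packed into RADIUS attribute 26 and how the packet length is kept under 2048 bytes. The following added Python example (not Huawei code) encodes attributes as RFC 2865 TLVs, packs Huawei vendor-ID 2011 sub-attributes either one per VSA or in continuous mode, and checks the length limit; the sub-attribute numbers are taken from the display radius-attribute output later in this section, everything else is an assumption.

```python
"""Added example (not Huawei code): RFC 2865 attribute TLVs, vendor-specific
attribute (VSA) packing for vendor ID 2011 in separate and continuous mode,
and a check against the 2048-byte packet limit named in the guide."""
import struct

HUAWEI_VENDOR_ID = 2011
VSA = 26
HEADER_LEN = 20       # Code, Identifier, Length, Authenticator
MAX_ATTR_LEN = 255    # one-byte Length field covers type + length + value
PACKET_LIMIT = 2048   # limit the guide gives for radius-attribute include
# Sub-attribute numbers as listed on this page for vendor 2011(HUAWEI)
HW_PORTAL_URL, HW_QOS_PROFILE_NAME, HW_DOMAIN_NAME = 27, 31, 138


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Standard TLV: Type(1) Length(1) Value(<= 253 bytes)."""
    if len(value) > MAX_ATTR_LEN - 2:
        raise ValueError("attribute value too long for a single TLV")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, sub_attrs) -> list:
    """Continuous mode: pack (vendor_type, value) pairs into as few VSAs as
    possible.  A VSA is Type(26) Length(1) Vendor-Id(4) + vendor data, so the
    vendor data must fit in 255 - 6 = 249 bytes; overflow starts a new VSA."""
    vsas, chunk = [], b""
    for vtype, value in sub_attrs:
        sub = encode_attr(vtype, value)      # vendor-type / vendor-length / value
        if len(sub) > MAX_ATTR_LEN - 6:
            raise ValueError("sub-attribute does not fit in one VSA")
        if len(chunk) + len(sub) > MAX_ATTR_LEN - 6:
            vsas.append(chunk)
            chunk = b""
        chunk += sub
    if chunk:
        vsas.append(chunk)
    return [struct.pack("!BBI", VSA, len(c) + 6, vendor_id) + c for c in vsas]


def encode_vsa_separate(vendor_id: int, sub_attrs) -> list:
    """Default mode: one attribute 26 per proprietary attribute."""
    return [encode_vsa(vendor_id, [sa])[0] for sa in sub_attrs]


def packet_length(attrs) -> int:
    """Length field value of a RADIUS packet carrying these encoded attributes."""
    return HEADER_LEN + sum(len(a) for a in attrs)


def fits_limit(attrs) -> bool:
    """True when the packet stays within the 2048-byte limit."""
    return packet_length(attrs) <= PACKET_LIMIT
```

Continuous mode saves six bytes of VSA overhead per additional sub-attribute, which is what keeps attribute-heavy Access-Request packets below the limit.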

6.6.17 (Optional) Configuring DSCP Values for RADIUS Packets


To prevent RADIUS packets sent by the NE40E from being discarded in the case of network
congestion, you can configure DSCP values for the RADIUS packets.

Context
You can configure DSCP values for RADIUS packets, including the RADIUS packets sent by
the NE40E to a RADIUS server and the RADIUS packets sent by the NE40E to an AP/AC.

Perform the following steps on the NE40E:

Procedure
l Configure DSCP values of RADIUS packets sent by the NE40E to a RADIUS server.
DSCP priorities of RADIUS packets sent by the NE40E to a RADIUS server can be
configured in two modes. The DSCP value of RADIUS packets configured in the
RADIUS server group view has a higher priority.

In the system view, configure a DSCP value for RADIUS packets.

a. Run system-view

The system view is displayed.


b. Run radius-server packet dscp dscp

A DSCP value is configured for RADIUS packets sent by the NE40E.

In the RADIUS server group view, configure a DSCP value for RADIUS packets.

a. Run system-view

The system view is displayed.


b. Run radius-server group group-name

The RADIUS server group view is displayed.


c. Run radius-server packet dscp dscp

A DSCP value is configured for RADIUS packets sent by the NE40E.

----End

6.6.18 (Optional) Configuring a Mode of Encapsulating User IP Addresses
A RADIUS server and the NE40E must use the same RADIUS attribute to communicate.

Context
The RADIUS server attributes used for address encapsulation are Framed-IP-Address,
Framed-IP-Netmask, and Delegated-IPv6-Prefix. In version 1 format, the NE40E can only
encapsulate a valid address into these attributes. In version 2 format, the NE40E can
encapsulate a valid address or an invalid address delivered by the RADIUS server into these
attributes.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-attribute { framed-ip-address | delegated-ipv6-prefix }
encapsulation-method { version1 | version2 }

The mode of encapsulating user IP addresses is configured.

In version 2 format, a valid address is used for encapsulation when one is available.
Without a valid address, the invalid address delivered by the RADIUS server is used for
encapsulation. Without either address, the attributes will not be delivered by the RADIUS
server.

----End

6.6.19 (Optional) Configuring RADIUS Attributes


The attributes delivered by the RADIUS server take effect only when there are corresponding
configurations on the NE40E.

Context
l Access service template
After an access service template is configured, the RADIUS server can send the service
template name and control user traffic by time segment.
When the authentication response message sent by the RADIUS server includes the
HW-Access-Service attribute, the traffic bandwidth restriction is based on the QoS profile
rule bound to the service template. When the QoS profile not containing a time segment
and the QoS profile containing a time segment in an access service template exist at the
same time, the QoS profile containing a time segment has a higher priority than the QoS
profile not containing a time segment.
If an in-use QoS profile in an access service template is modified, the modification takes
effect in real time. If all QoS profiles in an access service template are removed, the QoS
profile that is previously bound with the user takes effect.
l Static route synchronization from the RADIUS server to the NE40E
This function enables the NE40E to periodically or immediately synchronize static
routes with those delivered by the RADIUS server. Static route synchronization requests,
if not acknowledged, will be retransmitted before the maximum allowable number of
times is reached.
l Update of user names and domains based on CoA messages
In the web authentication scenario where a portal server cannot exchange authentication
messages with a BRAS, you can configure the portal server to exchange authentication
messages with a RADIUS server. To enable a BRAS to update user names based on
those delivered in CoA messages and switch users to the domains carried in the
RADIUS-delivered user names, run the radius-server coa update username command.

Perform the following steps on the NE40E:

Procedure
l Create an access service template.
a. Run system-view
The system view is displayed.
b. Run access-service service-name
The access service template view is displayed.
c. Run qos-profile profile-name
The default QoS profile bound to the access service template is configured.
Each access service template can be bound only with one QoS profile not
containing a time segment.
d. Run qos-profile profile-name time-range time-range-name
The QoS profile (containing a time segment) bound to the access service template is
configured.
Each access service template can be bound with up to 16 different time segments.
l Enable static route synchronization from the RADIUS server to the NE40E.
a. Run system-view
The system view is displayed.
b. Run aaa route-download server-group group-name base-user-name user-name
password { simple | cipher } password [ download-interval interval-value |
retry-interval retry-interval-value | retry-max-count retry-count | tag tag-value | cost
cost-value | synchronization synchronization ]
The NE40E is enabled to periodically synchronize static routes with those delivered
by the RADIUS server.
c. (Optional) Run aaa route-download recover-delay delay-time
Delayed advertisement is configured for static routes downloaded from a RADIUS
server after the NE40E is restarted and configurations are restored.
In BRAS multi-device backup scenarios, after the aaa route-download command
is run to enable the NE40E to download static routes from a RADIUS server at an
interval, you must also run the aaa route-download recover-delay command to
configure delayed advertisement of static routes downloaded from a RADIUS
server.
In BRAS multi-device backup scenarios, after the aaa route-download command
is run to enable the NE40E to download static routes from a RADIUS server at an
interval, the master and backup devices download static routes from the RADIUS
server, but the cost value of the static routes downloaded to the master device is less
than that of the static routes downloaded to the backup device. If the master device
is restarted and immediately downloads static routes from the RADIUS server and
advertises them to the network side, network-side traffic will be transmitted to the
master device. However, batch backup of user information has not yet completed,
and the master device cannot process traffic. Therefore, the traffic is transmitted to
the backup device through the link between the master and backup devices. If the
network traffic volume is greater than the bandwidth of the link between the master
and backup devices, the downstream traffic may be interrupted.

To prevent this problem, run the aaa route-download recover-delay command to
configure delayed advertisement of static routes downloaded from a RADIUS
server after the NE40E is restarted and configurations are restored so that the
NE40E can advertise the static routes after user information is backed up. When the
master device is restarted, the network-side traffic is switched to the new master
device, preventing a traffic detour.
d. Run clear ip routes aaa-download [ [ vpn-instance vpn-name ] [ ip-address
mask-len | ipv6-address prefix-length ] | all ]
Static routes delivered by the RADIUS server are cleared from the NE40E.
e. Run aaa route-download now force
The NE40E is configured to immediately synchronize static routes with those
delivered by the RADIUS server.
l Update user names based on CoA messages and switch users to new domains.
a. Run system-view

The system view is displayed.


b. Run radius-server coa update username

The device is enabled to update user names based on those delivered in CoA
messages and switch users to the domains carried in the RADIUS-delivered user
names.

----End

Result
l Run the display access-service command in any view to check information about the
access service template.
l Run the display aaa route-download config command in any view to check
configurations about static route synchronization from the RADIUS server to the
NE40E.
l Run the display aaa route command in any view to check whether static routes are
successfully delivered by the RADIUS server.
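The QoS profile selection rules of the access service template (time-segment profile beats the default, one default per template, at most 16 time segments, previously bound profile when the template is emptied), as an added Python example that is not Huawei code. Time ranges are simplified to daily HH:MM windows and all names are assumptions; how the device treats a template with only inactive time segments and no default is not stated in the guide, so the fallback used there is an assumption too.

```python
"""Added example (not Huawei code): QoS profile selection for an access
service template following the priority rules in section 6.6.19.
Time ranges are daily HH:MM-HH:MM windows; names are assumptions."""
from dataclasses import dataclass, field
from datetime import time
from typing import Optional

MAX_TIME_SEGMENTS = 16     # limit stated in the guide


def hhmm(text: str) -> time:
    """Parse 'HH:MM' into a datetime.time."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


@dataclass
class TimeRange:
    name: str
    start: str   # "HH:MM"
    end: str     # "HH:MM"; earlier than start means the window crosses midnight

    def __post_init__(self):
        self._start, self._end = hhmm(self.start), hhmm(self.end)

    def contains(self, t: time) -> bool:
        if self._start <= self._end:                      # same-day window
            return self._start <= t < self._end
        return t >= self._start or t < self._end          # window crossing midnight


@dataclass
class AccessService:
    name: str
    default_profile: Optional[str] = None                 # qos-profile profile-name
    timed_profiles: list = field(default_factory=list)    # [(TimeRange, profile)]

    def bind_default(self, profile: str) -> None:
        """Only one profile without a time segment per template: rebinding replaces it."""
        self.default_profile = profile

    def bind_timed(self, time_range: TimeRange, profile: str) -> None:
        """qos-profile profile-name time-range time-range-name."""
        if any(tr.name == time_range.name for tr, _ in self.timed_profiles):
            raise ValueError(f"time range {time_range.name} is already bound")
        if len(self.timed_profiles) >= MAX_TIME_SEGMENTS:
            raise ValueError("a template can be bound with at most 16 time segments")
        self.timed_profiles.append((time_range, profile))


def select_qos_profile(service: AccessService, now: str, previously_bound: str) -> str:
    """Profile that applies at 'now'.  Selection is evaluated on every call, so a
    modified profile takes effect immediately, as the guide states."""
    current = hhmm(now)
    for tr, profile in service.timed_profiles:
        if tr.contains(current):
            return profile                      # time-segment profile has priority
    if service.default_profile is not None:
        return service.default_profile
    # No profile applies (template emptied, or only inactive windows: the latter
    # fallback is an assumption): the previously bound profile takes effect.
    return previously_bound
```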

6.6.20 (Optional) Configuring an IPv6 Address Pool to be Delivered using the
Framed-Ipv6-Pool Attribute to Replace the IPv6 Address Pools of the Same Type

Context
If you want to use an IPv6 address pool delivered by a RADIUS server using the
Framed-Ipv6-Pool attribute together with the IPv6 address pools configured in the domain to
assign IPv6 addresses to users, run the radius-attribute apply framed-ipv6-pool match
pool-type command. After this command is configured, the IPv6 address pool delivered by
the RADIUS server using the Framed-Ipv6-Pool attribute replaces the IPv6 address pools of
the same type configured in the domain.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server group group-name
The RADIUS server group view is displayed.
Step 3 Run radius-attribute apply framed-ipv6-pool match pool-type
An IPv6 address pool to be delivered by a RADIUS server using the Framed-Ipv6-Pool
attribute is configured to replace the IPv6 address pools of the same type configured in a
domain.

----End

6.6.21 (Optional) Configuring the User-Defined Encapsulation for Radius Attributes
Context
You can also specify a DHCP/DHCPv6 option to encapsulate a RADIUS attribute.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server group group-name
The RADIUS server group view is displayed.
Step 3 Run radius-attribute assign attribute-name { dhcp dhcp-option-code | dhcpv6
dhcpv6-option-code }
The device is configured to encapsulate a RADIUS attribute in a specified DHCP/DHCPv6
option.

NOTE

The value of attribute-name can only be HW-PCP-Server-Name.

----End

6.6.22 (Optional) Configuring the RADIUS Server to Dynamically Deliver ACLs
The RADIUS server can dynamically deliver ACLs based on the HW-Data-Filter attribute.

Context
The RADIUS server delivers the HW-Data-Filter attribute (No.26-82) carrying the traffic
classifier-behavior pair. The traffic classifier attribute carries the classifier name, behavior
name, and rule information, and the traffic behavior attribute carries the behavior name and
behavior information. ACL information is dynamically delivered after the traffic
classifier-behavior pair is delivered. The HW-Data-Filter attribute is disabled by default and
can be enabled only using commands.

Perform the following operations on the Router.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 (Optional) Run remote-download user-group enable

The RADIUS server is configured to create dynamic user groups.

Step 4 (Optional) Run remote-download user-group check interval interval

The interval at which the NE40E checks whether online users or dynamic ACLs are using the
dynamic user group created by the RADIUS server is configured.

The NE40E checks one dynamic user group at each interval. If a user group is not used, the
NE40E deletes the user group.

Step 5 Run remote-download acl enable

The RADIUS server is configured to create dynamic ACLs. The RADIUS server can deliver
the HW-Data-Filter attribute carrying the traffic classifier-behavior pair for dynamic ACLs.

Step 6 (Optional) Run remote-download acl warning-threshold warning-threshold

The RADIUS server is configured to deliver the alarm threshold for the traffic
classifier-behavior pair usage.

Step 7 (Optional) Run recycle remote-download acl classifier classifier-name

The idle traffic classifier-behavior pair is reclaimed.

Step 8 Run quit

Return to the system view.

Step 9 Run radius-server group groupname

The RADIUS server group view is displayed.

Step 10 (Optional) Run radius-attribute decode-error-policy ignore attribute-name

The NE40E ignores the RADIUS packets with the attribute that fails the parse and check.

Currently only the HW-Data-Filter attribute is supported.

----End

6.6.23 (Optional) Configuring the Function to Parse the Option 17 Field Based on the
Format Defined by the DSL Forum
This section describes how to configure the device to parse the Option 17 field based on the
format defined by the DSL Forum and send the obtained sub-attributes to a RADIUS server.

Context
User login request packets carry Relay headers or multi-level Relay headers. The Relay
header carries the Option 17 field which contains sub-options. If the format of the options
carried in the Relay headers and DHCPv6 packets conforms to that defined by the DSL
Forum, the device can parse the Option 17 field and send the obtained sub-attributes to the
RADIUS server after the dhcpv6 option-17 decode version1 command is run in the system
view. Otherwise, the device does not parse the options nor send the attributes to the RADIUS
server.
Perform the following steps on the Router.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcpv6 option-17 decode version1
The device is enabled to parse the Option 17 field based on the format defined by the DSL
Forum and send the obtained sub-attributes to a RADIUS server.

----End

6.6.24 Verifying the RADIUS Configuration


After configuring a RADIUS server, you can view the server configurations, RADIUS
attributes supported by the system, and statistics on RADIUS packets.

Prerequisites
RADIUS server has been configured.

Procedure
l Run the display radius-server authorization configuration command to check the
configuration of the RADIUS authorization server.
l Run the display radius-server configuration [ group groupname ] command to check
the configuration of the RADIUS server group.

NOTE
Configuring the ui-mode type1 command in the system view influences the output format of the
display command.
l Run the display radius-attribute [ name attribute-name | type { 3gpp | dsl | huawei |
microsoft | redback | standard } attribute-number ] command to check the RADIUS
attributes supported by the system.
l Run the display radius-attribute [ server-group server-group-name packet {
access-request | access-accept | access-reject | accounting-request | accounting-response |
coa-request | coa-ack | coa-nak | dm-request | dm-ack | dm-nak | accounting-on |
accounting-off } ] command to check attributes carried in packets sent by the RADIUS
server group.
l Run the display radius-server packet { ip-address | ipv6-address } ip-address
[ vpn-instance vpn-instance ] { accounting | authentication | coa | dm } command to check
the statistics about the packets on the RADIUS server of a specified IP address.
l Run the display radius-attribute packet-count command to check the number of times
an attribute occurs in a RADIUS packet.
l Run the display radius-client statistics client-ip client-ip-address [ vpn-instance
vpn-instance-name ] command to check statistics about RADIUS packets exchanged between
the RADIUS client and proxy.
l Run the display aaa remote-download acl item [ user-id user-id | classifier
classifier-name ] * [ verbose ] command to check information about the traffic
classifier-behavior pair in dynamic ACLs delivered by the RADIUS server.
l Run the display aaa remote-download acl statistics classifier classifier-name [ slot
slot-id ] command to check statistics about the traffic classifier-behavior pair in dynamic
ACLs delivered by the RADIUS server on a specific board.

----End

Example
Run the display radius-server authorization configuration command to view the
configuration of the RADIUS authorization server.
<HUAWEI> display radius-server authorization configuration
-----------------------------------------------------------------------------
IP-Address Secret-key Group Ack-r
Reserved-interval
-----------------------------------------------------------------------------
192.168.7.100 huawei rd1 20
Vpn : --
-----------------------------------------------------------------------------
1 Radius authorization server(s) in total

Run the display radius-server configuration command, and you can view the configuration
of the RADIUS server group.
<HUAWEI> display radius-server configuration
RADIUS source interface : LoopBack20
RADIUS no response packet count : 30
RADIUS auto recover time(Min) : 100
RADIUS authentication source ports :
IPv4: 1812
IPv6: 1812
RADIUS accounting source ports :
IPv4: 1813
IPv6: 1813
-------------------------------------------------------
Server-group-name : chen
Authentication-server: IP:10.3.4.144 Port:1812 Weight[0] [UP]
Vpn: -
Accounting-server : IP:10.3.4.144 Port:1814 Weight[0] [UP]
Vpn: -
Protocol-version : radius
Shared-secret-key : ******
Retransmission : 3
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
-------------------------------------------------------

Are you sure to display next (y/n)[y]:y


-------------------------------------------------------
Server-group-name : huawei
Authentication-server: IP:10.1.1.1 Port:1820 Weight[50] [UP]
Vpn: -
Accounting-server : IP:10.1.1.1 Port:1823 Weight[0] [UP]
Vpn: -
Accounting-server : IP:10.1.1.2 Port:20 Weight[20] [UP]
Vpn: -
share-key: huawei
Protocol-version : radius
Shared-secret-key : ******
Retransmission : 2
Timeout-interval(s) : 8
Acct-Stop-Packet Resend : YES
Acct-Stop-Packet Resend-Times : 100
-------------------------------------------------------
Total 2,2 printed

Run the display radius-attribute [ name attribute-name | type { 3gpp | dsl | huawei |
microsoft | redback | standard } attribute-number ] command, and you can view the
RADIUS attributes supported by the NE40E of the current version.
<HUAWEI> display radius-attribute type standard 1
Radius Attribute Type : 1
Radius Attribute Name : User-Name
Radius Attribute Description : This Attribute indicates the name of the user to
be authenticated.
Supported Packets : Auth Request, Acct Request, Session Control, COA
Request, COA Ack

Run the display radius-attribute server-group server-group-name packet access-request
command, and you can view the attributes of Access-Request packets in the RADIUS server
group named group2.
<HUAWEI> display radius-attribute server-group group2 packet access-request
-------------------------------------------------------------------------------
Radius Packet Type : Access-Accept
Attribute Type Attribute Name Translate From
-------------------------------------------------------------------------------
1 User-Name
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
11 Filter-Id
12 Framed-MTU
14 Login-IP-Host
15 Login-Service
18 Reply-Message
19 Callback-Number
22 Framed-Route
24 State
25 Class
27 Session-Timeout
28 Idle-Timeout
29 Termination-Action
62 Port-Limit
64 Tunnel-Type
65 Tunnel-Medium-Type
66 Tunnel-Client-Endpoint
67 Tunnel-Server-Endpoint
69 Tunnel-Password
75 Password-Retry
79 EAP-Message
80 Message-Authenticator
81 Tunnel-Private-Group-ID
82 Tunnel-Assignment-ID
83 Tunnel-Preference
85 Acct-Interim-Interval

88 Framed-Pool
89 Chargeable-User-Identity
90 Tunnel-Client-Auth-ID
96 Framed-Interface-Id
97 Framed-IPv6-Prefix
98 Login-IPv6-Host
99 Framed-IPv6-Route
100 Framed-IPv6-Pool
123 Delegated-IPv6-Prefix
135 Ascend-Client-Primary-Dns
136 Ascend-Client-Secondary-Dns
2011(HUAWEI),1 HW-Input-Committed-Burst-Size
2011(HUAWEI),2 HW-Input-Committed-Information-Rate
2011(HUAWEI),3 HW-Input-Peak-Information-Rate
2011(HUAWEI),4 HW-Output-Committed-Burst-Size
2011(HUAWEI),5 HW-Output-Committed-Information-Rate
2011(HUAWEI),6 HW-Output-Peak-Information-Rate
2011(HUAWEI),15 HW-Remanent-Volume
2011(HUAWEI),17 HW-Subscriber-QoS-Profile
2011(HUAWEI),22 HW-Priority
2011(HUAWEI),27 HW-Portal-URL
2011(HUAWEI),28 HW-FTP-Directory
2011(HUAWEI),29 HW-Exec-Privilege
2011(HUAWEI),30 HW-RADIUS-MP-VT-Number
2011(HUAWEI),31 HW-QOS-Profile-Name
2011(HUAWEI),32 HW-SIP-Server
2011(HUAWEI),35 HW-Renewal-Time
2011(HUAWEI),36 HW-Rebinding-Time
2011(HUAWEI),37 HW-IGMP-Enable
2011(HUAWEI),61 HW-Up-Priority
2011(HUAWEI),62 HW-Down-Priority
2011(HUAWEI),63 HW-Tunnel-Vpn-Instance
2011(HUAWEI),64 HW-Virtual-Template
2011(HUAWEI),65 HW-User-Date
2011(HUAWEI),66 HW-User-Class
2011(HUAWEI),70 HW-PPP-NCP-Type
2011(HUAWEI),71 HW-VSI-Name
2011(HUAWEI),72 HW-Subnet-Mask
2011(HUAWEI),73 HW-Gateway-Address
2011(HUAWEI),74 HW-Lease-Time
2011(HUAWEI),75 HW-Ascend-Client-Primary-WINS
2011(HUAWEI),76 HW-Ascend-Client-Second-WIN
2011(HUAWEI),77 HW-Input-Peak-Burst-Size
2011(HUAWEI),78 HW-Output-Peak-Burst-Size
2011(HUAWEI),79 HW-Reduced-CIR
2011(HUAWEI),80 HW-Tunnel-Session-Limit
2011(HUAWEI),82 HW-Data-Filter
2011(HUAWEI),83 HW-Access-Service
2011(HUAWEI),85 HW-Portal-Mode
2011(HUAWEI),87 HW-Policy-Route
2011(HUAWEI),88 HW-Framed-Pool
2011(HUAWEI),91 HW-Queue-Profile
2011(HUAWEI),92 HW-Layer4-Session-Limit
2011(HUAWEI),93 HW-Multicast-Profile-Name
2011(HUAWEI),94 HW-VPN-Instance
2011(HUAWEI),95 HW-Policy-Name
2011(HUAWEI),96 HW-Tunnel-Group-Name
2011(HUAWEI),97 HW-Multicast-Source-Group
2011(HUAWEI),98 HW-Multicast-Receive-Group
2011(HUAWEI),99 HW-Multicast-Type
2011(HUAWEI),100 HW-Reduced-PIR
2011(HUAWEI),135 HW-Client-Primary-DNS
2011(HUAWEI),136 HW-Client-Secondary-DNS
2011(HUAWEI),138 HW-Domain-Name
2011(HUAWEI),140 HW-HTTP-Redirect-URL
2011(HUAWEI),141 HW-PPP-Local-IP-Address
2011(HUAWEI),142 HW-Qos-Profile-Type
2011(HUAWEI),143 HW-Max-List-Num
2011(HUAWEI),154 HW-DNS-Server-IPv6-Address

2011(HUAWEI),155 HW-DHCPv4-Option121
2011(HUAWEI),156 HW-DHCPv4-Option43
2011(HUAWEI),157 HW-Framed-Pool-Group
2011(HUAWEI),158 HW-Framed-IPv6-Address
2011(HUAWEI),160 HW-Nat-Policy-Name
2011(HUAWEI),164 HW-Nat-Port-Forwarding
2011(HUAWEI),166 HW-DS-Lite-Tunnel-Name
2011(HUAWEI),167 HW-PCP-Server-Name
2011(HUAWEI),182 HW-Down-Qos-Profile-Name
2011(HUAWEI),183 HW-Port-Mirror
2011(HUAWEI),191 HW-Delegated-IPv6-Prefix-Pool
2011(HUAWEI),194 HW-IPv6-Policy-Route
2011(HUAWEI),253 HW-Web-URL
311(MICROSOFT),16 MS-MPPE-Send-Key
311(MICROSOFT),17 MS-MPPE-Recv-Key
311(MICROSOFT),26 MS-CHAP2-Success
311(MICROSOFT),28 MS-Primary-DNS-Server
311(MICROSOFT),29 MS-Secondary-DNS-Server
2352(RedBack),92 Forward-Policy
2352(RedBack),106 NPM-Service-Id
2352(RedBack),107 HTTP-Redirect-Profile-Name
2352(RedBack),165 HTTP-Redirect-URL
5535(3GPP2),7 Home-Agent-Address
5535(3GPP2),81 Removal-Indication
-------------------------------------------------------------------------------

Run the display radius-server packet ip-address ip-address [ vpn-instance ] accounting
command, and you can view the statistics about the accounting packets on the RADIUS
server of a specified IP address.
<HUAWEI>display radius-server packet ip-address 10.1.1.2 accounting
Total radius server accounting packets:
Account Requests : 1 Account Retransmissions : 19
Account Responses : 0 Malformed Account Responses : 0
Bad Authenticators : 0 Pending Requests : 0
Timeouts : 20
Speed Limit Block : 0 Pending Limit Block : 0
Server Down Block : 0 No Source IP Block : 0
Server Not Reply : 20
Unknown Types : 0 Packets Dropped : 0
Last 30 minutes radius server accounting packets:
Account Requests : 0 Account Retransmissions : 0
Account Responses : 0 Malformed Account Responses : 0
Bad Authenticators : 0 Pending Requests : 0
Timeouts : 20
Speed Limit Block : 0 Pending Limit Block : 0
Server Down Block : 0 No Source IP Block : 0
Server Not Reply : 20
Unknown Types : 0 Packets Dropped : 0
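
The counters above are what an operator watches to tell a dead accounting server from a shared-secret problem. The following added Python example (not Huawei code) parses that output into per-section counters and derives findings; the sample text is a constructed copy of the output shown above, and the function names and thresholds are assumptions.

```python
"""Added example (not Huawei code): parse the counters printed by
`display radius-server packet ... accounting` and flag conditions worth
alerting on.  SAMPLE_OUTPUT is a constructed copy of the output above."""
import re

SAMPLE_OUTPUT = """\
Total radius server accounting packets:
Account Requests : 1 Account Retransmissions : 19
Account Responses : 0 Malformed Account Responses : 0
Bad Authenticators : 0 Pending Requests : 0
Timeouts : 20
Speed Limit Block : 0 Pending Limit Block : 0
Server Down Block : 0 No Source IP Block : 0
Server Not Reply : 20
Unknown Types : 0 Packets Dropped : 0
Last 30 minutes radius server accounting packets:
Account Requests : 0 Account Retransmissions : 0
Account Responses : 0 Malformed Account Responses : 0
Bad Authenticators : 0 Pending Requests : 0
Timeouts : 20
Speed Limit Block : 0 Pending Limit Block : 0
Server Down Block : 0 No Source IP Block : 0
Server Not Reply : 20
Unknown Types : 0 Packets Dropped : 0
"""

# One "Label : number" pair; several pairs may share a line.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")


def parse_packet_stats(text: str) -> dict:
    """Return {section: {counter: int}}; a section header is a line ending in ':'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"counter line before any section header: {line!r}")
        for name, value in COUNTER_RE.findall(line):
            sections[current][name] = int(value)
    return sections


def assess(counters: dict) -> list:
    """Findings for one section.  Thresholds are assumptions, not from the guide."""
    findings = []
    responses = counters.get("Account Responses", 0)
    if responses == 0 and (counters.get("Timeouts", 0) > 0
                           or counters.get("Server Not Reply", 0) > 0):
        findings.append("server unresponsive: accounting records are not being acknowledged")
    if counters.get("Bad Authenticators", 0) > 0:
        findings.append("bad authenticators: shared-secret mismatch or forged responses")
    if counters.get("Malformed Account Responses", 0) > 0:
        findings.append("malformed responses received")
    if counters.get("Account Retransmissions", 0) > counters.get("Account Requests", 0):
        findings.append("retransmissions exceed requests: persistent delivery failure")
    return findings
```

Unacknowledged accounting means session records are being lost while the user stays online, which is why the unresponsive case is checked before anything else.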

Run the display radius offline-sub-reason [ subcode subcode-number ] command to check
the user offline causes mapped to the numbers carried in the Accounting Stop packets sent to
the RADIUS server.
<HUAWEI> display radius offline-sub-reason subcode 1
------------------------------------------------------------------------------
Subcode description of offline sub reason
------------------------------------------------------------------------------
1 User request to offline
------------------------------------------------------------------------------

Run the display radius-client statistics command to view statistics about RADIUS packets
exchanged between the RADIUS client and proxy.
<HUAWEI> display radius-client statistics client-ip 10.111.2.20
Authentication packets:
Access Requests : 0 Access Accepts : 0
Access Challenges : 0 Access Rejects : 0
Bad Authenticators : 0 Packets Dropped : 0
Accouting packets:
Account Requests : 0 Account Responses : 0
Bad Authenticators : 0 Packets Dropped : 0
DM packets:
Author Requests : 0 Author Acks : 0
Author Naks : 0
Abnormal Attribute Length packets:
Access Requests : 0 Account Requests : 0
Author Acks : 0 Author Naks : 0
Corrected Access Requests : 0

Run the display aaa remote-download acl item [ user-id user-id | classifier classifier-
name ] * [ verbose ] command. The command output shows information about the traffic
classifier-behavior pair in dynamic ACLs delivered by the RADIUS server.
<HUAWEI> display aaa remote-download acl item
-------------------------------------------------------------------------------
ClassifierName      ReferedNumByUser    RuleNumber    Classifiertype
-------------------------------------------------------------------------------
class6              1                   2             remote
The used user-id table are :
-------------------------------------------------------------------------------
class5              1                   2             remote
The used user-id table are :
-------------------------------------------------------------------------------
Total Classifier-Behavior Number : 2

Run the display aaa remote-download acl statistics classifier classifier-name [ slot slot-id ]
command. The command output shows statistics about the traffic classifier-behavior pair in
dynamic ACLs delivered by the RADIUS server on a specific board.
<HUAWEI> display aaa remote-download acl statistics classifier c2 slot 1
-------------------------------------------------------------------------
Classifier name: c2
Classifier type: remote
rule:(number: 1)
ipv4;ruleid=5;daaflag;permit;proto=6;dipv4=10.2.3.3/16;su-group=group1;
(IPv4, inbound: 0 packets, 0 bytes, outbound: 0 packets, 0 bytes)
Behavior name: b2
deny;
Behavior Type: remote
----------------------------------------------------------------------------

6.7 Configuring the Diameter Server

A Diameter server must be configured when service policies need to be delivered through a
Diameter server.

Context
A Diameter server is used to deliver service policies for value-added services, such as the
BOD, DAA, and EDSG services.
Before configuring a Diameter server, get familiar with the following basic concepts:
- Diameter client: is the local Router. Only one client entity can be configured on the
Router.
- Diameter server: is the remote policy server RM9000. A maximum of eight Diameter
servers can be specified on the Router.
- Diameter connection group: is a Diameter server-client connection group that is uniquely
identified by the client name and server name. Since a maximum of eight servers can be
specified on the Router, at most eight Diameter connection groups may exist on the
Router.
- Diameter link: is a Diameter connection that is established using TCP. It is uniquely
identified by the IP address and port number of the Diameter client, and IP address and
port number of the Diameter server. A maximum of four Diameter links can be set up in
the Diameter server group view.

Configuration Process

Figure 6-1 Flowchart of configuring a Diameter server
[Flowchart: (Optional) Configuring a Diameter-enabled Interface to Support EDSG Services -> Enabling the Diameter Function (mandatory) -> Configuring a Diameter Link (mandatory) -> (Optional) Binding a Diameter Server Group to an AAA Domain]

6.7.1 (Optional) Configuring a Diameter-enabled Interface to Support EDSG Services

Before configuring a Diameter server for EDSG services, enable the Diameter-enabled
interface to support EDSG services.

Context
By default, a Diameter server cannot deliver EDSG services through a Gx interface.
Therefore, configure the Diameter-enabled Gx interface to allow the Diameter server to
deliver EDSG services.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run diameter predefined-rule support-type edsg
The Diameter-enabled Gx interface is configured to allow the Diameter server to deliver
EDSG services.
Step 3 Run commit
The configuration is committed.

----End

6.7.2 Enabling the Diameter Function

Enabling the Diameter function is the prerequisite of configuring a Diameter server.

Context
After the Diameter function is enabled, you can configure some optional Diameter-related
functions, such as the maximum number of times a probe packet can be retransmitted and the
maximum number of times a CCR-I message can be retransmitted.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run diameter enable
The Diameter protocol is enabled on the Router.

Step 3 (Optional) Run diameter-dwr { retransmit retry-times | timeout second }*
The number of Device-Watchdog-Request (DWR) probe packet retransmissions and the probe
timeout period are configured.
Step 4 (Optional) Run diameter gx event-trigger version { r940 | r970 }
The Usage_Report value of Event-Trigger is changed.
Step 5 (Optional) Run diameter gx ccri retransmit
The number of CCR-I message retransmissions, number of retransmission rounds, and
retransmission interval between rounds are configured.
Step 6 Run commit

The configuration is committed.

----End

6.7.3 Configuring a Diameter Link

A Diameter link connects a Diameter client and a Diameter server.

Context
A Diameter server group consists of the Diameter client, Diameter server, and Diameter link.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run diameter-local localname interface interface-type interface-number [ host host-name |
product product-name | realm realm-name ]*

The Diameter client entity information is configured, including the name, host IP address (IP
address of the interface specified by interface interface-type interface-number), host name,
domain name, and product name of the client.

Step 3 Run diameter-peer peer-name { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-
instance ] port port-number [ host host-name | realm realm-name ]*

The Diameter server entity information is specified, including the host name, domain name,
IP address, and port number of the server.

Step 4 Run diameter-server group group-name

A Diameter server group is created, and its view is displayed.

Step 5 Run diameter-link local local-name peer peer-name client-port port-number [ weight
weight-value ]

A Diameter link is set up between the Diameter client and server.

Step 6 (Optional) Run diameter no-send-ccri without subscription-id

The device is disabled from sending CCR-I messages to a Diameter server for user login after
the device receives a RADIUS authentication response message that does not carry the
subscription-id attribute.

Step 7 (Optional) Run diameter case-sensitive predefined-rule edsg

The device is configured to match the names of the predefined EDSG rules delivered by the
Diameter server case-sensitively.

Step 8 Run commit

The configuration is committed.

----End

6.7.4 (Optional) Binding a Diameter Server Group to an AAA Domain

After a Diameter server group is configured, bind the server group to an AAA domain.

Context
After a Diameter server group is configured, bind the server group to an AAA domain so that
the Diameter server group can be used in this domain.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run diameter-server group group-name
The created Diameter server group is bound to the AAA domain.
Step 5 Run commit
The configuration is committed.

----End
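The 6.7.1 to 6.7.4 steps as one end-to-end command sequence, added here as an illustration and not taken from the original guide. The entity names, addresses, ports and VPN instance are those shown in the display diameter configuration output in 6.7.5; the domain name huawei and the DWR values are constructed samples, and GigabitEthernet0/0/0 is assumed to already carry 10.137.83.222. Lines starting with # are annotations, not commands.

```text
system-view
# 6.7.1 (optional): allow the Gx interface to deliver EDSG rules
diameter predefined-rule support-type edsg
# 6.7.2: enable the protocol and tune the DWR keepalive (retransmit/timeout values are constructed samples)
diameter enable
diameter-dwr retransmit 3 timeout 30
# 6.7.3 Step 2: client entity, i.e. the identity this router presents to the policy server
diameter-local abc interface GigabitEthernet0/0/0 host nanjing222 realm huawei product testa
# 6.7.3 Step 3: server entity, reachable only inside VPN instance test2 on the standard Diameter port
diameter-peer peer ip 10.137.83.56 vpn-instance test2 port 3868 host pcrf.huawei.com realm huawei.com
# 6.7.3 Steps 4-5: server group and the TCP link that joins the two entities
diameter-server group test
diameter-link local abc peer peer client-port 3896 weight 10
# 6.7.3 Steps 6-7: no Gx session for a subscriber RADIUS did not identify; EDSG rule names matched exactly
diameter no-send-ccri without subscription-id
diameter case-sensitive predefined-rule edsg
quit
# 6.7.4 (optional): make the group usable for subscribers of domain huawei
aaa
domain huawei
diameter-server group test
commit
```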

6.7.5 Verifying the Diameter Server Configuration

After configuring a Diameter server, check the configurations.

Prerequisites
The Diameter server has been configured.

Procedure
- Run the display diameter configuration command to check Diameter server
configurations.
- Run the display diameter-group bind-info command to check the binding relationship
between the AAA domain and Diameter server group.
----End

Example
Run the display diameter configuration command to check Diameter server configurations.
<HUAWEI> display diameter configuration
-- Diameter Configuration ---------------------------------------------------
Diameter function is Enabled
Diameter Gx use XML data dictionary
Diameter predefined-rule support-type edsg is Enabled
Attribute used-service-unit include cc-output-octets disable
Diameter gx ccri retransmit 4
Diameter gx ccri retransmit round 5
Diameter gx ccri retransmit round timeout 79
-----------------------------------------------------------------------------
-- Diameter local information -----------------------------------------------
Diameter local number : 1
-----------------------------------------------------------------------------
| Local index : 0
| Local name : abc
| Local interface name : GigabitEthernet0/0/0
| Local IP Address : 10.137.83.222
| Local host name : nanjing222
| Local realm name : huawei
| Local product name : testa
-----------------------------------------------------------------------------
-- Diameter peer information -----------------------------------------------
Diameter peer number : 1
-----------------------------------------------------------------------------
| Peer index : 0
| Peer name : peer
| Peer IPv4 address : 10.137.83.56
| VPN Instance : test2
| Peer port : 3868
| Peer host name : pcrf.huawei.com
| Peer realm name : huawei.com
-----------------------------------------------------------------------------
-- Diameter server group Configuration --------------------------------------
Diameter server group number : 1
-----------------------------------------------------------------------------
| Group index : 0
| Group name : test
| Group active state : Active
| Group Reference number : 1
| Predefined-rule case-sensitive for EDSG : Yes
| Do not send CCR-I without subscription-id : Yes
-----------------------------------------------------------------------------
| Connection group number : 1
-----------------------------------------------------------------------------
|| Connection group index : 0
|| Local index : 0
|| Local name : abc
|| Local interface name : GigabitEthernet0/0/0
|| Local IP Address : 10.137.83.222
|| Local host name : nanjing222
|| Local realm name : huawei
|| Local product name : testa
|| Peer index : 0
|| Peer name : peer
|| Peer IPv4 address : 10.137.83.56
|| Peer port : 3868
|| Peer host name : pcrf.huawei.com
|| Peer realm name : huawei.com
-----------------------------------------------------------------------------
|| Connection number : 1
-----------------------------------------------------------------------------
|||Connection index : 0
|||Client port : 3896
|||Link State : Up
|||Link Weight : 10
-----------------------------------------------------------------------------
| Total connection number : 1
-----------------------------------------------------------------------------

Run the display diameter-group bind-info command to check the binding relationship
between the AAA domain and Diameter server group.

<HUAWEI> display diameter-group bind-info
-----------------------------------------------------------------------------
| Domain Name | Diameter Group Name |
-----------------------------------------------------------------------------
| huawei | huawei |
-----------------------------------------------------------------------------

6.8 Configuring the Function to Locally Generate and Store User Bills

This section describes how to configure the function to locally generate and store user bills, so
that user accounting information is correct if an interworking RADIUS server fails to respond
upon user login or logout.

Context
If a RADIUS server is configured to implement the accounting for access users or value-
added services, the Router allows the generation of local bills under the following scenarios:
- An accounting stop request is triggered by a user or value-added service, but the
RADIUS server does not respond. In this case, the Router generates a local bill to record
the accounting information and considers that the user is offline.
- The accounting start-fail online command is run to allow a user to go online even if
accounting fails to start for the user. When users go offline, local bills can be created to
record accounting information.

Local bills can be transferred to a bill server for account reconciliation on the RADIUS server.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run local-aaa-server

The local AAA server view is displayed.

Step 3 Run local-bill-pool enable

A local bill pool is created.

Step 4 Run bill-server ip-address filename filename [ user-name user-name password cipher
cipher-password port ]

A bill server is configured.

A bill server can be used to transfer bills stored in the local bill pool or CF card, so that the
space of local bill pool or CF card can be released.

Step 5 Configure the transfer mode and the transfer trigger conditions for bills on the Router.
- Configure the transfer mode for bills stored in the local bill pool or CF card.
a. Run local-bill cache backup-mode { cfcard | none | tftp | sftp }
The automatic bill transfer mode is specified.

If none is specified, bills in the local bill pool are not transferred. If you need bill
transfer before the automatic bill transfer condition is met, run the local-bill cache
backup command to manually transfer local bills to the CF card or bill server.
b. Run local-bill cfcard backup-mode { tftp | sftp }
The mode in which the bills in the CF card are transferred to the bill server is
configured.
Besides automatic bill transfer, the Router supports manual bill transfer from the CF
card to the bill server using the local-bill cfcard backup command.
- Configure the transfer trigger conditions for local bill transfer to the CF card or bill
server.
a. Run local-bill { cache | cfcard } backup-interval interval-time
The interval at which bills in the local bill pool or CF card are transferred to the bill
server is set.
b. Run local-bill { cache | cfcard } alarm-threshold threshold-value
The threshold at which a bill alarm is generated for the local bill pool or CF card is
set.
Step 6 (Optional) Run local-bill cfcard reset
Bills in the CF card are manually cleared.

When the CF card storage space is insufficient but the bill server is faulty, run the preceding
command to clear existing local bills. Otherwise, new bills will be dropped.

Bills cannot be restored after they are deleted from the CF card. Exercise caution when
running this command.

Step 7 Run commit


The configuration is committed.

----End
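The 6.8 procedure as one command sequence, added here as an illustration and not taken from the guide. The bill server address, account, file name, interval and threshold values are constructed samples (value units follow the command reference); sftp is chosen over tftp for both transfer stages because tftp moves the bill files with neither authentication nor encryption. Lines starting with # are annotations, not commands.

```text
system-view
local-aaa-server
# Step 3: in-memory pool that receives bills when the RADIUS accounting server does not answer
local-bill-pool enable
# Step 4: destination for transferred bills; credentials are constructed samples stored in cipher form
bill-server 10.1.1.100 filename ne40e_bills user-name billxfer password cipher Bill-Xfer-2018
# Step 5: transfer mode, pool -> CF card on the router, CF card -> bill server over SFTP
local-bill cache backup-mode cfcard
local-bill cfcard backup-mode sftp
# Step 5: trigger conditions, periodic transfer plus an alarm before either store fills up
local-bill cache backup-interval 30
local-bill cache alarm-threshold 80
local-bill cfcard backup-interval 60
local-bill cfcard alarm-threshold 70
# Step 6 (local-bill cfcard reset) is deliberately left out: it destroys unreconciled bills
commit
```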

Result
After configuring the function to locally generate and store user bills, perform the following
checks:
- Run the display local-bill configuration command to check the configurations of the
local bill transfer function.
- Run the display local-bill information command to check the usage of the CF card or
local bill pool.
- Run the display local-bill cache start-num count command to check the information
about specified bills in the local bill pool.

6.9 Configuring a Domain

The NE40E supports domain-based management for local users and access users.

6.9.1 Configuring Servers for a Domain

You can configure a RADIUS server or a DNS server for a domain as required.

Context
Perform the following steps on the Router:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name

The domain view is displayed.

Step 4 (Optional) Run radius-server llid-first-authentication group domain-name

A RADIUS server group for the first LLID authentication is configured.

Step 5 Configure a web authentication server.

1. Run radius-server group group-name

A RADIUS server group is specified for the domain.

2. Run web-server { url url [ slave ] | url-parameter | ip-address [ ipv6-address ]
[ slave ] | mode { get | post } | redirect-key { mscg-ip mscg-ip-key | mscg-name mscg-
name-key | user-ip-address user-ip-key | user-location user-location-key } | user-first-
url-key { key-name | default-name } | { ip-address [ ipv6-address ] | url url } bind
web-auth-server ip-address [ vpn-instance vpn-instance ] slave }

A mandatory web authentication server is specified for the domain.

3. (Optional) Run web-server redirect-key subscription-id subscription-id

The device is enabled to add the Option 82 information to the URL string in a redirection
packet to be sent to a user.

Step 6 Configure a DNS server.

1. Run radius-server group group-name

A RADIUS server group is specified for the domain.

2. Run dns { primary-ip | second-ip } ip-address

The primary or secondary DNS server is specified for the domain.

NOTE

If IP addresses are automatically allocated from the BAS address pool, the DNS server can be
configured in both the domain view and the address pool view, but the configuration in the domain
view takes precedence.
The IP address of the DNS server for user access can be delivered by the RADIUS server,
configured in the AAA domain view, or configured in the address pool view. The DNS server
address configured in the AAA domain view has a higher priority than that configured in the
address pool view but has a lower priority than that delivered by the RADIUS server.

----End

6.9.2 (Optional) Setting the Maximum Number of Access Users for a Domain

You can set the maximum number of access users for a domain.

Context
To guarantee the processing capability of the NE40E, you can limit the total number of access
users for a domain. If the number of users reaches the limit, additional access users are
denied.
Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run access-limit max-number
The maximum number of access users is specified for the domain.

----End

6.9.3 (Optional) Setting the Maximum Number of Sessions for an Account

You can set the maximum number of sessions for an account. This means that you can limit
the number of sessions allowed for users of the same user account. Users of the same user
account share QoS resources.

Context
To guarantee the processing capability of the NE40E, you can limit the maximum number of
sessions for an account. If the number of sessions reaches the limit, additional access users are
denied.

Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run user-max-session max-session-number
The maximum number of sessions for an account is set.

----End

6.9.4 (Optional) Setting the Priority of a Domain User

You can set a priority for each domain user so that users or services of different priorities are
offered different classes of service.

Context
Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run user-priority { upstream | downstream } { priority | trust-8021p-inner | trust-8021p-
outer | trust-dscp | trust-dscp-inner | trust-dscp-outer | unchangeable | trust-exp-inner |
trust-exp-outer }
The priority of the domain user is set.
Currently, one domain can be configured with only one user priority.
- priority: user priority. The value ranges from 0 to 7.
- trust-8021p-inner: The 802.1p priority in the inner tag of a Layer 2 user packet is used
as the user priority.
- trust-8021p-outer: The 802.1p priority in the outer tag of a Layer 2 user packet is used
as the user priority.
- trust-dscp: The DSCP value of a user packet is used as the user priority.
- trust-dscp-inner: The DSCP value in the inner tag of a user packet is used as the user
priority.
- trust-dscp-outer: The DSCP value in the outer tag of a user packet is used as the user
priority.
- unchangeable: The user priority is fixed.
- trust-exp-inner: The EXP value in the inner tag of an MPLS packet is used as the user
priority.
- trust-exp-outer: The EXP value in the outer tag of an MPLS packet is used as the user
priority.

----End

6.9.5 (Optional) Specifying a Group for a Domain

A domain can be specified to belong to a user group or a VPN instance. This allows the
domain to be flexibly associated with various services.

Context
A domain can belong to any of the following groups:

- User group
A user group is used to control the access rights of users and implement ACLs. Up to 255
user groups can be configured on the NE40E.
- VPN instance

Perform the following steps on the Router:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name

A domain is created and the domain view is displayed.

Step 4 Run the following command as required:
- To specify a user group for the domain, run user-group group-name
- To specify a VPN instance for the domain, run vpn-instance instance-name
- To specify an inbound VPN instance for the AAA domain, run vpn-instance vpn-
instance-name inbound

NOTE

This configuration applies to hub and spoke networking scenarios. The VPN instances configured
using the vpn-instance vpn-instance-name inbound and vpn-instance vpn-instance-name
commands cannot be the same.

----End

6.9.6 (Optional) Configuring Additional Functions for a Domain

A domain has additional functions such as time-based control, policy-based routing, traffic
statistics, and IP address usage alarms.

Context
A domain has the following additional functions:
- Time-based control
Time-based control means that a domain is automatically blocked in a specified period.
During this period, the users of this domain cannot access the NE40E and the online
users are disconnected. After the period, the domain is reactivated automatically, and the
domain users are allowed to log in again.
- Idle cut
When the traffic volume of a user stays below a threshold for a period, the NE40E
considers the user idle and disconnects the user. To perform the idle cut function,
set the idle time and the traffic threshold.
The idle cut function configured for a domain controls only the basic traffic of a user.
The multicast traffic and the VAS traffic that is not configured with the summary feature
are not included in the basic traffic. Therefore, the idle cut function does not apply to them.
- Mandatory PPP authentication
Generally, the authentication mode (PAP, CHAP, or MSCHAP) of a PPP user is
negotiated by the PPP client and the virtual template. After the mandatory authentication
mode of a PPP user is configured for a domain, the users in the domain are authenticated
in the configured mode.
- Policy-based routing
In packet forwarding, the NE40E determines the forwarding egress according to the
destination addresses of the packets. With the policy-based routing function, however,
the NE40E determines the forwarding egress according to the address specified in the
user domain.
- IP address usage alarm
After the alarm threshold for the usage (in percentage) of IP addresses is set in a domain,
the NE40E sends a trap to the network management system (NMS) when the usage of IP
addresses exceeds the threshold. If no alarm threshold is set, the NE40E does not send
any trap to the NMS, regardless of the usage of IP addresses.
- Traffic statistics
The traffic statistics function collects the total traffic of a domain and the upstream and
downstream traffic of users.
- Accounting packet copy
The accounting packet copy function allows the NE40E to send accounting information
to two RADIUS server groups at the same time and wait for their responses. If no
response is received, the NE40E retransmits accounting information after 5s. If the
NE40E fails to receive a response from a RADIUS server for three consecutive times,
the NE40E sends Accounting Stop packets to this RADIUS server and no longer sends
accounting packets to this RADIUS server.
You can perform this function when multiple copies of original accounting information
are required (for example, multiple ISPs cooperate in the networking). In this case,
accounting packet copies need to be sent to two RADIUS server groups at the same time,
and will be used as the original accounting information in future settlement.
- Re-authentication timeout
The re-authentication timeout is valid for Layer 3 pre-authentication users. If a Layer 3
pre-authentication user does not pass the authentication within the maximum
re-authentication time, the NE40E disconnects this user.
- Policy used for online users when the quota is used up
The NE40E uses a policy after the quota (traffic or session time) of an online user is used
up. The NE40E may forcibly log out the user, keep the user online, or redirect the user to
a specified portal.
- Host route tagging
The host route tagging function allows the NE40E to import route tags based on routing
policies and advertise different host routes to different networks by setting and
categorizing route tags for host routes of IPv4 users and network segment routes
generated based on the RADIUS-delivered Framed-Route attribute.

Perform the following steps on the Router:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name

The domain view is displayed.

Step 4 Run time-range domain-block { range-name | enable }

Time-based control is configured.

You can configure up to four time ranges, which have equal priority.

Step 5 Run idle-cut idle-time { idle-data | zero-rate } [ inbound | outbound ]

The idle cut function is configured.

The idle-cut command is used when some users cannot access the Internet due to an
exception but can access the Internet after being logged out once. The idle-cut function can
take effect on upstream traffic, downstream traffic, or both according to the parameter you
specify. If you do not specify the inbound parameter or the outbound parameter, the idle-cut
function takes effect on both upstream and downstream traffic.

Step 6 Run ppp-force-authtype { chap | mschap_v1 | mschap_v2 | pap }

Mandatory PPP authentication is configured.
Step 7 Run policy-route { next-hop-ip-address | next-hop-ipv6-address }
Policy-based routing is configured.
Step 8 Run ip-warning-threshold { upper-limit-value | lower-limit lower-limit-value }
The IP address usage alarm function is configured.
Step 9 Run flow-bill
The function of collecting the statistics about the total traffic is enabled.

Step 10 Run flow-statistic { down | up } *
The function of collecting the upstream or downstream traffic statistics of the domain users is
enabled.
Step 11 Run accounting-copy radius-server radius-name
The function of sending accounting packet copies is enabled.
Step 12 Run max-ipuser-reauthtime time-value
The re-authentication timeout is configured.
Step 13 Run quota-out { offline | online | redirect url url-string [ redirect-stop-accounting ] }
The policy used for online users when the quota is used up is configured.

NOTE

This command takes effect only when the user's quota is used up and the user is in the specified domain.
If the user domain is changed by a CoA packet sent from a policy server and the quota-out command is
not configured in the new domain, the user will be logged out if the quota is used up.

If the RADIUS protocol type is set to non-standard, a real-time accounting packet is sent to
the RADIUS server to apply for a new quota when the user's quota is used up. If the RADIUS
server responds with a zero quota, the user is redirected based on the configured quota-out
redirect url url-string [ redirect-stop-accounting ] command.
If you want a user to be redirected directly when its quota is used up, you must first set the
RADIUS protocol type to standard and then configure quota-out redirect url url-string
[ redirect-stop-accounting ].
Step 14 Run radius-no-response lease-time time
The extended lease in case of no response from the RADIUS server is set for DHCP users.
Step 15 Run redirect-domain effect-attribute { user-group | web-url | qos-profile | accounting-
scheme | ip-unr-tag }
The attributes that are allowed to take effect are specified for the domain delivered by CoA or
for the redirection domain that users are moved to after they use up their quota.
Step 16 Run ip unr tag route-type host-route framed-route
A route tag is set for host routes of IPv4 users and network segment routes generated based on
the RADIUS-delivered Framed-Route attribute.
Step 17 Run reallocate-ip-address
IP address reallocation is enabled in the domain.

The reallocate-ip-address command is used only for Web users.

----End

6.9.7 (Optional) Configuring the Traffic Direction to Which the Domain User Traffic Quota Applies
The user traffic quota can be configured to apply to upstream or downstream traffic in the
AAA domain view.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run user volume-quota apply { inbound | outbound }
The traffic direction to which the user traffic quota applies is specified.

----End

6.9.8 (Optional) Configuring Public and Private Network Users and Users Belonging to Different VPN Instances to Coexist in a Domain

Context
By default, a domain cannot have both public and private network users or have users
belonging to different VPN instances. After you configure a device to trust the VPN instance
bound to the BAS interface through which users go online or the VPN instance bound to the
address pool or address pool group that the RADIUS server uses to deliver IP addresses to
Layer 2 users, public and private network users or users belonging to different VPN instances
can coexist in a domain.

Procedure
Step 1 Configure public and private network users or users belonging to different VPN instances to
go online through the same BAS interface and coexist in the same domain.
1. Run system-view
The system view is displayed.
2. Run aaa
The AAA view is displayed.

3. Run domain domain-name
The domain view is displayed.
4. Run trust vpn-instance access-interface
The device is configured to trust the VPN instance bound to the BAS interface through
which Layer 2 users go online.
For VPN users, run the vpn-instance command on the BAS interface through which
VPN users go online to bind a VPN instance to the BAS interface. Note that the VPN
instance bound to the BAS interface must be the same as that bound to an IP address
pool.
This command applies only to Layer 2 common users and static users.

Step 2 Configure public and private network users or users belonging to different VPN instances to
go online through different BAS interfaces and coexist in the same domain.
1. Run system-view
The system view is displayed.
2. Run aaa
The AAA view is displayed.
3. Run domain domain-name
The domain view is displayed.
4. (Optional) Run trust vpn-instance framed-pool
The device is configured to trust the VPN instance bound to the IPv4 address pool or
IPv4 address pool group that the RADIUS server uses to deliver IPv4 addresses to Layer
2 users.
5. (Optional) Run trust vpn-instance framed-ipv6-pool
The device is configured to trust the VPN instance bound to the IPv6 address pool or
IPv6 address pool group that the RADIUS server uses to deliver IPv6 addresses to Layer
2 users.
This command applies only to Layer 2 common IPv6 users and static IPv6 users.

----End

6.9.9 (Optional) Configuring the Statistics Collection Method to Improve Accounting Accuracy

Context
One or two layers of VLAN tags are added to each user packet transmitted over a MAN. The
NE40E counts VLAN header length into packet length when collecting statistics about user
packet bytes. As a result, the number of bytes sent by a user terminal greatly deviates from the
number of bytes in the statistics collected by the NE40E. To improve accounting accuracy,
you can configure the NE40E to exclude VLAN header length from packet length when
collecting statistics about packet bytes of Layer 2 IPoE and PPPoE users.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run accounting exclude-type vlan access-user layer2 { ipoe | pppoe } *
The NE40E is configured to exclude VLAN header length from packet length when collecting
statistics about user packet bytes.
This configuration applies to both IPv4 and IPv6 packet statistics.
After this command is configured, the number of bytes sent by the user terminal deviates little
from the number of bytes in the statistics collected by the NE40E. If no packet is lost, the two
numbers are the same.

----End

6.9.10 (Optional) Configuring Users with the Same MAC Address for Relogin

Context
When an STB is quickly powered off and then restarted, the NE40E cannot detect the user
logout, and the user entry is still available. After the STB restarts, the user goes online again.
The STB obtains a new account from the NMS in which the online domain may have changed
and sends a Discover or Request message to the NE40E. Upon receipt of the Discover or
Request message, the NE40E does not check the Option 60 field because a user entry with the
same MAC address already exists. The NE40E responds with an ACK message. As a result,
the user always goes online from the initial domain and cannot access the network normally.
To resolve this problem, enable the NE40E to log out an online user when a Discover or
Request message from a user with the same MAC address as the online user is received.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.

Step 4 Run dhcp { discover | reboot-request } * user offline
The device is enabled to log out an online user when a Discover message from a client with
the same MAC address as the online user is received.

----End

6.9.11 (Optional) Configuring Load Balancing of Downstream Traffic on Eth-Trunk Interfaces

Context
Load balancing can be enabled for downstream traffic of a user on Eth-Trunk interfaces.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run trunk downstream load-balance enable
Load balancing of downstream traffic on Eth-Trunk interfaces is enabled.

----End

6.9.12 (Optional) Blocking a Domain


Users cannot access a blocked domain. When a domain is not to be used, you can block the
domain.

Context
Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run block
The status of the domain is set to the blocked state.

----End

6.9.13 Verifying the Domain Configuration


After configuring a domain, check the configurations.

Prerequisites
The domain has been configured.

Procedure
Step 1 Run the display domain [ domain-name ] command to check the configuration of the
domain.
Step 2 Run the display user-flow-statistics [ domain domain-name ] command in any view to check
user traffic statistics.
Step 3 Run the display ip-pool usage-status [ domain domain-name ] command to check
information about public IP address pool status in a specified domain.
Step 4 Run the display ip-pool pool-usage [ domain dname | pool-name [ pool-name ] ] command to
check information about the usage of the address pool of every domain.

----End

Example
Run the display domain command to view a summary of the configurations of all
domains.
<HUAWEI> display domain
------------------------------------------------------------------------------
Domain name State CAR Access-limit Online BODNum RptVSMNum
------------------------------------------------------------------------------
default0 Active 0 279552 0 0 0
default1 Active 0 279552 0 0 0
default_admin Active 0 279552 0 0 0
default Active 0 279552 0 0 0
isp1 Active 0 279552 0 0 0
------------------------------------------------------------------------------
Total 5,5 printed
<HUAWEI> display domain isp1
------------------------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : default1
Accounting-scheme-name : default1
Authorization-scheme-name : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-DNS-IPV6-address : -
Second-DNS-IPV6-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Time-range : Disable
Idle-cut direction : Both
Idle-data-attribute (time,flow) : 0, 60

User detect interval : 0s
User detect retransmit times : 0
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : default
User-access-limit : 1045504
Online-number : 0
Web-IP-address : -
Web-IPv6-address : -
Web-URL : -
Web-auth-server : -
Web-auth-state : -
Web-server-mode : get
Slave Web-IP-address : -
Slave Web-IPv6-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Web-server identical-url : Disable
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
Portal-server identical-url : Disable
Service-policy(Portal) : -
Ds-lite IPv4 portal : Disable
PPPoE-user-URL : Disable
AdminUser-priority : 16
IPUser-ReAuth-Time : 300s
mscg-name-portal-key : -
Subscription-id-key : abcdefg
Portal-user-first-url-key : -
User-session-limit : 4294967295
Ancp auto qos adapt : Disable
L2TP-group-name : -
User-lease-time-no-response : 0s
RADIUS-server-template : -
Two-acct-template : -
RADIUS-server-pre-template : -
-
-
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disable
Qos-profile-name inbound : -
Qos-profile-name outbound : -

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IP-warning-threshold(Low) : -
IPv6-warning-threshold : -
IPv6-warning-threshold(Low) : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
Multicast-policy : -
Multicast-bandwidth : -
Multicast-bandwidth-level-1 : -
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
IPv6-PPP-NDRA-halt : Disable

IPv6-PPP-NDRA-unicast : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : Enable
Redirect-domain user-group : Enable
Redirect-domain web-url : Enable
Redirect-domain qos-profile : Enable
Redirect-domain accouting-scheme: Enable
Redirect-domain ip-unr-tag : Enable
Reallocate-ip-address : Disable
Cui enable : Disable
Igmp enable : Enable
Pim snooping enable : Enable
L2tp-user radius-force : Disable
Accounting dual-stack : Separate
Radius server domain-annex : -
Dhcp-option64-service : Disable
Parse-separator : -
Parse-segment-value : -
Dhcp-receive-server-packet : -
Http-hostcar : Disable
Public-address assign-first : Disable
Public-address nat : Enable
Dhcp-user auto-save : Disable
IP-pool usage-status threshold : 255 , 255
Select-Pool-Rule : gateway + local priority
AFTR name : -
Traffic-rate-mode : Separate
Traffic-statistic-mode : Separate
Rate-limit-mode-inbound : Car
Rate-limit-mode-outbound : Car
Service-change-mode : Stop-start
DAA Direction : both
Session Volumequota apply direction: both
Soap-server group : -
Nas logic-sysname : -
Multicast-flow separate(L2tp) : No
Accounting exclude-type vlan : -/-
Framed-ip urpf : Enable
Local backup : Enable
EDSG stop accounting merge : disable
EDSG interim accounting merge : disable
EDSG merged interim accounting interval(minute): --
EDSG merged interim accounting hash : disable
Stop dropped flow direction : -
Interval dropped flow direction : -
Edsg family-schedule inbound : Disable
Edsg family-schedule outbound : Disable
Portal redirect-time : 50s
Web apmac mode : Aes128 cbc
Web usermac mode : Aes128 cbc
Portal usermac mode : Aes128 cbc
Layer2 IPoE ip-pool select-mode : Remote
Layer2 PPPoE ip-pool select-mode: Local
Redirect Diffserv Domain : ss1
RA link-prefix : Enable
Ipv6 address assign mode : Circuit-id
access-trigger loose time(minute) :0
access-trigger loose infinite-lease :Enable
IP unr tag :1234
IPoE user ipv6-pd address release policy : Separate
Map priority : MAP-E
Coa-zero-lease Dual-cut : Disable
------------------------------------------------------------------------------

Run the display user-flow-statistics command to view upstream and downstream traffic
statistics of users.
<HUAWEI> display user-flow-statistics
Total Flow Statistics
-------------------------------------------------
IPv4 flow statistics :
Up packets number(high,low) : (0,0)
Up bytes number(high,low) : (0,0)
Down packets number(high,low) : (0,0)
Down bytes number(high,low) : (0,0)
IPv6 flow statistics :
Up packets number(high,low) : (0,0)
Up bytes number(high,low) : (0,0)
Down packets number(high,low) : (0,0)
Down bytes number(high,low) : (0,0)
-------------------------------------------------

Run the display ip-pool usage-status command to view information about public IP address
pool status in all domains.
<HUAWEI> display ip-pool usage-status
-----------------------------------------------------------------------------
Domain name Used Total Ratio(%) Low(%) High(%) Status
isp1 0 2 0 2 100 0
-----------------------------------------------------------------------------
TOTAL: 1

Run the display ip-pool pool-usage command to view address pool usage in all domains.
<HUAWEI> display ip-pool pool-usage
-------------------------------------
Domain name PoolLen Used Ratio
-------------------------------------------
default0 254 0 0%
default1 0 0 0%
default_admin 0 0 0%
wq 0 0 0%
chen 254 0 0%
isp7 65788 0 0%
gaoli 0 0 0%
ly 254 0 0%
test 0 0 0%
lsh 9 1 11%
------------------------------------------

6.10 Configuring and Managing Users


The BRAS manages users either through the domain to which they belong or through their user accounts.

6.10.1 Creating a Static User


A user that requires a fixed IP address can be configured as a static user.

Prerequisites
BAS needs to be configured on the interfaces for static users.

Context

l The IPv4 address allocated to a static user is one of the addresses in the configured address
pool. If the address pool is a local address pool, run the excluded-ip-address command to
prevent the addresses from being allocated to other users.
l If an IPv6 address or IPv6 delegation prefix needs to be allocated from a local address
pool to a static user, configure a local address pool first. If an IPv6 address or IPv6
delegation prefix needs to be allocated from a remote address pool, the remote address
pool does not need to be configured first.

Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run static-user interface-list list-name
An access interface list is configured for static users.
Step 3 (Optional) Run interface
An access interface for static users is bound to the access interface list.
Step 4 (Optional) Run quit
Return to the system view.
Step 5 Run either of the following commands:
l (Optional) To create a static user and allow the user to go online through a specified
interface, run the static-user [ description ] { start-ip-address [ end-ip-address ]
[ gateway ip-address ] | start-ipv6-address [ end-ipv6-address ] [ delegation-prefix
start-ipv6-prefix [ end-ipv6-prefix ] prefix-length ] ipv6-gateway ipv6-gateway-address }
* [ vpn-instance instance-name ] [ domain-name domain-name | interface { interface-name |
interface-type interface-number } [ vlan vlan-id [ qinq qinq-vlan ] | mac-address
mac-address | detect | export | keep-online ] * command.
l (Optional) To create a static user and allow the user to go online through interfaces of a
specified interface list, run the static-user [ description ] start-ip-address
[ end-ip-address ] [ gateway ip-address ] [ vpn-instance instance-name ] [ domain-name
domain-name | interface-list list-name | mac-address mac-address | export | keep-online ] *
command.
When creating a static user, you can specify the IP address (including the VPN instance to
which the IP address belongs), the interface through which the user is connected to the NE40E,
the domain, and the MAC address.
If detect is configured, the NE40E actively detects the static user to bring the user
online. If detect is not configured, the user can go online only after sending ARP/IPv4
packets. IPv6 users must actively send NS/NA/IPv6 packets to go online with the IPv6
address or delegation prefix.

The arp-trigger or ip-trigger command must be configured on the BAS interface through
which the IPv4 static user goes online.
When configuring an IPv6 address for a static user, run the ipv6-trigger or nd-trigger
command on the interface that the user accesses to trigger the user to get online with the
configured IPv6 address or IPv6 delegation prefix.

NOTE

l IPv4 single-stack static users can go online through multiple interfaces bound to an interface list, but
the NE40E cannot initiate ARP or IP packets for the static users for login. When you configure IPv4
single-stack static users to go online through interfaces bound to an interface list using the
static-user command, the detect and vlan keywords are removed from the command.
l IPv6 static users cannot go online through interfaces bound to an interface list.

Step 6 (Optional) Run static-user detect interval interval-value
The interval at which the Router detects whether static users are online is configured.
Step 7 Run layer3-subscriber { start-ip-address [ end-ip-address ] | start-ipv6-address
[ end-ipv6-address ] | delegation-prefix start-ipv6-prefix [ end-ipv6-prefix ] prefix-length } *
[ vpn-instance instance-name ] domain-name domain-name
The IP address segment and authentication domain for Layer 3 users are configured.
The IP address segment and authentication domain for Layer 3 users are configured.
The device can have only a limited number of IP address segments configured. If the IPv4
addresses of user access packets do not belong to any configured IP address segment, the
packets are discarded and the users cannot go online. In scenarios where there are a large
number of IP address segments on the network, running the layer3-subscriber ip-address
any domain-name domain-name command is recommended so that users whose IP addresses do
not belong to any configured IP address segment can go online through the configured domain.

----End

6.10.2 Configuring User Account Parsing


The sequence of a domain name and a user name can be flexibly configured to meet different
requirements.

Context
Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain-name-delimiter delimiter
The domain name delimiter is configured.
Step 4 Run domain-location { after-delimiter | before-delimiter }
The location of the domain name is configured.

Step 5 Run domainname-parse-direction { left-to-right | right-to-left }
The parsing direction of the domain name is configured.
Step 6 (Optional) Run realm-name-delimiter delimiter
The realm name delimiter is configured.
Step 7 (Optional) Run realm-location { after-delimiter | before-delimiter }
The location of the realm name is configured.
Step 8 (Optional) Run realmname-parse-direction { left-to-right | right-to-left }
The parsing direction of the realm name is configured.
Step 9 Run parse-priority { domain-first | realm-first }
The parsing priority is configured.
If the parsing priority is set to domain-first, the realm domain name is excluded from the user
account.

----End
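The delimiter, location, direction and priority settings above determine how the BRAS splits a login string into a user name, a domain name and an optional realm name. The following Python model is an added example, not Huawei code: ParseRule, split_component, parse_account and the sample accounts are constructed for this illustration, and treating parse-priority as the order in which the two components are cut off the string is an assumption of the example.

```python
"""Model of the user-account parsing rules configured in this section.

Added example, not Huawei code: the class and function names and the sample
login strings are constructed here.  It shows how domain-name-delimiter,
domain-location and domainname-parse-direction (and their realm-* counterparts)
decide how a login string such as "alice@isp1" is split into user name, domain
name and realm name.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ParseRule:
    """Settings for one name component (the domain or the realm)."""
    delimiter: str                      # *-name-delimiter
    location: str = "after-delimiter"   # *-location: after-delimiter | before-delimiter
    direction: str = "left-to-right"    # *name-parse-direction: left-to-right | right-to-left


def split_component(account: str, rule: ParseRule) -> Tuple[str, Optional[str]]:
    """Cut one component off the account string.

    Returns (rest, component); component is None when the delimiter is absent,
    so a bare "alice" stays a bare user name.  The parse direction selects which
    occurrence of the delimiter is used when it appears more than once; the
    location says which side of that delimiter is the component.
    """
    if rule.direction == "left-to-right":
        idx = account.find(rule.delimiter)
    elif rule.direction == "right-to-left":
        idx = account.rfind(rule.delimiter)
    else:
        raise ValueError(f"unknown parse direction: {rule.direction!r}")
    if idx < 0:
        return account, None
    before = account[:idx]
    after = account[idx + len(rule.delimiter):]
    if rule.location == "after-delimiter":
        return before, after
    if rule.location == "before-delimiter":
        return after, before
    raise ValueError(f"unknown location: {rule.location!r}")


def parse_account(account: str, domain_rule: ParseRule,
                  realm_rule: Optional[ParseRule] = None,
                  parse_priority: str = "domain-first"
                  ) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (user_name, domain_name, realm_name).

    parse-priority is modelled as the order in which the components are cut
    off: domain-first removes the domain and then looks for the realm in what
    is left; realm-first does the reverse.  This ordering is an assumption of
    the example, not a statement about the device.
    """
    if parse_priority not in ("domain-first", "realm-first"):
        raise ValueError(f"unknown parse priority: {parse_priority!r}")
    domain = realm = None
    rest = account
    if parse_priority == "domain-first" or realm_rule is None:
        rest, domain = split_component(rest, domain_rule)
        if realm_rule is not None:
            rest, realm = split_component(rest, realm_rule)
    else:
        rest, realm = split_component(rest, realm_rule)
        rest, domain = split_component(rest, domain_rule)
    return rest, domain, realm


if __name__ == "__main__":
    # Constructed sample accounts; the same string parses differently depending
    # on the configured direction, which is why these settings must match the
    # user-name convention the RADIUS server expects.
    at_rule = ParseRule("@")
    for login in ("alice@isp1", "alice@mail.example@isp1", "alice"):
        print(login, "->", parse_account(login, at_rule),
              parse_account(login, ParseRule("@", direction="right-to-left")))
```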

6.10.3 Configuring the User Name Format and Password


The NE40E supports the configuration of the user name format and password. No user name
or password needs to be entered for users that attempt to get online through binding.

Context
Perform the following steps on the Router:

NOTE

l The new password must be at least eight characters long and contain at least two of the following
character types: upper-case letters, lower-case letters, digits, and special characters.
l When configuring an authentication password, select the ciphertext mode. If you select simple text
mode, the password is saved in plain text in the configuration file, which poses a high risk. To ensure
device security, change the password periodically.

Procedure
l Configuring the generation mode of the user name of an IPoX user and the password of
an IPoX user.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run default-user-name [ template template-name ] include { sysname [ separator ] |
gateway-address separator [ separator ] | ip-address separator [ separator ] | mac-address
{ separator | noseparator } [ separator ] | { option82 [ separator | { sub-option
sub-option-code [ offset offset ] parse-mode { auto-identify [ offset ] | string [ length ] |
binary length | hex [ length ] { class1 | class2 | class3 } } [ separator ] } &<1-4> ] |
access-line-id [ separator | { circuit-id [ offset offset ] parse-mode { auto-identify
[ offset ] | string [ length ] | binary length | hex [ length ] { class1 | class2 | class3 } }
[ separator ] | remote-id [ offset offset ] parse-mode { auto-identify [ offset ] | string
[ length ] | binary length | hex [ length ] { class1 | class2 | class3 } } [ separator ] } * ] } |
{ option60 | vendor-class } [ cn | [ offset offset ] { length length | sub-option
sub-option-code [ sub-offset sub-offset ] [ sub-length sub-length ] } ] [ separator ] |
{ option61 | client-id } [ separator ] | option12 [ separator ] | pevlan [ separator ] |
cevlan [ separator ] | slot [ separator ] | port [ separator ] | subslot [ separator ] } *
The Router is configured to generate the IPoX user name according to information
carried in the user access request packet.
Or run vlanpvc-to-username { standard | turkey | version10 | version20 }
Or run vlanpvc-to-username standard trust { pevlan | cevlan } [ ignore-rid ]
Or run vlanpvc-to-username standard ignore-rid
The Router is configured to generate the IPoX user name by using the original
format.
d. (Optional) Run domain domain-name
The AAA domain view is displayed.
e. (Optional) Run radius-server domain-annex { left | right } annex-string
A string added to the left or right of the domain name in the user name carried in an
authentication request packet or in an accounting request packet sent from a BRAS
to a RADIUS server is configured.
f. (Optional) Run quit
Return to the AAA view.
g. Run default-password [ template template-name ] { cipher cipher-password |
simple simple-password | { option60 | vendor-class } [ cn | [ offset offset ] { length
length | sub-option sub-option-code [ sub-offset sub-offset ] [ sub-length sub-length ] } ]
[ md5-encryt ] [ support hex ] | { option77 | user-class } }
The password or password template of the IPoX user is configured.
The differences between the cipher and simple keywords are as follows:
If cipher is specified, you can enter an encrypted password. If simple is specified,
you can enter only the original (non-encrypted) password. The cipher keyword
supports longer passwords because encrypted passwords are longer than non-
encrypted ones.

NOTE

For the sake of device security, do not use the default password. Please change the password.
h. Run commit
The configuration is committed.
----End

6.10.4 Configuring the Limit on the Number of Access Users


Limiting the number of access users can prevent unauthorized users from accessing the
network.

Context
Perform the following steps on the Router:

Procedure
l Restricting the number of access users in a single VLAN
By default, no more than 3k (3000) users in a single VLAN are allowed to go online. If
more than 3k access users exist in a single VLAN, run the vlan-host-car command to
limit the rate at which user packets with the same VLAN ID are sent to the CPU.

NOTE

The Router supports CAR rate limiting to defend against user attacks. Some CAR functions are
enabled on the Router by default, with default CAR parameter values. For detailed configuration
procedures, see Configuring CAR for CPU-destined User Packets. By default, the Router sets the
CIR to 256 kbit/s, PIR to 256 kbit/s, CBS to 128000 bytes, and PBS to 128000 bytes for user
packets with the same VLAN ID to be sent to the CPU. Therefore, no more than 3k (3072) users in
a single VLAN are allowed to go online.
l Restricting the access of PPP users
a. Run system-view
The system view is displayed.
b. Run ppp-user-slot-warning-threshold threshold-value
The alarm threshold for PPP users allowed to access an interface board is
configured. If the percentage of PPP users currently accessing the interface board
exceeds the threshold, an alarm is generated.
c. Run ppp-user-warning-threshold threshold-value
The alarm threshold for PPP users allowed to access the entire NE40E is
configured. If the percentage of PPP users currently accessing the entire NE40E
exceeds the threshold, an alarm is generated.
d. Run ppp connection chasten [ option105 ] request-sessions request-period
blocking-period [ padi-discard ] [ quickoffline ] or ppp connection chasten
request-sessions request-period blocking-period [ padi-discard ] [ quickoffline ]
[ multi-sessions-permac ]
The number of PPP access attempts is limited.
Restricting the number of access attempts can prevent unauthorized users from
using a brute force attack to crack the password of the authorized user. If a user fails
to pass the authentication for N times during the specified period, the user account
is frozen for a period of time, thwarting unauthorized users' efforts in cracking the
password of the authorized user.
In a scenario in which a large number of users go offline immediately after they go
online, the CPU may be overloaded and the RADIUS server may even go down. To
prevent this problem, configure the quickoffline parameter to restrict the number
of times a PPP user goes offline within a specified period. If the PPP user
immediately goes offline after going online request-sessions times within a
request-period, the user account is frozen for blocking-period seconds.
In the system view, this command takes effect on all users that access the NE40E.
In the VLAN view, the command takes effect only on VLAN users that access the
interface where the VLAN resides. If this command is configured in both the
system and VLAN views, the command that first meets the restriction condition
takes effect.

If the maximum number of access users for a MAC address is set to more than 1
using the pppoe-server max-sessions remote-mac command and option105 is not
specified in the ppp connection chasten command, MAC address-based restriction on
the number of connection requests from a PPP user does not take effect. To enable
this function, specify the multi-sessions-permac parameter. If option105 is
specified in the ppp connection chasten command, option105-based restriction on
the number of connection requests from a PPP user takes effect.
e. Run pppoe-server slot-number max-sessions session-number
The maximum number of users that are allowed to access from the interface board
is configured.
f. Run pppoe-server max-sessions remote-mac session-number
The maximum number of users that are allowed to access from a MAC address is
configured.

NOTE

After the maximum number of access users is set to more than 1 using the pppoe-server
max-sessions remote-mac command and option105 is not specified in the ppp connection chasten
command, restriction on the number of connection requests from a PPP user does not take effect.
If option105 is specified in the ppp connection chasten command, restriction on the number of
connection requests from a PPP user takes effect.
g. Run pppoe-server same-user forbid
The function to deny a user's login request if another user with the same MAC
address has gone online from the same physical location is enabled when each
MAC address maps to a unique session.
h. Run aaa
The AAA view is displayed.
i. Run ppp username check
The device is configured to check whether a login request from a PPP user
contains a user name and to deny the request if it does not.
j. Run commit
The configuration is committed.
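The ppp connection chasten step above describes a sliding-window lockout: request-sessions events inside one request-period freeze the account for blocking-period seconds, either for failed logins or, with quickoffline, for sessions that drop immediately after coming up. The following Python model is an added example, not Huawei code: ChastenPolicy, Chastener and the two simulate_* helpers are constructed names, the MAC addresses and timestamps are made up, and the 5-second "quick offline" threshold is an assumption of the example.

```python
"""Model of the lockout behaviour described for
ppp connection chasten request-sessions request-period blocking-period [ quickoffline ].

Added example, not Huawei code: class and function names, MAC addresses and
timestamps are constructed.  Users are keyed by MAC address here; the page
notes that option105 can be the key instead, which only changes what string is
passed as `key`.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class ChastenPolicy:
    request_sessions: int   # request-sessions: events tolerated per request_period
    request_period: float   # request-period, in seconds
    blocking_period: float  # blocking-period, in seconds


@dataclass
class Chastener:
    """Sliding-window counter that freezes a key once the limit is reached."""
    policy: ChastenPolicy
    _events: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: Dict[str, float] = field(default_factory=dict)

    def is_blocked(self, key: str, now: float) -> bool:
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # The freeze has expired: forget it and start counting afresh.
            del self._blocked_until[key]
            self._events.pop(key, None)
            return False
        return True

    def record(self, key: str, now: float) -> bool:
        """Count one chastened event (a failed login, or a quick offline).

        Returns True if the key is frozen after this event has been counted.
        """
        if self.is_blocked(key, now):
            return True
        window = self._events[key]
        window.append(now)
        # Drop events that have fallen out of the request-period window.
        while window and now - window[0] > self.policy.request_period:
            window.popleft()
        if len(window) >= self.policy.request_sessions:
            self._blocked_until[key] = now + self.policy.blocking_period
            window.clear()
            return True
        return False


def simulate_auth_failures(policy: ChastenPolicy,
                           attempts: List[Tuple[float, str, bool]]) -> List[str]:
    """Replay (timestamp, mac, authenticated) login attempts.

    Each attempt yields "accepted", "rejected" (bad credentials, counted against
    the window) or "frozen" (the account is blocked, so the request is dropped).
    """
    chastener = Chastener(policy)
    outcomes = []
    for ts, mac, authenticated in attempts:
        if chastener.is_blocked(mac, ts):
            outcomes.append("frozen")
        elif authenticated:
            outcomes.append("accepted")
        else:
            chastener.record(mac, ts)
            outcomes.append("rejected")
    return outcomes


def simulate_quick_offline(policy: ChastenPolicy,
                           sessions: List[Tuple[float, float, str]],
                           quick_seconds: float = 5.0) -> List[bool]:
    """Replay (online_ts, offline_ts, mac) sessions with the quickoffline option.

    A session that ends within quick_seconds of going online counts as an event
    (the threshold is an assumption of this example).  Returns, per session in
    offline order, whether the MAC is frozen once that session is processed.
    """
    chastener = Chastener(policy)
    frozen = []
    for online_ts, offline_ts, mac in sorted(sessions, key=lambda s: s[1]):
        if offline_ts - online_ts <= quick_seconds:
            chastener.record(mac, offline_ts)
        frozen.append(chastener.is_blocked(mac, offline_ts))
    return frozen
```

Spreading the three failures more than request-period apart never trips the limit, which is why the window length and the count have to be tuned together.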


l Restricting the number of IP addresses for PPP users
To balance the traffic load of users among different boards and interfaces, configure the
maximum number of IP addresses for PPP users allowed to log in from a specified board
or BAS interface. When the number of PPP users reaches the maximum, the board or
interface stops responding to PPP users with PADO packets, and no additional users can
log in.
The configuration applies only to PPPoE and L2TP users. A single-stack user is counted
as one user, and a dual-stack user is counted as two users. When the number of logged-in
PPP users reaches the maximum value configured on a BAS interface or board, the
interface or board stops responding to new PPP users with PADO packets.

If the number of PPP users logging in from a BAS interface reaches the maximum
number of IP addresses for PPP users configured on a board, the BAS interface stops
responding to new PPP users with PADO packets. However, BAS interfaces
configured with exclude have no such limitation.
a. Run system-view
The system view is displayed.
b. Run slot slot-id
The slot view is displayed.
c. Run access-ip-limit max-number user-type ppp
The number of IP addresses for PPP users is configured on a board.
d. Run quit
The system view is displayed.
e. Run interface interface-type interface-number
The interface view is displayed.
f. Run bas
The BAS interface view is displayed.
g. Run access-type layer2-subscriber [ bas-interface-name name | default-domain
{ pre-authentication domain-name | authentication [ force | replace ] domain-
name } * | accounting-copyradius-server radius-name ] *
The access type is set to Layer 2 subscriber access and the attributes of this access
type are configured.
h. Run access-ip-limit max-number user-type ppp [ exclude ]
The number of IP addresses for PPP users is configured on a BAS interface.
i. Run commit
The configuration is committed.
l Restricting the number of users' access packets
If the device is attacked by a large number of ARP/IP/IPv6/ND packets, or unauthorized
users repeatedly send ARP/IP/IPv6/ND packets to go online, the CPU usage of the MPU
becomes high. To limit the number of ARP/IP/IPv6/ND packets that can be sent to the
MPU, run the access trigger packet-limit command so that the device discards packets
that exceed the configured limit.
a. Run system-view
The system view is displayed.
b. Run slot slot-id
The slot view is displayed.
c. Run access trigger packet-limit packets-num time seconds
The number of ARP/IP/IPv6/ND packets that can be sent to the MPU is configured
on a board.
d. Run quit
The system view is displayed.

e. Run commit

The configuration is committed.


l Restricting the access of DHCP users
a. Run system-view

The system view is displayed.


b. Run dhcp-user-slot-warning-threshold threshold-value

The alarm threshold for DHCP users allowed to access an interface board is
configured. If the percentage of DHCP users currently accessing the interface board
exceeds the threshold, an alarm is generated.
c. Run dhcp-user-warning-threshold threshold-value

The alarm threshold for DHCP users allowed to access the entire NE40E is
configured. If the percentage of DHCP users currently accessing the entire NE40E
exceeds the threshold, an alarm is generated.
d. Run dhcp connection chasten { authen-packets authen-packets | request-packets
request-packets } * check-period check-period restrain-period restrain-period
[ slot slotid ]

The number of DHCP access attempts is limited.

n Run display dhcp chasten-user slot slotid [ mac-address mac-address ]
[ state { restrain | check } ]
You can view information about users whose attempts to set up DHCP
connections are limited.
e. Run commit

The configuration is committed.


l Restricting the access of users allowed to access an interface board
a. Run system-view

The system view is displayed.


b. Run slot-warning-threshold threshold-value

The alarm threshold for users allowed to access an interface board is configured. If
the percentage of users currently accessing the interface board exceeds the
threshold, an alarm is generated on the Router.
l Restricting the access response delay
a. Run system-view

The system view is displayed.


b. Run aaa

The AAA view is displayed.


c. Run access-delay step step-value minimum minimum-time maximum maximum-
time [ slot slot-id ]

The access response delay function is enabled, and the maximum and minimum
access response delays are set.

NOTE

If the access response delay function is configured globally and on a BAS interface, the
configuration on the interface rather than the global configuration takes effect.

The access response delay depends on the number of access users, and the
configured parameters including the step, maximum access response delay, and
minimum access response delay.
n Divide the number of access users by the step, take the integer part of the
result, and add it to the minimum access response delay. If this sum is smaller
than or equal to the maximum access response delay, the access response delay
for the users is this sum multiplied by 10 ms.
n If this sum is greater than the maximum access response delay, the access
response delay for the users is the maximum access response delay multiplied
by 10 ms.
Assume that the step is 3000, the maximum access response delay is 7, and the
minimum access response delay is 3. Then, the delay for access users numbered 0
to 2999 is 3 x 10 ms; the delay for access users numbered 3000 to 5999 is 4 x 10
ms; the delay for access users numbered 6000 to 8999 is 5 x 10 ms; the delay for
access users numbered 9000 to 11999 is 6 x 10 ms; and the delay for access users
numbered 12000 to 14999, and for all users after 14999, is 7 x 10 ms.
d. Run quit
The system view is displayed.
e. (Optional) Run access delay load-balance group group-name [ delay-time ]
A load balancing group for BAS interfaces is configured.
If two devices with the same configuration are deployed in master/backup mode,
users can go online from either device. If load balancing groups are configured on
both the master and backup devices, run the access delay load-balance group
group-name delay-time command to configure a response delay policy for the load
balancing group on the backup device. In this way, even if an interface on the
backup device is selected in a Hash operation, the interface does not respond to
user login requests until the time specified by delay-time elapses. This ensures
that users go online preferentially through an interface on the master device, and
go online through an interface on the backup device only when the master device
is faulty.
f. Run interface interface-type interface-number
The interface view is displayed.
g. Run bas
A BAS interface is created, and the BAS interface view is displayed.
h. (Optional) Run access-delay delay-time load-balance-group group-name
The BAS interface is added to the load balancing group. After the configurations
are complete, BAS interfaces in the load balancing group either immediately
respond to or delay responding to the received login requests for a configured
period of time in accordance with MAC-address-based Hash results to implement
inter-board load balancing.

If no response delay time is configured for the load balancing group:


n If the interface through which users go online is selected in a Hash operation,
the interface immediately responds to the received login requests.
n If the interface through which users go online is not selected in a Hash
operation, the interface responds to the received login requests after the delay
time configured for the BAS interface elapses.
If a response delay time is configured for the load balancing group:
n If the interface through which users go online is selected in a Hash operation,
the interface responds to the received login requests after the delay time
configured for the load balancing group elapses.
n If the interface through which users go online is not selected in a Hash
operation, the interface responds to the received login requests after the delay
time configured for the load balancing group plus the delay time configured
for the BAS interface elapses.
i. (Optional) Run access-delay delay-time [ circuit-id-include text-value | even-mac |
odd-mac ]
A response delay policy is configured for access users on the BAS interface.
If circuit-id-include is specified, you must run the client-option82 command in the
BAS interface view to configure the device to trust the DHCP Option 82 field (for a
DHCP user) or the PPPoE+ field (for a PPP user) for the response delay to take
effect.
l Restricting the user packets of a specific type
a. Run system-view
The system view is displayed.
b. Run access packet strict-check { all | { nd | dhcpv6 | dhcp | ppp | l2tp | dot1x }
* }
The user packets of a specific type are strictly checked by the Router.
l Configure a device to dynamically adjust the number of access users based on the system
status.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run access-speed adjustment system-state enable [ strict-check ]
The device is configured to adjust the user access rate based on the system status.
d. Run access-speed adjustment system-state threshold { main-cpu-usage | main-
memory-usage | access-usage | slot-cpu-usage | slot-memory-usage | ppp-cpcar-
drop | ppp-receive-queue | pppoe-receive-queue | l2tp-queue | dhcp-slot-queue }
alarm threshold-value resume threshold-value
The system status thresholds for decreasing and restoring the user access rate are
configured.
e. Run access-speed adjustment system-state user-type { { dhcp | pppoe | ipv4-
trigger | ipv6-trigger | dot1x } * | none }

The type of users for whom the device adjusts the user access rate based on the
system status is configured.
f. Run access-speed adjustment system-state time interval adjust-interval delay-
count adjust-delay-count [ slot ]
An interval at which the system status is detected for adjusting the user access rate
and the minimum number of detection intervals after which the user access rate is
increased are configured.
g. Run commit
The configuration is committed.
l Configure the device to preferentially allocate CPU resources to users who request to go
online.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run access-speed adjustment edsg-queue enable
The device is enabled to preferentially allocate CPU resources to users who request
to go online and temporarily delay the activation of EDSG services that enter the
activation queue.
l Configure the alarm and clear alarm function for the user resource and CPU usage.
a. Run system-view
The system view is displayed.
b. Run access-user exhaust warning enable
The system is enabled to generate an alarm when the user resource or CPU usage
reaches the alarm threshold or generate a clear alarm when the user resource or
CPU usage falls below the clear alarm threshold.
c. Run access-user exhaust threshold-alarm { main-resource-usage | slot-resource-
usage | main-cpu-usage | slot-cpu-usage } upper-limit upper-limit lower-limit
lower-limit
The alarm and clear alarm thresholds for the user resource or CPU usage are
configured.
d. Run commit
The configuration is committed.
----End
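The dhcp connection chasten step above limits how many DHCP access attempts a client may make within a check period and shows restrained clients with display dhcp chasten-user. The following added example (not Huawei code, and not a description of the NE40E implementation) models that mechanism in Python so the two states, check and restrain, can be traced on constructed traffic. The exact semantics modelled here (count a client's requests over a check period; once the count exceeds the limit, discard that client's requests for the restrain period; then return the client to the check state) are this example's assumption; the MAC addresses and timings are constructed.

```python
"""Per-client access-attempt throttling modelled on the check-period /
restrain-period parameters of dhcp connection chasten.

Added example, not Huawei code. The behaviour modelled (count a client's
requests over a check period; once the count exceeds the configured limit,
discard that client's requests for the restrain period; the client then
returns to the check state) is this example's assumption of the semantics.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List


class ConnectionChasten:
    def __init__(self, max_packets: int, check_period: int, restrain_period: int):
        self.max_packets = max_packets          # e.g. the request-packets value
        self.check_period = check_period        # seconds
        self.restrain_period = restrain_period  # seconds
        self._window: Dict[str, Deque[float]] = defaultdict(deque)  # mac -> request times
        self._restrained_until: Dict[str, float] = {}               # mac -> end of restrain

    def state(self, mac: str, now: float) -> str:
        """'restrain' while the client's restrain period is running, otherwise
        'check' (the two states that display dhcp chasten-user can filter on)."""
        until = self._restrained_until.get(mac)
        return "restrain" if until is not None and now < until else "check"

    def admit(self, mac: str, now: float) -> bool:
        """Return True if a request from `mac` at time `now` is processed,
        False if it is discarded."""
        if self.state(mac, now) == "restrain":
            return False
        window = self._window[mac]
        # Drop requests that have aged out of the check period.
        while window and now - window[0] >= self.check_period:
            window.popleft()
        window.append(now)
        if len(window) > self.max_packets:
            # Limit exceeded within one check period: restrain the client.
            self._restrained_until[mac] = now + self.restrain_period
            window.clear()
            return False
        return True

    def restrained(self, now: float) -> List[str]:
        """Clients currently in the restrain state."""
        return sorted(m for m, t in self._restrained_until.items() if now < t)


def run_constructed_scenario() -> dict:
    """Constructed traffic: client A retries every second, client B sends once.
    Limit: 3 requests per 10 s check period, then a 30 s restrain period."""
    chasten = ConnectionChasten(max_packets=3, check_period=10, restrain_period=30)
    a, b = "00e0-fc00-0001", "00e0-fc00-0002"          # constructed MACs
    decisions = [chasten.admit(a, t) for t in range(0, 6)]   # A at t = 0..5
    decisions.append(chasten.admit(b, 5.0))                  # B once at t = 5
    restrained_at_5 = chasten.restrained(5.0)
    state_at_40 = chasten.state(a, 40.0)                     # restrain ended at t = 33
    decisions.append(chasten.admit(a, 40.0))
    return {"decisions": decisions, "restrained_at_5": restrained_at_5,
            "state_at_40": state_at_40}


if __name__ == "__main__":
    print(run_constructed_scenario())
```

In the scenario, client A's fourth request within the check period trips the limit, its fifth and sixth requests are discarded while it is restrained, and it is admitted again once the restrain period has elapsed; client B is unaffected, which is the point of chastening per client rather than globally.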
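The "Restricting the access response delay" step above states the delay rule in words (integer part of users divided by step, added to the minimum, capped at the maximum, times 10 ms) and then lists the four cases for a BAS interface in a load balancing group. The following added example (not Huawei code) carries both rules through in Python with the guide's own figures (step 3000, minimum 3, maximum 7) so the band boundaries can be checked. The page does not state the unit of the load-balancing delay-time parameters, so treating them as milliseconds in load_balance_delay_ms is an assumption.

```python
"""Model of the access response delay rules described in this section.

Added example, not code from the Huawei guide or the NE40E. It follows the two
rules stated in the text:
  units = minimum + floor(online_users / step), capped at maximum
  delay = units * 10 ms
and the four load-balancing-group cases for BAS interfaces in a group.
"""
from typing import List, Optional, Tuple


def access_delay_ms(online_users: int, step: int, minimum: int, maximum: int) -> int:
    """Response delay (ms) applied to a new login request when `online_users`
    users are already online: integer-divide by step, add to minimum, cap at
    maximum, multiply by 10 ms."""
    if step <= 0:
        raise ValueError("step must be a positive number of users")
    if minimum > maximum:
        raise ValueError("minimum delay must not exceed maximum delay")
    units = minimum + online_users // step
    if units > maximum:
        units = maximum
    return units * 10


def delay_bands(step: int, minimum: int, maximum: int) -> List[Tuple[int, Optional[int], int]]:
    """Enumerate the user-count bands and their delays, as in the worked
    example in the text. Each entry is (first_user, last_user, delay_ms);
    last_user is None for the open-ended top band where the cap applies."""
    bands = []
    units = minimum
    start = 0
    while units < maximum:
        bands.append((start, start + step - 1, units * 10))
        start += step
        units += 1
    bands.append((start, None, maximum * 10))   # everything above is capped
    return bands


def load_balance_delay_ms(selected_by_hash: bool, bas_delay: int,
                          group_delay: Optional[int] = None) -> int:
    """Delay before a BAS interface in a load balancing group answers a login
    request, per the four cases in the text. `selected_by_hash` says whether
    the MAC-address hash picked this interface. The page does not state the
    unit of the delay-time parameters; milliseconds is an assumption here."""
    if group_delay is None:
        # No group delay configured: the selected interface answers at once,
        # the others wait the BAS interface delay.
        return 0 if selected_by_hash else bas_delay
    # Group delay configured: the selected interface waits the group delay,
    # the others wait the group delay plus the BAS interface delay.
    return group_delay if selected_by_hash else group_delay + bas_delay


if __name__ == "__main__":
    # The guide's own figures: step 3000, maximum 7, minimum 3.
    for first, last, ms in delay_bands(3000, 3, 7):
        print(f"users {first}..{last if last is not None else 'inf'}: {ms} ms")
    print(access_delay_ms(15000, 3000, 3, 7))   # capped at 7 x 10 ms
```

delay_bands reproduces the bands in the text (0 to 2999 at 30 ms through 9000 to 11999 at 60 ms) and puts every user from 12000 upwards in the capped 70 ms band, which is where the maximum stops the delay from growing further.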

6.10.5 Disconnecting Online Users


The NE40E supports the disconnection of online users by the IP address, MAC address,
access port, or domain.

Context
When connections are cut off according to user names and authentication modes, if there are
multiple connections satisfying the condition, they are cut off at the same time.

NOTE

You can cut off the connection with a user that has a specified user name, is in a specified domain, is on
a specified interface, has an IP address in a specified IP address pool, has an IPv6 address in a specified
IPv6 address pool, or matches any combination of these conditions. For example, to cut off the
connection with an access user whose IP address is in IP address pool pool1, who is on GE 1/0/0, and
who is in domain dom1, run the cut access-user interface gigabitethernet 1/0/0 domain dom1 ip-pool
pool1 command.

Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run cut access-user username user-name { all | hwtacacs | local | none | radius | radius-
proxy }
The online user with the specified user name is disconnected.
Or run cut access-user domain domain-name
The online users in the specified domain are disconnected.
Or run cut access-user mac-address mac-address
The online user with the specified MAC address is disconnected.
Or run cut access-user ipv6-address ipv6-address [ vpn-instance instance-name ]
The online user with the specified IPv6 address is disconnected.
Or run cut access-user ip-address ip-address [ vpn-instance instance-name ]
The online user with the specified IP address is disconnected.
Or run cut access-user interface interface-type interface-number [ pevlan vlan-id ] [ cevlan
vlan-id ]
The online users on the specified interface are disconnected.
Or run cut access-user user-id start-no [ end-no ]
The online user with the specified user ID is disconnected.
Or run cut access-user ip-pool pool-name
The online users using the IP addresses in the specified IP address pool are disconnected.
Or run cut access-user slot slot-id
All users on the board in the specified slot are disconnected.
Or run cut access-user ipv6-pool pool-name
All users in the specified IPv6 address pool are disconnected.
Or run cut access-user ipv6-prefix prefix-address/prefix-length

The online users using the specified IPv6 prefix are disconnected.
Or run cut access-user authen-method authen-method-type
The online users using the specified authentication mode are disconnected.
Step 4 Run user-queue-resource allocate-fail offline
The policy when user queue resources fail to be allocated is configured.
Step 5 (Optional) Configure the device to forcibly log out a dual-stack user if the user releases any IP
address.
1. Run domain domain-name
The domain view is displayed.
2. (Optional) Run any-address-release offline
The device is configured to forcibly log out a dual-stack user when the user releases an
IP address.
This command applies to only PPPoX and L2TP users.

----End

6.10.6 Generating User Login Failure and Logout Records


You can determine the cause and time of users' online and offline behavior from their online
and offline records.

Context
Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Enable the function to generate user login failure and logout records.
1. Run aaa offline-record
The function to generate logout records is enabled.
2. Run aaa online-fail-record
The function to generate login failure records is enabled.
3. Run aaa abnormal-offline-record
The function to generate abnormal logout records is enabled.
4. Run aaa normal-offline-record
The function to generate normal logout records is enabled.
Step 3 (Optional) Enable the function to save user login failure and logout records to a local file.
1. Run save aaa online-fail-record
User login failure records are saved to a local file.

2. Run save aaa offline-record


User logout records are saved to a local file.
3. Run save aaa normal-offline-record
Normal user logout records are saved to a local file.
4. Run save aaa abnormal-offline-record
Abnormal user logout records are saved to a local file.
Step 4 (Optional) Run aaa offline-record mib-order lexicographical-order
The device is configured to display user offline records in the MIB table
hwAAAOfflineRecordTable in lexicographical order.

Step 5 Run commit


The configuration is committed.

----End

6.10.7 (Optional) Configuring the Function to Generate and Send
Logs About User Logins, Logouts, and Online Results

This section describes how to configure the function to generate logs about user logins,
logouts, and online results and send the logs to a log server. After the function is enabled, you
can use the log server to query user access information, such as the IP addresses, online time,
and offline time of access users.

Context
After the function to generate and send logs about user logins, logouts, and online results is
enabled on the Router, the device records information when users successfully log in or log
out. The information includes user names, login and logout operations, login and logout time,
access interfaces, and user IP and MAC addresses.
Additionally, the Router can send the logs to a log server, allowing network maintenance
personnel to query logs on the log server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip userlog { access | call-status } export host ip-address udp-port
An IP address and UDP port number are set for the log server that is used to receive logs
about user logins, logouts, and online results.
Step 3 Run ip userlog access export version
The version number of packets used to send user login and logout logs is set.
Step 4 Run ip userlog access send format syslog
The format for sending user login and logout logs is set.

Step 5 Run ip userlog access


The device is enabled to generate user login and logout logs and send the logs to a log server.
Step 6 Run ip userlog call-status
The device is enabled to generate user online result logs and send the logs to a log server.
Step 7 Run commit
The configuration is committed.

----End

Result
l After configuring the function to generate and send logs about user logins, logouts, and
online results, run the display ip userlog access config command to check the
configurations of the function.
l After users log in or out successfully, run the display ip userlog access statistic
command to check statistics about user login and logout logs.
NOTE
To re-collect log statistics about user logins, logouts, and online results, run the reset ip userlog
statistics access command to clear the existing statistics.
Statistics about user login, logout, and online result logs cannot be restored after they are cleared.
Therefore, exercise caution when running this command.
l After configuring the function to generate and send logs about user logins, logouts, and
online results, run the display ip userlog buffer access command to check control block
information and user access information stored in the buffer area where the user logs are
recorded.

6.10.8 Tracing Services of Users

Context
Perform the following steps on the Router:

Procedure
Step 1 Run trace access-user object object-id { interface interface-type interface-number | ip-
address ip-address | mac-address mac-address | ce-vlan ce-vlan-id | pe-vlan pe-vlan-id |
ipv6-address ipv6-address/prefixlength | user-name user-name | tunnel-id tunnel-id | access-
mode { pppoe | pppoa | pppoeoa | ipoe | ipoeoa } } * [ output { file file-name | syslog-
server ip-address | vty } | [ -t time ] | mode packet | flow-report ] *
Or run trace access-user object object-id { circuit-id text | remote-id text } * { exact-match
| partial-match }
Or run trace access-user object object-id calling-number [ output { file file-name | syslog-
server ip-address | vty } ] [ mode packet ] [ -t time ] [ | include ] calling-number-content
text

Or run trace access-user object object-id { circuit-id text | remote-id text } * { exact-match
| partial-match } [ output { file file-name | syslog-server ip-address | vty } | -t time | mode
packet | flow-report ] *

Service tracing is enabled.


Using the service tracing function decreases the performance of the NE40E. Therefore, it is
recommended that you use this function only when you need to locate faults, and disable it
when the NE40E runs normally. If the status of a large number of users changes, configure the
objects to be traced precisely when using the service tracing function. Otherwise, a large
number of resources are wasted and user services are affected.
Step 2 Run commit
The configuration is committed.

----End

6.10.9 Configuring User Testing


User testing is used to locate a fault by checking whether a user can pass the authentication of
the RADIUS server group when the AAA server does not function properly.

Context
Perform the following steps on the NE40E:

NOTE

l The new password is at least eight characters long and contains at least two of the following:
upper-case letters, lower-case letters, digits, and special characters.
l When configuring an authentication password, select the ciphertext mode. If you select the simple
text mode, the password is saved in plaintext in configuration files, which is a high risk. To ensure
device security, change the password periodically.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-test-group radius-test-group-name
The RADIUS server test template is configured.
Step 3 Run include [ authentication | accounting ] radius-attr-name { radius-attribute-value |
auto }
The RADIUS attribute is configured to be sent along with the RADIUS server test template.
Step 4 Run exclude [ authentication | accounting ] radius-attr-name
The RADIUS attribute is configured not to be sent along with the RADIUS server test
template.

----End

Follow-up Procedure
You can run the test-aaa user-name password [ password random [ random1 random2 ]
timestamp [ timestamp1 timestamp2 ] ] radius-group group-name [ chap | pap ] [ test-
group test-group-name ] command to locate a fault by checking whether a user can pass the
authentication of the RADIUS server group.

6.10.10 Changing the Getting Online Period in Loose Mode


Getting online in loose mode after the system restarts due to an exception reduces client
restarts, but may use a lot of resources. You can change the period during which users can get
online in loose mode.

Prerequisites
Getting online triggered by IP/ARP packets has been enabled on a BAS interface.

Context
By default, the user information backup table cannot be queried within two hours after the
NE40E restarts due to an exception, but original online users can still get online by using
IP/ARP packets. You can run the access-trigger command to change the period during which
users can get online in loose mode, so that users who go offline do not have to wait until lease
renewal fails (after the lease expires) or their terminals restart before they can get online
again. To change the getting online period in loose mode, perform the following steps on the
NE40E:

Procedure
l Configure user access in loose mode in the AAA view.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run access-trigger loose { loose-time | all-time }
The period during which users can get online in loose mode after the system restarts
is set.
By default, users can get online in loose mode within 120 minutes after the system
restarts.
After this command is executed, the filtering function of the user information
backup table does not take effect, and IP/ARP packets sent by users will trigger
getting online requests. As a result, the NE40E needs to process a large number of
getting online request packets, which uses a lot of resources and affects normal
users' access.
After the NE40E restarts, a large number of request packets will increase the
pressure on the DHCP server and RADIUS server.
d. Run access-trigger loose infinite-lease
Users with an infinite lease are enabled to go online by sending IP/ARP packets
when no abnormal logout backup entry is generated.
l Configure user access in loose mode in the AAA domain view.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.

c. Run domain domain-name


The AAA domain view is displayed.
d. Run access-trigger loose { loose-time | all-time }
The period during which users in the authentication domain bound to the BAS
interface can go online in loose mode after the system restarts is configured. By
default, users can go online in loose mode within 0 minutes after the system restarts.

NOTE

If the period is configured both in the AAA view and AAA domain view, the configuration
with a longer period takes effect.
e. Run access-trigger loose infinite-lease
Users with an infinite lease in the authentication domain bound to the BAS interface
are enabled to go online by sending IP/ARP packets when no abnormal logout
backup entry is generated.
----End

6.10.11 Configuring Whether to Log Out Users When an Interface


Goes Down

Context
When an interface goes Down due to an interface fault or a direct link fault, the users on the
interface are logged out. When the interface recovers and goes Up, the users go online
through the interface again. If an interface constantly goes Up and Down due to an interface
fault or a direct link fault, the users also go online and offline through the interface constantly.
To address this problem, run the user-policy interface-down command to configure a policy
for online users when an interface goes Down. The policy can be forcibly logging out the
users or keeping the users online.

Procedure
l Configure whether to log out users when an interface goes Down globally.
a. Run system-view
The system view is displayed.
b. Run user-policy interface-down { offline | online }
A policy is configured and applied to online users when an interface goes Down.
The policy can be forcibly logging out the users or keeping the users online.
l Configure whether to log out users on an interface when the interface goes Down.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
c. Run commit
The configuration is committed.
d. Run bas

A BAS interface is created, and the BAS interface view is displayed.


e. Run access-type layer2-subscriber [ default-domain { [ authentication [ force |
replace ] dname ] [ pre-authentication predname ] } ]
The access type and relevant attributes are configured for Layer 2 access users.
Or run access-type layer3-subscriber [ default-domain { [ pre-authentication
predname ] authentication [ force | replace ] dname } ]
The access type and relevant attributes are configured for Layer 3 access users.
f. Run user-policy interface-down { offline | online }
A policy is configured and applied to online users when the BAS interface goes
Down. The policy can be forcibly logging out the users or keeping the users online.

NOTE

l If the user-policy interface-down command is configured in both the system view and the
BAS interface view, whether users are logged out when the BAS interface goes Down depends
on whether the user-policy interface-down command is configured on the BAS interface, and
whether users are logged out when another BAS interface goes Down depends on the
configuration in the system view.
l After you run the user-policy interface-down online command to keep users online when an
interface goes Down, the detection mechanisms, including the ARP probe and PPP keepalive,
configured for users still take effect. Specifically, if the detection fails, the users are forcibly
logged out.
g. Run commit
The configuration is committed.

----End

6.10.12 Configuring Automatic User Login

Usage Scenario
In a Dynamic Host Configuration Protocol version 4 (DHCPv4) user access scenario, when
the Router is restarted or its board, subcard, or interface is faulty, DHCPv4 users are logged
out and their information is lost. If a DHCPv4 client does not detect the fault, the DHCPv4
client does not resend a DHCP request packet to the Router or redial up after the fault is
rectified. As a result, the DHCPv4 user cannot go online again. To address this problem,
configure automatic user login. Specifically, save user information automatically before any
fault occurs and allow the users to go online automatically after the fault is rectified.

If the Router is powered off and restarted, user information saved in the high-end memory
will be lost. Before the Router is powered off, write the user information saved in the high-
end memory to the CF card. After the Router is restarted, restore the user information saved in
the CF card to the high-end memory.

NOTE

The following DHCPv4 user information is saved: MAC address, IP address, VLAN/PVC, access
interface, VPN instance name, domain name, lease, Option 82, Option 60, Option 61, and IP address of
the DHCPv4 server. The DHCPv4 user information is used only when the DHCPv4 users go online
automatically. To ensure security, do not save DHCPv4 user information in the CF card for a long time
and clear it in time.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run access-user dhcp auto-save enable max-user-number max-user-number
Automatic backup of DHCPv4 user information is enabled globally, and the maximum
number of DHCPv4 users whose information can be backed up in all domains is specified.

NOTE

The device backs up information about at most the configured maximum number of DHCPv4 users in all
domains; information about users beyond this number is not backed up. Specify max-user-number as the
total number of DHCPv4 users whose information needs to be backed up in all domains.
The access-user dhcp auto-save command requests memory space based on the maximum number of
DHCPv4 users. If a contiguous memory block of the required size cannot be allocated, the command
fails to be executed, and automatic backup of DHCPv4 user information is disabled.

Step 3 Run aaa


The AAA view is displayed.
Step 4 Run domain domain-name
The AAA domain view is displayed.
Step 5 Run access-user dhcp auto-save enable
Automatic backup of DHCPv4 user information is enabled in the domain.
Information about online DHCPv4 users in the domain is saved in the high-end memory,
which is a storage medium. The larger the configured maximum number of the DHCPv4
users, the more memory space the user information takes up. For example, information about
64000 DHCPv4 users takes up 50 MB of memory.
In a dual-system hot backup scenario, DHCPv4 user information is backed up using the dual-
system hot backup mechanism, so the device does not save information about these DHCPv4
users in the high-end memory.
Step 6 Run quit
Return to the AAA view.
Step 7 Run access-trigger lease-end-time original
The Router is configured to apply the original lease time for users that go online again after
going offline abnormally.
Step 8 Run quit
Return to the system view.
Step 9 Run access-user dhcp auto-recover enable
Automatic DHCPv4 user login is enabled.
Step 10 (Optional) Run access-user dhcp auto-recover speed { slow | normal | fast }
The rate at which DHCPv4 users automatically go online after the Router recovers from a
fault is configured.


l If slow is configured, the maximum rate at which DHCPv4 users automatically go online
after the Router recovers from a fault is 100/s.
l If normal is configured, the maximum rate at which DHCPv4 users automatically go
online after the Router recovers from a fault is 300/s.
l If fast is configured, the maximum rate at which DHCPv4 users automatically go online
after the Router recovers from a fault is 500/s.
Step 11 To allow users to go online automatically after the device is powered off and restarted,
perform the following operations additionally:
1. Before the device is powered off, run access-user dhcp save-file file-path-name
DHCPv4 user information saved in the high-end memory is written to the CF card, and
the directory and file name are specified.

If there is a large amount of DHCPv4 user information saved in the high-end memory, it
takes a long time for the access-user dhcp save-file command to write the information
to the CF card, which may affect services. Exercise caution when you run this command.

2. After the device is restarted, run access-user dhcp recover-file file-path-name
DHCPv4 user information saved in the CF card is restored to the high-end memory.
The device reads DHCPv4 user information in the CF card and saves the information in
the high-end memory. The new information does not override the original DHCPv4 user
information saved in the high-end memory.
Step 12 Run commit
The configuration is committed.

----End

Checking the Configurations
Run the display access-user auto-save user-info { online | wait-recover | mac-address
mac-address [ interface { interface-name | interface-type interface-number } [ pevlan pevlan
cevlan cevlan ] ] } command to check DHCPv4 user information saved in the high-end
memory.
[HUAWEI] display access-user auto-save user-info mac-address 0001-0101-0101
--------------------------------------------------------------------------------
Index MAC IP address Access interface Vlan(PVC)
--------------------------------------------------------------------------------
0 6ad4-04a7-11cc 192.168.210.218 GE5/1/0.3 200/100
1 6ad4-05a7-11cd 192.168.210.217 GE5/1/0.3 200/100
2 6ad4-06a7-11ce 192.168.210.216 GE5/1/0.3 200/100
3 6ad4-07a7-11cf 192.168.210.215 GE5/1/0.3 200/100
4 6ad4-08a7-11d0 192.168.210.214 GE5/1/0.3 200/100
5 6ad4-09a7-11d1 192.168.210.213 GE5/1/0.3 200/100
6 6ad4-0aa7-11d2 192.168.210.212 GE5/1/0.3 200/100
7 6ad4-0ba7-11d3 192.168.210.211 GE5/1/0.3 200/100
8 6ad4-0ca7-11d4 192.168.210.210 GE5/1/0.3 200/100
9 6ad4-0da7-11d5 192.168.210.209 GE5/1/0.3 200/100
10 6ad4-0ea7-11d6 192.168.210.208 GE5/1/0.3 200/100
11 6ad4-0fa7-11d7 192.168.210.207 GE5/1/0.3 200/100
12 6ad4-10a7-11d8 192.168.210.206 GE5/1/0.3 200/100
13 6ad4-11a7-11d9 192.168.210.205 GE5/1/0.3 200/100


Run the display access-user auto-save statistics command to check statistics about DHCPv4
user information saved in the high-end memory.
[HUAWEI] display access-user auto-save statistics
Max backup user number : 64000
Current valid item number : 14
Current online user number : 14
Current wait-recover user number : 0
Version of user-backup-table : V3.0

6.10.13 Enabling User Traffic Statistics Collection Based on Inner or Outer VLAN IDs on a Device
This section describes how to enable user traffic statistics collection based on inner or outer
VLAN IDs on a device.

Context
By default, a device can only collect user traffic statistics based on inner or outer VLAN IDs
on interfaces. To allow the device to collect user traffic statistics based on inner or outer
VLAN IDs on the entire device, enable user traffic statistics collection based on inner or outer
VLAN IDs on the device.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run access user-flow-statistics enable
User traffic statistics collection is enabled based on inner or outer VLAN IDs on the device.
Step 3 Run commit
The configuration is committed.

----End

Result
l After PPPoE users go online through QinQ VLAN tag termination sub-interfaces and
any is specified for inner VLAN tags, which means that packets carrying any inner
VLAN tags are forwarded, you can run the display access user-flow-statistics
configuration or display vlan-statistics pevlan command to check user traffic
collection configuration or user traffic statistics on a device.
l To collect user traffic statistics for a new period, run the reset vlan-statistics pevlan
command to clear the existing statistics for a specified inner or outer VLAN ID.
The system then restarts the user traffic statistics for that inner or outer VLAN ID
from zero. After the period elapses, run the display vlan-statistics pevlan command to
view the newly collected statistics.


6.10.14 (Optional) Configuring the Alarm Function on an Interface with No Backup Protection Configured
This section describes how to configure the backup detection interval, number of detections,
and minor and major alarm thresholds for the number of users on an interface with no backup
protection configured.

Context
The system detects the number of users on interfaces at configured intervals. If no backup
protection is configured on a physical interface (sub-interfaces included), an intra-board Eth-
Trunk interface (sub-interfaces included), or an interface with access response delay based on
odd and even MAC addresses configured but load imbalance occurs (for example, access
response delay based on odd and even MAC addresses fails to take effect due to an interface
fault), a large number of users may fail to go online in case of a board fault. Therefore, you
need to configure the alarm function to prevent impact on user services.
Perform the following steps on the Router.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run access_backup-check detect-interval detect-interval detect-count detect-count fail-count fail-count
The backup detection interval and number of detections are configured.
Step 4 Run access_backup-check interface-type { eth-trunk | GigabitEthernet | GigabitEthernet10GE |
GigabitEthernet100GE } minor-trap-usernum minor-trap-usernum major-trap-usernum major-trap-usernum
The minor and major alarm thresholds for the number of users on an interface with no backup
protection configured are configured.

----End

6.10.15 Verifying the User Management Configuration
After user management is configured, you can view configuration of the user name format
and user account parsing.

Procedure
l Run the display static-user command to check information about static users.
l Run the display aaa configuration command to check the configuration of the user
account parsing function.
l Run the display vlanpvc-to-username command to check the configuration of the
format of the IPoX user name.


l Run the display call rate command to check the put-through rate of all types of users.
l Run the display access trigger user-table command to check information about users
whose access packets are limited on a board.
l Run the display access-ip-number { interface interface-type interface-number | slot
slot-id }* user-type ppp command to check the configuration of the number of IP
addresses for PPP users who log in from a specified interface or a specified board.
l Run the display trace access-user object [ object-id ] command to display the
configurations of all the service objects to be traced or service objects with specified IDs.
l Run the display aaa online-fail-record dhcp statistics command to check user login
failure records.
l Run the display access delay load-balance [ group group-name ] command to check
information about a configured load balancing group.
----End

Example
After the configuration is complete, you can run the display static-user command to view
information about static users.
<HUAWEI> display static-user
---------------------------------------------------------------------------------------------------
Interface   VLAN-ID  IP-address      MAC-address  VPN  IPv6-address  IPv6-delegation-prefix
---------------------------------------------------------------------------------------------------
GE2/0/3.1   1/1      10.255.255.241  -            -    -             -
GE2/0/3.1   1/1      10.255.255.249  -            -    -             -
---------------------------------------------------------------------------------------------------
Total 2 item(s) matched

After the configuration is complete, you can run the display aaa configuration command to
view the configuration of the user account parsing function.
<HUAWEI> display aaa configuration
---------------------------------------------------------------------------
AAA configuration information :
---------------------------------------------------------------------------
Parse Priority : Domain first
Domain Name Delimiter : @
Domainname parse direction : Left to right
Domainname location : After-delimiter
Realm name delimiter : -
Realmname parse direction : Left to right
Realmname location : Before-delimiter
Domain : total: 1024 used: 6
Authentication-scheme : total: 32 used: 3
Authorization-scheme : total: 32 used: 1
Accounting-scheme : total: 256 used: 3
Recording-scheme : total: 128 used: 0
AAA-access-user : total: 279552 used: 0
Access-user-state : authen: 0 author: 0 accounting: 0
Transition-step : -
Min-Delay-time : -
Max-Delay-time : -
Access speed : -
Offline speed : 256(/s)


Account-session-id-version : Version1
Remote-download configuration :
Remote user-group : enable
Remote user-group check interval: 10
Remote acl : enable
Edsg update-user-ip-acct : enable
-------------------------------------------------------------------

After the configuration is complete, you can run the display vlanpvc-to-username command
to view the configuration of the format of the IPoX user name.
<HUAWEI> display vlanpvc-to-username
Version of vlan and pvc model in username : Version2.0

After the configuration is complete, you can run the display call rate command to view the
put-through rate of all types of users.
<HUAWEI> display call rate
User callrate:
--------------------------------------------------------
Usertype Calltime Callcompletion Rate
--------------------------------------------------------
PPP 127 127 100.00%
Dot1X 324 324 100.00%
Web/Fast 7 7 100.00%
Bind 0 0 0.00%
Total 458 458 100.00%

After the configuration is complete, you can run the display access trigger user-table
command to view information about users whose access packets are limited on the board in
slot 1.
<HUAWEI> display access-trigger user-table slot 1
-------------------------------------------------------------------------------------------------------------------
User Mac address :0008-0201-0101
Access Interface :GigabitEthernet0/1/1.1
Access Pevlan/CeVlan:405/-
IPV4:
User IP address :10.1.1.4
Start Limit Time :2013-10-24 16:07:55
Pass Packet :28
Drop Packet :0

After the configuration is complete, you can run the display trace access-user object
command to display the configurations of all the service objects to be traced or of service
objects with specified IDs.
<HUAWEI> display trace access-user object 1
Object ID : 1
MAC Address : 0001-0001-0001
Output to VTY
Aging time : 15
Flow Report : Enable

Object ID : 2
MAC Address : 0001-0001-0002
Output to VTY
Aging time : 15
Flow Report : Enable
--------------------------

After the configuration is complete, you can run the display aaa online-fail-record dhcp
statistics command to check user login failure records.
<HUAWEI> display aaa online-fail-record dhcp statistics
------------------------------------------------------------------------------------------------
DHCPv4 online failures : 10
DHCPv6 online failures : 10
------------------------------------------------------------------------------------------------

After the configuration is complete, you can run the display access delay load-balance
command to check information about a configured load balancing group.
<HUAWEI> display access delay load-balance group huawei
Group-name:huawei Member-count:2
Active-count:2 Delay-time:0
-------------------------------------------------------------------------
Member-InterfaceName Number DelayTime Count Chasten UpDownTime
-------------------------------------------------------------------------
GigabitEthernet1/0/1.1 0 20 0 0 -
GigabitEthernet2/0/1.1 1 20 0 0 -
-------------------------------------------------------------------------

6.11 Maintaining AAA
This section describes how to maintain AAA by clearing HWTACACS statistics and
debugging RADIUS or HWTACACS.

6.11.1 Clearing AAA Statistics
Clearing AAA statistics includes clearing statistics on the AAA server and accounting stop
packets.

Context

Statistics cannot be restored after you clear them. Exercise caution when running the
command.

Procedure
l Run the reset radius statistics packet command in the system view to clear statistics
about the RADIUS server.
l Run the reset aaa statistics { authentication | accounting } [ domain domain-name ]
command in any view to clear statistics about authentication or accounting packets.
l Run the reset radius-attribute packet-count command in the user view to clear the
number of times an attribute occurs in a RADIUS packet.
l Run the reset aaa remote-download acl statistics [ classifier classifier-name | slot slot-id ]
command in the user view to clear dynamic ACL statistics delivered by the RADIUS server.
l Run the reset radius-server accounting-packet all command in the user view to clear
all accounting packets from a cache queue.


l Run the reset radius-server accounting-interim-packet { all | ip ip-address }
command in the user view to clear real-time accounting packets from a cache queue.
l Run the reset aaa online-fail-record dhcp statistics command in any view to clear user
login failure records.
l Run the reset max-onlineusers command in the system view to clear the maximum
number of concurrent online users recorded by the system.
You can clear statistics based on a specified board or domain.
----End

6.11.2 (Optional) Mapping Refined Online Failure or Offline Sub-reasons to a General Sub-reason
If you want to see only general login failure or logout sub-reasons rather than refined ones,
you can map a range of refined sub-reasons to a general sub-reason. The device then displays
only the mapped general sub-reason.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run sub-reason start-reason [ end-reason ] mapping mapping-reason
Refined login failure or logout sub-reasons are mapped to a general sub-reason.

----End

6.12 Configuration Examples for AAA and User Management
This section provides configuration examples of AAA, including networking requirements,
configuration notes, and configuration roadmap.

6.12.1 Example for Performing Authentication and Accounting for Users by Using RADIUS
This section provides an example for performing authentication and accounting by using
RADIUS, including networking requirements, configuration roadmap, configuration
procedure, and configuration files.

Networking Requirements
As shown in Figure 6-2, the users access the network through Device A and belong to the domain
named huawei. Device B functions as the access server for the destination network. To access the
destination network, the users have to traverse the network where Device A and Device B reside
and pass remote authentication on the access server. After that, the users can access the network
through Device B. Remote authentication is implemented on Device B as follows:
l The RADIUS server performs authentication and accounting for access users.
l The RADIUS server at 10.7.66.66/24 functions as the primary authentication and
accounting server. The RADIUS server at 10.7.66.67/24 functions as the secondary
authentication and accounting server. The default port numbers for authentication and
accounting are 1812 and 1813 respectively.

Figure 6-2 Networking diagram of performing authentication and accounting for users by
using RADIUS
(Figure omitted: Domain huawei, DeviceA, DeviceB, Network, Destination network; RADIUS servers
10.7.66.66/24 and 10.7.66.67/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server group, an authentication scheme, and an accounting scheme
on Device B.
2. Apply the RADIUS server group, authentication scheme, and accounting scheme on
Device B to the domain.


NOTE

For administrators, the domain must be the default domain default_admin of administrators. If you
want users from another domain to log in as administrators, run the adminuser-priority command in
this domain. For BAS access users, the domain must be the authentication domain of BAS access users.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the primary (secondary) RADIUS authentication server
l IP address of the primary (secondary) RADIUS accounting server

Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, and an accounting scheme.
# Configure a RADIUS server group named shiva.
<Device> system-view
[~Device] radius-server group shiva

# Configure the IP addresses and port numbers of the primary RADIUS authentication
and accounting servers.
[*Device-radius-shiva] radius-server authentication 10.7.66.66 1812
[*Device-radius-shiva] radius-server accounting 10.7.66.66 1813

# Configure the IP addresses and port numbers of the secondary RADIUS authentication
and accounting servers.
[*Device-radius-shiva] radius-server authentication 10.7.66.67 1812
[*Device-radius-shiva] radius-server accounting 10.7.66.67 1813

# Set the key and the number of retransmission attempts for the RADIUS server.
[*Device-radius-shiva] radius-server shared-key-cipher it-is-my-secret1
[*Device-radius-shiva] radius-server retransmit 2
[*Device-radius-shiva] commit
[~Device-radius-shiva] quit

# Enter the AAA view.
[~Device] aaa

# Configure authentication scheme 1, with the authentication mode being RADIUS.
[~Device-aaa] authentication-scheme 1
[*Device-aaa-authen-1] authentication-mode radius
[*Device-aaa-authen-1] commit
[~Device-aaa-authen-1] quit

# Configure accounting scheme 1, with the accounting mode being RADIUS.
[~Device-aaa] accounting-scheme 1
[*Device-aaa-accounting-1] accounting-mode radius
[*Device-aaa-accounting-1] commit
[~Device-aaa-accounting-1] quit

Step 2 Configure a domain named huawei and apply authentication scheme 1, accounting scheme 1,
and RADIUS server group shiva in the domain.
[~Device-aaa] domain huawei
[*Device-aaa-domain-huawei] authentication-scheme 1
[*Device-aaa-domain-huawei] accounting-scheme 1
[*Device-aaa-domain-huawei] radius-server group shiva


[*Device-aaa-domain-huawei] commit

Step 3 Verify the configuration.
Run the display radius-server configuration group shiva command on the Router to check that
the configuration of the RADIUS server group meets the requirements.
<Device> display radius-server configuration group shiva
-------------------------------------------------------
Server-group-name : shiva
Authentication-server: IP:10.7.66.66 Port:1812 Weight[0] [UP]
Vpn: -
Authentication-server: IP:10.7.66.67 Port:1812 Weight[0] [UP]
Vpn: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Accounting-server : IP:10.7.66.66 Port:1813 Weight[0] [UP]
Vpn: -
Accounting-server : IP:10.7.66.67 Port:1813 Weight[0] [UP]
Vpn: -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Protocol-version : radius
Shared-secret-key : ******
Retransmission : 2
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
Traffic-unit : B
ClassAsCar : NO
User-name-format : Domain-included
Option82 parse mode : -
Attribute-translation: NO
Packet send algorithm: Master-Backup
Tunnel password : cipher

Run the display domain domain-name command on the Router to view the configuration of the
domain.
<Device> display domain huawei
------------------------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : 1
Accounting-scheme-name : 1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -


Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
Ancp auto qos adapt : Disable
RADIUS-server-template : shiva
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Quota-out : Offline
------------------------------------------------------------------------------

----End
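The exchange this example configures, an Access-Request whose User-Password is hidden with the shared key of server group shiva, an Access-Accept or Access-Reject whose Response Authenticator the NAS must verify before trusting it, and the Master-Backup retry behaviour shown in the display output, as an added Python illustration (RFC 2865 logic written for this guide, not Huawei's implementation or the RADIUS server's code). The user name, the NAS address 10.7.66.1 and the user database are constructed; reading "retransmit 2" as two retries after the first attempt is an assumption.

```python
import hashlib
import hmac
import os
import struct

SHARED_KEY = b"it-is-my-secret1"        # key configured on RADIUS server group shiva
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

def _xor_chain(data, secret, request_auth, hide):
    """RFC 2865 section 5.2 User-Password hiding and its inverse: each 16-byte
    block is XORed with MD5(secret + previous block), where the first "previous
    block" is the Request Authenticator. When hiding, the previous block is the
    ciphertext just produced; when recovering, the ciphertext just consumed."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if hide else block
    return out

def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    return _xor_chain(padded, secret, request_auth, hide=True)

def recover_password(hidden, secret, request_auth):
    return _xor_chain(hidden, secret, request_auth, hide=False).rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value   # Type, Length, Value

def parse_attrs(blob):
    attrs, pos = {}, 0
    while pos + 2 <= len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = blob[pos + 2:pos + alen]
        pos += alen
    return attrs

def build_access_request(identifier, username, password, nas_ip,
                         secret=SHARED_KEY, request_auth=None):
    request_auth = request_auth or os.urandom(16)    # fresh random Request Authenticator
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def radius_server_reply(request, users, secret=SHARED_KEY):
    """Constructed stand-in for the server at 10.7.66.66: recovers the password with
    its copy of the shared key and answers Access-Accept or Access-Reject."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    pwd = recover_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if users.get(user) == pwd else ACCESS_REJECT
    auth = response_authenticator(reply_code, identifier, b"", request_auth, secret)
    return struct.pack("!BBH", reply_code, identifier, 20) + auth

def verify_response(response, request, secret=SHARED_KEY):
    """NAS-side check: the Identifier must match the outstanding request and the
    Response Authenticator must have been computed with our shared key. Returns the
    reply code, or None when the reply must be silently discarded."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    expected = response_authenticator(code, identifier, response[20:], request[4:20], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None

def send_master_backup(servers, retransmit, deliver):
    """Master-Backup send algorithm with 'radius-server retransmit 2' (assumed here
    to mean 2 retries after the first attempt): exhaust the primary before moving to
    the backup. deliver(server) returns the reply or None on timeout; it is injected
    so the example runs offline."""
    for server in servers:
        for _ in range(1 + retransmit):
            reply = deliver(server)
            if reply is not None:
                return server, reply
    return None, None
```

A reply built with a different key fails verify_response and is dropped, which is how a shared-key mismatch between the Router and the RADIUS server shows up: the server answers, but every user is rejected or times out.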

Configuration Files
#
sysname Device
#
radius-server group shiva
radius-server authentication 10.7.66.66 1812 weight 0
radius-server authentication 10.7.66.67 1812 weight 0
radius-server accounting 10.7.66.66 1813 weight 0
radius-server accounting 10.7.66.67 1813 weight 0
radius-server shared-key-cipher %^%#h{FXVBLZX9#`VI]EWUUaOSHGd5E!.1DGeVYEie=%^%
radius-server retransmit 2
#
aaa
authentication-scheme 1
authentication-mode radius
#
authorization-scheme default
#
accounting-scheme 1
accounting-mode radius
#
domain huawei
authentication-scheme 1
accounting-scheme 1
radius-server group shiva
#
return

6.12.2 Example for Configuring Dynamic ACL Delivery Through the RADIUS Server
This section provides an example for configuring dynamic ACL delivery through the
RADIUS server.

Networking Requirements
On the network shown in Figure 6-3, users in the domain named huawei access the network
through Device A. Device B functions as the access server for the target network. The users
can access the target network only through Device A and Device B, and only after they are
authenticated by the remote server. Remote authentication on Device B is as follows:

l RADIUS servers are used to perform authentication on the access users.
l The RADIUS server at 10.7.66.66/24 functions as the master authentication server, and
the RADIUS server at 10.7.66.67/24 functions as the backup authentication server. The
default authentication port number 1812 is used.

Figure 6-3 Configuring dynamic ACL delivery through the RADIUS server
(Figure omitted: Domain huawei, DeviceA, DeviceB, Network, Destination network; RADIUS servers
10.7.66.66/24 and 10.7.66.67/24)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a RADIUS server group, an authentication scheme, and dynamic ACL delivery.
2. Bind the RADIUS server group and authentication scheme and apply dynamic ACL
delivery to the domain.

NOTE

Run the adminuser-priority command in the domain view if you want to configure a user not in the
default_admin domain to log in as the administrator. The domain must be configured as the
authentication domain for BAS access users.


Data Preparation
To complete the configuration, you need the IP addresses of the master and backup RADIUS
authentication servers.

Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, and dynamic ACL delivery.
# Configure a RADIUS server group named shiva.
<Device> system-view
[~Device] radius-server group shiva

# Configure an IP address and a port number for the master RADIUS authentication server.
[*Device-radius-shiva] radius-server authentication 10.7.66.66 1812

# Configure an IP address and a port number for the backup RADIUS authentication server.
[*Device-radius-shiva] radius-server authentication 10.7.66.67 1812

# Configure a shared key and the number of retransmissions for the RADIUS server group.
[*Device-radius-shiva] radius-server shared-key-cipher it-is-my-secret1
[*Device-radius-shiva] radius-server retransmit 2
[*Device-radius-shiva] commit
[~Device-radius-shiva] quit

# Configure dynamic ACL delivery through the RADIUS server.
[~Device] aaa
[~Device-aaa] remote-download acl enable

# Configure authentication scheme 1, with RADIUS as the authentication mode.
[~Device-aaa] authentication-scheme 1
[*Device-aaa-authen-1] authentication-mode radius
[*Device-aaa-authen-1] commit
[~Device-aaa-authen-1] quit

Step 2 Configure a domain named huawei and bind authentication scheme 1 and RADIUS server
group shiva to the domain.
[~Device-aaa] domain huawei
[*Device-aaa-domain-huawei] authentication-scheme 1
[*Device-aaa-domain-huawei] radius-server group shiva
[*Device-aaa-domain-huawei] commit
[*Device-aaa-domain-huawei] quit

Step 3 Configure user templates and BAS interfaces.
[~Device-aaa] default-password template huawei cipher huawei123
[~Device-aaa] default-user-name template huawei include sysname
[*Device-aaa] commit
[*Device-aaa] quit
[~Device] interface GigabitEthernet 0/1/1.1
[*Device-GigabitEthernet0/1/1.1] commit
[~Device-GigabitEthernet0/1/1.1] user-vlan 1
[~Device-GigabitEthernet0/1/1.1-vlan-1-1] quit
[~Device-GigabitEthernet0/1/1.1] bas
[~Device-GigabitEthernet0/1/1.1-bas] access-type layer2-subscriber default-domain authentication huawei
[~Device-GigabitEthernet0/1/1.1-bas] authentication-method bind
[*Device-GigabitEthernet0/1/1.1-bas] user detect retransmit 2 interval 0
[*Device-GigabitEthernet0/1/1.1-bas] default-user-name-template huawei
[*Device-GigabitEthernet0/1/1.1-bas] commit
[~Device-GigabitEthernet0/1/1.1-bas] default-password-template huawei


[~Device-GigabitEthernet0/1/1.1-bas] quit
[~Device-GigabitEthernet0/1/1.1] quit

Step 4 Verify the configuration.
Run the display aaa remote-download acl item verbose command on the Router to check
RADIUS server group configurations.
<HUAWEI> display aaa remote-download acl item verbose
-------------------------------------------------------------------------------
ClassifierName ReferedNumByUser RuleNumber ClassifierType
-------------------------------------------------------------------------------
c1 1 1 remote
-------------------------------------------------------------------------------
rc=c1;
rule:(number: 1)
ipv4;ruleid=5;dir=in;su-group=huawei;dipv4=3.1.0.1/24;
rb=b1;
deny;
The used user-id table are :
0
-------------------------------------------------------------------------------
Total Classifier-Behavior Number : 1

----End

Configuration Files
#
sysname HUAWEI
#
user-group huawei
#
radius-server group shiva
radius-server authentication 10.7.66.66 1812 weight 0
radius-server authentication 10.7.66.67 1812 weight 0
radius-server shared-key-cipher %^%#h{FXVBLZX9#`VI]EWUUaOSHGd5E!.1DGeVYEie=%^%
radius-server retransmit 2
#
aaa
remote-download acl enable
default-password template huawei cipher %^%#M*p1,itN!4kQo5%Dc1s(whyJCM@xt0u[,,XMWG/O%^%
default-user-name template huawei include sysname
#
authentication-scheme 1
#
authorization-scheme default
#
domain huawei
authentication-scheme 1
radius-server group shiva
ip-pool huawei
user-group huawei
#
interface GigabitEthernet0/1/1
#
interface GigabitEthernet0/1/1.1
user-vlan 1
bas
#
access-type layer2-subscriber default-domain authentication huawei
authentication-method bind
user detect retransmit 2 interval 0
default-user-name-template huawei
default-password-template huawei
#
#
return

6.12.3 Example for Configuring RADIUS for User Authentication and Accounting (Through Flexible
Interoperation of RADIUS Attributes)
This section provides an example for configuring RADIUS for user authentication and
accounting. When a Huawei device interoperates with a RADIUS server, the RADIUS
attributes supported by the two devices may be different. Python scripts can be loaded to
implement flexible interoperation of RADIUS attributes. The example provides the
networking requirements, configuration roadmap, configuration procedure, and configuration
files.

Networking Requirements
As shown in Figure 6-4, users log in through Device A and belong to the domain huawei. Device B
functions as the access server on the target network: user traffic from Device A passes through
Device B, and users can reach the target network only after Device B has authenticated them
against a remote RADIUS server. Remote authentication and accounting on Device B are configured
as follows:
l The RADIUS server performs authentication and accounting for access users.
l The RADIUS server at 10.7.66.66/24 functions as the master authentication and accounting
server, and the RADIUS server at 10.7.66.67/24 functions as the backup authentication and
accounting server. The default authentication port number and accounting port number are
1812 and 1813, respectively.
However, the attributes that Device B carries in authentication and accounting request packets
are not all the same as those the RADIUS server expects. Therefore, you need to load the python
script package to implement flexible interoperation of RADIUS attributes.

Figure 6-4 Networking for configuring RADIUS for user authentication and accounting
(Figure: users in domain huawei connect to Device A, which connects to Device B; Device B reaches
the RADIUS servers 10.7.66.66/24 and 10.7.66.67/24 and the destination network.)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a RADIUS server group, an authentication scheme, and an accounting scheme.
2. Bind the RADIUS server group, authentication scheme, and accounting scheme to the
domain.
3. Load the python script package.
4. Configure a python policy template.
5. Bind the python policy template to the RADIUS server group.
NOTE

The python script package must have been uploaded to the cfcard: directory.

Data Preparation
To complete the configuration, you need the following data:

l IP addresses of the master and backup RADIUS authentication servers
l IP addresses of the master and backup RADIUS accounting servers
l Python script package
l access-request.py, the python script that processes Access-Request packets
l acct-request.py, the python script that processes Accounting-Request packets

Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, and an accounting scheme.
# Configure a RADIUS server group named shiva.
<HUAWEI> system-view
[~Device] radius-server group shiva

# Configure an IP address and a port number for the master RADIUS authentication and
accounting server.
[*Device-radius-shiva] radius-server authentication 10.7.66.66 1812
[*Device-radius-shiva] radius-server accounting 10.7.66.66 1813

# Configure an IP address and a port number for the backup RADIUS authentication and
accounting server.
[*Device-radius-shiva] radius-server authentication 10.7.66.67 1812
[*Device-radius-shiva] radius-server accounting 10.7.66.67 1813

# Configure a shared key and the number of retransmissions for the RADIUS server.
[*Device-radius-shiva] radius-server shared-key-cipher it-is-my-secret1
[*Device-radius-shiva] radius-server retransmit 2
[*Device-radius-shiva] commit
[~Device-radius-shiva] quit

# Enter the AAA view.
[~Device] aaa

# Configure authentication scheme 1, with RADIUS as the authentication mode.
[~Device-aaa] authentication-scheme 1
[*Device-aaa-authen-1] authentication-mode radius
[*Device-aaa-authen-1] commit
[~Device-aaa-authen-1] quit

# Configure accounting scheme 1, with RADIUS as the accounting mode.
[~Device-aaa] accounting-scheme 1
[*Device-aaa-accounting-1] accounting-mode radius
[*Device-aaa-accounting-1] commit
[~Device-aaa-accounting-1] quit

Step 2 Configure a domain named huawei and bind authentication scheme 1, accounting scheme 1,
and RADIUS server group shiva to the domain.
[~Device-aaa] domain huawei
[*Device-aaa-domain-huawei] authentication-scheme 1
[*Device-aaa-domain-huawei] accounting-scheme 1
[*Device-aaa-domain-huawei] radius-server group shiva
[*Device-aaa-domain-huawei] commit

Step 3 Enable the python script extension function.
<HUAWEI> system-view
[~HUAWEI] access enable python extend script-package V800R010C10SPC500.zip
[*HUAWEI] commit

Step 4 Configure a python policy template for packet processing.

# Create a python policy template.
[~HUAWEI] access python-policy py
[*HUAWEI-python-policy py] commit

# Configure the association between packets and scripts in the python policy template named
py.
[~HUAWEI-python-policy py] protocol radius packet access-request direction egress python-script access-request.py
[*HUAWEI-python-policy py] protocol radius packet accounting-request direction egress python-script acct-request.py
[*HUAWEI-python-policy py] protocol radius packet process-fail passthrough
[*HUAWEI-python-policy py] commit
[~HUAWEI-python-policy py] quit

Step 5 Bind the RADIUS server group to the python policy template.
[~HUAWEI] radius-server group shiva
[*HUAWEI-radius-shiva] python-policy py
[*HUAWEI-radius-shiva] commit

Step 6 Verify the configuration.
Run the display radius-server configuration group shiva command on the Router to view the
RADIUS server group configuration. The command output shows that the RADIUS server group
configuration meets the requirements.
<HUAWEI> display radius-server configuration group shiva
-------------------------------------------------------
Server-group-name : shiva
Authentication-server: IP:10.7.66.66 Port:1812 Weight[0] [UP]
Vpn: -
Authentication-server: IP:10.7.66.67 Port:1812 Weight[0] [UP]
Vpn: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Accounting-server : IP:10.7.66.66 Port:1813 Weight[0] [UP]
Vpn: -
Accounting-server : IP:10.7.66.67 Port:1813 Weight[0] [UP]
Vpn: -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Protocol-version : radius
Shared-secret-key : ******
Retransmission : 2
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
Traffic-unit : B
ClassAsCar : NO
User-name-format : Domain-included
Option82 parse mode : -
Attribute-translation: NO
Packet send algorithm: Master-Backup
Tunnel password : cipher

Run the display domain domain-name command on the Router to view the domain
configuration.
<HUAWEI> display domain huawei


------------------------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : 1
Accounting-scheme-name : 1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
Ancp auto qos adapt : Disable
RADIUS-server-template : shiva
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Quota-out : Offline
------------------------------------------------------------------------------

Run the display access python-script information command on the Router to view information
about the loaded python script package.
<HUAWEI> display access python-script information
Script Package Name : cfcard:/V800R010C10SPC500.zip
Script Package Version : V800R010C10SPC500
Script Package Run Time : 2018-05-21 05:06:22
Script Info:
---------------------------------------------------------------
ScriptName State
---------------------------------------------------------------
acct-request.py Running
access-request.py Running
---------------------------------------------------------------
Total = 2

----End

Configuration Files
#
sysname HUAWEI
#
radius-server group shiva
radius-server authentication 10.7.66.66 1812 weight 0
radius-server authentication 10.7.66.67 1812 weight 0
radius-server accounting 10.7.66.66 1813 weight 0
radius-server accounting 10.7.66.67 1813 weight 0
radius-server shared-key-cipher %^%#h{FXVBLZX9#`VI]EWUUaOSHGd5E!.1DGeVYEie=%^%
radius-server retransmit 2
python-policy py
#
aaa
authentication-scheme 1
authentication-mode radius
#
authorization-scheme default
#
accounting-scheme 1
accounting-mode radius
#
domain huawei
authentication-scheme 1
accounting-scheme 1
radius-server group shiva
#
access enable python extend script-package cfcard:/V800R010C10SPC500.zip
#
access python-policy py
protocol radius packet access-request direction egress python-script access-request.py
protocol radius packet accounting-request direction egress python-script acct-request.py
#
#
return
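The following is an added example, not code from this guide and not Huawei's script package, and it does not use the device's on-box Python script interface (which this page does not document). It shows in plain Python what an egress rewrite such as access-request.py or acct-request.py has to respect at the wire level: attributes are type-length-value triples, the Accounting-Request authenticator is MD5 over the final attribute bytes plus the shared key (RFC 2866), and an Access-Request carries a Message-Authenticator that is HMAC-MD5 over the whole packet (RFC 2869). Attributes must therefore be translated before the authenticators are computed; a byte changed afterwards is rejected by the server. The translation rule (drop Huawei vendor-specific attributes, vendor ID 2011, and add NAS-Identifier when missing), the user name, the password and the VSA contents are constructed for illustration; the shared key is the one typed in Step 1.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4                       # RFC 2865/2866 codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32             # attribute types
VENDOR_SPECIFIC, ACCT_STATUS_TYPE, MESSAGE_AUTHENTICATOR = 26, 40, 80
HUAWEI_VENDOR_ID = 2011                                         # IANA enterprise number in Huawei VSAs

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; the length octet covers the 2-byte header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        t, l = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build(code, ident, attrs, secret, req_auth=None):
    """Access-Request: random authenticator plus HMAC-MD5 Message-Authenticator (RFC 2869).
    Accounting-Request: authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)."""
    if code == ACCESS_REQUEST:
        req_auth = req_auth or os.urandom(16)
        body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
        hdr = struct.pack("!BBH", code, ident, 20 + len(body))
        mac = hmac.new(secret, hdr + req_auth + body, hashlib.md5).digest()
        return hdr + req_auth + body[:-16] + mac      # the MAC value is the last 16 bytes
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest() + body

def verify(pkt, secret):
    """The check the server performs: MD5 authenticator for accounting, HMAC for access."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    hdr, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    if hdr[0] == ACCOUNTING_REQUEST:
        want = hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest()
        return hmac.compare_digest(want, auth)
    attrs = decode_attrs(body)
    got = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    want = hmac.new(secret, hdr + auth + zeroed, hashlib.md5).digest()
    return len(got) == 1 and hmac.compare_digest(want, got[0])

def translate_egress(attrs, nas_id):
    """Hypothetical rewrite standing in for access-request.py / acct-request.py: drop Huawei
    vendor-specific attributes the peer cannot parse and add NAS-Identifier when missing."""
    kept = [(t, v) for t, v in attrs
            if not (t == VENDOR_SPECIFIC and len(v) >= 4
                    and struct.unpack("!I", v[:4])[0] == HUAWEI_VENDOR_ID)]
    if not any(t == NAS_IDENTIFIER for t, _ in kept):
        kept.append((NAS_IDENTIFIER, nas_id))
    return kept

def demo(secret=b"it-is-my-secret1"):
    """Constructed packets: translate, then build (authenticators computed last). Editing a
    byte after that must make the packet fail verification."""
    vsa = struct.pack("!I", HUAWEI_VENDOR_ID) + bytes([1, 6]) + b"demo"   # constructed Huawei VSA
    auth = os.urandom(16)
    access = build(ACCESS_REQUEST, 1, translate_egress(
        [(USER_NAME, b"user@huawei"), (USER_PASSWORD, hide_password(b"Pa55w0rd", secret, auth)),
         (VENDOR_SPECIFIC, vsa)], b"HUAWEI"), secret, auth)
    acct = build(ACCOUNTING_REQUEST, 2, translate_egress(
        [(USER_NAME, b"user@huawei"), (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
         (VENDOR_SPECIFIC, vsa)], b"HUAWEI"), secret)
    tampered = acct[:-1] + bytes([acct[-1] ^ 0x01])     # flip a bit of NAS-Identifier after signing
    return {"access_ok": verify(access, secret), "acct_ok": verify(acct, secret),
            "tampered_ok": verify(tampered, secret),
            "acct_types": [t for t, _ in decode_attrs(acct[20:])]}

if __name__ == "__main__":
    print(demo())
```

The tampered_ok result is the practitioner's check: a RADIUS server does not answer a request whose authenticator is wrong, so a script that edits attributes after the authenticator has been computed shows up on the device as retransmissions and timeouts rather than as an explicit error. The process-fail passthrough setting in Step 4 only governs what happens when a script itself fails, not whether the peer accepts the rewritten packet.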


7 IPv4 Address Management Configuration

About This Chapter

This chapter describes the concept, rationale, and configuration of IPv4 address management and
provides several configuration examples.

Context
NOTE

This feature is supported only on the Admin-VS.

7.1 Overview of IPv4 Address Management
IPv4 address management includes obtaining an IP address dynamically and configuring a
fixed IP address.
7.2 Licensing Requirements and Limitations for IPv4 Address Management--M2H
7.3 Licensing Requirements and Limitations for IPv4 Address Management--M2K
7.4 Configuring an IPv4 Address Pool and an Address Pool Group
After an IPv4 address pool is configured, users can obtain IPv4 addresses from the IPv4
address pool.
7.5 Configuring a DHCPv4 Server Group
A DHCPv4 server group is required only when a remote address pool is used to assign IP
addresses to users that use a BAS interface for access.
7.6 Configuring DHCPv4 Proxy
7.7 Adjusting DHCPv4 Service Parameters
You can adjust DHCPv4 service parameters to enhance the security of the DHCPv4 service.
7.8 Maintaining DHCPv4
You can maintain DHCPv4 by clearing DHCPv4 statistics, monitoring DHCPv4 operating
status, and debugging DHCPv4.
7.9 Configuration Examples for IPv4 Address Management
This section provides configuration examples of DHCPv4, including networking
requirements, configuration notes, and configuration roadmap.


7.1 Overview of IPv4 Address Management
IPv4 address management includes obtaining an IP address dynamically and configuring a
fixed IP address.
The NE40E allows a user to access the network by obtaining an IP address dynamically or
configuring a fixed IP address.
l Obtaining an IP address dynamically
Users can use DHCP or IPCP (for PPP users) to obtain IP addresses from the address
pool of the NE40E. After a user goes offline, the IP address previously assigned to this
user can be assigned to another user.
l Configuring a static IP address
A user can configure a static IP address on the computer. After the user goes offline, the
static IP address cannot be assigned to other users.
l Obtaining an IP address delivered by the RADIUS server
User IP addresses can be delivered by the RADIUS server to the NE40E in the Framed-
IP-Address attribute. Users can use DHCP or IPCP (for PPP users) to interact with the
NE40E to obtain IP addresses.
The NE40E can also allocate address segments through IPCP. The gateway address and mask of the
segment must be delivered by the RADIUS server, so the NE40E can assign a gateway and a mask to
a home user. Multiple terminals can then be connected behind that gateway, and terminals in the
same network segment can communicate with each other.

7.2 Licensing Requirements and Limitations for IPv4 Address Management--M2H
Licensing Requirements
This feature is a basic feature and is not under license control.


Restrictions and Guidelines

Restriction: If DHCPv4 and PPPoEv4 users with the same MAC address go online from a remote
address pool at the same time, the DHCP server may incorrectly distribute response packets to
users, causing user login failures.
Guidelines: Deploy a local address pool and a remote address pool, or two local address pools,
for DHCP and PPPoE users with the same MAC address.
Impact: If a PPPoEv4 user requests to go online when a DHCPv4 user is waiting for a response
from the DHCPv4 server, the server may send the response for the DHCPv4 user to the PPPoEv4
user. As a result, both users fail to go online. If a DHCPv4 user requests to go online when a
PPPoEv4 user is waiting for a response from the DHCPv4 server, the server may send the response
for the PPPoEv4 user to the DHCPv4 user. As a result, both users fail to go online. If the first
user has successfully gone online and the remote server can distinguish between the DHCPv4 user
and the PPPoE user during address allocation, the second user can go online successfully.

Restriction: In an upgrade scenario where RUI inter-chassis borrowing is configured, the device
with a RUI-slave address pool deployed runs a new version, whereas the device with a local
address pool deployed runs an old version. When a PPPoEv4 user requests to go online or renew
the lease from the device with a RUI-slave address pool deployed, the device fails to identify
the user for whom the NAK message is intended. If the NAK message indicates that there is no
available address in the local address pool, a failure in identifying the receiver of the NAK
message will reduce the login success rate. If a DHCPv4 or PPPoEv4 user with the same MAC
address as the preceding PPPoEv4 user requests to go online or renew the lease from a remote
address pool, the two types of users may fail to go online or renew the lease.
Guidelines: None
Impact: As described in the restriction: the login success rate drops, and the two types of
users may fail to go online or renew the lease.

7.3 Licensing Requirements and Limitations for IPv4 Address Management--M2K
Licensing Requirements
This feature is a basic feature and is not under license control.


Restrictions and Guidelines

Restriction: If DHCPv4 and PPPoEv4 users with the same MAC address go online from a remote
address pool at the same time, the DHCP server may incorrectly distribute response packets to
users, causing user login failures.
Guidelines: Deploy a local address pool and a remote address pool, or two local address pools,
for DHCP and PPPoE users with the same MAC address.
Impact: If a PPPoEv4 user requests to go online when a DHCPv4 user is waiting for a response
from the DHCPv4 server, the server may send the response for the DHCPv4 user to the PPPoEv4
user. As a result, both users fail to go online. If a DHCPv4 user requests to go online when a
PPPoEv4 user is waiting for a response from the DHCPv4 server, the server may send the response
for the PPPoEv4 user to the DHCPv4 user. As a result, both users fail to go online. If the first
user has successfully gone online and the remote server can distinguish between the DHCPv4 user
and the PPPoE user during address allocation, the second user can go online successfully.

Restriction: In an upgrade scenario where RUI inter-chassis borrowing is configured, the device
with a RUI-slave address pool deployed runs a new version, whereas the device with a local
address pool deployed runs an old version. When a PPPoEv4 user requests to go online or renew
the lease from the device with a RUI-slave address pool deployed, the device fails to identify
the user for whom the NAK message is intended. If the NAK message indicates that there is no
available address in the local address pool, a failure in identifying the receiver of the NAK
message will reduce the login success rate. If a DHCPv4 or PPPoEv4 user with the same MAC
address as the preceding PPPoEv4 user requests to go online or renew the lease from a remote
address pool, the two types of users may fail to go online or renew the lease.
Guidelines: None
Impact: As described in the restriction: the login success rate drops, and the two types of
users may fail to go online or renew the lease.

7.4 Configuring an IPv4 Address Pool and an Address Pool Group
After an IPv4 address pool is configured, users can obtain IPv4 addresses from the IPv4
address pool.

Usage Scenario
A BAS-side address pool needs to be configured to assign IP addresses to access users. If the
NE40E needs to allocate IP addresses to users, you must configure a local address pool on the
NE40E, as shown in Figure 7-1; if a DHCPv4 or BOOTP server needs to allocate IP
addresses to users, you must configure a remote address pool on the NE40E, as shown in
Figure 7-2.

Figure 7-1 Networking diagram for address assignment from the local address pool
(Figure: elements shown are subscriber@isp1, a Switch, a DNS Server, a DHCP Server and the Internet.)

Figure 7-2 Networking diagram for address assignment from the remote address pool
(Figure: elements shown are subscriber@isp2, an Access Network, a DHCP Relay, a DHCP Server and the Internet.)

Pre-configuration Tasks
Before configuring an IP address pool, complete the following task:

l Configuring the DHCPv4 Server if a remote address pool is used

NOTE

If two remote address pools are bound to the same DHCP server but the DHCP server's configuration
is consistent with only one of them, the other remote address pool becomes invalid. Therefore,
ensure that the configurations of the DHCP server and both address pools are consistent, or bind
each remote address pool to its own DHCP server.

7.4.1 Creating an Address Pool
It is essential to configure the type, name, gateway, and address segment of an address pool.


Context
Perform the following steps on the Router. Configure either a dynamic address pool or a
non-dynamic address pool.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run access wait-request-time dhcpv4 time-value
The timeout period for a router to wait for a Request message from a client in response to an
Offer message sent to the client is set.
Step 3 Perform the corresponding steps according to the type of the address pool to be created.
l Create a dynamic address pool.
a. Run ip pool pool-name bas dynamic
A dynamic address pool is created, and the dynamic address pool view is displayed.
b. Run radius-server group group-name
A RADIUS server group is bound to the dynamic address pool.
c. Run authentication-name authentication-name password cipher password
An authentication name and a password are configured for the BRAS to apply to a
RADIUS server for dynamic address segments.
d. Run subnet length initial { length | gateway-mask } [ extend { length | gateway-mask } ]
The mask lengths are configured for the initial and subsequent address segments that the
dynamic address pool applies for.
e. (Optional) Run ip used-threshold upper-limit upper-value lower-limit lower-value
The upper and lower address usage thresholds are configured for the dynamic address pool.
The lower threshold for address segment release must be less than the upper threshold for
address segment application.
By default, the upper threshold for address segment application is 80%, and the lower
threshold for address segment release is 20%.
The BRAS checks the dynamic address pool usage every 10 minutes. If the BRAS
detects that the dynamic address pool usage reaches the upper threshold, the BRAS
applies to the RADIUS server for new address segments. If the BRAS detects that
the dynamic address pool usage falls below the lower threshold, the BRAS applies
to the RADIUS server for releasing address segments.
f. (Optional) Run detect retransmit retransmit-value interval days hours minutes
The number of retransmission times and a retransmission interval for detecting
address segment availability are configured for the dynamic address pool.
By default, the number of retransmission times is 3, and the retransmission interval
is 3 days.
l Create a non-dynamic address pool.
a. Run ip pool pool-name [ bas { local | remote } [ rui-slave ] | server ]
A non-dynamic address pool is created and the address pool view is displayed.

Up to 4096 address pools can be configured in the system, including access-side address
pools and network-side address pools. The address pool names must be unique.
b. Run gateway ip-address mask
The gateway address and mask of the pool are configured.
The subnet mask and gateway address are used to determine whether the IP
addresses in the address segments are in the same subnet with the gateway.
Therefore, you must configure the gateway address and mask before configuring
the address segments.
Or run gateway unnumbered interface interface-type interface-number
An unnumbered interface gateway is configured for the address pool.
When a gateway address is configured in an IP address pool, the gateway address and the user
addresses must be on the same network segment, but the gateway address itself cannot be
assigned to users, so reserving a gateway in every address pool wastes IP addresses. This
command instead uses the loopback address of the device as the gateway for all user addresses,
so that no address in any pool is consumed by a gateway.
NOTE

n The borrowed interface must be configured with an IP address.
n The gateway unnumbered interface interface-type interface-number command can only be
configured in the IPv4 local address pool.
n If an IP address pool is bound to a domain, the interface gateway can be configured,
deleted or changed only after the address pool is unbound from the domain.
n The gateway route's mask length of the remote address pool must be the same as the
gateway route's mask length of the server address pool on the DHCP server.
The ppp-gateway unnumbered loopback command is used in AAA view when a
PPP user who receives a Framed-Ip-Address from the RADIUS server needs to
choose a loopback interface address as the gateway address.
c. Run section section-num start-ip-address [ end-ip-address ]
An address segment is configured.
A maximum of 256 address segments can be configured in an address pool. An
address segment contains at most 65536 IP addresses. The address segments cannot
overlap each other.
d. (Optional) Run wait-request-time time-value
The timeout period for a router to wait for a Request message from a client in
response to an Offer message sent to the client is set.
NOTE
The wait-request-time time-value command is run in the IP address pool view whereas the
access wait-request-time dhcpv4 time-value command is run in the system view. If the two
commands are both run, the wait-request-time time-value command takes effect.
e. (Optional) Run weight weight-value
A weight is configured for an IPv4 address pool.
NOTE

n After the weight is configured for the IPv4 address pool, you must run the ip-pool
algorithm loading-share remote command in the system view to configure the device
to assign addresses from IPv4 remote address pools based on their weights.
n The ip-pool algorithm loading-share remote command applies only to IPv4 remote
address pools.


f. (Optional) Run ip-pool algorithm loading-share remote [ chasten { restrain-period period-value | timeout-threshold threshold-value } * ]
A period during which a remote address pool is suppressed and a threshold for the
number of NAK packets in a suppressed remote address pool are configured.
g. (Optional) Run dhcp-server check-remote-ip loose
The BRAS is disabled from checking whether the IP addresses assigned by the
DHCP server are on the network segment to which the gateway address of the
remote address pool belongs.
NOTE

The dhcp-server check-remote-ip loose command takes effect for remote address pools and
remote RUI address pools only.

Step 4 (Optional) Run ip-attribute public

The public network attribute is configured for an IP address pool or an IP address pool group.
After the configuration is complete, the IP address pool or the IP address pool group is used
for the calculation of public IP address pool status.

By default, IP address pools or IP address pool groups have no public network attribute. They
are not used for the calculation of public IP address pool status.

To use the public IP address pool for the calculation of public IP address pool status, run the
ip-pool usage-status threshold command to configure the upper and lower thresholds for IP
address pool usage in a domain to calculate public IP address pool status.

The ip-attribute public command takes effect only on local address pools.

Step 5 (Optional) Run lease days [ hours [ minutes ] ]

The lease of the address pool is configured.

By default, the lease of the IP addresses in an address pool is three days. If the lease is set to
0, the lease of the IP addresses is not limited.

Step 6 (Optional) Run rebinding-time days [ hours [ minutes ] ]

The rebinding time of IP addresses is set.

By default, the rebinding time of IP addresses is 87.5% of the lease of the address pool.

Step 7 (Optional) Run renewal-time days [ hours [ minutes ] ]

The renewal time of IP addresses is set.

Step 8 (Optional) Run recycle start-ip-address [ end-ip-address ]

The status of these IP addresses is set to Idle.

When the user is not online, you can reclaim the occupied IP address manually by running
this command.

Step 9 (Optional) Run conflict auto-recycle interval interval-time

The interval at which conflicting addresses are automatically reclaimed is set.

By default, conflicting addresses are automatically recycled at an interval of 30 minutes.


If the interval-time value is set to 0, the automatic address reclaim function is disabled.
Conflicting addresses will not be assigned to users. You must run the reset conflict-ip-
address command to reclaim conflicting addresses.
If the interval-time value is not 0, and the address usage of the pool exceeds the alarm
threshold and an address has been in conflict for longer than interval-time, the Router
automatically reclaims some conflicting addresses and assigns them to users.
This command is valid only in the view of the local or server address pool.
Step 10 (Optional) Run reserved ip-address { lease | mac }
The reservation type of an IP address for a user is configured.
By default, IP addresses are not reserved. When a user goes offline, the IP address is
reclaimed.
If a user is assigned a lease of four days during the first login, the user can still use the
originally allocated IP address provided that the user goes online again within four days. This
is called lease-based IP address reservation.
If a user's MAC address and the allocated IP address are recorded during the first login, the
user can still use the originally allocated IP address when going online again. This is called
MAC-address-based IP address reservation.
Step 11 (Optional) Run vpn-instance instance-name
A VPN instance is bound to the address pool.
Step 12 (Optional) Run warning-threshold threshold-value
The alarm threshold for the address usage of an address pool is set. If the address usage
exceeds the threshold, an alarm is generated on the Router.
By default, the alarm threshold for the address usage of an address pool is set to 80%.
Step 13 (Optional) Run warning-exhaust
The address exhaustion alarm function is enabled for the address pool.
After this command is executed, the system generates an address exhaustion alarm when IP
addresses in the address pool are exhausted, prompting the administrator to plan the IP
addresses. When IP addresses in the address pool are exhausted, users cannot go online.
When IP address usage of the address pool falls below 90%, the address exhaustion alarm is
cleared.
Step 14 (Optional) Run frame-ip lease manage
The lease management function of IP addresses delivered by the RADIUS server is enabled in
an IP address pool.
By default, the lease management function for IP addresses delivered by the RADIUS server
is disabled.
Step 15 (Optional) Run option33 route dest-ip gateway
IP addresses in this address pool are configured as the destination IP address and gateway IP
addresses.
Step 16 (Optional) Run option router disable
The device is disabled from sending DHCP packets carrying Option 3 (network gateway
address) to the client.

Step 17 (Optional) Enable the automatic recycling of IP addresses assigned in RADIUS authentication
responses.
1. Run quit
Return to the system view.
2. Run aaa
The AAA view is displayed.
3. Run framed-ip conflict auto-recycle
The automatic recycling of IP addresses assigned in RADIUS authentication responses is
enabled.
By default, IPv4 addresses, IPv6 addresses, or IPv6 prefixes assigned in RADIUS
authentication responses are not recycled automatically.

Step 18 Run commit

The configuration is committed.

----End

7.4.2 (Optional) Configuring Static IP Address Binding


The IP address pool configured for static address bindings contains special IP addresses,
which are assigned to servers in need of fixed IP addresses or users with particular
requirements.

Context
Based on the clients' needs, you can adopt either static address binding or dynamic address
assignment.

When dynamic address assignment is used, a range of IP addresses to be assigned needs to be
specified; when static address binding is used, it can be considered to be a special DHCPv4
address pool with only one address.

Perform the following steps on the Router that functions as a DHCPv4 server:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ip pool pool-name bas local

An IP address pool is created and the IP address pool view is displayed.

Step 3 (Optional) Run static-bind ip-address ip-address mac-address mac-address

Certain IP-MAC addresses are statically bound.

Step 4 Run commit

The configuration is committed.

----End

Follow-up Procedure
Some clients may need fixed IP addresses that are bound to their MAC addresses. When the
client with a specific MAC address uses DHCPv4 to apply for an IP address, the DHCPv4
server finds out the fixed IP address bound to the MAC address and assigns it to the client.

7.4.3 (Optional) Configuring DNS Services for the DHCPv4 Client
You can configure DNS server parameters for the DHCPv4 client. This allows the DHCPv4
client to obtain DNS services automatically. Users can then use easy-to-memorize, meaningful
domain names rather than complicated IP addresses.

Context
Perform the following steps on the DHCPv4 server that provides DNS services for the
DHCPv4 clients:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip pool pool-name [ bas { local | remote } | server ]
An IP address pool is created and the IP address pool view is displayed.
Step 3 Run dns-suffix suffix-name
The DNS suffix of the IP address pool is configured.

NOTE

This command is valid for only the local address pool and server address pool.

Step 4 Run dns-server ip-address &<1-8>
The IP address of the DNS server of the address pool is configured.

NOTE

If IP addresses are automatically allocated from the BAS address pool, the DNS server can be
configured in both the domain view and the address pool view, but the configuration in the domain view
takes precedence.
If the RADIUS server is used to deliver IP addresses and gateway addresses, the following situations are
available:
- If the RADIUS server also delivers the DNS server address, the DNS server address delivered by
the RADIUS server takes precedence.
- If the RADIUS server does not deliver the DNS server address, the DNS server must be
configured in the domain view, and this configuration does not take effect for the address pool.

Step 5 Run domain-search-list domain-name
The search domain is configured.

If a client sends a packet carrying the Option 119 field to request search domain information
from the DHCP server, the domain-search-list command can be used to configure search
domains so that the DHCP server can send the required search domain information to the
user. After the domain-search-list command is run, if the first domain name resolution attempt
fails, the configured search domain is used for resolution.

Step 6 Run commit

The configuration is committed.

----End

Follow-up Procedure
On the DHCPv4 server, designate a DNS suffix for each address pool used to assign IP
addresses to clients.

When a host accesses the Internet by using the DNS suffix, the DNS server resolves the DNS
suffix into an IP address. Therefore, to ensure that the client successfully accesses the
Internet, the DHCPv4 server also needs to specify the DNS server address for the client when
it assigns IP addresses.

To improve network reliability, you can configure several DNS servers.

7.4.4 (Optional) Configuring NetBIOS Services for the DHCPv4 Client
You can configure NetBIOS services for the DHCPv4 client to enable users to obtain
NetBIOS services automatically. Then, users can use easy-to-memorize host names rather
than complicated IP addresses.

Context
Perform the following steps on the Router that provides NetBIOS services for the DHCPv4
clients:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ip pool pool-name [ bas { local | remote } | server ]

An address pool is created and the address pool view is displayed.

Step 3 Run netbios-name-server ip-address &<1-8>

The IP address of the NetBIOS server of the DHCPv4 client is configured.

Step 4 Run netbios-type { b-node | h-node | m-node | p-node }

The NetBIOS node type of the DHCPv4 client is configured.

Step 5 Run commit

The configuration is committed.

----End

Follow-up Procedure
For clients running a Microsoft operating system, a Windows Internet Naming Service (WINS)
server resolves host names to IP addresses for hosts that communicate using the NetBIOS
protocol. Most Windows clients need to be configured with a WINS server.

When a DHCPv4 client communicates across a WAN using the NetBIOS protocol, a
mapping between the host name and the IP address must be set up. The NetBIOS node types,
which differ in how they obtain mappings, are as follows:
- b-node: "b" stands for broadcast. A b-node obtains the mapping by broadcasting.
- h-node: "h" stands for hybrid. An h-node is a b-node that additionally uses the
peer-to-peer communication mechanism.
- m-node: "m" stands for mixed. An m-node is a p-node that additionally has some of
the broadcast features.
- p-node: "p" stands for peer-to-peer. A p-node obtains the mapping by communicating
with NetBIOS servers.

7.4.5 (Optional) Configuring SIP Services for the DHCPv4 Client
You can configure SIP services for the DHCPv4 client to implement multimedia
communications such as multimedia conferences, Internet phones, distance education, and
distance medical treatment.

Context
Perform the following steps on the Router that provides SIP services for the DHCPv4 clients:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ip pool pool-name [ bas local | server ]

An address pool is created and the address pool view is displayed.

Step 3 Run sip-server { { ip-address ip-address } &<1~2> | { list server-name } &<1~2> }

The IP address or name of the SIP server is specified.

Step 4 Run commit

The configuration is committed.

----End

7.4.6 (Optional) Configuring DHCPv4 Self-Defined Options
You can configure DHCPv4 self-defined options to provide more control information and
parameters for the clients.

Context
If both the dhcp option125 and option 125 commands are used, only the dhcp option125
command takes effect.
Perform the following steps on the Router that functions as a DHCPv4 server:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip pool pool-name [ bas local | server ]
An IP address pool is created and the IP address pool view is displayed.
Step 3 Run option code { { ip ip-address } &<1-2> | string string | hex hex-string &<1-160>|
{ suboption subcode { ip ip-address | string sub-string } } &<1-16> }
A DHCPv4 option is configured.
Step 4 (Optional) Run dhcp option125 [ enterprise-code enterprise-code ] option125-string
The enterprise code and description encapsulated into DHCP Option 125 for a telecom
equipment supplier are configured.
After this command is used, the enterprise code and description will be encapsulated into the
DHCP Option 125 field of each DHCP Reply packet.
Step 5 Run option force-reply { code }&<1-16>
The DHCP options that a DHCP server forcibly replies to a client are configured.
A server does not reply with some DHCP option information unless the client requests it.
However, without this information, such as an IP address, the client cannot access the
Internet. The option force-reply command configures the server to reply with a specified
DHCP option to the client even if the client does not request it.

NOTE
- A maximum of 16 forcibly replied DHCP options can be configured in an IP address pool.
- Information about the configured DHCP option code must be supported by the DHCP server.
Otherwise, the server cannot forcibly reply the DHCP option to the client.

Step 6 Run commit
The configuration is committed.

----End

Follow-up Procedure
The Option field in DHCPv4 packets carries control information and parameters that are not
defined in common protocols. If the DHCPv4 server is configured with an Option, the
DHCPv4 client obtains the configuration information saved in the Option field of DHCPv4
response packets.
You need to add the options to the attribute list of the DHCPv4 servers. For example:
- To configure the IP address of a log server to 10.110.204.1, use the option 7 ip
10.110.204.1 command.
- To configure the Option 129 field to represent "huawei", use the option 129 string
huawei command.
NOTE
The values of common options, such as those for the DNS server or the lease, are fixed. The common
option codes are 3, 6, 15, 44, 46, 50 to 54, 57 to 59, 82, and 119. If you attempt to set one of these
values, the system prompts that resetting the value is not allowed.
The option command enables DHCPv4 response packets to carry specific options.
Before using this command, you need to know the function of each option. Option 77 identifies the
client types or applications of DHCPv4 clients. Based on the User Class value in the Option field, the
DHCPv4 server selects a proper address pool and configuration parameters. Option 77 is commonly
configured on the client.

7.4.7 (Optional) Configuring Address Protection
Address protection is implemented in special circumstances by locking an IP address pool,
excluding an IP address or an IP address segment, setting a conflict flag, or reclaiming an IP
address.

Context
Methods of protecting addresses in an address pool are as follows:
- Locking the IP address pool
You can lock an IP address pool by running commands. When an IP address pool is
locked, IP addresses in the address pool cannot be assigned to users.
This method is used when the address pool needs to be deleted but there are users using
IP addresses in the address pool. If you lock the address pool, no more IP addresses will
be assigned. After all users log out and the occupied IP addresses are released, you can
delete the address pool.
- Excluding the IP address
You can use this method on a complex network to exclude certain IP addresses.
- Reclaiming the IP address
If an IP address in the address pool is in the Occupied state but no user is using it, you
can reclaim the IP address by running the related command.
Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip pool pool-name [ bas { local | remote } | server ]
An IP address pool is created and the IP address pool view is displayed.

Step 3 Run lock

The address pool is locked.

Or run excluded-ip-address start-ip-address [ end-ip-address ]:

An IP address or an address segment is excluded.

NOTE

This command is required when you configure static IP addresses.

Or run recycle start-ip-address [ end-ip-address ]:

An IP address or an address segment is reclaimed.

Step 4 Run commit

The configuration is committed.

----End

7.4.8 (Optional) Configuring a Constant Index for an IPv4 Address Pool
By default, the IPv4 address pool, IPv6 prefix pool, and IPv6 address pool do not have
constant indexes. The indexes for these pools automatically change after the device where
these pools reside restarts. After a device where IP pools reside restarts, the NMS loses all IP
pool statistics and can no longer monitor these IP pools. This problem can be solved by
configuring constant indexes for IP pools.

Context
After the ip-pool constant-index enable command is used, the index of the IPv4 address
pool, IPv6 prefix pool, or IPv6 address pool does not change after the device restarts. The
constant-index index command is automatically generated in the views of all the IPv4
address pools, IPv6 prefix pools, and IPv6 address pools configured on the device for users to
check the constant index value. But the constant-index command cannot be used to change
the automatically generated constant index for an IP pool.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ip-pool constant-index enable

The constant index function is enabled for IPv4 address pools, IPv6 prefix pools, and IPv6
address pools.

Step 3 Run commit

The configuration is committed.

----End

7.4.9 (Optional) Allocating IP Addresses Based on Option60 Values
When there is no relay device between a DHCP client and a DHCP server, the DHCP server
allocates different network segments and VPN addresses based on Option 60 values carried in
user packets.

Context
Perform the following steps on the Router.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcp server base-option60 enable
A network-side DHCP server is enabled to allocate IP addresses based on Option 60 values.
Step 3 Run ip pool pool-name server
An address pool is created and the address pool view is displayed.
Step 4 Run client-option60 option60-value
Option 60 values carried in user packets in a specified address pool are configured.

NOTE
- After the command is used, the address pool allocates IP addresses only when the Option 60 value
specified by option60-value matches the Option 60 value carried in user packets.
- The command can only be configured in the address pool on the DHCP server.

Step 5 Run commit
The configuration is committed.

----End

7.4.10 (Optional) Locking an IP Address Pool
This section describes how to lock an IP address pool so that the address pool cannot be used
to assign IP addresses to new users.

Context
An IP address pool with an in-use IP address cannot be deleted. Therefore, configure the drain
function to lock the address pool before you delete the address pool. After an IP address pool
is locked using the lock drain command, DHCP Request messages for lease renewal from
online users will be discarded. The address pool can be deleted after all online users using the
address pool go offline upon lease expiry. If you only need to disable an IP address pool so
that the address pool will not be used to assign IP addresses to new users but online users can
still use assigned IP addresses, configure the lock function to lock the address pool using the
lock command.
Perform the following steps on the Router.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip pool pool-name [ bas { local | remote } ]
The IP address pool view is displayed.
Step 3 Perform either of the following configurations as needed:
- Configure the drain function to lock the address pool.
a. Run lock drain
The IP address pool is locked so that the address pool cannot be used to assign IP
addresses to new users and Request messages for lease renewal from online users
using the address pool are discarded.
b. Run commit
The configuration is committed.
- Configure the lock function to lock the address pool.
a. Run lock
The IP address pool is locked so that the address pool cannot be used to assign IP
addresses to new users but Request messages for lease renewal from online users
can still be processed.
b. Run commit
The configuration is committed.

----End

7.4.11 Configuring an Address Pool Group
An address pool group is a set of address pools sharing specified attributes. An address pool
group simplifies configuration in some situations.

Context
An address pool group can be created if either of the following conditions is met:
- Multiple domains share some address pools.
- A RADIUS server is able to deliver address pool names.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip pool-group group-name [ bas ]
An address pool group is created and the address pool group view is displayed.
Step 3 (Optional) Run vpn-instance vpn-instance-name
An address pool group is bound to a VPN instance.

The address pool group and its address pools must be bound to the same VPN instance.
The address pool group in a domain and the domain must be bound to the same VPN instance.
Step 4 (Optional) Run ip-attribute public
The public network attribute is configured for an IP address pool or an IP address pool group.
After the configuration is complete, the IP address pool or the IP address pool group is used
for the calculation of public IP address pool status.
To use the public IP address pool for the calculation of public IP address pool status, run the
ip-pool usage-status threshold command to configure the upper and lower thresholds for IP
address pool usage in a domain to calculate public IP address pool status.
The ip-attribute public command takes effect only on local address pools.
Step 5 Run ip-pool pool-name
An address pool is added to an address pool group.
Step 6 (Optional) Run quit
Return to the system view.
Step 7 (Optional) Run warning-exhaust
The address exhaustion alarm function is enabled for the address pool group.
After this command is executed, the system generates an address exhaustion alarm when IP
addresses in the address pool group are exhausted, prompting the administrator to plan the IP
addresses. When IP addresses in the address pool group are exhausted, users cannot go online.
When IP address usage of the address pool group falls below 90%, the address exhaustion
alarm is cleared.
Step 8 Run commit
The configuration is committed.

----End

Follow-up Procedure
You can run the ip-pool-group group-name [ move-to new-position ] command in AAA
domain view to bind an address pool group to a domain.

7.4.12 Specifying an IPv4 Address Pool for a Domain
An IPv4 address pool configured for a domain is used to assign IPv4 addresses to all users in
this domain.

Context
The IPv4 address pool for a domain can be a local or remote address pool.
A maximum of 1024 IPv4 address pools can be specified for a domain, and one IPv4 address
pool can be used for multiple domains. The IPv4 address pools configured for a domain can
be moved. The range in which the IPv4 address pool can be moved is associated with the
number of address pools configured in the domain. For example, if 10 address pools are
configured in the domain, the address pool can move in the range between 1 and 10.

Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run ip-pool pool-name [ move-to position ]
IPv4 address pools are specified for the domain.
Step 5 (Optional) Run ip-pool-group group-name
Configurations of the IP address pool group are displayed.
Step 6 Run commit
The configuration is committed.

----End

7.4.13 (Optional) Configuring the Thresholds for Public IP Address Pool Usage in a Domain
This section describes how to configure the upper and lower thresholds for public IP address
pool usage in a domain to calculate public IP address pool status, which is sent to a Remote
Authentication Dial-In User Service (RADIUS) server.

Context
A domain has public and private network users. A Broadband Remote Access Server (BRAS)
sends public IP address pool status to a RADIUS server. The RADIUS server determines
whether a user is a public or private network user based on user information and the public IP
address pool status. The RADIUS server then sends the corresponding user group name and
IP address pool name or IP address pool group name to the BRAS. The BRAS determines
whether the user is a public or private network user based on the received user group name
and assigns an IP address to the user from the received IP address pool or IP address pool
group.
Perform the following steps on the NE40E.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.

Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run ip-pool usage-status threshold low low-threshold high high-threshold
The upper and lower thresholds are configured for public IP address pool usage in an AAA
domain to calculate public IP address pool status, which is sent to a RADIUS server.

NOTE
This command needs to be used with the ip-attribute public command.
In IP address pool view or IP address pool group view, run the ip-attribute public command to
configure the public network attribute of an IP address pool or an IP address pool group. After the
configuration is complete, the IP address pool or the IP address pool group is used for the calculation of
public IP address pool status.

Step 5 Run commit
The configuration is committed.

----End

7.4.14 Verifying the Configuration of the IPv4 Address Pool and Address Pool Group
After configuring IP address pools, you can view the configurations of all IP address pools or
a specified IP address pool.

Prerequisites
An IP address pool has been configured.

Procedure
- Run the display ip pool [ name pool-name [ section-num [ start-ip-address
[ end-ip-address ] ] | all | used ] ] [ vpn-instance instance-name ] command to check the
configuration of the IP address pool.
- Run the display ip pool-group [ name group-name ] [ vpn-instance instance-name ]
command to check IP address pool configurations.
- Run the display ip-pool pool-usage [ domain dname | pool-name [ pool-name ]]
command to check the usage of the address pool of every domain.
- Run the display ip-pool max-ratio domain command to check IP address pool usage in
all domains on the device.
- Run the display ip-pool pool-usage { upper-threshold | lower-threshold | all-threshold }
command to check information about domains whose IP address pool usage
exceeds a specified threshold.
----End

Example
Run the display ip pool command, and you can view information about all the address pools
configured in the system.
<HUAWEI> display ip pool

-----------------------------------------------------------------------
Pool-Name : huawei
Pool-No : 0
Pool-constant-index: -
Position : Local Status : Unlocked
RUI-Flag : -
Gateway : 10.16.16.1 Mask : 255.255.255.0
Vpn instance : -- Unnumbered gateway: -
IP address Statistic
Total :4
Used :0 Free :4
Conflicted :0 Disable :0
Designated :0 Gateway :0
Ratio :0%
Isolated :0

-----------------------------------------------------------------------
Pool-Name : test
Pool-No : 1
Pool-constant-index: -
Position : Local Status : Unlocked
RUI-Flag : -
Gateway : 10.15.15.1 Mask : 255.255.255.0
Vpn instance : -- Unnumbered gateway: -
IP address Statistic
Total :9
Used :0 Free :9
Conflicted :0 Disable :0
Designated :0 Gateway :0
Ratio :0%
Isolated :0

IP address pool Statistic
Local :2 Remote :0 Server :0

IP address Statistic
Total :13
Used :0 Free :13
Conflicted :0 Disable :0
Designated :0 Gateway :0
Ratio :0%
Isolated :0
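As an added example (not Huawei's code), the following Python parses a listing in the format shown above and applies the warning-threshold (default 80%) and warning-exhaust (cleared below 90%) rules from the address pool procedure earlier in this chapter, so an operator can check pool state from saved display output; the sample listing is constructed, and the parsing regex and alarm helper names are this example's own.

```python
"""Parse display ip pool output and evaluate address-pool usage alarms.

Added example, not Huawei code: it models the warning-threshold (default 80%)
and warning-exhaust (cleared below 90%) behaviour described in this chapter over
a constructed listing shaped like the display ip pool output above.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the display ip pool output above; the pool
# "test" is shown filled to exhaustion and locked for the demonstration.
SAMPLE_OUTPUT = """\
-----------------------------------------------------------------------
Pool-Name : huawei
Position : Local Status : Unlocked
IP address Statistic
Total :4
Used :0 Free :4
Conflicted :0 Disable :0
Ratio :0%
-----------------------------------------------------------------------
Pool-Name : test
Position : Local Status : Locked
IP address Statistic
Total :9
Used :9 Free :0
Conflicted :0 Disable :0
Ratio :100%

IP address pool Statistic
Local :2 Remote :0 Server :0
Total :13
"""

# "Key : value" pairs; several pairs can share one line ("Used :0 Free :4").
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z -]*?)\s*:\s*(\S+)")
DEFAULT_WARNING_THRESHOLD = 80  # warning-threshold default, in percent
EXHAUST_CLEAR_BELOW = 90        # warning-exhaust alarm is cleared below this usage


@dataclass
class PoolStats:
    name: str
    position: str   # Local, Remote or Server
    status: str     # Locked or Unlocked
    total: int
    used: int
    free: int
    conflicted: int

    @property
    def usage_percent(self) -> float:
        return 0.0 if self.total == 0 else 100.0 * self.used / self.total


def parse_display_ip_pool(text: str) -> list:
    """Return one PoolStats per pool block of the listing.

    The trailing "IP address pool Statistic" summary is cut off first: no dashed
    line separates it from the last pool, so its counters would overwrite that pool's.
    """
    body = text.split("IP address pool Statistic", 1)[0]
    pools = []
    for block in re.split(r"^-{5,}\s*$", body, flags=re.M):
        f = dict(FIELD_RE.findall(block))
        if "Pool-Name" not in f:
            continue
        pools.append(PoolStats(f["Pool-Name"], f["Position"], f["Status"],
                               int(f["Total"]), int(f["Used"]), int(f["Free"]),
                               int(f["Conflicted"])))
    return pools


def usage_alarm(pool: PoolStats, threshold: int = DEFAULT_WARNING_THRESHOLD) -> bool:
    """True when pool usage exceeds the warning-threshold value."""
    return pool.usage_percent > threshold


def exhaust_alarm_state(pool: PoolStats, alarm_active: bool) -> bool:
    """Advance the warning-exhaust alarm by one polling round: raised when no free
    address is left, cleared only once usage is below 90% (so 95% keeps it)."""
    if pool.total > 0 and pool.free == 0:
        return True
    if alarm_active and pool.usage_percent < EXHAUST_CLEAR_BELOW:
        return False
    return alarm_active


def report(pools: list, active_alarms: dict = None) -> dict:
    """Map each pool name to the findings an operator would want flagged."""
    active_alarms = active_alarms or {}
    findings = {}
    for p in pools:
        notes = []
        if p.status != "Unlocked":
            notes.append("locked: no new assignments")
        if usage_alarm(p):
            notes.append(f"usage {p.usage_percent:.0f}% above threshold")
        if exhaust_alarm_state(p, active_alarms.get(p.name, False)):
            notes.append("address exhaustion alarm")
        findings[p.name] = notes
    return findings
```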

Run the display ip pool [ name pool-name [ section-num [ start-ip-address
[ end-ip-address ] ] | all | used ] ] [ vpn-instance instance-name ] command, and you can view
detailed information about the specified address pool.
<HUAWEI> display ip pool name huawei
Pool-Name : huawei
Pool-No : 2
Pool-constant-index: -
Lease : 3 Days 0 Hours 0 Minutes
Frameip-Lease-Manage: disable
NetBios Type : N-Node
Auto recycle : 30
Force-reply Option: 38 45
Option 3 : Enable
DNS-Suffix : -
Dom-Search-List0: -
Dom-Search-List1: -
Dom-Search-List2: -
Dom-Search-List3: -
Option-Code 125 : enterprise-code : 2011, string: -
Position : Local Status : Unlocked
RUI-Flag : -
Attribute : Private
Gateway : 10.16.16.1 Mask : 255.255.255.0
Vpn instance : -- Unnumbered gateway: -

Profile-Name : - Server-Name : -
UNR-Tag : 123
Total Idle : 4 Have Dhcp IP : 1
Timeouts : 0
Timeout Count : 0 Sub Option Count : 0
Option Count : 0 Force-reply Count: 2
Loading-share : Enable Weight : 5
Codes: CFLCT(conflicted) Wait-Request-Time: --
IP Loose Check : 1 Blocked Times : 0

-----------------------------------------------------------------------------------------
ID  start        end          total  used  idle  CFLCT  disable  reserved  static-bind
-----------------------------------------------------------------------------------------
0   10.16.16.2   10.16.16.5   4      0     4     0      0        0         0
-----------------------------------------------------------------------------------------

Run the display ip pool-group [ name group-name ] [ vpn-instance instance-name ] command to
check IP address pool configurations.
<HUAWEI> display ip pool-group
-----------------------------------------------------------------------------
Pool-Group name : ty
Index : 0 Vpn instance : -
Bind pool : 1 Bound by domain : 0
Attribute :Private
IP address Statistic
Total :65534
Used :0 Free :65534
Conflicted :0 Disable :0
Designated :0 Ratio :0%
-----------------------------------------------------------------------------

Total: 1

Run the display ip-pool max-ratio domain command to view IP address pool usage in all
domains on the device.
<BASE_VNFC1> display ip-pool max-ratio domain
--------------------------------------------------------------------
Domain name Current Max Time
--------------------------------------------------------------------
default0 0 0 -
default1 0 0 -
default_admin 0 0 -
ppp 2% 10% 2012-08-07 15:28:30
isp1 9% 19% 2012-08-07 14:32:40
isp2 0 0 -
test1 0 0 -
test2 0 0 -
isp 0 0 -
--------------------------------------------------------------------

Run the display ip-pool pool-usage { upper-threshold | lower-threshold | all-threshold }
command to view information about domains whose IP address pool usage exceeds a
specified threshold.
<BASE_VNFC1> display ip-pool pool-usage all-threshold
-------------------------------------
Domain name PoolLen Used Ratio
-------------------------------------------
Lsh(up) 10 9 90%
Isp(up) 10 9 90%
Test(low) 10 0 0%
------------------------------------------

7.5 Configuring a DHCPv4 Server Group
A DHCPv4 server group is required only when a remote address pool is used to assign IP
addresses to users that use a BAS interface for access.

Usage Scenario
The NE40E can be used as a DHCPv4 server to assign IP addresses to users. A remote
DHCPv4 server can also be used with the NE40E functioning as a DHCPv4 relay agent to
assign IP addresses to users.

When IP addresses are allocated by a remote DHCPv4 server, you need to configure the IP
address of the remote DHCPv4 server on the NE40E. This allows the NE40E to communicate
with the DHCPv4 server. The NE40E manages DHCPv4 servers by using DHCPv4 server
groups.

NOTE

A DHCPv4 server group is required only when the remote address pool is used to assign IP addresses to
BAS-side users.

Pre-configuration Tasks
None.

7.5.1 Creating a DHCPv4 Server Group
DHCPv4 servers can work in load balancing, master/backup, or polling mode.

Context
Perform the following steps on the Router:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dhcp-server group group-name

A DHCPv4 server group is created and the DHCPv4 server group view is displayed.

Step 3 Run dhcp-server ip-address [ vpn-instance vpn-instance ] [ weight weight-value ]

A DHCPv4 server is configured.

A master DHCPv4 server and seven backup DHCPv4 servers can be configured in a DHCPv4
server group.

Step 4 (Optional) Run dhcp-server algorithm { loading-share | master-backup | polling [ check-loose ] }
The algorithm for selecting DHCPv4 servers is set.

When there are two servers in a DHCPv4 server group, you can specify load balancing,
master/backup, or polling as the algorithm for selecting DHCPv4 servers.
- Load balancing: The NE40E distributes the load according to the weights of the servers.
- Master/backup: The NE40E uses one server as the master server and the other as the
backup server.
- Polling: The NE40E sends request packets to all servers and selects the server that
receives the packets first. Subsequent packets are sent only to the selected server, except
the discover and select request packets.
Step 5 (Optional) Run release-agent
The DHCPv4 release agent function is configured.
With the DHCPv4 release agent function, the NE40E, instead of the user, sends a DHCPv4
release packet to the DHCPv4 server when the user goes offline.
Step 6 (Optional) Run dhcp rebind forward-mode all
The NE40E is configured to send DHCP Rebind packets to all DHCPv4 servers in a DHCPv4
server group.

Step 7 (Optional) Run dhcp-server giaddr { interface interface-type interface-number | ip-address [ vpn-instance vpn-instance ] } [ forward-rui-slave ]
The GiAddr address of packets sent by a DHCPv4 server group is configured.
Step 8 Run quit
Return to the system view.
Step 9 (Optional) Run access user-ip-address trust dhcp-server user-type ppp
The device is enabled to perform loose check on IP addresses assigned by a server when a
remote address pool is used to assign IP addresses to PPP and L2TP users.
Step 10 (Optional) Run dhcp-server [ ip-address [ vpn-instance vpn-instance ] ] { dead-count dead-count | timeout timeout-value | dead-time dead-time }*
The maximum number of times that the DHCPv4 server may fail to send response packets
is set. After the number of times specified by dead-count is exceeded, the DHCPv4 server is
set to Down.
The command is used to reduce the number of status (Up/Down) switchovers of a DHCPv4
server on the live network. If the command is configured, the DHCPv4 server goes Down
only after the number of times that the DHCPv4 server fails to send response packets
exceeds the specified value.
Step 11 (Optional) Run dhcp-server [ ip-address [ vpn-instance vpn-instance ] ] nak-count nak-count-value
The maximum number of times that the Router receives NAK packets is set. After the
number of times specified by nak-count is exceeded, the DHCPv4 server is set to Down.

Step 12 (Optional) Run dhcp option-82 agent-remote-id strip


The Router is enabled to delete the remote-id sub-attribute encapsulated into the Option 82
attribute of a received DHCP Request message.


Step 13 Run commit

The configuration is committed.

----End
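The server-selection and Up/Down behaviour described in Steps 3, 4, 10 and 11, modelled as an added Python example (not NE40E code). It assumes that dead-time is a hold-down period after which a Down server is tried again and that a weight of 0 counts as 1 under load balancing; the IP addresses and timeline are constructed.

```python
"""DHCPv4 server-group model following 7.5.1 (added example, not NE40E code).
A server is set to Down once non-responses exceed dead-count or NAKs exceed
nak-count (the guide's wording). Assumed: dead-time is a hold-down in seconds
during which a Down server is skipped; weight 0 counts as 1 in loading-share."""
from dataclasses import dataclass
from typing import List, Optional

MAX_SERVERS = 8  # one master plus seven backups per group (Step 3)


@dataclass
class DhcpServer:
    ip: str
    weight: int = 0       # loading-share share (0 is the sample-output value)
    dead_count: int = 0   # 0, as in the sample output: one timeout sets Down
    nak_count: int = 10   # value shown in the sample display output
    dead_time: int = 180  # 3(Min) in the sample output; hold-down (assumed)
    status: str = "UP"
    timeouts: int = 0
    naks: int = 0
    down_since: int = 0

    def _set_down(self, now: int) -> None:
        self.status, self.down_since = "DOWN", now
        self.timeouts = self.naks = 0

    def on_timeout(self, now: int) -> None:
        """No reply: Down only once the count *exceeds* dead-count (Step 10)."""
        self.timeouts += 1
        if self.timeouts > self.dead_count:
            self._set_down(now)

    def on_nak(self, now: int) -> None:
        """NAK received: Down once the count exceeds nak-count (Step 11)."""
        self.naks += 1
        if self.naks > self.nak_count:
            self._set_down(now)

    def is_up(self, now: int) -> bool:
        if self.status == "DOWN" and now - self.down_since >= self.dead_time:
            self.status = "UP"  # hold-down expired: eligible again
        return self.status == "UP"


class DhcpServerGroup:
    def __init__(self, name: str, algorithm: str = "master-backup") -> None:
        if algorithm not in ("loading-share", "master-backup", "polling"):
            raise ValueError(f"unknown algorithm {algorithm!r}")
        self.name, self.algorithm = name, algorithm
        self.servers: List[DhcpServer] = []
        self._cursor = 0  # loading-share round-robin position
        # polling: set this to the server whose reply arrived first
        self.selected: Optional[DhcpServer] = None

    def add_server(self, server: DhcpServer) -> None:
        if len(self.servers) >= MAX_SERVERS:
            raise ValueError("group already holds a master and seven backups")
        self.servers.append(server)

    def select(self, now: int, msg: str = "request") -> List[DhcpServer]:
        """Server(s) a client message is forwarded to; [] when all are Down."""
        up = [s for s in self.servers if s.is_up(now)]
        if not up:
            return []
        if self.algorithm == "master-backup":
            return [up[0]]  # configured order: master first, then the backups
        if self.algorithm == "polling":
            # discover/select go to every server, the rest to the first responder
            if msg in ("discover", "select") or self.selected not in up:
                return up
            return [self.selected]
        weights = [max(s.weight, 1) for s in up]  # loading-share: weighted RR
        slot, self._cursor = self._cursor % sum(weights), self._cursor + 1
        for server, w in zip(up, weights):
            if slot < w:
                return [server]
            slot -= w


def failover_demo() -> List[str]:
    """Master/backup, dead-count 2: three misses fail over, dead-time restores."""
    grp = DhcpServerGroup("remote")
    master = DhcpServer("10.1.1.10", dead_count=2, dead_time=180)
    grp.add_server(master)
    grp.add_server(DhcpServer("10.1.1.11"))
    chosen = []
    for t in (0, 1, 2):  # constructed timeline, seconds
        chosen.append(grp.select(t)[0].ip)
        master.on_timeout(t)  # the third miss exceeds dead-count
    chosen.append(grp.select(3)[0].ip)  # backup while the master is Down
    chosen.append(grp.select(3 + 180)[0].ip)  # hold-down over: master again
    return chosen


def share_demo() -> List[str]:
    grp = DhcpServerGroup("g1", "loading-share")
    grp.add_server(DhcpServer("10.1.1.10", weight=3))
    grp.add_server(DhcpServer("10.1.1.11", weight=1))
    return [grp.select(0)[0].ip for _ in range(4)]
```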

7.5.2 Associating the IP Address Pool and the DHCPv4 Server Group
Only the remote IP address pool needs to be associated with the DHCPv4 server group.

Context
Perform the following steps on the Router:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ip pool pool-name bas remote

The remote address pool view is displayed.

Step 3 Run dhcp-server group group-name

The address pool is associated with a DHCPv4 server group.

Step 4 (Optional) Run remote-ip lease manage

The lease management function is enabled for the remote address pool.

If some clients do not respond to ARP probe packets sent by the Router, ARP probe is
disabled on access interfaces on the Router. In this case, if a client is powered off or has gone
offline unexpectedly, the Router cannot sense that the client is offline, because the client does
not send any Release packet. As a result, the IP address used by the user cannot be released
from the remote address pool. To prevent this problem, enable the lease management function
for the remote address pool.

NOTE
If destination IP addresses of lease packets sent by a DHCP server to users are user IP addresses instead
of gateway IP addresses, do not enable the lease management function for the remote address pool.
Because the Router directly forwards these packets to users without updating the leases, users will go
offline after the leases expire.

Step 5 Run commit

The configuration is committed.

----End

7.5.3 Verifying the DHCPv4 Server Group Configuration


After configuring DHCPv4 server groups, you can view the configurations of all DHCPv4
server groups.


Prerequisites
DHCPv4 server groups have been configured.

Procedure
- Run the display dhcp-server group [ group-name ] command to check the
configuration of the DHCPv4 server group.
----End

Example
Run the display dhcp-server group command, and you can view information about all
DHCPv4 server groups.
<HUAWEI> display dhcp-server group
Group-Name : remote
Release-Agent : Support
Primary-Server : -
Vpn instance : --
Weight : 0
Status : -
Secondary-Server : -
Vpn instance : --
Weight : 0
Status : -
Algorithm : master-backup
Source : --
Giaddr : --
Rebind forward mode : all
Group-Name : g1
Release-Agent : Support
Primary-Server : -
Vpn instance : --
Weight : 0
Status : -
Secondary-Server : -
Vpn instance : --
Weight : 0
Status : -
Algorithm : master-backup
Source : --
Giaddr : --
2 DHCP server group(s) in total

7.6 Configuring DHCPv4 Proxy


Usage Scenario
To protect the DHCPv4 server, you need to enable DHCPv4 proxy so that the DHCPv4 packets
sent from the NE40E to a user do not carry the DHCPv4 server IP address.
DHCPv4 proxy can be used in the scenario shown in Figure 7-3.
- The DHCPv4 server receives DHCPv4 Discovery and Request packets that are forwarded
by the NE40E and carry the IP address of the NE40E as the source address.
- The user receives the DHCPv4 Offer packet with the IP address of the NE40E as the
source address and obtains an IP address allocated by the DHCPv4 server to access the
network.


Figure 7-3 Networking diagram of DHCPv4 proxy

[Diagram not reproduced. Elements shown: subscriber@isp2, the access network, DeviceA,
the Internet, and the DNS server, DHCP server, and RADIUS server.]

Pre-configuration Tasks
7.5 Configuring a DHCPv4 Server Group

7.6.1 Enabling DHCPv4 Proxy


To protect the DHCPv4 server, you need to enable DHCPv4 proxy so that the DHCPv4 packets
sent from the NE40E to a user do not carry the DHCPv4 server IP address.

Context
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
Step 3 Run bas
A BAS interface is created and the BAS interface view is displayed.
Step 4 Run access-type layer2-subscriber [ default-domain { [ authentication [ force | replace ]
dname ] [ pre-authentication predname ] } ]
The access type is set to Layer 2 subscriber access and the attributes of this access type are
configured.
Step 5 Run dhcp-proxy enable


DHCP proxy is enabled.

NOTE

- Currently, DHCPv4 proxy applies only to the BAS remote address pool. A configuration
change does not take effect on online users.
- DHCPv4 proxy can also be used for Layer 2 users or Layer 2 leased line users.

Step 6 (Optional) Run dhcp lease-proxy [ lease-time ]


DHCP lease proxy is enabled on the BAS interface, and a proxy lease is specified.

NOTE

Using shorter proxy leases can accelerate the identification of client or link faults. However, users renew
their leases more frequently, increasing the processing load of the device. To balance the conflict
between fault detection and processing load, run the dhcp lease-proxy first-step second-step command
to enable DHCP lease proxy with step-based proxy leases.

Step 7 (Optional) Run dhcp lease-proxy renew-packet through-time time-value


The maximum number of times that the client of a lease proxy user sends lease renewal packets
to the DHCP server before the original T1 (1/2 of the lease) or T2 (7/8 of the lease) time
arrives is configured.
Step 8 Run commit
The configuration is committed.

----End

7.7 Adjusting DHCPv4 Service Parameters


You can adjust DHCPv4 service parameters to enhance the security of the DHCPv4 service.

Usage Scenario
After configuring a DHCPv4 server, you need to configure the security function of the
DHCPv4 service. This enhances security of the DHCPv4 service and prevents other
unauthorized DHCPv4 servers from assigning invalid IP addresses to clients. By viewing
logs, the administrator determines whether there are unauthorized DHCPv4 servers assigning
invalid IP addresses to clients.

Pre-configuration Tasks
Before adjusting DHCPv4 parameters, complete the following task:
- Configuring a DHCPv4 server

7.7.1 (Optional) Configuring Global DHCPv4 Parameters


Global DHCPv4 parameters include the maximum number of DHCPv4 access users allowed
for a specified board and the limit on the packet transmission rate of a DHCPv4 server group.

Context
Perform the following steps on the Router:


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dhcp slot-id max-sessions user-number

The maximum number of DHCPv4 access users allowed for a specified board is set.

Step 3 Run dhcp check-client-packet strict

The Router is enabled to strictly check packets received from DHCP clients.

Step 4 Run dhcp-server ip-address [ vpn-instance vpn-instance ] send-discover-speed packet-number time

The limit on the packet transmission rate of a DHCPv4 server group is set.

Step 5 Run dhcp server identifier dest-ip

The destination IP address of a packet forwarded by a DHCP relay is set as the identifier of
the DHCP server.

After the dhcp server identifier dest-ip command is configured, the DHCP response packet
forwarded by the NE40E carries the destination IP address of the request packet as the DHCP
server identifier.

The command only applies to a scenario in which the NE40E is the non-first PE router and
functions as the DHCP server.

Step 6 Run dhcp request-ip-address check { enable | disable }

Checking of DHCP request packets that carry the Option 50 field is enabled or disabled.

After a user sends a DHCP request packet with Option 50, the NE40E authenticates the user. If
the requested IP address has been assigned to another user, the NE40E replies with a NAK
packet to the user. If a large number of users resend DHCP Discover packets to apply for IP
addresses, the NE40E authenticates the users again, causing high CPU usage. To resolve this
problem, run the dhcp request-ip-address check enable command to enable checking of DHCP
request packets that carry the Option 50 field. After that, if the requested IP addresses have
been assigned to other users, the NE40E replies with NAK packets without authenticating the
users again. In this manner, high CPU usage is prevented.

Step 7 Run access-line-id attach

The BRAS is enabled to send Option 82 information to the RADIUS server if user packets do
not carry the Option 82 field or the BRAS does not trust the Option 82 field in user packets.

Step 8 (Optional) Run dhcp rebind no-user action keep-silence

The device is disabled from sending a NAK message in response to a client's DHCP Rebind
message if no corresponding user entry exists on the device.

Step 9 (Optional) Run dhcp rebind no-user action nak server-ip server-ip

The device is enabled to send a NAK message in response to a client's DHCP Rebind
message if no corresponding user entry exists on the device.

Step 10 Run commit


The configuration is committed.

----End

7.7.2 Configuring a DHCP Option


DHCP provides a framework for parameter transmission over the TCP/IP network. The
DHCP client and the server can transmit the negotiated parameters and the control
information to each other through the option codes.

Context
When a terminal device, such as the set-top box of a digital TV, accesses the network, the
NE40E cannot identify its domain from its user name. Therefore, the NE40E cannot
allocate an IP address to the device. In this case, the terminal device uses Option 60 to carry
the domain information when initiating the DHCP request. After receiving the DHCP request,
the NE40E allocates an IP address to the device according to the domain information
contained in Option 60.
Option 121 allows a DHCP server to allocate static routes to DHCP clients.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcp option-60 [ cn | [ offset offset ] { length length | sub-option sub-option-code [ sub-offset sub-offset ] [ sub-length sub-length ] } ] { domain-included | included-in-domain } { exact-match | partial-match } [ encrypt ]
The Option 60 attribute is set for DHCP packets. This attribute allows the device to allocate
IP addresses from the corresponding address pool based on the domain name. Option 60 can
be configured to contain the domain name, and either partial match or exact match of the
domain name can be configured. You can specify encrypt to encrypt the Option 60 attribute.
If user domain information is obtained from the vendor-class information, the character string
following the domain name delimiter (@ by default) in the vendor-class field is used as the
domain name. If there is no domain name delimiter in the field, the NE40E performs a partial
(fuzzy) or exact match of the domain name information based on the configured mode. If no
user domain information is obtained from the vendor-class information, the NE40E performs
the following procedure to continue searching for it, stopping as soon as user domain
information is obtained:
1. Check whether the dhcp option-60 command is configured in the system view. If it is,
obtain user information from the command configuration.
2. Use the authorization domain configured on the BAS interface as the user domain.
Step 3 Run aaa
The AAA view is displayed.
Step 4 Run domain domain-name
A domain is created and the domain view is displayed.
Step 5 Run dhcp option121 route ip-address mask-length gateway-address


Static routes are allocated to domain users.


Step 6 Run commit
The configuration is committed.

----End

7.7.3 (Optional) Configuring the Format for Encapsulating the Option 82 Attribute into DHCP Messages
This section describes how to enable a device to insert Sub-option 2 (remote ID) into the
Option 82 attribute or replace Sub-option 2 carried in the Option 82 attribute of a message to
be sent to the DHCP server based on a fixed format.

Context
When IP addresses are assigned from a remote address pool to Layer 2 access users, the
DHCP server identifies a carrier based on the remote ID carried in the Option 82 attribute of a
DHCP message. Therefore, you need to configure a device to insert Sub-option 2 (remote ID)
into the Option 82 attribute or replace Sub-option 2 carried in the Option 82 attribute of a
message to be sent to the DHCP server based on a fixed format. Self-defined character strings
can be encapsulated into Sub-option 2.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
Step 3 Run bas
The BAS interface view is displayed.
Step 4 Configure the format for encapsulating the Option 82 attribute into DHCP messages. Perform
the following steps as required. The following commands are mutually exclusive.
- Run dhcp option82 rebuild version3 send-to-server [ remote-id { neba | vula } ]
The device is enabled to encapsulate the Option 82 attribute into a message to be sent to
the DHCP server in a fixed format. In this format, self-defined contents cannot be
encapsulated into the Option 82 attribute.
The dhcp option82 rebuild version3 send-to-server command has a higher priority
than the dhcp option-82 agent-remote-id strip command.
- Run dhcp option82 rebuild version4 send-to-server
The device is enabled to encapsulate the Option 82 attribute in the format of
sysname:interface-name:svlan-cvlan into a message to be sent to the DHCP server.
- Run dhcp option82 rebuild self-define { circuit-id circuit-id-value | out-vlan out-vlan-value | inner-vlan inner-vlan-value | remote-id remote-id-value } * send-to-server
The device is enabled to encapsulate the Option 82 attribute into a message to be sent to
the DHCP server based on the fixed OSP format. In this format, self-defined contents
can be encapsulated into the Option 82 attribute.


NOTE

The dhcp option82 rebuild send-to-server command takes effect only after DHCP proxy is enabled on
the BAS interface.

----End
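The option parsing behind Step 2 of 7.7.2 (Option 60 domain selection) and the Option 82 remote-id handling of 7.7.3 and Step 12 of 7.5.1, as an added Python example (not NE40E code). It assumes that domain-included means a configured domain name appears inside the Option 60 string and included-in-domain the reverse, and that the version4 string is carried in the remote-id sub-option; the sample options are constructed.

```python
"""DHCPv4 option handling from 7.7.2 (Option 60 domain selection) and from
7.7.3 / 7.5.1 Step 12 (Option 82 remote-id). Added example, not NE40E code.
Assumed: domain-included means a configured domain appears inside the Option 60
string, included-in-domain the reverse; version4 text goes in the remote-id."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OPT_PAD, OPT_END = 0, 255
OPT_VENDOR_CLASS, OPT_RELAY_AGENT = 60, 82  # Option 60, Option 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2        # Option 82 sub-options


def parse_tlv(buf: bytes, top_level: bool = True) -> List[Tuple[int, bytes]]:
    """Decode code/length/value items. PAD and END exist only at the option
    level, not inside Option 82. A truncated length raises instead of guessing."""
    items, i = [], 0
    while i < len(buf):
        code = buf[i]
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if top_level and code == OPT_END:
            break
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"truncated option {code} at offset {i}")
        length = buf[i + 1]
        items.append((code, buf[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def encode_tlv(items: List[Tuple[int, bytes]]) -> bytes:
    out = b""
    for code, value in items:
        if len(value) > 255:
            raise ValueError(f"option {code} value too long")
        out += bytes([code, len(value)]) + value
    return out


@dataclass
class Option60Rule:
    """`dhcp option-60 [ offset ] [ length ] { domain-included | included-in-domain }
    { exact-match | partial-match }` as modelled here; delimiter defaults to @."""
    offset: int = 0
    length: Optional[int] = None
    mode: str = "domain-included"
    match: str = "exact-match"
    delimiter: str = "@"


def domain_from_option60(vendor_class: bytes, rule: Option60Rule,
                         domains: List[str]) -> Optional[str]:
    end = None if rule.length is None else rule.offset + rule.length
    text = vendor_class[rule.offset:end].decode("ascii", "replace")
    if rule.delimiter in text:  # the string after the delimiter is the domain
        return text.split(rule.delimiter, 1)[1]
    for dom in domains:  # no delimiter: exact or partial match as configured
        if rule.match == "exact-match":
            hit = text == dom
        elif rule.mode == "domain-included":
            hit = dom in text
        else:
            hit = text in dom
        if hit:
            return dom
    return None


def select_user_domain(options: bytes, rule: Optional[Option60Rule],
                       domains: List[str], bas_auth_domain: str) -> str:
    """Lookup order of 7.7.2: Option 60 through the configured rule, then the
    authorization domain of the BAS interface."""
    opt60 = dict(parse_tlv(options)).get(OPT_VENDOR_CLASS)
    if rule is not None and opt60 is not None:
        found = domain_from_option60(opt60, rule, domains)
        if found:
            return found
    return bas_auth_domain


def strip_remote_id(opt82: bytes) -> bytes:
    """`dhcp option-82 agent-remote-id strip`: drop sub-option 2, keep the rest."""
    return encode_tlv([(c, v) for c, v in parse_tlv(opt82, top_level=False)
                       if c != SUB_REMOTE_ID])


def version4_remote_id(sysname: str, ifname: str, svlan: int, cvlan: int) -> bytes:
    """The fixed sysname:interface-name:svlan-cvlan format of rebuild version4."""
    return f"{sysname}:{ifname}:{svlan}-{cvlan}".encode("ascii")


# Constructed sample: Option 60 "iptv@isp2" and Option 82 carrying circuit-id
# "eth1" plus remote-id "cpe1", terminated by END.
SAMPLE_OPT82 = encode_tlv([(SUB_CIRCUIT_ID, b"eth1"), (SUB_REMOTE_ID, b"cpe1")])
SAMPLE_OPTIONS = encode_tlv([(OPT_VENDOR_CLASS, b"iptv@isp2"),
                             (OPT_RELAY_AGENT, SAMPLE_OPT82)]) + bytes([OPT_END])
```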

7.7.4 (Optional) Shortening the User Address Lease Before a DHCPv4 Server Restarts
The user address lease can be shortened before a DHCPv4 server restarts. This change allows
DHCP users to get online a short period of time after the DHCPv4 server restarts due to an
upgrade without restarting the terminal.

Context
When the NE40E is being upgraded, DHCP users cannot detect that the link goes Down and
dial up again as PPP users do. Therefore, these users do not redial to get online. Instead, the
terminal must be restarted to trigger a DHCP request so that the users can obtain IP addresses
and get online again. In the current upgrade solution, the address pool lease time is shortened
at the lease renewal time before the upgrade date. For example, if the address pool lease
renewal time is 1.5 days, the address pool lease is changed to 30 minutes and the lease renewal
time is changed to 15 minutes 1.5 days before the upgrade. This solution ensures that the
terminal sends lease renewal packets within a shorter period of time after the device is
upgraded, allowing DHCP users to get online again.

This upgrade solution has two disadvantages:

- Changing the address pool lease takes effect only for users that obtain addresses from
local address pools. The address lease delivered by a RADIUS server is not changed.
Users that have obtained addresses from the RADIUS server have to wait a
comparatively long time to get online again.
- The address pool lease is configured in the address pool view. Manually changing the
lease configuration of every address pool involves a heavy workload.

Using the dhcp upgrade command in the system view to change the address lease for all
DHCP users attached to the device solves these problems.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dhcp upgrade lease day [ hour [ minute ] ] [ renewal-time day [ hour [ minute ] ] ]
[ rebinding-time day [ hour [ minute ] ] ]

The address lease for all DHCPv4 users attached to the device is configured.

After the dhcp upgrade command is used, the lease configured in the system view takes
effect for new users, online users that need to renew the lease, users using addresses in local
address pools, and users using addresses delivered by a RADIUS server.

No configuration file will be generated after the dhcp upgrade command is used. To view the
configuration result, run the display dhcp upgrade command. The dhcp upgrade command
becomes invalid after the device restarts.


If a short lease is configured, a large number of users will renew their lease at the same time,
causing high CPU usage. Therefore, configuring a short lease is not recommended unless the
device needs to be upgraded.

Step 3 Run commit


The configuration is committed.

----End

7.7.5 Configuring Transparent Transmission of DHCPv4 Packets


You need to configure transparent transmission of DHCPv4 packets when STB users send
only one DHCPv4 Discover packet after they restart.

Context
When a user shuts down the STB and then restarts it immediately, the NE40E cannot detect
that the user goes offline and retains the user entry. When receiving the DHCPv4 Discover
packet that the STB sends after restart, the NE40E forces the user to go offline and waits until
the user sends a DHCPv4 Discover packet to obtain the address through DHCPv4.
Some STBs, however, send only one DHCPv4 Discover packet after they restart. In this case,
the users cannot go online after shutting down their STBs.
You can configure the function of transparently transmitting DHCPv4 packets to solve this
problem. Perform the following steps on the Router:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcp through-packet
The function of transparently transmitting DHCPv4 packets is configured.

----End

7.7.6 (Optional) Enabling the BRAS to Transparently Transmit NAK Messages to DHCP Clients
This section describes how to enable a BRAS to transparently transmit NAK messages sent
by the DHCP server in response to the Discover messages to DHCP clients in DHCP remote
address pool scenarios.

Context
In scenarios where IP addresses are assigned from a DHCP remote address pool, if a DHCP
client sends a Discover message to the DHCP server through a BRAS and the BRAS receives
a NAK message from the DHCP server, the BRAS discards the NAK message by default.


After the BRAS is enabled to transparently transmit NAK messages to clients, the clients can
be informed of login failures if parsing of NAK messages is supported on the client terminals.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcp through-nak
The BRAS is enabled to transparently transmit NAK messages sent by the DHCP server in
response to the Discover messages to DHCP clients in DHCP remote address pool scenarios.

----End

7.7.7 Enabling a DHCPv4 Server to Detect Unauthorized DHCPv4 Servers
Enabling a DHCPv4 server to detect unauthorized DHCPv4 servers helps prevent unauthorized
DHCPv4 servers from allocating invalid IP addresses to clients.

Context
If a private DHCPv4 server exists on the network, it interacts with DHCPv4 clients during
address application, so clients cannot obtain correct IP addresses and therefore cannot log in
to the network. Such a private DHCPv4 server is an unauthorized DHCPv4 server.
The logs contain IP addresses of all the DHCPv4 servers that allocate IP addresses to clients.
By viewing these logs, the administrator can determine whether an unauthorized DHCPv4
server exists.
Perform the following steps on the NE40E that functions as a DHCPv4 server:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcp invalid-server-detecting [ interval ]
The interval at which unauthorized DHCPv4 servers are detected is configured.
If the interval at which unauthorized DHCPv4 servers are detected is 0, the NE40E does not
detect unauthorized DHCPv4 servers.

NOTE

You can perform this function on only the devices at the BAS side.

----End

7.7.8 Enabling the Detection of an IP Address Conflict


The DHCPv4 server sends ping packets to detect the usage of an IP address to prevent an IP
address conflict.


Context
Before assigning an IP address to a client, the DHCPv4 server needs to detect whether the IP
address is used by another client. This prevents an IP address conflict.

NOTE

Detection of an IP address conflict can be configured on only network-side devices.

Perform the following steps on the NE40E that functions as a DHCPv4 server:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dhcp server ping timeout milliseconds

The longest time for the DHCPv4 server to wait for a ping response is configured.

Step 3 Run dhcp server ping packets number

The maximum number of ping packets sent by the DHCPv4 server is configured.

Step 4 Run commit

The configuration is committed.

----End

Follow-up Procedure
The ping command is used to check whether a ping response is received from the IP address
to be assigned to a client within a specific time. If there is no response after that time, the
DHCPv4 server re-sends a ping packet to this IP address until the allowed maximum number
of ping packets has been sent. If there is still no response, the DHCPv4 server considers the IP
address not in use. This ensures that a unique IP address is assigned to the client.

7.7.9 Saving DHCPv4 Data


After DHCPv4 data is saved to the storage device, the data can be restored from the storage
device when the NE40E fails.

Context
Perform the following steps on the NE40E that functions as a DHCPv4 server:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dhcp server database enable

Saving DHCPv4 data to the hard disk is enabled.


Step 3 (Optional) Run dhcp server database write-delay interval

The delay for saving the data is set.

Step 4 Run commit

The configuration is committed.

----End

Follow-up Procedure
The NE40E can save the current DHCPv4 data to the storage device and restore the data from
the storage device when the NE40E fails.

DHCPv4 data is saved with a fixed file name on the storage device. Normally, the IP leasing
information is saved in the lease.txt file and the address conflict information is saved in the
conflict.txt file. Back up these two files to other directories because information in these files
is replaced regularly.

7.7.10 Restoring DHCPv4 Data


Information about the address lease and address conflict can be restored.

Context
Perform the following steps on the NE40E that functions as a DHCPv4 server:

NOTE

Only the saved DHCP data can be restored.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dhcp server database recover

DHCPv4 data is restored from the storage device.

Step 3 Run commit

The configuration is committed.

----End

7.7.11 (Optional) Configuring the NE40E to Log Out an Online User and Deny Access of a New User After Detecting an IPv4 Address Conflict
You can configure the NE40E to log out an online user and deny access of a new user if it
detects that the IP address assigned to the new user from a remote address pool or by the
RADIUS server is the same as the IP address of the online user.


Context
To implement authentication, authorization, and accounting for users separately, users must
use different IP addresses to go online. This requires the NE40E to detect whether the IP
address assigned to a new user conflicts with that of an online user. By default, if the NE40E
detects that the IP address assigned to a new user is the same as the IP address of an online
user, it sends a DHCP Decline message to the DHCP server. Then the new user cannot go
online, but the online user is not affected.

In scenarios in which IP addresses are assigned based on the Option 82 field that carries
physical location information of users and ARP probe is not configured, the online user is
required to go offline to allow the new user to go online. For example, if a CPE is replaced,
users attached to the old CPE will switch to the new CPE to go online. As their physical
location information remains the same, they will be assigned the same IP addresses as before.
However, if the previous IP address lease has not expired, the user information is retained.
Therefore, the NE40E considers that the users are already online and discards the user packets
sent from the new CPE. Subsequently, the users fail to go online through the new CPE. To
allow the users to go online through the new CPE, configure the NE40E to delete the previous
user information and deny new user access so that the users can be triggered to go online
again.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dhcp conflict-ip-address offline user [ include framed-ip ]

The NE40E is configured to log out an online user and deny access of a new user if it detects
that the IP address assigned to the new user from a remote address pool or by the RADIUS
server is the same as the IP address of the online user.

When both the dhcp conflict-ip-address offline and dhcp conflict-ip-address offline user
commands are run, and a new user is assigned the IP address of an online user from a remote
address pool and the two users are both IPv4/IPv6 dual-stack users, the dhcp conflict-ip-
address offline command configuration takes effect. Specifically, the NE40E will log out the
online user only from the IPv4 address after detecting the IPv4 address conflict.

Step 3 Run commit

The configuration is committed.

----End

7.7.12 (Optional) Configuring the Device to Log Out a Dual-Stack User from Both IPv4 and IPv6 Stacks When a Zero Lease Is Delivered in a CoA Message for the User's IPv4 Address
This section describes how to configure the device to log out a dual-stack user from both IPv4
and IPv6 stacks and send a DHCPv4 NAK message to the user when the RADIUS server
delivers a zero lease for the user's IPv4 address in a CoA message and the user sends a
Request message to renew the lease.


Context
By default, a device logs out a dual-stack user from only the IPv4 stack and sends a DHCPv4
NAK message to the user when the RADIUS server delivers a zero lease for the user's IPv4
address in a CoA message and the user sends a Request message to renew the lease. To enable
the device to log out a dual-stack user from both IPv4 and IPv6 stacks, run the dhcp coa-zero-lease dual-cut command.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name

The AAA domain view is displayed.

Step 4 Run dhcp coa-zero-lease dual-cut

The device is enabled to log out a dual-stack user from both IPv4 and IPv6 stacks and send a
DHCPv4 NAK message to the user when the RADIUS server delivers a zero lease for the
user's IPv4 address in a CoA message and the user sends a Request message to renew the
lease.

Step 5 Run commit

The configuration is committed.

----End

7.7.13 Verifying the DHCPv4 Parameter Configuration


After adjusting DHCPv4 parameters, you can view information about a DHCPv4 server and
the storage path of the DHCPv4 data.

Prerequisites
Adjustment of DHCPv4 parameters has been configured.

Procedure
- Run the display dhcp-server item ip-address [ vpn-instance vpn-instance ] command
to check information about a DHCPv4 server.
- Run the display dhcp server database command to check the storage path and file
information of the DHCPv4 data.
- Run the display dhcp upgrade command to check the lease configuration for DHCPv4
users to determine the time when the NE40E restarts.

----End


Example
Run the display dhcp-server item ip-address command, and you can view information about
a DHCPv4 server.
<HUAWEI> display dhcp-server item 1.2.3.4
IPAddress : 1.2.3.4
State : UP
Speed Limit : 0 packets / 0 seconds
Dead Count : 0
Timeout : 25(Sec)
Dead Time : 3(Min)
Nak Count : 10
Vpn Instance: yl

Run the display dhcp server database command, and you can view the saved path of the
DHCPv4 data.
<HUAWEI> display dhcp server database
Status: disable
Recover from files after reboot: disable
File saving lease items: cfcard:/dhcp/lease.txt
File saving conflict items: cfcard:/dhcp/conflict.txt
Save interval: 300 (seconds)

Run the display dhcp upgrade command, and you can view the lease settings and the remaining
renewal interval of existing users, which help you choose when to restart the NE40E.
<HUAWEI> display dhcp upgrade
DHCP upgrade: enable.
Lease time: 0days 0hours 30minutes
Renew time: 0days 0hours 15minutes
Rebind time:0days 0hours 22minutes
Access DHCP user count of new lease: 100
Access DHCP user count of old lease: 100
Access DHCP user count of infinite lease: 10
Max interval from current for old lifetime DHCP user renew: 0 days 0 hours 15
minutes

7.8 Maintaining DHCPv4

You can maintain DHCPv4 by clearing DHCPv4 statistics, monitoring DHCPv4 operating
status, and debugging DHCPv4.

7.8.1 Clearing DHCPv4 Statistics

You can clear DHCPv4 statistics by clearing the DHCPv4 relay statistics.

Context

DHCPv4 statistics cannot be restored after they are cleared. Exercise caution when running
reset commands.


Procedure
- Run the reset dhcp relay statistics [ interface interface-type interface-number
  [ .subinterface-number ] ] command in the user view to clear the DHCPv4 relay statistics.
- Run the reset ip-pool max-usage [ pool [ pool-name ] | domain [ domain-name ] ]
  command in the user view to clear the historical maximum usage of addresses in an IPv4
  address pool.
- Run the reset ip-pool max-ratio domain command in the user view to clear statistics
  about IP address pool usage in all domains on the device.

----End

7.8.2 Monitoring DHCPv4 Operation Status

You can monitor the DHCPv4 operating status by checking the configuration of an IPv4
address pool and a DHCPv4 server, the path at which DHCPv4 data is saved, and file
information about the data.

Prerequisites
In routine maintenance, you can run the following commands in any view to check the
DHCPv4 operating status.

Procedure
- Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-
  address ] ] | all | used ] ] [ vpn-instance vpn-instance-name ] command to check the
  configuration of the IP address pool.
- Run the display dhcp-server group [ group-name ] command to check the
  configuration of the DHCPv4 server group.
- Run the display dhcp-server item ip-address [ vpn-instance vpn-instance ] command
  to check information about a DHCPv4 server.
- Run the display dhcp-server statistics ip-address [ vpn-instance vpn-instance ]
  [ verbose ] command to check the statistics on a DHCPv4 server.
- Run the display dhcp relay address { all | interface interface-type interface-number |
  vlan vlan-id } command to check configurations about interfaces where DHCPv4 relay
  is enabled.
- Run the display dhcp-access statistics packet command to check statistics about
  DHCPv4 services.
- Run the display ip-pool max-usage { pool [ pool-name ] | domain [ domain-name ] }
  command in any view to check the historical maximum usage of addresses in an IPv4
  address pool.

----End

7.9 Configuration Examples for IPv4 Address Management

This section provides configuration examples of DHCPv4, including networking
requirements, configuration notes, and configuration roadmap.


Context
NOTE

In actual networking, the license needs to be loaded. For details, see the HUAWEI NE40E-M2 Series
Universal Service Router Configuration Guide - System Management.

7.9.1 Example for Configuring Address Assignment Based on the Local Address Pool

This section provides an example for assigning IPv4 addresses from a local IP address pool,
including the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
As shown in Figure 7-4, it is required that a local address pool be configured to assign IP
addresses to access users and the following requirements be met:
- The local address pool is used to assign IP addresses to users in the domain isp1.
- The IP addresses in the address pool range from 10.10.10.3 to 10.10.10.100, and the
  gateway address is 10.10.10.2.
- The IP address of the DNS server is 10.20.20.1.
- The IP address of interface GE 0/3/0, which is connected to the DNS server, is
  10.20.20.2.
- Users are neither authenticated nor accounted.

Figure 7-4 Networking diagram for address assignment based on the local address pool
NOTE
Interfaces 1 through 3 in this example are GE 0/1/0.1, GE 0/2/0, and GE 0/3/0 respectively.

[Figure: subscriber@isp1 connects through a Switch to Interface1 of the Router, which acts as the
DHCP Server; Interface2 connects to the Internet; Interface3 connects to the DNS Server 10.20.20.1.]

Configuration Roadmap
NOTE

Access users include IPoE users and PPPoE users. The address assignment for the two types of users
differs in the access mode. This section describes only the IPv4 address pool configurations. For details
about the IPoE access configuration, see Example for Configuring the Common IPoE Access
Service.

The configuration roadmap is as follows:


1. Configure the local address pool, including its gateway address, address range, and the
IP address of the DNS server.
2. Configure the domain isp1 to which the users belong, including the authentication mode
and the accounting mode.
3. Configure the BAS interface, including the user access mode.

Data Preparation
To complete the configuration, you need the following data:
- Name of the address pool, range of the addresses in the pool, and IP addresses of the
  gateway and the DNS server
- Name of the user domain
- Authentication mode and accounting mode

Procedure
Step 1 Configure the DHCPv4 server.
# Configure an address pool.
<HUAWEI> system-view
[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 10.10.10.2 255.255.255.0
[*HUAWEI-ip-pool-pool1] permit up-id 1024
[*HUAWEI-ip-pool-pool1] section 0 10.10.10.3 10.10.10.100
[*HUAWEI-ip-pool-pool1] dns-server 10.20.20.1
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit

# Configure an authentication mode in the authentication scheme view.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme huawei
[*HUAWEI-aaa-authen-huawei] authentication-mode none
[*HUAWEI-aaa-authen-huawei] commit
[~HUAWEI-aaa-authen-huawei] quit

# Configure an accounting mode in the accounting scheme view.
[~HUAWEI-aaa] accounting-scheme huawei1
[*HUAWEI-aaa-accounting-huawei1] accounting-mode none
[*HUAWEI-aaa-accounting-huawei1] commit
[~HUAWEI-aaa-accounting-huawei1] quit

# Configure a domain named isp1.
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme huawei
[*HUAWEI-aaa-domain-isp1] accounting-scheme huawei1
[*HUAWEI-aaa-domain-isp1] commit

[~HUAWEI-aaa-domain-isp1] ip-pool pool1
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit

# Configure a BAS interface.
[~HUAWEI] interface GigabitEthernet 0/1/0.1
[*HUAWEI-GigabitEthernet0/1/0.1] commit
[~HUAWEI-GigabitEthernet0/1/0.1] user-vlan 1
[*HUAWEI-GigabitEthernet0/1/0.1-vlan-1-1] bas
[*HUAWEI-GigabitEthernet0/1/0.1-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/0.1-bas] authentication-method bind
[*HUAWEI-GigabitEthernet0/1/0.1-bas] default-domain authentication isp1
[*HUAWEI-GigabitEthernet0/1/0.1-bas] commit
[~HUAWEI-GigabitEthernet0/1/0.1-bas] quit
[~HUAWEI-GigabitEthernet0/1/0.1] quit

# Configure the IP address of interface GE 0/3/0, which is connected to the DNS server.
[~HUAWEI] interface GigabitEthernet 0/3/0
[*HUAWEI-GigabitEthernet0/3/0] ip address 10.20.20.2 255.255.255.0
[*HUAWEI-GigabitEthernet0/3/0] commit
[~HUAWEI-GigabitEthernet0/3/0] quit

Step 2 Verify the configuration.
# Check the configuration of the local address pool pool1.
[~HUAWEI] display ip pool name pool1

Pool-Name : pool1
Pool-No : 19
Pool-constant-index :-
Lease : 3 Days 0 Hours 0 Minutes
NetBois Type : N-Node
DNS-Suffix : -,
DNS1 :10.20.20.1
Position : Local Status : Unlocked
Gateway : 10.10.10.2 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT (conflicted)

-------------------------------------------------------------------------------------------
ID   start          end             total  used  idle  CFLCT  disable  reserved  static-bind
-------------------------------------------------------------------------------------------
0    10.10.10.3     10.10.10.100    98     0     98    0      0        0         0
-------------------------------------------------------------------------------------------

# Check the configuration of the domain isp1.
[~HUAWEI] display domain isp1
------------------------------------------------------------------------------
Domain-name : isp1
Domain-state : Active
Authentication-scheme-name : huawei
Accounting-scheme-name : huawei1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -


Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time, flow) : 0,60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time (second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : -
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
IP-address-pool-name : pool1
Quota-out : Offline
------------------------------------------------------------------------------

----End

Configuration Files
- Configuration file of HUAWEI
#
sysname HUAWEI
#
ip pool pool1 bas local
 gateway 10.10.10.2 255.255.255.0
 permit up-id 1024
 section 0 10.10.10.3 10.10.10.100
 dns-server 10.20.20.1
#
aaa
 authentication-scheme huawei
  authentication-mode none
 #
 accounting-scheme huawei1
  accounting-mode none
 #
 domain isp1
  authentication-scheme huawei
  accounting-scheme huawei1
  ip-pool pool1
#
interface GigabitEthernet0/1/0.1
 user-vlan 1
 bas
 #
  access-type layer2-subscriber default-domain authentication isp1
  authentication-method bind
#
interface GigabitEthernet0/3/0
 undo shutdown
 ip address 10.20.20.2 255.255.255.0
#
return

7.9.2 Example for Configuring Address Assignment Based on the Remote Address Pool

This section provides an example for assigning IPv4 addresses from a remote IP address pool,
including the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
As shown in Figure 7-5, it is required that a remote address pool be configured to assign IP
addresses to access users and the following requirements be met:

- The remote address pool is used to assign IP addresses to users in the domain isp2.
- The Router, functioning as a relay agent, is connected to the DHCPv4 server through GE
  3/0/0, whose IP address is 10.1.1.2/24.
- The IP address of the DHCPv4 server bound to the remote address pool is 10.1.1.1, and
  no standby DHCPv4 server is deployed.
- Users are neither authenticated nor accounted.

Figure 7-5 Networking diagram for address assignment based on the remote address pool
NOTE
Interfaces 1 through 3 in this example are 0/1/0.1, 0/2/0, and 0/3/0 respectively.

[Figure: subscriber@isp2 connects through the Access Network to Interface1 of the Device (the
relay agent); Interface2 connects to the Internet; Interface3 (10.1.1.2/24) connects to the DHCP
Server 10.1.1.1.]


Configuration Roadmap
The configuration roadmap is as follows:
1. Create a DHCPv4 server group and a remote address pool, and bind the address pool to
the DHCPv4 server group.
2. Configure the domain isp2 to which the user belongs, including the authentication mode
and the accounting mode.
3. Configure the BAS interface, including the user access mode.

Data Preparation
To complete the configuration, you need the following data:
- Name of the address pool
- IP address of the gateway
- Name of the user domain
- IP address of the interface that connects the Router to the DHCPv4 server
- User access mode

Procedure
Step 1 Configure the Router.
# Create a DHCPv4 server group.
<HUAWEI> system-view
[~HUAWEI] dhcp-server group group1
[*HUAWEI-dhcp-server-group-group1] dhcp-server 10.1.1.1
[*HUAWEI-dhcp-server-group-group1] commit
[~HUAWEI-dhcp-server-group-group1] quit

# Create a remote address pool, and bind the pool to the DHCPv4 server group.
[~HUAWEI] ip pool pool2 bas remote
[*HUAWEI-ip-pool-pool2] gateway 10.10.10.1 24
[*HUAWEI-ip-pool-pool2] dhcp-server group group1
[*HUAWEI-ip-pool-pool2] commit
[~HUAWEI-ip-pool-pool2] quit

# Configure a domain named isp2.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp2
[*HUAWEI-aaa-domain-isp2] authentication-scheme default0
[*HUAWEI-aaa-domain-isp2] accounting-scheme default0
[*HUAWEI-aaa-domain-isp2] ip-pool pool2
[*HUAWEI-aaa-domain-isp2] commit
[~HUAWEI-aaa-domain-isp2] quit
[~HUAWEI-aaa] quit

# Configure the Router interface for user access.
[~HUAWEI] interface GigabitEthernet 0/1/0.1
[*HUAWEI-GigabitEthernet0/1/0.1] user-vlan 1
[*HUAWEI-GigabitEthernet0/1/0.1-vlan-1-1] bas
[*HUAWEI-GigabitEthernet0/1/0.1-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/0.1-bas] authentication-method bind
[*HUAWEI-GigabitEthernet0/1/0.1-bas] default-domain authentication isp2
[*HUAWEI-GigabitEthernet0/1/0.1-bas] commit
[~HUAWEI-GigabitEthernet0/1/0.1-bas] quit


[~HUAWEI-GigabitEthernet0/1/0.1] quit

# Configure the Router interface to connect to the DHCPv4 server.
[~HUAWEI] interface GigabitEthernet 3/0/0
[*HUAWEI-GigabitEthernet3/0/0] ip address 10.1.1.2 255.255.255.0
[*HUAWEI-GigabitEthernet3/0/0] commit
[~HUAWEI-GigabitEthernet3/0/0] quit

Step 2 Verify the configuration.
# Check the configurations of the DHCPv4 server group group1.
[~HUAWEI] display dhcp-server group group1

Group-Name : group1
Release-Agent : Support
Primary-Server : 10.1.1.1
Vpn instance : --
Weight : 0
Status : up
Secondary-Server : --
Vpn instance : --
Weight : 0
Status : up
Algorithm : master-backup
Source : --
Giaddr : --

# Check the configurations of the remote address pool pool2.
[~HUAWEI] display ip pool name pool2

Pool-Name : pool2
Pool-No : 0
Pool-constant-index :-
DHCP-Group : group1
Position : Remote Status : Unlocked
Gateway : 10.10.10.1 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT (conflicted)

-------------------------------------------------------------------------------------------
ID   start          end             total  used  idle  CFLCT  disable  reserved  static-bind
-------------------------------------------------------------------------------------------
0    10.10.10.0     10.10.10.255    256    0     256   0      0        0         0
-------------------------------------------------------------------------------------------

# Check the configurations of the domain isp2.
[~HUAWEI] display domain isp2
------------------------------------------------------------------------------
Domain-name : isp2
Domain-state : Active
Authentication-scheme-name : default0
Accounting-scheme-name : default0
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -


User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
Ancp auto qos adapt : Disable
RADIUS-server-template : -
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
IP-address-pool-name : pool2
Quota-out : Offline
------------------------------------------------------------------------------

----End

Configuration Files
- Configuration file of Router
#
sysname HUAWEI
#
dhcp-server group group1
 dhcp-server 10.1.1.1
#
ip pool pool2 bas remote
 gateway 10.10.10.1 255.255.255.0
 dhcp-server group group1
#
aaa
 authentication-scheme default0
 #
 accounting-scheme default0
 #
 domain isp2
  authentication-scheme default0
  accounting-scheme default0
  ip-pool pool2
#
interface GigabitEthernet0/1/0.1
 undo shutdown
 user-vlan 1
 bas
 #
  access-type layer2-subscriber default-domain authentication isp2
  authentication-method bind
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
return
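Both configuration examples in 7.9 admit subscribers through a BAS interface into a domain whose
schemes perform no authentication and no accounting, and the remote pool example binds its pool to
a DHCPv4 server group with a single server and no standby. The following Python audit is an added
example, not Huawei code: it parses a VRP-style configuration file by its one-space-per-view
indentation and reports those conditions. SAMPLE_CONFIG is a constructed configuration modelled
on the two examples above; the isp2 domain is given a hypothetical radius-auth scheme to show a
domain that is not flagged. The audit rules and the finding text are the editor's own.

```python
"""Audit a VRP-style BRAS configuration for weak subscriber-access settings.

Added example, not Huawei code. SAMPLE_CONFIG is constructed (modelled on the
local/remote address pool examples); the audit rules are the editor's own.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
#
dhcp-server group group1
 dhcp-server 10.1.1.1
#
ip pool pool2 bas remote
 gateway 10.10.10.1 255.255.255.0
 dhcp-server group group1
#
aaa
 authentication-scheme huawei
  authentication-mode none
 #
 authentication-scheme radius-auth
  authentication-mode radius
 #
 domain isp1
  authentication-scheme huawei
 #
 domain isp2
  authentication-scheme radius-auth
#
interface GigabitEthernet0/1/0.1
 bas
 #
  access-type layer2-subscriber default-domain authentication isp1
  authentication-method bind
#
"""


@dataclass
class Node:
    cmd: str
    children: list = field(default_factory=list)


def parse_vrp(text):
    """Build a command tree from indentation; '#' lines only separate views."""
    root = Node("")
    stack = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = Node(raw.strip())
        while stack[-1][0] >= indent:
            stack.pop()
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root


def find(node, keyword):
    """Children whose command is `keyword` or starts with `keyword `."""
    return [c for c in node.children
            if c.cmd == keyword or c.cmd.startswith(keyword + " ")]


def first_arg(node, keyword):
    """First argument of the first child command starting with `keyword`, or None."""
    for c in find(node, keyword):
        parts = c.cmd.split()
        return parts[1] if len(parts) > 1 else None
    return None


def audit(text):
    """Report unauthenticated domains, BAS interfaces that default into them,
    and DHCPv4 server groups with no standby server."""
    root = parse_vrp(text)
    findings, auth_mode, open_domains = [], {}, set()
    for aaa in find(root, "aaa"):
        for scheme in find(aaa, "authentication-scheme"):
            auth_mode[scheme.cmd.split()[1]] = first_arg(scheme, "authentication-mode")
        for dom in find(aaa, "domain"):
            name, scheme = dom.cmd.split()[1], first_arg(dom, "authentication-scheme")
            # Only an explicit "none" is flagged; an unset mode means the device
            # default applies, which this script does not model.
            if auth_mode.get(scheme) == "none":
                open_domains.add(name)
                findings.append(f"domain {name}: authentication-scheme {scheme} uses "
                                "authentication-mode none (no subscriber authentication)")
    for itf in find(root, "interface"):
        for bas in find(itf, "bas"):
            for c in bas.children:
                m = re.search(r"default-domain authentication (\S+)", c.cmd)
                if m and m.group(1) in open_domains:
                    findings.append(f"{itf.cmd}: BAS default domain {m.group(1)} "
                                    "admits any subscriber on the interface")
    for grp in find(root, "dhcp-server group"):
        servers = [c.cmd.split()[1] for c in find(grp, "dhcp-server")]
        if len(servers) == 1:
            findings.append(f"{grp.cmd}: single server {servers[0]}, no standby; remote "
                            "pools bound to it stop assigning addresses if it fails")
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

The parser treats `#` lines purely as view separators, so the separator that the configuration
file places between `bas` and its sub-commands does not break the tree. Run against the
constructed sample it reports three findings: the isp1 domain, the BAS interface that defaults into
it, and the single-server DHCPv4 group; isp2 is not reported.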


8 IPv6 Address Management Configuration

About This Chapter

This section describes how to assign IPv6 addresses to access users and manage these IPv6
addresses.

Context
NOTE

This feature is supported only on the Admin-VS.

8.1 Overview of IPv6 Address Management
On an IPv6 network, IPv6 address management includes configuring a fixed IPv6 address,
receiving an IPv6 address from the RADIUS server, and obtaining an IPv6 address
dynamically.
8.2 Licensing Requirements and Limitations for IPv6 Address Management--M2E
8.3 Licensing Requirements and Limitations for IPv6 Address Management--M2F
8.4 Licensing Requirements and Limitations for IPv6 Address Management--M2H
8.5 Licensing Requirements and Limitations for IPv6 Address Management--M2K
8.6 Configuring a DHCPv6 Relay Agent on the User Side
When independent DHCPv6 servers allocate and manage addresses, the NE40E can be
configured as the relay agent to implement redundancy backup and load balancing among the
remote DHCPv6 servers.
8.7 Configuring a Delegating Router
The NE40E can be configured as a delegating router to allocate and recycle prefixes
according to the requests of requesting routers.
8.8 (Optional) Adjusting DHCPv6 Service Parameters
Configure transparent transmission of DHCPv6 packets, unicast mode, and two-message
exchange between a DHCPv6 client and a DHCPv6 server based on actual network
conditions.
8.9 Configuring DHCPv6 (IA_NA) Address Allocation


This section describes how to configure the NE40E to use DHCPv6 (IA_NA) to allocate IPv6
addresses when the CPE works in bridging mode.
8.10 Configuring DHCPv6 (IA_PD) Prefix Allocation
This section describes how to configure the NE40E to allocate prefixes to the CPE when the
CPE works in unnumbered routing mode. The CPE allocates the prefixes to the attached host
to generate IPv6 addresses.
8.11 Configuring DHCPv6 (IA_NA+IA_PD) Address Allocation
This section describes how to configure the NE40E to use DHCPv6 to allocate IPv6 addresses
and prefixes to the WAN interface on the CPE when the CPE works in numbered routing
mode. The CPE sends the prefixes to the attached hosts for them to generate IPv6 addresses.
8.12 Configuring NDRA Address Allocation
This section describes how to configure the NE40E to use ND to allocate IPv6 addresses
when the CPE works in bridging mode.
8.13 Configuring NDRA+DHCPv6 (IA_PD) Address Allocation
This section describes how to configure the NE40E to use ND to allocate IPv6 addresses to
the WAN interfaces on the CPE and use DHCPv6 (IA_PD) to allocate prefixes to the CPE
when the CPE works in numbered routing mode. The CPE allocates the prefixes to the
attached hosts to generate IPv6 addresses.
8.14 Maintaining IPv6 Address Management
8.15 Configuration Examples for IPv6 Address Management
This section provides several examples of IPv6 address management. Each configuration
example includes the networking requirements, configuration notes, and configuration
roadmap.

8.1 Overview of IPv6 Address Management

On an IPv6 network, IPv6 address management includes configuring a fixed IPv6 address,
receiving an IPv6 address from the RADIUS server, and obtaining an IPv6 address
dynamically.

The NE40E allows a user to access the network with a fixed IPv6 address, an IPv6 address
received from the RADIUS server, or an IPv6 address obtained dynamically.

- Configuring a fixed IPv6 address
  A user can configure a fixed IPv6 address. After the user goes offline, the fixed IPv6
  address cannot be assigned to other users.
- Receiving an IPv6 address from the RADIUS server
  The NE40E allows the RADIUS server to use NDRA or DHCPv6 (IA_PD) to allocate
  IPv6 prefixes and use DHCPv6 (IA_NA) to allocate IPv6 addresses to users. If an
  address allocated to a user by the RADIUS server is part of the local address pool, the
  prefix length allocated by the RADIUS server must be consistent with that of the local
  address pool. If the prefix lengths differ, route forwarding for this user is affected.
- Allocating an IPv6 address using dynamic allocation protocols
  IPv4 has two dynamic address allocation protocols: IPCP and DHCPv4. IPv6 has two
  global unicast address allocation protocols: ND and DHCPv6. IPv6CP is used only to
  negotiate link-local addresses (interface identifiers).


  – Stateless address allocation using ND
    Stateless address allocation is implemented using ND. ND replaces the Address
    Resolution Protocol (ARP) and ICMP Router Discovery used on IPv4 networks, and also
    provides neighbor unreachability detection (NUD), duplicate address detection (DAD),
    and address autoconfiguration.
    IPv6 stateless address allocation is implemented through the exchange of router
    solicitation (RS) and router advertisement (RA) messages.
    i. The client sends an RS packet.
    ii. After receiving the RS packet, the NE40E replies with an RA packet that carries the
        following:
        ○ Whether address autoconfiguration is enabled
        ○ Which autoconfiguration mode the client should use, indicated by the M (managed
          address configuration) and O (other configuration) flags
        ○ One or more link prefixes (nodes on the local link can automatically generate
          addresses from these prefixes) and the lifetime of each prefix
        ○ Whether the router that sends the RA message can act as a default router (if so, the
          message also carries the default router lifetime, in seconds)
        ○ Other configuration information for the client, such as the hop limit and the MTU
          for packets the client originates
    iii. The client receives the RA packet from the router. If the RA packet enables address
         autoconfiguration and carries valid link prefixes, the client combines the link
         prefixes with its interface IDs to generate global unicast addresses.
    The address lifetime is refreshed each time the NE40E sends an RA packet with a new
    lifetime.
    Advantages:
    ○ Stateless address allocation is simple, and all IPv6 nodes support ND.
    ○ Addresses are allocated automatically without any server; the clients do not need a
      DHCPv6 client.
  – Stateful address allocation using DHCPv6
    In the RS/RA exchange, if the M flag is 0 and the O flag is 1, the client obtains
    configuration information other than IPv6 addresses from a DHCPv6 server; if the M
    flag is 1, the client obtains both IPv6 addresses and other configuration information
    from a DHCPv6 server.
    Stateful information configuration and stateful address configuration both use
    DHCPv6. The client requests configuration from the server, and the server replies
    with the corresponding configuration according to its policies.
    ○ Identity association for non-temporary addresses (IA_NA): allocates IPv6
      addresses using the IA_NA option in DHCPv6 messages
    ○ Identity association for prefix delegation (IA_PD): allocates IPv6 prefixes using
      the IA_PD option in DHCPv6 messages
    Advantages:
    ○ Flexible configuration: DHCPv6 offers more information to the clients and can
      allocate parameters such as specific requested addresses.
    ○ Better manageability: DHCPv6 can carry detailed management information.
    ○ Extensibility: carriers can define some DHCPv6 options, so the protocol can be
      extended.
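The RS/RA exchange and the M/O flag rules above, as an added example that is not part of the
Huawei guide: the Python below builds a Router Advertisement with M=0 and O=1 and one /64
Prefix Information option, parses it the way a client does, reports whether DHCPv6 is needed for
addresses or only for other configuration, and derives the client's global address from the prefix
plus a modified EUI-64 interface ID (step iii). The RA bytes and the client MAC address are
constructed, and the ICMPv6 checksum is left zero because no IPv6 pseudo-header is built. Field
layouts follow RFC 4861.

```python
"""Decode an ICMPv6 Router Advertisement and derive a SLAAC address.

Added example, not Huawei code. The RA bytes and the client MAC address are
constructed; the ICMPv6 checksum is left zero because no pseudo-header is built.
"""
import ipaddress
import struct

ICMPV6_RA = 134          # Router Advertisement (RFC 4861)
ND_OPT_PREFIX_INFO = 3   # Prefix Information option


def build_ra(m_flag, o_flag, prefix, prefix_len=64, valid=2592000, preferred=604800,
             router_lifetime=1800, autonomous=True):
    """Build an RA with one Prefix Information option (what the router sends in step ii)."""
    flags = (m_flag << 7) | (o_flag << 6)
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    pio_flags = 0x80 | (0x40 if autonomous else 0)          # L (on-link), A (autonomous)
    pio = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, prefix_len, pio_flags,
                      valid, preferred, 0) + ipaddress.IPv6Address(prefix).packed
    return hdr + pio


def parse_ra(pkt):
    """Extract the M/O flags, default-router status and the prefixes a client acts on."""
    typ, _code, _ck, hop, flags, rl, _reach, _retrans = struct.unpack_from("!BBHBBHII", pkt, 0)
    if typ != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40), "hop_limit": hop,
          "default_router": rl > 0, "router_lifetime": rl, "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")      # must be discarded (RFC 4861 4.6)
        body = pkt[off:off + olen * 8]
        if otype == ND_OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, pref = struct.unpack_from("!BBII", body, 2)
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((body[16:32], plen), strict=False),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": pref})
        off += olen * 8
    return ra


def client_mode(ra):
    """How the host should configure itself, from the M and O flags."""
    if ra["M"]:
        return "stateful: addresses and other configuration from DHCPv6 (IA_NA)"
    if ra["O"]:
        return "stateless: address from RA prefix, other configuration from DHCPv6"
    return "stateless: address from RA prefix only"


def eui64_interface_id(mac):
    """Modified EUI-64 interface ID: flip the U/L bit and insert ff:fe in the middle."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("MAC address must be 48 bits")
    b = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(b, "big")


def slaac_address(prefix_net, mac):
    """Global unicast address = RA /64 prefix + EUI-64 interface ID (step iii)."""
    if prefix_net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(prefix_net.network_address) | eui64_interface_id(mac))


SAMPLE_RA = build_ra(m_flag=0, o_flag=1, prefix="2001:db8:1:2::")   # constructed
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"                                   # constructed


def demo(pkt=SAMPLE_RA, mac=SAMPLE_MAC):
    """Return the mode the client picks and the addresses it would self-assign."""
    ra = parse_ra(pkt)
    addrs = [str(slaac_address(p["prefix"], mac)) for p in ra["prefixes"] if p["autonomous"]]
    return client_mode(ra), addrs


if __name__ == "__main__":
    print(demo())
```

With M=0 and O=1 the client keeps the RA prefix for its address and turns to DHCPv6 only for
other configuration; setting M=1 in build_ra switches the decision to stateful IA_NA allocation.
Only prefixes whose A flag is set are used for address generation, which is the check a real
client applies before step iii.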

8.2 Licensing Requirements and Limitations for IPv6 Address Management--M2E

Licensing Requirements
This feature is a basic feature and is not under license control.

Restrictions and Guidelines

Restriction: IP addresses cannot be reserved based on MAC addresses in scenarios where
DHCPv6 and PPPoEv6 users have the same MAC address and one-to-many mapping between
one MAC address and multiple sessions is configured for PPPoEv6 users.
Guideline: Do not deploy these services at the same time.
Impact: If a user has been online, a new user with the same MAC address as the online user
cannot go online. If the user has been offline, the reserved address is occupied by a new user
with the same MAC address as the offline user.

8.3 Licensing Requirements and Limitations for IPv6 Address Management--M2F

Licensing Requirements
This feature is a basic feature and is not under license control.

Restrictions and Guidelines

Restriction 1: You can run the reserved prefix command to configure a reservation type for
the prefixes in a delegation prefix pool. The following reservation types are supported: MAC
address-based reservation, MAC address and lease-based reservation, DUID-based reservation,
and DUID and lease-based reservation.
- When ND assigns IPv6 prefixes in unshared mode, MAC-based reservation does not take
  effect for L2TP users because LNS-side users have no MAC address. IPoE and PPPoE
  support MAC-based reservation only.
- When DHCPv6 uses IA_PD options to assign IPv6 prefixes to L2TP users, prefix
  reservations based on MAC addresses and based on MAC addresses+leases are not
  supported.
- IPv6 prefixes delivered by RADIUS servers cannot be reserved.
- Prefix reservations are not supported when one MAC address maps to multiple sessions
  for PPPoE users.
Guideline: None
Impact: Users cannot use reserved prefixes to go online.

Restriction 2: Address assignment based on the Option 18 or Option 37 attribute:
- Prefixes in the delegation prefix pool for which the dhcpv6-unshare-only command is
  configured cannot be delivered by the RADIUS server.
- The same IPv6 address in the EUI-64 format or interface ID negotiated using PPP cannot
  be assigned to users with the same prefix. Otherwise, the second user with the same
  IPv6 address in the EUI-64 format or interface ID negotiated using PPP fails to go
  online after the first user goes online.
Guideline: None
Impact: None

Restriction 3: IP addresses cannot be reserved based on MAC addresses in scenarios where
DHCPv6 and PPPoEv6 users have the same MAC address and one-to-many mapping between
one MAC address and multiple sessions is configured for PPPoEv6 users.
Guideline: Do not deploy these services at the same time.
Impact: If a user has been online, a new user with the same MAC address as the online user
cannot go online. If the user has been offline, the reserved address is occupied by a new user
with the same MAC address as the offline user.

8.4 Licensing Requirements and Limitations for IPv6


Address Management--M2H
Licensing Requirements
This feature is a basic feature and is not under license control.

Issue 01 (2018-12-05) Copyright © Huawei Technologies Co., Ltd. 181


HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access 8 IPv6 Address Management Configuration

Restrictions and Guidelines


Restriction: You can run the reserved prefix command to configure a reservation type for the prefixes in a delegation prefix pool. The following reservation types are supported: MAC address-based reservation, MAC address and lease-based reservation, DUID-based reservation, and DUID and lease-based reservation.
l When ND assigns IPv6 prefixes in unshared mode, MAC-based reservation does not take effect for L2TP users because LNS-side users have no MAC address. IPoE and PPPoE support MAC-based reservation only.
l When DHCPv6 uses IA_PD options to assign IPv6 prefixes to L2TP users, prefix reservations based on MAC addresses and based on MAC addresses+leases are not supported.
l IPv6 prefixes delivered by RADIUS servers cannot be reserved.
l Prefix reservations are not supported when one MAC address maps to multiple sessions for PPPoE users.
Guidelines: None
Impact: Users cannot use reserved prefixes to go online.


Restriction: Address assignment based on the Option 18 or Option 37 attribute:
l Prefixes in the delegation prefix pool for which the dhcpv6-unshare-only command is configured cannot be delivered by the RADIUS server.
l The same IPv6 address in the EUI-64 format or interface ID negotiated using PPP cannot be assigned to users with the same prefix. Otherwise, the second user with the same IPv6 address in the EUI-64 format or interface ID negotiated using PPP fails to go online after the first user goes online.
Guidelines: None
Impact: None

Restriction: IP addresses cannot be reserved based on MAC addresses in scenarios where DHCPv6 and PPPoEv6 users have the same MAC address and one-to-many mapping between one MAC address and multiple sessions is configured for PPPoEv6 users.
Guidelines: Do not deploy these services at the same time.
Impact: If a user has been online, a new user with the same MAC address as the online user cannot go online. If the user has been offline, the reserved address is occupied by a new user with the same MAC address as the offline user.

8.5 Licensing Requirements and Limitations for IPv6 Address Management--M2K

Licensing Requirements
This feature is a basic feature and is not under license control.


Restrictions and Guidelines


Restriction: You can run the reserved prefix command to configure a reservation type for the prefixes in a delegation prefix pool. The following reservation types are supported: MAC address-based reservation, MAC address and lease-based reservation, DUID-based reservation, and DUID and lease-based reservation.
l When ND assigns IPv6 prefixes in unshared mode, MAC-based reservation does not take effect for L2TP users because LNS-side users have no MAC address. IPoE and PPPoE support MAC-based reservation only.
l When DHCPv6 uses IA_PD options to assign IPv6 prefixes to L2TP users, prefix reservations based on MAC addresses and based on MAC addresses+leases are not supported.
l IPv6 prefixes delivered by RADIUS servers cannot be reserved.
l Prefix reservations are not supported when one MAC address maps to multiple sessions for PPPoE users.
Guidelines: None
Impact: Users cannot use reserved prefixes to go online.


Restriction: Address assignment based on the Option 18 or Option 37 attribute:
l Prefixes in the delegation prefix pool for which the dhcpv6-unshare-only command is configured cannot be delivered by the RADIUS server.
l The same IPv6 address in the EUI-64 format or interface ID negotiated using PPP cannot be assigned to users with the same prefix. Otherwise, the second user with the same IPv6 address in the EUI-64 format or interface ID negotiated using PPP fails to go online after the first user goes online.
Guidelines: None
Impact: None

Restriction: IP addresses cannot be reserved based on MAC addresses in scenarios where DHCPv6 and PPPoEv6 users have the same MAC address and one-to-many mapping between one MAC address and multiple sessions is configured for PPPoEv6 users.
Guidelines: Do not deploy these services at the same time.
Impact: If a user has been online, a new user with the same MAC address as the online user cannot go online. If the user has been offline, the reserved address is occupied by a new user with the same MAC address as the offline user.

8.6 Configuring a DHCPv6 Relay Agent on the User Side


When independent DHCPv6 servers allocate and manage addresses, the NE40E can be
configured as the relay agent to implement redundancy backup and load balancing among the
remote DHCPv6 servers.

Usage Scenario
When users access the NE40E, it functions as a DHCPv6 relay agent and forwards user
address requests to the remote DHCPv6 servers. Configuring multiple DHCPv6 servers is
recommended so that the remote servers provide redundancy backup and load balancing.
The DHCPv6 server group must be bound to the remote address pool. This binding shields the
interactions between the NE40E and the DHCPv6 servers from the client.


Figure 8-1 Networking diagram of the NE40E as a DHCPv6 relay agent on the user side
[Figure not reproduced. Topology: HOST -- CPE -- access network -- NE40E (DHCPv6 relay agent) -- backbone network -- DHCPv6 server and DNS server.]

Pre-configuration Tasks
The remote DHCPv6 servers have been deployed.

Configuration Procedures

Figure 8-2 Flowchart for configuring a DHCPv6 relay agent on the user side
[Figure not reproduced. Tasks in order: Configuring a Remote IPv6 Prefix Pool; Configuring an IPv6 Remote Address Pool; Configuring a DHCPv6 Server Group; Associating an Address Pool with a DHCPv6 Server Group; Binding an IPv6 Remote Address Pool to a Domain. Legend: Mandatory, Optional.]

8.6.1 Configuring a Remote IPv6 Prefix Pool


When the NE40E functions as a DHCPv6 relay agent, a remote IPv6 prefix pool must be
configured to manage the prefixes.

Context
Perform the following steps on the NE40E.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipv6 prefix prefix-name remote
A remote IPv6 prefix pool is created and the IPv6 prefix pool view is displayed.
Step 3 Run link-address ipv6-address/prefix-length
The link address is configured.
When the remote server allocates addresses or prefixes, link addresses must be configured on
the relay.
Step 4 (Optional) Run lock
The IPv6 prefix pool is locked.
No prefix in the locked IPv6 prefix pool can be allocated, preventing new users from getting
online using the IPv6 prefix pool.
This command applies to a scenario where the IPv6 prefix pool cannot be deleted because it is
being used by online users. Lock the IPv6 prefix pool first to stop it from allocating prefixes.
The prefixes in the IPv6 prefix pool will be released when the users get offline. Then the IPv6
prefix pool can be deleted.
Step 5 (Optional) Run vpn-instance vpn-instance-name
The VPN instance is configured for the prefix pool.
Step 6 Run remote-ip lease manage
The lease management function is enabled for the remote IPv6 prefix pool.
Step 7 Run commit
The configuration is committed.

----End

8.6.2 Configuring a Remote IPv6 Address Pool


Configuring an IPv6 remote address pool includes binding the prefix pool to the remote
address pool and configuring the priority and the route advertisement of the address pool.

Context
Perform the following steps on the NE40E.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipv6 pool pool-name bas remote


An IPv6 address pool is created, and the IPv6 address pool view is displayed.
Step 3 Run prefix prefix-name
The IPv6 address pool is bound to the IPv6 prefix pool.
Step 4 (Optional) Run preference preference-value
A priority value is set for the IPv6 address pool.
Step 5 Run export host-route
Advertisement of the routes in the remote address pool is enabled.
Step 6 (Optional) Configure the device to assign addresses from IPv6 remote address pools based on
weights of the address pools.
1. Run weight weight-value
A weight is configured for the IPv6 address pool.
2. Run commit
The configuration is committed.
3. Run quit
Return to the system view.
4. Run ipv6-pool algorithm loading-share remote
The device is configured to assign addresses from IPv6 remote address pools based on
their weights.
NOTE
This function applies only to IPv6 remote address pools and local rui-slave address pools.

Step 7 Run commit


The configuration is committed.

----End

8.6.3 Configuring a DHCPv6 Server Group


DHCPv6 server groups are required only when the remote address pool is used to assign IPv6
addresses to BAS-side users.

Context
Perform the following steps on the router.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcpv6-server group group-name
A DHCPv6 server group is created and the DHCPv6 server group view is displayed.
Step 3 Run dhcpv6-server { destination ipv6-address [ vpn-instance vpn-instance ] | interface
interface-type interface-number } [ weight weight-value ]


The IPv6 address or outbound interface of a DHCPv6 server is configured.


A maximum of eight DHCPv6 servers can be configured in a DHCPv6 server group.
Step 4 (Optional) Run dhcpv6-server algorithm { loading-share | master-backup | polling }
Load balancing or redundancy backup is configured.
This command takes effect only when there are multiple DHCPv6 servers in a DHCPv6
server group.
l Load balancing: The NE40E distributes the traffic based on the weights of DHCPv6
servers.
l Master/backup: The NE40E specifies one server as the master server and the others as
the backup server.
l Polling: When multiple servers are configured, the NE40E sends Solicit, Request,
Rebind, and Confirm messages to all servers and selects the server that first responds to
the messages for subsequent message exchanges.
Step 5 (Optional) Run release-agent
The DHCPv6 release agent function is configured.
With the DHCPv6 release agent function, the NE40E sends DHCPv6 Release packets to
DHCPv6 servers for the users when they get offline.
Step 6 (Optional) Run dhcpv6-server source { interface interface-type interface-name | link-
address }
The source address or source interface for packets to be sent to the DHCPv6 server group is
configured.
Step 7 Run quit
The system view is displayed.
Step 8 (Optional) Enable the DHCPv6 relay agent to add the Option 18 and Option 37 attributes in
OSP format to a Relay-Forward message sent to a DHCPv6 server.
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run dhcpv6 relay option-insert mode type1 [ remote-id { neba | vula } ]
The DHCPv6 relay agent is enabled to add the Option 18 and Option 37 attributes in
OSP format to a Relay-Forward message sent to a DHCPv6 server.

NOTE

– The dhcpv6 relay option-insert mode type1 [ remote-id { neba | vula } ] and dhcpv6 relay
option-insert { interface-id mode { cn-telecom | tr-101 } | remote-id } commands are
mutually exclusive.
– The dhcpv6 relay option-insert mode type1 command takes effect in real time. After the
command is run on an interface, the command configuration takes effect for online users on
the interface.
3. Run quit
Return to the system view.
Step 9 (Optional) Run dhcpv6-server [ ipv6-address [ vpn-instance vpn-instance ] ] { dead-count
dead-count | timeout timeout-value | dead-time dead-time } *


The thresholds for switching the status (Up/Down) of a DHCPv6 server are configured.

Step 10 (Optional) Run dhcpv6-server { ipv6-address [ vpn-instance vpn-instance-name ] | interface


interface-type interface-number } send-solicit-speed packet-number time

The rate at which Solicit packets are sent to the DHCPv6 server is configured.

Step 11 Run commit

The configuration is committed.

----End
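The server-selection behaviour of Step 4 (weighted load balancing, master/backup, and polling in which the first responder is kept for the rest of the exchange) and the Up/Down switchover thresholds of Step 9 are easier to reason about as one small state machine. The Python below is an added illustration written for this guide and is not NE40E or Huawei code. The weighted round-robin, the dead-count/dead-time semantics (a server is marked Down after dead_count consecutive unanswered requests and skipped for dead_time seconds before being retried) and the per-transaction first-responder binding are assumptions chosen to match the text, not the device's actual algorithm; the server addresses are constructed sample values.

```python
class Dhcpv6Server:
    """One server in a group: address, weight and a simple Up/Down health state."""

    def __init__(self, address, weight=1):
        self.address = address
        self.weight = weight
        self.fail_count = 0      # consecutive requests that got no reply
        self.down_until = None   # None = Up; otherwise the time at which it is retried


class Dhcpv6ServerGroup:
    """Model of a relay's DHCPv6 server group (example code, not the NE40E implementation).

    algorithm  -- "loading-share", "master-backup" or "polling"
    dead_count -- unanswered requests before a server is marked Down (assumed semantics)
    dead_time  -- seconds a Down server is skipped before it is tried again (assumed)
    """
    MAX_SERVERS = 8   # the guide allows at most eight servers per group

    def __init__(self, algorithm="master-backup", dead_count=3, dead_time=60):
        if algorithm not in ("loading-share", "master-backup", "polling"):
            raise ValueError("unknown algorithm: %s" % algorithm)
        self.algorithm = algorithm
        self.dead_count = dead_count
        self.dead_time = dead_time
        self.servers = []
        self.rr_counter = 0          # position in the weighted round-robin cycle
        self.first_responder = {}    # polling: transaction key -> server that answered first

    def add_server(self, address, weight=1):
        if len(self.servers) >= self.MAX_SERVERS:
            raise ValueError("a DHCPv6 server group holds at most %d servers" % self.MAX_SERVERS)
        self.servers.append(Dhcpv6Server(address, weight))

    def _find(self, address):
        for s in self.servers:
            if s.address == address:
                return s
        raise KeyError(address)

    def _up_servers(self, now):
        # A Down server becomes eligible again once dead_time has elapsed
        return [s for s in self.servers if s.down_until is None or now >= s.down_until]

    def select(self, now, key=None):
        """Return the server addresses the next request goes to (a list: polling fans out)."""
        up = self._up_servers(now)
        if not up:
            return []
        if self.algorithm == "master-backup":
            return [up[0].address]             # first Up server in configuration order
        if self.algorithm == "loading-share":
            total = sum(s.weight for s in up)  # weighted round robin over the Up servers
            slot = self.rr_counter % total
            self.rr_counter += 1
            for s in up:
                if slot < s.weight:
                    return [s.address]
                slot -= s.weight
        chosen = self.first_responder.get(key)  # polling: stick to the first responder
        if chosen is not None and any(s.address == chosen for s in up):
            return [chosen]
        return [s.address for s in up]

    def record_reply(self, address, key=None):
        """A reply proves the server is Up; under polling it also wins the transaction."""
        s = self._find(address)
        s.fail_count = 0
        s.down_until = None
        if self.algorithm == "polling" and key is not None:
            self.first_responder.setdefault(key, address)

    def record_timeout(self, address, now):
        """No reply within the timeout: count it, and mark the server Down at dead_count."""
        s = self._find(address)
        s.fail_count += 1
        if s.fail_count >= self.dead_count:
            s.down_until = now + self.dead_time
            s.fail_count = 0
```

The point for an operator is the state this exposes: in master-backup mode a master that has been marked Down silently moves every new user to the backup, which is the condition to monitor and alarm on, and a Down server is only retried after dead_time, so a generous dead-time lengthens the time new users spend on the backup after the master recovers.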

8.6.4 Associating an Address Pool with a DHCPv6 Server Group


Associating an address pool with a DHCPv6 server group is required only when the remote
IPv6 address pool is used.

Context
Perform the following steps on the NE40E.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ipv6 pool pool-name bas remote

The remote address pool view is displayed.

Step 3 Run dhcpv6-server group group-name

An address pool is associated with a DHCPv6 server group.

Step 4 Run commit

The configuration is committed.

----End

8.6.5 Binding an IPv6 Remote Address Pool to a Domain


Users in the domain can obtain addresses from the address pool only after an IPv6 address
pool is bound to a domain.

Prerequisites
The address pool to be bound has been created and bound to a prefix pool.

Context
Perform the following steps on the router.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name

A domain is created and the domain view is displayed.

Step 4 Run ipv6-pool pool-name

The IPv6 remote address pool is bound to the domain.

Step 5 (Optional) Run ipv6-warning-threshold threshold-value

The threshold for the usage of IPv6 addresses and prefixes is configured.

Step 6 Run commit

The configuration is committed.

----End

8.6.6 (Optional) Enabling a Device to Insert the Option 18 and Option 37 Attributes into Messages to Be Sent to the DHCPv6 Server
This section describes how to enable a device to insert the self-defined Option 18 and Option
37 attributes into the Relay-forward messages to be sent to the DHCPv6 server when IPv6
addresses are assigned from a remote IPv6 address pool.

Context
When IPv6 addresses are assigned from a remote IPv6 address pool, you can configure the
device to insert the self-defined Option 18 and Option 37 attributes into Relay-forward
messages to be sent to the DHCPv6 server.

Option 18 identifies the interface on which client messages are received on a DHCP relay
agent, facilitating the forwarding of Relay-reply messages. The DHCP server can also assign
addresses/prefixes based on the Option 18 attribute, which plays a similar role as the circuit-id
sub-attribute carried in the Option 82 attribute of DHCP messages.

A DHCP relay agent inserts additional information about remote users into the Option 37
attribute, which plays a similar role as remote-id sub-attribute carried in the Option 82
attribute of DHCP messages.

Procedure
Step 1 Run system-view

The system view is displayed.


Step 2 Run interface interface-type interface-number [ .subinterface-number ]

The interface view is displayed.

Step 3 Run bas

The BAS interface view is displayed.

Step 4 Run dhcpv6 option-18 rebuild self-define self-define-value send-to-server

The device is enabled to insert the self-defined Option 18 attribute into a Relay-forward
message to be sent to the DHCPv6 server.

The dhcpv6 option-18 rebuild self-define self-define-value send-to-server command is
configured in the BAS interface view, whereas the dhcpv6 relay option-insert interface-id
mode { cn-telecom | tr-101 } and dhcpv6 relay option-insert mode type1 commands are
configured in the interface view. If the commands configured in the two views are both run,
the command configured in the BAS interface view takes effect.

Step 5 Run dhcpv6 option-37 rebuild self-define self-define-value send-to-server

The device is enabled to insert the self-defined Option 37 attribute into a Relay-forward
message to be sent to the DHCPv6 server.

The dhcpv6 option-37 rebuild self-define self-define-value send-to-server command is
configured in the BAS interface view, whereas the dhcpv6 relay option-insert remote-id and
dhcpv6 relay option-insert mode type1 commands are configured in the interface view. If
the commands configured in the two views are both run, the command configured in the BAS
interface view takes effect.

----End
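To make concrete what the relay places on the wire in this section and in the Context above (Option 18 as the interface-id counterpart of DHCPv4's circuit-id, Option 37 as the counterpart of remote-id), here is an added Python example written for this guide; it is not taken from the NE40E or any Huawei code. It encodes a client Solicit, wraps it in a Relay-Forward message carrying Option 18 (Interface-ID) and Option 37 (Remote-ID, an enterprise number followed by the identifier) in the layout RFC 8415 defines, and parses the result as a server would. The message and option codes are the RFC constants; the interface-id string, remote-id string, enterprise number, client DUID and addresses are constructed sample values, and the Huawei-specific OSP/type1 formatting of the option contents is not reproduced.

```python
import struct
import ipaddress

# DHCPv6 message types and option codes (RFC 8415)
SOLICIT, RELAY_FORW, RELAY_REPL = 1, 12, 13
OPT_CLIENTID, OPT_RELAY_MSG, OPT_INTERFACE_ID, OPT_REMOTE_ID = 1, 9, 18, 37
RELAY_HDR_LEN = 34   # msg-type(1) + hop-count(1) + link-address(16) + peer-address(16)


def encode_option(code, data):
    """One DHCPv6 option: option-code(2) | option-len(2) | option-data."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    """Parse a run of options into (code, data) pairs; reject truncated input."""
    opts, pos = [], 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated option header at offset %d" % pos)
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            raise ValueError("option %d length %d runs past the packet" % (code, length))
        opts.append((code, buf[pos:pos + length]))
        pos += length
    return opts


def build_client_solicit(transaction_id, client_duid):
    """Client message: msg-type(1) | transaction-id(3) | options."""
    return (struct.pack("!B", SOLICIT) + transaction_id.to_bytes(3, "big")
            + encode_option(OPT_CLIENTID, client_duid))


def build_relay_forward(client_msg, link_address, peer_address, interface_id,
                        enterprise_number, remote_id, hop_count=0):
    """What the relay sends to the server: relay header, Option 18, Option 37,
    and the untouched client message inside Option 9 (Relay Message)."""
    header = (struct.pack("!BB", RELAY_FORW, hop_count)
              + ipaddress.IPv6Address(link_address).packed
              + ipaddress.IPv6Address(peer_address).packed)
    options = encode_option(OPT_INTERFACE_ID, interface_id)
    options += encode_option(OPT_REMOTE_ID, struct.pack("!I", enterprise_number) + remote_id)
    options += encode_option(OPT_RELAY_MSG, client_msg)
    return header + options


def parse_relay_forward(pkt):
    """Server-side view of a Relay-Forward: addresses, Option 18/37 and inner message type."""
    if len(pkt) < RELAY_HDR_LEN or pkt[0] != RELAY_FORW:
        raise ValueError("not a Relay-Forward message")
    info = {
        "hop_count": pkt[1],
        "link_address": str(ipaddress.IPv6Address(pkt[2:18])),
        "peer_address": str(ipaddress.IPv6Address(pkt[18:34])),
        "interface_id": None, "enterprise_number": None, "remote_id": None,
        "inner_msg_type": None,
    }
    for code, data in parse_options(pkt[RELAY_HDR_LEN:]):
        if code == OPT_INTERFACE_ID:
            info["interface_id"] = data
        elif code == OPT_REMOTE_ID:
            if len(data) < 4:
                raise ValueError("Option 37 shorter than its enterprise-number field")
            info["enterprise_number"] = struct.unpack("!I", data[:4])[0]
            info["remote_id"] = data[4:]
        elif code == OPT_RELAY_MSG and data:
            info["inner_msg_type"] = data[0]
    return info


# Constructed sample exchange (all values invented for the example)
SAMPLE_SOLICIT = build_client_solicit(0x123456, bytes.fromhex("00030001001122334455"))
SAMPLE_RELAY_FORW = build_relay_forward(
    SAMPLE_SOLICIT, "2001:db8:1::1", "fe80::1", b"GE0/1/0.100",
    2011, b"subscriber-0001")
```

Two things worth noticing from the server's side: the option walker bound-checks every length before slicing, which is the check that keeps a malformed relay packet from being misparsed, and Option 18/37 are asserted by the relay rather than by the client, so an address-assignment policy keyed on them (as in 8.7.4, Step 7) rests on the relay being the only path by which client messages reach the server.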

8.6.7 Verifying the DHCPv6 Relay Agent Configuration


After the DHCPv6 relay agent is configured, you can check the DHCPv6 server group
configurations, including the DHCPv6 server DUID and the address pool bound to the
domain.

Procedure
l Run the display ipv6 pool [ pool-name ] command to check the IPv6 address pool
configurations.
l Run the display ipv6 prefix [ prefix-name [ all | used ] ] command to check the IPv6
prefix pool configurations.
l Run the display dhcpv6-server statistics { ipv6-address [ vpn-instance vpn-instance ] |
interface interface-type interface-number } command to check packet statistics on a
DHCPv6 server.
l Run the display dhcpv6-server item { ipv6-address [ vpn-instance vpn-instance ] |
interface interface-type interface-number } command to check information about the
DHCPv6 server.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.


l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-
threshold } command to check information about domains whose IPv6 address pool or
prefix pool usage exceeds a specified threshold.
----End

8.7 Configuring a Delegating Router


The NE40E can be configured as a delegating router to allocate and recycle prefixes
according to the requests of requesting routers.

Usage Scenario
DHCPv6 PD is used to manage and configure IPv6 network segments.
On an IPv4 network, the NE40E uses DHCPv4 to allocate IPv4 addresses to the CPE; the
CPE allocates private IPv4 addresses to home users and forwards IPv4 packets through NAT.
On an IPv6 network, all users can obtain global unicast addresses. The CPE working in
unnumbered mode uses DHCPv6 to obtain the prefixes from the NE40E and allocates IPv6
addresses to the host.

Figure 8-3 Networking diagram of the NE40E as a delegating router
[Figure not reproduced. Labels: DHCPv6-PD; access network; Requesting; Delegating; DeviceA; DeviceB.]

Pre-configuration Tasks
Before configuring the NE40E as a delegating router, enable IPv6 on the interfaces.


Configuration Procedures

Figure 8-4 Flowchart for configuring a delegating router
[Figure not reproduced. Tasks in order: Configuring the DHCPv6 Server DUID; Configuring an IPv6 Delegation Prefix Pool; Configuring an IPv6 Delegation Address Pool; Binding an IPv6 Delegation Address Pool to a Domain. Legend: Mandatory, Optional.]

8.7.1 Configuring the DHCPv6 Server DUID


A DHCPv6 client uses a DHCPv6 server unique identifier (DUID) to identify the DHCPv6
server when the client communicates with the server.

Context
When the NE40E functions as a DHCPv6 server, the DHCPv6 server DUID should be
configured.

When the NE40E functions as a DHCPv6 relay agent and encapsulates Option 37 into Relay-
forward packets, the DHCPv6 server DUID should be configured.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dhcpv6 duid { dhcpv6 duid | llt }

A DUID is configured for a DHCPv6 server.

When a DHCPv6 client interacts with a DHCPv6 server, each of the client and server is
identified by a unique DUID. A DHCPv6 server identifies a DHCPv6 client with a client
DUID and uses the client DUID in the local address allocation; a DHCPv6 client identifies a
DHCPv6 server with a server DUID.

Step 3 Run commit

The configuration is committed.

----End
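The llt keyword in Step 2 names DUID-LLT, the link-layer-address-plus-time identifier defined in RFC 8415. The Python below is an added example for this guide, not NE40E code: it builds a DUID-LLT (and, for comparison, a DUID-LL) from a MAC address and a timestamp, renders it as the hex string a fixed DUID would be typed as, and decodes it again. The MAC address and timestamp are constructed sample values; that the NE40E generates its llt DUID in exactly this RFC layout is an assumption, and the 130-octet limit is the RFC's, not the device's.

```python
import struct
from datetime import datetime, timedelta, timezone

DUID_LLT, DUID_LL = 1, 3      # DUID type codes (RFC 8415)
HW_ETHERNET = 1               # IANA ARP hardware type for Ethernet
DUID_MAX_LEN = 130            # RFC 8415: a DUID is at most 130 octets
EPOCH_2000 = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base


def mac_to_bytes(mac):
    """Accept 00:11:22:33:44:55 or 00-11-22-33-44-55 and return the 6 raw octets."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address, got %d bytes" % len(raw))
    return raw


def duid_llt(mac, generated_at):
    """DUID-LLT: type(2) | hw-type(2) | seconds since 2000-01-01 UTC mod 2^32 (4) | MAC."""
    seconds = int((generated_at - EPOCH_2000).total_seconds()) & 0xFFFFFFFF
    return struct.pack("!HHI", DUID_LLT, HW_ETHERNET, seconds) + mac_to_bytes(mac)


def duid_ll(mac):
    """DUID-LL: type(2) | hw-type(2) | MAC (no time field, so it is stable but not unique per reinstall)."""
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + mac_to_bytes(mac)


def parse_duid(duid):
    """Decode a DUID; unknown types are returned as opaque hex so callers can still compare them."""
    if len(duid) < 3 or len(duid) > DUID_MAX_LEN:
        raise ValueError("DUID length %d outside 3..%d octets" % (len(duid), DUID_MAX_LEN))
    dtype = struct.unpack_from("!H", duid)[0]
    if dtype == DUID_LLT:
        if len(duid) < 8:
            raise ValueError("DUID-LLT too short for its fixed fields")
        hw_type, seconds = struct.unpack_from("!HI", duid, 2)
        return {"type": "LLT", "hw_type": hw_type, "time": seconds,
                "generated_at": EPOCH_2000 + timedelta(seconds=seconds),
                "lladdr": duid[8:].hex(":")}
    if dtype == DUID_LL:
        hw_type = struct.unpack_from("!H", duid, 2)[0]
        return {"type": "LL", "hw_type": hw_type, "lladdr": duid[4:].hex(":")}
    return {"type": dtype, "identifier": duid[2:].hex()}


def duid_to_config_string(duid):
    """Hex form, the shape in which a fixed DUID is typed into a configuration."""
    return duid.hex()
```

Because the time field is part of the identifier, a DUID-LLT regenerated on every restart is a different identifier each time; the DUID-based reservation types in 8.7.2 only hold if the DUID is persisted, which is the reason to record the generated value rather than let it be re-derived.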


8.7.2 Configuring an IPv6 Delegation Prefix Pool


When the NE40E functions as a delegating router, an IPv6 delegation prefix pool needs to be
configured to manage prefixes.

Context
l Prefix configuration
Only one prefix and one mask can be configured for a local prefix pool. The mask length
ranges from 1 bit to 128 bits.
l Prefix locking configuration
After a prefix pool is locked, the leases of prefixes that have been allocated cannot be
extended and new addresses cannot be allocated.
l Address conflict resolution configuration
If an IPv6 address status conflict is resolved, the address can be allocated to another user.
l Binding an IPv6 prefix pool to a VPN instance
After a prefix pool is bound to a VPN instance, prefixes in the prefix pool can be
allocated to VPN users.
l Prefix lease configuration
A preferred prefix lifetime and valid prefix lifetime can be configured. The default value
for the preferred prefix lifetime is 2 days, and the default value for the valid prefix
lifetime is 3 days. The preferred prefix lifetime is used to limit the lease renewal time
and rebinding time. By default, the lease renewal time accounts for 50% of the preferred
prefix lifetime, and rebinding time accounts for 80% of the preferred lifetime. The valid
prefix lifetime specifies the validity period in which an address can be used.
l Address reservation configuration
Addresses in the local prefix pool have four reservation types:
– 1: MAC reservation
– 2: MAC+lease-based reservation
– 3: DUID reservation
– 4: DUID+lease-based reservation
l Address withdrawal
The address of an offline user can be withdrawn using the recycle prefix command.
l Exclusive prefix pool configuration
The delegation prefix pool can be used to allocate unshared prefixes to ND users or
prefixes only to DHCPv6 (IA_PD) users.
l Prefix exclusion
In complex network planning, some IPv6 prefixes cannot be allocated to users.
l Address exclusion
In complex network planning, some IPv6 addresses cannot be allocated to users.
Perform the following steps on the NE40E.

Procedure
Step 1 Run system-view


The system view is displayed.

Step 2 Run ipv6 prefix prefix-name delegation
An IPv6 delegation prefix pool is created, and the IPv6 prefix pool view is displayed.
Step 3 Run prefix prefix-address/prefix-length [ delegating-prefix-length delegating-prefix-length ]
The IPv6 address prefix is configured.
prefix-length specifies the length of the prefix in the delegation prefix pool. The value is an
integer ranging from 1 to 128.
delegating-prefix-length specifies the length of an IPv6 prefix assigned by the delegating
router to a requesting router. The configured length of prefixes to be assigned from a
delegation prefix pool must be greater than the length of prefixes in the delegation prefix
pool. Otherwise, the delegating router cannot assign prefixes from the delegation prefix pool
to clients.
Step 4 (Optional) Run lock
The IPv6 prefix pool is locked.
No prefix in the locked IPv6 prefix pool can be allocated, preventing new users from getting
online using the IPv6 prefix pool.
This command applies to a scenario where the IPv6 prefix pool cannot be deleted because it is
being used by online users. Lock the IPv6 prefix pool first to stop it from allocating prefixes.
The prefixes in the IPv6 prefix pool will be released when the users get offline. Then the IPv6
prefix pool can be deleted.
Step 5 (Optional) Run vpn-instance vpn-instance-name
The VPN instance is configured for the prefix pool.
Step 6 (Optional) Run lifetime preferred-lifetime { days days-value [ hours hours-value [ minutes
minutes-value ] ] | infinite } valid-lifetime { days days-value [ hours hours-value [ minutes
minutes-value ] ] | infinite }
The preferred lifetime and valid lifetime of IPv6 prefixes are configured.
preferred-lifetime of the IPv6 prefixes in the command is used by the system to calculate the
lease renewal time and rebinding time of the IPv6 prefix pool. The time must be no less than
1 minute. The default value is 2 days.
valid-lifetime specifies the validity period of the prefixes. The users using the prefixes will be
logged off after the validity period expires. The valid-lifetime must be no less than 1 minute,
nor less than the preferred prefix lifetime. The default value is 3 days.
Step 7 (Optional) Run reserved prefix { duid | mac } [ lease ]
The reservation type of user prefixes in the prefix pool is configured.
Step 8 (Optional) Run recycle prefix start-prefix [ end-prefix ]
The prefix status is set to idle.
Step 9 (Optional) Run pd-unshare-only
The delegation prefix pool is configured only for DHCPv6 IA_PD prefix allocation.
After the pd-unshare-only command is run for a delegation prefix pool, this prefix pool can
be used only for DHCPv6 IA_PD prefix allocation and is preferred in DHCPv6 IA_PD prefix
allocation.
Step 10 (Optional) Run dhcpv6-unshare-only
The prefix pool is configured to assign only IPv6 addresses, not prefixes, to users.

NOTE

The dhcpv6-unshare-only command is mutually exclusive with the following commands:


l slaac-unshare-only
l pd-unshare-only
l client-duid client-duid bind prefix prefix-address

Step 11 (Optional) Run frame-ipv6 lease manage


The NE40E is enabled to manage the leases of RADIUS-delivered IPv6 addresses that are in
the supported address pools.

NOTE

To enable the NE40E to manage the leases of RADIUS-delivered IPv6 addresses that are not in the supported
address pools, run the access frame-ipv6 lease manage pool-exclude command in the system view.

Step 12 Run commit


The configuration is committed.

----End
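Steps 3, 4, 6, 7 and 8 above describe one data structure: a pool prefix sliced into prefixes of delegating-prefix-length, lifetimes from which the renewal (T1) and rebinding (T2) times are derived, a lock that stops new allocations, reservations keyed by DUID or MAC, and recycling of a prefix back to idle. The Python below is an added model written for this guide and is not NE40E code; it also carries the 50%/80% renew-time-percent and rebind-time-percent defaults of 8.7.3 Step 7, so the lease timers of both sections can be checked with the same object. The pool name, prefixes and client identifiers are constructed sample values, the lease-based reservation variants are not modelled, and first-free allocation order is an assumption.

```python
import ipaddress
from datetime import timedelta


class DelegationPrefixPool:
    """Toy model of an IPv6 delegation prefix pool (example code, not the NE40E implementation).

    prefix                   -- pool prefix, e.g. "2001:db8::/48" (prefix-address/prefix-length)
    delegating_prefix_length -- length of the prefixes handed to requesting routers; must be
                                longer than the pool prefix, as the guide requires
    preferred / valid        -- preferred and valid lifetimes (defaults 2 days / 3 days)
    renew/rebind percent     -- T1/T2 as a share of the preferred lifetime (defaults 50% / 80%)
    """

    def __init__(self, name, prefix, delegating_prefix_length,
                 preferred=timedelta(days=2), valid=timedelta(days=3),
                 renew_percent=50, rebind_percent=80):
        net = ipaddress.IPv6Network(prefix, strict=True)
        if not net.prefixlen < delegating_prefix_length <= 128:
            raise ValueError("delegating-prefix-length must be greater than the pool prefix length")
        if preferred < timedelta(minutes=1) or valid < preferred:
            raise ValueError("lifetimes must be at least 1 minute and valid >= preferred")
        self.name = name
        self.net = net
        self.delegating_len = delegating_prefix_length
        self.preferred = preferred
        self.valid = valid
        self.renew_percent = renew_percent
        self.rebind_percent = rebind_percent
        self.locked = False
        self.assigned = {}     # delegated prefix (str) -> client id (DUID or MAC as a string)
        self.reserved = {}     # client id -> prefix reserved for it (duid / mac reservation)
        self.excluded = set()  # prefixes that must never be delegated (prefix exclusion)

    def capacity(self):
        """Number of delegating-length prefixes the pool can hand out."""
        return 2 ** (self.delegating_len - self.net.prefixlen)

    def lease_timers(self):
        """(T1, T2) in seconds, derived from the preferred lifetime."""
        pref = int(self.preferred.total_seconds())
        return pref * self.renew_percent // 100, pref * self.rebind_percent // 100

    def reserve(self, client_id, prefix):
        net = ipaddress.IPv6Network(prefix, strict=True)
        if net.prefixlen != self.delegating_len or not net.subnet_of(self.net):
            raise ValueError("reserved prefix must be a delegating-length prefix inside the pool")
        self.reserved[client_id] = str(net)

    def exclude(self, prefix):
        self.excluded.add(str(ipaddress.IPv6Network(prefix, strict=True)))

    def lock(self):
        self.locked = True

    def unlock(self):
        self.locked = False

    def allocate(self, client_id):
        """Delegate a prefix to client_id, honouring the lock, reservations and exclusions."""
        if self.locked:
            raise RuntimeError("pool %s is locked: no new prefixes are allocated" % self.name)
        wanted = self.reserved.get(client_id)
        if wanted is not None:
            holder = self.assigned.get(wanted)
            if holder not in (None, client_id):
                raise RuntimeError("reserved prefix %s is still held by %s" % (wanted, holder))
            self.assigned[wanted] = client_id
            return wanted
        reserved_for_others = set(self.reserved.values())
        for sub in self.net.subnets(new_prefix=self.delegating_len):
            p = str(sub)
            if p in self.assigned or p in self.excluded or p in reserved_for_others:
                continue
            self.assigned[p] = client_id
            return p
        raise RuntimeError("pool %s exhausted" % self.name)

    def release(self, prefix):
        """Return a prefix to the idle state (what user logout or recycle prefix does)."""
        self.assigned.pop(str(ipaddress.IPv6Network(prefix)), None)
```

The lock/release sequence is the deletion procedure of Step 4 (lock, wait for users to go offline, then delete), and the ValueError on a delegating length that is not longer than the pool prefix is the Step 3 rule that otherwise leaves the pool silently unable to assign anything.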

8.7.3 Configuring an IPv6 Delegation Address Pool


Configuring an IPv6 delegation address pool involves configuring the prefix pool to which
the address pool is bound, setting the preference value of the address pool, and configuring
other services such as a DNS server or a DNS suffix.

Context
l Prefix binding
A prefix pool can be bound to only one address pool. Similarly, an address pool can be
bound to only one prefix pool. Table 8-1 shows the binding between address pools and
prefix pools.

Table 8-1 Binding between address pools and prefix pools

Address Pool Type                   Prefix Pool for Binding
User-side local address pool        Local prefix pool
User-side delegation address pool   Delegation prefix pool
User-side relay address pool        Local prefix pool
User-side remote address pool       Remote prefix pool

l Priority configuration
Among address pools of the same type, the greater the preference value of an address pool,
the higher its priority.


In NDRA address allocation mode, BAS local address pools are used to allocate shared
prefixes, while BAS delegation address pools are used to allocate unshared prefixes. A
BAS delegation address pool configured with slaac-unshare-only takes precedence over
other BAS delegation address pools.
l Address pool binding configuration
An IPv6 address pool whose addresses are in use cannot be deleted. To delete an IPv6
address pool, first run the lock command in the IPv6 address pool view to lock the pool
and then delete it after all online users have logged out.
l DNS suffix configuration
Only one domain name suffix can be set for an IPv6 address pool.
l DNS server configuration
A maximum of two DNS servers can be bound to an IPv6 address pool.
l Address lease configuration
If an IPv6 address pool has been bound to a domain, the address lease cannot be
changed.

Perform the following steps on the NE40E.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ipv6 pool pool-name bas delegation

An IPv6 address pool is created, and the view of the IPv6 address pool is displayed.

Step 3 Run prefix prefix-name

The IPv6 address pool is bound to an IPv6 prefix pool.

Step 4 (Optional) Run preference preference-value

A priority value is set for the IPv6 address pool.

The default value is 255.

Step 5 (Optional) Run dns-search-list dns-search-list-name

A DNS suffix is configured to perform domain name resolution.

Step 6 (Optional) Run dns-server ipv6-address &<1-2>

A DNS server is specified for an IPv6 address pool. An IPv6 address is used to specify a DNS
server.

Step 7 (Optional) Run renew-time-percent renew-time-percent rebind-time-percent rebind-time-percent

A lease renewal time and rebinding time are set for the IPv6 address pool.

By default, the renewal time for an IPv6 address pool is 50% of the preferred lifetime and the
rebinding time is 80% of the preferred lifetime.


Step 8 (Optional) Run option code { ipv6-address ipv6-address & <1-2> | string string | hex hex-
string | { suboption subcode { ipv6-address ipv6-address | string string | hex hex-string } }
& <1-16> }
A DHCPv6 user-defined option is configured.
Step 9 Run commit
The configuration is committed.

----End

8.7.4 Binding an IPv6 Delegation Address Pool to a Domain


After an IPv6 delegation address pool is bound to a domain, users in the domain can be
assigned prefixes from the address pool.

Prerequisites
An IPv6 delegation address pool has been configured.

Context
Perform the following steps on the router.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
A domain is created and the AAA domain view is displayed.
Step 4 Run ipv6-pool pool-name
An IPv6 delegation address pool is bound to the domain.
Step 5 (Optional) Run ipv6-warning-threshold { upper-limit-value | lower-limit lower-limit-value }
Threshold for the usage of IPv6 addresses and prefixes is configured.
Step 6 (Optional) Run prefix-assign-mode unshared
IPv6 prefix allocation mode is set to unshared mode. IPv6 users do not share the same IPv6
prefix.
Step 7 (Optional) Configure different users of a home connected to the network through a hub to
communicate with each other directly rather than through a BRAS.
NOTE
You must run the dhcpv6-unshare-only command in the IPv6 prefix pool view before performing this
step.

1. Run ipv6-address assign { circuit-id | remote-id } *


The device is configured to assign IPv6 addresses to users based on the Option 18 or
Option 37 attribute.
2. Run ipv6 nd ra link-prefix
The device is configured to send RA packets carrying the first 64 bits of the addresses
assigned to IPv6 users as on-link prefixes.
Step 8 Run commit
The configuration is committed.

----End

8.7.5 Verifying the Delegating Router Configuration


After configuring a delegating router, you can view the configurations of the IPv6 address
pool and the prefix pool, and statistics about the DHCPv6 server.

Procedure
l Run the display ipv6 pool [ pool-name ] command to check the IPv6 address pool
configurations.
l Run the display ipv6 prefix [ prefix-name [ all | used | start-ipv6-prefix [ end-ipv6-
prefix ] ] ] command to check the IPv6 prefix pool configurations.
l Run the display dhcpv6 upgrade command to check the lease configured for DHCPv6 users
in preparation for a device restart.
l Run the display dhcpv6-access user-table command to query the detailed information
about online DHCPv6 users.
l Run the display dhcpv6-access statistic command to check statistics about packets
exchanged between users and the DHCPv6 server.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-
threshold } command to check information about domains whose IPv6 address pool or
prefix pool usage exceeds a specified threshold.
----End

Example
Run the display ipv6 pool command to view brief information about all IPv6 address
pools.
<HUAWEI> display ipv6 pool
----------------------------------------------------------------------
Pool name : lj
Pool No : 3
Pool constant index: -
Pool type : BAS LOCAL
RUI-Flag : -
Preference : 255
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : infinite
Used by domain : 0
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable

Dns list : -
Dns server master : -
Dns server slave : -
AFTR name : -
Warning Threshold : 10
Warning Exhaust Switch: TRUE
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
lj LOCAL
----------------------------------------------------------------------

Run the display ipv6 prefix command to view the configuration of all IPv6 prefix
pools.
<HUAWEI> display ipv6 prefix
-------------------------------------------------------------------------------
Index  Name      Address/Length   Type         Constant-index
-------------------------------------------------------------------------------
0      dg        2021::/46        DELEGATION   -
1      dl        -                REMOTE       -
2      dpc       2011::/64        LOCAL        -
3      god6      2012::/64        LOCAL        -
4      prefix1   -                LOCAL        -
5      tt        1000::/64        LOCAL        -
6      wm        1111::/64        LOCAL        -
7      ww        2222::/46        DELEGATION   -
-------------------------------------------------------------------------------
Total created prefix pool(s): 8

Run the display dhcpv6 upgrade command to view the leases of DHCPv6 users.
<HUAWEI> display dhcpv6 upgrade
DHCPv6 upgrade: enable.
Preferred lifetime: 0days 0hours 30minutes
Valid lifetime: 0days 1hours 0minutes
Renew time percent: 50%
Rebind time percent:80%
Renew time: 0days 0hours 15minutes
Rebind time: 0days 0hours 24minutes
Access DHCPv6 user count of new lifetime: 100
Access DHCPv6 user count of old lifetime: 100
Access DHCPv6 user count of infinite lifetime: 10
Max interval from current for old lifetime DHCPv6 user renew: 0days 0hours 15minutes

Run the display dhcpv6-access user-table command to view detailed information
about the DHCPv6 user whose user-id is 2.
<HUAWEI> display dhcpv6-access user-table user-id 2
-------------------------------------------------------------------
Interface : GigabitEthernet0/1/0.3
SVLAN/CVLAN : 3/0
User Link-Local Address : FE80::202:1FF:FE01:10C
User Address Type : IA_NA
DNS search list : -
AFTR name : -
Option15 : 01 02 03 04 05 06 07 08 09
User DUID : 00 03 00 01 00 02 01 01 01 0C
User MAC Address : 0002-0101-010C
User-ID : 2
Index : 1
User State : ONLINE

VPN Instance : -
Session ID : 2147483649
Client DUID to Remote Server : 00 02 00 00 07 DB FF FF 80 00 00 01 01 01 01 01 01 01 00 00
User IPV6 address : 1100::1
T1 : 86400
T2 : 138240
Prefer time : 2 days 0 hours 0 minutes
Valid time : 3 days 0 hours 0 minutes
IA_ID : 38
Prefix length : 128
Lease : 2012/01/23 14:23:39 --- 2012/01/26 14:23:39
Remain-Lease(Sec) : 259029
Address Pool Name : csj-local
User IPV6 PD prefix : 2200::
T1 : 86400
T2 : 138240
Prefer time : 2 days 0 hours 0 minutes
Valid time : 3 days 0 hours 0 minutes
IA_ID : 9
Prefix length : 64
Lease : 2012/01/23 14:23:39 --- 2012/01/26 14:23:39
Remain-Lease(Sec) : 258811
Address Pool Name : csj-del
PCP server name(option 80) : www.pcpserver.com
-------------------------------------------------------------------

Run the display dhcpv6-access statistic command to view statistics about packets
exchanged between users and the DHCPv6 server.
<HUAWEI> display dhcpv6-access statistic
-------------------------------------------------------------------------
Received Packets
-------------------------------------------------------------------------
Total Packets : 40

Received from Clients : 40


Solicit Packets : 8
Request Packets : 11
Renew Packets : 0
Rebind Packets : 0
Confirm Packets : 0
Release Packets : 7
Decline Packets : 0

Received from Servers : 0


Advertise Packets : 0
Reply Packets : 0

Received Invalid Packets : 22


Invalid UDP Length : 0
NULL Client DUID : 5
NULL Server DUID : 9
NULL IA Option : 8
Invalid IA Option Length : 0
Invalid Client DUID Length : 0
Invalid Server DUID Length : 0
Invalid Server DUID : 0
Invalid Unicast Option : 0
Invalid Preference Option : 0
Other Invalid Packets : 0
vCPE Not Support Packet : 0

-------------------------------------------------------------------------
Sent Packets
-------------------------------------------------------------------------
Total Packets : 18

Sent to Clients : 18

Advertise Packets : 8
Reply Packets : 10

Sent to Servers : 0
Solicit Packets : 0
Request Packets : 0
Renew Packets : 0
Rebind Packets : 0
Confirm Packets : 0
Release Packets : 0
Decline Packets : 0

-------------------------------------------------------------------------

Run the display ipv6-pool max-ratio domain command to view information about IPv6
address pool or prefix pool usage in all domains on the device.
<BASE_VNFC1> display ipv6-pool max-ratio domain
----------------------------------------------------------------------------
Domain name:
                  Address   Current   Max   Time
     NDRA Unshared Prefix   Current   Max   Time
        Delegation Prefix   Current   Max   Time
----------------------------------------------------------------------------
isp2
                            10%       40%   2012-08-07 15:31:50
                            0         0     -
                            0         0     -
----------------------------------------------------------------------------

Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-threshold }
command to view information about domains whose IPv6 address pool or prefix pool usage
exceeds a specified threshold.
<BASE_VNFC1> display ipv6-pool pool-usage upper-threshold
--------------------------------------------------------
Domain name:
                  Address   PoolLen   Used     Ratio
     NDRA unshared Prefix   PoolLen   Used     Ratio
        Delegation Prefix   PoolLen   Used     Ratio
--------------------------------------------------------
domain1(up)
                            262144    252222   90%
                            0         0        0%
                            0         0        0%
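The statistic and pool-usage outputs above are the first place to look when DHCPv6 users fail to come online or when an access port is sending malformed requests. The following added example, which is not part of this guide or of Huawei's software, parses the text of display dhcpv6-access statistic and reports which invalid-packet counters are non-zero; the sample text is an abridged copy of the output shown above, and the 10% alert threshold is an assumed operating value.

```python
"""Parse 'display dhcpv6-access statistic' output and flag invalid-packet counters.

Added example (not Huawei's code): the sample text is an abridged copy of the
output shown in the guide, and the alert threshold is an assumed operating value.
"""
import re
from typing import Dict, List, Tuple

# Counter names the device prints under "Received Invalid Packets".
INVALID_COUNTERS = (
    "Invalid UDP Length", "NULL Client DUID", "NULL Server DUID", "NULL IA Option",
    "Invalid IA Option Length", "Invalid Client DUID Length",
    "Invalid Server DUID Length", "Invalid Server DUID", "Invalid Unicast Option",
    "Invalid Preference Option", "Other Invalid Packets", "vCPE Not Support Packet",
)

# Constructed sample: abridged from the display output (names and values as printed).
SAMPLE_OUTPUT = """\
-------------------------------------------------------------------------
Received Packets
-------------------------------------------------------------------------
Total Packets : 40
Received from Clients : 40
Solicit Packets : 8
Request Packets : 11
Release Packets : 7
Received from Servers : 0
Received Invalid Packets : 22
Invalid UDP Length : 0
NULL Client DUID : 5
NULL Server DUID : 9
NULL IA Option : 8
Invalid IA Option Length : 0
Other Invalid Packets : 0
-------------------------------------------------------------------------
Sent Packets
-------------------------------------------------------------------------
Total Packets : 18
Sent to Clients : 18
Advertise Packets : 8
Reply Packets : 10
Sent to Servers : 0
-------------------------------------------------------------------------
"""

COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$")


def parse_statistic(text: str) -> Dict[str, Dict[str, int]]:
    """Return {section: {counter: value}}; the 'Received Packets' / 'Sent Packets'
    titles become sections, so the repeated counter names do not collide."""
    sections: Dict[str, Dict[str, int]] = {}
    current = "Header"
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue
        m = COUNTER_RE.match(line)
        if m:
            sections.setdefault(current, {})[m.group(1)] = int(m.group(2))
        else:
            current = stripped  # a title line starts a new section
    return sections


def invalid_reasons(received: Dict[str, int]) -> List[Tuple[str, int]]:
    """Non-zero invalid-packet counters, in the order the device prints them."""
    return [(name, received[name]) for name in INVALID_COUNTERS if received.get(name, 0) > 0]


def check(text: str, max_invalid_ratio: float = 0.10) -> dict:
    """Summarise received traffic and raise an alert when the share of invalid
    packets exceeds max_invalid_ratio (assumed threshold)."""
    received = parse_statistic(text)["Received Packets"]
    total = received.get("Total Packets", 0)
    invalid = received.get("Received Invalid Packets", 0)
    reasons = invalid_reasons(received)
    return {
        "total": total,
        "invalid": invalid,
        "ratio": (invalid / total) if total else 0.0,
        "reasons": reasons,
        # the per-reason counters should add up to the invalid total
        "consistent": sum(v for _, v in reasons) == invalid,
        "alert": total > 0 and invalid / total > max_invalid_ratio,
    }


if __name__ == "__main__":
    result = check(SAMPLE_OUTPUT)
    print(f"invalid {result['invalid']}/{result['total']} ({result['ratio']:.0%})")
    for name, value in result["reasons"]:
        print(f"  {name}: {value}")
```

The script is meant to be fed the captured command output (for example, from a scheduled collection job); a rising share of "NULL Client DUID" or "NULL IA Option" packets on one interface points at a misbehaving or malformed client rather than at the server configuration.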

8.8 (Optional) Adjusting DHCPv6 Service Parameters


Configure transparent transmission of DHCPv6 packets, unicast mode, and two-message
exchange between a DHCPv6 client and a DHCPv6 server based on actual network
conditions.

8.8.1 (Optional) Configuring Global DHCPv6 Parameters


Configure transparent transmission of DHCPv6 packets, unicast mode, and two-message
exchange between a DHCPv6 client and a DHCPv6 server based on actual network
conditions.

Context
l Transparent transmission of DHCPv6 packets and the speed threshold at which solicit
packets are sent

When receiving a DHCPv6 Solicit packet from a user terminal that is already online, the NE40E
forces the user to go offline and waits until the user sends another DHCPv6 Solicit packet to
obtain an address through DHCPv6.
If a user terminal that does not support retransmission of DHCP Solicit packets is
restarted immediately after a user logout, the NE40E is unable to detect the logout event.
In this case, run the dhcpv6 through-packet command to enable transparent
transmission of DHCPv6 packets so that the user can normally log in to the NE40E.
The dhcpv6 solicit-speed-threshold command is used when the speed at which users go
online needs to be limited.
l DHCPv6 server unicast mode and two-message exchange between a DHCPv6 client and
a DHCPv6 server
The dhcpv6 unicast-option command must be run if the DHCPv6 server needs to
communicate with DHCPv6 clients in unicast mode.
In certain situations, for example, when a DHCPv6 client retains the last IP address it
was allocated, the client can obtain an IP address through a rapid two-message exchange
if the Solicit packet sent from the client contains the Rapid Commit option and the server
also supports this option.

Perform the following steps on the NE40E.

Procedure
l Configure transparent transmission of DHCPv6 packets.
a. Run system-view

The system view is displayed.


b. Run dhcpv6 through-packet

The function for transparently transmitting DHCPv6 packets is configured.


c. Run dhcpv6 solicit-speed-threshold packet-number seconds

The dhcpv6 solicit-speed-threshold command configures the speed threshold at
which solicit packets are received.

The more solicit packets are sent within a specified time period, the faster users go
online.
l Configure DHCPv6 server unicast mode and two-message exchange between a DHCPv6
client and a DHCPv6 server.
a. Run system-view

The system view is displayed.


b. (Optional) Run dhcpv6 rapid-commit

The DHCPv6 server is configured to support rapid two-message exchange (solicit,
reply).

This command run in the system view allows all DHCPv6 clients with the Rapid
Commit option to obtain IP addresses through a rapid two-message exchange.
Without this command run in the system view, the dhcpv6 rapid-commit
command configured in the view of the IPv6 address pool allocated by the client
determines whether to use a rapid two-message exchange.
c. Run ipv6 pool pool-name { bas { local | delegation | relay } }

An IPv6 address pool is created, and the IPv6 address pool view is displayed.
d. (Optional) Run dhcpv6 unicast-option

Unicast mode is configured on the DHCPv6 server. Then, the DHCPv6 server can
receive unicast DHCPv6 messages and instruct the DHCPv6 clients to
communicate with the DHCPv6 server in unicast mode.
e. (Optional) Run dhcpv6 rapid-commit

The DHCPv6 server is configured to support rapid two-message exchange (solicit,
reply).

----End

8.8.2 (Optional) Enabling the Device to Parse Option 37 of Any Format in DHCPv6 Solicit or Request Messages

The device can be enabled to parse Option 37 of any format in DHCPv6 solicit or request
messages.

Context
In DHCPv6 scenarios, Layer 2 relay agents insert Option 37 to the relay header of Relay-
forward messages. When the NE40E receives the Relay-forward messages, the NE40E can
parse Option 37. However, if Layer 2 relay agents insert Option 37 to DHCPv6 Solicit or
Request messages instead of the relay header of Relay-forward messages, the NE40E can
parse Option 37 only if it is 10 or 16 bytes in length. In this case, configure the NE40E to
parse Option 37 of any format in DHCPv6 Solicit or Request messages.

Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dhcpv6 option-37 any-format decode enable

The NE40E is enabled to parse Option 37 of any format in DHCPv6 Solicit or Request
messages.

Step 3 Run commit

The configuration is committed.

----End
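The rapid-commit and unicast settings of 8.8.1, the invalid-packet counters of 8.7.5, and the Option 37 parsing of this section all concern fields inside a DHCPv6 Solicit or Request. The following added example, which is not part of this guide or of Huawei's software, builds such a message, walks its option list with length checks, reports why a message would be rejected (the reason names follow the counters of display dhcpv6-access statistic; which check maps to which counter is an assumption), detects the Rapid Commit option, and decodes Option 37 either in the 10- or 16-byte form the text mentions or in any length. The DUID is the one shown in the user-table output above; the enterprise number 2011 and the remote-id string are constructed sample values.

```python
"""DHCPv6 Solicit/Request parser: the fields the device counts as invalid, the
Rapid Commit option, and Option 37 (Remote-ID) of any length.
Added example, not Huawei's code; the DUID is the one from the user-table output
in the guide, the enterprise number and remote-id string are constructed samples."""
import struct
from typing import List, Optional, Tuple

SOLICIT, REQUEST = 1, 3                       # message types (RFC 8415)
OPT_CLIENTID, OPT_IA_NA, OPT_RAPID_COMMIT, OPT_IA_PD = 1, 3, 14, 25
OPT_REMOTE_ID = 37                            # RFC 4649: enterprise number + remote-id
Option = Tuple[int, bytes]


def build_option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def build_solicit(xid: int, duid: bytes, iaid: int, rapid_commit: bool = True,
                  remote_id: Optional[bytes] = None, include_ia: bool = True) -> bytes:
    """msg-type, 3-byte transaction id, then TLV options."""
    msg = bytes([SOLICIT]) + xid.to_bytes(3, "big") + build_option(OPT_CLIENTID, duid)
    if include_ia:
        msg += build_option(OPT_IA_NA, struct.pack("!III", iaid, 0, 0))  # IAID, T1, T2
    if rapid_commit:
        msg += build_option(OPT_RAPID_COMMIT, b"")
    if remote_id is not None:   # Option 37 inserted into the Solicit by a Layer 2 relay agent
        msg += build_option(OPT_REMOTE_ID, remote_id)
    return msg


def parse_options(buf: bytes) -> List[Option]:
    """Walk the TLV list; reject headers or data that run past the message."""
    opts: List[Option] = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option length exceeds message")
        opts.append((code, buf[off:off + length]))
        off += length
    return opts


def parse_message(pkt: bytes) -> Tuple[int, int, List[Option]]:
    if len(pkt) < 4:
        raise ValueError("message shorter than the fixed header")
    return pkt[0], int.from_bytes(pkt[1:4], "big"), parse_options(pkt[4:])


def is_well_formed(pkt: bytes) -> bool:
    try:
        parse_message(pkt)
        return True
    except ValueError:
        return False


def reject_reason(pkt: bytes) -> Optional[str]:
    """None if acceptable, else a reason named after the matching 'Received Invalid
    Packets' counter in the display output (assumed mapping of the checks)."""
    msg_type, _, opts = parse_message(pkt)
    if msg_type not in (SOLICIT, REQUEST):
        return "Other Invalid Packets"
    client_ids = [data for code, data in opts if code == OPT_CLIENTID]
    if not client_ids or client_ids[0] == b"":
        return "NULL Client DUID"
    ias = [data for code, data in opts if code in (OPT_IA_NA, OPT_IA_PD)]
    if not ias:
        return "NULL IA Option"
    if any(len(data) < 12 for data in ias):   # IAID + T1 + T2 precede the sub-options
        return "Invalid IA Option Length"
    return None


def wants_rapid_commit(opts: List[Option]) -> bool:
    """True when the client asked for the two-message (Solicit/Reply) exchange."""
    return any(code == OPT_RAPID_COMMIT for code, _ in opts)


def decode_remote_id(data: bytes, any_format: bool = False) -> Optional[Tuple[int, bytes]]:
    """Without any_format only the 10- and 16-byte forms the guide mentions are
    accepted (assumed model of the default); with it, any length holding the
    4-byte enterprise number is."""
    if len(data) < 4 or (not any_format and len(data) not in (10, 16)):
        return None
    return struct.unpack("!I", data[:4])[0], data[4:]


# Constructed sample: DUID-LL shown in the user-table output; enterprise
# number 2011 and remote-id "user-port-7" are sample values (15-byte option).
SAMPLE_DUID = bytes.fromhex("0003000100020101010c")
SAMPLE_REMOTE_ID = struct.pack("!I", 2011) + b"user-port-7"
SAMPLE_SOLICIT = build_solicit(0x00A1B2, SAMPLE_DUID, 38, remote_id=SAMPLE_REMOTE_ID)
```

With the 15-byte Option 37 in the sample, decode_remote_id returns nothing unless any_format is set, which is the situation the dhcpv6 option-37 any-format decode enable command addresses; the length checks in parse_options are what keeps a truncated or oversized option from being read past the end of the message.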

8.8.3 (Optional) Shortening the User Address Lease Before a DHCPv6 Server Restarts

The user address lease can be shortened before a DHCPv6 server restarts. This change allows
DHCP users to get online a short period of time after the DHCPv6 server restarts due to an
upgrade without restarting the terminal.

Context
When the NE40E is being upgraded, DHCPv6 users cannot detect that the link goes Down
and dial-up again like PPP users. Therefore, these users do not redial to get online. Instead,
the terminal must be restarted to trigger a DHCPv6 request so that the users can obtain IP
addresses to get online again. In the current upgrade solution, the address pool lease time is
shortened at the lease renewal time before the upgrade date. This solution ensures that the
terminal can send lease renewal packets in a shorter period of time after the device is
upgraded to allow DHCPv6 users to get online again.

This upgrade solution has two disadvantages:


l Changing the address pool lease takes effect only for users that obtain addresses from
local address pools. The address lease delivered by a RADIUS server is not changed.
The users that have obtained addresses from the RADIUS server have to wait a
comparatively long period of time to get online again.
l The address pool lease is configured in the address pool view. Manually changing the
lease configurations of all the address pools brings a huge workload.

Using the dhcpv6 upgrade command in the system view to change the address lease for all
DHCP users attached to the device solves these problems.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dhcpv6 upgrade preferred-lifetime day [ hour [ minute ] ] valid-lifetime day [ hour
[ minute ] ] [ renew-time-percent renew-time-percent ] [ rebind-time-percent rebind-time-
percent ]

The address lease for all DHCPv6 users attached to the device is configured.

After the dhcpv6 upgrade command is used, the lease configured in the system view takes
effect for new users, online users that need to renew the lease, users using addresses/prefixes
in local and Delegation address pools, and users using addresses/prefixes delivered by a
RADIUS server.

No configuration file will be generated after the dhcpv6 upgrade command is used. To view
the configuration result, run the display dhcpv6 upgrade command. The dhcpv6 upgrade
command becomes invalid after the device restarts.

If a short lease is configured, a large number of users will renew their lease at the same time,
causing high CPU usage. Therefore, configuring a short lease is not recommended unless the
device needs to be upgraded.

Step 3 Run commit

The configuration is committed.

----End
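The display dhcpv6 upgrade output in 8.7.5 shows the relation that this command relies on: the renew time (T1) and rebind time (T2) are the configured percentages of the preferred lifetime (30 minutes at 50% and 80% give 15 and 24 minutes), and the user-table output shows the same relation for a 2-day lease. The following added example, which is not part of this guide or of Huawei's software, reproduces that arithmetic, checks that the preferred lifetime does not exceed the valid lifetime, and derives a preferred lifetime from the longest acceptable reconnection delay after the upgrade; the planning rule and the renew-rate estimate are assumptions, not device behaviour.

```python
"""Lease timing behind the 'dhcpv6 upgrade' command.

Added example (not Huawei's code). T1 and T2 are the configured percentages of
the preferred lifetime, as the display output in the guide shows; the planning
helper is an assumed rule for choosing a value, not device logic.
"""
from typing import Tuple


def lifetime_seconds(days: int, hours: int = 0, minutes: int = 0) -> int:
    """Convert the 'day [ hour [ minute ] ]' form of the command to seconds."""
    return ((days * 24 + hours) * 60 + minutes) * 60


def renew_rebind(preferred: int, renew_pct: int = 50, rebind_pct: int = 80) -> Tuple[int, int]:
    """T1 and T2 in seconds; the defaults are the percentages shown in the output."""
    if not 0 < renew_pct < rebind_pct <= 100:
        raise ValueError("need 0 < renew-time-percent < rebind-time-percent <= 100")
    return preferred * renew_pct // 100, preferred * rebind_pct // 100


def validate_lease(preferred: int, valid: int) -> None:
    """RFC 8415 requires the preferred lifetime not to exceed the valid lifetime."""
    if preferred > valid:
        raise ValueError("preferred lifetime must not exceed valid lifetime")


def format_dhm(seconds: int) -> str:
    """Render seconds the way the display output does, e.g. '0days 0hours 15minutes'."""
    days, rest = divmod(seconds, 86400)
    hours, minutes = divmod(rest // 60, 60)
    return f"{days}days {hours}hours {minutes}minutes"


def preferred_for_reconnect(max_reconnect: int, renew_pct: int = 50) -> int:
    """Largest preferred lifetime (whole minutes) whose T1 is at most max_reconnect,
    so every online user sends a Renew within that time after the device is back.
    Assumed planning rule."""
    preferred = max_reconnect * 100 // renew_pct
    return preferred - preferred % 60


def renew_rate(users: int, t1: int) -> float:
    """Average Renew messages per second once users are spread over the T1 window:
    the load the guide warns about when the lease is made short."""
    return users / t1


if __name__ == "__main__":
    pref, valid = lifetime_seconds(0, 0, 30), lifetime_seconds(0, 1, 0)
    validate_lease(pref, valid)
    t1, t2 = renew_rebind(pref)
    print("Renew time:", format_dhm(t1), "| Rebind time:", format_dhm(t2))
    print("preferred for a 15-minute reconnect:", format_dhm(preferred_for_reconnect(900)))
    print(f"renew rate for 100 users: {renew_rate(100, t1):.3f}/s")
```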

8.8.4 (Optional) Configuring a Constant Index for an IPv6 Address Pool

Context
After the ip-pool constant-index enable command is used, the index of the IPv4 address
pool, IPv6 prefix pool, or IPv6 address pool does not change after the device restarts. The
constant-index index command is automatically generated in the views of all the IPv4
address pools, IPv6 prefix pools, and IPv6 address pools configured on the device for users to
check the constant value. But the constant-index command cannot be used to change the
automatically generated constant index for an IPv6 prefix pool or IPv6 address pool.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ip-pool constant-index enable

The constant index function is enabled for IPv4 address pools, IPv6 prefix pools, and IPv6
address pools.

Step 3 Run commit

The configuration is committed.

----End

8.8.5 Changing the DHCPv6 Option Code for Interconnection Between Huawei and Non-Huawei Devices

On the NE40E, the vendor-class attribute is carried in DHCPv6 Option 16. The option code
probably differs with that on a non-Huawei device. The DHCPv6 option code can be changed
for interconnection between Huawei and non-Huawei devices.

Context
If the mapping between the vendor-class attribute and a DHCPv6 option code is configured in
both system and BAS interface views, the configuration in the BAS interface view takes
effect.

Procedure
l Configure a mapping between the vendor-class attribute and a DHCPv6 option code in
the system view.
a. Run system-view

The system view is displayed.


b. Run vendor-class dhcpv6 [ option-code option-code | offset offset-length ]*

The mapping between the vendor-class attribute and a DHCPv6 option code as well
as the offset value are configured. After the configuration is complete, the BRAS

uses the offset value to obtain the desired contents in the Value field of the DHCPv6
option.
l Configure a mapping between the vendor-class attribute and a DHCPv6 option code in
the BAS interface view.
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number [ .subinterface-number ]

The interface view is displayed.


c. Run bas

A BAS interface is created and the BAS interface view is displayed.

You can configure an interface as the BAS interface by running the bas command
in the interface view. You can configure an Ethernet interface or its sub-interface, a
VE interface or its sub-interface, an ATM interface or its sub-interface, or an Eth-
Trunk interface or its sub-interface as a BAS interface.
d. Run access-type layer2-subscriber [ default-domain { [ authentication [ force |
replace ] dname ] [ pre-authentication predname ] } ]

The access type is set to Layer 2 subscriber access and the attributes of this access
type are configured.

Or run: access-type layer3-subscriber [ default-domain { [ pre-authentication
predname ] authentication [ force | replace ] dname } ]

The access type is set to Layer 3 subscriber access and the attributes of this access
type are configured.

When setting the access type on the BAS interface, you can set the service attributes
of the access users at the same time. You can also set these attributes in later
configurations.

The access type cannot be configured on the Ethernet interface that is added to an
Eth-Trunk interface. You can configure the access type of such an Ethernet interface
only on the associated Eth-Trunk interface.
e. Run vendor-class dhcpv6 [ option-code option-code | offset offset-length ]*

The mapping between the vendor-class attribute and a DHCPv6 option code as well
as the offset value are configured. After the configuration is complete, the BRAS
uses the offset value to obtain the desired contents in the Value field of the DHCPv6
option.

----End

8.8.6 (Optional) Configuring the NE40E to Log Out an Online User and Deny Access of a New User After Detecting an IPv6 Address Conflict

You can configure the NE40E to log out an online user and deny access of a new user if it
detects that the IPv6 address assigned to the new user from a remote address pool or by the
RADIUS server is the same as the IPv6 address of the online user.

Context
To implement authentication, authorization, and accounting for users separately, users must
use different IPv6 addresses to go online. This requires the NE40E to detect whether the IPv6
address assigned to a new user conflicts with that of an online user. By default, if the NE40E
detects that the IPv6 address assigned to a new user is the same as the IPv6 address of an
online user, it sends a DHCPv6 Decline message to the DHCPv6 server. Then the new user
cannot go online, but the online user is not affected.
In scenarios in which IPv6 addresses are assigned based on the Option 82 field that carries
physical location information of users and ARP probe is not configured, the online user is
required to go offline to allow the new user to go online. For example, if a CPE is replaced,
users attached to the old CPE will switch to the new CPE to go online. As their physical
location information remains the same, they will be assigned the same IPv6 addresses as
before. However, if the previous IPv6 address lease has not expired, the user information is
retained. Therefore, the NE40E considers that the users are already online and discards the
user packets sent from the new CPE. Subsequently, the users fail to go online through the new
CPE. To allow the users to go online through the new CPE, configure the NE40E to delete the
previous user information and deny new user access so that the users can be triggered to go
online again.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcpv6 conflict-ip-address offline user [ include framed-ipv6 ]
The NE40E is configured to log out an online user and deny access of a new user if it detects
that the IPv6 address assigned to the new user from a remote address pool or by the RADIUS
server is the same as the IPv6 address of the online user.
Step 3 Run commit
The configuration is committed.

----End
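The two behaviours described in this section, the default (a Decline to the DHCPv6 server while the online user is untouched) and the behaviour after dhcpv6 conflict-ip-address offline user is configured (the online user is logged out and the new request denied, so the next request succeeds), can be modelled as a policy over an online-session table. The following added example, which is not part of this guide or of Huawei's software, does that and replays the CPE-replacement scenario from the Context. The address sources treated as subject to the check (remote address pool and RADIUS) are taken from the text; the include framed-ipv6 keyword is not modelled, and the user names and 2001:db8:: addresses are constructed.

```python
"""Model of the IPv6 address-conflict handling described in this section.

Added example (not Huawei's code). 'Bras' keeps an online-session table keyed by
IPv6 address; 'conflict_offline' stands for the 'dhcpv6 conflict-ip-address
offline user' command. The 'include framed-ipv6' keyword is not modelled, and
the set of address sources covered is an assumption drawn from the guide's text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Address sources the command text names as subject to the conflict check.
REMOTE_SOURCES = ("remote-pool", "radius")


@dataclass
class Session:
    user_id: str
    address: str
    source: str
    cpe: str          # which CPE the user came online through


@dataclass
class Bras:
    conflict_offline: bool = False
    sessions: Dict[str, Session] = field(default_factory=dict)
    events: List[Tuple[str, str, str]] = field(default_factory=list)

    def admit(self, user_id: str, address: str, source: str, cpe: str) -> str:
        """Handle a new access request to which `address` has been assigned."""
        existing: Optional[Session] = self.sessions.get(address)
        if existing is None:
            self.sessions[address] = Session(user_id, address, source, cpe)
            self.events.append(("ONLINE", user_id, address))
            return "ONLINE"
        if self.conflict_offline and source in REMOTE_SOURCES:
            # Command configured: drop the stale session and deny this request;
            # the client's next request then finds the address free.
            del self.sessions[address]
            self.events.append(("LOGOUT", existing.user_id, address))
            self.events.append(("DENY", user_id, address))
            return "DENIED"
        # Default: Decline to the DHCPv6 server (or the request is discarded when
        # the address follows physical-location information); online user untouched.
        self.events.append(("DECLINE", user_id, address))
        return "DECLINED"

    def online_user(self, address: str) -> Optional[str]:
        s = self.sessions.get(address)
        return s.user_id if s else None


def cpe_replacement(conflict_offline: bool) -> List[str]:
    """The Context scenario: the lease has not expired when the CPE is replaced, so
    the same address comes back from the new CPE. Returns the outcome of each attempt."""
    bras = Bras(conflict_offline=conflict_offline)
    results = [bras.admit("home-7", "2001:db8::7", "remote-pool", cpe="cpe-old")]
    results.append(bras.admit("home-7", "2001:db8::7", "remote-pool", cpe="cpe-new"))
    results.append(bras.admit("home-7", "2001:db8::7", "remote-pool", cpe="cpe-new"))
    return results


if __name__ == "__main__":
    print("default:   ", cpe_replacement(False))
    print("configured:", cpe_replacement(True))
```

Without the command the retry from the new CPE keeps failing until the old lease expires; with it, the first retry clears the stale session and the second one comes online, which is the "triggered to go online again" sequence the Context describes.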

8.8.7 (Optional) Setting Priorities for the DHCPv6 Option


If the DHCPv6 Option is configured in the domain view and in the address pool view and
delivered by the RADIUS server, you can configure priorities for the DHCPv6 Option.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcpv6 option-priority radius domain pool
The highest, medium, and lowest priorities are configured for the DHCPv6 Option delivered
by the RADIUS server, configured in the domain view, and configured in the address pool
view, respectively.
Step 3 Run commit

The configuration is committed.

----End

8.9 Configuring DHCPv6 (IA_NA) Address Allocation


This section describes how to configure the NE40E to use DHCPv6 (IA_NA) to allocate IPv6
addresses when the CPE works in bridging mode.

Usage Scenario
In DHCPv6(IA_NA) address allocation mode, IA_NA options are used to carry IA addresses
to be allocated.

Figure 8-5 Networking diagram of DHCPv6(IA_NA) address allocation mode
[Figure: HOST -- CPE -- Device; DHCPv6 (IA_NA) runs between the host and the device across the access network, and the device connects to the backbone network]

The host initiates a connection request and the CPE transparently forwards the connection
request packet. The NE40E uses DHCPv6 (IA_NA) to allocate IPv6 addresses to the host.

Pre-configuration Tasks
Before configuring DHCPv6 address allocation, enable IPv6.

Configuration Procedures

Figure 8-6 Flowchart for configuring DHCPv6 (IA_NA) address allocation
[Flowchart: Configuring a Local DHCPv6 Server, or Configuring a DHCPv6 Relay Agent on the User Side; in either branch, Configuring the State of Address Allocation (M=1). Legend: Mandatory, Optional]

8.9.1 Configuring the NE40E based on Its Role


This section describes how to configure the NE40E based on its role.

Context
When a device acts as a DHCPv6 relay agent, refer to the configuration of 8.6 Configuring a
DHCPv6 Relay Agent on the User Side.
When a device acts as a DHCPv6 server, perform the following operations to allow Layer 3
DHCPv6 users to request for IPv6 addresses from an IPv6 relay address pool.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipv6 prefix prefix-name local
An IPv6 prefix pool is created, and the IPv6 prefix pool view is displayed.
Because the address pool is of the relay type, the prefix pool must be configured in local
mode.
Step 3 Run prefix prefix-address/prefix-length
An IPv6 address prefix is configured.
Step 4 Run quit
The system view is displayed.
Step 5 Run ipv6 pool pool-name bas relay
An IPv6 address pool is created, and the IPv6 address pool view is displayed.
Step 6 Run prefix prefix-name
The IPv6 address pool is bound to the IPv6 prefix pool.

----End

8.9.2 Configuring the State of Address Allocation


Configure the state of address allocation according to the IPv6 access mode and address
allocation mode.

Context
Stateful address allocation (M=1) should be configured for IA_NA and IA_NA+IA_PD
address allocation modes.
If the M flag is 1, the clients need to obtain IPv6 addresses and other configuration
information in stateful mode.

NOTE

l For PPPoE users, the domain configuration determines whether stateful or stateless configuration
should be adopted.
l For IPoE users, the interface configuration determines whether stateful or stateless address
configuration should be adopted.

Perform the following steps on the NE40E:

Procedure
l Configure the state of address allocation on an interface.
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The interface view is displayed.


c. Run ipv6 nd autoconfig managed-address-flag

Stateful address allocation mode is enabled.


d. Run ipv6 nd autoconfig other-flag

The O flag is set to 1 to enable stateful mode.

Configure unicast as the destination IP address type for RA packets.

a. Run bas

The BAS interface view is displayed.


b. (Optional) Run ipv6 nd ra unicast

The Router is enabled to send RA packets that carry unicast destination IP
addresses in response to IPoEv6 user access requests.
l Configure the state of address allocation in a domain.
a. Run system-view

The system view is displayed.


b. Run aaa

The AAA view is displayed.


c. Run domain domain-name

A domain is created and the AAA domain view is displayed.


d. Run ipv6 nd autoconfig managed-address-flag [ interface-id ipv6cp ]

Stateful address allocation is configured for PPPoX users.


e. Run ipv6 nd autoconfig other-flag { ndra | dhcpv6 }

The O flag is set.


f. (Optional) Run prefix-assign-mode unshared

The IPv6 prefix allocation mode is set to unshared mode. After the configuration,
IPv6 users do not share the same IP prefix.
g. (Optional) Run dhcpv6-follow-ipv6cp wait-delay { time-value| infinity }

The timeout period for waiting for a DHCPv6 connection request is set.
h. (Optional) Run ipv6 nd ra unicast

The Router is enabled to send RA packets that carry unicast destination IP
addresses in response to PPPv6 user access requests.
l Run commit

The configuration is committed.

----End
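The managed-address-flag and other-flag commands above set the M and O bits of the Router Advertisements the NE40E sends, and the ipv6 nd ra link-prefix command in 8.7.4 controls whether the first 64 bits of a user's prefix are advertised as on-link. The following added example, which is not part of this guide or of Huawei's software, builds an ICMPv6 Router Advertisement with those bits and a Prefix Information option, decodes it back, and states what a host does with each flag combination; the sample prefix 2200::/64 is the PD prefix from the user-table output in 8.7.5, and the lifetimes and router lifetime are constructed values.

```python
"""Build and decode an ICMPv6 Router Advertisement and read its M/O flags and
on-link prefixes.

Added example (not Huawei's code). It shows what 'ipv6 nd autoconfig
managed-address-flag' (M=1), 'ipv6 nd autoconfig other-flag' (O=1) and
'ipv6 nd ra link-prefix' (prefix advertised as on-link) put on the wire;
the sample prefix 2200::/64 is the PD prefix from the guide's user-table output.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
FLAG_M, FLAG_O = 0x80, 0x40               # RA flags byte (RFC 4861)
PI_ON_LINK, PI_AUTONOMOUS = 0x80, 0x40    # Prefix Information option flags

Prefix = Tuple[str, int, bool, bool]      # (prefix, length, on_link, autonomous)


def build_ra(managed: bool, other: bool, prefixes: List[Prefix],
             router_lifetime: int = 1800, hop_limit: int = 64) -> bytes:
    """ICMPv6 RA body; the checksum is left zero because the sending stack
    computes it over the IPv6 pseudo-header."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                      router_lifetime, 0, 0)   # reachable time, retrans timer unset
    for prefix, plen, on_link, autonomous in prefixes:
        pflags = (PI_ON_LINK if on_link else 0) | (PI_AUTONOMOUS if autonomous else 0)
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pflags,
                           2592000, 604800, 0)  # valid 30 d, preferred 7 d, reserved
        pkt += ipaddress.IPv6Address(prefix).packed
    return pkt


def parse_ra(pkt: bytes) -> Dict[str, object]:
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags = pkt[5]
    info: Dict[str, object] = {"managed": bool(flags & FLAG_M),
                               "other": bool(flags & FLAG_O), "prefixes": []}
    off = 16
    while off < len(pkt):
        if len(pkt) - off < 2:
            raise ValueError("truncated option")
        otype, olen = pkt[off], pkt[off + 1] * 8   # length is in units of 8 octets
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("bad option length")
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags = pkt[off + 2], pkt[off + 3]
            prefix = str(ipaddress.IPv6Address(pkt[off + 16:off + 32]))
            info["prefixes"].append((prefix, plen, bool(pflags & PI_ON_LINK),
                                     bool(pflags & PI_AUTONOMOUS)))
        off += olen
    return info


def client_mode(managed: bool, other: bool) -> str:
    """What a host does with these flags (RFC 4861 section 4.2 semantics)."""
    if managed:
        return "stateful: addresses and other configuration via DHCPv6"
    if other:
        return "stateless: SLAAC addresses, other configuration via DHCPv6"
    return "stateless: SLAAC only"


# Constructed sample: M=1/O=1 as configured in this section, with the first 64 bits
# of the user's prefix advertised as on-link and not offered for SLAAC (A=0).
SAMPLE_RA = build_ra(True, True, [("2200::", 64, True, False)])
```

A capture of the RA on the user-facing interface can be checked the same way: if M is clear, the host will not send a DHCPv6 Solicit for an IA_NA address no matter how the address pools are configured.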

8.9.3 Verifying the DHCPv6 (IA_NA) Address Allocation Configuration

After DHCPv6 address allocation mode is configured, you can check the configuration of the
IPv6 address pool, the prefix pool, the domain, and usage in the address pool bound to the
domain.

Procedure
l Run the display ipv6 pool [ pool-name ] command to check the IPv6 address pool
configurations.
l Run the display ipv6 prefix [ prefix-name [ all | used ] ] command to check the IPv6
prefix pool configurations.
l Run the display domain [ domain-name ] command to check the domain configurations.
l Run the display ipv6-pool pool-usage [ domain domain-name | pool-name [ pool-
name ] ] command to check information about the usage of the address pool.
l Run the display ipv6-pool max-usage { pool [ pool-name ] | domain [ domain-name ] }
command in any view to check the historical maximum usage of addresses in an IPv6
address pool.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-
threshold } command to check information about domains whose IPv6 address pool or
prefix pool usage exceeds a specified threshold.

----End

8.10 Configuring DHCPv6 (IA_PD) Prefix Allocation


This section describes how to configure the NE40E to allocate prefixes to the CPE when the
CPE works in unnumbered routing mode. The CPE allocates the prefixes to the attached host
to generate IPv6 addresses.

Usage Scenario
In DHCPv6 prefix allocation, the IA_PD option is used to carry IA prefixes.

Figure 8-7 Networking diagram of IA_PD prefix allocation
[Figure: HOST -- CPE (unnumbered) -- Device; IA-PD runs between the CPE and the device across the access network, and the device connects to the backbone network]

The CPE initiates a connection request, and the NE40E uses DHCPv6 (IA_PD) to allocate
prefixes to the CPE and the CPE allocates the prefixes to the attached host for the host to
generate IPv6 addresses.

Pre-configuration Tasks
Before configuring PD (IA_PD) prefix allocation, enable IPv6.

8.10.1 Configuring the NE40E based on Its Role


This section describes how to configure the NE40E based on its role.

Context
When PD (IA_PD) prefix allocation is used, the NE40E acts as a delegating router. For details, refer
to the configuration of 8.7 Configuring a Delegating Router.
When NE40E acts as a DHCPv6 relay agent, refer to the configuration of 8.6 Configuring a
DHCPv6 Relay Agent on the User Side.

8.10.2 Checking the DHCPv6 (IA_PD) Prefix Allocation Configuration

After PD (IA_PD) prefix allocation is configured, you can check the configurations of the
IPv6 address pool, the prefix pool, the domain and address usage in the address pool bound to
a domain.

Procedure
l Run the display ipv6 pool [ pool-name ] command to check the IPv6 address pool
configurations.
l Run the display ipv6 prefix [ prefix-name [ all | used ] ] command to check the IPv6
prefix pool configurations.
l Run the display domain [ domain-name ] command to check the domain configurations.
l Run the display ipv6-pool pool-usage [ domain domain-name | pool-name [ pool-
name ] ] command to check information about the usage of the address pool.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-
threshold } command to check information about domains whose IPv6 address pool or
prefix pool usage exceeds a specified threshold.
----End

8.11 Configuring DHCPv6 (IA_NA+IA_PD) Address Allocation

This section describes how to configure the NE40E to use DHCPv6 to allocate IPv6 addresses
and prefixes to the WAN interface on the CPE when the CPE works in numbered routing
mode. The CPE sends the prefixes to the attached hosts for them to generate IPv6 addresses.

Usage Scenario
The NE40E uses DHCPv6 to allocate addresses to the WAN interfaces on the CPE and uses
PD to allocate the prefixes to the CPE working in numbered mode. The CPE sends the
prefixes to Home LANs.

Figure 8-8 Networking diagram of DHCPv6(IA_NA+IA_PD) Address Allocation
[Figure: HOST -- CPE (numbered) -- Device; IA-PD runs between the CPE and the device across the access network, and the device connects to the backbone network]

The CPE initiates a connection request. The NE40E uses DHCPv6 (IA_NA) to allocate IPv6
addresses to the WAN interfaces on the CPE and DHCPv6 (IA_PD) to allocate prefixes to the
CPE; the CPE then allocates the prefixes to the attached hosts, which use them to generate
IPv6 addresses.

Pre-configuration Tasks
Before configuring DHCPv6(IA_NA+IA_PD) address allocation, complete the following
tasks:

Setting the CPE working mode to numbered routing mode

Enabling IPv6 on interfaces

8.11.1 Configuring the NE40E based on Its Role


This section describes how to configure the NE40E based on its role.

Context
When IA_NA is used to allocate addresses to the WAN interfaces on the CPE, refer to the
configuration of 8.9 Configuring DHCPv6 (IA_NA) Address Allocation.

When DHCPv6 (IA_PD) is used to allocate prefixes to the CPE, refer to the configuration of
8.10 Configuring DHCPv6 (IA_PD) Prefix Allocation.


NOTE

In IA_NA+IA_PD address allocation, a DNS server must be configured for both the address pool for
IA_NA address allocation and the address pool for IA_PD address allocation.

8.11.2 Configuring the State of Address Allocation


Configure the state of address allocation according to the IPv6 access mode and the address
allocation mode.

Context
Stateful address allocation (M=1) should be configured for IA_NA and IA_NA+IA_PD
address allocation modes.

If the M flag is 1, the clients need to obtain IPv6 addresses and other configuration
information in stateful mode.

NOTE

l For PPPoE users, the domain configuration determines whether stateful or stateless configuration
should be adopted.
l For IPoE users, the interface configuration determines whether stateful or stateless address
configuration should be adopted.

Perform the following steps on the NE40E:

Procedure
l Configure the state of address allocation on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run ipv6 nd autoconfig managed-address-flag
Stateful address allocation mode is enabled.
d. Run ipv6 nd autoconfig other-flag
The O flag is set to 1 to enable stateful mode.
l Configure unicast as the destination IP address type for RA packets.
a. Run bas
The BAS interface view is displayed.
b. (Optional) Run ipv6 nd ra unicast
The Router is enabled to send RA packets that carry unicast destination IP
addresses in response to IPoEv6 user access requests.
l Configure the state of address allocation in a domain.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run domain domain-name
A domain is created and the AAA domain view is displayed.
d. Run ipv6 nd autoconfig managed-address-flag [ interface-id ipv6cp ]
Stateful address allocation is configured for PPPoX users.
e. Run ipv6 nd autoconfig other-flag { ndra | dhcpv6 }
The O flag is set.
f. (Optional) Run prefix-assign-mode unshared
The IPv6 prefix allocation mode is set to unshared mode. After the configuration,
IPv6 users do not share the same IP prefix.
g. (Optional) Run dhcpv6-follow-ipv6cp wait-delay { time-value | infinity }
The timeout period for waiting for a DHCPv6 connection request is set.
h. (Optional) Run ipv6 nd ra unicast
The Router is enabled to send RA packets that carry unicast destination IP
addresses in response to PPPv6 user access requests.
l Run commit
The configuration is committed.

----End

8.11.3 Verifying the DHCPv6 (IA_NA+IA_PD) Address Allocation Configuration

After DHCPv6 (IA_NA+IA_PD) address allocation is configured, you can check the
configuration of the IPv6 address pool, the prefix pool, the domain, and address usage in the
address pool bound to the domain.

Procedure
l Run the display ipv6 pool [ pool-name ] command to check the IPv6 address pool
configurations.
l Run the display ipv6 prefix [ prefix-name [ all | used ] ] command to check the IPv6
prefix pool configurations.
l Run the display domain [ domain-name ] command to check the domain configurations.
l Run the display ipv6-pool pool-usage [ domain domain-name | pool-name [ pool-
name ] ] command to check information about the usage of the address pool.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-
threshold } command to check information about domains whose IPv6 address pool or
prefix pool usage exceeds a specified threshold.

----End


8.12 Configuring NDRA Address Allocation


This section describes how to configure the NE40E to use ND to allocate IPv6 addresses
when the CPE works in bridging mode.

Usage Scenario
NDRA address allocation is implemented using Stateless Address Autoconfiguration
(SLAAC).
The NE40E allocates only the 64-bit IPv6 prefixes. The 64-bit interface ID is generated by the
client itself.

Figure 8-9 Networking diagram of NDRA address allocation (HOST, CPE, access network, Device, backbone network; NDRA between host and Device)

The host initiates a connection request, and the CPE transparently forwards the connection
request packet. The NE40E uses NDRA to allocate IPv6 addresses to the host.

NOTE

If NDRA address allocation is configured for IPoXv6 users, only unshared IPv6 prefixes can be
allocated.

Pre-configuration Tasks
Before configuring NDRA address allocation, complete the following tasks:
Configuring the CPE working mode as bridging mode
Enabling IPv6


Configuration Procedures

Figure: configuration procedure for NDRA address allocation (flowchart shown as a list; the
mandatory and optional tasks match the section headings below)
Mandatory:
l Configuring an IPv6 prefix pool
l Configuring an IPv6 Address Pool
l Binding an IPv6 Address Pool to a Domain
Optional:
l Configuring the state of Address Allocation (M=0)
l Configuring a Constant Index for an IPv6 Prefix Pool or IPv6 Address Pool

8.12.1 Configuring an IPv6 prefix pool


Before configuring the NDRA address allocation mode, configure an IPv6 prefix pool and
bind it to an address pool.

Context
l Prefix configuration
Only one prefix and one mask can be configured for a local prefix pool. The mask length
ranges from 1 bit to 128 bits.
l Prefix locking configuration
After a prefix pool is locked, the leases of prefixes that have been allocated cannot be
extended and new addresses cannot be allocated.
l Address conflict resolution configuration
If an IPv6 address status conflict is resolved, the address can be allocated to another user.
l Binding an IPv6 prefix pool to a VPN instance
After a prefix pool is bound to a VPN instance, prefixes in the prefix pool can be
allocated to VPN users.
l Prefix lease configuration
A preferred prefix lifetime and valid prefix lifetime can be configured. The default value
for the preferred prefix lifetime is 2 days, and the default value for the valid prefix
lifetime is 3 days. The preferred prefix lifetime is used to limit the lease renewal time
and rebinding time. By default, the lease renewal time accounts for 50% of the preferred
prefix lifetime, and rebinding time accounts for 80% of the preferred lifetime. The valid
prefix lifetime specifies the validity period in which an address can be used.
l Address reservation configuration
Addresses in the local prefix pool have four reservation types:
– 1: MAC reservation
– 2: MAC+lease-based reservation
– 3: DUID reservation
– 4: DUID+lease-based reservation
l Address withdrawal
The address of an offline user can be withdrawn using the command.
l Exclusive prefix pool configuration
The delegation prefix pool can be used to allocate unshared prefixes to ND users or
prefixes only to DHCPv6 (IA_PD) users.
l Prefix exclusion
In complex network planning, some IPv6 prefixes cannot be allocated to users.
l Address exclusion
In complex network planning, some IPv6 addresses cannot be allocated to users.
Perform the following steps on the NE40E.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipv6 prefix prefix-name [ local | delegation ]
An IPv6 prefix pool is created and the IPv6 prefix pool view is displayed.
l The local prefix pool is used to allocate shared prefixes to ND users.
l The delegation prefix pool can allocate unshared prefixes to ND users. The delegation
prefix pool configured with slaac-unshare-only enjoys a higher priority.
Step 3 (Optional) Run slaac-unshare-only
The delegation prefix pool can be used only in stateless address allocation mode.
After this command is run, the delegation prefix pool no longer allocates prefixes when
receiving a DHCPv6 IAPD packet from the clients applying for addresses. In addition, the
delegation prefix pool configured with this command takes precedence over those without this
configuration.
Step 4 Run prefix prefix-address/prefix-length [ delegating-prefix-length delegating-prefix-length ]
IPv6 prefixes are configured.
The assignable prefix length is the length of the IPv6 prefix that a delegating router allocates
to the requesting router. The assignable prefix length in a prefix pool must be greater than or
equal to the prefix length configured in the prefix pool. Otherwise, the prefix pool cannot
allocate prefixes to users.
Step 5 (Optional) Run excluded-ipv6-address start-ipv6-address [ end-ipv6-address ]
A specified IPv6 address is prohibited.
The prohibited IPv6 address must be in the assignable range of the prefix pool. When the end
IPv6 address is not specified, only the start IPv6 address is prohibited.
Step 6 (Optional) Run excluded-ipv6-prefix start-ipv6-prefix/prefix-length [ end-ipv6-prefix/prefix-length ]
A specified IPv6 prefix is prohibited.


The prohibited IPv6 prefix must be in the assignable range of the prefix pool. When the end
IPv6 prefix is not specified, only the start IPv6 prefix is prohibited.

Step 7 (Optional) Run lock

The IPv6 prefix pool is locked.

No prefix in the locked IPv6 prefix pool can be allocated, preventing new users from getting
online using the IPv6 prefix pool.

This command applies to a scenario where the IPv6 prefix pool cannot be deleted because it is
being used by online users. Lock the IPv6 prefix pool first to stop it from allocating prefixes.
The prefixes in the IPv6 prefix pool will be released when the users get offline. Then the IPv6
prefix pool can be deleted.

Step 8 (Optional) Run vpn-instance vpn-instance-name

The VPN instance is configured for the prefix pool.

Step 9 (Optional) Run lifetime preferred-lifetime { days days-value [ hours hours-value [ minutes
minutes-value ] ] | infinite } valid-lifetime { days days-value [ hours hours-value [ minutes
minutes-value ] ] | infinite }

The preferred lifetime and valid lifetime of IPv6 prefixes are configured.

preferred-lifetime of the IPv6 prefixes in the command is used by the system to calculate the
lease renewal time and rebinding time of the IPv6 prefix pool. The time must be no less than
1 minute. The default value is 2 days.

valid-lifetime specifies the validity period of the prefixes. The users using the prefixes will be
logged off after the validity period expires. The valid-lifetime must be no less than 1 minute,
nor less than the preferred prefix lifetime. The default value is 3 days.

Step 10 (Optional) Run conflict auto-recycle interval interval-time

The interval at which conflicting prefixes are automatically recycled is configured.

This command is valid only to the local prefix pool.

Step 11 (Optional) Run reserved prefix { duid | mac } [ lease ]

The reservation type of user prefixes in the prefix pool is configured.

Step 12 (Optional) Run recycle prefix start-prefix [ end-prefix ]

The prefix status is set to idle.

Step 13 (Optional) Run reserved ipv6-address { duid | mac } [ lease ]

The reservation type for the IPv6 addresses in a local address pool is configured.

Step 14 (Optional) Run recycle ipv6-address start-prefix [ end-prefix ]

The status of IPv6 addresses is set to idle.

Step 15 Run commit

The configuration is committed.

----End


8.12.2 Configuring an IPv6 Address Pool


After an IPv6 prefix pool is configured in NDRA address allocation mode, you need to
configure an IPv6 address pool.

Context
l Prefix binding
A prefix pool can be bound to only one address pool. Similarly, an address pool can be
bound to only one prefix pool. Table 8-2 shows the binding between address pools and
prefix pools.

Table 8-2 Binding between address pools and prefix pools

Address Pool Type                     Prefix Pool for Binding
User-side local address pool          Local prefix pool
User-side delegation address pool     Delegation prefix pool
User-side relay address pool          Local prefix pool
User-side remote address pool         Remote prefix pool

l Priority configuration
Among address pools of the same type, the greater the preference value of a pool, the higher
its priority.
In NDRA address allocation mode, BAS local address pools are used to allocate shared
prefixes, while BAS delegation address pools are used to allocate unshared prefixes. A
BAS delegation address pool configured with slaac-unshare-only takes precedence over
other BAS delegation address pools.
l Address pool binding configuration
An IPv6 address pool whose addresses are in use cannot be deleted. To delete an IPv6
address pool, first run the lock command in the IPv6 address pool view to lock the pool
and then delete it after all online users have logged out.
l DNS suffix configuration
Only one domain name suffix can be set for an IPv6 address pool.
l DNS server configuration
A maximum of two DNS servers can be bound to an IPv6 address pool.
l Address lease configuration
If an IPv6 address pool has been bound to a domain, the address lease cannot be
changed.

Perform the following steps on the NE40E.

Procedure
Step 1 Run system-view

The system view is displayed.


Step 2 (Optional) Run access wait-request-time dhcpv6 time-value

The timeout period for a router to wait for a Request message from a client in response to an
Advertise message sent to the client is set.

Step 3 Run ipv6 pool pool-name { bas { local | delegation | remote } }

An IPv6 address pool is created and the IPv6 address pool view is displayed.

NOTE

The parameter remote is controlled by the PAF file and is disabled by default. That is, the ipv6 pool bas
remote command cannot be configured by default.

Step 4 Run prefix prefix-name

The IPv6 address pool is bound to an IPv6 prefix pool.

Step 5 (Optional) Run preference preference-value

A priority value is set for the IPv6 address pool.

The default value is 255.

Step 6 (Optional) Run dns-server ipv6-address &<1-2>

A DNS server is specified for an IPv6 address pool. An IPv6 address is used to specify a DNS
server.

Step 7 (Optional) Run dns-search-list dns-search-list-name

A DNS suffix is configured to perform domain name resolution.

Step 8 (Optional) Run renew-time-percent renew-time-percent rebind-time-percent rebind-time-percent

A lease renewal time and rebinding time are set for the IPv6 address pool.

By default, the renewal time for an IPv6 address pool is 50% of the preferred lifetime and the
rebinding time is 80% of the preferred lifetime.

Step 9 (Optional) Run ipv6-pool statistic include shared-user

IPv6 address pool statistics include those about users sharing the prefix pool.

Step 10 (Optional) Run wait-request-time time-value

The timeout period for a router to wait for a Request message from a client in response to an
Advertise message sent to the client is set.

NOTE

The wait-request-time time-value command is run in the IP address pool view whereas the access wait-
request-time dhcpv6 time-value command is run in the system view. If the two commands are both run,
the wait-request-time time-value command takes effect.

Step 11 Run commit

The configuration is committed.

----End


8.12.3 Binding an IPv6 Address Pool to a Domain


Users in the domain can obtain addresses from the address pool only after an IPv6 address
pool is bound to a domain.

Prerequisites
The address pool to be bound has been created and bound to a prefix pool.

Context
Perform the following steps on the Router.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name

A domain is created and the domain view is displayed.

Step 4 Run ipv6-pool pool-name

The IPv6 local address pool or the delegation address pool is bound to the domain.

Step 5 (Optional) Run ipv6-warning-threshold { upper-limit-value | lower-limit lower-limit-value }

Threshold for the usage of IPv6 addresses and prefixes is configured.

Step 6 Run commit

The configuration is committed.

----End

8.12.4 (Optional) Configuring the state of Address Allocation


Configure the state of address allocation according to the IPv6 access mode and the address
allocation mode.

Context

Stateless address allocation (M=0) should be configured for NDRA and NDRA+IA_PD
address allocation modes. By default, the M flag is 0, so no configuration is needed.


NOTE

l For PPPoE users, the domain configuration determines whether stateful or stateless configuration
should be adopted.
l For IPoE users, the interface configuration determines whether stateful or stateless address
configuration should be adopted.

If the M flag is 0, and the O flag is 1, the clients need to obtain other configuration
information except IPv6 addresses in stateful mode.
Perform the following steps on the Router.

Procedure
l State of the interface
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run undo ipv6 nd autoconfig managed-address-flag
Stateless address allocation mode is enabled.
d. Run ipv6 nd autoconfig other-flag
The O flag is set to 1 to enable stateful mode.
l State of the domain
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run domain domain-name
A domain is created and the AAA view is displayed.
d. Run undo ipv6 nd autoconfig managed-address-flag
Stateless address allocation is configured for PPPoX users.
e. Run ipv6 nd autoconfig other-flag { ndra | dhcpv6 }
The O flag is set.
f. Run prefix-assign-mode unshared
The IPv6 prefix allocation mode is set to unshared mode. After the configuration,
IPv6 users do not share the same IP prefix.
g. Run dhcpv6-follow-ipv6cp wait-delay time-value
The timeout period for waiting for a DHCPv6 connection request is set.
l Run commit
The configuration is committed.
----End


8.12.5 (Optional) Configuring a Constant Index for an IPv6 Address Pool

Context
After the ip-pool constant-index enable command is used, the index of the IPv4 address
pool, IPv6 prefix pool, or IPv6 address pool does not change after the device restarts. The
constant-index index command is automatically generated in the views of all the IPv4
address pools, IPv6 prefix pools, and IPv6 address pools configured on the device for users to
check the constant value. But the constant-index command cannot be used to change the
automatically generated constant index for an IPv6 prefix pool or IPv6 address pool.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip-pool constant-index enable
The constant index function is enabled for IPv4 address pools, IPv6 prefix pools, and IPv6
address pools.
Step 3 Run commit
The configuration is committed.

----End

8.12.6 (Optional) Locking an IPv6 Address Pool


This section describes how to lock an IPv6 address pool so that the address pool cannot be
used to assign IPv6 addresses to new users.

Context
An IPv6 address pool with an in-use IPv6 address cannot be deleted. Therefore, configure the
drain function to lock the IPv6 address pool before you delete the address pool. After an IPv6
address pool is locked using the lock drain command, DHCP Renew or Rebind messages
from online users will be discarded. The IPv6 address pool can be deleted after all online
users using the address pool go offline upon lease expiry. If you only need to disable an IPv6
address pool so that the address pool will not be used to assign IPv6 addresses to new users
but online users can still use assigned IPv6 addresses, configure the lock function to lock the
address pool using the lock command.
Perform the following steps on the Router.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipv6 pool pool-name [ bas { local | remote | delegation | relay } ]
The IPv6 address pool view is displayed.


Step 3 Perform either of the following configurations as needed:


l Configure the drain function to lock the IPv6 address pool.
a. Run lock drain
The IPv6 address pool is locked so that the address pool cannot be used to assign
IPv6 addresses to new users and Renew or Rebind messages from online users
using the address pool are discarded.
NOTE

This command does not take effect for ND users in remote address pool scenarios.
b. Run commit
The configuration is committed.
l Configure the lock function to lock the IPv6 address pool.
a. Run lock
The IPv6 address pool is locked so that the address pool cannot be used to assign
IPv6 addresses to new users but Renew or Rebind messages from online users can
still be processed.
b. Run commit
The configuration is committed.

----End
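The rules stated for the prefix pool in 8.12.1 (assignable prefix length, excluded prefixes, lifetimes), the renew and rebind percentages in 8.12.2, and the difference between lock and lock drain in 8.12.6 can be exercised in a small model. The following Python is an added illustration written for this guide, not Huawei code: the pool name, prefix, client DUIDs and excluded prefix are constructed values, and excluded prefixes are modelled as single networks rather than start/end ranges.

```python
"""Toy model of an NE40E-style delegation prefix pool (constructed example, not Huawei code).

Rules taken from the guide: delegating-prefix-length >= the pool prefix length (8.12.1,
step 4); excluded prefixes lie inside the pool (step 6); valid-lifetime >= preferred-lifetime
>= 1 minute, defaults 3 and 2 days (step 9); renew/rebind default to 50%/80% of the
preferred lifetime (8.12.2); 'lock' blocks new users but still honours Renew/Rebind,
'lock drain' discards Renew/Rebind too, and a pool is deletable only when idle (8.12.6).
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Network
from typing import Dict, List, Optional, Tuple

DAY = 86400


@dataclass
class PrefixPool:
    name: str
    prefix: IPv6Network                 # pool prefix, e.g. 2001:db8:100::/56
    delegating_prefix_length: int       # length of each prefix handed to a client
    preferred_lifetime: int = 2 * DAY   # seconds
    valid_lifetime: int = 3 * DAY       # seconds
    renew_percent: int = 50             # renew-time-percent
    rebind_percent: int = 80            # rebind-time-percent
    excluded: List[IPv6Network] = field(default_factory=list)      # excluded-ipv6-prefix
    lock_mode: Optional[str] = None     # None, "lock" or "drain"
    leases: Dict[IPv6Network, str] = field(default_factory=dict)   # prefix -> client DUID

    def __post_init__(self) -> None:
        # Reject configurations the guide says are invalid or cannot allocate.
        if not self.prefix.prefixlen <= self.delegating_prefix_length <= 128:
            raise ValueError("delegating-prefix-length must be >= pool prefix length")
        if self.preferred_lifetime < 60 or self.valid_lifetime < self.preferred_lifetime:
            raise ValueError("need valid-lifetime >= preferred-lifetime >= 1 minute")
        for ex in self.excluded:
            if not ex.subnet_of(self.prefix):
                raise ValueError(f"excluded prefix {ex} is outside pool {self.prefix}")

    def timers(self) -> Tuple[int, int]:
        """(renew, rebind) times in seconds, derived from the preferred lifetime."""
        return (self.preferred_lifetime * self.renew_percent // 100,
                self.preferred_lifetime * self.rebind_percent // 100)

    def assignable(self) -> List[IPv6Network]:
        """Every delegable prefix that does not overlap an excluded prefix."""
        return [cand for cand in self.prefix.subnets(new_prefix=self.delegating_prefix_length)
                if not any(cand.overlaps(ex) for ex in self.excluded)]

    def allocate(self, duid: str) -> Optional[IPv6Network]:
        """Give a new client the first idle prefix; None when locked or exhausted."""
        if self.lock_mode is not None:
            return None
        for cand in self.assignable():
            if cand not in self.leases:
                self.leases[cand] = duid
                return cand
        return None

    def renew(self, prefix: IPv6Network, duid: str) -> bool:
        """Handle a Renew/Rebind; under 'lock drain' it is discarded so the lease expires."""
        if self.lock_mode == "drain":
            return False
        return self.leases.get(prefix) == duid

    def release(self, prefix: IPv6Network) -> None:
        """The client went offline or its lease expired: the prefix returns to idle."""
        self.leases.pop(prefix, None)

    def can_delete(self) -> bool:
        """A pool can be deleted only once no prefix is in use."""
        return not self.leases


def demo() -> dict:
    """Walk one pool through allocate, lock, lock drain and delete (constructed values)."""
    pool = PrefixPool("pd-pool", IPv6Network("2001:db8:100::/56"), 60,
                      excluded=[IPv6Network("2001:db8:100:f0::/60")])  # one /60 kept back
    p1 = pool.allocate("duid-cpe-1")
    p2 = pool.allocate("duid-cpe-2")
    pool.lock_mode = "lock"          # lock: no new users, Renew/Rebind still processed
    p3 = pool.allocate("duid-cpe-3")
    renew_locked = pool.renew(p1, "duid-cpe-1")
    pool.lock_mode = "drain"         # lock drain: Renew/Rebind discarded as well
    renew_drained = pool.renew(p1, "duid-cpe-1")
    deletable_before = pool.can_delete()
    pool.release(p1)
    pool.release(p2)                 # leases ran out, both users offline
    return {"p1": str(p1), "p2": str(p2), "p3": p3,
            "renew_locked": renew_locked, "renew_drained": renew_drained,
            "deletable_before": deletable_before, "deletable_after": pool.can_delete(),
            "timers": pool.timers(), "assignable": len(pool.assignable())}


if __name__ == "__main__":
    print(demo())
```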

8.12.7 Verifying the NDRA Address Allocation Configuration


After completing configurations, you can view information about the IPv6 address pool, the
prefix pool, domain configurations, and the address usage of the address pool.

Procedure
l Run the display ipv6 pool [ pool-name ] command to check information about the IPv6
address pool.
l Run the display ipv6 prefix [ prefix-name [ all | used ] ] command to check information
about the prefix pool.
l Run the display domain [ domain-name ] command to check information about the
domain.
l Run the display ipv6-pool pool-usage [ domain domain-name | pool-name [ pool-
name ] ] command to check information about the usage of the address pool.
l Run the display ipv6-pool max-usage { pool [ pool-name ] | domain [ domain-name ] }
command in any view to check the historical maximum usage of addresses in an IPv6
address pool.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-
threshold } command to check information about domains whose IPv6 address pool or
prefix pool usage exceeds a specified threshold.

----End


8.13 Configuring NDRA+DHCPv6 (IA_PD) Address Allocation

This section describes how to configure the NE40E to use ND to allocate IPv6 addresses to
the WAN interfaces on the CPE and use DHCPv6 (IA_PD) to allocate prefixes to the CPE
when the CPE works in numbered routing mode. The CPE allocates the prefixes to the
attached hosts to generate IPv6 addresses.

Usage Scenario
The CPE sends a DHCPv6 packet only carrying the IA_PD option to allocate IPv6 prefixes to
Home LANs; the NE40E uses an RA packet to send the IPv6 prefixes allocated to the WAN
interfaces on the CPE to the CPE to generate IPv6 addresses.

Figure 8-10 Networking diagram of NDRA+DHCPv6 (IA_PD) address allocation (HOST, CPE in numbered mode, access network, Device, backbone network; NDRA+IA-PD between CPE and Device)

The CPE initiates a connection request. The NE40E uses NDRA to allocate IPv6 addresses to
the WAN interfaces on the CPE and DHCPv6 (IA_PD) to allocate prefixes to the CPE; the
CPE then allocates the prefixes to the attached hosts, which use them to generate IPv6
addresses.

Pre-configuration Tasks
Before configuring NDRA+DHCPv6 (IA_PD) address allocation, complete the following
tasks:
Setting the CPE working mode to numbered routing mode
Enabling IPv6 on interfaces

8.13.1 Configuring the NE40E based on Its Role


This section describes how to configure the NE40E based on its role.

Context
When NDRA is used to allocate addresses to the WAN interfaces on the CPE, refer to the
configuration of 8.12 Configuring NDRA Address Allocation.
When DHCPv6(IA_PD) is used to allocate prefixes to the CPE, refer to the configuration of
8.10 Configuring DHCPv6 (IA_PD) Prefix Allocation.


NOTE

In NDRA+IA_PD address allocation, a DNS server must be configured for both the address pool for
NDRA address allocation and the address pool for IA_PD address allocation.

8.13.2 (Optional) Configuring the state of Address Allocation


Configure the state of address allocation according to the IPv6 access mode and the address
allocation mode.

Context

Stateless address allocation (M=0) should be configured for NDRA and NDRA+IA_PD
address allocation modes. By default, the M flag is 0, so no configuration is needed.

NOTE

l For PPPoE users, the domain configuration determines whether stateful or stateless configuration
should be adopted.
l For IPoE users, the interface configuration determines whether stateful or stateless address
configuration should be adopted.

If the M flag is 0, and the O flag is 1, the clients need to obtain other configuration
information except IPv6 addresses in stateful mode.
Perform the following steps on the Router.

Procedure
l State of the interface
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run undo ipv6 nd autoconfig managed-address-flag
Stateless address allocation mode is enabled.
d. Run ipv6 nd autoconfig other-flag
The O flag is set to 1 to enable stateful mode.
l State of the domain
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run domain domain-name
A domain is created and the AAA view is displayed.
d. Run undo ipv6 nd autoconfig managed-address-flag
Stateless address allocation is configured for PPPoX users.
e. Run ipv6 nd autoconfig other-flag { ndra | dhcpv6 }
The O flag is set.
f. Run prefix-assign-mode unshared
The IPv6 prefix allocation mode is set to unshared mode. After the configuration,
IPv6 users do not share the same IP prefix.
g. Run dhcpv6-follow-ipv6cp wait-delay time-value
The timeout period for waiting for a DHCPv6 connection request is set.
l Run commit
The configuration is committed.
----End

8.13.3 Verifying the NDRA+DHCPv6 (IA_PD) Address Allocation Configuration

After NDRA+DHCPv6 (IA_PD) address allocation is configured, you can check the
configuration of the IPv6 address pool, the prefix pool, the domain, and address usage in the
address pool bound to the domain.

Procedure
l Run the display ipv6 pool [ pool-name ] command to check the IPv6 address pool
configurations.
l Run the display ipv6 prefix [ prefix-name [ all | used ] ] command to check the IPv6
prefix pool configurations.
l Run the display domain [ domain-name ] command to check the domain configurations.
l Run the display ipv6-pool pool-usage [ domain domain-name | pool-name [ pool-
name ] ] command to check information about the usage of the address pool.
l Run the display ipv6-pool max-ratio domain command to check information about
IPv6 address pool or prefix pool usage in all domains on the device.
l Run the display ipv6-pool pool-usage { upper-threshold | lower-threshold | all-
threshold } command to check information about domains whose IPv6 address pool or
prefix pool usage exceeds a specified threshold.

----End

8.14 Maintaining IPv6 Address Management

8.14.1 Clearing IPv6 Address Statistics


Context

IPv6 address statistics cannot be restored after they are cleared. Exercise caution when
running the reset ipv6-pool max-ratio domain command.

Procedure
l Run the reset ipv6-pool max-ratio domain command in the user view to clear statistics
about IPv6 address pool usage in all domains on the device.

----End

8.15 Configuration Examples for IPv6 Address Management

This section provides several examples of IPv6 address management. Each configuration
example includes the networking requirements, configuration notes, and configuration
roadmap.

8.15.1 Example for Assigning IPv6 Prefixes to Users from the User-side Delegation Address Pool

This section provides an example for assigning IPv6 prefixes to users from a user-side
delegation address pool, including the networking requirements, configuration roadmap,
configuration procedure, and configuration files.

Networking Requirements
The CPE obtains IPv6 addresses or prefixes in NDRA+DHCPv6 (IA_PD) mode from the
NE40E, and the LAN users attached to the CPE use the prefixes and their interface IDs to
generate IPv6 addresses.

As shown in Figure 8-11:

l The NE40E functions as a delegating router assigning IPv6 prefixes to a requesting
router.
l The requesting router is located in domain isp1. It connects to the delegating router
through GE 1/0/1, and adopts the PPP authentication method.
l RADIUS authentication and RADIUS accounting are used.
l The IP address of the RADIUS server is 10.6.55.55, the respective numbers of
authentication and accounting ports are 1550 and 1551, and the standard RADIUS
protocol is adopted with the key being it-is-my-secret1.
l The IP address of the DNS server is 3002:3101::2:2.


Figure 8-11 Networking diagram of assigning IPv6 prefixes to users from the local delegation address pool on the user side
[Figure: subscriber@isp1 hosts sit behind the requesting router DeviceA, which connects through Interface1 to the delegating router DeviceB; DeviceB connects through Interface2 to the Internet, the DNS server and the RADIUS server.]
NOTE
Interfaces 1 through 2 in this example are 0/1/1 and 0/1/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a VT.
2. Configure the AAA scheme.
3. Configure a RADIUS server group.
4. Configure a prefix pool, an address pool (with the IP address of the DNS server
specified), and the binding between the two.
5. Configure a domain named isp1.
6. Configure a DUID for the DHCPv6 server.
7. Configure interfaces.

Data Preparation
To complete the configuration, you need the following data:

- Name of the authentication scheme and authentication method
- Name of the accounting scheme and accounting mode
- Name of the RADIUS server group and IP addresses and port numbers of the RADIUS authentication server and accounting server
- Names of the local IPv6 prefix pool and IPv6 delegation prefix pool, address prefix, and assignable prefix length
- Names of the user-side local IPv6 address pool and user-side delegation address pool
- Domain name


- Parameters of the BAS interface

Procedure
Only the configuration procedure for the NE40E is provided.

Step 1 Configure a virtual template.


[*Device] interface Virtual-Template 1
[*Device-Virtual-Template1] ppp authentication-mode pap
[*Device-Virtual-Template1] commit
[~Device-Virtual-Template1] quit

Step 2 Configure AAA schemes.

# Configure an authentication scheme.


[*Device] aaa
[*Device-aaa] authentication-scheme auth1
[*Device-aaa-authen-auth1] authentication-mode radius
[*Device-aaa-authen-auth1] commit
[~Device-aaa-authen-auth1] quit

# Configure an accounting scheme.


[*Device-aaa] accounting-scheme acct1
[*Device-aaa-accounting-acct1] accounting-mode radius
[*Device-aaa-accounting-acct1] commit
[~Device-aaa-accounting-acct1] quit
[~Device-aaa] quit

Step 3 Configure a RADIUS server group.


[*Device] radius-server group rd1
[*Device-radius-rd1] radius-server authentication 10.6.55.55 1550
[*Device-radius-rd1] radius-server accounting 10.6.55.55 1551
[*Device-radius-rd1] radius-server type standard
[*Device-radius-rd1] radius-server shared-key-cipher it-is-my-secret1
[*Device-radius-rd1] commit
[~Device-radius-rd1] quit
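With radius-server type standard, the shared key configured above is the only secret between the BRAS and the RADIUS server. RFC 2865 uses it to hide the PAP User-Password (an MD5 keystream derived from the key and the Request Authenticator, XORed over the password) and to compute the Response Authenticator that the NAS checks on every reply, so a forged Access-Accept from someone who does not hold the key is rejected, while anyone who does hold it can recover captured passwords. Prefer a long random key over a dictionary phrase and keep the RADIUS path on a management network, because the hiding is MD5-based and there is no other protection on the wire. The Python below is added here as an illustration and is not Huawei code; it implements both computations on constructed data, and the user name subscriber@isp1, the identifier and the fixed Request Authenticator used in the checks are assumptions for the example.

```python
"""What the RADIUS shared key does on the wire (RFC 2865, standard RADIUS).

Added illustration, not Huawei code: the NAS hides the PAP User-Password with
MD5(secret || Request Authenticator) XOR chains, and checks every reply's
Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+secret).
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block XOR MD5(secret + previous ciphertext block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server, or anyone holding the key, does)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                   request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request as the NAS sends it; the Request Authenticator is 16 fresh random bytes."""
    auth = request_auth if request_auth is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Access-Accept as a server holding the key produces it for the matching request."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: only a holder of the shared key can produce a valid authenticator for this request."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    key = b"it-is-my-secret1"  # key from the example; use a long random value in production
    req = access_request(7, b"subscriber@isp1", b"pw", key)  # assumed user name and password
    reply = access_accept(7, req[4:20], key)
    print("reply accepted:", verify_response(reply, req[4:20], key))
    print("forged reply accepted:", verify_response(access_accept(7, req[4:20], b"guess"), req[4:20], key))
```

The Response Authenticator is bound to the Request Authenticator of the specific request, so a reply captured for one login cannot be replayed for another; the password hiding, however, is reversible by anyone who knows the key, which is why the key itself must be treated as a credential.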

Step 4 Configure a local prefix pool.


[*Device] ipv6 prefix pre1 local
[*Device-ipv6-prefix-pre1] prefix 2010:2021::/64
[*Device-ipv6-prefix-pre1] commit
[~Device-ipv6-prefix-pre1] quit

Step 5 Configure a user-side local address pool.


[*Device] ipv6 pool pool1 bas local
[*Device-ipv6-pool-pool1] prefix pre1
[*Device-ipv6-pool-pool1] dns-server 3002:3101::2:2
[*Device-ipv6-pool-pool1] commit
[~Device-ipv6-pool-pool1] quit

Step 6 Configure a delegation prefix pool.


[*Device] ipv6 prefix pre2 delegation
[*Device-ipv6-prefix-pre2] prefix 2011:2022::/62 delegating-prefix-length 63
[*Device-ipv6-prefix-pre2] commit
[~Device-ipv6-prefix-pre2] quit

Step 7 Configure a user-side delegation address pool.


[*Device] ipv6 pool pool2 bas delegation
[*Device-ipv6-pool-pool2] prefix pre2
[*Device-ipv6-pool-pool2] dns-server 3002:3101::2:2
[*Device-ipv6-pool-pool2] commit
[~Device-ipv6-pool-pool2] quit


Step 8 Configure a domain named isp1.


[*Device] aaa
[*Device-aaa] domain isp1
[*Device-aaa-domain-isp1] authentication-scheme auth1
[*Device-aaa-domain-isp1] accounting-scheme acct1
[*Device-aaa-domain-isp1] radius-server group rd1
[*Device-aaa-domain-isp1] ipv6-pool pool1
[*Device-aaa-domain-isp1] ipv6-pool pool2
[*Device-aaa-domain-isp1] commit
[~Device-aaa-domain-isp1] quit
[~Device-aaa] quit

Step 9 Configure a DUID for the DHCPv6 server.


[*Device] dhcpv6 duid llt
Warning:The change of DUID will cause the accessed user work abnormally,
are you sure to change ? [Y/N]: y

Step 10 Configure interfaces.


# Bind GE 0/1/1.1 to a virtual template.
[*Device] interface GigabitEthernet 0/1/1.1
[*Device-GigabitEthernet0/1/1.1] pppoe-server bind virtual-template 1

# Configure a BAS interface.


[*Device-GigabitEthernet0/1/1.1] user-vlan 1
[*Device-GigabitEthernet0/1/1.1] bas
[*Device-GigabitEthernet0/1/1.1-bas] access-type layer2-subscriber default-domain authentication isp1
[*Device-GigabitEthernet0/1/1.1-bas] commit
[~Device-GigabitEthernet0/1/1.1-bas] quit

# Enable IPv6 on GE 0/1/1.1.


[*Device-GigabitEthernet0/1/1.1] ipv6 enable
[*Device-GigabitEthernet0/1/1.1] ipv6 address auto link-local
[*Device-GigabitEthernet0/1/1.1] commit
[~Device-GigabitEthernet0/1/1.1] quit

# Configure an upstream interface.


[*Device] interface GigabitEthernet 1/0/2
[*Device-GigabitEthernet1/0/2] ipv6 enable
[*Device-GigabitEthernet1/0/2] ipv6 address auto link-local
[*Device-GigabitEthernet1/0/2] ipv6 address 2011::1/64 eui-64
[*Device-GigabitEthernet1/0/2] commit
[~Device-GigabitEthernet1/0/2] quit

Step 11 Verify the configuration.


# Check information about the prefix pool named pre1. You can see that the prefix pool is a
local prefix pool and the prefix address is 2010:2021::/64.
<HUAWEI> display ipv6 prefix pre1
-------------------------------------------------------------
Prefix Name : pre1
Prefix Index : 4
Prefix constant index: -
Prefix Type : LOCAL
Prefix Address : 2010:2021::
Prefix Length : 64
Reserved Type : NONE
Valid Lifetime : 3 Days 0 Hours 0 Minutes
Preferred Lifetime: 2 Days 0 Hours 0 Minutes
IfLocked : Unlocked
Vpn instance : -
Conflict address : -


Free Prefix Count : 262144
Used Prefix Count : 0
Reserved Prefix Count: 0
-------------------------------------------------------------

# Check information about the prefix pool named pre2. You can see that the prefix pool is a
delegation prefix pool with the prefix address being 2011:2022::/62.
<HUAWEI> display ipv6 prefix pre2
-------------------------------------------------------------
Prefix Name : pre2
Prefix Index : 5
Prefix constant index: -
Prefix Type : DELEGATION
Prefix Address : 2011:2022::
Prefix Length : 62
Valid Lifetime : 3 Days 0 Hours 0 Minutes
Preferred Lifetime : 2 Days 0 Hours 0 Minutes
IfLocked : Unlocked
Vpn instance : -
PD Prefix Len : 64
PD Prefix/C-DUID : -
slaac-unshare-only : FALSE
Conflict address : -
Free Prefix Count : 4
Used Prefix Count : 0
Binded Prefix Count (Free): 0
Binded Prefix Count (Used): 0
Reserved Prefix Count: 0
-------------------------------------------------------------

# Check information about the address pool named pool1. You can see that the address pool is
a local address pool at the user side and the address pool is bound to the prefix pool named
pre1.
<HUAWEI> display ipv6 pool pool1
----------------------------------------------------------------------
Pool name : pool1
Pool No : 4
Pool-constant-index :-
Pool type : BAS LOCAL
Preference : 0
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : 0 Days 0 Hours 0 Minutes
Used by domain : 1
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : 3002:3101::2:2
Dns server slave : -
AFTR name : -
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 LOCAL
----------------------------------------------------------------------

# Check information about the address pool named pool2. You can see that the address pool is a user-side delegation address pool and that it is bound to the delegation prefix pool named pre2.
<HUAWEI> display ipv6 pool pool2
----------------------------------------------------------------------
Pool name : pool2
Pool No : 5
Pool-constant-index :-


Pool type : BAS DELEGATION
Preference : 255
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : 0 Days 0 Hours 0 Minutes
Used by domain : 0
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : -
Dns server slave : -
AFTR name : -
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre2 DELEGATION
----------------------------------------------------------------------

# Check configurations of the domain isp1. You can see that the domain is bound to IPv6
address pools pool1 and pool2.
<HUAWEI> display domain isp1
------------------------------------------------------------------------------
Domain-name : isp1
Domain-state : Active
Authentication-scheme-name : auth1
Accounting-scheme-name : acct1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
RADIUS-server-template : rd1
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IPv6-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No


Multicast-profile ipv6 : -
Max-multilist num : 4
Multicast-profile : -
IPv6-Pool-name : pool1
IPv6-Pool-name : pool2
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
------------------------------------------------------------------------------

----End
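The delegation pool configured in Step 6 carves 2011:2022::/62 into sub-prefixes of the length given by delegating-prefix-length, and each requesting router receives one of them keyed by its DUID; the LAN hosts behind the CPE then combine a delegated /64 with an EUI-64 interface ID, as described under Networking Requirements. One check worth making against the verification output above: display ipv6 prefix pre2 reports PD Prefix Len 64 and Free Prefix Count 4, which is what /64 delegation from a /62 yields, whereas delegating-prefix-length 63 as configured leaves only two /63 prefixes. The Python model below is added here as an illustration and is not Huawei code; it reproduces both counts and the SLAAC address derivation. The pool class, the DUID byte strings and the MAC address 00:18:82:53:a5:6a are assumptions for the example.

```python
"""Model of the local and delegation prefix pools configured above.

Added illustration, not Huawei code: reproduces the free/used counters that
`display ipv6 prefix` reports for a delegation pool and the SLAAC address a
LAN host derives from a delegated /64 and its EUI-64 interface ID.
"""
import ipaddress
from typing import Dict, List, Optional


class DelegationPrefixPool:
    """A parent prefix carved into fixed-length sub-prefixes for DHCPv6 IA_PD (assumed model)."""

    def __init__(self, parent: str, delegating_prefix_length: int) -> None:
        self.parent = ipaddress.IPv6Network(parent)
        if not self.parent.prefixlen <= delegating_prefix_length <= 64:
            raise ValueError("delegating prefix length must lie between the parent length and 64")
        if delegating_prefix_length - self.parent.prefixlen > 16:
            raise ValueError("refusing to materialise more than 65536 sub-prefixes in memory")
        self.pd_len = delegating_prefix_length
        # Every assignable sub-prefix, lowest first; its length is the "Free Prefix Count".
        self._free: List[ipaddress.IPv6Network] = list(self.parent.subnets(new_prefix=self.pd_len))
        # DUID -> delegated prefix: unshared mode, one prefix per requesting router.
        self._used: Dict[bytes, ipaddress.IPv6Network] = {}

    def free_count(self) -> int:
        return len(self._free)

    def used_count(self) -> int:
        return len(self._used)

    def delegate(self, client_duid: bytes) -> Optional[ipaddress.IPv6Network]:
        """Hand out the lowest free prefix; a renewing DUID gets its existing prefix back."""
        if client_duid in self._used:
            return self._used[client_duid]
        if not self._free:
            return None  # exhausted: the delegating router would answer NoPrefixAvail
        prefix = self._free.pop(0)
        self._used[client_duid] = prefix
        return prefix

    def release(self, client_duid: bytes) -> None:
        """Return a prefix to the pool when the requesting router goes offline."""
        prefix = self._used.pop(client_duid, None)
        if prefix is not None:
            self._free.append(prefix)
            self._free.sort()


def eui64_interface_id(mac: str) -> int:
    """RFC 4291 modified EUI-64: insert ff:fe after the OUI and invert the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a LAN host behind the CPE forms from a delegated /64 and its EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


if __name__ == "__main__":
    for pd_len in (63, 64):
        pool = DelegationPrefixPool("2011:2022::/62", pd_len)
        print(f"/62 with delegating-prefix-length {pd_len}: free prefixes = {pool.free_count()}")
    cpe = DelegationPrefixPool("2011:2022::/62", 64)
    lan_prefix = cpe.delegate(b"cpe-duid")  # assumed DUID of the requesting router
    print("delegated", lan_prefix, "-> host", slaac_address(str(lan_prefix), "00:18:82:53:a5:6a"))
```

The model also shows why exhaustion is a capacity and not just a planning issue: a /62 delegated in /64 units serves four CPEs and no more, so the warning threshold discussed in 8.13 should be set against the sub-prefix count, not the parent prefix size.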

Configuration Files
- Router Configuration Files
#
sysname HUAWEI
#
ipv6
#
dhcpv6 duid 006735f300188253a56a
#
radius-server group rd1
radius-server authentication 10.6.55.55 1550 weight 0
radius-server accounting 10.6.55.55 1551 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
interface Virtual-Template1
ppp authentication-mode pap
#
ipv6 prefix pre1 local
prefix 2010:2021::/64
#
ipv6 prefix pre2 delegation
prefix 2011:2022::/62
delegating-prefix-length 63
#
ipv6 pool pool1 bas local
prefix pre1
#
ipv6 pool pool2 bas delegation
prefix pre2
dns-server 3002:3101::2:2
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme auth1
authentication-mode radius
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme acct1
accounting-mode radius
#
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ipv6-pool pool1
ipv6-pool pool2
#
interface GigabitEthernet0/1/1.1


pppoe-server bind Virtual-Template 1
ipv6 enable
ipv6 address auto link-local
bas
access-type layer2-subscriber default-domain authentication isp1
#
interface GigabitEthernet1/0/2
ipv6 enable
ipv6 address 2011::1/64 eui-64
ipv6 address auto link-local
#
return

8.15.2 Example for Configuring a Remote Address Pool for DHCPv6 Users' IPv6 Address Assignment
This section provides an example for configuring a user-side remote address pool that is used
to assign IPv6 addresses to DHCPv6 users, including the networking requirements,
configuration roadmap, configuration procedure, and configuration files.

Networking Requirements
When the DHCPv6 server and the clients reside on different links, the Device functions as the Layer 2 access device and DHCPv6 relay agent, forwarding user requests for IPv6 addresses or prefixes to the DHCPv6 server.
On the network in Figure 8-12, the requirements are as follows:
- The user accesses the Device in IPoE mode, and the user belongs to the domain isp1.
- The user is assigned an address on the network segment 2660:2321::/64.
- RADIUS authentication and accounting are used.
- The IP address of the RADIUS server is 10.6.55.55. The authentication port number is 1550, and the accounting port number is 1551. The standard RADIUS protocol is used, with the shared key it-is-my-secret1.
- The IP address of the DHCPv6 server is 3002:3101::2:2.

Figure 8-12 Configuring a remote address pool to assign IPv6 addresses
[Figure: user@isp1 reaches the Device through the access network on Interface1; the Device connects through Interface2 to the Internet, the DHCPv6 server and the RADIUS server.]
NOTE
Interfaces 1 through 2 in this example are 0/1/1.1 and 0/1/2, respectively.


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AAA schemes.
2. Configure a RADIUS server group.
3. Configure a DHCPv6 server group.
4. Configure a remote IPv6 prefix pool.
5. Configure a user-side remote address pool and bind the DHCPv6 server group and IPv6
prefix pool to the address pool.
6. Configure an AAA domain to be used as the default authentication domain.
7. Configure a BAS interface.

Data Preparation
To complete the configuration, you need the following data:
- Remote IPv6 prefix pool name
- Remote address pool name
- Assignable IPv6 prefixes and prefix lengths

Procedure
Step 1 Configure AAA schemes on the Device.
# Configure an authentication scheme.
[*Device] aaa
[*Device-aaa] authentication-scheme auth1
[*Device-aaa-authen-auth1] authentication-mode radius
[*Device-aaa-authen-auth1] commit
[~Device-aaa-authen-auth1] quit

# Configure an accounting scheme.


[*Device-aaa] accounting-scheme acct1
[*Device-aaa-accounting-acct1] accounting-mode radius
[*Device-aaa-accounting-acct1] commit
[*Device-aaa-accounting-acct1] quit
[~Device-aaa] quit

Step 2 Configure a RADIUS server group on the Device.


[*Device] radius-server group rd1
[*Device-radius-rd1] radius-server authentication 10.6.55.55 1550
[*Device-radius-rd1] radius-server accounting 10.6.55.55 1551
[*Device-radius-rd1] radius-server type standard
[*Device-radius-rd1] radius-server shared-key-cipher it-is-my-secret1
[*Device-radius-rd1] commit
[~Device-radius-rd1] quit

Step 3 Configure a DHCPv6 server group named server1 on the Device.


[*Device] dhcpv6-server group server1
Info: It's successful to create a DHCPV6 server group
[*Device-dhcpv6-server-group-server1] dhcpv6-server destination 3002:3101::2:2
[*Device-dhcpv6-server-group-server1] commit
[~Device-dhcpv6-server-group-server1] quit


Step 4 Configure a remote IPv6 prefix pool named pre1 on the Device.
[*Device] ipv6 prefix pre1 remote
Info:Create a prefix pool
[*Device-ipv6-prefix-pre1] link-address 2660:2321::1/64
[*Device-ipv6-prefix-pre1] dhcpv6-only
[*Device-ipv6-prefix-pre1] commit
[~Device-ipv6-prefix-pre1] quit

NOTE

The dhcpv6-only command allows the IPv6 prefix pool to be used for IPv6 address or prefix assignment only
for DHCPv6 users. If the dhcpv6-only command is not run, the IPv6 prefix pool can be used for both ND and
DHCPv6 users.

Step 5 Configure a user-side remote address pool named pool1 on the Device.
[*Device] ipv6 pool pool1 bas remote
[*Device-ipv6-pool-pool1] prefix pre1
[*Device-ipv6-pool-pool1] dhcpv6-server group server1
[*Device-ipv6-pool-pool1] commit
[~Device-ipv6-pool-pool1] quit

Step 6 Configure a domain named isp1 on the Device.


[*Device] aaa
[*Device-aaa] domain isp1
[*Device-aaa-domain-isp1] authentication-scheme auth1
[*Device-aaa-domain-isp1] accounting-scheme acct1
[*Device-aaa-domain-isp1] radius-server group rd1
[*Device-aaa-domain-isp1] ipv6-pool pool1
[*Device-aaa-domain-isp1] commit
[~Device-aaa-domain-isp1] quit
[~Device-aaa] quit

Step 7 Configure a BAS interface.


# Enter the user access interface on the Device, enable IPv6, and set the M and O flags in RAs so that clients use DHCPv6 for both addresses and other configuration parameters.
[*Device] interface GigabitEthernet 0/1/1.1
[*Device-GigabitEthernet0/1/1.1] ipv6 enable
[*Device-GigabitEthernet0/1/1.1] ipv6 address auto link-local
[*Device-GigabitEthernet0/1/1.1] ipv6 nd autoconfig managed-address-flag
[*Device-GigabitEthernet0/1/1.1] ipv6 nd autoconfig other-flag
[*Device-GigabitEthernet0/1/1.1] commit
[~Device-GigabitEthernet0/1/1.1] quit

# Configure the interface as a BAS interface.


[*Device] interface GigabitEthernet 0/1/1.1
[*Device-GigabitEthernet0/1/1.1] user-vlan 1 20
[*Device-GigabitEthernet0/1/1.1-vlan-1-20] quit
[*Device-GigabitEthernet0/1/1.1] bas
[*Device-GigabitEthernet0/1/1.1-bas] access-type layer2-subscriber default-domain authentication isp1
[*Device-GigabitEthernet0/1/1.1-bas] authentication-method-ipv6 bind
[*Device-GigabitEthernet0/1/1.1-bas] commit
[~Device-GigabitEthernet0/1/1.1-bas] quit

NOTE

- In bind authentication, the user name is generated automatically from the user's access location on the NE40E and the domain name. Therefore, configure on the RADIUS server a user name that follows the generation rule, with the password vlan.
- For details on the user name generation rule used in bind authentication, see vlanpvc-to-username in HUAWEI NE40E-M2 Series Universal Service Router Command Reference.

Step 8 Verify the configuration.


# Display information about the prefix pool named pre1. The command output shows that the
prefix pool is a remote prefix pool with the prefix address of 2660:2321::/64.


<Device> display ipv6 prefix pre1
-------------------------------------------------------------
Prefix Name : pre1
Prefix Index : 5
Prefix constant index: -
Prefix Type : REMOTE
Link-Address : 2660:2321::1
Prefix Length : 64
Reserved Type : NONE
IfLocked : Unlocked
Vpn instance : -
Lease manage : false
Reserved Prefix Count: 0
Excluded Prefix Count: 0
-------------------------------------------------------------

# Display information about the address pool named pool1. The command output shows that
the address pool is a user-side remote address pool and the address pool is bound to the
remote prefix pool named pre1.
<Device> display ipv6 pool pool1
---------------------------------------------------------------
Pool name : pool1
Pool No : 3
Pool constant index: -
Pool type : BAS REMOTE
RUI-Flag : -
Preference : 255
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : infinite
Used by domain : 1
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : -
Dns server slave : -
AFTR name : -
State : UP
Server down times : 0
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 REMOTE
---------------------------------------------------------------

Step 9 Run commit to commit the configuration.

----End

Configuration Files
#
ipv6
#
radius-server group rd1
radius-server authentication 10.6.55.55 1550 weight 0
radius-server accounting 10.6.55.55 1551 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
dhcpv6-server group server1
dhcpv6-server destination 3002:3101::2:2
#
ipv6 prefix pre1 remote
link-address 2660:2321::1/64


#
ipv6 pool pool1 bas remote
prefix pre1
dhcpv6-server group server1
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme auth1
authentication-mode radius
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme acct1
accounting-mode radius
#
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ipv6-pool pool1
#
interface GigabitEthernet0/1/1.1
user-vlan 1 20
ipv6 enable
ipv6 address auto link-local
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
bas
#
access-type layer2-subscriber default-domain authentication isp1
authentication-method-ipv6 bind
#
return

8.15.3 Example for Configuring a Remote Address Pool for ND Users' IPv6 Address Assignment
This section provides an example for configuring a remote address pool that is used to assign
IPv6 addresses to ND users, including the networking requirements, configuration roadmap,
configuration procedure, and configuration files.

Networking Requirements
On the network in Figure 8-13, the Device is a DHCPv6 relay agent, and the remote DHCPv6 server assigns ND prefixes to users. The requirements are as follows:
- The user accesses the Device in IPoE mode through GE 0/1/1.1, belongs to the domain isp1 and uses bind authentication.
- The user is assigned an address on the network segment 2660:2321::/64.
- RADIUS authentication and accounting are used.
- The IP address of the RADIUS server is 10.6.55.55. The authentication port number is 1550, and the accounting port number is 1551. The standard RADIUS protocol is used, with the shared key it-is-my-secret1.
- The IP address of the DHCPv6 server is 3002:3101::2:2.

Figure 8-13 Configuring a remote address pool for ND users' IPv6 address assignment
[Figure: the user accesses the Device on Interface1; the Device reaches the DHCPv6 server and the RADIUS server through Interface2.]
NOTE
Interfaces 1 through 2 in this example are 0/1/1.1 and 0/1/2, respectively.



Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 packet forwarding on the Device.
2. Configure AAA schemes.
3. Configure a RADIUS server group.
4. Configure a DHCPv6 server group.
5. Configure a remote IPv6 prefix pool.
6. Configure a user-side remote address pool and bind the DHCPv6 server group and IPv6
prefix pool to the address pool.
7. Configure an AAA domain to be used as the default authentication domain.
8. Configure a BAS interface.

Data Preparation
To complete the configuration, you need the following data:
- Remote IPv6 prefix pool name
- Remote address pool name
- Next-hop relay agent's IPv6 address
- Link-address in the prefix pool
NOTE

The remote DHCPv6 server selects an address pool based on the link-address option in packets sent by the
relay agent.
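The link-address is a field in the RELAY-FORW header (RFC 8415, section 9) that the relay fills with an address from the client-facing link; that is what link-address 2660:2321::1/64 in the remote prefix pool supplies, and the remote server compares it with the prefixes it serves to choose a pool. Because the server acts on that field as received, only known relay addresses should be allowed to reach the DHCPv6 server (a host that can inject relay messages can otherwise steer pool selection). The Python below is added here as an illustration and is not Huawei code: it builds the relayed SOLICIT, parses it on the server side and performs the pool match. The server pool table, the client MAC and DUID, and the peer link-local address are constructed for the example.

```python
"""DHCPv6 relay encapsulation and link-address based pool selection (RFC 8415).

Added illustration, not Huawei code: the BRAS wraps the client's message in a
RELAY-FORW whose link-address identifies the client-facing link; the remote
server matches that address against the prefixes it serves to choose a pool.
"""
import ipaddress
import struct
import time
from typing import Dict, Optional, Tuple, Union

MSG_SOLICIT, MSG_RELAY_FORW = 1, 12               # message types
OPT_CLIENTID, OPT_IA_NA, OPT_RELAY_MSG = 1, 3, 9  # option codes
HW_ETHERNET = 1


def duid_llt(mac: str, when: Optional[int] = None) -> bytes:
    """DUID-LLT (type 1): hardware type, seconds since 2000-01-01 UTC mod 2^32, link-layer address."""
    epoch_2000 = 946684800
    secs = (int(time.time()) if when is None else when) - epoch_2000
    return struct.pack("!HHI", 1, HW_ETHERNET, secs & 0xFFFFFFFF) + bytes.fromhex(mac.replace(":", ""))


def option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def solicit(xid: int, client_duid: bytes, iaid: int) -> bytes:
    """Client SOLICIT: 1-byte msg-type, 3-byte transaction ID, Client Identifier, empty IA_NA."""
    header = struct.pack("!I", (MSG_SOLICIT << 24) | (xid & 0xFFFFFF))
    ia_na = struct.pack("!III", iaid, 0, 0)  # IAID, T1, T2 (0 lets the server choose)
    return header + option(OPT_CLIENTID, client_duid) + option(OPT_IA_NA, ia_na)


def relay_forward(link_address: str, peer_address: str, inner: bytes, hop_count: int = 0) -> bytes:
    """RELAY-FORW: msg-type, hop-count, link-address, peer-address, then a Relay Message option."""
    return (struct.pack("!BB", MSG_RELAY_FORW, hop_count)
            + ipaddress.IPv6Address(link_address).packed
            + ipaddress.IPv6Address(peer_address).packed
            + option(OPT_RELAY_MSG, inner))


def parse_relay_forward(pkt: bytes) -> Tuple[ipaddress.IPv6Address, ipaddress.IPv6Address, bytes]:
    """Server side: return (link-address, peer-address, inner client message); reject malformed input."""
    if len(pkt) < 34 or pkt[0] != MSG_RELAY_FORW:
        raise ValueError("not a RELAY-FORW message")
    link = ipaddress.IPv6Address(pkt[2:18])
    peer = ipaddress.IPv6Address(pkt[18:34])
    pos, inner = 34, None
    while pos + 4 <= len(pkt):
        code, length = struct.unpack("!HH", pkt[pos:pos + 4])
        body = pkt[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated option")
        if code == OPT_RELAY_MSG:
            inner = body
        pos += 4 + length
    if pos != len(pkt) or inner is None:
        raise ValueError("trailing bytes or missing Relay Message option")
    return link, peer, inner


def select_pool(link: Union[str, ipaddress.IPv6Address], pools: Dict[str, str]) -> Optional[str]:
    """Pick the pool whose prefix contains the relay's link-address; None means no pool for that link."""
    addr = ipaddress.IPv6Address(link)
    for name, prefix in pools.items():
        if addr in ipaddress.IPv6Network(prefix):
            return name
    return None


# Constructed server-side pool table: one pool per served prefix (assumption for the example).
SERVER_POOLS = {"isp1-pool": "2660:2321::/64", "other-pool": "2001:db8:1::/64"}


def demo() -> Tuple[Optional[str], int]:
    """Relay a constructed SOLICIT from link-address 2660:2321::1 and return (pool, inner msg type)."""
    client_msg = solicit(0x123456, duid_llt("00:11:22:33:44:55", when=1544000000), iaid=1)
    wire = relay_forward("2660:2321::1", "fe80::211:22ff:fe33:4455", client_msg)
    link, _peer, inner = parse_relay_forward(wire)
    return select_pool(link, SERVER_POOLS), inner[0]


if __name__ == "__main__":
    print(demo())  # ('isp1-pool', 1)
```

The peer-address (the client's link-local address) is what the server's reply is relayed back to, while the link-address alone drives pool selection; the Device's own upstream address plays no part in that choice, which is why the link-address in the remote prefix pool must fall inside the prefix the server is expected to hand out.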

Procedure
Step 1 Configure a DHCPv6 server group.
<Device> system-view
[*Device] dhcpv6-server group group1
[*Device-dhcpv6-server-group-group1] dhcpv6-server destination 3002:3101::2:2
[*Device-dhcpv6-server-group-group1] commit
[~Device-dhcpv6-server-group-group1] quit

Step 2 Configure a remote prefix pool and a remote address pool.


[*Device] ipv6 prefix pre1 remote
Info:Create a prefix pool
[*Device-ipv6-prefix-pre1] link-address 2660:2321::1/64
[*Device-ipv6-prefix-pre1] commit
[~Device-ipv6-prefix-pre1] quit
[*Device] ipv6 pool pool1 bas remote
[*Device-ipv6-pool-pool1] prefix pre1
[*Device-ipv6-pool-pool1] dhcpv6-server group group1
[*Device-ipv6-pool-pool1] commit
[~Device-ipv6-pool-pool1] quit

Step 3 Configure a RADIUS server group on the Device.


[*Device] radius-server group rd1


[*Device-radius-rd1] radius-server authentication 10.6.55.55 1550
[*Device-radius-rd1] radius-server accounting 10.6.55.55 1551
[*Device-radius-rd1] radius-server type standard
[*Device-radius-rd1] radius-server shared-key-cipher it-is-my-secret1
[*Device-radius-rd1] commit
[~Device-radius-rd1] quit

Step 4 Configure AAA schemes.

# Configure an authentication scheme.


[*Device] aaa
[*Device-aaa] authentication-scheme auth1
[*Device-aaa-authen-auth1] authentication-mode radius
[*Device-aaa-authen-auth1] commit
[~Device-aaa-authen-auth1] quit

# Configure an accounting scheme.


[*Device-aaa] accounting-scheme acct1
[*Device-aaa-accounting-acct1] accounting-mode radius
[*Device-aaa-accounting-acct1] quit
[*Device-aaa] commit
[~Device-aaa] quit

Step 5 Configure a domain named isp1.


[*Device] aaa
[*Device-aaa] domain isp1
[*Device-aaa-domain-isp1] authentication-scheme auth1
[*Device-aaa-domain-isp1] accounting-scheme acct1
[*Device-aaa-domain-isp1] radius-server group rd1
[*Device-aaa-domain-isp1] ipv6-pool pool1
[*Device-aaa-domain-isp1] prefix-assign-mode unshared
[*Device-aaa-domain-isp1] commit
[~Device-aaa-domain-isp1] quit
[~Device-aaa] quit

Step 6 Configure a BAS interface.

# Configure a BAS interface on the Device.


[*Device] interface GigabitEthernet 0/1/1.1
[*Device-GigabitEthernet0/1/1.1] user-vlan 1 20
[*Device-GigabitEthernet0/1/1.1-vlan-1-20] quit
[*Device-GigabitEthernet0/1/1.1] ipv6 enable
[*Device-GigabitEthernet0/1/1.1] ipv6 address auto link-local
[*Device-GigabitEthernet0/1/1.1] bas
[*Device-GigabitEthernet0/1/1.1-bas] access-type layer2-subscriber default-domain authentication isp1
[*Device-GigabitEthernet0/1/1.1-bas] authentication-method-ipv6 bind
[*Device-GigabitEthernet0/1/1.1-bas] commit
[~Device-GigabitEthernet0/1/1.1-bas] quit

NOTE

- In bind authentication, the user name is generated automatically from the user's access location on the NE40E and the domain name. Therefore, configure on the RADIUS server a user name that follows the generation rule, with the password vlan.
- For details on the user name generation rule used in bind authentication, see vlanpvc-to-username in HUAWEI NE40E-M2 Series Universal Service Router Command Reference.
- The interface configuration determines whether IPoE access users use stateless address autoconfiguration (M=0) or stateful address autoconfiguration (M=1). If the M flag is 0 and the O flag is 1, the client obtains its address through stateless address autoconfiguration and obtains other configuration parameters, such as DNS server addresses, through DHCPv6.

Step 7 Verify the configuration.


# Display information about the prefix pool named pre1. The command output shows that the
prefix pool is a remote prefix pool.
<Device> display ipv6 prefix pre1
-------------------------------------------------------------
Prefix Name : pre1
Prefix Index : 5
Prefix constant index: -
Prefix Type : REMOTE
Link-Address : 2660:2321::1
Prefix Length : 64
Reserved Type : NONE
IfLocked : Unlocked
Vpn instance : -
Lease manage : false
Reserved Prefix Count: 0
Excluded Prefix Count: 0
-------------------------------------------------------------

# Display information about the address pool named pool1. The command output shows that
the address pool is a user-side remote address pool and the address pool is bound to the
remote prefix pool named pre1.
<Device> display ipv6 pool pool1
---------------------------------------------------------------
Pool name : pool1
Pool No : 3
Pool constant index: -
Pool type : BAS REMOTE
RUI-Flag : -
Preference : 255
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : infinite
Used by domain : 1
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : -
Dns server slave : -
AFTR name : -
State : UP
Server down times : 0
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 REMOTE
---------------------------------------------------------------

Step 8 Run commit


The configuration is committed.

----End

Configuration Files
#
ipv6
#
radius-server group rd1
radius-server authentication 10.6.55.55 1550 weight 0
radius-server accounting 10.6.55.55 1551 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
dhcpv6-server group group1
dhcpv6-server destination 3002:3101::2:2


#
ipv6 prefix pre1 remote
link-address 2660:2321::1/64
#
ipv6 pool pool1 bas remote
prefix pre1
dhcpv6-server group group1
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme auth1
authentication-mode radius
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme acct1
accounting-mode radius
#
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ipv6-pool pool1
prefix-assign-mode unshared
#
interface GigabitEthernet0/1/1.1
user-vlan 1 20
ipv6 enable
ipv6 address auto link-local
bas
#
access-type layer2-subscriber default-domain authentication isp1
authentication-method-ipv6 bind
#
return


9 IPoE Access Configuration

About This Chapter

This chapter describes how to control and manage various types of access services by using BRAS access. This feature is supported only in the Admin-VS.
This feature is not supported on the M2E.
9.1 Overview of IPoE Access
This section describes basic concepts of IP over Ethernet (IPoE) access, helping you quickly
configure IPoE access.
9.2 Licensing Requirements and Limitations for IPoE--M2F
9.3 Licensing Requirements and Limitations for IPoE--M2H
9.4 Licensing Requirements and Limitations for IPoE--M2K
9.5 Configuring an Authentication Mode for IPoE Access
You can use authentication technologies to exchange authentication packets, user names and
passwords between user terminals and the NE40E. The NE40E supports multiple
authentication technologies.
9.6 Configuring IPoE Access Services
In IPoE access, users can access the Internet by sending packets without using client dial-in software.
9.7 Configuring IPoEv6 Access Services
IPoEv6 access users can access the Internet by sending packets without dialing up. Therefore,
dial-up software does not need to be installed on the client.
9.8 Maintaining IPoE Access
Maintaining BRAS access includes monitoring the operating status of the BRAS, clearing the
statistics about login and logout users, and debugging in the case of failures.
9.9 Configuration Examples for IPoE Access Authentication
This section provides examples for configuring the BRAS access service, including
networking requirements, configuration notes, and configuration roadmap.


9.1 Overview of IPoE Access


This section describes basic concepts of IP over Ethernet (IPoE) access, helping you quickly
configure IPoE access.
In IPv4 network access where a user terminal connects to a BRAS's Ethernet interface
through a Layer 2 device, such as a LAN switch, the user IP packets are encapsulated into
IPoE packets by the user terminal's Ethernet interface before they are transmitted to the BRAS
through the Layer 2 device. IPoE is an access mode that allows the BRAS to perform
authentication and authorization on users and user services based on the physical or logical
user information carried in IPoE packets, such as the MAC address, VLAN ID, and Option
82.
IPoE access has the following advantages:
• Simple access mode that does not need dial-up software on the client
• More applicable to multicast services

NOTE

Services are interrupted if the memory size of the master MPU is inconsistent with that of the slave
MPU.

9.2 Licensing Requirements and Limitations for IPoE--M2F

Licensing Requirements

BOM: 81400884
License Control Item: NE40E-M2 Series PPPoE/IPoE Function License
Description: Controllable feature: This license controls the PPPoE/IPoE function on a device.
Minimum Version Requirement: V800R009


Restrictions and Guidelines

Restriction: Restrictions on IPv6 web authentication users:
• Users who obtain IPv6 addresses with shared prefixes through ND are not supported.
• vCPE users are not supported.
• A dual-stack web user goes online in the pre-authentication domain and is switched to the authentication domain from the IPv6 stack. After the user goes offline from the IPv6 stack by sending a Release message, the user cannot be switched to the pre-authentication domain from the IPv4 stack. A dual-stack web user is switched to the authentication domain from the IPv4 stack. After the user goes offline from the IPv4 stack by sending a Release message, the user cannot be switched to the pre-authentication domain from the IPv6 stack.
• If the IP address of the web server configured in the pre-authentication domain is the same as that of the portal server configured in the authentication domain, users are redirected to the specified portal server address for the number of times specified by the portal-server redirect-limit limit command.
Guidelines: None
Impact: None


Restriction: When the RADIUS server delivers the Framed-Route attribute to a leased line user, user-to-network traffic does not support source IP address check (URPF).
Guidelines: Do not deliver the Framed-Route attribute to leased line users if you have high requirements for source IP address check.
Impact: The URPF function does not take effect.

Restriction: If a DHCPv6 packet carries the IA_NA and IA_PD options at the same time, an HG cannot send two Solicit messages to obtain an IPv6 prefix and address respectively. If two Solicit messages are sent, the address type requested in the first Solicit message is assigned for the second Solicit message.
Guidelines: A client needs to carry IP address and prefix information at the same time.
Impact: Users fail to go online.

Restriction: If a Layer 3 DHCPv6 user sends a login request carrying the IA_NA option, the user cannot be directly connected to the BAS interface and must be connected to the BAS interface through a Layer 3 device. The user can apply for an IPv6 address only. If a client DUID is generated in LLT or LL mode, user access is supported. If a client DUID is generated in other modes, user access is supported only when the first-hop relay agent sends a DHCPv6 message in which the Option 37 carries the client's MAC address to the BRAS. User access is not supported if the preceding conditions are not met.
Guidelines: Clients are required to obtain IPv6 addresses through DHCPv6.
Impact: Users fail to go online.

Restriction: Separate collection of statistics about IPv4 and IPv6 traffic is not supported for Layer 3 leased line users.
Guidelines: Do not collect statistics about IPv4 and IPv6 traffic separately for Layer 3 leased line dual-stack users.
Impact: All traffic of dual-stack Layer 3 leased line users is counted as IPv4 traffic.


Restriction: Flexible access to a VPN supports only PPPoEv4 users, dynamic IPoEv4 users, and static IPoEv4 users.
Guidelines: None
Impact: Flexible access to a VPN does not take effect for users not supported.

Restriction: The auto save feature supports Layer 2 DHCPv4 users with the authentication and accounting modes set to non-authentication and non-accounting, respectively.
Guidelines: None
Impact: The auto save function does not take effect.

Restriction: In a scenario where the next hop of a static route is the IP address of a static user, multiple next hops are not supported for the static user, that is, route load balancing is not supported.
Guidelines: Do not configure a static user's IP address as the next hop of a static route in load-balancing scenarios.
Impact: Load balancing does not take effect.

9.3 Licensing Requirements and Limitations for IPoE--M2H

Licensing Requirements

BOM: 81400884
License Control Item: NE40E-M2 Series PPPoE/IPoE Function License
Description: Controllable feature: This license controls the PPPoE/IPoE function on a device.
Minimum Version Requirement: V800R009


Restrictions and Guidelines

Restriction: Restrictions on IPv6 web authentication users:
• Users who obtain IPv6 addresses with shared prefixes through ND are not supported.
• vCPE users are not supported.
• A dual-stack web user goes online in the pre-authentication domain and is switched to the authentication domain from the IPv6 stack. After the user goes offline from the IPv6 stack by sending a Release message, the user cannot be switched to the pre-authentication domain from the IPv4 stack. A dual-stack web user is switched to the authentication domain from the IPv4 stack. After the user goes offline from the IPv4 stack by sending a Release message, the user cannot be switched to the pre-authentication domain from the IPv6 stack.
• If the IP address of the web server configured in the pre-authentication domain is the same as that of the portal server configured in the authentication domain, users are redirected to the specified portal server address for the number of times specified by the portal-server redirect-limit limit command.
Guidelines: None
Impact: None


Restriction: When the RADIUS server delivers the Framed-Route attribute to a leased line user, user-to-network traffic does not support source IP address check (URPF).
Guidelines: Do not deliver the Framed-Route attribute to leased line users if you have high requirements for source IP address check.
Impact: The URPF function does not take effect.

Restriction: If a DHCPv6 packet carries the IA_NA and IA_PD options at the same time, an HG cannot send two Solicit messages to obtain an IPv6 prefix and address respectively. If two Solicit messages are sent, the address type requested in the first Solicit message is assigned for the second Solicit message.
Guidelines: A client needs to carry IP address and prefix information at the same time.
Impact: Users fail to go online.

Restriction: If a Layer 3 DHCPv6 user sends a login request carrying the IA_NA option, the user cannot be directly connected to the BAS interface and must be connected to the BAS interface through a Layer 3 device. The user can apply for an IPv6 address only. If a client DUID is generated in LLT or LL mode, user access is supported. If a client DUID is generated in other modes, user access is supported only when the first-hop relay agent sends a DHCPv6 message in which the Option 37 carries the client's MAC address to the BRAS. User access is not supported if the preceding conditions are not met.
Guidelines: Clients are required to obtain IPv6 addresses through DHCPv6.
Impact: Users fail to go online.

Restriction: Separate collection of statistics about IPv4 and IPv6 traffic is not supported for Layer 3 leased line users.
Guidelines: Do not collect statistics about IPv4 and IPv6 traffic separately for Layer 3 leased line dual-stack users.
Impact: All traffic of dual-stack Layer 3 leased line users is counted as IPv4 traffic.


Restriction: Flexible access to a VPN supports only PPPoEv4 users, dynamic IPoEv4 users, and static IPoEv4 users.
Guidelines: None
Impact: Flexible access to a VPN does not take effect for users not supported.

Restriction: The auto save feature supports Layer 2 DHCPv4 users with the authentication and accounting modes set to non-authentication and non-accounting, respectively.
Guidelines: None
Impact: The auto save function does not take effect.

Restriction: In a scenario where the next hop of a static route is the IP address of a static user, multiple next hops are not supported for the static user, that is, route load balancing is not supported.
Guidelines: Do not configure a static user's IP address as the next hop of a static route in load-balancing scenarios.
Impact: Load balancing does not take effect.

9.4 Licensing Requirements and Limitations for IPoE--M2K

Licensing Requirements

BOM: 88035BKA
License Control Item: M2 Series BNG Function License
Description: Controllable feature: This license controls the PPPoE, IPoE, L2TP, DAA, and EDSG function.
Minimum Version Requirement: V800R010C10


Restrictions and Guidelines

Restriction: Restrictions on IPv6 web authentication users:
• Users who obtain IPv6 addresses with shared prefixes through ND are not supported.
• vCPE users are not supported.
• A dual-stack web user goes online in the pre-authentication domain and is switched to the authentication domain from the IPv6 stack. After the user goes offline from the IPv6 stack by sending a Release message, the user cannot be switched to the pre-authentication domain from the IPv4 stack. A dual-stack web user is switched to the authentication domain from the IPv4 stack. After the user goes offline from the IPv4 stack by sending a Release message, the user cannot be switched to the pre-authentication domain from the IPv6 stack.
• If the IP address of the web server configured in the pre-authentication domain is the same as that of the portal server configured in the authentication domain, users are redirected to the specified portal server address for the number of times specified by the portal-server redirect-limit limit command.
Guidelines: None
Impact: None


Restriction: When the RADIUS server delivers the Framed-Route attribute to a leased line user, user-to-network traffic does not support source IP address check (URPF).
Guidelines: Do not deliver the Framed-Route attribute to leased line users if you have high requirements for source IP address check.
Impact: The URPF function does not take effect.

Restriction: If a DHCPv6 packet carries the IA_NA and IA_PD options at the same time, an HG cannot send two Solicit messages to obtain an IPv6 prefix and address respectively. If two Solicit messages are sent, the address type requested in the first Solicit message is assigned for the second Solicit message.
Guidelines: A client needs to carry IP address and prefix information at the same time.
Impact: Users fail to go online.

Restriction: If a Layer 3 DHCPv6 user sends a login request carrying the IA_NA option, the user cannot be directly connected to the BAS interface and must be connected to the BAS interface through a Layer 3 device. The user can apply for an IPv6 address only. If a client DUID is generated in LLT or LL mode, user access is supported. If a client DUID is generated in other modes, user access is supported only when the first-hop relay agent sends a DHCPv6 message in which the Option 37 carries the client's MAC address to the BRAS. User access is not supported if the preceding conditions are not met.
Guidelines: Clients are required to obtain IPv6 addresses through DHCPv6.
Impact: Users fail to go online.

Restriction: Separate collection of statistics about IPv4 and IPv6 traffic is not supported for Layer 3 leased line users.
Guidelines: Do not collect statistics about IPv4 and IPv6 traffic separately for Layer 3 leased line dual-stack users.
Impact: All traffic of dual-stack Layer 3 leased line users is counted as IPv4 traffic.


Restriction: Flexible access to a VPN supports only PPPoEv4 users, dynamic IPoEv4 users, and static IPoEv4 users.
Guidelines: None
Impact: Flexible access to a VPN does not take effect for users not supported.

Restriction: The auto save feature supports Layer 2 DHCPv4 users with the authentication and accounting modes set to non-authentication and non-accounting, respectively.
Guidelines: None
Impact: The auto save function does not take effect.

Restriction: In a scenario where the next hop of a static route is the IP address of a static user, multiple next hops are not supported for the static user, that is, route load balancing is not supported.
Guidelines: Do not configure a static user's IP address as the next hop of a static route in load-balancing scenarios.
Impact: Load balancing does not take effect.
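The two DHCPv6 rows of the restriction tables in 9.2, 9.3 and 9.4 (a client should carry IA_NA and IA_PD in one Solicit; a Layer 3 DHCPv6 user is admitted only if its DUID is of type LLT or LL, or the first-hop relay agent's Option 37 carries the client MAC) can be checked against a captured login request before a rollout. The following Python script is an added example, not Huawei code or part of this guide: it uses the RFC 8415 message and option layouts, treats a 6-byte Remote-ID payload as the client MAC (an assumption for the example), and builds its sample messages inline rather than from real captures.

```python
import struct

# DHCPv6 message types and option codes (RFC 8415; Remote-ID is RFC 4649).
MSG_SOLICIT, MSG_RELAY_FORW = 1, 12
OPT_CLIENTID, OPT_IA_NA, OPT_RELAY_MSG, OPT_IA_PD, OPT_REMOTE_ID = 1, 3, 9, 25, 37
DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
HW_ETHERNET = 1


def parse_options(buf):
    """Decode a DHCPv6 option block into a list of (code, data) pairs."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated option %d" % code)
        opts.append((code, bytes(buf[off:off + length])))
        off += length
    if off != len(buf):
        raise ValueError("trailing bytes after the last option")
    return opts


def mac_from_duid(duid):
    """Return the Ethernet MAC embedded in a DUID-LLT or DUID-LL, else None."""
    if len(duid) < 4:
        return None
    dtype, hwtype = struct.unpack_from("!HH", duid)
    if hwtype != HW_ETHERNET:
        return None
    if dtype == DUID_LLT and len(duid) == 14:   # type, hwtype, time(4), MAC(6)
        return duid[8:]
    if dtype == DUID_LL and len(duid) == 10:    # type, hwtype, MAC(6)
        return duid[4:]
    return None


def unwrap_relay(msg):
    """Strip Relay-forward layers; return (client message, first-hop Remote-ID, hops)."""
    remote_id, hops = None, 0
    while msg[0] == MSG_RELAY_FORW:
        # Relay header: msg-type(1) hop-count(1) link-address(16) peer-address(16).
        inner, seen = None, None
        for code, data in parse_options(msg[34:]):
            if code == OPT_RELAY_MSG:
                inner = data
            elif code == OPT_REMOTE_ID:
                seen = data[4:]                  # skip the 4-byte enterprise number
        if inner is None:
            raise ValueError("Relay-forward without a Relay-Message option")
        if seen is not None:                     # innermost relay is the first hop
            remote_id = seen
        msg, hops = inner, hops + 1
    return msg, remote_id, hops


def check_login(msg):
    """Classify a (possibly relayed) Solicit against the DHCPv6 rows of the table."""
    client, remote_id, hops = unwrap_relay(msg)
    if client[0] != MSG_SOLICIT:
        return {"admit": False, "reason": "not a Solicit"}
    opts = parse_options(client[4:])             # msg-type(1) + transaction-id(3)
    codes = {code for code, _ in opts}
    duid = next((data for code, data in opts if code == OPT_CLIENTID), b"")
    result = {"admit": True, "mac": None, "mac_source": None, "relayed": hops > 0,
              "ia_na": OPT_IA_NA in codes, "ia_pd": OPT_IA_PD in codes}
    mac = mac_from_duid(duid)
    if mac is not None:
        result.update(mac=mac, mac_source="duid")
    elif remote_id is not None and len(remote_id) == 6:
        # Assumption for this example: a 6-byte Remote-ID payload is the client MAC.
        result.update(mac=remote_id, mac_source="remote-id")
    else:
        result.update(admit=False,
                      reason="DUID is not LLT/LL and no relay Option 37 carries the MAC")
    return result


# --- Constructed sample messages (built here, not captured traffic) ---
def build_solicit(duid, want_prefix):
    opts = struct.pack("!HH", OPT_CLIENTID, len(duid)) + duid
    opts += struct.pack("!HHIII", OPT_IA_NA, 12, 1, 0, 0)          # IAID, T1, T2
    if want_prefix:
        opts += struct.pack("!HHIII", OPT_IA_PD, 12, 2, 0, 0)
    return bytes([MSG_SOLICIT]) + b"\x00\x00\x01" + opts            # transaction-id 1


def wrap_relay(inner, remote_mac, enterprise=2011):
    opts = struct.pack("!HHI", OPT_REMOTE_ID, 4 + len(remote_mac), enterprise) + remote_mac
    opts += struct.pack("!HH", OPT_RELAY_MSG, len(inner)) + inner
    return bytes([MSG_RELAY_FORW, 0]) + bytes(32) + opts             # zero link/peer addresses


MAC = bytes.fromhex("00112233aabb")
DUID_LL_SAMPLE = struct.pack("!HH", DUID_LL, HW_ETHERNET) + MAC
DUID_EN_SAMPLE = struct.pack("!HI", DUID_EN, 2011) + b"cpe-01"
DIRECT_LL = build_solicit(DUID_LL_SAMPLE, True)          # DUID-LL, IA_NA + IA_PD together
RELAYED_EN = wrap_relay(build_solicit(DUID_EN_SAMPLE, True), MAC)  # DUID-EN via relay + Option 37
DIRECT_EN = build_solicit(DUID_EN_SAMPLE, False)         # DUID-EN, no relay: not admitted

if __name__ == "__main__":
    for name, pkt in (("direct LL", DIRECT_LL), ("relayed EN", RELAYED_EN), ("direct EN", DIRECT_EN)):
        print(name, check_login(pkt))
```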

9.5 Configuring an Authentication Mode for IPoE Access


You can use authentication technologies to exchange authentication packets, user names and
passwords between user terminals and the NE40E. The NE40E supports multiple
authentication technologies.

Applicable Environment
Web authentication is an interactive authentication mode in which the user opens the
authentication page on the web authentication server, and enters the user name and password
to be authenticated.

Fast authentication is the simplified web authentication. The user opens the web page for
authentication but does not need to enter the user name and password. The NE40E generates
the user name and password according to information about the BAS interface from which the
user logs in.

Binding authentication means that the NE40E automatically generates the user name and
password based on the user's physical location.

9.5.1 Configuring Web Authentication or Fast Authentication


Web authentication refers to an interactive authentication mode in which a user opens the
authentication page on the Web authentication server, and enters the user name and password
for authentication. Fast authentication refers to an authentication mode in which a user opens
the authentication page on the Web authentication server for authentication, without entering
the user name and password.


Context
When configuring Web authentication or fast authentication, you need the following
parameters:

• IP address and VPN instance of the server
• Port number of the server
• Shared key of the server
• Whether the NE40E reports its own IP address to the server
• Portal protocol version, listening port number, and source interface sending portal packets
• Pages to which users are redirected

Perform the following steps on the NE40E:

NOTE

• The new password is at least eight characters long and contains at least two of upper-case letters, lower-case letters, digits, and special characters.
• When configuring an authentication password, select the ciphertext mode: in simple text mode the password is saved in plain text in the configuration file, which is a security risk. To ensure device security, change the password periodically.

Procedure
Step 1 Configuring the Web Authentication Server
1. Run system-view

The system view is displayed.


2. Run web-auth-server ip-address [ vpn-instance instance-name ] [ port port-number ] [ key { simple simple-key | cipher cipher-key } ] [ nas-ip-address ] [ detect-time detect-time ] [ user-query exclude pre-domain ]

The Web authentication server is configured.

Step 2 (Optional) Configuring the Portal Protocol


1. Run system-view

The system view is displayed.


2. (Optional) Run web-auth-server version { v2 [ v1 ] | v3 }

The portal protocol version is set.


3. (Optional) Run web-auth-server listening-port port

The number of the listening port on the NE40E is specified.

4. (Optional) Run web-auth-server source interface interface-type interface-number

The source interface for sending packets is configured on the NE40E.

5. (Optional) Run web-auth-server reply-message

The NE40E is configured to transparently transmit Remote Authentication Dial In User Service (RADIUS) packets.

6. Run web response-error-id enable

The host is enabled to send an Access-Reject packet with an error code to the Portal server.
Step 3 (Optional) Configuring Mandatory Web Authentication
Mandatory web authentication means that the NE40E redirects the access request of a user to
the specified web server for authentication if the user accesses a URL without permission
before the authentication.
1. Run aaa
The AAA view is displayed.
2. (Optional) Run http-redirect enable
The HTTP packet redirection function is enabled.
3. Run domain domain-name
The view of the default pre-authentication domain is displayed.
4. (Optional) Run web-server url url
The redirection URL address for forced web authentication is configured.
– Or Run web-server url-parameter
The protocol adopted by Web authentication is set to the extension Portal protocol supported by the ISP.
– Or Run web-server ip-address [ ipv6-address ] [ slave ]
The IP address of the web authentication server is configured.
The IPv6 address of the web authentication server should be configured for a web dual-stack user.
– Or Run web-server mode { get | post }
The HTTP mode of forced web authentication is configured.
– Or Run web-server redirect-key { mscg-ip mscg-ip-key | mscg-name mscg-name-key | user-ip-address user-ip-key | user-location user-location-key | nas-logic-sysname nas-logic-sysname-key | user-mac-address { user-mac-key [ simple ] [ type1 ] | cipher aes128 } }, web-server redirect-key ap-mac-address ap-mac-key [ simple [ type1 ] | cipher aes128 ], web-server redirect-key ssid ssid-key, or web-server redirect-key agent-remote-id agent-remote-id-key
The keyword for attributes of a customized portal is configured.
– (Optional) Or Run web-server url-parameter { shared-key shared-key | shared-key-cipher shared-key-cipher }
The shared key for generating the ciphertext user MAC address or AP MAC address to be displayed is specified. After the web-server redirect-key command with cipher aes128 configured is run, this command is used to generate the ciphertext user MAC address or AP MAC address to be displayed.
– Or Run web-server user-first-url-key { key-name | default-name }
The keywords for tracing the main page are configured.


NOTE

Redirection URL must be configured in the preauthentication domain for a web dual-stack user.
Otherwise, mandatory web authentication may fail.
5. (Optional) Run web-server { ip-address | url url } bind web-auth-server ip-address
[ vpn-instance vpn-instance ]
The Web authentication server bound to the mandatory Web authentication server is
configured.
6. (Optional) Run web-server { ip-address | url url } bind web-auth-server ip-address
[ vpn-instance vpn-instance ] slave
The Web authentication server bound to the standby mandatory Web authentication
server is configured.
7. (Optional) Run mac-authentication enable
The MAC address authentication is enabled.

NOTE

MAC address authentication is used to simplify Web authentication. If MAC address
authentication is enabled, the user for Web authentication only needs to input the user name and
password at the first time and the RADIUS server records the user's MAC address. When the user
attempts to pass the Web authentication again, the RADIUS server performs the authentication
based on the users' MAC address and the user does not need to input the user name and password
again.
In the existing network, this command is usually used together with the authening authen-fail
online authen-domain domain-name command. If the MAC authentication fails, the user can
perform the Web authentication by inputting the user name and password in the re-direction
domain, and then enter the authentication domain and access the network resources.
8. (Optional) Run http-hostcar enable
The hostcar function is enabled for HTTP packets of forcible web users.
9. Run quit
The AAA view is displayed.
10. Run quit
The system view is displayed.
Step 4 (Optional) Configuring Web Performance Optimization
1. Run system-view
The system view is displayed.
2. Run http-url deny urlstring
The URLs for which web authentication or portal redirection will be performed forcibly
(blacklist) are configured.
3. Run http-url count enable slot [ interval interval-value ] [ aging aging-value ]
Statistics on URLs are collected based on the host field.
4. Run slot slotid
The slot view is displayed.
5. Run http-hostcar cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]
Bandwidth limitations are configured for HTTP packets sent by users for authentication.


6. Run quit
The system view is displayed.
7. Run aaa
The AAA view is displayed.
8. Run domain domain-name
The domain view is displayed.
9. Run http-hostcar enable [ no-fast-reply ]
hostcar and quick reply are configured for HTTP packets of users on which web
authentication is performed forcibly.
10. Run quit
The AAA view is displayed.
11. Run quit
The system view is displayed.
Step 5 (Optional) Configuring IP address reallocation
1. Run domain domain-name
The view of the authentication domain is displayed.
2. Run reallocate-ip-address
IP address reallocation is enabled in a domain.
Currently, many PCs do not need to be authenticated and can be connected to the
network. If public IP addresses are allocated to PCs after the PCs start, IP addresses will
be wasted. With IP address reallocation, the NE40E allocates a private address to a user
who is not authenticated, and then allocates a public address to a user who is
authenticated. This solves the problem that public addresses are insufficient, and
improves public address usage.
The reallocate-ip-address command is used only for Web users.
3. Run quit
The AAA view is displayed.
4. Run quit
The system view is displayed.
Step 6 Configuring the Authentication Domain and Authentication Method on the BAS Interface
Web authentication users are considered unauthorized users before they are authenticated.
Therefore, they cannot obtain IP addresses or access the web authentication server.
This means web authentication cannot be performed on web authentication users. To resolve
this problem, all unauthenticated web authentication users are assigned to a default domain
configured on an interface. This default domain is called the pre-authentication default
domain. Unauthenticated web authentication users can obtain IP addresses through the pre-
authentication default domain and access the web authentication server through the authorities
granted to the pre-authentication default domain for web authentication.
1. Run interface interface-type interface-number


The interface view is displayed.


2. Run bas
The BAS interface view is displayed.
3. Run access-type layer2-subscriber
The user access type is set to Layer 2 subscriber access.
4. Run default-domain pre-authentication domain-name
The default pre-authentication domain is specified.
5. Run default-domain authentication [ force | replace ] domain-name
The default authentication domain is specified.
6. Run authentication-method { web | fast } or authentication-method-ipv6 { web | fast }
Web authentication or fast authentication is configured.
Step 7 Run commit
The configuration is committed.

----End

9.5.2 Configuring Binding Authentication


In addition to Web authentication, users can also be authenticated using binding
authentication.

Context
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run bas
The BAS interface view is displayed.
Step 4 Run access-type layer2-subscriber
The user access type is set to Layer 2 subscriber access.
Step 5 Run default-domain pre-authentication domain-name
The default pre-authentication domain is specified.
Step 6 Run default-domain authentication [ force | replace ] domain-name
The default authentication domain is specified.


Step 7 Run authentication-method { { ppp | dot1x } * | bind }


PPP authentication, 802.1X authentication, or binding authentication is configured.
You can set the authentication mode for only Layer 2 users on the BAS interface. Multiple
authentication modes can be configured on an interface except for the following:
• Web authentication conflicts with fast authentication.
• Binding authentication conflicts with the other authentication modes.
Step 8 Run commit
The configuration is committed.

----End

9.5.3 Verifying the Authentication Mode Configuration for IPoE Access

After an authentication mode is configured, you can view the authentication mode by
checking the domain configuration.

Procedure
• Run the display web-auth-server configuration command to check the configuration of the Web authentication server.
• Run the display domain [ domain-name ] command to check the configuration of the domain.
• Run the display aaa default-user-name [ template template-name | global ] command to check the mode in which pure IPoE user names are generated.
• Run the display aaa default-password [ template template-name | global ] command to check the IPoE user password or the password generation mode.
----End

Example
After the configuration is complete, you can run the display web-auth-server configuration
command to view the configuration of the Web authentication server.
<HUAWEI> display web-auth-server configuration
Source interface : -
Listening port : 2000
Portal : version 1, version 2, version 3
Display reply message : enabled
------------------------------------------------------------------------
Server Share-Password Port NAS-IP Vpn-instance
------------------------------------------------------------------------
192.168.3.140 ****** 50100 NO
------------------------------------------------------------------------
1 Web authentication server(s) in total

After the configuration is complete, you can run the display domain [ domain-name ]
command to view the configuration of the domain. For example:
<HUAWEI> display domain
------------------------------------------------------------------------------
Domain name State CAR Access-limit Online BODNum RptVSMNum
------------------------------------------------------------------------------


default0 Active 0 279552 0 0 0
default1 Active 0 279552 0 0 0
default_admin Active 0 279552 0 0 0
default Active 0 279552 0 0 0
isp1 Active 0 279552 0 0 0
------------------------------------------------------------------------------
Total 5,5 printed

After the configuration is complete, you can run the display aaa default-user-name
command to view the mode in which IPoE user names are generated. For example:
<HUAWEI> display aaa default-user-name global
Global user name format:enable
Sysname:yes, separator :"-"
Gateway-address:-, separator :no
IP address:-, separator :no
MAC address:-, separator :no
Access-line-id: -, separator :no
Access-line-id circuit-id:-, separator :no, offset: -, parse-mode:%s
Access-line-id remote-id:-, separator :no,offset: -, parse-mode:%s
Vendor-class: -, separator: no,cn-format:-, sub-option:-, offset:-, length:-
Client-id:-, separator :no
DHCPv4 option12:-,separator :no
PE VLAN: -, separator :no
CE VLAN:-, separator :no
Port:-, separator :no
Slot:-, separator :no
Subslot:-, separator :no

After the configuration is complete, you can run the display aaa default-password command
to view the IPoE user password or the mode in which IPoE user passwords are generated. For
example:
<HUAWEI> display aaa default-password global
Global password:the default is ******

9.6 Configuring IPoE Access Services


In IPoE access, users can access the Internet by sending packets without using client
dial-in software.

Usage Scenario
The IPoE access service is an access authentication service. In IPoE access, a user accesses
the Internet by using the Ethernet or asymmetric digital subscriber line (ADSL). The user uses
a fixed IP address or obtains an IP address by using the Dynamic Host Configuration Protocol
(DHCP). The system then authenticates the user by using Web authentication, fast
authentication, or binding authentication.

Depending on the networking, IPoE services are classified into IPoE, IPoEoVLAN, and
IPoEoQ services.

Pre-configuration Tasks
Before configuring the IPoE access service, complete the following tasks:

• Configuring Authorization, Authentication, and Accounting (AAA) schemes
• Configuring an IPv4 address pool
• Configuring a domain


Configuration Procedures
To configure the IPoE access service, perform the following procedures.

NOTE

Configuring an AAA scheme, 6.6 Configuring RADIUS, Configuring an IPv4 address pool, and
Configuring a domain are not provided here because all the procedures are described in other chapters.

Figure 9-1 Configuration procedures for IPoE

[Flowchart; only the procedure names are recoverable from the extracted text.]
IPoE: Configuring AAA schemes > Configuring a server template > Configuring an IPv4 address pool > Configuring a domain > Configuring the web authentication > Configuring the ACL > Configuring the BAS interface
IPoEoVLAN / IPoEoQ: Configuring AAA schemes > Configuring a server template > Configuring an IPv4 address pool > Configuring a domain > Configuring the web authentication > Configuring the ACL > Binding a sub-interface to a VLAN > Configuring the BAS interface
Legend: Mandatory procedure / Optional procedure

9.6.1 Binding a Sub-interface to a VLAN


The NE40E processes received tagged user packets from different types of users in different
manners to ensure that different types of packets are properly forwarded.

Context
If users access the network by using a sub-interface, the sub-interface needs to be bound to a
VLAN.


You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding
a sub-interface to a VLAN, you need the following parameters:

l Sub-interface number
l VLAN ID
l QinQ ID
NOTE

l On each main interface, you can set the any-other parameter on only one sub-interface. On one sub-
interface, any-other cannot be set together with start-vlan or qinq.
l If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a
sub-interface, the user-vlan cannot be configured on this sub-interface.
l Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.

Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number.subinterface-number

A sub-interface is created and the sub-interface view is displayed.

Step 3 For Layer 2 subscriber access, run:


user-vlan { start-vlan [ end-vlan ] [ dot1q start-qinq-id [ end-qinq-id ] ] | any-other }

A user-side VLAN is created.

For Layer 3 subscriber access, run:

vlan-type dot1q vlan-id

A user-side VLAN is created.

Step 4 Run commit

The configuration is committed.

----End

9.6.2 Configuring a BAS Interface


When an interface is used for broadband access, you need to configure it as a BAS interface,
and then specify the user access type and attributes for the interface.

Context
When configuring a BAS interface, you need the following parameters:

l BAS interface number


l Access type and authentication scheme
l (Optional) Maximum number of users that are allowed access through the BAS interface
and maximum number of users that are allowed access through a specified VLAN


l (Optional) Default domain, roaming domain, and domains that users are allowed to
access
l (Optional) Whether to enable the functions of proxy ARP, DHCP broadcast, accounting
packet copy, IP packet trigger-online, and user-based multicast replication
l (Optional) Whether to trust the access-line-id information reported by clients, user
detection parameters, VPN instances of non-PPP users, and BAS interface name
Perform the following steps on NE40E:

NOTE

l The leased line user password (see the leased line access types in Step 4) must be at least eight
characters long and contain at least two of the following: upper-case letters, lower-case letters,
digits, and special characters.
l For security purposes, you are advised to configure the password in ciphertext mode (cipher) and
change it periodically.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.

NOTE
In scenarios with BRAS access through L2VPN termination, run the ve-group ve-group-id l2-terminate
command to configure the VE interface as an L2VE interface to terminate an L2VPN and bind the
interface to a VE group. In scenarios with BRAS access through L3VPN termination, run the ve-group
ve-group-id l3-terminate command to configure the VE interface as an L3VE interface to terminate an
L3VPN and bind the interface to a VE group. The preceding commands are configured in the VE
interface view. Only Layer 3 static user access is supported in scenarios with BRAS access through
L3VPN termination. For details, see Example for Configuring BRAS Access Through L3VPN
Termination.

Step 3 Run bas


A BAS interface is created, and the BAS interface view is displayed.
You can configure an interface as the BAS interface by running the bas command in the
interface view. You can configure an Ethernet interface or its sub-interface, a VE interface or
its sub-interface, an ATM interface or its sub-interface, or an Eth-Trunk interface or its sub-
interface as a BAS interface.
Step 4 Run access-type layer2-subscriber [ default-domain { [ authentication [ force | replace ]
dname ] [ pre-authentication predname ] } ]
The access type is set to Layer 2 subscriber access and the attributes of this access type are
configured.
Or run access-type layer3-subscriber [ default-domain { [ pre-authentication predname ]
authentication [ force | replace ] dname } ]
The access type is set to Layer 3 subscriber access and the attributes of this access type are
configured.
When setting the access type on the BAS interface, you can set the service attributes of the
access users at the same time. You can also set these attributes in later configurations.


When configuring Layer 3 subscriber access, you can run the layer3-subscriber start-ip-
address end-ip-address [ vpn-instance instance-name ] domain-name domain-name
command and the layer3-subscriber ip-address any domain-name domain-name command
in the system view to specify an IP address segment and authentication domain name.
The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk
interface. You can configure the access type of such an Ethernet interface only on the
associated Eth-Trunk interface.
When configuring static routes for Layer 3 users, specify the next hop as the user IP address
and do not specify the outbound interface. Otherwise, network-to-user traffic may fail to be
forwarded.
Run access-type layer2-leased-line user-name uname password { cipher password | simple
password } [ bas-interface-name bname | default-domain authentication dname |
accounting-copy radius-server rd-name | nas-port-type { async | sync | isdn-sync | isdn-
async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap |
adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 } ] *
The access type is set to Layer 2 leased line access and the attributes of this access type are
configured.
Run access-type layer3-leased-line { user-name uname | user-name-template } password
{ cipher password | simple password } [ default-domain authentication dname | bas-
interface-name bname | accounting-copy radius-server rd-name | nas-port-type { async |
sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-
fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 } | mac-
address mac-address | client-id client-id ] *
The access type is set to Layer 3 leased line access and the attributes of this access type are
configured.
If there is an online user on the BAS interface, you can change the access type on the interface
only when the online user is a leased line user.
After the access type is set to leased line access, the NE40E performs authentication on the
leased line users immediately.
Step 5 (Optional) Run access leased-line connection chasten request-session request-period
blocking-period quickoffline
Suppression of leased line user access is enabled.
If the duration or traffic volume quota delivered by the RADIUS server to a leased line user is
0, the leased line user can go online but will go offline immediately. This results in frequent
login and logout of leased line users.
The command can be run to configure the maximum number of connection requests allowed,
the interval at which connection requests can be sent, and a blocking period.
Step 6 (Optional) Run trust 8021p-protocol
The 802.1p priority of user packets is set to be trusted.
The trust 8021p-protocol command can be configured only when the access type is set to
Layer 2 subscriber access.
Step 7 (Optional) Run access-limit number [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-
vlan ] [ user-type { ipoe | pppoe } ] ]


The number of users that are allowed access through the interface is configured.
l If the access-limit command is configured on a sub-interface enabled with BAS, the
number of VLAN users that access the sub-interface is limited.
l If the access-limit command is configured on a main interface enabled with BAS and the
VLAN range is not specified in the command, the total number of VLAN users that
access the main interface is limited. Note that the configuration of access-limit on a sub-
interface takes precedence over that on the corresponding main interface.
l You can also specify the user-type parameter to limit the maximum number of access
users based on access types.
Step 8 (Optional) Run default-domain pre-authentication domain-name
The default pre-authentication domain is specified.

l Or run default-domain authentication [ force | replace ] domain-name


The default authentication domain is specified.
l Or run permit-domain domain-name &<1-16>
The domain in which users are allowed to access is specified.
Or run deny-domain domain-name&<1-16>
The domain in which users are denied to access is specified.
The permit-domain command cannot be configured together with the deny-domain
command, deny-domain-list command, or permit-domain-list command on a BAS
interface.
l Or run permit-domain-list
The list of domains whose users are allowed to access is specified.
Or run deny-domain-list
The list of domains whose users are denied to access is specified.
Step 9 (Optional) Run client-option82 [ { basinfo-insert { cn-telecom | version3 } | version1 } ]
The NE40E is configured to trust the access-line-id information reported by clients.
Or, run basinfo-insert cn-telecom
The NE40E is configured to insert the access-line-id information in the format defined by
China Telecom instead of trusting the access-line-id information reported by clients.
Or run basinfo-insert version2
The NE40E is configured to insert the access-line-id information in the version2 format
instead of trusting the access-line-id information reported by clients.
The Router will parse and transmit access-line-id information based on the following
configurations:
l Run the option82-relay-mode dslam { auto-identify | config-identify } command to
allow the Router to extract information from the access-line-id field in the packet sent
from the DSLAM and add the information to Agent-CircuitID and Agent-RemoteID
attributes sent to the RADIUS server. Or run the option82-relay-mode include
{ allvalue | { agent-circuit-id | agent-remote-id [ separator ] } * } command to allow
the NAS-Port-Id attribute sent to the RADIUS server to contain access-line-id
information.


l Run the option82-relay-mode subopt { agent-circuit-id { hex | string } | agent-remote-id
{ hex | string } } command to configure the format of Agent-CircuitID or Agent-RemoteID
information.
Or run vbas vbas-mac-address [ auth-mode { ignore | reject } ]
The function of locating a user through the virtual BAS (VBAS) is enabled.
Step 10 (Optional) Run client-option60
The Router is configured to trust the Option 60 information reported by clients.
The Router derives the user domain from Option 60 as follows. If the Option 60 field contains
the domain name delimiter (@ by default), the character string following the delimiter is used
as the domain name. If the field contains no delimiter, the Router performs a fuzzy or exact
match of the domain name information according to the configured mode. If no user domain
information is obtained from Option 60, the Router continues with the following procedure,
which stops as soon as user domain information is obtained:
1. Check whether the client-option60 command is configured on the BAS interface. If the
command is configured, obtain user domain information from the command
configuration.
2. Check whether the dhcp option-60 command is configured in the system view. If the
command is configured, obtain user domain information from the command
configuration.
3. Use the authentication domain configured on the BAS interface as the user domain.
Step 11 (Optional) Run option37-relay-mode include remote-id
The DHCP6ACC component is enabled to remove enterprise number information from
Option 37 in a Solicit or Request message to be sent to the UM component.
The following operations must have been performed:
l Run the client-option37 [ basinfo-insert ft-telecom ] command to enable the NE40E to
trust the information in the Option 37 field of DHCPv6 messages sent by clients.
l Run the client-option18 command to enable the server to trust the information in the
Option 18 field of DHCPv6 messages sent by clients.
Step 12 (Optional) Run accounting-copy radius-server radius-name
The accounting packet copy function is enabled.

Step 13 (Optional) Run link-account resolve


An accounting request packet that the NE40E sends to a RADIUS server is allowed to carry
the link-account attribute.
Before running the command, set the access type to Layer 2 subscriber access.
The command affects RADIUS No. 25 attribute in accounting request packets sent by the
NE40E to a RADIUS accounting server.
An interface fills the link-account information into RADIUS attribute 25 (Class) only if both
of the following conditions are met:
l Users getting online from the interface do not need to be authenticated, and RADIUS
accounting is configured on the interface.


l For common Layer 2 users, VLANs and VLAN descriptions are configured on the
interface.
Step 14 Perform the following configurations by service type:
l For IPoE access services:
Run the ip-trigger command to enable user access triggered by IP packets. Or run the
arp-trigger command to enable user access triggered by ARP packets.
l For IPoEv6 access services:
Run the ipv6-trigger command to enable user access triggered by IPv6 packets. Or run
the nd-trigger command to enable user access triggered by NS/NA packets.
Step 15 (Optional) Run wlan-switch enable [ switch-group switch-group-name ]
WLAN user roaming switchover is enabled.
After WLAN user roaming switchover is enabled on a BAS interface, you need to configure
the interface to use received user packets to trigger roaming procedures for WLAN users.
Perform the following configurations based on the actual roaming scenarios:
l If users do not pass through Wi-Fi blind spots when roaming between different APs, run
either the ip-trigger or arp-trigger command or both to configure the interface to
trigger roaming procedures for the WLAN users based on the received IP or ARP
packets, or run the ipv6-trigger command to configure the interface to trigger roaming
procedures for Layer 2 IPv6 users based on the received IPv6 packets.
l If users pass through Wi-Fi blind spots when roaming between different APs, run the
dhcp session-mismatch action roam { ipv4 | ipv6 } * command to configure the
interface to allow users to send DHCPv4 Discover or Request messages or DHCPv6
Solicit messages to re-log in.
NOTE

– The dhcp session-mismatch action roam { ipv4 | ipv6 } * and dhcp session-mismatch
action offline commands override one another. If the two commands are run on the same
interface, the command run later takes effect.
– The dhcp session-mismatch action roam { ipv4 | ipv6 } * command can be configured
together with the ip-trigger, the arp-trigger and the ipv6-trigger commands.

After the preceding steps are performed, WLAN users do not need to be re-authenticated for
login after being logged out when roaming between different APs. This ensures that services
are not interrupted.
Step 16 (Optional) Run user detect retransmit num interval time [ no-datacheck ] or user detect
no-datacheck
User detection parameters are configured.
Step 17 (Optional) Run dhcp session-mismatch action offline
Online users whose physical location information is changed but MAC addresses remain
unchanged are logged out when they resend DHCP or ND login requests.

Step 18 (Optional) Run block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any
qinq start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ]
The BAS interface is blocked.

Step 19 Run authentication-method { bind | { ppp } * }


The authentication mode is configured.


You can set the authentication mode for only Layer 2 users on the BAS interface. Multiple
authentication modes can be configured on an interface but you should note the following:
l Bind authentication conflicts with other authentication modes.
Step 20 (Optional) Run dhcp-reply trust broadcast-flag
The device is enabled to use the broadcast flag value in a DHCP request packet to determine
the destination MAC address type for a DHCP response packet.

NOTE

After the dhcp-reply trust broadcast-flag command is run, if the broadcast flag value in a DHCP
request packet is 1, the device replies with a DHCP response packet that carries the broadcast address of
all Fs as the destination MAC address; if the broadcast flag value in a DHCP request packet is 0, the
device replies with a DHCP response packet that carries the user MAC address as the destination MAC
address.
The dhcp-reply trust broadcast-flag command applies only to Layer 2 access users.
The dhcp-reply trust broadcast-flag command is mutually exclusive with the dhcp-broadcast
command.

Step 21 (Optional) Run dhcpv6 user-identify-policy { option79-option38 | option38-option79 |
option79 | option38 } [ no-exist-action offline ]
A method is configured for obtaining MAC addresses of Layer 3 DHCPv6 users during login.
Step 22 Run commit
The configuration is committed.

----End
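Steps 9 and 10 above describe what a BAS interface configured with client-option82 and client-option60 extracts from a DHCPv4 client message: the Agent-CircuitID and Agent-RemoteID sub-options of Option 82, rendered as hex or string, and a domain name taken from Option 60 with a fallback order when none is found. The following Python is an added example written for this page, not Huawei code: it parses a constructed DHCPDISCOVER, splits Option 82 into its sub-options, renders them the way the hex and string modes of option82-relay-mode subopt would, and applies the domain lookup order. The constructed packet, the configured-domain parameters of select_domain() (stand-ins for the client-option60 and dhcp option-60 settings), and the omission of the fuzzy/exact match step are assumptions.

```python
"""Added example for this page (not Huawei code): what a BAS interface configured with
client-option82 and client-option60 extracts from a DHCPv4 client message.

Assumptions: the DHCPDISCOVER below is constructed, not captured; the configured-domain
parameters of select_domain() stand in for the client-option60 / dhcp option-60 settings;
the 'fuzzy or exact match' step is not modelled."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_VENDOR_CLASS = 60   # Option 60, vendor class identifier
OPT_RELAY_AGENT = 82    # Option 82, relay agent information (RFC 3046)
SUB_CIRCUIT_ID = 1      # Agent Circuit ID sub-option
SUB_REMOTE_ID = 2       # Agent Remote ID sub-option


def parse_dhcp_options(payload):
    """Return {code: value} from a DHCPv4 payload (BOOTP fixed header + options).
    Repeated options are concatenated, PAD (0) skipped, END (255) stops parsing;
    a truncated option raises rather than being accepted with a short value."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCPv4 payload")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parse_option82(value):
    """Split Option 82 into {sub-option: bytes}; trailing or truncated data is an error."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        sub, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated Option 82 sub-option %d" % sub)
        subs[sub] = data
        i += 2 + length
    if i != len(value):
        raise ValueError("trailing bytes in Option 82")
    return subs


def render(data, mode):
    """Mirror of option82-relay-mode subopt ... { hex | string }: 'hex' dumps the bytes;
    'string' decodes printable ASCII and falls back to hex so binary IDs stay unambiguous."""
    if mode == "string" and data and all(32 <= b < 127 for b in data):
        return data.decode("ascii")
    return data.hex()


def select_domain(opts, bas_option60_domain=None, system_option60_domain=None,
                  bas_auth_domain="default0", delimiter="@"):
    """Domain lookup in the order Step 10 gives: text after the delimiter in Option 60,
    then the BAS client-option60 setting, then the system dhcp option-60 setting,
    then the authentication domain of the BAS interface."""
    vendor = opts.get(OPT_VENDOR_CLASS)
    if vendor is not None:
        text = vendor.decode("ascii", errors="replace")
        if delimiter in text:
            domain = text.split(delimiter, 1)[1]
            if domain:
                return domain, "option60"
    for domain, source in ((bas_option60_domain, "bas client-option60"),
                           (system_option60_domain, "system dhcp option-60")):
        if domain:
            return domain, source
    return bas_auth_domain, "bas authentication domain"


def build_discover(chaddr, options):
    """Constructed DHCPDISCOVER: BOOTP fixed header, chaddr padded to 16 bytes, empty
    sname/file, magic cookie, message-type option, caller options, END."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    fixed += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128
    return fixed + DHCP_MAGIC + b"\x35\x01\x01" + options + b"\xff"


def sample_discover():
    """Constructed client message: ASCII circuit ID as an access node would insert,
    a binary remote ID, and a vendor class carrying a domain after '@'."""
    circuit_id = b"eth 0/1/2:100"
    remote_id = bytes.fromhex("001122334455")
    opt82 = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
             + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    vendor = b"cpe-v2@isp7"
    options = (bytes([OPT_VENDOR_CLASS, len(vendor)]) + vendor
               + bytes([OPT_RELAY_AGENT, len(opt82)]) + opt82)
    return build_discover(bytes.fromhex("00e0fc000001"), options)


def analyze(payload, subopt_mode="string", **domain_cfg):
    """Circuit ID, remote ID and domain as the BAS interface would report them."""
    opts = parse_dhcp_options(payload)
    subs = parse_option82(opts.get(OPT_RELAY_AGENT, b""))
    domain, source = select_domain(opts, **domain_cfg)
    return {"circuit_id": render(subs.get(SUB_CIRCUIT_ID, b""), subopt_mode),
            "remote_id": render(subs.get(SUB_REMOTE_ID, b""), subopt_mode),
            "domain": domain, "domain_source": source}


if __name__ == "__main__":
    print(analyze(sample_discover(), bas_auth_domain="lsh"))
```

The point to keep in mind when choosing between client-option82 and the basinfo-insert forms: client-option82 trusts whatever Option 82 arrives, so the access node must be the device that inserts (and overwrites) it; a subscriber who can reach the BAS interface with a self-inserted Option 82 would otherwise choose its own circuit and remote IDs. The parser above also rejects truncated options rather than accepting a short value, which is the behaviour a practitioner wants before any of these fields are copied into RADIUS attributes.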

9.6.3 (Optional) Configuring Access Control on a BAS Interface


Configure a BAS interface to filter users that attempt to go online so that only specified users
are allowed to access the Router.

Context
To filter users based on source MAC addresses, configure an ACL rule. When a DHCP or
PPP user attempts to go online, the Router matches the user's source MAC address against the
ACL rules and admits or rejects the user according to the action of the matching rule.
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run acl { name link-acl-name { link | [ link ] number link-acl-number } | [ number ] link-
acl-number } [ match-order { config | auto } ]
The ACL view is displayed.
Step 3 Run rule [ rule-id ] { deny | permit } source-mac source-mac sourcemac-mask


An ACL rule is configured.

NOTE

BAS interfaces support only ACLs in the range 4000 to 4999, and the ACL rules can only define users'
source MAC addresses. The source MAC address for DHCP users is the hardware address carried in DHCP
packets.

When a BAS interface uses a filter-policy to filter users, note the following:
l If the action specified in the ACL rule is permit, only users matching the rule are
allowed to access the Router.
l If the action specified in the ACL rule is deny, users matching the rule are not allowed to
access the Router, and the other users are allowed to access the Router.
l If the ACL does not have any rules, the BAS interface that references this ACL does not
filter access users based on users' MAC addresses.
l If the ACL referenced by the BAS interface does not exist, the BAS interface does not
filter access users based on users' MAC addresses.

Step 4 Run quit

Return to the system view.

Step 5 (Optional) Run ppp keepalive slow acl acl-num source-mac

PPP slow reply is configured for PPP echo packets with a specified MAC address.

Step 6 Run interface interface-type interface-number [ .subinterface-number ]

The interface view is displayed.

Step 7 Run bas

A BAS interface is created and the BAS interface view is displayed.

Step 8 Run filter-policy acl acl-number dhcp or filter-policy acl acl-number ppp

The BAS interface is configured to filter DHCP users (dhcp) or PPP users (ppp) that attempt to
go online based on the ACL rules.

NOTE

l Before running the filter-policy acl command, the BAS interface must already have the access-type
command configured.
l An access type can be bound to only one ACL on an interface.
l Because IP addresses are assigned to DHCP users based on the MAC addresses contained in user DHCP
packets, if you run the filter-policy acl acl-number dhcp command to filter users, the command filters
users based on source MAC addresses contained in the DHCP packets, rather than those contained in the
Ethernet headers. This command cannot filter out attackers whose MAC addresses contained in Ethernet
headers are inconsistent with those contained in DHCP packets. To protect the device from this type of
attack, run the dhcp check chaddr command.
l The filter-policy acl acl-number ppp command applies to PPPoE, PPPoEoA, and L2TP users.

Step 9 Run commit

The configuration is committed.

----End
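The admission rules in the Context and the NOTE above (permit-only ACL admits only matches, deny-only ACL rejects matches and admits everyone else, an empty or missing ACL filters nobody) and the caveat that filter-policy acl matches the hardware address inside the DHCP packet rather than the Ethernet source address are easiest to see when run over concrete frames. The following Python is an added example written for this page, not Huawei code: it evaluates a MAC ACL against the chaddr of constructed DHCP payloads with and without the consistency check that dhcp check chaddr adds. The mask semantics (a 1 bit in the mask means that bit is compared), the handling of an ACL that mixes permit and deny rules, and the minimal DHCP payloads are assumptions.

```python
"""Added example for this page (not Huawei code): the admission rules of filter-policy acl
on a BAS interface, and the gap it leaves when the MAC address in the DHCP packet differs
from the Ethernet source address, which dhcp check chaddr closes.

Assumptions: the mask semantics (a 1 bit in the mask means that bit is compared) and the
handling of an ACL mixing permit and deny rules are assumptions; the DHCP payloads are
constructed, with only the fields this check reads."""

HLEN_OFFSET = 2      # hardware address length in the BOOTP header
CHADDR_OFFSET = 28   # client hardware address in the BOOTP header


def mac(text):
    """Parse Huawei 'aabb-ccdd-eeff' or 'aa:bb:cc:dd:ee:ff' notation into 6 bytes."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("bad MAC address: %r" % text)
    return raw


def mac_matches(candidate, rule_mac, rule_mask):
    """rule source-mac rule_mac rule_mask: compare only the bits set in the mask."""
    return all((c & m) == (r & m) for c, r, m in zip(candidate, rule_mac, rule_mask))


def acl_admits(acl, source_mac):
    """acl is None (referenced ACL does not exist) or a list of (action, mac, mask) tuples
    in configuration order.  Per the page: a missing or empty ACL filters nobody; a matching
    permit admits, a matching deny rejects; with no match, a deny-only ACL admits and an ACL
    that contains permit rules rejects (mixed ACLs: assumption)."""
    if not acl:
        return True
    for action, rule_mac, rule_mask in acl:
        if mac_matches(source_mac, rule_mac, rule_mask):
            return action == "permit"
    return not any(action == "permit" for action, _, _ in acl)


def discover_with_chaddr(chaddr):
    """Constructed minimal DHCPv4 payload: op/htype/hlen/hops, 24 zero bytes up to
    chaddr, then chaddr padded to 16 bytes (options omitted; this check never reads them)."""
    return b"\x01\x01\x06\x00" + b"\0" * 24 + chaddr.ljust(16, b"\0")


def chaddr_consistent(eth_src, dhcp_payload):
    """What dhcp check chaddr enforces: the hardware address inside the DHCP message must
    equal the Ethernet source MAC of the frame that carried it."""
    hlen = dhcp_payload[HLEN_OFFSET]
    chaddr = dhcp_payload[CHADDR_OFFSET:CHADDR_OFFSET + hlen]
    return hlen == 6 and chaddr == eth_src


def admit_dhcp_user(eth_src, dhcp_payload, acl, check_chaddr=True):
    """Admission decision.  filter-policy acl matches the chaddr carried in the DHCP packet,
    not the Ethernet header, so without check_chaddr a client can present a permitted
    chaddr from any Ethernet source address."""
    chaddr = dhcp_payload[CHADDR_OFFSET:CHADDR_OFFSET + 6]
    if check_chaddr and not chaddr_consistent(eth_src, dhcp_payload):
        return False, "chaddr differs from Ethernet source"
    if not acl_admits(acl, chaddr):
        return False, "denied by filter-policy acl"
    return True, "admitted"


def scenario():
    """ACL 4000 permits only the 00e0-fc prefix; one legitimate client, one that spoofs a
    permitted chaddr from a foreign Ethernet address, one outside the permitted prefix."""
    acl_4000 = [("permit", mac("00e0-fc00-0000"), mac("ffff-ff00-0000"))]
    cases = {
        "legitimate": (mac("00e0-fc00-0001"), mac("00e0-fc00-0001")),
        "spoofed_chaddr": (mac("0011-2233-4455"), mac("00e0-fc00-0002")),
        "outside_prefix": (mac("0011-2233-4455"), mac("0011-2233-4455")),
    }
    return {name: {"acl_only": admit_dhcp_user(src, discover_with_chaddr(ch), acl_4000,
                                               check_chaddr=False),
                   "acl_and_check_chaddr": admit_dhcp_user(src, discover_with_chaddr(ch),
                                                           acl_4000)}
            for name, (src, ch) in cases.items()}


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

The spoofed_chaddr case is the one the NOTE warns about: the ACL alone admits it because it only sees the permitted chaddr. The consistency check ties the admission decision to the address the frame actually came from; a client that forges both the Ethernet source and the chaddr is outside what this page's filter addresses.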


9.6.4 (Optional) Enabling One-to-Many Mapping Between One


MAC Address and Many Sessions

Context
When the NE40E functions as a BRAS or DHCP server, it can assign IP addresses only to
IPoE users with different MAC addresses. If you want the NE40E to assign IP addresses to
users with the same MAC address, configure one-to-many mapping between one MAC
address and many sessions. These users with the same MAC address must have different
VLAN IDs or interface numbers, and different circuit IDs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipoe-server multi-sessions per-mac enable
One-to-many mapping between one MAC address and many sessions is enabled for IPoE
users to allow the NE40E to assign IP addresses to IPoE users with the same MAC address.
Step 3 Run commit
The configuration is committed.

----End

9.6.5 (Optional) Configuring Flexible Access to VPNs


The BRAS can identify service priorities from the 802.1p values of service packets and
forward the packets to the corresponding VPNs.

Context
On the network shown in Figure 9-2, service packets carry 802.1p values to identify their
priorities. The BRAS can identify service priorities based on the 802.1p values of received
Layer 2 service packets and transmit the service packets to corresponding VPNs. To allow
this, enable a BAS interface to transmit packets to different VPNs based on 802.1p priorities
of the packets and also bind VPN instances to different 802.1p priorities.


Figure 9-2 Flexible access to VPNs (diagram; only the labels were recoverable from the page)

HSI, VoIP, and iTV service packets reach the BRAS through a Layer 2 network carrying 802.1p
values 1, 2, and 3; the BRAS maps them to VPN1, VPN2, and VPN3 respectively. An AAA/DHCP
server is attached to the BRAS.

Perform the following steps on the BRAS:


1. Create a VPN instance. (Both user and service VPN instances must be configured.)
2. Create a local address pool.
3. Configure a user domain.
4. Configure a user access interface.
5. Configure a network-side ACL and define redirection for the ACL.
6. Configure a network-side interface.

Procedure
Step 1 Create a VPN instance. (Both user and service VPN instances must be configured.)
1. Run system-view
The system view is displayed.
2. Run ip vpn-instance vpn-instance-name
A VPN instance is created, and the VPN instance view is displayed.
3. Run ipv4-family
The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4
address family view is displayed.
4. Run route-distinguisher route-distinguisher
An RD is configured for the VPN instance IPv4 address family.
5. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-
extcommunity ]
VPN targets are configured for the VPN instance IPv4 address family.
6. Run quit
Return to the VPN instance view.
7. Run quit


Return to the system view.


Step 2 Create a local address pool.
1. Run ip pool pool-name [ bas { local [ rui-slave ] | remote [ overlap | rui-slave ] |
dynamic } ]
An address pool is created.
2. Run vpn-instance vpn-instance-name
A VPN instance is specified for the address pool.
The VPN instance specified for the address pool must be the user VPN instance
configured in Step 1.
3. Run gateway ip-address { mask | mask-length }
The gateway IP address and subnet mask are configured for the address pool.
4. Run section section-num start-ip-address [ end-ip-address ]
An address segment is configured for the address pool.
5. Run import vpn-instance vpn-instance-name
A VPN instance is imported to the address pool.
The VPN instance imported to the address pool must be the service VPN instance
created in Step 1.
6. Run quit
Return to the system view.
Step 3 Configure a user domain.
1. Run aaa
The AAA view is displayed.
2. Run domain domain-name
A domain is created, and the domain view is displayed.
3. Run authentication-scheme authentication-scheme-name
An authentication scheme is configured for the domain.
4. Run accounting-scheme accounting-scheme-name
An accounting scheme is configured for the domain.
5. Run ip-pool pool-name
An address pool is bound to the domain.
6. Run quit
Return to the AAA view.
7. Run quit
Return to the system view.
Step 4 Configure a user access interface.
1. Run interface interface-type interface-number.subinterface-number
A sub-interface is created, and the sub-interface view is displayed.


2. Run user-vlan { start-vlan-id [ end-vlan-id ] [ qinq start-pe-vlan [ end-pe-vlan ] ] }

A user-VLAN sub-interface is configured.


3. Run 802.1p 802.1p-priority binding vpn-instance vpn-instance-name

A VPN instance is bound to an 802.1p priority.

The VPN instance bound to the 802.1p priority must be the service VPN instance created
in Step 1.
NOTE

The binding between VPN instances and 802.1p priorities cannot be modified or deleted if the
BAS interface has online users.
4. Run quit

Return to the sub-interface view.


5. Run bas

The sub-interface is configured as a BAS interface, and the BAS interface view is
displayed.
6. Run access-type layer2-subscriber [ default-domain { authentication [ force |
replace ] dname | pre-authentication predname } * | bas-interface-name bname |
accounting-copy radius-server rd-name ] *

The access type of the BAS interface is configured as Layer 2 subscriber access.
7. Run authentication-method { bind | { fast | web } }

An authentication method is configured for the BAS interface.


8. Run 802.1p-to-vpn

The BAS interface is enabled to transmit packets to different VPNs based on the 802.1p
priorities of the packets.
9. Run quit

Return to the sub-interface view.


10. Run quit

Return to the system view.

Step 5 Configure a network-side ACL and define redirection for the ACL.
1. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } |
[ number ] basic-acl-number } [ match-order { config | auto } ]

A basic ACL is created.


2. Run rule [ rule-id ] { deny | permit } [ fragment-type { fragment | non-fragment |
non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address
{ source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance
vpn-instance-name | vpn-instance-any ] ] *

A rule is created for the ACL.


3. Run quit

Return to the system view.


4. Run vpn-group vpn-group-name [ vpn-instance vpn-name [ vpn-name ] &<1-8> ]


A VPN group is created, and a VPN instance is added to the VPN group.
The VPN instance added to the VPN group must be the user VPN instance created in
Step 1.
5. Run traffic behavior behavior-name
A traffic behavior is configured, and the traffic behavior view is displayed.
6. Run redirect vpn-group vpn-group-name
Packet redirection to a specified VPN group is configured.
The VPN group to which packets are redirected must be the one created in sub-step 4 of this step.
7. Run quit
Return to the system view.
8. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is configured, and the traffic classifier view is displayed.
9. Run if-match acl acl { acl-number | name acl-name }
An IPv4 ACL is specified for MF classification.
10. Run quit
Return to the system view.
11. Run traffic-policy policy-name
A traffic policy is configured.
12. Run share-mode
The shared mode is specified for the traffic policy.
13. Run classifier classifier-name behavior behavior-name [ precedence precedence-
value ]
A traffic behavior is specified for a traffic classifier in the traffic policy.
14. Run quit
Return to the system view.
Step 6 Configure a network-side interface.
1. Run interface interface-type interface-number.subinterface-number
A sub-interface is created, and the sub-interface view is displayed.
2. Run vlan-type dot1q vlanid { 8021p { 8021p-value1 [ to 8021p-value2 ] } &<1-8> |
dscp { dscp-value1 [ to dscp-value2 ] } &<1-10> | default | eth-type pppoe }
The dot1q VLAN type is configured for the sub-interface.
3. Run ip binding vpn-instance vpn-instance-name
A VPN instance is bound to the sub-interface.
The VPN instance bound to the sub-interface must be the service VPN instance created
in Step 1.
4. Run ip address ip-address { mask | mask-length }
An IP address is configured for the sub-interface.


5. Run traffic-policy policy-name { inbound | outbound }


The traffic policy is applied to the sub-interface.

----End

9.6.6 Verifying the IPoE Access Service Configuration


After configuring IPoE access, you can view information about the IPoE access service.

Procedure
l Run the display access-user command to check information about online users. To view
information about specific users, you can configure parameters in the command to
specify users.
l Run the display web-auth-server configuration command to check the configuration of
the Web authentication server.
l Run the display domain command to check the configuration of the domain.
l Run the display acl command to check the configuration of the ACL.
l Run the display interface command to check the status of the VE interface.
----End

Example
Run the display access-user command. If the IPoE access service is configured successfully,
you can view information about all access users.
<HUAWEI> display access-user
------------------------------------------------------------------------------
Total users : 9
IPv4 users : 9
IPv6 users : 0
Dual-Stack users : 0
Lac users : 0
RUI local users : 0
RUI remote users : 0
Wait authen-ack : 0
Authentication success : 9
Accounting ready : 9
Accounting state : 0
Wait leaving-flow-query : 0
Wait accounting-start : 0
Wait accounting-stop : 0
Wait authorization-client : 0
Wait authorization-server : 0
------------------------------------------------------------------------------
Domain-name Online-user
------------------------------------------------------------------------------
default0 : 0
default1 : 0
default_admin : 0
wq : 0
chen : 0
isp7 : 0
gaoli : 0
ly : 0
test : 0
lsh : 9
------------------------------------------------------------------------------
The used CID table are :
20-28
------------------------------------------------------------------------------


After the configuration is complete, you can run the display web-auth-server configuration
command to view the configuration of the Web authentication server.
<HUAWEI> display web-auth-server configuration
Source interface : -
Listening port : 2000
Portal : version 1, version 2, version 3
Display reply message : enabled
------------------------------------------------------------------------
Server Share-Password Port NAS-IP Vpn-instance
------------------------------------------------------------------------
192.168.3.140 ****** 50100 NO
------------------------------------------------------------------------
1 Web authentication server(s) in total

After the configuration is complete, you can run the display acl command to view the
configuration of the ACL.
<HUAWEI> display acl 3100
Advanced ACL 3100, 3 rules,
rule 0 permit icmp (2 times matched)
rule 1 permit ip source 10.1.1.1 0 destination 10.2.2.2 0 (0 times matched)
rule 2 permit tcp source 10.110.0.0 0.0.255.255 (0 times matched)

After the configuration is complete, you can run the display interface command to view the
status of the VE interface.
<HUAWEI> display interface virtual-ethernet 1/0/0
Virtual-Ethernet1/0/0 current state : UP
Line protocol current state : UP
Last up time: 2007-11-17, 17:23:43
Description:Virtual-Ethernet81/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.0.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc97-a4ab

9.7 Configuring IPoEv6 Access Services


IPoEv6 access users can access the Internet by sending packets without dialing up. Therefore,
dial-up software does not need to be installed on the client.

Context
IPoEv6 access refers to a packet-triggering access mode in which users access the NE40E by
using DHCPv6, ND, or IPv6 packets.

IPoEv6 access services include IPoEv6, IPoEoVLANv6, and IPoEoQv6 services. These
services differ in terms of the protocol stack. In IPoEv6 access mode, users can directly access
the Internet using Web browsers, without having to install client dial-up software on their
PCs.

The service models of different carriers may differ, and the operating modes of home
gateways may also differ on a broadband access network. A home gateway may operate in
bridging mode, numbered routing mode, or unnumbered routing mode.

Pre-configuration Tasks
Before configuring the IPoEv6 access service, complete the following tasks:

l Loading the BRAS license (For details, see the HUAWEI NE40E-M2 Series Universal
Service Router Configuration Guide-System Management.)

l 6.5 Configuring AAA Schemes to configure authentication, authorization, and
accounting schemes
l 6.6 Configuring RADIUS, based on the protocol used by the AAA schemes
l 6.5.6 Configuring an AAA Scheme for a Domain to bind authentication, authorization,
and accounting schemes to the user domain
l 6.9.1 Configuring Servers for a Domain to bind a RADIUS or HWTACACS server to
the user domain
l Enabling IPv6 on the device as well as interfaces and configuring IPv6 addresses (link-local
addresses for Layer 2 access) on IPv6 interfaces
NOTE

If the link-local address is deleted or IPv6 is disabled either from an interface or globally, IPv6 on the
BAS interface goes Down, and IPv4/IPv6 dual-stack users who access the BAS interface are logged out.

9.7.1 Configuring an Authentication Mode


This section describes several authentication modes, which can be chosen based on
networking requirements.

Context
NOTE

IPv4 and IPv6 authentication modes (bind authentication) for an IPv4/IPv6 dual-stack user must be the
same.
l Bind authentication
For configuration details, see 9.5.2 Configuring Binding Authentication.
DHCPv4 options are used in bind authentication mode on an IPv4 network. If the
network is upgraded to an IPv6 network, using the DHCPv6 protocol to allocate IPv6
addresses is recommended. Authentication information can be added to DHCPv6
options, remaining unchanged after the network is upgraded from IPv4 to IPv6.

9.7.2 Configuring an Address Allocation Mode


The address allocation modes supported by the NE40E include NDRA, DHCPv6(IA_NA),
DHCPv6(IA_PD), DHCPv6(IA_NA)+PD(IA_PD), and NDRA+DHCPv6(IA_PD). One of
them can be configured based on networking conditions.

Context
The address allocation mode varies according to the CPE working mode. For details, see the
following table.

CPE Working Mode         Scenario                                                     IPv6 Address Configuration Mode
Bridging mode            The host initiates a connection request. The CPE            NDRA
                         transparently forwards the user request packet, and         DHCPv6(IA_NA)
                         the NE40E allocates an IPv6 address to the host.
Unnumbered routing mode  The CPE initiates a connection request. After receiving     DHCPv6(IA_PD)
                         the request, the NE40E allocates a prefix to the CPE to
                         generate IPv6 addresses for the hosts attached to the CPE.
Numbered routing mode    The CPE initiates a connection request. After receiving     DHCPv6(IA_NA)+PD(IA_PD)
                         the request, the NE40E allocates an IPv6 address to the     NDRA+DHCPv6(IA_PD)
                         WAN interface on the CPE and a prefix to generate IPv6
                         addresses for the hosts attached to the CPE.

NOTE

l Layer 3 users of a leased line obtain their addresses from the access router. The NE40E is in charge
of only authentication and accounting, not address allocation.

If an IPv4 network is upgraded to an IPv6 network, the CPE working mode and authentication
mode do not need to be changed unless there are special service requirements. In PPP
authentication mode, either ND or DHCPv6 can be used for address authentication. In bind
authentication mode, using DHCPv6 for address allocation is recommended. In 802.1X or
web authentication mode, using DHCPv6 for address allocation is recommended if user
terminals support ND+PD. The IPv6 addresses assigned using ND to the WAN interfaces on
CPEs can be used to communicate with the BRAS, while prefixes assigned using PD allow
CPEs to generate IPv6 addresses for the attached terminals. By default, the assigned PD
addresses and the IPv6 addresses assigned using ND are released at the same time. To allow a
device to release only the assigned PD addresses and not the IPv6 addresses assigned using
ND for communicating with CPEs, you can configure the device to separately release PD
addresses for IPoE users.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name

The AAA domain view is displayed.

Step 4 Run ipv6 pd-address-release separate user-type ipoe

The device is enabled to release only the assigned PD addresses in scenarios where CPEs
work in numbered routing mode.

Step 5 Run commit


The configuration is committed.

----End

9.7.3 Binding a Sub-interface to a VLAN


The NE40E processes received tagged user packets from different types of users in different
manners to ensure that different types of packets are properly forwarded.

Context
If users access the network by using a sub-interface, the sub-interface needs to be bound to a
VLAN.

You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding
a sub-interface to a VLAN, you need the following parameters:

l Sub-interface number
l VLAN ID
l QinQ ID
NOTE

l On each main interface, you can set the any-other parameter on only one sub-interface. On one
sub-interface, any-other cannot be set together with start-vlan or qinq.
l If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a
sub-interface, the user-vlan cannot be configured on this sub-interface.
l Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.

Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number.subinterface-number

A sub-interface is created and the sub-interface view is displayed.

Step 3 For Layer 2 subscriber access, run user-vlan { start-vlan [ end-vlan ] [ dot1q start-qinq-id [ end-qinq-id ] ] | any-other }

A user-side VLAN is created.

For Layer 3 subscriber access, run vlan-type dot1q vlan-id

A user-side VLAN is created.

Step 4 Run commit

The configuration is committed.

----End


9.7.4 Configuring a BAS Interface


When an interface is used for broadband access, you need to configure it as a BAS interface,
and then specify the user access type and attributes for the interface.

Context
When configuring a BAS interface, you need the following parameters:
l BAS interface number
l Access type and authentication scheme
l (Optional) Maximum number of users that are allowed access through the BAS interface
and maximum number of users that are allowed access through a specified VLAN
l (Optional) Default domain, roaming domain, and domains that users are allowed to
access
l (Optional) Whether to enable the functions of proxy ARP, DHCP broadcast, accounting
packet copy, IP packet trigger-online, and user-based multicast replication
l (Optional) Whether to trust the access-line-id information reported by clients, user
detection parameters, VPN instances of non-PPP users, and BAS interface name
Perform the following steps on the NE40E:

NOTE

l The new password is at least eight characters long and contains at least two of the following:
upper-case letters, lower-case letters, digits, and special characters.
l For security purposes, you are advised to configure a password in ciphertext mode and periodically
change the password.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.

NOTE
In scenarios with BRAS access through L2VPN termination, run the ve-group ve-group-id l2-terminate
command to configure the VE interface as an L2VE interface to terminate an L2VPN and bind the
interface to a VE group. In scenarios with BRAS access through L3VPN termination, run the ve-group
ve-group-id l3-terminate command to configure the VE interface as an L3VE interface to terminate an
L3VPN and bind the interface to a VE group. The preceding commands are configured in the VE
interface view. Only Layer 3 static user access is supported in scenarios with BRAS access through
L3VPN termination. For details, see Example for Configuring BRAS Access Through L3VPN
Termination.

Step 3 Run bas

A BAS interface is created, and the BAS interface view is displayed.
You can configure an interface as the BAS interface by running the bas command in the
interface view. You can configure an Ethernet interface or its sub-interface, a VE interface or
its sub-interface, an ATM interface or its sub-interface, or an Eth-Trunk interface or its
sub-interface as a BAS interface.


Step 4 Run access-type layer2-subscriber [ default-domain { [ authentication [ force | replace ] dname ] [ pre-authentication predname ] } ]

The access type is set to Layer 2 subscriber access and the attributes of this access type are
configured.

Or run access-type layer3-subscriber [ default-domain { [ pre-authentication predname ] authentication [ force | replace ] dname } ]

The access type is set to Layer 3 subscriber access and the attributes of this access type are
configured.

When setting the access type on the BAS interface, you can set the service attributes of the
access users at the same time. You can also set these attributes in later configurations.

When configuring Layer 3 subscriber access, you can run the layer3-subscriber start-ip-address
end-ip-address [ vpn-instance instance-name ] domain-name domain-name command and the
layer3-subscriber ip-address any domain-name domain-name command in the system view to
specify an IP address segment and authentication domain name.

The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk
interface. You can configure the access type of such an Ethernet interface only on the
associated Eth-Trunk interface.

When configuring static routes for Layer 3 users, specify the next hop as the user IP address
and do not specify the outbound interface. Otherwise, network-to-user traffic may fail to be
forwarded.

Run access-type layer2-leased-line user-name uname password { cipher password | simple password } [ bas-interface-name bname | default-domain authentication dname | accounting-copy radius-server rd-name | nas-port-type { async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 } ] *

The access type is set to Layer 2 leased line access and the attributes of this access type are
configured.

Run access-type layer3-leased-line { user-name uname | user-name-template } password { cipher password | simple password } [ default-domain authentication dname | bas-interface-name bname | accounting-copy radius-server rd-name | nas-port-type { async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 } | mac-address mac-address | client-id client-id ] *

The access type is set to Layer 3 leased line access and the attributes of this access type are
configured.

If there is an online user on the BAS interface, you can change the access type on the interface
only when the online user is a leased line user.

After the access type is set to leased line access, the NE40E performs authentication on the
leased line users immediately.

Step 5 (Optional) Run access leased-line connection chasten request-session request-period blocking-period quickoffline

Suppression of leased line user access is enabled.


If the duration or traffic volume quota delivered by the RADIUS server to a leased line user is
0, the leased line user can go online but will go offline immediately. This results in frequent
login and logout of leased line users.
The command can be run to configure the maximum number of connection requests allowed,
the interval at which connection requests can be sent, and a blocking period.
Step 6 (Optional) Run trust 8021p-protocol
The 802.1p priority of user packets is set to be trusted.
The trust 8021p-protocol command can be configured only when the access type is set to
Layer 2 subscriber access.
Step 7 (Optional) Run access-limit number [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-vlan ] [ user-type { ipoe | pppoe } ] ]
The number of users that are allowed access through the interface is configured.
l If the access-limit command is configured on a sub-interface enabled with BAS, the
number of VLAN users that access the sub-interface is limited.
l If the access-limit command is configured on a main interface enabled with BAS and the
VLAN range is not specified in the command, the total number of VLAN users that
access the main interface is limited. Note that the configuration of access-limit on a
sub-interface takes precedence over that on the corresponding main interface.
l You can also specify the user-type parameter to limit the maximum number of access
users based on access types.
Step 8 (Optional) Run default-domain pre-authentication domain-name
The default pre-authentication domain is specified.
l Or run default-domain authentication [ force | replace ] domain-name
The default authentication domain is specified.
l Or run permit-domain domain-name &<1-16>
The domain that users are allowed to access is specified.
l Or run deny-domain domain-name &<1-16>
The domain that users are denied access to is specified.
The permit-domain command cannot be configured together with the deny-domain
command, deny-domain-list command, or permit-domain-list command on a BAS
interface.
l Or run permit-domain-list
The list of domains whose users are allowed access is specified.
l Or run deny-domain-list
The list of domains whose users are denied access is specified.
Step 9 (Optional) Run client-option82 [ { basinfo-insert { cn-telecom | version3 } | version1 } ]
The NE40E is configured to trust the access-line-id information reported by clients.
Or run basinfo-insert cn-telecom
The NE40E is configured to insert the access-line-id information in the format defined by
China Telecom instead of trusting the access-line-id information reported by clients.


Or run basinfo-insert version2
The NE40E is configured to insert the access-line-id information in the format defined by
version2 instead of trusting the access-line-id information reported by clients.
The Router will parse and transmit access-line-id information based on the following
configurations:
l Run the option82-relay-mode dslam { auto-identify | config-identify } command to
allow the Router to extract information from the access-line-id field in the packet sent
from the DSLAM and add the information to Agent-CircuitID and Agent-RemoteID
attributes sent to the RADIUS server. Or run the option82-relay-mode include
{ allvalue | { agent-circuit-id | agent-remote-id [ separator ] } * } command to allow
the NAS-Port-Id attribute sent to the RADIUS server to contain access-line-id
information.
l Run the option82-relay-mode subopt { agent-circuit-id { hex | string } | agent-remote-id
{ hex | string } } command to configure the format of Agent-CircuitID or
Agent-RemoteID information.
Or run vbas vbas-mac-address [ auth-mode { ignore | reject } ]
The function of locating a user through the virtual BAS (VBAS) is enabled.
Step 10 (Optional) Run client-option60
The Router is configured to trust the Option 60 information reported by clients.
If user domain information is obtained from the Option 60 information, the character string
following the domain name delimiter (defaulting to @) in the Option 60 field is used as the
domain name. If no user domain information is obtained from the Option 60 information, the
Router performs the following procedure to continue searching for the information. If there is
no domain name delimiter in the field, the Router performs a fuzzy or exact match of the
domain name information based on the configured mode. The procedure will stop if user
domain information is obtained.
1. Check whether the client-option60 command is configured on the BAS interface. If the
command is configured, obtain user domain information from the command
configuration.
2. Check whether the dhcp option-60 command is configured in the system view. If the
command is configured, obtain user domain information from the command
configuration.
3. Use the authentication domain configured on the BAS interface as the user domain.
Step 11 (Optional) Run option37-relay-mode include remote-id
The DHCP6ACC component is enabled to remove enterprise number information from
Option 37 in a Solicit or Request message to be sent to the UM component.
The following operations must have been performed:
l Run the client-option37 [ basinfo-insert ft-telecom ] command to enable the NE40E to
trust the information in the Option 37 field of DHCPv6 messages sent by clients.
l Run the client-option18 command to enable the server to trust the information in the
Option 18 field of DHCPv6 messages sent by clients.
Step 12 (Optional) Run accounting-copy radius-server radius-name
The accounting packet copy function is enabled.


Step 13 (Optional) Run link-account resolve

An accounting request packet that the NE40E sends to a RADIUS server is allowed to carry
the link-account attribute.

Before running the command, set the access type to Layer 2 subscriber access.

The command affects the RADIUS No. 25 attribute in accounting request packets sent by the
NE40E to a RADIUS accounting server.

An interface fills the link-account information in the RADIUS No. 25 attribute class if both
of the following conditions are met:
l Users getting online from the interface do not need to be authenticated, and RADIUS
accounting is configured on the interface.
l For common Layer 2 users, VLANs and VLAN descriptions are configured on the
interface.

Step 14 Perform the following configurations by service type:

l For IPoE access services:
Run the ip-trigger command to enable user access triggered by IP packets. Or run the
arp-trigger command to enable user access triggered by ARP packets.
l For IPoEv6 access services:
Run the ipv6-trigger command to enable user access triggered by IPv6 packets. Or run
the nd-trigger command to enable user access triggered by NS/NA packets.

Step 15 (Optional) Run wlan-switch enable [ switch-group switch-group-name ]

WLAN user roaming switchover is enabled.

After WLAN user roaming switchover is enabled on a BAS interface, you need to configure
the interface to use received user packets to trigger roaming procedures for WLAN users.
Perform the following configurations based on the actual roaming scenarios:
l If users do not pass through Wi-Fi blind spots when roaming between different APs, run
either the ip-trigger or arp-trigger command or both to configure the interface to
trigger roaming procedures for the WLAN users based on the received IP or ARP
packets, or run the ipv6-trigger command to configure the interface to trigger roaming
procedures for Layer 2 IPv6 users based on the received IPv6 packets.
l If users pass through Wi-Fi blind spots when roaming between different APs, run the
dhcp session-mismatch action roam { ipv4 | ipv6 } * command to configure the
interface to allow users to send DHCPv4 Discover or Request messages or DHCPv6
Solicit messages to re-log in.
NOTE

– The dhcp session-mismatch action roam { ipv4 | ipv6 } * and dhcp session-mismatch
action offline commands override one another. If the two commands are run on the same
interface, the command run later takes effect.
– The dhcp session-mismatch action roam { ipv4 | ipv6 } * command can be configured
together with the ip-trigger, the arp-trigger and the ipv6-trigger commands.

After the preceding steps are performed, WLAN users do not need to be re-authenticated for
login after being logged out when roaming between different APs. This ensures that services
are not interrupted.


Step 16 (Optional) Run user detect retransmit num interval time [ no-datacheck ] or user detect
no-datacheck
User detection parameters are configured.
Step 17 (Optional) Run dhcp session-mismatch action offline
Online users whose physical location information is changed but MAC addresses remain
unchanged are logged out when they resend DHCP or ND login requests.

Step 18 (Optional) Run block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any
qinq start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ]
The BAS interface is blocked.

Step 19 Run authentication-method { bind | { ppp } * }

The authentication mode is configured.
You can set the authentication mode for only Layer 2 users on the BAS interface. Multiple
authentication modes can be configured on an interface but you should note the following:
l Bind authentication conflicts with other authentication modes.
Step 20 (Optional) Run dhcp-reply trust broadcast-flag
The device is enabled to use the broadcast flag value in a DHCP request packet to determine
the destination MAC address type for a DHCP response packet.

NOTE

After the dhcp-reply trust broadcast-flag command is run, if the broadcast flag value in a DHCP
request packet is 1, the device replies with a DHCP response packet that carries the broadcast address of
all Fs as the destination MAC address; if the broadcast flag value in a DHCP request packet is 0, the
device replies with a DHCP response packet that carries the user MAC address as the destination MAC
address.
The dhcp-reply trust broadcast-flag command applies only to Layer 2 access users.
The dhcp-reply trust broadcast-flag command is mutually exclusive with the dhcp-broadcast
command.

Step 21 (Optional) Run dhcpv6 user-identify-policy { option79-option38 | option38-option79 | option79 | option38 } [ no-exist-action offline ]

A method is configured for obtaining MAC addresses of Layer 3 DHCPv6 users during login.
Step 22 Run commit
The configuration is committed.

----End
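Sections 9.7.2, 9.7.3 and 9.7.4 above are, in practice, one configuration sequence: separate PD release in the user domain, a user-side VLAN on the access sub-interface, and then the BAS interface itself. The transcript below is an added worked example, not taken from this guide, that strings those steps together for Layer 2 IPoEv6 users whose CPEs work in numbered routing mode. The interface GigabitEthernet0/1/0.100, VLAN 100, domain isp1, the user limit 2000 and the detection timers are assumed values, the prompts are illustrative, and lines beginning with # are annotations rather than commands.

```text
# Added example (not from this guide). Lines beginning with # are annotations.
# Interface, VLAN, domain name, user limit and timers are assumed values.

# 9.7.2: release only the PD prefix when an IPoE user in domain isp1 goes
# offline, so the ND-assigned WAN address of a numbered-routing CPE stays up.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-isp1] ipv6 pd-address-release separate user-type ipoe
[*HUAWEI-aaa-isp1] commit
[~HUAWEI-aaa-isp1] quit
[~HUAWEI-aaa] quit

# 9.7.3: create the access sub-interface and bind it to user-side VLAN 100
# (Layer 2 subscriber access uses user-vlan, not vlan-type dot1q).
[~HUAWEI] interface GigabitEthernet0/1/0.100
[*HUAWEI-GigabitEthernet0/1/0.100] user-vlan 100
[*HUAWEI-GigabitEthernet0/1/0.100] commit

# 9.7.4: turn the sub-interface into a BAS interface for Layer 2 IPoEv6 users.
[~HUAWEI-GigabitEthernet0/1/0.100] bas
# Step 4: Layer 2 subscriber access, users authenticated in domain isp1.
[*HUAWEI-GigabitEthernet0/1/0.100-bas] access-type layer2-subscriber default-domain authentication isp1
# Step 19: bind authentication (must match the IPv4 mode for dual-stack users).
[*HUAWEI-GigabitEthernet0/1/0.100-bas] authentication-method bind
# Step 7: cap the user count on this sub-interface so a burst of new sessions
# cannot exhaust the user table of the whole main interface.
[*HUAWEI-GigabitEthernet0/1/0.100-bas] access-limit 2000
# Step 14: let IPv6 packets trigger user access for the IPoEv6 service.
[*HUAWEI-GigabitEthernet0/1/0.100-bas] ipv6-trigger
# Step 16: probe silent users 3 times at 30-second intervals before logout.
[*HUAWEI-GigabitEthernet0/1/0.100-bas] user detect retransmit 3 interval 30
# Step 17: a user whose physical location changed but whose MAC did not is
# logged out when it resends a DHCP or ND login request.
[*HUAWEI-GigabitEthernet0/1/0.100-bas] dhcp session-mismatch action offline
[*HUAWEI-GigabitEthernet0/1/0.100-bas] commit

# 9.7.6: confirm the sub-interface is listed as a Layer2-subscriber BAS interface.
[~HUAWEI-GigabitEthernet0/1/0.100-bas] display bas-interface
```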

9.7.5 (Optional) Enabling One-to-Many Mapping Between One MAC Address and Many Sessions

Context
When the NE40E functions as a BRAS or DHCP server, it can assign IP addresses only to
IPoE users with different MAC addresses. If you want the NE40E to assign IP addresses to
users with the same MAC address, configure one-to-many mapping between one MAC
address and many sessions. These users with the same MAC address must have different
VLAN IDs or interface numbers, and different circuit IDs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ipoe-server multi-sessions per-mac enable
One-to-many mapping between one MAC address and many sessions is enabled for IPoE
users to allow the NE40E to assign IP addresses to IPoE users with the same MAC address.
Step 3 (Optional) Run dhcpv6-server replace client-duid
The NE40E that functions as a DHCPv6 relay agent is configured to replace the client DUID
in a DHCPv6 message sent from a client with the one it generates for that client before
sending the message to a server.
This command is required for uniquely identifying clients if they have the same client DUID.
Step 4 Run commit
The configuration is committed.

----End

9.7.6 Verifying the IPoEv6 Access Service Configuration


After configuring the IPoEv6 access service, you can view the IPoEv6 access configurations.

Procedure
l Run the display access-user command to check information about online users. To view
information about specific users, you can configure parameters in the command to
specify users.
l Run the display bas-interface command to check BAS interface configurations.
l Run the display dhcp upgrade command to check the lease configuration for DHCPv6
users to determine the time when the device restarts.
l Run the display vendor-class dhcpv6 command in the system view to check the
mapping between the vendor-class attribute and a DHCPv6 option as well as the
configured offset value.
----End

Example
Run the display access-user command. If the IPoEv6 access service is configured
successfully, you can view information about all access users.
<HUAWEI> display access-user
------------------------------------------------------------------------------
Total users : 9
IPv4 users : 9
IPv6 users : 0
Dual-Stack users : 0
Lac users : 0
RUI local users : 0
RUI remote users : 0
Wait authen-ack : 0
Authentication success : 9
Accounting ready : 9
Accounting state : 0
Wait leaving-flow-query : 0
Wait accounting-start : 0
Wait accounting-stop : 0
Wait authorization-client : 0
Wait authorization-server : 0
------------------------------------------------------------------------------
Domain-name Online-user
------------------------------------------------------------------------------
default0 : 0
default1 : 0
default_admin : 0
wq : 0
chen : 0
isp7 : 0
gaoli : 0
ly : 0
test : 0
lsh : 9
------------------------------------------------------------------------------
The used CID table are :
20-28
------------------------------------------------------------------------------

Run the display bas-interface command to view the BAS interface configurations.
<HUAWEI> display bas-interface
---------------------------------------------------------------------------
Interface BASIF-access-type config-state access-number
---------------------------------------------------------------------------
Eth-Trunk0 Layer2-subscriber Updated 0
Eth-Trunk0.1 Layer2-subscriber Updated 1
Eth-Trunk0.1234 Layer2-subscriber Updated 0
----------------------------------------------------------------------
Total 3 BASIF is configured

Run the display dhcpv6 upgrade command to view the lease configuration for DHCPv6 users
and determine the time when the device restarts.
<HUAWEI> display dhcpv6 upgrade
DHCPv6 upgrade: enable.
Preferred lifetime: 0days 0hours 30minutes
Valid lifetime: 0days 1hours 0minutes
Renew time percent: 50%
Rebind time percent:80%
Renew time: 0days 0hours 15minutes
Rebind time: 0days 0hours 24minutes
Access DHCPv6 user count of new lifetime: 100
Access DHCPv6 user count of old lifetime: 100
Access DHCPv6 user count of infinite lifetime: 10
Max interval from current for old lifetime DHCPv6 user renew: 0days 0hours
15minutes

Run the display vendor-class dhcpv6 command in the system view to view the mapping
between the vendor-class attribute and a DHCPv6 option as well as the configured offset
value.
<HUAWEI> display vendor-class dhcpv6
Vendor-class DHCPv6: enable.
DHCPv6 option code: 17.
DHCPv6 offset : 4


9.8 Maintaining IPoE Access


Maintaining BRAS access includes monitoring the operating status of the BRAS, clearing the
statistics about login and logout users, and debugging in the case of failures.

9.8.1 Displaying BRAS Access Information


You can view BRAS access information, including user login and logout records.

Context
After the preceding configurations, run the following display commands in any view to check
the BRAS configurations.

Procedure
Step 1 Run the display web-auth-server configuration command to check the configuration of the
Web authentication server.
Step 2 Run the display bas-interface command to check the configuration of the BAS interface.

Step 3 Run the display aaa online-fail-record command to check the login failure records.

Step 4 Run the display aaa offline-record command to check the logout records.

Step 5 Run the display aaa abnormal-offline-record command to check the abnormal logout
records.
Step 6 Run the display call rate command to check the total call put-through rate for all types of
users.
Step 7 Run the display access-user command in any view to check information about online users.
The protocol-statistics enable command run in the AAA view enables statistics about
protocol packets, including ND, PPPoE, PPP, DHCPv4, and DHCPv6 packets.
Step 8 Run the display user-flow-statistics [ domain domain-name ]command in any view to check
users' uplink and downlink traffic statistics.
Step 9 Run the display access trigger user-table command in any view to check information about
users whose access packets are limited on a board.

----End

9.8.2 Clearing BRAS Access Information


If there are too many login and logout records, you can delete the BRAS access authentication
information.


Context

BRAS access information cannot be restored after it is cleared. Exercise caution when
running the commands.

To clear BRAS access information, run the following reset commands.

Procedure
Step 1 Run the reset aaa online-fail-record command in the user view to clear the login failure
records.
Step 2 Run the reset aaa offline-record command in the user view to clear the logout records.

Step 3 Run the reset aaa abnormal-offline-record command in the user view to clear the abnormal
logout records.
Step 4 Run the reset access trigger user-table command in any view to clear information about
users whose access packets are limited on a board.
Step 5 Run the reset call rate command in the user view to clear the call rate statistics of users.

Step 6 Run commit


The configuration is committed.

----End

9.8.3 Displaying BRAS Access Statistics


Displaying BRAS access statistics helps fault locating and traffic tracing.

Procedure
l Run the display access statistics packet discard mac-spoofing [ ipoe | pppoe ] [ ipv4 |
ipv6 ] { interface { interface-name | interface-type interface-number } | slot slot-id }
command in any view to display statistics about MAC-spoofing-dropped packets of
access users.
l Run the display access statistics trigger slot slot-id command in any view to display
user packet statistics by the board.
l Run the display layer3-subscriber statistics port-mismatch command in any view to
display statistics on Layer 3 users' packets that are discarded due to an interface
mismatch.
----End

Example
Run the display access statistics packet discard mac-spoofing slot slot-id command to view
statistics about MAC-spoofing-dropped packets on the board in slot 1.
<HUAWEI> display access statistics packet discard mac-spoofing slot 1


Slot 1 discard statistics:


--------------------------------------------------------------------------
IPv4 packets(high, low) IPv6 packets(high, low)
--------------------------------------------------------------------------
pppoe (4294967295, 4294967295) (4294967295, 4294967295)
ipoe (4294967295, 4294967295) (4294967295, 4294967295)
--------------------------------------------------------------------------

Run the display access statistics trigger slot slot-id command to view statistics about user
packets on the board in slot 2.
<HUAWEI> display access statistics trigger slot 2
IPv4 Packet information:
Passed packet(s) : 0
Dropped packet(s) : 0
IPv6 Packet information:
Passed packet(s) : 0
Dropped packet(s) : 0

Run the display layer3-subscriber statistics port-mismatch command to view statistics on
Layer 3 users' packets that are discarded due to an interface mismatch.
<HUAWEI> display layer3-subscriber statistics port-mismatch
---------------------------------------------------------------------------
Interface Statistics
---------------------------------------------------------------------------
Eth-Trunk1.1 4
Eth-Trunk6 3
Eth-Trunk6.1 3
GigabitEthernet3/0/0.1 2
GigabitEthernet3/0/0.2 100
---------------------------------------------------------------------------
Total 5,5 printed
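The three outputs above are what an operator polls when tracking access-layer drops. As an added example (not from the Huawei guide), the following Python script parses the mac-spoofing and port-mismatch tables and flags rows worth investigating: any non-zero MAC-spoofing drop count, a counter pinned at 4294967295 (the 32-bit ceiling, so its true value cannot be read from the output), and port-mismatch drops above a threshold. The sample outputs are constructed from the formats shown above; the threshold of 50 and the reading of a pinned counter are assumptions of the script, not statements from the guide.

```python
import re

# 2^32 - 1, the value shown for every pppoe counter in the guide's sample
# output. A counter pinned here has hit the 32-bit ceiling, so the real drop
# count is unknown and the row needs attention rather than a numeric compare.
# (Assumption of this script.)
COUNTER_MAX = 4294967295

# Constructed sample outputs, following the formats in section 9.8.3.
MAC_SPOOF_OUTPUT = """\
Slot 1 discard statistics:
--------------------------------------------------------------------------
IPv4 packets(high, low) IPv6 packets(high, low)
--------------------------------------------------------------------------
pppoe (4294967295, 4294967295) (4294967295, 4294967295)
ipoe (12, 0) (0, 0)
--------------------------------------------------------------------------
"""

PORT_MISMATCH_OUTPUT = """\
---------------------------------------------------------------------------
Interface Statistics
---------------------------------------------------------------------------
Eth-Trunk1.1 4
Eth-Trunk6 3
Eth-Trunk6.1 3
GigabitEthernet3/0/0.1 2
GigabitEthernet3/0/0.2 100
---------------------------------------------------------------------------
Total 5,5 printed
"""

# One data row: "<access-type> (high, low) (high, low)"
MAC_ROW_RE = re.compile(r"^(\w+)\s+\((\d+),\s*(\d+)\)\s+\((\d+),\s*(\d+)\)$")
# One data row: "<interface> <count>"; header and "Total 5,5 printed" do not match
MISMATCH_ROW_RE = re.compile(r"^(\S+)\s+(\d+)$")


def parse_mac_spoofing(text):
    """Return {access_type: {"ipv4": (high, low), "ipv6": (high, low)}}."""
    stats = {}
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line.strip())
        if m:
            kind, v4h, v4l, v6h, v6l = m.groups()
            stats[kind] = {"ipv4": (int(v4h), int(v4l)),
                           "ipv6": (int(v6h), int(v6l))}
    return stats


def parse_port_mismatch(text):
    """Return {interface: discarded_packets}."""
    stats = {}
    for line in text.splitlines():
        m = MISMATCH_ROW_RE.match(line.strip())
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def mac_spoofing_alerts(stats):
    """List (access_type, family, message) for every row that needs a look."""
    alerts = []
    for kind, families in sorted(stats.items()):
        for family, (high, low) in sorted(families.items()):
            if COUNTER_MAX in (high, low):
                alerts.append((kind, family, "counter pinned at 32-bit ceiling"))
            elif high or low:
                alerts.append((kind, family, f"{high + low} MAC-spoofing drops"))
    return alerts


def port_mismatch_alerts(stats, threshold=50):
    """Interfaces whose port-mismatch drops exceed the threshold, worst first."""
    hot = [(iface, n) for iface, n in stats.items() if n > threshold]
    return sorted(hot, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for alert in mac_spoofing_alerts(parse_mac_spoofing(MAC_SPOOF_OUTPUT)):
        print("mac-spoofing:", *alert)
    for iface, n in port_mismatch_alerts(parse_port_mismatch(PORT_MISMATCH_OUTPUT)):
        print(f"port-mismatch: {iface} dropped {n} packets")
```

A rising MAC-spoofing or port-mismatch count on one board or interface is best read together with the online-user table for that board (display access-user) so the drops can be tied to a specific subscriber session rather than treated as a bare counter.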

9.8.4 Clearing BRAS Access Statistics


Before you collect statistics on an interface within a certain period, clear the existing statistics
on this interface.

Context

Broadband remote access server (BRAS) access statistics cannot be restored after being
cleared. Therefore, exercise caution when performing the following operations.

Procedure
l Run the reset vlan-statistics interface interface-type interface-number.subinterface-
number pevlan pe-vlan-id [ cevlan ce-vlan-id ] command to clear statistics about traffic
and Point-to-Point Protocol (PPP) packets on a specified sub-interface bound to a
specified virtual local area network (VLAN).
NOTE

The reset vlan-statistics interface interface-type interface-number.subinterface-number pevlan
pe-vlan-id [ cevlan ce-vlan-id ] command can be configured only through a PAF file.
l Run the reset access statistics packet discard mac-spoofing [ ipoe | pppoe ] [ ipv4 |
ipv6 ] { interface { interface-name | interface-type interface-number } | slot slot-id }
command to clear statistics about MAC-spoofing-dropped packets of access users.


l Run the reset access statistics trigger slot slot-id command to clear access packet
statistics on a board.
l Run the reset layer3-subscriber statistics port-mismatch [ interface { interface-name |
interface-type interface-num } ] command to clear statistics on Layer 3 users' packets
that are discarded due to an interface mismatch.

----End

9.8.5 Configuring Automatic Blocking of User Access Domains and Boards of a BRAS

After automatic blocking of user access domains and boards is configured on a BRAS, the
BRAS automatically blocks the user access domains and boards and logs out online users.

Context
Before a device upgrade, you must manually block the user access domains and boards of the
device and log out online users, then run the reboot command to restart the device after users
go offline. Instead, you can run the bras auto-upgrade enable command to automatically
block the user access domains and boards of the device and log out online users, then run the
reboot command to restart the device.

The reboot command must be run.

Procedure
Step 1 In the user view, run:
bras auto-upgrade enable

Automatic blocking of user access domains and boards is configured on a BRAS.

Step 2 Run reboot

The system is restarted.

The bras auto-upgrade enable command is not stored in the configuration file of the system,
and therefore must be run each time you need this function.

Step 3 Run commit

The configuration is committed.

----End

9.9 Configuration Examples for IPoE Access Authentication

This section provides examples for configuring the BRAS access service, including
networking requirements, configuration notes, and configuration roadmap.


9.9.1 Example for Configuring Layer 3 IPoE Access with Web Authentication

This section provides an example of how to configure Layer 3 IPoE access with web
authentication. The example provides the networking requirements, configuration roadmap,
configuration procedure, and configuration files.

Networking Requirements
As shown in Figure 9-3, the networking requirements for configuring Layer 3 IPoE access
are as follows:

l A user belongs to the domain isp2. The user connects to GE 1/0/2.1 on Device B through
Device A, a DHCP relay agent. The user then accesses the Internet in Layer 3 IPoE
access mode.
l The user adopts web authentication, Remote Authentication Dial In User Service
(RADIUS) authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number
is 1812, and the accounting port number is 1813. The standard RADIUS protocol is
used. The shared key is it-is-my-secret1.
l The IP address of the DNS server is 192.168.8.252.
l The IP address of the WEB server is 192.168.8.251. The shared key is webvlan.

Figure 9-3 Networking for configuring Layer 3 IPoE access

NOTE

Interfaces 1 through 4 in this example are GE 0/1/1, GE 0/1/2, GE0/1/1.1, GE 0/1/2.1, respectively.

[Figure: subscriber@isp2 connects to interface2 (11.11.11.1/24) on Device A; Device A interface3 (192.168.1.2/24) connects to interface4 (192.168.1.1/24) on Device B; Device B interface1 (192.168.8.1/24) connects to the Internet. DNS server 192.168.8.252, WEB server 192.168.8.251, RADIUS server 192.168.8.249.]

Configuration Roadmap
The configuration roadmap is as follows (all functions, except DHCP relay, are configured on
Device B):

1. Configure DHCP relay on Device A.
2. Configure authentication and accounting schemes.
3. Configure a RADIUS server group.
4. Configure an IP address pool.
5. Configure a pre-authentication domain and a post-authentication domain for web
authentication.
6. Configure a WEB server.
7. Configure Upper Control Limit (UCL) rules and traffic management policies.
8. Configure a BAS interface and an uplink interface.

Data Preparation
To complete the configuration, you need the following data:

l Authentication scheme name and authentication mode
l Accounting scheme name and accounting mode
l Name of the RADIUS server group as well as IP addresses and port numbers of the
RADIUS authentication server and accounting server
l IP address pool name, gateway address, and DNS server address
l Domain names
l IP address of the WEB server
l UCL rules
l Traffic management policies
l BAS interface parameters

Procedure
Step 1 Assign IP addresses to interfaces on Device A and Device B.

# Assign IP addresses to the interfaces on Device A.


<DeviceA> system-view
[~DeviceA] interface GigabitEthernet1/0/2
[*DeviceA-GigabitEthernet1/0/2] ip address 11.11.11.1 255.255.255.0
[*DeviceA-GigabitEthernet1/0/2] quit
[*DeviceA] interface GigabitEthernet1/0/1.1
[*DeviceA-GigabitEthernet1/0/1.1] ip address 192.168.1.2 255.255.255.0
[*DeviceA-GigabitEthernet1/0/1.1] vlan-type dot1q 1
[*DeviceA-GigabitEthernet1/0/1.1] commit
[~DeviceA-GigabitEthernet1/0/1.1] quit

# Assign an IP address to the interface on Device B.


[~DeviceB] interface GigabitEthernet1/0/2.1
[*DeviceB-GigabitEthernet1/0/2.1] ip address 192.168.1.1 255.255.255.0
[*DeviceB-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[*DeviceB-GigabitEthernet1/0/2.1] commit
[~DeviceB-GigabitEthernet1/0/2.1] quit

Step 2 Configure DHCP relay on Device A.


[~DeviceA] interface GigabitEthernet1/0/2
[*DeviceA-GigabitEthernet1/0/2] dhcp select relay
[*DeviceA-GigabitEthernet1/0/2] ip relay address 192.168.1.1
[*DeviceA-GigabitEthernet1/0/2] commit
[~DeviceA-GigabitEthernet1/0/2] quit


Step 3 Configure a network-side IP address pool on Device B. The gateway address of the IP address
pool must be on the same network segment as the IP address of the inbound interface on
Device A, the DHCP relay agent.
<DeviceB> system-view
[~DeviceB] ip pool huawei bas local
[*DeviceB-ip-pool-huawei] gateway 11.11.11.1 24
[*DeviceB-ip-pool-huawei] section 0 11.11.11.2 11.11.11.255
[*DeviceB-ip-pool-huawei] dns-server 192.168.8.252
[*DeviceB-ip-pool-huawei] commit
[~DeviceB-ip-pool-huawei] quit

Step 4 Configure AAA schemes.


# Configure an authentication scheme.
[~DeviceB] aaa
[*DeviceB-aaa] authentication-scheme auth2
[*DeviceB-aaa-authen-auth2] authentication-mode radius
[*DeviceB-aaa-authen-auth2] commit
[~DeviceB-aaa-authen-auth2] quit

# Configure an accounting scheme.


[~DeviceB-aaa] accounting-scheme acct2
[*DeviceB-aaa-accounting-acct2] accounting-mode radius
[*DeviceB-aaa-accounting-acct2] commit
[~DeviceB-aaa-accounting-acct2] quit
[~DeviceB-aaa] quit

Step 5 Configure a RADIUS server group.


[~DeviceB] radius-server group rd2
[*DeviceB-radius-rd2] radius-server authentication 192.168.8.249 1812
[*DeviceB-radius-rd2] radius-server accounting 192.168.8.249 1813
[*DeviceB-radius-rd2] radius-server type standard
[*DeviceB-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
[*DeviceB-radius-rd2] commit
[~DeviceB-radius-rd2] quit

Step 6 Configure domains.


# Configure a domain named default0 to be the pre-authentication domain for web
authentication.
[~DeviceB] user-group huawei
[*DeviceB] aaa
[*DeviceB-aaa] domain default0
[*DeviceB-aaa-domain-default0] user-group huawei
[*DeviceB-aaa-domain-default0] web-server 192.168.8.251
[*DeviceB-aaa-domain-default0] web-server url http://192.168.8.251
[*DeviceB-aaa-domain-default0] ip-pool huawei
[*DeviceB-aaa-domain-default0] commit
[~DeviceB-aaa-domain-default0] quit

# Configure a domain named isp2 to be the post-authentication domain for web


authentication.
[~DeviceB-aaa] domain isp2
[*DeviceB-aaa-domain-isp2] authentication-scheme auth2
[*DeviceB-aaa-domain-isp2] accounting-scheme acct2
[*DeviceB-aaa-domain-isp2] radius-server group rd2
[*DeviceB-aaa-domain-isp2] portal-server 192.168.8.251
[*DeviceB-aaa-domain-isp2] portal-server url http://192.168.8.251/portal/admin/
[*DeviceB-aaa-domain-isp2] commit
[~DeviceB-aaa-domain-isp2] quit
[~DeviceB-aaa] quit

Step 7 Configure a WEB server.


[~DeviceB] web-auth-server 192.168.8.251 key webvlan

Step 8 Configure UCL.


# Configure UCL rules.
[~DeviceB] acl 6000
[*DeviceB-acl-ucl-6000] rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
[*DeviceB-acl-ucl-6000] rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group huawei

NOTE

In this example, a UCL rule is configured to permit packets destined for 127.0.0.1 to be sent to the CPU
of Device B.
[*DeviceB-acl-ucl-6000] rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
[*DeviceB-acl-ucl-6000] rule 25 permit ip source ip-address 192.168.8.252 0 destination user-group huawei
[*DeviceB-acl-ucl-6000] rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
[*DeviceB-acl-ucl-6000] rule 35 permit ip source ip-address 192.168.8.249 0 destination user-group huawei
[*DeviceB-acl-ucl-6000] rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
[*DeviceB-acl-ucl-6000] rule 45 permit ip source ip-address 192.168.8.251 0 destination user-group huawei
[*DeviceB-acl-ucl-6000] commit
[~DeviceB-acl-ucl-6000] quit
[~DeviceB] acl 6001
[*DeviceB-acl-ucl-6001] rule 10 permit tcp source user-group huawei destination-port eq www
[*DeviceB-acl-ucl-6001] rule 15 permit tcp source user-group huawei destination-port eq 8080
[*DeviceB-acl-ucl-6001] commit
[~DeviceB-acl-ucl-6001] quit
[~DeviceB] acl 6002
[*DeviceB-acl-ucl-6002] rule 5 permit ip source ip-address any destination user-group huawei
[*DeviceB-acl-ucl-6002] commit
[~DeviceB-acl-ucl-6002] quit

# Configure traffic management policies.


[~DeviceB] traffic classifier web_permit
[*DeviceB-classifier-web_permit] if-match acl 6000
[*DeviceB-classifier-web_permit] commit
[~DeviceB-classifier-web_permit] quit
[~DeviceB] traffic behavior web_permit
[*DeviceB-behavior-web_permit] permit
[*DeviceB-behavior-web_permit] commit
[~DeviceB-behavior-web_permit] quit
[~DeviceB] traffic classifier web_deny
[*DeviceB-classifier-web_deny] if-match acl 6001
[*DeviceB-classifier-web_deny] commit
[~DeviceB-classifier-web_deny] quit
[~DeviceB] traffic behavior web_deny
[*DeviceB-behavior-web_deny] http-redirect
[*DeviceB-behavior-web_deny] commit
[~DeviceB-behavior-web_deny] quit
[~DeviceB] traffic classifier web_out
[*DeviceB-classifier-web_out] if-match acl 6002
[*DeviceB-classifier-web_out] commit
[~DeviceB-classifier-web_out] quit
[~DeviceB] traffic behavior web_out
[*DeviceB-behavior-web_out] deny
[*DeviceB-behavior-web_out] commit
[~DeviceB-behavior-web_out] quit
[~DeviceB] traffic policy web

[*DeviceB-policy-web] classifier web_permit behavior web_permit
[*DeviceB-policy-web] classifier web_deny behavior web_deny
[*DeviceB-policy-web] commit
[~DeviceB-policy-web] quit
[~DeviceB] traffic policy web_out
[*DeviceB-policy-web_out] classifier web_permit behavior web_permit
[*DeviceB-policy-web_out] classifier web_out behavior web_out
[*DeviceB-policy-web_out] commit
[~DeviceB-policy-web_out] quit

# Apply user-side traffic management policies globally.


[*DeviceB] traffic-policy web inbound
[*DeviceB] traffic-policy web_out outbound

Step 9 Configure interfaces.


# Configure a BAS interface.
[*DeviceB] interface GigabitEthernet 1/0/2.1
[*DeviceB-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[*DeviceB-GigabitEthernet1/0/2.1] ip address 192.168.1.1 255.255.255.0
[*DeviceB-GigabitEthernet1/0/2.1] bas
[*DeviceB-GigabitEthernet1/0/2.1-bas] access-type layer3-subscriber default-domain pre-authentication default0 authentication isp2

NOTE

For Layer 3 users that do not obtain IP addresses from Device B, run the layer3-subscriber start-ip-
address [ end-ip-address ] [ vpn-instance instance-name ] domain-name domain-name command in the
system view to specify the IP address segment on which the Layer 3 users reside and the authentication
domain name.
[*DeviceB-GigabitEthernet1/0/2.1-bas] commit
[~DeviceB-GigabitEthernet1/0/2.1-bas] quit
[~DeviceB-GigabitEthernet1/0/2.1] quit

# Configure an uplink interface.


[*DeviceB] interface GigabitEthernet 1/0/1
[*DeviceB-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0
[*DeviceB-GigabitEthernet1/0/1] commit
[~DeviceB-GigabitEthernet1/0/1] quit

----End

Configuration Files
l Device A configuration file
#
sysname DeviceA
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 11.11.11.1 255.255.255.0
ip relay address 192.168.1.1
dhcp select relay
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 1
ip address 192.168.1.2 255.255.255.0
#
return

l Device B configuration file


#
sysname DeviceB
#
user-group huawei

#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
acl number 6000
rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group huawei
rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
rule 25 permit ip source ip-address 192.168.8.252 0 destination user-group huawei
rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
rule 35 permit ip source ip-address 192.168.8.249 0 destination user-group huawei
rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
rule 45 permit ip source ip-address 192.168.8.251 0 destination user-group huawei
#
acl number 6001
rule 10 permit tcp source user-group huawei destination-port eq www
rule 15 permit tcp source user-group huawei destination-port eq 8080
#
acl number 6002
rule 5 permit ip source ip-address any destination user-group huawei
#
traffic classifier web_permit operator or
if-match acl 6000
traffic classifier web_deny operator or
if-match acl 6001
traffic classifier web_out operator or
if-match acl 6002
#
traffic behavior web_permit
traffic behavior web_deny
http-redirect
traffic behavior web_out
deny
#
traffic policy web
share-mode
classifier web_permit behavior web_permit
classifier web_deny behavior web_deny
traffic policy web_out
share-mode
classifier web_permit behavior web_permit
classifier web_out behavior web_out
#
ip pool huawei bas local
gateway 11.11.11.1 255.255.255.0
section 0 11.11.11.2 11.11.11.255
dns-server 192.168.8.252
#
aaa
authentication-scheme auth2
#
accounting-scheme acct2
#
domain default0
user-group huawei
web-server 192.168.8.251
web-server url http://192.168.8.251
ip-pool huawei
domain isp2
authentication-scheme auth2

accounting-scheme acct2
radius-server group rd2
portal-server 192.168.8.251
portal-server url http://192.168.8.251/portal/admin/
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/2.1
vlan-type dot1q 1
ip address 192.168.1.1 255.255.255.0
bas
#
access-type layer3-subscriber default-domain pre-authentication default0
authentication isp2
#
traffic-policy web inbound
traffic-policy web_out outbound
#
web-auth-server 192.168.8.251 key webvlan
#
return
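The UCL rules and traffic policies of Step 8 are the security core of this example: until a user authenticates, user-group huawei may only exchange packets with the BRAS CPU, the DNS server, the RADIUS server and the web server, HTTP to anything else is redirected to the portal, and replies from anywhere else are dropped on the outbound policy. The following Python model is an added example (not Huawei code and not part of this guide) that re-expresses acl 6000/6001/6002 and the web and web_out policies as first-match rule lists and evaluates constructed sample flows against them. First-match ordering, "no matching classifier means forward", and the fact that a post-authentication user in domain isp2 carries no user-group are assumptions of the model; the addresses, rule contents and policy bindings are taken from the configuration above.

```python
from dataclasses import dataclass

# Addresses from the 9.9.1 example.
WEB_SERVER = "192.168.8.251"
DNS_SERVER = "192.168.8.252"
RADIUS_SERVER = "192.168.8.249"
# Destinations that acl 6000 permits for user-group huawei; 127.0.0.1 is the
# BRAS CPU, as the NOTE in Step 8 explains.
WALLED_GARDEN = {"127.0.0.1", DNS_SERVER, RADIUS_SERVER, WEB_SERVER}
REDIRECT_PORTS = {80, 8080}  # acl 6001: destination-port eq www / eq 8080


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0
    src_group: str = ""  # user-group of the sender ("" = not a BRAS user)
    dst_group: str = ""  # user-group of the receiver


def acl_6000(f):
    """rules 10-45: user-group huawei <-> walled-garden hosts, both directions."""
    return ((f.src_group == "huawei" and f.dst in WALLED_GARDEN)
            or (f.dst_group == "huawei" and f.src in WALLED_GARDEN))


def acl_6001(f):
    """rules 10/15: tcp from user-group huawei to port www or 8080."""
    return f.src_group == "huawei" and f.proto == "tcp" and f.dport in REDIRECT_PORTS


def acl_6002(f):
    """rule 5: any source towards user-group huawei."""
    return f.dst_group == "huawei"


# traffic policy web, applied inbound (user -> network)
POLICY_WEB = [(acl_6000, "permit"), (acl_6001, "http-redirect")]
# traffic policy web_out, applied outbound (network -> user)
POLICY_WEB_OUT = [(acl_6000, "permit"), (acl_6002, "deny")]


def evaluate(policy, flow, default="forward"):
    """First matching classifier wins; an unmatched packet is forwarded.
    Both are assumptions of this model."""
    for matches, action in policy:
        if matches(flow):
            return action
    return default


def reply(flow):
    """The reverse direction of a flow: addresses and groups swapped."""
    return Flow(flow.dst, flow.src, flow.proto, 0, flow.dst_group, flow.src_group)


def session_verdict(flow):
    """(uplink verdict, verdict for the server's reply) for one user flow.
    For an http-redirect the BRAS answers itself; the reply verdict then only
    says what would happen to a reply from the original destination."""
    return evaluate(POLICY_WEB, flow), evaluate(POLICY_WEB_OUT, reply(flow))


# Constructed sample flows: 11.11.11.5 is a pre-authentication user (domain
# default0, user-group huawei); 198.51.100.10 stands in for an Internet host.
SAMPLE_FLOWS = {
    "DNS query": Flow("11.11.11.5", DNS_SERVER, "udp", 53, "huawei"),
    "HTTP to portal": Flow("11.11.11.5", WEB_SERVER, "tcp", 80, "huawei"),
    "HTTP to Internet": Flow("11.11.11.5", "198.51.100.10", "tcp", 80, "huawei"),
    "HTTPS to Internet": Flow("11.11.11.5", "198.51.100.10", "tcp", 443, "huawei"),
    # After web authentication the user is in domain isp2, which binds no
    # user-group, so neither policy matches any more (assumption).
    "post-auth HTTPS": Flow("11.11.11.5", "198.51.100.10", "tcp", 443, ""),
}


def walled_garden_report():
    """Map each sample flow name to its (uplink, reply) verdicts."""
    return {name: session_verdict(f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (up, down) in walled_garden_report().items():
        print(f"{name:18} uplink={up:14} reply={down}")
```

Two things the model makes visible that the configuration listing does not state outright: acl 6001 only covers ports 80 and 8080, so a pre-authentication HTTPS request is not redirected and is only cut off by web_out dropping the server's reply; and the whole walled garden hinges on user-group huawei, so a user moved into isp2 by successful authentication falls through both policies and is forwarded normally.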

9.9.2 Example for Configuring Layer 3 IPoE Access with Captive Portal Redirection

This section provides an example of how to configure Layer 3 IPoE access with captive portal
redirection. The example provides the networking requirements, configuration roadmap,
configuration procedure, and configuration files.

Networking Requirements
As shown in Figure 9-4, the networking requirements for configuring Layer 3 IPoE access
are as follows:

l A user belongs to the domain isp2. The user connects to GE 0/1/2.1 on Device B through
Device A, a DHCP relay agent. The user then accesses the Internet in Layer 3 IPoE
access mode.
l The user adopts web authentication, Remote Authentication Dial In User Service
(RADIUS) authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number
is 1812, and the accounting port number is 1813. The standard RADIUS protocol is
used. The shared key is it-is-my-secret1.
l The IP address of the DNS server is 192.168.8.252.
l A device has all the web server, web authentication server, and portal server
functionalities, with the portal server address 192.168.8.251.
l The IP address of the web server is 192.168.8.251.
l To improve the success rate for captive portal redirection, configure flow-based captive
portal redirection to allow users that access a specified web page at 4.4.4.4 to be
redirected to the portal redirection page.

Figure 9-4 Configuring Layer 3 IPoE access with captive portal redirection

NOTE

Interfaces 1 through 4 in this example are GE 0/1/1, GE 0/1/2, GE0/1/1.1, GE 0/1/2.1, respectively.

[Figure: subscriber@isp2 connects to interface2 (11.11.11.1/24) on Device A; Device A interface3 (192.168.1.2/24) connects to interface4 (192.168.1.1/24) on Device B; Device B interface1 (192.168.8.1/24) connects to the Internet. DNS server 192.168.8.252, WEB server 192.168.8.251, RADIUS server 192.168.8.249.]

Configuration Roadmap
The configuration roadmap is as follows (all functions, except DHCP relay, are configured on
Device B):
1. Configure DHCP relay on Device A.
2. Configure authentication and accounting schemes.
3. Configure a RADIUS server group.
4. Configure an IP address pool.
5. Configure a pre-authentication domain and a post-authentication domain for web
authentication.
6. Configure a web server.
7. Configure a portal server.
8. Configure a portal service policy.
9. Configure UCL rules and traffic management policies.
10. Configure a BAS interface and an uplink interface.

Data Preparation
To complete the configuration, you need the following data:
l Authentication scheme name and authentication mode
l Accounting scheme name and accounting mode
l Name of the RADIUS server group as well as IP addresses and port numbers of the
RADIUS authentication server and accounting server
l IP address pool name, gateway address, and DNS server address
l Domain names
l Portal service policy name
l Portal server address
l UCL rules
l Traffic management policies
l BAS interface parameters


Procedure
Step 1 Assign IP addresses to interfaces on Device A and Device B.
# Assign IP addresses to the interfaces on Device A.
<DeviceA> system-view
[~DeviceA] interface GigabitEthernet0/1/2
[*DeviceA-GigabitEthernet0/1/2] ip address 11.11.11.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/2] commit
[~DeviceA-GigabitEthernet0/1/2] quit
[~DeviceA] interface GigabitEthernet0/1/1.1
[*DeviceA-GigabitEthernet0/1/1.1] ip address 192.168.1.2 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1.1] vlan-type dot1q 1
[*DeviceA-GigabitEthernet0/1/1.1] commit
[~DeviceA-GigabitEthernet0/1/1.1] quit

# Assign an IP address to the interface on Device B.


[~DeviceB] interface GigabitEthernet0/1/2.1
[*DeviceB-GigabitEthernet0/1/2.1] ip address 192.168.1.1 255.255.255.0
[*DeviceB-GigabitEthernet0/1/2.1] vlan-type dot1q 1
[*DeviceB-GigabitEthernet0/1/2.1] commit
[~DeviceB-GigabitEthernet0/1/2.1] quit

Step 2 Configure DHCP relay on Device A.


[~DeviceA] interface GigabitEthernet0/1/2
[*DeviceA-GigabitEthernet0/1/2] dhcp select relay
[*DeviceA-GigabitEthernet0/1/2] ip relay address 192.168.1.1
[*DeviceA-GigabitEthernet0/1/2] commit
[~DeviceA-GigabitEthernet0/1/2] quit

Step 3 Configure a network-side IP address pool on Device B. The gateway address of the IP address
pool must be on the same network segment as the IP address of the inbound interface on
Device A, the DHCP relay agent.
<DeviceB> system-view
[~DeviceB] ip pool huawei bas local
[*DeviceB-ip-pool-huawei] gateway 11.11.11.1 24
[*DeviceB-ip-pool-huawei] section 0 11.11.11.2 11.11.11.255
[*DeviceB-ip-pool-huawei] dns-server 192.168.8.252
[*DeviceB-ip-pool-huawei] commit
[~DeviceB-ip-pool-huawei] quit

Step 4 Configure AAA schemes.


# Configure an authentication scheme.
[~DeviceB] aaa
[*DeviceB-aaa] authentication-scheme auth2
[*DeviceB-aaa-authen-auth2] authentication-mode radius
[*DeviceB-aaa-authen-auth2] commit
[~DeviceB-aaa-authen-auth2] quit

# Configure an accounting scheme.


[*DeviceB-aaa] accounting-scheme acct2
[*DeviceB-aaa-accounting-acct2] accounting-mode radius
[*DeviceB-aaa-accounting-acct2] commit
[~DeviceB-aaa-accounting-acct2] quit
[~DeviceB-aaa] quit

Step 5 Configure a RADIUS server group.


[~DeviceB] radius-server group rd2
[*DeviceB-radius-rd2] radius-server authentication 192.168.8.249 1812
[*DeviceB-radius-rd2] radius-server accounting 192.168.8.249 1813
[*DeviceB-radius-rd2] radius-server type standard
[*DeviceB-radius-rd2] radius-server shared-key-cipher it-is-my-secret1

[*DeviceB-radius-rd2] commit
[~DeviceB-radius-rd2] quit

Step 6 Configure domains.


# Configure a domain named default0 to be the pre-authentication domain for web
authentication.
[~DeviceB] user-group huawei
[~DeviceB] aaa
[*DeviceB-aaa] domain default0
[*DeviceB-aaa-domain-default0] user-group huawei
[*DeviceB-aaa-domain-default0] web-server 192.168.8.251
[*DeviceB-aaa-domain-default0] web-server url http://192.168.8.251
[*DeviceB-aaa-domain-default0] ip-pool huawei
[*DeviceB-aaa-domain-default0] commit
[~DeviceB-aaa-domain-default0] quit
[~DeviceB-aaa] quit

# Configure a portal service policy.


[~DeviceB] service-group portal-group
[~DeviceB] service-policy name portal-policy portal
[*DeviceB-service-policy-portal-policy] service-group portal-group
[*DeviceB-service-policy-portal-policy] commit
[~DeviceB-service-policy-portal-policy] quit

# Configure an authentication domain named isp2, and bind the portal service policy to the
authentication domain.
[~DeviceB] aaa
[*DeviceB-aaa] domain isp2
[*DeviceB-aaa-domain-isp2] authentication-scheme auth2
[*DeviceB-aaa-domain-isp2] accounting-scheme acct2
[*DeviceB-aaa-domain-isp2] radius-server group rd2
[*DeviceB-aaa-domain-isp2] portal-server 192.168.8.251
[*DeviceB-aaa-domain-isp2] portal-server url http://192.168.8.251/portal/admin/
[*DeviceB-aaa-domain-isp2] service-policy portal-policy
[*DeviceB-aaa-domain-isp2] commit
[~DeviceB-aaa-domain-isp2] quit
[~DeviceB-aaa] quit

Step 7 Configure a web server.


[~DeviceB] web-auth-server 192.168.8.251

Step 8 Configure UCLs.


# Configure UCL rules that allow pre-authentication domain users to be redirected to the web
authentication page. Rules in UCL 6000 define the IP addresses of web pages that pre-
authentication users are allowed to access.
[~DeviceB] acl 6000
[*DeviceB-acl-ucl-6000] rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
[*DeviceB-acl-ucl-6000] rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group huawei

NOTE

In this example, a UCL rule is configured to permit packets destined for 127.0.0.1 to be sent to the CPU
of Device B.
[*DeviceB-acl-ucl-6000] rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
[*DeviceB-acl-ucl-6000] rule 25 permit ip source ip-address 192.168.8.252 0 destination user-group huawei
[*DeviceB-acl-ucl-6000] rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
[*DeviceB-acl-ucl-6000] rule 35 permit ip source ip-address 192.168.8.249 0 destination user-group huawei
[*DeviceB-acl-ucl-6000] rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
[*DeviceB-acl-ucl-6000] rule 45 permit ip source ip-address 192.168.8.251 0 destination user-group huawei
[*DeviceB-acl-ucl-6000] commit
[~DeviceB-acl-ucl-6000] quit
[~DeviceB] acl 6001
[*DeviceB-acl-ucl-6001] rule 10 permit tcp source user-group huawei destination-port eq www
[*DeviceB-acl-ucl-6001] rule 15 permit tcp source user-group huawei destination-port eq 8080
[*DeviceB-acl-ucl-6001] rule 20 permit ip source user-group huawei
[*DeviceB-acl-ucl-6001] commit
[~DeviceB-acl-ucl-6001] quit

# Configure UCL rules that match HTTP requests from authenticated users (service group
portal-group) to the web page at 4.4.4.4 or to the portal server at 192.168.8.251, so that
these requests can be redirected to the portal server.
[~DeviceB] acl 7000
[*DeviceB-acl-ucl-7000] rule 5 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq www
[*DeviceB-acl-ucl-7000] rule 10 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq 8080
[*DeviceB-acl-ucl-7000] rule 15 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq www
[*DeviceB-acl-ucl-7000] rule 20 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq 8080
[*DeviceB-acl-ucl-7000] commit
[~DeviceB-acl-ucl-7000] quit

# Configure traffic management policies.


[~DeviceB] traffic classifier web_permit
[*DeviceB-classifier-web_permit] if-match acl 6000
[*DeviceB-classifier-web_permit] commit
[~DeviceB-classifier-web_permit] quit
[~DeviceB] traffic behavior web_permit
[*DeviceB-behavior-web_permit] permit
[*DeviceB-behavior-web_permit] commit
[~DeviceB-behavior-web_permit] quit
[~DeviceB] traffic classifier web_deny
[*DeviceB-classifier-web_deny] if-match acl 6001
[*DeviceB-classifier-web_deny] commit
[~DeviceB-classifier-web_deny] quit

[~DeviceB] traffic behavior web_deny


[*DeviceB-behavior-web_deny] http-redirect
[*DeviceB-behavior-web_deny] commit
[~DeviceB-behavior-web_deny] quit
[~DeviceB] traffic classifier portal
[*DeviceB-classifier-portal] if-match acl 7000
[*DeviceB-classifier-portal] commit
[~DeviceB-classifier-portal] quit
[~DeviceB] traffic behavior portal
[*DeviceB-behavior-portal] redirect-cpu portal
[*DeviceB-behavior-portal] commit
[~DeviceB-behavior-portal] quit
[~DeviceB] traffic policy l3-ipoe
[*DeviceB-policy-l3-ipoe] share-mode
[*DeviceB-policy-l3-ipoe] classifier portal behavior portal
[*DeviceB-policy-l3-ipoe] classifier web_permit behavior web_permit
[*DeviceB-policy-l3-ipoe] classifier web_deny behavior web_deny
[*DeviceB-policy-l3-ipoe] commit
[~DeviceB-policy-l3-ipoe] quit

# Apply user-side traffic management policies globally.


[~DeviceB] traffic-policy l3-ipoe inbound
[~DeviceB] traffic-policy l3-ipoe outbound

Step 9 Configure interfaces.


# Configure a BAS interface.
[~DeviceB] interface GigabitEthernet 0/1/2.1
[*DeviceB-GigabitEthernet0/1/2.1] vlan-type dot1q 1
[*DeviceB-GigabitEthernet0/1/2.1] ip address 192.168.1.1 255.255.255.0
[*DeviceB-GigabitEthernet0/1/2.1] bas
[*DeviceB-GigabitEthernet0/1/2.1-bas] access-type layer3-subscriber default-
domain pre-authentication default0 authentication isp2
[*DeviceB-GigabitEthernet0/1/2.1-bas] commit
[~DeviceB-GigabitEthernet0/1/2.1-bas] quit
[~DeviceB-GigabitEthernet0/1/2.1] quit

# Configure an uplink interface.


[~DeviceB] interface GigabitEthernet 0/1/1
[*DeviceB-GigabitEthernet0/1/1] ip address 192.168.8.1 255.255.255.0
[*DeviceB-GigabitEthernet0/1/1] commit
[~DeviceB-GigabitEthernet0/1/1] quit

Step 10 Run commit


The configuration is committed.

----End

Configuration Files
l Device A configuration file
#
sysname DeviceA
#
interface GigabitEthernet0/1/2
undo shutdown
ip address 11.11.11.1 255.255.255.0
ip relay address 192.168.1.1
dhcp select relay
#
interface GigabitEthernet0/1/1.1
vlan-type dot1q 1
ip address 192.168.1.2 255.255.255.0
#
return

l Device B configuration file


#
sysname DeviceB
#
user-group huawei
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^
%
#
acl number 6000
rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group huawei
rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
rule 25 permit ip source ip-address 192.168.8.252 0 destination user-group huawei
rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
rule 35 permit ip source ip-address 192.168.8.249 0 destination user-group huawei
rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
rule 45 permit ip source ip-address 192.168.8.251 0 destination user-group huawei
#
acl number 6001
rule 10 permit tcp source user-group huawei destination-port eq www
rule 15 permit tcp source user-group huawei destination-port eq 8080
rule 20 permit ip source user-group huawei
#
acl number 7000
rule 5 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq www
rule 10 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq 8080
rule 15 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq www
rule 20 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq 8080
#
traffic classifier web_permit operator or
if-match acl 6000
traffic classifier web_deny operator or
if-match acl 6001
traffic classifier portal operator or
if-match acl 7000
#
traffic behavior web_permit
traffic behavior web_deny
http-redirect
traffic behavior portal
redirect-cpu portal
#
traffic policy l3-ipoe
share-mode
classifier portal behavior portal
classifier web_permit behavior web_permit
classifier web_deny behavior web_deny
#
ip pool huawei bas local
gateway 11.11.11.1 255.255.255.0
section 0 11.11.11.2 11.11.11.255
dns-server 192.168.8.252
#
aaa
authentication-scheme auth2
#
accounting-scheme acct2
#
domain default0
user-group huawei
web-server 192.168.8.251
web-server url http://192.168.8.251
ip-pool huawei
domain isp2
authentication-scheme auth2
accounting-scheme acct2
radius-server group rd2
portal-server 192.168.8.251
portal-server url http://192.168.8.251/portal/admin/
service-policy portal-policy
#
interface GigabitEthernet0/1/2
undo shutdown
#
interface GigabitEthernet0/1/2.1
vlan-type dot1q 1
ip address 192.168.1.1 255.255.255.0
bas
#
access-type layer3-subscriber default-domain pre-authentication default0 authentication isp2
#
ip route-static 11.11.11.0 255.255.255.0 192.168.1.2
#
traffic-policy l3-ipoe inbound
traffic-policy l3-ipoe outbound
#
web-auth-server 192.168.8.251
#
return

9.9.3 Example for Configuring the IPoE Access Service for VPN Users by Using Web Authentication
This section provides an example for configuring IPoE access to a VPN by using web
authentication, including the networking requirements, configuration roadmap, configuration
procedure, and configuration files.

Networking Requirements
The networking is shown in Figure 9-5. The requirements are as follows:
l The user belongs to domain isp2 and accesses the Internet by using GE 0/1/2 on the
Router in IPoE mode.
l The user adopts Web authentication, RADIUS authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number
is 1812 and the accounting port number is 1813. The standard RADIUS protocol is used.
The shared key is it-is-my-secret1.
l The user is a VPN user and belongs to a VPN instance named vpn1.
l The IP address of the DNS server is 192.168.8.252.
l The IP address of the Web authentication server is 192.168.8.251 and the key is webvlan.
l The network-side interface is GE 0/1/1.

Figure 9-5 Networking for configuring the IPoE access service

NOTE

Interfaces 1 and 2 in this example are GE 0/1/1 and GE 0/1/2, respectively.

[Figure: subscriber@isp2 -- Access Network -- interface2 (Device) interface1, 192.168.8.1 -- Internet; network side: DNS server 192.168.8.252, WEB server 192.168.8.251, RADIUS server 192.168.8.249]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPN instance.
2. Configure authentication and accounting schemes.
3. Configure a RADIUS server group.
4. Configure an address pool.
5. Configure a pre-authentication domain and an authentication domain for Web
authentication.
6. Configure the Web authentication server.
7. Configure ACL rules and traffic policies.
8. Configure a BAS interface and an upstream interface.

Data Preparation
To complete the configuration, you need the following data:
l VPN instance name, RD, and VPN target
l Authentication template name and authentication mode
l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l IP address pool name, gateway address, and DNS server address
l Domain name
l Web authentication server address
l ACL rules
l Traffic policy
l BAS interface parameters

Procedure
Step 1 Configure a VPN instance.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpn1
[*HUAWEI-vpn-instance-vpn1] ipv4-family
[*HUAWEI-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[*HUAWEI-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both
[*HUAWEI-vpn-instance-vpn1-af-ipv4] commit
[~HUAWEI-vpn-instance-vpn1-af-ipv4] quit
[~HUAWEI-vpn-instance-vpn1] quit

Step 2 Configure AAA schemes.


# Configure an authentication scheme.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth2
[*HUAWEI-aaa-authen-auth2] authentication-mode radius
[*HUAWEI-aaa-authen-auth2] commit
[~HUAWEI-aaa-authen-auth2] quit

# Configure an accounting scheme.
[~HUAWEI-aaa] accounting-scheme acct2
[*HUAWEI-aaa-accounting-acct2] accounting-mode radius
[*HUAWEI-aaa-accounting-acct2] commit
[~HUAWEI-aaa-accounting-acct2] quit
[~HUAWEI-aaa] quit

Step 3 Configure a RADIUS server group.


[~HUAWEI] radius-server group rd2
[*HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
[*HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
[*HUAWEI-radius-rd2] radius-server type standard
[*HUAWEI-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
[*HUAWEI-radius-rd2] commit
[~HUAWEI-radius-rd2] quit

Step 4 Configure an address pool.


[~HUAWEI] ip pool pool2 bas local
[*HUAWEI-ip-pool-pool2] gateway 10.82.1.1 255.255.255.0
[*HUAWEI-ip-pool-pool2] section 0 10.82.1.2 10.82.1.200
[*HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
[*HUAWEI-ip-pool-pool2] vpn-instance vpn1
[*HUAWEI-ip-pool-pool2] commit
[~HUAWEI-ip-pool-pool2] quit

Step 5 Configure a domain.

# Configure domain default0 as the pre-authentication domain for Web authentication.


[~HUAWEI] user-group web-before
[*HUAWEI] aaa
[*HUAWEI-aaa] http-redirect enable
[*HUAWEI-aaa] domain default0
[*HUAWEI-aaa-domain-default0] ip-pool pool2
[*HUAWEI-aaa-domain-default0] user-group web-before
[*HUAWEI-aaa-domain-default0] web-server 192.168.8.251
[*HUAWEI-aaa-domain-default0] web-server url http://192.168.8.251
[*HUAWEI-aaa-domain-default0] vpn-instance vpn1
[*HUAWEI-aaa-domain-default0] http-hostcar enable
[*HUAWEI-aaa-domain-default0] commit
[~HUAWEI-aaa-domain-default0] quit

# Configure domain isp2 as the authentication domain for Web authentication.


[~HUAWEI-aaa] domain isp2
[*HUAWEI-aaa-domain-isp2] authentication-scheme auth2
[*HUAWEI-aaa-domain-isp2] accounting-scheme acct2
[*HUAWEI-aaa-domain-isp2] radius-server group rd2
[*HUAWEI-aaa-domain-isp2] vpn-instance vpn1
[*HUAWEI-aaa-domain-isp2] commit
[~HUAWEI-aaa-domain-isp2] quit
[~HUAWEI-aaa] quit

NOTE

If the reallocate-ip-address command has been run for web authentication domain isp2 to enable
secondary address allocation, domain isp2 must also be bound to an address pool. Secondary address
allocation is optional. Normally, a private network address is allocated in the pre-authentication
domain before authentication and a public network address is allocated in the authentication domain
after authentication, which alleviates public address shortage and improves public address utilization.
Note, however, that secondary address allocation requires the web server to implement the Huawei
proprietary protocol for secondary address allocation, and the client must download a plug-in from the
web server.

Step 6 Configure the Web authentication server.


[~HUAWEI] web-auth-server 192.168.8.251 key webvlan

Step 7 Configure ACLs and a traffic policy.

# Configure ACL rules. ACL 6000 matches HTTP requests from pre-authentication users (to be
redirected), ACL 6001 matches the destinations these users may reach directly (the web server,
the DNS server, and the local CPU), and ACL 6002 matches all other traffic to and from these users.
[~HUAWEI] acl number 6000
[*HUAWEI-acl-ucl-6000] rule 20 permit tcp source user-group web-before destination-port eq www
[*HUAWEI-acl-ucl-6000] commit
[~HUAWEI-acl-ucl-6000] quit
[~HUAWEI] acl number 6001
[*HUAWEI-acl-ucl-6001] rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
[*HUAWEI-acl-ucl-6001] rule 10 permit ip source user-group web-before destination ip-address 192.168.8.252 0
[*HUAWEI-acl-ucl-6001] rule 15 permit ip source user-group web-before destination ip-address 127.0.0.1 0
[*HUAWEI-acl-ucl-6001] commit
[~HUAWEI-acl-ucl-6001] quit
[~HUAWEI] acl number 6002
[*HUAWEI-acl-ucl-6002] rule 30 permit ip source user-group web-before destination ip-address any
[*HUAWEI-acl-ucl-6002] rule 35 permit ip source ip-address any destination user-group web-before
[*HUAWEI-acl-ucl-6002] commit
[~HUAWEI-acl-ucl-6002] quit

# Configure a traffic policy.


[~HUAWEI] traffic classifier c1
[*HUAWEI-classifier-c1] if-match acl 6000
[*HUAWEI-classifier-c1] commit
[~HUAWEI-classifier-c1] quit
[~HUAWEI] traffic classifier c2
[*HUAWEI-classifier-c2] if-match acl 6001
[*HUAWEI-classifier-c2] commit
[~HUAWEI-classifier-c2] quit
[~HUAWEI] traffic classifier c3
[*HUAWEI-classifier-c3] if-match acl 6002
[*HUAWEI-classifier-c3] commit
[~HUAWEI-classifier-c3] quit
[~HUAWEI] traffic behavior deny1
[*HUAWEI-behavior-deny1] http-redirect plus
[*HUAWEI-behavior-deny1] commit
[~HUAWEI-behavior-deny1] quit
[~HUAWEI] traffic behavior perm1
[*HUAWEI-behavior-perm1] permit
[*HUAWEI-behavior-perm1] commit
[~HUAWEI-behavior-perm1] quit
[~HUAWEI] traffic behavior deny2
[*HUAWEI-behavior-deny2] deny
[*HUAWEI-behavior-deny2] commit
[~HUAWEI-behavior-deny2] quit
[~HUAWEI] traffic policy action1
[*HUAWEI-policy-action1] share-mode
[*HUAWEI-policy-action1] classifier c2 behavior perm1
[*HUAWEI-policy-action1] classifier c1 behavior deny1
[*HUAWEI-policy-action1] classifier c3 behavior deny2
[*HUAWEI-policy-action1] commit
[~HUAWEI-policy-action1] quit

# Apply the traffic policy globally.


[~HUAWEI] traffic-policy action1 inbound
[~HUAWEI] traffic-policy action1 outbound
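The two pre-authentication traffic policies on this page (policy l3-ipoe in Step 8 of the previous example and policy action1 in Step 7 above) are only as safe as the order in which their classifiers are bound and the reverse rules they carry. The script below is an added example, not Huawei code or device output: it encodes both rule sets as data and evaluates the flows a pre-authentication subscriber generates. It assumes that classifiers are tried in the order they are bound to the policy with the first match deciding the behavior, that traffic matching no classifier is forwarded, and it uses constructed subscriber addresses (11.11.11.5 and 11.11.11.6 from pool huawei, 10.82.1.5 from pool2).

```python
"""Offline model of the two pre-authentication walled gardens on this page:
UCLs 6000/6001/7000 with share-mode policy l3-ipoe (Device B, Step 8 of the
previous example) and UCLs 6000/6001/6002 with policy action1 (Step 7 above).

Added example, not Huawei code: it checks the logic of the rules as written,
not NE40E forwarding.  Assumptions, not taken from the page: classifiers are
tried in binding order and the first match decides the behaviour; traffic
matching no classifier is forwarded; subscriber addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WWW = 80
# Constructed membership tables.  A pre-authentication user sits in the
# user-group of its pre-authentication domain; a user authenticated in isp2
# (first example) is placed in service-group portal-group by portal-policy.
USER_GROUPS = {"11.11.11.5": "huawei", "10.82.1.5": "web-before"}
SERVICE_GROUPS = {"11.11.11.6": "portal-group"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One UCL permit rule; None means 'any' for that field."""
    proto: str = "ip"
    src_group: Optional[str] = None     # source user-group
    src_sgroup: Optional[str] = None    # source service-group
    src_ip: Optional[str] = None
    dst_group: Optional[str] = None     # destination user-group
    dst_ip: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and (self.src_group is None or USER_GROUPS.get(f.src) == self.src_group)
                and (self.src_sgroup is None or SERVICE_GROUPS.get(f.src) == self.src_sgroup)
                and self.src_ip in (None, f.src)
                and (self.dst_group is None or USER_GROUPS.get(f.dst) == self.dst_group)
                and self.dst_ip in (None, f.dst)
                and self.dport in (None, f.dport))


Policy = List[Tuple[str, List[Rule], str]]   # (classifier, rules, behaviour)


def evaluate(policy: Policy, flow: Flow) -> str:
    """Behaviour applied to flow, or 'forward' when no classifier matches."""
    for _classifier, rules, behaviour in policy:
        if any(r.matches(flow) for r in rules):
            return behaviour
    return "forward"


# Device B, traffic policy l3-ipoe (classifiers in the page's binding order).
GARDEN = ("127.0.0.1", "192.168.8.252", "192.168.8.249", "192.168.8.251")
ACL_6000 = [r for h in GARDEN for r in (Rule(src_group="huawei", dst_ip=h),
                                         Rule(src_ip=h, dst_group="huawei"))]
ACL_6001 = [Rule(proto="tcp", src_group="huawei", dport=WWW),
            Rule(proto="tcp", src_group="huawei", dport=8080),
            Rule(src_group="huawei")]
ACL_7000 = [Rule(proto="tcp", src_sgroup="portal-group", dst_ip=d, dport=p)
            for d in ("4.4.4.4", "192.168.8.251") for p in (WWW, 8080)]
POLICY_L3_IPOE: Policy = [("portal", ACL_7000, "redirect-cpu portal"),
                          ("web_permit", ACL_6000, "permit"),
                          ("web_deny", ACL_6001, "http-redirect")]

# VPN example, traffic policy action1 (classifiers in the page's binding order).
ACL_V6000 = [Rule(proto="tcp", src_group="web-before", dport=WWW)]
ACL_V6001 = [Rule(src_group="web-before", dst_ip=h)
             for h in ("192.168.8.251", "192.168.8.252", "127.0.0.1")]
ACL_V6002 = [Rule(src_group="web-before"), Rule(dst_group="web-before")]
POLICY_ACTION1: Policy = [("c2", ACL_V6001, "permit"),
                          ("c1", ACL_V6000, "http-redirect plus"),
                          ("c3", ACL_V6002, "deny")]


def garden_report(policy: Policy, user: str) -> Dict[str, str]:
    """Behaviour for the flows a subscriber at `user` generates before login."""
    flows = {
        "dns query": Flow(user, "192.168.8.252", "udp", 53),
        "dns reply": Flow("192.168.8.252", user, "udp"),
        "http to portal": Flow(user, "192.168.8.251", "tcp", WWW),
        "http to internet": Flow(user, "4.4.4.4", "tcp", WWW),
        "https to internet": Flow(user, "4.4.4.4", "tcp", 443),
    }
    return {k: evaluate(policy, f) for k, f in flows.items()}


if __name__ == "__main__":
    for label, policy, user in (("l3-ipoe", POLICY_L3_IPOE, "11.11.11.5"),
                                ("action1", POLICY_ACTION1, "10.82.1.5")):
        for k, v in garden_report(policy, user).items():
            print(f"{label:8s} {k:18s} -> {v}")
    # Binding web_deny ahead of web_permit would redirect the portal's own
    # HTTP, so the login page could never load; the page's order avoids that.
    swapped = [POLICY_L3_IPOE[0], POLICY_L3_IPOE[2], POLICY_L3_IPOE[1]]
    print("l3-ipoe  swapped portal http ->",
          evaluate(swapped, Flow("11.11.11.5", "192.168.8.251", "tcp", WWW)))
```

Two results of this model deserve a check on the target release before the policy goes live. In the VPN example, the DNS reply to a web-before user matches only acl 6002 rule 35 and lands in behavior deny2, because that example, unlike the first, carries no reverse permit rules in acl 6001 while policy action1 is applied in both directions; either confirm that replies to pre-authentication users are handled by session state on the device, or add reverse rules as the first example does. In the first example, swapping the binding order of web_permit and web_deny makes HTTP to the portal server itself hit http-redirect, which is why the page binds web_permit first.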

Step 8 Configure interfaces.


# Configure a BAS interface.
[~HUAWEI] interface gigabitethernet0/1/2
[*HUAWEI-GigabitEthernet0/1/2] bas
[*HUAWEI-GigabitEthernet0/1/2-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/2-bas] authentication-method web
[*HUAWEI-GigabitEthernet0/1/2-bas] default-domain authentication isp2
[*HUAWEI-GigabitEthernet0/1/2-bas] commit
[~HUAWEI-GigabitEthernet0/1/2-bas] quit
[~HUAWEI-GigabitEthernet0/1/2] quit

# Configure an upstream interface.

NOTE

The upstream interface connects to an MPLS network; its MPLS VPN configuration is not covered here. For
details, see the chapter "BGP/MPLS IP VPN" in the HUAWEI NE40E-M2 Series Universal Service
Router Configuration Guide - VPN.
[~HUAWEI] interface GigabitEthernet 0/1/1
[*HUAWEI-GigabitEthernet0/1/1] ip address 192.168.8.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit

----End

Configuration Files
#
sysname HUAWEI
#
user-group web-before
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
acl number 6000
rule 20 permit tcp source user-group web-before destination-port eq www
#
acl number 6001
rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
rule 10 permit ip source user-group web-before destination ip-address 192.168.8.252 0
rule 15 permit ip source user-group web-before destination ip-address 127.0.0.1 0
#
acl number 6002
rule 30 permit ip source user-group web-before destination ip-address any
rule 35 permit ip source ip-address any destination user-group web-before
#
traffic classifier c2 operator and
if-match acl 6001
traffic classifier c1 operator and
if-match acl 6000
traffic classifier c3 operator and
if-match acl 6002
#
traffic behavior perm1
traffic behavior deny1
http-redirect plus
traffic behavior deny2
deny
#
traffic policy action1
share-mode
classifier c2 behavior perm1
classifier c1 behavior deny1
classifier c3 behavior deny2
traffic-policy action1 inbound
traffic-policy action1 outbound
#
interface GigabitEthernet0/1/2
bas
access-type layer2-subscriber default-domain authentication isp2
authentication-method web
#
interface GigabitEthernet0/1/1
ip address 192.168.8.1 255.255.255.0
#
ip pool pool2 bas local
vpn-instance vpn1
gateway 10.82.1.1 255.255.255.0
section 0 10.82.1.2 10.82.1.200
dns-server 192.168.8.252
#
aaa
authentication-scheme auth2
accounting-scheme acct2
domain default0
web-server 192.168.8.251
web-server url http://192.168.8.251
user-group web-before
vpn-instance vpn1
ip-pool pool2
http-hostcar enable
domain isp2
authentication-scheme auth2
accounting-scheme acct2
vpn-instance vpn1
radius-server group rd2
#
return

9.9.4 Example for Configuring the IPoEoVLAN Access Service


This section provides an example for configuring the IPoEoVLAN access service, including
the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
The networking is shown in Figure 9-6. The requirements are as follows:
l The user belongs to domain isp3 and accesses the Internet by using GE 0/1/2.1 on the
Router in IPoEoVLAN mode. The LAN switch tags user packets with VLAN 1 and
VLAN 2.
l The user adopts binding authentication, RADIUS authentication, and RADIUS
accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number
is 1812 and the accounting port number is 1813. The standard RADIUS protocol is
adopted. The shared key is it-is-my-secret1.
l The IP address of the DNS server is 192.168.8.252.
l The network-side interface is GE 0/1/1.

Figure 9-6 Networking for configuring the IPoEoVLAN access service

NOTE

Interfaces 1 and 2 in this example are GE 0/1/1 and GE 0/1/2.1, respectively.

[Figure: subscriber1@isp3 and subscriber2@isp3 -- Switch -- interface2 (Device) interface1, 192.168.8.1 -- Internet; network side: DNS server 192.168.8.252, RADIUS server 192.168.8.249]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure authentication and accounting schemes.


2. Configure a RADIUS server group.
3. Configure an address pool.
4. Configure an authentication domain.
5. Configure a BAS interface and an upstream interface.

Data Preparation
To complete the configuration, you need the following data:

l Authentication template name and authentication mode


l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l IP address pool, gateway address, and DNS server address
l Domain name
l BAS interface parameters

Procedure
Step 1 Configure AAA schemes.

# Configure an authentication scheme.


<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth3
[*HUAWEI-aaa-authen-auth3] authentication-mode radius
[*HUAWEI-aaa-authen-auth3] commit
[~HUAWEI-aaa-authen-auth3] quit

# Configure an accounting scheme.
[~HUAWEI-aaa] accounting-scheme acct3
[*HUAWEI-aaa-accounting-acct3] accounting-mode radius
[*HUAWEI-aaa-accounting-acct3] commit
[~HUAWEI-aaa-accounting-acct3] quit
[~HUAWEI-aaa] quit

Step 2 Configure a RADIUS server group.


[~HUAWEI] radius-server group rd3
[*HUAWEI-radius-rd3] radius-server authentication 192.168.8.249 1812
[*HUAWEI-radius-rd3] radius-server accounting 192.168.8.249 1813
[*HUAWEI-radius-rd3] radius-server type standard
[*HUAWEI-radius-rd3] radius-server shared-key-cipher it-is-my-secret1
[*HUAWEI-radius-rd3] commit
[~HUAWEI-radius-rd3] quit

Step 3 Configure an address pool.


[~HUAWEI] ip pool pool3 bas local
[*HUAWEI-ip-pool-pool3] gateway 10.82.2.1 255.255.255.0
[*HUAWEI-ip-pool-pool3] section 0 10.82.2.2 10.82.2.200
[*HUAWEI-ip-pool-pool3] dns-server 192.168.8.252
[*HUAWEI-ip-pool-pool3] commit
[~HUAWEI-ip-pool-pool3] quit

NOTE

The configured address pool is used for the authentication domain. The pre-authentication domain is not
required because a user that adopts binding authentication can be authenticated automatically when the
user goes online.

Step 4 Configure an authentication domain.


[~HUAWEI] aaa
[*HUAWEI-aaa] domain isp3
[*HUAWEI-aaa-domain-isp3] authentication-scheme auth3
[*HUAWEI-aaa-domain-isp3] accounting-scheme acct3
[*HUAWEI-aaa-domain-isp3] radius-server group rd3
[*HUAWEI-aaa-domain-isp3] ip-pool pool3
[*HUAWEI-aaa-domain-isp3] commit
[~HUAWEI-aaa-domain-isp3] quit
[~HUAWEI-aaa] quit

NOTE

When a user obtains an IP address in binding authentication, the Router authenticates the user
automatically. Therefore, you do not need to configure the ACL to control the network access rights of
the user before authentication. Instead, you need to configure the ACL to control the network access
rights of the user after authentication.

Step 5 Configure interfaces.


# Configure a BAS interface.
[~HUAWEI] interface GigabitEthernet 0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 2
[*HUAWEI-GigabitEthernet0/1/2.1-vlan-1-2] quit
[*HUAWEI-GigabitEthernet0/1/2.1] bas
[*HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method bind
[*HUAWEI-GigabitEthernet0/1/2.1-bas] default-domain authentication isp3
[*HUAWEI-GigabitEthernet0/1/2.1-bas] commit
[~HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[~HUAWEI-GigabitEthernet0/1/2.1] quit

NOTE

l The user name for binding authentication is automatically generated based on the location where the
user accesses the NE40E. Therefore, the user name on the RADIUS server must be configured
according to the name generation rule. The password is vlan.
l For details about the user name format used in binding authentication, see the description of the
vlanpvc-to-username command in the HUAWEI NE40E-M2 Series Universal Service Router
Command Reference.

# Configure an upstream interface.


[~HUAWEI] interface GigabitEthernet 0/1/1
[*HUAWEI-GigabitEthernet0/1/1] ip address 192.168.8.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit

----End

Configuration Files
#
sysname HUAWEI
#
radius-server group rd3
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
interface GigabitEthernet0/1/2.1
user-vlan 1 2
bas
access-type layer2-subscriber default-domain authentication isp3
authentication-method bind
#
interface GigabitEthernet0/1/1
ip address 192.168.8.1 255.255.255.0
#
ip pool pool3 bas local
gateway 10.82.2.1 255.255.255.0
section 0 10.82.2.2 10.82.2.200
dns-server 192.168.8.252
#
aaa
authentication-scheme auth3
accounting-scheme acct3
domain isp3
authentication-scheme auth3
accounting-scheme acct3
radius-server group rd3
ip-pool pool3
#
return

9.9.5 Example for Configuring the IPoEoQ Access Service


This section provides an example for configuring the IPoEoQ access service, including the
networking requirements, configuration roadmap, configuration procedure, and configuration
files.

Networking Requirements
The networking is shown in Figure 9-7. The requirements are as follows:

l The user accesses the Internet by using GE 0/1/2.2 on the Router in IPoEoQ mode. LAN
switch 1 tags user packets with VLAN 1 and VLAN 2. LAN switch 2 tags user packets
with QinQ 100 (outer VLAN 100).
l The user belongs to domain isp1 and adopts binding authentication, RADIUS authentication,
and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port number
is 1812 and the accounting port number is 1813. The standard RADIUS protocol is
adopted. The shared key is it-is-my-secret1.
l The IP address of the DNS server is 192.168.7.252.

Figure 9-7 Networking for configuring the IPoEoQ access service

NOTE

Interfaces 1 and 2 in this example are GE 0/1/1 and GE 0/1/2.2, respectively.

[Figure: user1@isp1 (VLAN1) and user2@isp1 (VLAN2) -- Lanswitch1 -- Lanswitch2 (QinQ100) -- interface2 (Device) interface1, 192.168.7.1 -- Internet; network side: DNS server and RADIUS server at the addresses listed in the requirements above]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure authentication and accounting schemes.


2. Configure a RADIUS server group.
3. Configure an address pool.
4. Configure an authentication domain.
5. Configure a BAS interface and an upstream interface.

Data Preparation
To complete the configuration, you need the following data:

l Authentication template name and authentication mode


l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server

l IP address pool name, gateway address, and DNS server address


l Domain name
l BAS interface parameters

Procedure
Step 1 Configure AAA schemes.
# Configure an authentication scheme.
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit

# Configure an accounting scheme.


[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] commit
[~HUAWEI-aaa-accounting-acct1] quit
[~HUAWEI-aaa] quit

Step 2 Configure a RADIUS server group.


[~HUAWEI] radius-server group rd1
[*HUAWEI-radius-rd1] radius-server authentication 192.168.7.249 1812
[*HUAWEI-radius-rd1] radius-server accounting 192.168.7.249 1813
[*HUAWEI-radius-rd1] radius-server type standard
[*HUAWEI-radius-rd1] radius-server shared-key-cipher it-is-my-secret1
[*HUAWEI-radius-rd1] commit
[~HUAWEI-radius-rd1] quit

Step 3 Configure an address pool.


[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 10.82.0.1 255.255.255.0
[*HUAWEI-ip-pool-pool1] section 0 10.82.0.2 10.82.0.200
[*HUAWEI-ip-pool-pool1] dns-server 192.168.7.252
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit

Step 4 Configure an authentication domain.


[~HUAWEI] aaa
[*HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group rd1
[*HUAWEI-aaa-domain-isp1] ip-pool pool1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit

Step 5 Configure Ethernet interfaces.


# Configure the user VLAN.
[~HUAWEI] interface GigabitEthernet 0/1/2.2
[*HUAWEI-GigabitEthernet0/1/2.2] user-vlan 1 2 qinq 100
[*HUAWEI-GigabitEthernet0/1/2.2-vlan-1-2-QinQ-100-100] commit
[~HUAWEI-GigabitEthernet0/1/2.2-vlan-1-2-QinQ-100-100] quit

# Configure a BAS interface.


[~HUAWEI-GigabitEthernet0/1/2.2] bas
[*HUAWEI-GigabitEthernet0/1/2.2-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/2.2-bas] default-domain authentication isp1
[*HUAWEI-GigabitEthernet0/1/2.2-bas] authentication-method bind
[*HUAWEI-GigabitEthernet0/1/2.2-bas] commit
[~HUAWEI-GigabitEthernet0/1/2.2-bas] quit
[~HUAWEI-GigabitEthernet0/1/2.2] quit

# Configure an upstream interface.


[~HUAWEI] interface GigabitEthernet 0/1/1
[*HUAWEI-GigabitEthernet0/1/1] ip address 192.168.7.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit

Step 6 Verify the configuration.


After the configuration is complete, run the display access-user domain command to view
information about the online users in the domain.
<HUAWEI> display access-user domain isp1
------------------------------------------------------------------------------
UserID  Username    Interface  IP address  MAC             IPv6 address
------------------------------------------------------------------------------
20      user1@isp1  GE0/1/2.2  10.82.0.5   0002-0101-0101  -
21      user2@isp1  GE0/1/2.2  10.82.0.6   0002-0101-0102  -
------------------------------------------------------------------------------
Total users : 2
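Checking the verification output by eye works for two users; in operation it is worth parsing it and auditing every session against what the domain should allow. The following script is an added example, not Huawei code: it parses the Step 6 output (embedded here as a constructed string) and flags sessions whose address lies outside the pool section configured in Step 3, that sit on an interface other than the BAS interface, or that do not carry the expected domain suffix. The whitespace-separated column layout is assumed from the printout above and may differ on other releases.

```python
"""Parse the `display access-user domain` output shown in Step 6 and audit the
online sessions against the pool section, BAS interface and domain suffix.

Added example, not Huawei code.  SAMPLE is the page's Step 6 output embedded
as a constructed string; the column layout is assumed from that printout.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE = """\
<HUAWEI> display access-user domain isp1
------------------------------------------------------------------------------
UserID  Username    Interface  IP address  MAC             IPv6 address
------------------------------------------------------------------------------
20      user1@isp1  GE0/1/2.2  10.82.0.5   0002-0101-0101  -
21      user2@isp1  GE0/1/2.2  10.82.0.6   0002-0101-0102  -
------------------------------------------------------------------------------
Total users : 2
"""

# UserID, user name, interface, IPv4 address, MAC in Huawei xxxx-xxxx-xxxx form,
# IPv6 address or "-".  Header and separator lines do not start with digits.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                 r"([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+(\S+)\s*$")
TOTAL = re.compile(r"Total users\s*:\s*(\d+)")


def parse_access_users(text: str) -> List[Dict[str, str]]:
    """Return one dict per session row.  Output whose row count disagrees with
    the 'Total users' line (truncated or paged capture) is rejected."""
    users = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            uid, name, ifname, ip, mac, ip6 = m.groups()
            users.append({"id": uid, "user": name, "interface": ifname,
                          "ip": ip, "mac": mac.lower(), "ipv6": ip6})
    t = TOTAL.search(text)
    if t is None or int(t.group(1)) != len(users):
        raise ValueError("row count does not match the 'Total users' line")
    return users


def audit(users: List[Dict[str, str]], pool_first: str, pool_last: str,
          bas_interface: str, domain: str) -> List[str]:
    """List sessions that deviate from the expected pool section, interface
    or domain; an empty list means every session is where it should be."""
    lo = int(ipaddress.IPv4Address(pool_first))
    hi = int(ipaddress.IPv4Address(pool_last))
    findings = []
    for u in users:
        if not lo <= int(ipaddress.IPv4Address(u["ip"])) <= hi:
            findings.append(f"{u['user']}: {u['ip']} outside pool section")
        if u["interface"] != bas_interface:
            findings.append(f"{u['user']}: on {u['interface']}, expected {bas_interface}")
        if not u["user"].endswith("@" + domain):
            findings.append(f"{u['user']}: not in domain {domain}")
    return findings


if __name__ == "__main__":
    sessions = parse_access_users(SAMPLE)
    # Pool pool1 section 0 is 10.82.0.2 to 10.82.0.200 on the BAS interface GE0/1/2.2.
    for line in audit(sessions, "10.82.0.2", "10.82.0.200", "GE0/1/2.2", "isp1") or ["ok"]:
        print(line)
```

A session whose address is outside the pool section points at a static or manually assigned address the domain did not hand out, and a session on an unexpected interface points at a user arriving through a BAS interface that was not meant to serve this domain; both are worth a look before the accounting records are trusted.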

----End

Configuration Files
#
sysname HUAWEI
#
radius-server group rd1
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server shared-key-cipher %^%#clY:%[]x='-RMNJus[s/VJ:3YBq3<..|.{'xgbp+%^%
#
interface GigabitEthernet0/1/2.2
user-vlan 1 2 qinq 100
bas
access-type layer2-subscriber default-domain authentication isp1
authentication-method bind
#
interface GigabitEthernet0/1/1
ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
gateway 10.82.0.1 255.255.255.0
section 0 10.82.0.2 10.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
#
return

9.9.6 Example for Configuring Local Authentication for Static Users
This section provides an example for configuring local authentication for static users,
including the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
The networking is shown in Figure 9-8. The requirements are as follows:

- The user accesses the Internet as a static user through GE 2/0/0.1 on the Router, and the
IP address of the user is 172.192.0.8.
- The user adopts local authentication.
- The system uses the IP address carried in the user packet as the user name.

Figure 9-8 Networking for configuring local authentication for static users
NOTE

Interfaces 1 through 2 in this example are GE 0/1/0, GE 0/2/0.1, respectively.

[Figure: static user - interface2 - Device - interface1 (192.168.8.1) - Internet]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an authentication scheme.
2. Configure an address pool.
3. Configure an authentication domain.
4. Configure a BAS interface and an upstream interface.
5. Configure a static user.

Data Preparation
To complete the configuration, you need the following data:

- Authentication template name and authentication mode
- IP address pool name, gateway address, and DNS server address
- Domain name
- BAS interface parameters

Procedure
Step 1 Configure an authentication scheme.
[*HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme local
[*HUAWEI-aaa-authen-local] authentication-mode local
[*HUAWEI-aaa-authen-local] commit
[~HUAWEI-aaa-authen-local] quit

Step 2 Configure the user name format and password.
[*HUAWEI-aaa] default-user-name include ip-address .
[*HUAWEI-aaa] default-password cipher Root@123
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 3 Configure a local account.
[*HUAWEI] local-aaa-server
[*HUAWEI-local-aaa-server] user 172.192.0.8@isp1 password cipher Root@123 authentication-type b
[*HUAWEI-local-aaa-server] commit
[~HUAWEI-local-aaa-server] quit

Step 4 Configure an address pool.
[*HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 172.192.0.1 255.255.255.0
[*HUAWEI-ip-pool-pool1] section 0 172.192.0.2 172.192.0.200
[*HUAWEI-ip-pool-pool1] excluded-ip-address 172.192.0.8
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit

Step 5 Configure a domain.
[*HUAWEI] aaa
[*HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme local
[*HUAWEI-aaa-domain-isp1] accounting-scheme default0
[*HUAWEI-aaa-domain-isp1] ip-pool pool1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit

Step 6 Configure a BAS interface.
[*HUAWEI] interface GigabitEthernet 2/0/0.1
[*HUAWEI-GigabitEthernet2/0/0.1] user-vlan 2005 qinq 510
[*HUAWEI-GigabitEthernet2/0/0.1-vlan-2005-2005-QinQ-510-510] commit
[~HUAWEI-GigabitEthernet2/0/0.1-vlan-2005-2005-QinQ-510-510] quit
[*HUAWEI-GigabitEthernet2/0/0.1] bas
[*HUAWEI-GigabitEthernet2/0/0.1-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet2/0/0.1-bas] authentication-method bind
[*HUAWEI-GigabitEthernet2/0/0.1-bas] default-domain authentication isp1
[*HUAWEI-GigabitEthernet2/0/0.1-bas] ip-trigger
[*HUAWEI-GigabitEthernet2/0/0.1-bas] arp-trigger
[*HUAWEI-GigabitEthernet2/0/0.1-bas] commit
[~HUAWEI-GigabitEthernet2/0/0.1-bas] quit
[~HUAWEI-GigabitEthernet2/0/0.1] quit

Step 7 Configure a static user.
[*HUAWEI] static-user 172.192.0.8 interface GigabitEthernet 2/0/0.1 user-vlan 2005 qinq 510 detect

Step 8 Configure an upstream interface.
[*HUAWEI] interface GigabitEthernet 1/0/0
[*HUAWEI-GigabitEthernet1/0/0] ip address 192.168.8.1 255.255.255.0

Step 9 Run commit
The configuration is committed.

Step 10 Verify the configuration.
After the configuration is complete, you can run the display access-user domain command to
view information about the online users in the domain.
<HUAWEI> display access-user domain isp1
------------------------------------------------------------------------------
UserID Username Interface IP address MAC
IPv6 address
------------------------------------------------------------------------------
20 172.192.0.8@isp1 GE2/0/0.1 172.192.0.8
0002-0101-0101
-
------------------------------------------------------------------------------
Total users : 1

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.8.1 255.255.255.0
#
interface GigabitEthernet2/0/0.1
user-vlan 2005 qinq 510
bas
access-type layer2-subscriber default-domain authentication isp1
ip-trigger
arp-trigger
authentication-method bind
#
ip pool pool1 bas local
gateway 172.192.0.1 255.255.255.0
section 0 172.192.0.2 172.192.0.200
excluded-ip-address 172.192.0.8
#
aaa
default-user-name include ip-address .
default-password cipher %^%#oNUw%i-|"WcBgt8=fSVID7F<=K_N+.(ip[H\:a{D%^%#
authentication-scheme local
authentication-mode local
domain isp1
authentication-scheme local
accounting-scheme default0
ip-pool pool1
#
local-aaa-server
user 172.192.0.8@isp1 password cipher $1a$7WxAIDb{r+$*F~n0B"*M>+CPC@j
authentication-type b
#
static-user 172.192.0.8 172.192.0.8 interface GigabitEthernet2/0/0.1 user-vlan 2005 qinq 510 detect
#
return
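As an added consistency check for the static-user configuration above (example code written for this page, not Huawei software), the following Python script parses the configuration file shown above, embedded here as a string, and verifies the invariants the example depends on: the static user's address lies in the pool's gateway subnet; an address that falls inside a dynamic allocation section is excluded from allocation, so the pool cannot hand the same address to a dynamic user; and a local-aaa-server account exists under the name the device derives from the IP address (ip-address@domain, per the default-user-name include ip-address setting). Which invariants to check, and the `$1a$PLACEHOLDER` text in place of the page's cipher value, are assumptions of this example.

```python
import ipaddress
import re

# Constructed from the configuration file above; the password cipher text is a
# placeholder, not the value shown on the page.
CONFIG = """\
#
ip pool pool1 bas local
 gateway 172.192.0.1 255.255.255.0
 section 0 172.192.0.2 172.192.0.200
 excluded-ip-address 172.192.0.8
#
aaa
 default-user-name include ip-address .
 domain isp1
  authentication-scheme local
  ip-pool pool1
#
local-aaa-server
 user 172.192.0.8@isp1 password cipher $1a$PLACEHOLDER authentication-type b
#
static-user 172.192.0.8 172.192.0.8 interface GigabitEthernet2/0/0.1 user-vlan 2005 qinq 510 detect
#
"""

# Same configuration with the excluded-ip-address line removed: the pool could
# then allocate 172.192.0.8 dynamically while the static user also holds it.
BROKEN_CONFIG = CONFIG.replace(" excluded-ip-address 172.192.0.8\n", "")


def parse_pools(text):
    """Return {pool name: {"gateway": network, "sections": [(lo, hi)], "excluded": {ip}}}."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
            continue
        if m := re.match(r"ip pool (\S+) bas local$", line):
            current = pools.setdefault(m.group(1), {"gateway": None, "sections": [], "excluded": set()})
            continue
        if current is None:
            continue
        if m := re.match(r"gateway (\S+) (\S+)$", line):
            # gateway address plus mask; strict=False derives the network from the host address
            current["gateway"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"section \d+ (\S+) (\S+)$", line):
            current["sections"].append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
        elif m := re.match(r"excluded-ip-address (\S+)$", line):
            current["excluded"].add(ipaddress.ip_address(m.group(1)))
    return pools


def parse_domain_pools(text):
    """Return {domain name: ip-pool name} from the aaa block."""
    pools, domain = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"domain (\S+)$", line):
            domain = m.group(1)
        elif domain and (m := re.match(r"ip-pool (\S+)$", line)):
            pools[domain] = m.group(1)
        elif line == "#":
            domain = None
    return pools


def parse_static_users(text):
    """Return [(first ip, last ip, interface)] from static-user lines."""
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b), iface)
            for a, b, iface in re.findall(r"^static-user (\S+) (\S+) interface (\S+)", text, re.M)]


def parse_local_accounts(text):
    """Return the set of user names configured under local-aaa-server."""
    return set(re.findall(r"^\s*user (\S+) password ", text, re.M))


def check_static_users(text, domain):
    """Return a list of findings; an empty list means the static-user setup is consistent."""
    findings = []
    pool = parse_pools(text).get(parse_domain_pools(text).get(domain))
    if pool is None or pool["gateway"] is None:
        return [f"domain {domain} is not bound to an ip pool with a gateway"]
    accounts = parse_local_accounts(text)
    for first, last, iface in parse_static_users(text):
        ip = first
        while ip <= last:
            if ip not in pool["gateway"]:
                findings.append(f"{ip} on {iface}: outside gateway subnet {pool['gateway']}")
            in_section = any(lo <= ip <= hi for lo, hi in pool["sections"])
            if in_section and ip not in pool["excluded"]:
                findings.append(f"{ip} on {iface}: inside a dynamic section but not excluded")
            if f"{ip}@{domain}" not in accounts:
                findings.append(f"{ip} on {iface}: no local-aaa-server account {ip}@{domain}")
            ip += 1
    return findings


if __name__ == "__main__":
    print("example config:", check_static_users(CONFIG, "isp1") or "consistent")
    print("broken config: ", check_static_users(BROKEN_CONFIG, "isp1"))
```

Running the script against the example configuration yields no findings; against the copy without excluded-ip-address it reports that 172.192.0.8 sits inside a dynamic section without being excluded, which is the overlap an operator would otherwise only notice as an address conflict at login time.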

9.9.7 Example for Configuring MAC Authentication
This section provides an example for configuring MAC authentication.

Networking Requirements
On the network shown in Figure 9-9, a user in domain a enters a user name and password for
web authentication when going online for the first time. The RADIUS server automatically
records the MAC address of the user terminal and associates the user name and password with
the MAC address. On subsequent network access, the user goes online automatically without
entering the user name and password. If the user fails authentication, the user is redirected
to domain b. Users in domain b can access only a limited set of network addresses, such as
the web server address. If a user in domain b attempts to access an address outside that set,
the user is forcibly redirected to a specified web server, where the user must re-enter the
user name and password. After being authenticated, the user belongs to domain c and is able
to access network resources.

Figure 9-9 MAC authentication networking

[Figure: PC - Access network - Device - Internet, with Portal server and RADIUS server attached to the Device]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a MAC authentication domain named a, a pre-authentication domain named b,
and an authentication domain named c.
2. Configure AAA schemes.
3. Create a RADIUS server group named d, configure the hw-auth-type attribute in the
authentication request packets and convert the hw-auth-type attribute to the Huawei
proprietary No. 109 attribute in the RADIUS server group view.
4. Create an authentication template named e and configure the redirection domain for
authentication failures in the authentication template.
5. Enable MAC authentication in the MAC authentication domain a and bind the MAC
authentication domain a to the RADIUS server group d and authentication template e.
6. Bind non-authentication and non-accounting schemes to the pre-authentication domain
named b to allow users to have access only to limited resources and be redirected to a
specified web server.
7. Bind the RADIUS authentication and accounting schemes to the authentication domain
c.
8. Configure the device to use the MAC address carried in the access request packets as the
pure user name.
9. Configure a pre-authentication domain and an authentication domain on the BAS
interface.

Procedure
Step 1 Create a MAC authentication domain named a, a pre-authentication domain named b, and an
authentication domain named c.

# Create a MAC authentication domain named a, a pre-authentication domain named b, and
an authentication domain named c.
<Device> system-view
[*Device] aaa
[*Device-aaa] domain a
[*Device-aaa-domain-a] quit
[*Device-aaa] domain b
[*Device-aaa-domain-b] quit
[*Device-aaa] domain c
[*Device-aaa-domain-c] commit
[~Device-aaa-domain-c] quit
[~Device-aaa] quit

Step 2 Configure AAA schemes and RADIUS server groups.

# Create a RADIUS server group named d, configure the hw-auth-type attribute in the
authentication request packets and convert the hw-auth-type attribute to the Huawei
proprietary No. 109 attribute in the RADIUS server group view.
[*Device] radius-server group d
[*Device-radius-d] radius-server authentication 192.168.7.249 1812
[*Device-radius-d] radius-server accounting 192.168.7.249 1813
[*Device-radius-d] radius-server type standard
[*Device-radius-d] radius-server shared-key-cipher it-is-my-secret1
[*Device-radius-d] radius-attribute include hw-auth-type
[*Device-radius-d] radius-server attribute translate
[*Device-radius-d] radius-attribute translate extend hw-auth-type vendor-specific 2011 109 access-request account
[*Device-radius-d] commit
[~Device-radius-d] quit
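To make concrete what the radius-attribute translate extend ... vendor-specific 2011 109 command above produces on the wire, the following Python snippet (an added example, not Huawei code) encodes and decodes a RADIUS Vendor-Specific attribute in the RFC 2865 section 5.26 layout: attribute type 26, a 4-octet Vendor-Id (2011), then one vendor sub-attribute whose Vendor-Type is 109. The value format of HW-Auth-Type is not described on this page, so the 4-octet integer used here is an assumption for illustration, and the User-Name attribute in the usage block is constructed.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26     # RFC 2865 attribute type for Vendor-Specific
VENDOR_ID_HUAWEI = 2011       # as configured: vendor-specific 2011 109
VENDOR_TYPE_HW_AUTH_TYPE = 109


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single vendor sub-attribute."""
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor type must fit in one octet")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    payload = struct.pack("!I", vendor_id) + sub
    length = 2 + len(payload)               # type and length octets plus payload
    if length > 255:
        raise ValueError("attribute exceeds the 255-octet RADIUS limit")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, length) + payload


def decode_vsa(attr):
    """Parse a complete Vendor-Specific attribute into (vendor_id, [(vendor_type, value)])."""
    if len(attr) < 7:
        raise ValueError("Vendor-Specific attribute must be at least 7 octets")
    atype, alen = struct.unpack("!BB", attr[:2])
    if atype != ATTR_VENDOR_SPECIFIC or alen != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, off = [], 6
    while off < alen:
        if alen - off < 2:
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = struct.unpack("!BB", attr[off:off + 2])
        if vlen < 2 or off + vlen > alen:
            raise ValueError("vendor sub-attribute length out of range")
        subs.append((vtype, attr[off + 2:off + vlen]))
        off += vlen
    return vendor_id, subs


def hw_auth_type_vsa(auth_type):
    """Encode HW-Auth-Type as Huawei vendor-type 109; the 4-octet integer value is an assumption."""
    return encode_vsa(VENDOR_ID_HUAWEI, VENDOR_TYPE_HW_AUTH_TYPE, struct.pack("!I", auth_type))


def find_hw_auth_type(attributes):
    """Walk a RADIUS attribute byte string and return the HW-Auth-Type value, or None."""
    off = 0
    while off + 2 <= len(attributes):
        atype, alen = struct.unpack("!BB", attributes[off:off + 2])
        if alen < 2 or off + alen > len(attributes):
            raise ValueError("malformed attribute list")
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor_id, subs = decode_vsa(attributes[off:off + alen])
            if vendor_id == VENDOR_ID_HUAWEI:
                for vtype, value in subs:
                    if vtype == VENDOR_TYPE_HW_AUTH_TYPE and len(value) == 4:
                        return struct.unpack("!I", value)[0]
        off += alen
    return None


if __name__ == "__main__":
    # Constructed attribute list: User-Name (type 1) followed by the Huawei VSA.
    user_name = b"\x01" + bytes([2 + 14]) + b"0002-0101-0101"
    attrs = user_name + hw_auth_type_vsa(3)
    print(attrs.hex())
    print("HW-Auth-Type =", find_hw_auth_type(attrs))
```

The length checks in decode_vsa and find_hw_auth_type are the part worth keeping: a RADIUS server that skips them can be made to read past the end of a packet by a truncated or oversized Vendor-Length, so every attribute and sub-attribute is bounds-checked before its value is sliced.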

# Create a RADIUS server group named rd2.
[*Device] radius-server group rd2
[*Device-radius-rd2] radius-server authentication 192.168.8.249 1812
[*Device-radius-rd2] radius-server accounting 192.168.8.249 1813
[*Device-radius-rd2] radius-server type standard
[*Device-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
[*Device-radius-rd2] commit
[~Device-radius-rd2] quit

# Create an authentication template named e and configure the pre-authentication domain b as
the redirection domain for authentication failures in the authentication template e.
[*Device] aaa
[*Device-aaa] authentication-scheme e
[*Device-aaa-authen-e] authening authen-fail online authen-domain b
[*Device-aaa-authen-e] commit
[~Device-aaa-authen-e] quit
[*Device] aaa
[*Device-aaa] authentication-scheme auth2
[*Device-aaa-authen-auth2] authentication-mode radius
[*Device-aaa-authen-auth2] commit
[~Device-aaa-authen-auth2] quit
[*Device-aaa] accounting-scheme acct2
[*Device-aaa-accounting-acct2] accounting-mode radius
[*Device-aaa-accounting-acct2] commit
[~Device-aaa-accounting-acct2] quit
[~Device-aaa] quit
[*Device] aaa
[*Device-aaa] authentication-scheme auth3
[*Device-aaa-authen-auth3] authentication-mode none
[*Device-aaa-authen-auth3] commit
[~Device-aaa-authen-auth3] quit

# Configure an accounting scheme named acct3, with non-accounting.
[*Device-aaa] accounting-scheme acct3
[*Device-aaa-accounting-acct3] accounting-mode none
[*Device-aaa-accounting-acct3] commit
[~Device-aaa-accounting-acct3] quit
[~Device-aaa] quit

Step 3 Configure an address pool.
[*Device] ip pool pool2 bas local
[*Device-ip-pool-pool2] gateway 172.16.1.1 255.255.255.0
[*Device-ip-pool-pool2] section 0 172.16.1.2 172.16.1.200
[*Device-ip-pool-pool2] dns-server 192.168.8.252
[*Device-ip-pool-pool2] commit
[~Device-ip-pool-pool2] quit

Step 4 Enable MAC authentication in the MAC authentication domain a and bind the MAC
authentication domain a to the RADIUS server group d and authentication template e.
[*Device-aaa] domain a
[*Device-aaa-domain-a] radius-server group d
[*Device-aaa-domain-a] authentication-scheme e
[*Device-aaa-domain-a] accounting-scheme acct2
[*Device-aaa-domain-a] ip-pool pool2
[*Device-aaa-domain-a] mac-authentication enable
[*Device-aaa-domain-a] commit
[~Device-aaa-domain-a] quit

Step 5 Bind non-authentication and non-accounting schemes to the pre-authentication domain named
b to allow users to have access only to limited resources and be redirected to a specified web
server.
[*Device] user-group web-before
[*Device] aaa
[*Device-aaa] http-redirect enable
[*Device-aaa] domain b
[*Device-aaa-domain-b] authentication-scheme auth3
[*Device-aaa-domain-b] accounting-scheme acct3
[*Device-aaa-domain-b] ip-pool pool2
[*Device-aaa-domain-b] user-group web-before
[*Device-aaa-domain-b] web-server 192.168.8.251
[*Device-aaa-domain-b] web-server url http://192.168.8.251

# Configure a web authentication server.
[*Device] web-auth-server 192.168.8.251 key webvlan

# Configure ACL rules.
[*Device] acl number 6004
[*Device-acl-ucl-6004] rule 3 permit ip source user-group web-before destination user-group web-before
[*Device-acl-ucl-6004] rule 5 permit ip source user-group web-before destination ip-address any
[*Device-acl-ucl-6004] commit
[~Device-acl-ucl-6004] quit
[*Device] acl number 6005
[*Device-acl-ucl-6005] rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
[*Device-acl-ucl-6005] rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
[*Device-acl-ucl-6005] rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
[*Device-acl-ucl-6005] rule 20 permit ip source ip-address 192.168.8.252 0 0 destination user-group web-before
[*Device-acl-ucl-6005] rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
[*Device-acl-ucl-6005] rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
[*Device-acl-ucl-6005] commit
[~Device-acl-ucl-6005] quit
[*Device] acl number 6006
[*Device-acl-ucl-6006] rule 5 permit ip destination user-group web-before
[*Device-acl-ucl-6006] commit
[~Device-acl-ucl-6006] quit
[*Device] acl number 6008
[*Device-acl-ucl-6008] rule 5 permit tcp source user-group web-before destination-port eq www
[*Device-acl-ucl-6008] rule 10 permit tcp source user-group web-before destination-port eq 8080
[*Device-acl-ucl-6008] commit
[~Device-acl-ucl-6008] quit
[*Device] acl number 6010
[*Device-acl-ucl-6010] commit
[~Device-acl-ucl-6010] quit

# Configure traffic policies.
[*Device] traffic classifier web-out
[*Device-classifier-web-out] if-match acl 6006
[*Device-classifier-web-out] commit
[~Device-classifier-web-out] quit
[*Device] traffic classifier web-be-permit
[*Device-classifier-web-be-permit] if-match acl 6005
[*Device-classifier-web-be-permit] commit
[~Device-classifier-web-be-permit] quit
[*Device] traffic classifier http-before
[*Device-classifier-http-before] if-match acl 6010
[*Device-classifier-http-before] commit
[~Device-classifier-http-before] quit
[*Device] traffic classifier web-be-deny
[*Device-classifier-web-be-deny] if-match acl 6004
[*Device-classifier-web-be-deny] commit
[~Device-classifier-web-be-deny] quit
[*Device] traffic classifier redirect
[*Device-classifier-redirect] if-match acl 6008
[*Device-classifier-redirect] commit
[~Device-classifier-redirect] quit
[*Device] traffic behavior http-discard
[*Device-behavior-http-discard] car cir 0 cbs 0 green pass red discard
[*Device-behavior-http-discard] commit
[~Device-behavior-http-discard] quit
[*Device] traffic behavior web-out
[*Device-behavior-web-out] deny
[*Device-behavior-web-out] commit
[~Device-behavior-web-out] quit
[*Device] traffic behavior perm1
[*Device-behavior-perm1] permit
[*Device-behavior-perm1] commit
[~Device-behavior-perm1] quit
[*Device] traffic behavior deny1
[*Device-behavior-deny1] deny
[*Device-behavior-deny1] commit
[~Device-behavior-deny1] quit
[*Device] traffic behavior redirect
[*Device-behavior-redirect] http-redirect plus
[*Device-behavior-redirect] commit
[~Device-behavior-redirect] quit
[*Device] traffic policy web-out
[*Device-policy-web-out] share-mode
[*Device-policy-web-out] classifier web-be-permit behavior perm1
[*Device-policy-web-out] classifier web-out behavior web-out
[*Device-policy-web-out] commit
[~Device-policy-web-out] quit
[*Device] traffic policy web
[*Device-policy-web] share-mode
[*Device-policy-web] classifier web-be-permit behavior perm1
[*Device-policy-web] classifier http-before behavior http-discard
[*Device-policy-web] classifier redirect behavior redirect
[*Device-policy-web] classifier web-be-deny behavior deny1
[*Device-policy-web] commit
[~Device-policy-web] quit

# Apply the traffic policies in the system view.
[*Device] traffic-policy web inbound
[*Device] traffic-policy web-out outbound
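The walled garden that the pre-authentication domain b provides depends on the order in which traffic policy web consults its classifiers. As an added example (not Huawei code), the following Python model encodes the UCL rules of ACLs 6004, 6005, 6008 and 6010 above and evaluates constructed packets from a host in user-group web-before. It assumes that the first classifier whose ACL matches decides the behavior, and the sample hosts 172.16.1.50 and 198.51.100.10 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

WEB_SERVER = ipaddress.ip_address("192.168.8.251")
DNS_SERVER = ipaddress.ip_address("192.168.8.252")
LOOPBACK = ipaddress.ip_address("127.0.0.1")


@dataclass
class Packet:
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address
    proto: str                        # "tcp", "udp", ...
    dport: Optional[int] = None
    src_group: Optional[str] = None   # user-group of the source, if it is a BAS user
    dst_group: Optional[str] = None


# Matchers for the source and destination terms of a UCL rule.
def user_group(name):
    return lambda group, ip: group == name


def host(addr):
    return lambda group, ip: ip == addr


def anywhere(group, ip):
    return True


# ACL rules from the example: (protocol, source matcher, destination matcher, dport)
ACLS = {
    6004: [("ip", user_group("web-before"), user_group("web-before"), None),
           ("ip", user_group("web-before"), anywhere, None)],
    6005: [("ip", user_group("web-before"), host(WEB_SERVER), None),
           ("ip", host(WEB_SERVER), user_group("web-before"), None),
           ("ip", user_group("web-before"), host(DNS_SERVER), None),
           ("ip", host(DNS_SERVER), user_group("web-before"), None),
           ("ip", user_group("web-before"), host(LOOPBACK), None),
           ("ip", host(LOOPBACK), user_group("web-before"), None)],
    6008: [("tcp", user_group("web-before"), anywhere, 80),
           ("tcp", user_group("web-before"), anywhere, 8080)],
    6010: [],   # empty in the example, so classifier http-before never matches
}


def acl_matches(acl_id, p):
    """True if any rule of the ACL permits (i.e. classifies) packet p."""
    for proto, src, dst, dport in ACLS[acl_id]:
        if proto != "ip" and proto != p.proto:
            continue
        if dport is not None and p.dport != dport:
            continue
        if src(p.src_group, p.src_ip) and dst(p.dst_group, p.dst_ip):
            return True
    return False


# traffic policy web (inbound): classifier ACL -> behavior, in the configured order.
POLICY_WEB = [(6005, "permit"), (6010, "discard"), (6008, "http-redirect"), (6004, "deny")]
# Same bindings with web-be-deny consulted first, to show why the order matters.
POLICY_WEB_DENY_FIRST = [(6004, "deny"), (6005, "permit"), (6010, "discard"), (6008, "http-redirect")]


def evaluate(p, policy=POLICY_WEB):
    """Return the behavior applied to p, or 'forward' if no classifier matches."""
    for acl_id, behavior in policy:
        if acl_matches(acl_id, p):
            return behavior
    return "forward"


# Constructed traffic from a pre-authentication user at 172.16.1.50 (inside pool2).
USER = ipaddress.ip_address("172.16.1.50")
OUTSIDE = ipaddress.ip_address("198.51.100.10")
USER_TO_PORTAL = Packet(USER, WEB_SERVER, "tcp", 443, src_group="web-before")
USER_TO_DNS = Packet(USER, DNS_SERVER, "udp", 53, src_group="web-before")
USER_HTTP_OUT = Packet(USER, OUTSIDE, "tcp", 80, src_group="web-before")
USER_HTTPS_OUT = Packet(USER, OUTSIDE, "tcp", 443, src_group="web-before")

if __name__ == "__main__":
    for name, p in [("portal", USER_TO_PORTAL), ("dns", USER_TO_DNS),
                    ("http out", USER_HTTP_OUT), ("https out", USER_HTTPS_OUT)]:
        print(f"{name:10s} {evaluate(p):14s} deny-first: {evaluate(p, POLICY_WEB_DENY_FIRST)}")
```

With the configured order, traffic to the web server and DNS server is permitted, HTTP to any other destination is redirected to the portal, and everything else from the group is dropped; with web-be-deny moved to the front, ACL 6004 rule 5 swallows the HTTP traffic before the redirect classifier sees it and the portal never appears to the user. The model covers only the inbound policy web; the share-mode semantics and the outbound policy web-out are not represented.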

Step 6 Bind the RADIUS authentication and accounting schemes to the authentication domain c.
[*Device-aaa] domain c
[*Device-aaa-domain-c] authentication-scheme auth2
[*Device-aaa-domain-c] accounting-scheme acct2
[*Device-aaa-domain-c] radius-server group rd2
[*Device-aaa-domain-c] commit
[~Device-aaa-domain-c] quit
[~Device-aaa] quit

Step 7 Configure the device to use the MAC address carried in the access request packets as the pure
user name.
[*Device-aaa] default-user-name include mac-address -
[*Device-aaa] default-password cipher Root@123
[*Device-aaa] commit
[~Device-aaa] quit

Step 8 Configure a pre-authentication domain, an authentication domain, and an authentication
method on the BAS interface.
[*Device] interface GigabitEthernet0/1/2
[*Device-GigabitEthernet0/1/2] bas
[*Device-GigabitEthernet0/1/2-bas] access-type layer2-subscriber default-domain pre-authentication a authentication c
[*Device-GigabitEthernet0/1/2-bas] authentication-method web

Step 9 Run commit
The configuration is committed.

----End

Configuration Files
#
sysname Device
#
user-group web-before
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher %$%$8;fLT*OW4VX|#9Dr(Gl!}M%4%$%$
#
radius-server group d
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server shared-key-cipher %$%$8;fLT*OW4VX|#9Dr(Gl!}M%4%$%$
radius-server attribute translate
radius-attribute include HW-Auth-Type
radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account
#
acl number 6004
rule 3 permit ip source user-group web-before destination user-group wlan
rule 5 permit ip source user-group web-before destination ip-address any
#
acl number 6005
rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
rule 20 permit ip source ip-address 192.168.8.252 0 0 destination user-group web-before
rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
#
acl number 6006
rule 5 permit ip destination user-group web-before
#
acl number 6008
rule 5 permit tcp source user-group web-before destination-port eq www
rule 10 permit tcp source user-group web-before destination-port eq 8080
#
acl number 6010
#
traffic classifier web-out operator or
if-match acl 6006
traffic classifier web-be-permit operator or
if-match acl 6005
traffic classifier http-before operator or
if-match acl 6010
traffic classifier web-be-deny operator or
if-match acl 6004
traffic classifier redirect operator or
if-match acl 6008
#
traffic behavior http-discard
car cir 0 cbs 0 green pass red discard
traffic behavior web-out
deny
traffic behavior perm1
traffic behavior deny1
deny
traffic behavior redirect
http-redirect
#
traffic policy web-out
share-mode
classifier web-be-permit behavior perm1
classifier web-out behavior web-out
traffic policy web
share-mode
classifier web-be-permit behavior perm1
classifier http-before behavior http-discard
classifier redirect behavior redirect
classifier web-be-deny behavior deny1
#
ip pool pool2 bas local
gateway 172.16.1.1 255.255.255.0
section 0 172.16.1.2 172.16.1.200
dns-server 192.168.8.252
#
aaa
http-redirect enable
default-user-name include mac-address -
default-password cipher %^%#oNUw%i-|"WcBgt8=fSVID7F<=K_N+.(ip[H\:a{D%^%#
authentication-scheme auth2
authentication-scheme auth3
authentication-mode none
authentication-scheme e
authening authen-fail online authen-domain b
#
accounting-scheme acct2
accounting-scheme acct3
accounting-mode none
#
domain a
authentication-scheme e
accounting-scheme e
radius-server group d
ip-pool pool2
mac-authentication enable
domain b
authentication-scheme auth3
accounting-scheme acct3
ip-pool pool2
user-group web-before
web-server 192.168.8.251
web-server url http://192.168.8.251
web-server url-parameter

domain c
authentication-scheme auth2
accounting-scheme acct2
radius-server group rd2
#
interface GigabitEthernet0/1/2
bas
access-type layer2-subscriber default-domain pre-authentication a authentication c
authentication-method web
#
traffic-policy web inbound
traffic-policy web-out outbound

9.9.8 Example for Configuring the IPoE Access Service by Using ND
This section provides an example for configuring the IPv6 access service by using ND,
including the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
The networking is shown in Figure 9-10. The requirements are as follows:
- The user belongs to the domain isp6 and accesses the Internet by using GE 0/1/2 on the
NE40E in ND mode. Binding authentication is adopted.
- RADIUS authentication and RADIUS accounting are used.
- The IP address of the RADIUS server is 10.6.55.55. The authentication port number is
1645 and the accounting port number is 1646. The standard RADIUS protocol is
adopted. The shared key is it-is-my-secret1.
- The IP address of the DNS server is 3001:0410::1:2.

Figure 9-10 Networking for configuring the IPv6 access service in ND mode
NOTE

Interfaces 1 and 2 in this example are GE 0/1/1, GE 0/1/2, respectively.

[Figure: subscriber@isp6 - Access Network - interface2 - Device - interface1 - Internet, with DNS server and RADIUS server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AAA schemes.
2. Configure a RADIUS server group.
3. Configure a delegation IPv6 prefix pool.
4. Configure a delegation IPv6 address pool and bind the address pool to the prefix pool.
5. Configure an AAA domain and bind the domain to the address pool.
6. Configure interfaces.

Data Preparation
To complete the configuration, you need the following data:
- Authentication template name and authentication method
- Accounting template name and accounting mode
- RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
- Local prefix pool name
- Prefix length and assignable IPv6 prefixes
- Local address pool name
- Domain name

Procedure
Step 1 Configure AAA schemes.
# Configure an authentication scheme.
[*HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth6
[*HUAWEI-aaa-authen-auth6] authentication-mode radius
[*HUAWEI-aaa-authen-auth6] commit
[~HUAWEI-aaa-authen-auth6] quit

# Configure an accounting scheme.
[*HUAWEI-aaa] accounting-scheme acct6
[*HUAWEI-aaa-accounting-acct6] accounting-mode radius
[*HUAWEI-aaa-accounting-acct6] commit
[~HUAWEI-aaa-accounting-acct6] quit
[~HUAWEI-aaa] quit

Step 2 Configure a RADIUS server group.
[*HUAWEI] radius-server group rd6
[*HUAWEI-radius-rd6] radius-server authentication 10.6.55.55 1645
[*HUAWEI-radius-rd6] radius-server accounting 10.6.55.55 1646
[*HUAWEI-radius-rd6] radius-server type standard
[*HUAWEI-radius-rd6] radius-server shared-key-cipher it-is-my-secret1
[*HUAWEI-radius-rd6] commit
[~HUAWEI-radius-rd6] quit

Step 3 Configure a delegation prefix pool.
[*HUAWEI] ipv6 prefix pre1 delegation
[*HUAWEI-ipv6-prefix-pre1] prefix 2001:2421::/64
[*HUAWEI-ipv6-prefix-pre1] slaac-unshare-only
[*HUAWEI-ipv6-prefix-pre1] commit
[~HUAWEI-ipv6-prefix-pre1] quit

Step 4 Configure a user-side delegation address pool.
[*HUAWEI] ipv6 pool pool1 bas delegation
[*HUAWEI-ipv6-pool-pool1] prefix pre1
[*HUAWEI-ipv6-pool-pool1] dns-server 3001:0410::1:2
[*HUAWEI-ipv6-pool-pool1] commit
[~HUAWEI-ipv6-pool-pool1] quit

Step 5 Configure a domain named isp6.
[*HUAWEI] aaa
[*HUAWEI-aaa] domain isp6
[*HUAWEI-aaa-domain-isp6] authentication-scheme auth6
[*HUAWEI-aaa-domain-isp6] accounting-scheme acct6
[*HUAWEI-aaa-domain-isp6] radius-server group rd6
[*HUAWEI-aaa-domain-isp6] ipv6-pool pool1
[*HUAWEI-aaa-domain-isp6] prefix-assign-mode unshared
[*HUAWEI-aaa-domain-isp6] commit
[~HUAWEI-aaa-domain-isp6] quit
[~HUAWEI-aaa] quit

Step 6 Configure interfaces.
# Configure a BAS interface.
[*HUAWEI] interface GigabitEthernet 0/1/2
[*HUAWEI-GigabitEthernet0/1/2] bas
[*HUAWEI-GigabitEthernet0/1/2-bas] access-type layer2-subscriber default-domain authentication isp6
[*HUAWEI-GigabitEthernet0/1/2-bas] authentication-method-ipv6 bind
[*HUAWEI-GigabitEthernet0/1/2-bas] commit
[~HUAWEI-GigabitEthernet0/1/2-bas] quit

# Enable IPv6 on GE 0/1/2.
[*HUAWEI-GigabitEthernet0/1/2] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/2] ipv6 address auto link-local
[*HUAWEI-GigabitEthernet0/1/2] commit
[~HUAWEI-GigabitEthernet0/1/2] quit

# Configure an upstream interface.
[*HUAWEI] interface GigabitEthernet 0/1/1
[*HUAWEI-GigabitEthernet0/1/1] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/1] ipv6 address auto link-local
[*HUAWEI-GigabitEthernet0/1/1] ipv6 address 2001::/64 eui-64
[*HUAWEI-GigabitEthernet0/1/1] ipv6 address 3001::1/64

Step 7 Verify the configuration.

# Check information about the prefix pool named pre1. You can see that the prefix pool is a
delegation prefix pool and the prefix address is 2010:2021::/64.
<HUAWEI> display ipv6 prefix pre1
-------------------------------------------------------------
Prefix Name : pre1
Prefix Index : 4
Prefix constant index: -
Prefix Type : Delegation
Prefix Address : 2010:2021::
Prefix Length : 64
Reserved Type : NONE
Valid Lifetime : 3 Days 0 Hours 0 Minutes
Preferred Lifetime: 2 Days 0 Hours 0 Minutes
IfLocked : Unlocked
Vpn instance : -
Conflict address : -
Free Prefix Count : 262144
Used Prefix Count : 0
Reserved Prefix Count: 0
-------------------------------------------------------------

# Check information about the address pool named pool1. You can see that the address pool is
a local address pool at the user side and the address pool is bound to the prefix pool named
pre1.
<HUAWEI> display ipv6 pool pool1
----------------------------------------------------------------------
Pool name : pool1
Pool No : 4
Pool-constant-index :-
Pool type : BAS DELEGATION
Preference : 0
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : 0 Days 0 Hours 0 Minutes
Used by domain : 1
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : 3001:0410::1:2
Dns server slave : -
AFTR name : -
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 DELEGATION
----------------------------------------------------------------------

# Check information about the domain named isp6. You can see that the domain is bound to
the IPv6 address pool named pool1.
<HUAWEI> display domain isp6
------------------------------------------------------------------------------
Domain-name : isp6
Domain-state : Active
Authentication-scheme-name : auth6
Accounting-scheme-name : acct6
Authorization-scheme-name : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-DNS-IPV6-address : -
Second-DNS-IPV6-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Time-range : Disable
Idle-cut direction : Both
Idle-data-attribute (time,flow) : 0, 60
User detect interval : 0s
User detect retransmit times : 0
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : DEFAULT
User-access-limit : 152576
Online-number : 0
Web-IP-address : -
Web-URL : -
Web-auth-server : -
Web-auth-state : -
Web-server-mode : get
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
Service-policy(Portal) : -
PPPoE-user-URL : Disable
AdminUser-priority : 16
IPUser-ReAuth-Time : 300s
mscg-name-portal-key : -
Portal-user-first-url-key : -
User-session-limit : 4294967295
Ancp auto qos adapt : Disable
L2TP-group-name : -
User-lease-time-no-response : 0s
RADIUS-server-template : -
Two-acct-template : -
RADIUS-server-pre-template : -
-
-
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Qos-profile-name inbound : -
Qos-profile-name outbound : -

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IP-warning-threshold(Low) : -
IPv6-warning-threshold : -
IPv6-warning-threshold(Low) : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IPv6-Pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
IPv6-PPP-NDRA-halt : Disable
IPv6-PPP-NDRA-unicast : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
Reallocate-ip-address : Disable
Cui enable : Disable
Igmp enable : Enable
L2tp-user radius-force : Disable
Accounting dual-stack : Separate
Radius server domain-annex : -
Dhcp-option64-service : disable
Parse-separator : -
Parse-segment-value : -
Dhcp-receive-server-packet : -
Http-hostcar : Disable
Public-address assign-first : Disable
Public-address nat : Enable
Dhcp-user auto-save : Disable
IP-pool usage-status threshold : 255 , 255
Select-Pool-Rule : gateway + local priority
AFTR name : -
DAA Direction : both
------------------------------------------------------------------------------

----End

Configuration Files
l Router Configuration Files.
#
sysname HUAWEI
#
ipv6
#
radius-server group rd6
radius-server authentication 10.6.55.55 1645 weight 0
radius-server accounting 10.6.55.55 1646 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
interface Virtual-Template6
ppp authentication-mode pap
#
ipv6 prefix pre1 delegation
prefix 2010:2021::/64
slaac-unshare-only
#
ipv6 pool pool1 bas delegation
prefix pre1
dns-server 3001:0410::1:2
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme auth6
authentication-mode radius
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme acct6
accounting-mode radius
#
domain isp6
authentication-scheme auth6
accounting-scheme acct6
radius-server group rd6
ipv6-pool pool1
prefix-assign-mode unshared
#
interface GigabitEthernet0/1/2
pppoe-server bind Virtual-Template 6
ipv6 enable
ipv6 address auto link-local
bas
access-type layer2-subscriber default-domain authentication isp6
authentication-method bind
#
interface GigabitEthernet0/1/1
ipv6 enable
ipv6 address 2001::1/64 eui-64
ipv6 address 3001::1/64
ipv6 address auto link-local
#
return

9.9.9 Example for Configuring IPoEv6 Access Using Web Authentication
This section provides an example for configuring IPoEv6 access using web authentication.

Networking Requirements
On the IPoEv6 network shown in Figure 9-11, the subscriber belongs to the domain isp2. The
requirements are as follows:

l The subscriber accesses the Internet through GE 0/1/2 on Device A in IPoEv6 mode.
l The subscriber uses web authentication, and the web authentication server address is
192.168.8.251.

Figure 9-11 Configuring IPoEv6 access using web authentication
NOTE
Interface1 in this example is GE 0/1/2.
(Figure elements: subscriber@isp2, Interface1, DeviceA, Internet, web server, portal server.)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a local IPv6 address pool.
2. Configure a pre-authentication domain and an authentication domain for web authentication.
3. Configure a web authentication server and Device A's interface directly connecting to the web authentication server.
4. Configure UCL rules and a traffic policy.
5. Configure a BAS interface.

Data Preparation
To complete the configuration, you need the following data:
l IPv6 address pool name
l Domain name
l Web authentication server's IP address
l UCL rule numbers
l Traffic policy name
l BAS interface parameters

Procedure
Step 1 Configure a local IPv6 address pool.
# Configure Device A.
<DeviceA> system-view
[~DeviceA] ipv6 prefix prefix1
[*DeviceA-ipv6-prefix-prefix1] prefix 2000:2021::/64
[*DeviceA-ipv6-prefix-prefix1] commit
[~DeviceA-ipv6-prefix-prefix1] quit
[~DeviceA] ipv6 pool pool_local bas local
[~DeviceA-ipv6-pool-pool_local] prefix prefix1
[*DeviceA-ipv6-pool-pool_local] commit
[~DeviceA-ipv6-pool-pool_local] quit
[~DeviceA] dhcpv6 duid llt
[~DeviceA] commit

Step 2 Configure a domain.


# Configure the domain default0 as the pre-authentication domain for web authentication.
[~DeviceA] user-group web-before
[*DeviceA] commit
[~DeviceA] aaa
[~DeviceA-aaa] domain default0
[~DeviceA-aaa-domain-default0] user-group web-before
[*DeviceA-aaa-domain-default0] web-server url http://[2000::1]/portal/default.portal
[*DeviceA-aaa-domain-default0] web-server identical-url
[*DeviceA-aaa-domain-default0] ipv6-pool pool_local
[*DeviceA-aaa-domain-default0] authentication-scheme none
[*DeviceA-aaa-domain-default0] accounting-scheme none
[*DeviceA-aaa-domain-default0] commit
[~DeviceA-aaa-domain-default0] quit

# Configure the domain isp2 as the authentication domain for web authentication.
[~DeviceA-aaa] domain isp2
[~DeviceA-aaa-domain-isp2] authentication-scheme none
[*DeviceA-aaa-domain-isp2] accounting-scheme none
[*DeviceA-aaa-domain-isp2] commit
[~DeviceA-aaa-domain-isp2] quit
[~DeviceA-aaa] quit

Step 3 Configure a web authentication server and Device A's interface directly connecting to the web
authentication server.
[~DeviceA] web-auth-server 192.168.8.251 port 50100 key cipher Huawei
[*DeviceA] commit
[~DeviceA] interface gigabitethernet 0/1/2
[*DeviceA-GigabitEthernet0/1/2] ip address 192.168.8.250 24
[*DeviceA-GigabitEthernet0/1/2] commit

Step 4 Configure UCL rules and a traffic policy.


# Configure UCL rules.
[~DeviceA] acl ipv6 6200
[*DeviceA-acl6-ucl-6200] rule 5 permit tcp source user-group any destination ipv6-address 2000::1/64
[*DeviceA-acl6-ucl-6200] commit
[~DeviceA-acl6-ucl-6200] quit
[~DeviceA] acl ipv6 6300
[~DeviceA-acl6-ucl-6300] rule 5 permit tcp source user-group web-before destination-port eq www
[*DeviceA-acl6-ucl-6300] commit
[~DeviceA-acl6-ucl-6300] quit

# Configure a traffic policy.


[~DeviceA] traffic classifier web_permit
[~DeviceA-classifier-web_permit] if-match ipv6 acl 6200
[*DeviceA-classifier-web_permit] commit
[~DeviceA-classifier-web_permit] quit
[~DeviceA] traffic behavior web_permit
[~DeviceA-behavior-web_permit] permit
[*DeviceA-behavior-web_permit] commit
[~DeviceA-behavior-web_permit] quit
[~DeviceA] traffic classifier web_http-redirect
[~DeviceA-classifier-web_http-redirect] if-match ipv6 acl 6300
[*DeviceA-classifier-web_http-redirect] commit
[~DeviceA-classifier-web_http-redirect] quit
[~DeviceA] traffic behavior web_http-redirect
[~DeviceA-behavior-web_http-redirect] http-redirect
[*DeviceA-behavior-web_http-redirect] commit
[~DeviceA-behavior-web_http-redirect] quit
[~DeviceA] traffic policy web
[~DeviceA-policy-web] classifier web_permit behavior web_permit
[*DeviceA-policy-web] classifier web_http-redirect behavior web_http-redirect
[*DeviceA-policy-web] commit
[~DeviceA-policy-web] quit

# Apply the inbound traffic policy globally.
[~DeviceA] traffic-policy web inbound
[*DeviceA] commit

Step 5 Configure a BAS interface.


[~DeviceA] interface GigabitEthernet 0/1/2.1
[~DeviceA-GigabitEthernet0/1/2.1] user-vlan 1
[*DeviceA-GigabitEthernet0/1/2.1] ipv6 enable
[*DeviceA-GigabitEthernet0/1/2.1] ipv6 address auto link-local
[*DeviceA-GigabitEthernet0/1/2.1] ipv6 nd autoconfig managed-address-flag
[*DeviceA-GigabitEthernet0/1/2.1] commit
[~DeviceA-GigabitEthernet0/1/2.1] bas
[~DeviceA-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber default-domain pre-authentication default0 authentication isp2
[*DeviceA-GigabitEthernet0/1/2.1-bas] authentication-method-ipv6 web
[*DeviceA-GigabitEthernet0/1/2.1-bas] commit
[~DeviceA-GigabitEthernet0/1/2.1-bas] quit
[~DeviceA-GigabitEthernet0/1/2.1] quit

----End

Configuration Files
l Device A configuration file
#
sysname DeviceA
#
user-group web-before
#
ipv6 prefix prefix1
prefix 2000:2021::/64
#
ipv6 pool pool_local bas local
prefix prefix1
#
acl ipv6 number 6200
rule 5 permit tcp source user-group any destination ipv6-address 2000::1/64
#
acl ipv6 number 6300
rule 5 permit tcp source user-group web-before destination-port eq www
#
traffic classifier web_permit
if-match ipv6 acl 6200
traffic classifier web_http-redirect
if-match ipv6 acl 6300
#
traffic behavior web_permit
permit
traffic behavior web_http-redirect
http-redirect
#
traffic policy web
share-mode
classifier web_permit behavior web_permit
classifier web_http-redirect behavior web_http-redirect
#
aaa
#
domain default0
user-group web-before
web-server url http://[2000::1]/portal/default.portal
web-server identical-url
ipv6-pool pool_local
authentication-scheme none
accounting-scheme none
domain isp2
authentication-scheme none
accounting-scheme none
#
interface GigabitEthernet0/1/2
undo shutdown
ip address 192.168.8.250 24
#
interface GigabitEthernet0/1/2.1
user-vlan 1
ipv6 enable
ipv6 address auto link-local
ipv6 nd autoconfig managed-address-flag
bas
#
access-type layer2-subscriber default-domain pre-authentication default0 authentication isp2
authentication-method-ipv6 web
#
traffic-policy web inbound
#
web-auth-server 192.168.8.251 port 50100 key cipher Huawei
#
return

9.9.10 Example for Configuring the Dual-Stack Access Service by Using Web Authentication
This section provides an example for configuring the dual-stack access service by using Web
authentication, including the networking requirements, configuration roadmap, configuration
procedure, and configuration files.

Networking Requirements
The networking is shown in Figure 9-12. The requirements are as follows:
l The user belongs to the domain isp5 and accesses the Internet by using GE 0/1/2 on the
NE40E in Web authentication mode.
l RADIUS authentication and RADIUS accounting are used.
l The IP address of the RADIUS server is 10.6.55.55. The authentication port number is
1645 and the accounting port number is 1646. The standard RADIUS protocol is
adopted. The shared key is hello.
l The IP addresses of the two DNS servers are respectively 3001:0410::1:2 and 10.10.10.1.
l The IP address of the Web authentication server is 10.6.55.56 and the key is it-is-my-secret1.

Figure 9-12 Networking for configuring the dual-stack access service by using Web authentication
NOTE
Interfaces 1 and 2 in this example are GE0/1/1 and GE0/1/2, respectively.
(Figure elements: subscriber@isp5, Access Network, Device with interface2 on the user side and interface1 toward the Internet, DNS servers 3001:0410::1:2 and 10.10.10.1, RADIUS server 10.6.55.55, Web server 10.6.55.56.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AAA schemes.
2. Configure a Web authentication server.
3. Configure a RADIUS server group.
4. Configure an ACL to allow the user to access only the Web server before Web authentication is implemented.
5. Configure a local IPv4 address pool.
6. Configure a local IPv6 prefix pool.
7. Configure a local IPv6 address pool and bind the address pool to the prefix pool.
8. Configure a pre-authentication domain and an authentication domain for Web authentication.
9. Configure interfaces.

Data Preparation
To complete the configuration, you need the following data:
l Authentication template name and authentication mode
l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l Local prefix pool name
l Prefix length and assignable IPv6 prefixes
l Local address pool name
l Domain name

Procedure
Step 1 Configure AAA schemes.
# Configure an authentication scheme.
[*Device] aaa
[*Device-aaa] authentication-scheme auth5
[*Device-aaa-authen-auth5] authentication-mode radius
[*Device-aaa-authen-auth5] commit
[~Device-aaa-authen-auth5] quit

# Configure an accounting scheme.


[*Device-aaa] accounting-scheme acct5
[*Device-aaa-accounting-acct5] accounting-mode radius
[*Device-aaa-accounting-acct5] commit
[~Device-aaa-accounting-acct5] quit
[~Device-aaa] quit

Step 2 Configure a Web authentication server.


[*Device] web-auth-server 10.6.55.56 key cipher it-is-my-secret1

Step 3 Configure a RADIUS server group.


[*Device] radius-server group rd5
[*Device-radius-rd5] radius-server authentication 10.6.55.55 1645
[*Device-radius-rd5] radius-server accounting 10.6.55.55 1646
[*Device-radius-rd5] radius-server type standard
[*Device-radius-rd5] radius-server shared-key-cipher hello
[*Device-radius-rd5] commit
[~Device-radius-rd5] quit

Step 4 Configure an ACL to allow the user to access only the Web server before Web authentication
is implemented.
# Configure a user group.
[*Device] user-group huawei

# Configure ACL rules.
[*Device] acl 6000 match-order auto
[*Device-acl-ucl-6000] rule permit ip source user-group huawei destination ip-address 10.6.55.56 0.0.0.255
[*Device-acl-ucl-6000] rule deny ip source user-group huawei destination ip-address any
[*Device-acl-ucl-6000] commit
[~Device-acl-ucl-6000] quit

# Configure a traffic classifier.


[*Device] traffic classifier c1
[*Device-classifier-c1] if-match acl 6000
[*Device-classifier-c1] commit
[~Device-classifier-c1] quit

# Configure a traffic behavior.


[*Device] traffic behavior b1
[*Device-behavior-b1] permit
[*Device-behavior-b1] commit
[~Device-behavior-b1] quit

# Configure a traffic policy.


[*Device] traffic policy policy
[*Device-trafficpolicy-policy] classifier c1 behavior b1
[*Device-trafficpolicy-policy] commit
[~Device-trafficpolicy-policy] quit

# Apply the traffic policy globally.


[*Device] traffic-policy policy inbound
[*Device] traffic-policy policy outbound

Step 5 Configure a user-side local IPv4 address pool.


[*Device] ip pool pool2 bas local
[*Device-ip-pool-pool2] gateway 10.10.10.2 255.255.255.0
[*Device-ip-pool-pool2] section 0 10.10.10.3 10.10.10.100
[*Device-ip-pool-pool2] dns-server 10.10.10.1
[*Device-ip-pool-pool2] commit
[~Device-ip-pool-pool2] quit

Step 6 Configure a local IPv6 prefix pool.


[*Device] ipv6 prefix pre1 delegation
[*Device-ipv6-prefix-pre1] prefix 2001:2421::/48
[*Device-ipv6-prefix-pre1] slaac-unshare-only
[*Device-ipv6-prefix-pre1] commit
[~Device-ipv6-prefix-pre1] quit

Step 7 Configure a user-side local IPv6 address pool.


[*Device] ipv6 pool pool1 bas delegation
[*Device-ipv6-pool-pool1] prefix pre1
[*Device-ipv6-pool-pool1] dns-server 3001:0410::1:2
[*Device-ipv6-pool-pool1] commit
[~Device-ipv6-pool-pool1] quit

Step 8 Configure domains.


# Configure a pre-authentication domain named domain1.
[*Device] aaa
[*Device-aaa] domain domain1
[*Device-aaa-domain-domain1] prefix-assign-mode unshared
[*Device-aaa-domain-domain1] user-group huawei
[*Device-aaa-domain-domain1] ipv6-pool pool1
[*Device-aaa-domain-domain1] ip-pool pool2
[*Device-aaa-domain-domain1] web-server 10.6.55.56 3001::3
[*Device-aaa-domain-domain1] web-server url isp1.com
[*Device-aaa-domain-domain1] commit
[~Device-aaa-domain-domain1] quit

# Configure an authentication domain named isp5.


[*Device-aaa] domain isp5
[*Device-aaa-domain-isp5] authentication-scheme auth5
[*Device-aaa-domain-isp5] accounting-scheme acct5
[*Device-aaa-domain-isp5] radius-server group rd5
[*Device-aaa-domain-isp5] commit
[~Device-aaa-domain-isp5] quit
[~Device-aaa] quit

Step 9 Configure interfaces.


# Configure a BAS interface.
[*Device] interface GigabitEthernet 0/1/2
[*Device-GigabitEthernet0/1/2] bas
[*Device-GigabitEthernet0/1/2-bas] access-type layer2-subscriber default-domain pre-authentication domain1 authentication isp5
[*Device-GigabitEthernet0/1/2-bas] authentication-method web
[*Device-GigabitEthernet0/1/2-bas] authentication-method-ipv6 web
[*Device-GigabitEthernet0/1/2-bas] commit
[~Device-GigabitEthernet0/1/2-bas] quit

# Enable IPv6 on GE 0/1/2.


[*Device-GigabitEthernet0/1/2] ipv6 enable
[*Device-GigabitEthernet0/1/2] ipv6 address auto link-local
[*Device-GigabitEthernet0/1/2] commit
[~Device-GigabitEthernet0/1/2] quit

# Configure an upstream interface.


[*Device] interface GigabitEthernet 0/1/1
[*Device-GigabitEthernet0/1/1] ipv6 enable
[*Device-GigabitEthernet0/1/1] ipv6 address auto link-local
[*Device-GigabitEthernet0/1/1] ipv6 address 2001::/64 eui-64

Step 10 Verify the configuration.


# Check information about the address pool named pool2. You can see that the IP address of
pool2's gateway is 10.10.10.2, the IP address of the DNS server is 10.10.10.1, and addresses
in pool2 range from 10.10.10.3 to 10.10.10.100.
<HUAWEI> display ip pool name pool2
Pool-Name : pool2
Pool-No : 0
Pool-constant-index :-
Lease : 3 Days 0 Hours 0 Minutes
NetBois Type : N-Node
DNS-Suffix : -

DNS1 :10.10.10.1
Position : Local Status : Unlocked
Gateway : 10.10.10.2 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT(conflicted)
---------------------------------------------------------------------------
ID start end total used idle CFLCT disable reserved
---------------------------------------------------------------------------
0 10.10.10.3 10.10.10.100 98 0 98 0 0 0
---------------------------------------------------------------------------

# Check information about the prefix pool named pre1. You can see that the prefix pool is a
local prefix pool and the prefix address is 2010:2021::/64.
<HUAWEI> display ipv6 prefix pre1
------------------------------------------------------------------------------
Prefix Name : pre1
Prefix Index : 3
Prefix constant index: -
Prefix Type : DELEGATION
Prefix Address : 2001:2421::
Prefix Length : 48
Reserved Type : NONE
Valid Lifetime : 3 Days 0 Hours 0 Minutes
Preferred Lifetime : 2 Days 0 Hours 0 Minutes
IfLocked : Unlocked
Vpn instance : -
PD Prefix Len : 64
PD Prefix/C-DUID : -
slaac-unshare-only : TRUE
pd-unshare-only : FALSE
Free Prefix Count : 65536
Used Prefix Count : 0
Binded Prefix Count (Free): 0
Binded Prefix Count (Used): 0
Flexibly-Allocted Prefix Count: 0
Reserved Prefix Count: 0
Excluded Prefix Count: 0
------------------------------------------------------------------------------

# Check information about the address pool named pool1. You can see that the address pool is
a local address pool at the user side and the address pool is bound to the prefix pool named
pre1.
<HUAWEI> display ipv6 pool pool1
----------------------------------------------------------------------
Pool name : pool1
Pool No : 2
Pool-constant-index :-
Pool type : BAS DELEGATION
Preference : 255
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : infinite
Used by domain : 0
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : -
Dns server slave : -
AFTR name : -
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 DELEGATION
----------------------------------------------------------------------

# Check information about the domain named isp5. You can see that the domain is bound to
the IPv6 address pool named pool1 and the IPv4 address pool named pool2.
<HUAWEI> display domain isp5
------------------------------------------------------------------------------
Domain-name : isp5
Domain-state : Active
Authentication-scheme-name : auth5
Accounting-scheme-name : acct5
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
RADIUS-server-template : rd5
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IPv6-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IP-address-pool-name : pool2
IPv6-Pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
------------------------------------------------------------------------------

----End

Configuration Files
l Router Configuration Files
#
sysname Device
#
ipv6
#
user-group huawei
#
radius-server group rd5
radius-server authentication 10.6.55.55 1645 weight 0
radius-server accounting 10.6.55.55 1646 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
acl number 6000 match-order auto
rule 5 permit ip source user-group huawei destination ip-address 10.6.55.0 0.0.0.255
rule 10 deny ip source user-group huawei destination ip-address any
#
traffic classifier class1 operator or
traffic classifier c1 operator or
if-match acl 6000
#
traffic behavior database
traffic behavior b1
#
traffic policy policy
share-mode
classifier c1 behavior b1
#
interface Virtual-Template1
ppp authentication-mode chap
#
ip pool pool2 bas local
gateway 10.10.10.2 255.255.255.0
section 0 10.10.10.3 10.10.10.100
dns-server 10.10.10.1
#
ipv6 prefix pre1 delegation
prefix 2001:2421::/48
slaac-unshare-only
#
ipv6 pool pool1 bas delegation
dns-server 3001:410::1:2
prefix pre1
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme default
authentication-scheme auth5
authentication-mode radius
#
authorization-scheme default
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme default
accounting-scheme acct5
accounting-mode radius
#
domain domain1
prefix-assign-mode unshared
ip-pool pool2
ipv6-pool pool1
user-group huawei
web-server 10.6.55.56 3001::3
web-server url isp1.com
domain isp5
authentication-scheme auth5
accounting-scheme acct5
radius-server group rd5
#
interface GigabitEthernet0/1/2
undo shutdown
ipv6 enable
ipv6 address auto link-local
bas
#
access-type layer2-subscriber default-domain pre-authentication domain1 authentication isp5
authentication-method web
authentication-method-ipv6 web
#
interface GigabitEthernet0/1/1
undo shutdown
ipv6 enable
ipv6 address 2001::/64 eui-64
ipv6 address auto link-local
#
traffic-policy policy inbound
traffic-policy policy outbound
#
web-auth-server 10.6.55.56 port 50100 key cipher %^%#oNUw%i-|"WcBgt8=fSVID7F<=K_N+.(ip[H\:a{D%^%#
#
return
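Both web-authentication examples above (9.9.9 and 9.9.10) hinge on the same pairing on the BAS interface: a pre-authentication domain whose user-group is confined by UCL rules to the portal, and an authentication domain that users move into after portal login. The following Python audit is an added example, not Huawei code or output from this guide: a small hypothetical parser reads a VRP-style configuration (it assumes VRP's one-space-per-level indentation) and checks that pairing, flagging a pre-authentication domain with no user-group or with a user-group no UCL rule matches, a missing portal (web-server) entry, and an authentication domain whose scheme resolves to authentication mode none, as isp2 does in 9.9.9. The two sample configurations are constructed from the configuration files of those two examples.

```python
import re

# Constructed samples modeled on the 9.9.9 and 9.9.10 configuration files ('#' separators dropped).
SAMPLE_IPV6_WEB = """\
user-group web-before
acl ipv6 number 6300
 rule 5 permit tcp source user-group web-before destination-port eq www
aaa
 domain default0
  user-group web-before
  web-server url http://[2000::1]/portal/default.portal
  authentication-scheme none
 domain isp2
  authentication-scheme none
interface GigabitEthernet0/1/2.1
 bas
  access-type layer2-subscriber default-domain pre-authentication default0 authentication isp2
  authentication-method-ipv6 web
"""

SAMPLE_DUAL_STACK = """\
user-group huawei
acl number 6000 match-order auto
 rule 5 permit ip source user-group huawei destination ip-address 10.6.55.0 0.0.0.255
 rule 10 deny ip source user-group huawei destination ip-address any
aaa
 authentication-scheme auth5
  authentication-mode radius
 domain domain1
  user-group huawei
  web-server url isp1.com
 domain isp5
  authentication-scheme auth5
interface GigabitEthernet0/1/2
 bas
  access-type layer2-subscriber default-domain pre-authentication domain1 authentication isp5
  authentication-method web
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _children(lines, idx):
    """Sub-commands of lines[idx]: the lines that follow it with deeper indentation."""
    base, out = _indent(lines[idx]), []
    for ln in lines[idx + 1:]:
        if not ln.strip() or _indent(ln) <= base:
            break
        out.append(ln.strip())
    return out


def audit_web_auth(config):
    """Return findings on the web-authentication domain pairing (empty list = all checks pass)."""
    lines = config.splitlines()
    domains, scheme_mode, ucl_groups, bas_pairs = {}, {}, set(), []
    for i, raw in enumerate(lines):
        s, kids = raw.strip(), _children(lines, i)
        if m := re.match(r"domain (\S+)$", s):
            domains[m.group(1)] = kids  # domain name -> its sub-commands
        elif (m := re.match(r"authentication-scheme (\S+)$", s)) and kids:
            # A scheme definition has a body; the reference inside a domain has none.
            scheme_mode[m.group(1)] = next((k.split()[1] for k in kids
                                            if k.startswith("authentication-mode ")), "unknown")
        elif s.startswith("acl "):
            for rule in kids:  # user-groups that some UCL rule actually matches
                if g := re.search(r"source user-group (\S+)", rule):
                    ucl_groups.add(g.group(1))
        elif m := re.match(r"interface (\S+)$", s):
            for sub in kids:  # (interface, pre-authentication domain, authentication domain)
                if p := re.search(r"pre-authentication (\S+) authentication (\S+)", sub):
                    bas_pairs.append((m.group(1), p.group(1), p.group(2)))

    findings = []
    for iface, pre, auth in bas_pairs:
        body = domains.get(pre)
        if body is None:
            findings.append(f"{iface}: pre-authentication domain {pre} is not defined")
        else:
            group = next((k.split()[1] for k in body if k.startswith("user-group ")), None)
            if group is None:
                findings.append(f"{iface}: domain {pre} has no user-group, so no UCL rule can confine its users")
            elif group not in ucl_groups:
                findings.append(f"{iface}: user-group {group} of domain {pre} is matched by no UCL rule")
            if not any(k.startswith("web-server") for k in body):
                findings.append(f"{iface}: pre-authentication domain {pre} names no portal (web-server)")
        if auth not in domains:
            findings.append(f"{iface}: authentication domain {auth} is not defined")
        else:
            scheme = next((k.split()[1] for k in domains[auth]
                           if k.startswith("authentication-scheme ")), None)
            if scheme == "none" or scheme_mode.get(scheme) == "none":
                findings.append(f"{iface}: authentication domain {auth} uses authentication mode none; "
                                "web users are admitted without AAA verification, confirm this is intended")
    return findings
```

Run on the 9.9.9-style sample, the audit reports isp2's `authentication-scheme none`; the 9.9.10-style sample, whose isp5 binds the RADIUS scheme auth5, passes cleanly.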

9.9.11 Example for Configuring BRAS Access Through L2VPN Termination
This section provides an example for configuring BRAS access through L2VPN termination.

Networking Requirements
Router B uses OSPF to exchange traffic with Router A through interfaces on multiple boards
in load-balancing mode. Traffic from the same user may be sent from different boards. Router
B uses PBR to send traffic from the same user but different boards through the backplane to
the same authentication board for user authentication, as shown in Figure 9-13.
Requirements are as follows:
l Router A sends upstream traffic to different interfaces on Router B in load-balancing
mode.
l Router B adds all the inbound interfaces to an L2VPN and configures PBR. Then,
Router B routes all traffic from the same user to the specified next hop based on the
source IP address/VLAN ID/DSCP priority. The outbound interface of the next hop
directly connects to the BAS interface and resides on the same network segment as the
BAS interface.
l After user traffic arrives at the BAS interface and the user goes online, user forwarding
entries are delivered. Subsequent user traffic will then be authenticated and forwarded
based on these forwarding entries.
l Downstream traffic is forwarded through the BAS interface to the L2VPN domain based
on user forwarding entries.
l Router B then sends downstream traffic in the L2VPN domain to Router A along routes
(the traffic can be load-balanced). Then, Router A forwards the traffic to the user.

Figure 9-13 Configuring BRAS access through L2VPN termination

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure PBR to redirect user traffic to the primary and backup next hops. If the
primary next hop fails, traffic automatically switches to the backup next hop to trigger
the user to go online.
2. Configure user access interfaces A1 and A2.
3. Configure C1 and C2 IP addresses as the redirection next hop IP addresses.
4. Configure C1 and C2 as the primary and backup BAS interfaces for B1 and B2.
5. Interfaces A1, A2, B1, and B2 belong to the same L2VPN. Interfaces B1, B2, C1, and
C2 belong to the same network segment. If the PBR redirection next hop is C1 or C2,
traffic can be forwarded through B1 or B2.

Data Preparation
To complete the configuration, you need the following data:

l VE group number
l Local L2VPN name
l OSPF configurations
l Layer 2 user authentication mode, accounting mode, and authentication domain name
l Interface IP addresses

Configuration Procedure
1. Configure a local L2VPN.
Configure a local L2VPN on Router B and add A1, A2, B1, and B2 to this L2VPN.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance access
[*HUAWEI-vpn-instance-access] ipv4-family
[*HUAWEI-vpn-instance-access-af-ipv4] route-distinguisher 200:1
[*HUAWEI-vpn-instance-access-af-ipv4] vpn-target 111:1 both
[*HUAWEI-vpn-instance-access-af-ipv4] quit
[*HUAWEI-vpn-instance-access] quit

2. Configure PBR.
Configure PBR to redirect user traffic to the primary and backup next hops based on the
source IP address. If the primary next hop fails, traffic automatically switches to the
backup next hop to trigger the user to go online.
[~HUAWEI] acl 3000
[~HUAWEI-acl4-advance-3000] rule permit source 192.168.1.1 255.255.255.255
[~HUAWEI-acl4-advance-3000] quit
[~HUAWEI] traffic classifier class1
[*HUAWEI-classifier-class1] if-match acl 3000
[*HUAWEI-classifier-class1] quit
[*HUAWEI] traffic behavior behavior1
[*HUAWEI-behavior-behavior1] redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn access non-revertive
[*HUAWEI-behavior-behavior1] quit
[*HUAWEI] traffic policy loadbalance
[*HUAWEI-trafficpolicy-loadbalance] share-mode
[*HUAWEI-trafficpolicy-loadbalance] classifier class1 behavior behavior1
[*HUAWEI-trafficpolicy-loadbalance] quit

3. Configure user access interfaces A1 and A2.


[~HUAWEI] interface GigabitEthernet1/0/3.100
[*HUAWEI-GigabitEthernet1/0/3.100] vlan-type dot1q 100
[*HUAWEI-GigabitEthernet1/0/3.100] ip binding vpn-instance access
[*HUAWEI-GigabitEthernet1/0/3.100] ip address 192.168.111.1 255.255.255.0
[*HUAWEI-GigabitEthernet1/0/3.100] traffic-policy loadbalance inbound
[*HUAWEI-GigabitEthernet1/0/3.100] ospf enable 100 area 0.0.0.0
[*HUAWEI-GigabitEthernet1/0/3.100] quit
[~HUAWEI] interface GigabitEthernet2/2/7.100
[*HUAWEI-GigabitEthernet2/2/7.100] vlan-type dot1q 100
[*HUAWEI-GigabitEthernet2/2/7.100] ip binding vpn-instance access
[*HUAWEI-GigabitEthernet2/2/7.100] ip address 192.168.222.1 255.255.255.0
[*HUAWEI-GigabitEthernet2/2/7.100] traffic-policy loadbalance inbound
[*HUAWEI-GigabitEthernet2/2/7.100] ospf enable 100 area 0.0.0.0
[*HUAWEI-GigabitEthernet2/2/7.100] quit

4. Configure the B1 IP address as the redirection next hop IP address.


[~HUAWEI] interface Virtual-Ethernet1/0/0
[*HUAWEI-Virtual-Ethernet1/0/0] ve-group 1 l2-terminate
[*HUAWEI-Virtual-Ethernet1/0/0] quit
[~HUAWEI] interface Virtual-Ethernet1/0/0.100
[*HUAWEI-Virtual-Ethernet1/0/0.100] vlan-type dot1q 100
[*HUAWEI-Virtual-Ethernet1/0/0.100] ip binding vpn-instance access
[*HUAWEI-Virtual-Ethernet1/0/0.100] ip address 192.168.112.1 255.255.255.0
[*HUAWEI-Virtual-Ethernet1/0/0.100] quit

Configure B2 as the backup interface for B1.


[~HUAWEI] interface Virtual-Ethernet2/0/0
[*HUAWEI-Virtual-Ethernet2/0/0] ve-group 1 l2-terminate
[*HUAWEI-Virtual-Ethernet2/0/0] quit
[~HUAWEI] interface Virtual-Ethernet2/0/0.100
[*HUAWEI-Virtual-Ethernet2/0/0.100] vlan-type dot1q 100
[*HUAWEI-Virtual-Ethernet2/0/0.100] ip binding vpn-instance access
[*HUAWEI-Virtual-Ethernet2/0/0.100] ip address 192.168.223.1 255.255.255.0
[*HUAWEI-Virtual-Ethernet2/0/0.100] quit

5. Configure an authentication domain on the BAS interface.


# Configure an authentication scheme.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth2
[*HUAWEI-aaa-authen-auth2] authentication-mode radius
[*HUAWEI-aaa-authen-auth2] commit
[~HUAWEI-aaa-authen-auth2] quit

# Configure an accounting scheme.


[~HUAWEI-aaa] accounting-scheme acct2
[*HUAWEI-aaa-accounting-acct2] accounting-mode radius
[*HUAWEI-aaa-accounting-acct2] commit
[~HUAWEI-aaa-accounting-acct2] quit
[~HUAWEI-aaa] quit

# Configure a RADIUS server group.


[~HUAWEI] radius-server group rd2
[*HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
[*HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
[*HUAWEI-radius-rd2] radius-server type standard
[*HUAWEI-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
[*HUAWEI-radius-rd2] commit
[~HUAWEI-radius-rd2] quit

# Configure an address pool.


[~HUAWEI] ip pool pool2 bas local
[*HUAWEI-ip-pool-pool2] gateway 10.82.1.1 255.255.255.0
[*HUAWEI-ip-pool-pool2] section 0 10.82.1.2 10.82.1.200
[*HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
[*HUAWEI-ip-pool-pool2] vpn-instance vpn1
[*HUAWEI-ip-pool-pool2] commit
[~HUAWEI-ip-pool-pool2] quit

# Configure a domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain ipv4
[*HUAWEI-aaa-domain-ipv4] authentication-scheme none
[*HUAWEI-aaa-domain-ipv4] accounting-scheme none
[*HUAWEI-aaa-domain-ipv4] ip-pool pool2
[*HUAWEI-aaa-domain-ipv4] commit
[~HUAWEI-aaa-domain-ipv4] quit
[~HUAWEI-aaa] quit

6. Configure a user to go online through C1.


[~HUAWEI] interface Virtual-Ethernet1/0/1
[*HUAWEI-Virtual-Ethernet1/0/1] ve-group 1 l2-terminate
[*HUAWEI-Virtual-Ethernet1/0/1] quit
[~HUAWEI] interface Virtual-Ethernet1/0/1.100
[*HUAWEI-Virtual-Ethernet1/0/1.100] vlan-type dot1q 100
[*HUAWEI-Virtual-Ethernet1/0/1.100] ip address 192.168.112.2 255.255.255.0
[*HUAWEI-Virtual-Ethernet1/0/1.100] bas
[*HUAWEI-Virtual-Ethernet1/0/1.100-bas] access-type layer2-subscriber default-domain authentication fastweb
[*HUAWEI-Virtual-Ethernet1/0/1.100-bas] default-user-name-template fastweb
[*HUAWEI-Virtual-Ethernet1/0/1.100-bas] default-password-template fastweb
[*HUAWEI-Virtual-Ethernet1/0/1.100-bas] quit
[~HUAWEI-Virtual-Ethernet1/0/1.100] quit

Configure a user to go online through C2.


[~HUAWEI] interface Virtual-Ethernet2/0/1
[*HUAWEI-Virtual-Ethernet2/0/1] ve-group 1 l2-terminate
[*HUAWEI-Virtual-Ethernet2/0/1] quit
[~HUAWEI] interface Virtual-Ethernet2/0/1.100
[*HUAWEI-Virtual-Ethernet2/0/1.100] vlan-type dot1q 100
[*HUAWEI-Virtual-Ethernet2/0/1.100] ip address 192.168.223.2 255.255.255.0
[*HUAWEI-Virtual-Ethernet2/0/1.100] bas
[*HUAWEI-Virtual-Ethernet2/0/1.100-bas] access-type layer2-subscriber default-domain authentication fastweb
[*HUAWEI-Virtual-Ethernet2/0/1.100-bas] default-user-name-template fastweb
[*HUAWEI-Virtual-Ethernet2/0/1.100-bas] default-password-template fastweb
[*HUAWEI-Virtual-Ethernet2/0/1.100-bas] quit
[*HUAWEI-Virtual-Ethernet2/0/1.100] quit
7. Configure a Layer 2 static user.
[~HUAWEI] static-user 192.168.1.1 interface Virtual-Ethernet2/0/1.100 vlan 100 detect

Configuration Files
l Router B configuration file
#
sysname HUAWEI
#
ip vpn-instance access
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
acl 3000
rule permit source 192.168.1.1 255.255.255.255
#
traffic classifier classifier1
if-match acl 3000
#
traffic behavior behavior1
redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn
access non-revertive
#
traffic policy loadbalance
share-mode
classifier classifier1 behavior behavior1
#
#
interface gigabitethernet1/0/3.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.111.1 255.255.255.0
traffic-policy loadbalance inbound
ospf enable 100 area 0.0.0.0
interface GigabitEthernet2/2/7.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.222.1 255.255.255.0
traffic-policy loadbalance inbound
ospf enable 100 area 0.0.0.0
#
#
interface Virtual-Ethernet1/0/0
ve-group 1 l2-terminate
interface Virtual-Ethernet1/0/0.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.112.1 255.255.255.0
interface Virtual-Ethernet2/0/0
ve-group 1 l2-terminate
interface Virtual-Ethernet2/0/0.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.223.1 255.255.255.0
#
aaa
authentication-scheme auth2
authentication-mode radius
#

accounting-scheme acct2
accounting-mode radius
radius-server group rd2
radius-server authentication 192.168.8.249 1812
radius-server accounting 192.168.8.249 1813
radius-server type standard
radius-server shared-key-cipher it-is-my-secret1
ip pool pool2 bas local
gateway 10.82.1.1 255.255.255.0
section 0 10.82.1.2 10.82.1.200
dns-server 192.168.8.252
vpn-instance vpn1
#
aaa
domain ipv4
authentication-scheme none
accounting-scheme none
ip-pool ipv4
interface Virtual-Ethernet1/0/1
ve-group 1 l2-terminate
#
interface Virtual-Ethernet1/0/1.100
vlan-type dot1q 100
ip address 192.168.112.2 255.255.255.0
bas
access-type layer2-subscriber default-domain authentication fastweb
default-user-name-template fastweb
default-password-template fastweb
#
interface Virtual-Ethernet2/0/1
ve-group 1 l2-terminate
#
interface Virtual-Ethernet2/0/1.100
vlan-type dot1q 100
ip address 192.168.223.2 255.255.255.0
bas
access-type layer2-subscriber default-domain authentication fastweb
default-user-name-template fastweb
default-password-template fastweb
#
static-user 192.168.1.1 interface Virtual-Ethernet2/0/1.100 vlan 100 detect
#
ospf 100
area 0.0.0.0
#
return

9.9.12 Example for Configuring BRAS Access Through L3VPN Termination
This section provides an example for configuring BRAS access through L3VPN termination.

Networking Requirements
Router B uses OSPF to exchange traffic with Router A through interfaces on multiple boards
in load-balancing mode. Traffic from the same user may be sent from different boards. Router
B uses PBR to send traffic from the same user but different boards through the backplane to
the same authentication board for Layer 3 user authentication, as shown in Figure 9-14.

NOTE
Only Layer 3 static user access is supported in scenarios with BRAS access through L3VPN
termination.

Requirements are as follows:

l Router A sends upstream traffic to different interfaces on Router B in load-balancing mode.
l Router B adds all the inbound interfaces to an L3VPN and configures PBR. Then,
Router B routes all traffic from the same user to the specified next hop based on the
source IP address/VLAN ID/DSCP priority. The outbound interface of the next hop
directly connects to the BAS interface and resides on the same network segment as the
BAS interface.
l After user traffic arrives at the BAS interface and the user goes online, user forwarding
entries are delivered. Subsequent user traffic will then be authenticated and forwarded
based on these forwarding entries.
l Downstream traffic is forwarded through the BAS interface to the L3VPN domain based
on user forwarding entries.
l Router B then sends downstream traffic in the L3VPN domain to Router A along routes
(the traffic can be load-balanced). Then, Router A forwards the traffic to the user.

Figure 9-14 Configuring BRAS access through L3VPN termination

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure PBR to redirect user traffic to the primary and backup next hops. If the
primary next hop fails, traffic automatically switches to the backup next hop to trigger
the user to go online.
2. Configure user access interfaces A1 and A2.
3. Configure C1 and C2 IP addresses as the redirection next hop IP addresses.

4. Configure C1 and C2 as the primary and backup BAS interfaces for B1 and B2.
5. Interfaces A1, A2, B1, and B2 belong to the same L3VPN. Interfaces B1, B2, C1, and
C2 belong to the same network segment. If the PBR redirection next hop is C1 or C2,
traffic can be forwarded through B1 or B2.

Data Preparation
To complete the configuration, you need the following data:
l VE group number
l Local L3VPN name
l OSPF configurations
l Layer 3 user authentication mode, accounting mode, and authentication domain name
l Interface IP addresses

Configuration Procedure
1. Configure a local L3VPN.
Configure a local L3VPN on Router B and add A1, A2, B1, and B2 to this L3VPN.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance access
[*HUAWEI-vpn-instance-access] ipv4-family
[*HUAWEI-vpn-instance-access-af-ipv4] route-distinguisher 200:1
[*HUAWEI-vpn-instance-access-af-ipv4] vpn-target 111:1 both
[*HUAWEI-vpn-instance-access-af-ipv4] quit
[*HUAWEI-vpn-instance-access] quit

2. Configure PBR.
Configure PBR to redirect user traffic to the primary and backup next hops based on the
source IP address. If the primary next hop fails, traffic automatically switches to the
backup next hop to trigger the user to go online.
[~HUAWEI] acl 3000
[*HUAWEI-acl-adv-3000] rule permit source 192.168.1.1 255.255.255.255
[*HUAWEI-acl-adv-3000] quit
[~HUAWEI] traffic classifier classifier1
[*HUAWEI-classifier-classifier1] if-match acl 3000
[*HUAWEI-classifier-classifier1] quit
[~HUAWEI] traffic behavior behavior1
[*HUAWEI-behavior-behavior1] redirect ipv4-MultiNhp nhp 192.168.112.2 vpn
access nhp 192.168.223.2 vpn access non-revertive
[*HUAWEI-behavior-behavior1] quit
[~HUAWEI] traffic policy loadbalance
[*HUAWEI-trafficpolicy-loadbalance] share-mode
[*HUAWEI-trafficpolicy-loadbalance] classifier classifier1 behavior behavior1
[*HUAWEI-trafficpolicy-loadbalance] quit

3. Configure user access interfaces A1 and A2.


[~HUAWEI] interface GigabitEthernet1/0/3.100
[*HUAWEI-GigabitEthernet1/0/3.100] vlan-type dot1q 100
[*HUAWEI-GigabitEthernet1/0/3.100] ip binding vpn-instance access
[*HUAWEI-GigabitEthernet1/0/3.100] ip address 192.168.111.1 255.255.255.0
[*HUAWEI-GigabitEthernet1/0/3.100] traffic-policy loadbalance inbound
[*HUAWEI-GigabitEthernet1/0/3.100] ospf enable 100 area 0.0.0.0
[*HUAWEI-GigabitEthernet1/0/3.100] quit
[~HUAWEI] interface GigabitEthernet2/2/7.100
[*HUAWEI-GigabitEthernet2/2/7.100] vlan-type dot1q 100
[*HUAWEI-GigabitEthernet2/2/7.100] ip binding vpn-instance access
[*HUAWEI-GigabitEthernet2/2/7.100] ip address 192.168.222.1 255.255.255.0
[*HUAWEI-GigabitEthernet2/2/7.100] traffic-policy loadbalance inbound
[*HUAWEI-GigabitEthernet2/2/7.100] ospf enable 100 area 0.0.0.0
[*HUAWEI-GigabitEthernet2/2/7.100] quit

4. Configure B1 as the L3VPN-side interface on the same network segment as the redirection next hop C1 (192.168.112.2).


[~HUAWEI] interface Virtual-Ethernet1/0/0
[*HUAWEI-Virtual-Ethernet1/0/0] ve-group 1 l3-terminate
[*HUAWEI-Virtual-Ethernet1/0/0] quit
[~HUAWEI] interface Virtual-Ethernet1/0/0.100
[*HUAWEI-Virtual-Ethernet1/0/0.100] vlan-type dot1q 100
[*HUAWEI-Virtual-Ethernet1/0/0.100] ip address 192.168.112.1 255.255.255.0
[*HUAWEI-Virtual-Ethernet1/0/0.100] quit

Configure B2 as the backup interface for B1.


[~HUAWEI] interface Virtual-Ethernet2/0/0
[*HUAWEI-Virtual-Ethernet2/0/0] ve-group 1 l3-terminate
[*HUAWEI-Virtual-Ethernet2/0/0] quit
[~HUAWEI] interface Virtual-Ethernet2/0/0.100
[*HUAWEI-Virtual-Ethernet2/0/0.100] vlan-type dot1q 100
[*HUAWEI-Virtual-Ethernet2/0/0.100] ip address 192.168.223.1 255.255.255.0
[*HUAWEI-Virtual-Ethernet2/0/0.100] quit

5. Configure an authentication domain on the BAS interface.


# Configure an authentication scheme.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth2
[*HUAWEI-aaa-authen-auth2] authentication-mode radius
[*HUAWEI-aaa-authen-auth2] commit
[~HUAWEI-aaa-authen-auth2] quit

# Configure an accounting scheme.
[~HUAWEI-aaa] accounting-scheme acct2
[*HUAWEI-aaa-accounting-acct2] accounting-mode radius
[*HUAWEI-aaa-accounting-acct2] commit
[~HUAWEI-aaa-accounting-acct2] quit
[~HUAWEI-aaa] quit

# Configure a RADIUS server group.


[~HUAWEI] radius-server group rd2
[*HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
[*HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
[*HUAWEI-radius-rd2] radius-server type standard
[*HUAWEI-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
[*HUAWEI-radius-rd2] commit
[~HUAWEI-radius-rd2] quit

# Configure an address pool.


[~HUAWEI] ip pool pool2 bas local
[*HUAWEI-ip-pool-pool2] gateway 10.82.1.1 255.255.255.0
[*HUAWEI-ip-pool-pool2] section 0 10.82.1.2 10.82.1.200
[*HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
[*HUAWEI-ip-pool-pool2] vpn-instance vpn1
[*HUAWEI-ip-pool-pool2] commit
[~HUAWEI-ip-pool-pool2] quit

# Configure a domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain ipv4
[*HUAWEI-aaa-domain-ipv4] commit
[~HUAWEI-aaa-domain-ipv4] authentication-scheme none
[*HUAWEI-aaa-domain-ipv4] accounting-scheme none
[*HUAWEI-aaa-domain-ipv4] commit
[~HUAWEI-aaa-domain-ipv4] ip-pool ipv4
[*HUAWEI-aaa-domain-ipv4] quit
[~HUAWEI-aaa] quit

6. Configure a user to go online through C1.


[~HUAWEI] interface Virtual-Ethernet1/0/1
[*HUAWEI-Virtual-Ethernet1/0/1] ve-group 1 l3-access
[*HUAWEI-Virtual-Ethernet1/0/1] quit
[~HUAWEI] interface Virtual-Ethernet1/0/1.100
[*HUAWEI-Virtual-Ethernet1/0/1.100] vlan-type dot1q 100

[*HUAWEI-Virtual-Ethernet1/0/1.100] ip binding vpn-instance access
[*HUAWEI-Virtual-Ethernet1/0/1.100] ip address 192.168.112.2 255.255.255.0
[*HUAWEI-Virtual-Ethernet1/0/1.100] bas
[*HUAWEI-Virtual-Ethernet1/0/1.100-bas] access-type layer3-subscriber default-domain pre-authentication fastweb
[*HUAWEI-Virtual-Ethernet1/0/1.100-bas] default-user-name-template fastweb
[*HUAWEI-Virtual-Ethernet1/0/1.100-bas] default-password-template fastweb
[*HUAWEI-Virtual-Ethernet1/0/1.100-bas] quit
[*HUAWEI-Virtual-Ethernet1/0/1.100] quit

Configure a user to go online through C2.
[~HUAWEI] interface Virtual-Ethernet2/0/1
[*HUAWEI-Virtual-Ethernet2/0/1] ve-group 1 l3-access
[*HUAWEI-Virtual-Ethernet2/0/1] quit
[~HUAWEI] interface Virtual-Ethernet2/0/1.100
[*HUAWEI-Virtual-Ethernet2/0/1.100] vlan-type dot1q 100
[*HUAWEI-Virtual-Ethernet2/0/1.100] ip binding vpn-instance access
[*HUAWEI-Virtual-Ethernet2/0/1.100] ip address 192.168.223.2 255.255.255.0
[*HUAWEI-Virtual-Ethernet2/0/1.100] bas
[*HUAWEI-Virtual-Ethernet2/0/1.100-bas] access-type layer3-subscriber default-domain pre-authentication fastweb
[*HUAWEI-Virtual-Ethernet2/0/1.100-bas] default-user-name-template fastweb
[*HUAWEI-Virtual-Ethernet2/0/1.100-bas] default-password-template fastweb
[*HUAWEI-Virtual-Ethernet2/0/1.100-bas] quit
[*HUAWEI-Virtual-Ethernet2/0/1.100] quit
7. Configure a Layer 3 static user.
[~HUAWEI] layer3-subscriber 192.168.1.1 vpn-instance access domain-name fastweb

Configuration Files
l Router B configuration file
#
sysname HUAWEI
#
ip vpn-instance access
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
acl 3000
rule permit source 192.168.1.1 255.255.255.255
#
traffic classifier classifier1
if-match acl 3000
#
traffic behavior behavior1
redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn
access non-revertive
#
traffic policy loadbalance
share-mode
classifier classifier1 behavior behavior1
#
#
interface gigabitethernet1/0/3.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.111.1 255.255.255.0
traffic-policy loadbalance inbound
ospf enable 100 area 0.0.0.0
interface GigabitEthernet2/2/7.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.222.1 255.255.255.0
traffic-policy loadbalance inbound
ospf enable 100 area 0.0.0.0

#
#
interface Virtual-Ethernet1/0/0
ve-group 1 l3-terminate
interface Virtual-Ethernet1/0/0.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.112.1 255.255.255.0
interface Virtual-Ethernet2/0/0
ve-group 1 l3-terminate
interface Virtual-Ethernet2/0/0.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.223.1 255.255.255.0
#
aaa
authentication-scheme auth2
authentication-mode radius
#
accounting-scheme acct2
accounting-mode radius
radius-server group rd2
radius-server authentication 192.168.8.249 1812
radius-server accounting 192.168.8.249 1813
radius-server type standard
radius-server shared-key-cipher it-is-my-secret1
ip pool pool2 bas local
gateway 10.82.1.1 255.255.255.0
section 0 10.82.1.2 10.82.1.200
dns-server 192.168.8.252
vpn-instance vpn1
#
aaa
domain ipv4
authentication-scheme none
accounting-scheme none
ip-pool ipv4
interface Virtual-Ethernet1/0/1
ve-group 1 l3-access
#
interface Virtual-Ethernet1/0/1.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.112.2 255.255.255.0
bas
access-type layer3-subscriber default-domain pre-authentication fastweb
default-user-name-template fastweb
default-password-template fastweb
#
interface Virtual-Ethernet2/0/1
ve-group 1 l3-access
#
interface Virtual-Ethernet2/0/1.100
vlan-type dot1q 100
ip binding vpn-instance access
ip address 192.168.223.2 255.255.255.0
bas
access-type layer3-subscriber default-domain pre-authentication fastweb
default-user-name-template fastweb
default-password-template fastweb
#
layer3-subscriber 192.168.1.1 vpn-instance access domain-name fastweb
#
ospf 100
area 0.0.0.0
#
return
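The roadmap above states relationships that the CLI accepts silently even when they are wrong: each PBR next hop must be the address of a BAS sub-interface on the l3-access side of a VE pair, must share a subnet with an l3-terminate interface bound to the VPN named in the redirect, and the static user's address must actually be matched by the ACL that feeds the redirect, otherwise its traffic never reaches a BAS interface and the user never goes online. The following Python script is an added example written for this section, not Huawei code. It parses an abridged copy of the Router B configuration file above (embedded as CONFIG) and reports any of those relationships that do not hold. It treats the second field of rule permit source as a VRP wildcard mask (set bits are "don't care", so 255.255.255.255 matches any source); the parser handles only the lines the checks need.

```python
"""Cross-checks for the BRAS-through-L3VPN-termination design of 9.9.12 (added example,
not Huawei code). Parses the relevant lines of a Router B configuration in this page's
display format and verifies what the roadmap requires but the CLI never enforces."""
import ipaddress

# Abridged Router B configuration from this section, embedded as sample input.
CONFIG = """\
acl 3000
 rule permit source 192.168.1.1 255.255.255.255
traffic classifier classifier1
 if-match acl 3000
traffic behavior behavior1
 redirect ipv4-MultiNhp nhp 192.168.112.2 vpn access nhp 192.168.223.2 vpn access non-revertive
traffic policy loadbalance
 classifier classifier1 behavior behavior1
interface GigabitEthernet1/0/3.100
 ip binding vpn-instance access
 traffic-policy loadbalance inbound
interface Virtual-Ethernet1/0/0
 ve-group 1 l3-terminate
interface Virtual-Ethernet1/0/0.100
 ip binding vpn-instance access
 ip address 192.168.112.1 255.255.255.0
interface Virtual-Ethernet2/0/0
 ve-group 1 l3-terminate
interface Virtual-Ethernet2/0/0.100
 ip binding vpn-instance access
 ip address 192.168.223.1 255.255.255.0
interface Virtual-Ethernet1/0/1
 ve-group 1 l3-access
interface Virtual-Ethernet1/0/1.100
 ip address 192.168.112.2 255.255.255.0
 bas
interface Virtual-Ethernet2/0/1
 ve-group 1 l3-access
interface Virtual-Ethernet2/0/1.100
 ip address 192.168.223.2 255.255.255.0
 bas
layer3-subscriber 192.168.1.1 vpn-instance access domain-name fastweb
"""

def parse(text):
    ifaces, acls, cls, beh, pol, subs = {}, {}, {}, {}, {}, []
    ctx = None
    for line in (l.strip() for l in text.splitlines()):
        w = line.split()
        if not w or w[0] == "#":
            ctx = None
        elif w[0] == "interface":   # a sub-interface inherits ve-group from its main interface
            main = ifaces.get(w[1].split(".")[0], {})
            ctx = ifaces.setdefault(w[1], {"ip": None, "vpn": None, "ve": main.get("ve"),
                                           "bas": False, "pol": None})
        elif w[0] == "acl":
            ctx = acls.setdefault(w[1], [])
        elif w[0] == "traffic":
            ctx = {"classifier": cls, "behavior": beh, "policy": pol}[w[1]].setdefault(w[2], [])
        elif w[0] == "layer3-subscriber":
            subs.append((ipaddress.ip_address(w[1]), w[w.index("vpn-instance") + 1]))
        elif isinstance(ctx, dict):                           # lines of an interface view
            if line.startswith("ip address "):
                ctx["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            elif line.startswith("ip binding vpn-instance "):
                ctx["vpn"] = w[3]
            elif w[0] == "ve-group":
                ctx["ve"] = w[2]
            elif w[0] == "bas":
                ctx["bas"] = True
            elif w[0] == "traffic-policy" and "inbound" in w:
                ctx["pol"] = w[1]
        elif isinstance(ctx, list):                           # acl / classifier / behavior / policy view
            if line.startswith("rule permit source "):        # VRP: 2nd field is a wildcard, set bit = any
                ctx.append((int(ipaddress.ip_address(w[3])), int(ipaddress.ip_address(w[4]))))
            elif line.startswith("if-match acl "):
                ctx.append(w[2])
            elif line.startswith("redirect ipv4-MultiNhp"):
                ctx.extend((ipaddress.ip_address(w[i + 1]), w[i + 3]) for i, t in enumerate(w) if t == "nhp")
            elif w[0] == "classifier":
                ctx.append((w[1], w[3]))
    return ifaces, acls, cls, beh, pol, subs

def check_config(text):
    """Return the sorted list of problems; an empty list means the design holds together."""
    ifaces, acls, cls, beh, pol, subs = parse(text)
    out = set()
    for name, a in ifaces.items():                  # only the A interfaces carry the inbound policy
        for cname, bname in pol.get(a["pol"], []):
            for nhp, vpn in beh.get(bname, []):
                bas = [n for n, i in ifaces.items() if i["bas"] and i["ip"] and i["ip"].ip == nhp]
                if not bas:
                    out.add(f"next hop {nhp}: no BAS-enabled interface carries this address")
                out.update(f"{n}: BAS side of the VE pair must be l3-access" for n in bas if ifaces[n]["ve"] != "l3-access")
                if not any(i["ve"] == "l3-terminate" and i["vpn"] == vpn and i["ip"] and nhp in i["ip"].network for i in ifaces.values()):
                    out.add(f"next hop {nhp}: no l3-terminate interface in VPN {vpn} on its subnet")
                for acl in cls.get(cname, []):      # wildcard match: (ip & ~wc) == (rule & ~wc)
                    for sub, sub_vpn in subs:
                        if sub_vpn == vpn and not any((int(sub) & ~wc) == (r & ~wc) for r, wc in acls.get(acl, [])):
                            out.add(f"static user {sub}: not matched by acl {acl}, so never redirected")
    return sorted(out)
```

Run check_config on the output of display current-configuration before committing a change to the VE pairs or the redirect: a typo in a next hop, or a VE sub-interface left on the wrong side of the pair, produces a one-line finding instead of a user that silently never comes online.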

9.9.13 Example for Configuring RADIUS Proxy Authentication
This section provides an example for configuring RADIUS proxy authentication, including
the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
On the network shown in Figure 9-15, to allow WLAN users to access the network, configure
RADIUS proxy authentication to allow EAP authentication on the AC and RADIUS
accounting on the Router. The user access process is as follows:
1. A WLAN user sends an EAP packet to the AC. Upon receipt, the AC terminates the EAP
packet, converts it to a RADIUS packet, and sends the RADIUS packet to the Router.
2. The Router functions as a RADIUS proxy to listen to and forward authentication packets
sent by the AC to the RADIUS server and authentication response packets replied by the
RADIUS to the AC. During this process, the Router saves the authorization information
delivered by the RADIUS server to the WLAN user.
3. After being authenticated, the WLAN user sends DHCP packets to the Router to obtain
an IP address. The Router first searches for the authorization information of the WLAN
user based on the MAC address. If the matching authorization information exists, the
Router assigns an available IP address to the WLAN user and uses the saved
authorization information to authorize the user. In the meantime, the Router sends an
Accounting Start packet to the RADIUS server to perform accounting for the WLAN
user.
4. The Router responds to the accounting packets sent by the AC, without sending them to
the RADIUS server.

Figure 9-15 Networking diagram for configuring RADIUS proxy authentication (RADIUS server and Internet behind the Router; the AC, an L2 switch and the APs on the access side)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server group, an authentication scheme, an accounting scheme,
and an address pool.
2. Bind the RADIUS server group, authentication scheme, accounting scheme, and address
pool to the domain.
3. Configure RADIUS proxy.
4. Configure BAS access.
5. Configure an IP address to be accessed by the AC.
NOTE

Five ports are available to listen to RADIUS packets by default: ports 1812, 1813, 1645, 1646, and
3799. To allow another port to listen to RADIUS packets, run the radius-server extended-source-ports
port-number port-number command in the system view to specify a listening port.

Data Preparation
l IP address of the RADIUS authentication server
l IP address of the RADIUS accounting server

l IP address of the AC interface that sends RADIUS packets

Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, an accounting scheme, and an
address pool.
# Configure a RADIUS server group named shiva.
<HUAWEI> system-view
[~HUAWEI] radius-server group shiva
[*HUAWEI-radius-shiva] radius-server authentication 10.1.123.151 1812
[*HUAWEI-radius-shiva] radius-server accounting 10.1.123.151 1813
[*HUAWEI-radius-shiva] commit
[~HUAWEI-radius-shiva] quit

# Configure a local address pool named pool1.


[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 172.30.0.1 24
[*HUAWEI-ip-pool-pool1] section 0 172.30.0.2 172.30.0.254
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit

# Configure an authentication scheme named rdp, with RADIUS proxy as the authentication
mode.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme rdp
[*HUAWEI-aaa-authen-rdp] authentication-mode radius-proxy
[*HUAWEI-aaa-authen-rdp] commit
[~HUAWEI-aaa-authen-rdp] quit

# Configure an accounting scheme named rds, with RADIUS as the accounting mode.
[~HUAWEI-aaa] accounting-scheme rds
[*HUAWEI-aaa-accounting-rds] accounting-mode radius
[*HUAWEI-aaa-accounting-rds] commit
[~HUAWEI-aaa-accounting-rds] quit

Step 2 Configure a domain named radiusproxy and bind the authentication scheme rdp, accounting
scheme rds, and RADIUS server group shiva to the domain.
[~HUAWEI-aaa] domain radiusproxy
[*HUAWEI-aaa-domain-radiusproxy] authentication-scheme rdp
[*HUAWEI-aaa-domain-radiusproxy] accounting-scheme rds
[*HUAWEI-aaa-domain-radiusproxy] radius-server group shiva
[*HUAWEI-aaa-domain-radiusproxy] ip-pool pool1
[*HUAWEI-aaa-domain-radiusproxy] commit
[~HUAWEI-aaa-domain-radiusproxy] quit
[~HUAWEI-aaa] quit

Step 3 Configure RADIUS proxy.


[~HUAWEI] radius-client 10.1.0.201 server-group shiva shared-key-cipher !QAZ2wsx
[*HUAWEI] commit

NOTE

The IP address specified following radius-client is the IP address of the AC interface that sends
RADIUS packets. In this example, the RADIUS server group bound to the domain is the same as that
used for RADIUS proxy. In actual applications, the two RADIUS server groups can be different.

Step 4 Configure an IP address to be accessed by the AC.


[~HUAWEI] interface GigabitEthernet 5/0/3
[*HUAWEI-GigabitEthernet5/0/3] ip address 10.1.0.197 8
[*HUAWEI-GigabitEthernet5/0/3] commit
[~HUAWEI-GigabitEthernet5/0/3] quit

NOTE

This IP address is configured for communication with the AC. The RADIUS authentication packets
initiated on the AC are sent to this IP address. If the Router has another IP address to communicate with
the AC, this configuration is not needed.

Step 5 Configure BAS access on an interface.


[~HUAWEI] interface GigabitEthernet 5/0/4
[*HUAWEI-GigabitEthernet5/0/4] bas
[*HUAWEI-GigabitEthernet5/0/4-bas] access-type layer2-subscriber default-domain
authentication radiusproxy
[*HUAWEI-GigabitEthernet5/0/4-bas] authentication-method bind
[*HUAWEI-GigabitEthernet5/0/4-bas] commit

NOTE

RADIUS proxy applies only to IPoE users and not PPPoE users.

Step 6 Verify the configuration.


Run the display radius-server configuration group shiva command on the Router to check
RADIUS server group configurations.
<HUAWEI> display radius-server configuration group shiva
-------------------------------------------------------
Server-group-name : shiva
Authentication-server: IP:10.1.123.151 Port:1812 Weight[0] [UP]
Vpn: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Accounting-server : IP:10.1.123.151 Port:1813 Weight[0] [UP]
Vpn: -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Protocol-version : radius
Shared-secret-key : ******
Retransmission : 3
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
Traffic-unit : B
ClassAsCar : NO
User-name-format : Domain-included

Option82 parse mode : -
Attribute-translation: NO
Packet send algorithm: Master-Backup
Tunnel password : cipher

Run the display domain command on the Router to check domain configurations.
<HUAWEI> display domain radiusproxy
------------------------------------------------------------------------------
Domain-name : radiusproxy
Domain-state : Active
Authentication-scheme-name : rdp
Accounting-scheme-name : rds
Authorization-scheme-name : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-DNS-IPV6-address : -
Second-DNS-IPV6-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Time-range : Disable
Idle-cut direction : Both
Idle-data-attribute (time,flow) : 0, 60
User detect interval : 0s
User detect retransmit times : 0
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : default
User-access-limit : 283648
Online-number : 0
Web-IP-address : -
Web-URL : -
Web-auth-server : -
Web-auth-state : -
Web-server-mode : get
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
Service-policy(Portal) : -
PPPoE-user-URL : Disable
AdminUser-priority : 16
IPUser-ReAuth-Time : 300s
mscg-name-portal-key : -
Portal-user-first-url-key : -
User-session-limit : 4294967295
Ancp auto qos adapt : Disable
L2TP-group-name : -
User-lease-time-no-response : 0s
RADIUS-server-template : shiva
Two-acct-template : -
RADIUS-server-pre-template : -
-
-
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disable
Qos-profile-name inbound : -
Qos-profile-name outbound : -

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -

IP-warning-threshold(Low) : -
IPv6-warning-threshold : -
IPv6-warning-threshold(Low) : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IP-address-pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
IPv6-PPP-NDRA-halt : Disable
IPv6-PPP-NDRA-unicast : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : Enable
Reallocate-ip-address : Disable
Cui enable : Disable
Igmp enable : Enable
L2tp-user radius-force : Disable
Accounting dual-stack : Separate
Radius server domain-annex : -
Dhcp-option64-service : Disable
Parse-separator : -
Parse-segment-value : -
Dhcp-receive-server-packet : -
Http-hostcar : Disable
Public-address assign-first : Disable
Public-address nat : Enable
Dhcp-user auto-save : Disable
IP-pool usage-status threshold : 255 , 255
Select-Pool-Rule : gateway + local priority
AFTR name : -
Traffic-rate-mode : Separate
Traffic-statistic-mode : Separate
Rate-limit-mode-inbound : Car
Rate-limit-mode-outbound : Car
Service-change-mode : Stop-start
DAA Direction : both
------------------------------------------------------------------------------

Run the display radius-client configuration command on the Router to check RADIUS
proxy configurations.
<HUAWEI> display radius-client configuration
-----------------------------------------------------------------------------
IP-Address      VPN-instance  Shared-key  Group   Domain-authorization  Roam-domain
-----------------------------------------------------------------------------
10.1.0.201      --            ******      shiva   NO                    --
-----------------------------------------------------------------------------
1 Radius client(s) in total

Run the display radius-client statistics command to check statistics about RADIUS packets
exchanged between a RADIUS client and proxy.
<HUAWEI> display radius-client statistics client-ip 10.1.0.201

Authentication packets:
Access Requests : 0 Access Accepts : 0
Access Challenges : 0 Access Rejects : 0
Bad Authenticators : 0 Packets Dropped : 0
Accounting packets:
Account Requests : 0 Account Responses : 0
Bad Authenticators : 0 Packets Dropped : 0

DM packets:
Author Requests : 0 Author Acks : 0
Author Naks : 0
Abnormal Attribute Length packets:
Access Requests : 0 Account Requests : 0
Author Acks : 0 Author Naks : 0
Corrected Access Requests : 0

----End

Configuration Files
#
sysname HUAWEI
#
radius-server group shiva
radius-server authentication 10.1.123.151 1812 weight 0
radius-server accounting 10.1.123.151 1813 weight 0
#
aaa
authentication-scheme rdp
authentication-mode radius-proxy
#
accounting-scheme rds
accounting-mode radius
#
domain radiusproxy
authentication-scheme rdp
accounting-scheme rds
radius-server group shiva
ip-pool pool1
#
interface GigabitEthernet5/0/3
undo shutdown
ip address 10.1.0.197 255.0.0.0
#
interface GigabitEthernet5/0/4
undo shutdown
bas
access-type layer2-subscriber default-domain authentication radiusproxy
authentication-method bind
#
ip pool pool1 bas local
gateway 172.30.0.1 255.255.255.0
section 0 172.30.0.2 172.30.0.254
#
return
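The shared key given with radius-client is what ties the AC to the proxy: every RADIUS reply carries a Response Authenticator computed over the packet and that key (RFC 2865 section 3), and a reply that does not verify is what the Bad Authenticators counter in display radius-client statistics records. The following Python script is an added example written for this section, not Huawei code, and it does not reproduce the Router's proxy implementation; it builds the packets of the exchange from the AC's side so the check can be seen end to end. The user name, the Session-Timeout attribute, the packet identifiers and the "wrong-secret" forgery are constructed for the example; the shared key is the one configured above.

```python
"""RADIUS authenticator handling on the proxy path of 9.9.13 (added example,
not Huawei code). Shows what the 'Bad Authenticators' counter in 'display
radius-client statistics' measures: a reply whose Response Authenticator
(RFC 2865 section 3) does not verify under the client's shared key. The
identifiers, user name and packets below are constructed for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SESSION_TIMEOUT = 1, 2, 27
AC_SECRET = b"!QAZ2wsx"   # key from 'radius-client 10.1.0.201 server-group shiva shared-key-cipher ...'


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length including header."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("RADIUS attribute value longer than 253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def decrypt_user_password(cipher, secret, request_auth):
    """Inverse of encrypt_user_password; needs the same secret and the Request Authenticator."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(cipher), 16):
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident, secret, username, password, request_auth=None):
    """Access-Request as the AC sends it to the proxy; the Request Authenticator is 16 random bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, encrypt_user_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """The check a proxy or client applies before trusting a reply; a False result is
    what the 'Bad Authenticators' counter records."""
    if len(response) < 20 or len(request) < 20:
        return False
    _, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:   # wrong length, or reply to another request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])  # constant-time comparison


def demo():
    """AC -> proxy Access-Request, then an Access-Accept under the right key and a forged one."""
    req = build_access_request(7, AC_SECRET, b"wlan-user@radiusproxy", b"Root@123")
    accept = build_response(ACCESS_ACCEPT, 7, req[4:20],
                            encode_attrs([(SESSION_TIMEOUT, struct.pack("!I", 3600))]), AC_SECRET)
    forged = build_response(ACCESS_ACCEPT, 7, req[4:20], b"", b"wrong-secret")
    return verify_response(accept, req, AC_SECRET), verify_response(forged, req, AC_SECRET)


if __name__ == "__main__":
    print("genuine accept verifies: %s, forged accept verifies: %s" % demo())
```

A steadily rising Bad Authenticators value for the AC's address therefore points at a key mismatch between the radius-client entry and the AC, or at replies arriving from a host that does not hold the key, rather than at a user-credential problem; the User-Password routine also shows why the same key must be present on both sides of the proxy hop for the password to be relayed at all.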

9.9.14 Example for Configuring the Ethernet Layer 2 Leased Line Access Service
This section provides an example for configuring the Ethernet Layer 2 leased line access
service, including the networking requirements, configuration roadmap, configuration
procedure, and configuration files.

Networking Requirements
The networking is shown in Figure 9-16. The requirements are as follows:

l The Ethernet Layer 2 leased line users access the Internet by using GE 1/0/2.1 on the
Router.

l The user name is layer2lease1@isp1 and the password is Root@123 for the leased line.
l The VLAN ID for leased line users ranges from 1 to 100.
l The leased line users obtain IP addresses from the Router by using DHCP.
l RADIUS authentication and RADIUS accounting are used. The IP address of the
RADIUS server is 192.168.7.249. The authentication port number is 1645 and the
accounting port number is 1646. The RADIUS+1.1 protocol is adopted. The shared key
is itellin.
l The IP address of the DNS server is 192.168.7.252.
l The network-side interface is GE 1/0/1.

Figure 9-16 Networking for configuring the Ethernet Layer 2 leased line access service (leased line users in VLAN 1 to VLAN 100 behind a LAN switch reach GE1/0/2.1 on the Router; GE1/0/1 with address 192.168.7.1 faces the Internet, the DNS server 192.168.7.252 and the RADIUS server 192.168.7.249)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure authentication and accounting schemes.
2. Configure a RADIUS server group.
3. Configure an address pool.
4. Configure an authentication domain.
5. Configure access interfaces.

Data Preparation
To complete the configuration, you need the following data:

l Authentication template name and authentication mode
l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l IP address pool name, gateway address, and DNS server address
l Domain name

l BAS interface parameters

Procedure
Step 1 Configure an authentication scheme.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit

Step 2 Configure an accounting scheme.


[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] commit
[~HUAWEI-aaa-accounting-acct1] quit
[~HUAWEI-aaa] quit

Step 3 Configure a RADIUS server group.


[~HUAWEI] radius-server group rd1
[*HUAWEI-radius-rd1] radius-server authentication 192.168.7.249 1645
[*HUAWEI-radius-rd1] radius-server accounting 192.168.7.249 1646
[*HUAWEI-radius-rd1] radius-server type plus11
[*HUAWEI-radius-rd1] radius-server shared-key itellin
[*HUAWEI-radius-rd1] commit
[~HUAWEI-radius-rd1] quit

Step 4 Configure an address pool.


[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 10.82.0.1 255.255.255.0
[*HUAWEI-ip-pool-pool1] section 0 10.82.0.2 10.82.0.200
[*HUAWEI-ip-pool-pool1] dns-server 192.168.7.252
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit

Step 5 Configure a domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group rd1
[*HUAWEI-aaa-domain-isp1] ip-pool pool1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit

Step 6 Configure access interfaces.

If the access interface is an Ethernet sub-interface, you must configure a VLAN. If the access interface is an Ethernet main interface, no VLAN is required.
You can configure multiple VLANs for an interface used for Layer 2 leased line access.

[~HUAWEI] license
[~HUAWEI-license] active bas slot 1
[*HUAWEI-license] commit
[~HUAWEI-license] quit
[~HUAWEI] interface GigabitEthernet 1/0/2.1
[*HUAWEI-GigabitEthernet1/0/2.1] user-vlan 1 100
[*HUAWEI-GigabitEthernet1/0/2.1-vlan-1-100] quit
[*HUAWEI-GigabitEthernet1/0/2.1] bas
[*HUAWEI-GigabitEthernet1/0/2.1-bas] access-type layer2-leased-line user-name layer2lease1 password simple Root@123 default-domain authentication isp1
[*HUAWEI-GigabitEthernet1/0/2.1-bas] commit
[~HUAWEI-GigabitEthernet1/0/2.1-bas] quit
[~HUAWEI-GigabitEthernet1/0/2.1] quit

----End

Configuration Files
#
sysname HUAWEI
#
license
active bas slot 1
#
radius-server group rd1
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server shared-key itellin
radius-server type plus11
radius-server traffic-unit kbyte
#
interface GigabitEthernet1/0/2.1
user-vlan 1 100
bas
access-type layer2-leased-line user-name layer2lease1 password simple Root@123 default-domain authentication isp1
#
interface GigabitEthernet1/0/1
ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
gateway 10.82.0.1 255.255.255.0
section 0 10.82.0.2 10.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
#
return

9.9.15 Example for Configuring the Ethernet Layer 3 Leased Line Access
This section provides an example for configuring Ethernet Layer 3 leased line access services based on a networking diagram, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements
The networking is shown in Figure 9-17. The requirements are as follows:
- The user accesses the Internet by using GE 1/0/6.1 on the Router in the Ethernet Layer 3 leased line mode.
- The user name is layer3lease1@isp1 for the leased line.
- The network segment for the Layer 3 leased line user is 11.11.11.0/24.
- RADIUS authentication and RADIUS accounting are used. The IP address of the RADIUS server is 192.168.8.249. The authentication port number is 1812 and the accounting port number is 1813. The RADIUS+1.1 protocol is adopted. The shared key is itellin.
- The network-side interface is GE 1/0/1.

Figure 9-17 Networking for configuring the Ethernet Layer 3 leased line access service
(Figure: PC on 11.11.11.0/24 - LSW (192.168.1.2) - Device (192.168.1.1) - Internet; RADIUS server 192.168.8.249)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure authentication and accounting schemes.
2. Configure a RADIUS server group.
3. Configure an authentication domain.
4. Configure a VLAN and an IP address for a sub-interface.
5. Configure a BAS interface and an upstream interface.
6. Configure a static route.

Data Preparation
To complete the configuration, you need the following data:
- Authentication scheme name and authentication mode
- Accounting scheme name and accounting mode
- RADIUS server group name, and IP addresses and port numbers of the RADIUS authentication server and accounting server
- Gateway and DNS server addresses
- Domain name
- VLAN ID and IP address of the sub-interface
- BAS interface parameters
- Static route

Procedure
Step 1 Configure an authentication scheme.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit

Step 2 Configure an accounting scheme.
[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] commit
[~HUAWEI-aaa-accounting-acct1] quit
[~HUAWEI-aaa] quit

Step 3 Configure a RADIUS server group.
[~HUAWEI] radius-server group rd1
[*HUAWEI-radius-rd1] radius-server authentication 192.168.8.249 1812
[*HUAWEI-radius-rd1] radius-server accounting 192.168.8.249 1813
[*HUAWEI-radius-rd1] radius-server type plus11
[*HUAWEI-radius-rd1] radius-server shared-key itellin
[*HUAWEI-radius-rd1] commit
[~HUAWEI-radius-rd1] quit

Step 4 Configure a domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group rd1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit

Step 5 Configure a VLAN.

# Activate the BAS license for the slot.

[~HUAWEI] license
[~HUAWEI-license] active bas slot 1
[*HUAWEI-license] commit
[~HUAWEI-license] quit

# Configure a VLAN.

- If the access interface is an Ethernet sub-interface, you must configure a VLAN. If the access interface is an Ethernet main interface, no VLAN is required.
- You can configure only one VLAN for interfaces used for Layer 3 leased line access.

[~HUAWEI] interface GigabitEthernet 1/0/6
[*HUAWEI-GigabitEthernet1/0/6] mode user-termination
[*HUAWEI-GigabitEthernet1/0/6] interface GigabitEthernet 1/0/6.1
[*HUAWEI-GigabitEthernet1/0/6.1] control-vid 1 dot1q-termination
[*HUAWEI-GigabitEthernet1/0/6.1] dot1q termination vid 3

Step 6 Configure an IP address.
[*HUAWEI-GigabitEthernet1/0/6.1] ip address 192.168.1.1 255.255.255.0

Step 7 Configure a BAS interface.
[*HUAWEI-GigabitEthernet1/0/6.1] bas
[*HUAWEI-GigabitEthernet1/0/6.1-bas] access-type layer3-leased-line user-name layer3lease1 password simple Root@123 default-domain authentication isp1
[*HUAWEI-GigabitEthernet1/0/6.1-bas] commit
[~HUAWEI-GigabitEthernet1/0/6.1-bas] quit
[~HUAWEI-GigabitEthernet1/0/6.1] quit

Step 8 Configure a static route to the Layer 3 leased line user's network segment.
[~HUAWEI] ip route-static 11.11.11.0 255.255.255.0 192.168.1.2
[*HUAWEI] commit

----End

Configuration Files
#
sysname HUAWEI
#
license
active bas slot 1
#
radius-server group rd1
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key itellin
radius-server type plus11
#
interface GigabitEthernet1/0/6
mode user-termination
#
interface GigabitEthernet1/0/6.1
control-vid 1 dot1q-termination
dot1q termination vid 3
ip address 192.168.1.1 255.255.255.0
bas
access-type layer3-leased-line user-name layer3lease1 password simple Root@123 default-domain authentication isp1
#
interface GigabitEthernet1/0/1
ip address 192.168.7.1 255.255.255.0
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
#
ip route-static 11.11.11.0 255.255.255.0 192.168.1.2
#
return

9.9.16 Example for Configuring Layer 2 IPoE Access (Web Authentication)
This section provides an example for configuring Layer 2 IPoE access (web authentication).

Networking Requirements
In web authentication mode, users must enter user names and passwords on a portal page before accessing the Internet.

Figure 9-18 Networking for configuring Layer 2 IPoE access (web authentication)
(Figure: PC - access network - Router; a portal server and a RADIUS server are attached to the Router)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a pre-authentication domain named pre-web and an authentication domain named
after-auth.
2. Configure AAA schemes.
3. Create a RADIUS server group.
4. Configure forcible redirection to a specified web server in the pre-authentication domain
pre-web, and bind a user group that can access only limited resources, authentication
scheme (non-authentication), and accounting scheme (non-accounting) to the domain.
5. Bind an authentication scheme (RADIUS authentication) and accounting scheme
(RADIUS accounting) to the authentication domain after-auth.
6. Configure a pre-authentication domain and authentication domain on a BAS interface.

Procedure
Step 1 Create a pre-authentication domain and an authentication domain.
# Create a pre-authentication domain named pre-web and an authentication domain named
after-auth.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] domain pre-web
[*HUAWEI-aaa-domain-pre-web] commit
[~HUAWEI-aaa-domain-pre-web] quit
[~HUAWEI-aaa] domain after-auth
[*HUAWEI-aaa-domain-after-auth] commit
[~HUAWEI-aaa-domain-after-auth] quit
[~HUAWEI-aaa] quit

Step 2 Configure AAA schemes and a RADIUS server group.

# Configure a RADIUS server group named rd2.
[~HUAWEI] radius-server group rd2
[*HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
[*HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
[*HUAWEI-radius-rd2] radius-server type standard
[*HUAWEI-radius-rd2] radius-server shared-key-cipher Root@1234
[*HUAWEI-radius-rd2] commit
[~HUAWEI-radius-rd2] quit

# Configure an authentication scheme named auth2, with RADIUS authentication specified.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth2
[*HUAWEI-aaa-authen-auth2] authentication-mode radius
[*HUAWEI-aaa-authen-auth2] commit
[~HUAWEI-aaa-authen-auth2] quit

# Configure an accounting scheme named acct2, with RADIUS accounting specified.
[~HUAWEI-aaa] accounting-scheme acct2
[*HUAWEI-aaa-accounting-acct2] accounting-mode radius
[*HUAWEI-aaa-accounting-acct2] commit
[~HUAWEI-aaa-accounting-acct2] quit

# Configure an authentication scheme named auth3, with non-authentication specified. Users in a domain bound to this scheme are not authenticated, so the user group and traffic policy in Step 4 are what confine them.
[~HUAWEI-aaa] authentication-scheme auth3
[*HUAWEI-aaa-authen-auth3] authentication-mode none
[*HUAWEI-aaa-authen-auth3] commit
[~HUAWEI-aaa-authen-auth3] quit

# Configure an accounting scheme named acct3, with non-accounting specified.
[~HUAWEI-aaa] accounting-scheme acct3
[*HUAWEI-aaa-accounting-acct3] accounting-mode none
[*HUAWEI-aaa-accounting-acct3] commit
[~HUAWEI-aaa-accounting-acct3] quit
[~HUAWEI-aaa] quit

Step 3 Configure an address pool.
[~HUAWEI] ip pool pool2 bas local
[*HUAWEI-ip-pool-pool2] gateway 172.16.1.1 255.255.255.0
[*HUAWEI-ip-pool-pool2] section 0 172.16.1.2 172.16.1.200
[*HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
[*HUAWEI-ip-pool-pool2] commit
[~HUAWEI-ip-pool-pool2] quit

Step 4 Configure forcible redirection to a specified web server in the pre-authentication domain pre-web, and bind a user group that can access only limited resources, authentication scheme (non-authentication), and accounting scheme (non-accounting) to the domain.
[~HUAWEI] user-group web-before
[*HUAWEI] aaa
[*HUAWEI-aaa] http-redirect enable
[*HUAWEI-aaa] domain pre-web
[*HUAWEI-aaa-domain-pre-web] authentication-scheme auth3
[*HUAWEI-aaa-domain-pre-web] accounting-scheme acct3
[*HUAWEI-aaa-domain-pre-web] ip-pool pool2
[*HUAWEI-aaa-domain-pre-web] user-group web-before
[*HUAWEI-aaa-domain-pre-web] web-server 192.168.8.251
[*HUAWEI-aaa-domain-pre-web] web-server url http://192.168.8.251
[*HUAWEI-aaa-domain-pre-web] commit
[~HUAWEI-aaa-domain-pre-web] quit
[~HUAWEI-aaa] quit

# Configure a web authentication server.
[~HUAWEI] web-auth-server 192.168.8.251 key webvlan

# Configure web fast reply.
[*HUAWEI] slot 1
[*HUAWEI-slot-1] http-reply enable
[*HUAWEI-slot-1] commit
[~HUAWEI-slot-1] quit

# Configure ACL rules. ACL 6010 is created without rules in this example, so the classifier http-before that references it matches no traffic.
[~HUAWEI] acl number 6004
[*HUAWEI-acl-ucl-6004] rule 3 permit ip source user-group web-before destination user-group web-before
[*HUAWEI-acl-ucl-6004] rule 5 permit ip source user-group web-before destination ip-address any
[*HUAWEI-acl-ucl-6004] quit
[*HUAWEI] acl number 6005
[*HUAWEI-acl-ucl-6005] rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
[*HUAWEI-acl-ucl-6005] rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
[*HUAWEI-acl-ucl-6005] rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
[*HUAWEI-acl-ucl-6005] rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
[*HUAWEI-acl-ucl-6005] rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
[*HUAWEI-acl-ucl-6005] rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
[*HUAWEI-acl-ucl-6005] quit
[*HUAWEI] acl number 6006
[*HUAWEI-acl-ucl-6006] rule 5 permit ip destination user-group web-before
[*HUAWEI-acl-ucl-6006] quit
[*HUAWEI] acl number 6008
[*HUAWEI-acl-ucl-6008] rule 5 permit tcp source user-group web-before destination-port eq www
[*HUAWEI-acl-ucl-6008] rule 10 permit tcp source user-group web-before destination-port eq 8080
[*HUAWEI-acl-ucl-6008] quit
[*HUAWEI] acl number 6010
[*HUAWEI-acl-ucl-6010] commit
[~HUAWEI-acl-ucl-6010] quit

# Configure a traffic policy.
[~HUAWEI] traffic classifier web-out
[*HUAWEI-classifier-web-out] if-match acl 6006
[*HUAWEI-classifier-web-out] commit
[~HUAWEI-classifier-web-out] quit
[~HUAWEI] traffic classifier web-be-permit
[*HUAWEI-classifier-web-be-permit] if-match acl 6005
[*HUAWEI-classifier-web-be-permit] commit
[~HUAWEI-classifier-web-be-permit] quit
[~HUAWEI] traffic classifier http-before
[*HUAWEI-classifier-http-before] if-match acl 6010
[*HUAWEI-classifier-http-before] commit
[~HUAWEI-classifier-http-before] quit
[~HUAWEI] traffic classifier web-be-deny
[*HUAWEI-classifier-web-be-deny] if-match acl 6004
[*HUAWEI-classifier-web-be-deny] commit
[~HUAWEI-classifier-web-be-deny] quit
[~HUAWEI] traffic classifier redirect
[*HUAWEI-classifier-redirect] if-match acl 6008
[*HUAWEI-classifier-redirect] commit
[~HUAWEI-classifier-redirect] quit
[~HUAWEI] traffic behavior http-discard
[*HUAWEI-behavior-http-discard] car cir 0 cbs 0 green pass red discard
[*HUAWEI-behavior-http-discard] commit
[~HUAWEI-behavior-http-discard] quit
[~HUAWEI] traffic behavior web-out
[*HUAWEI-behavior-web-out] deny
[*HUAWEI-behavior-web-out] commit
[~HUAWEI-behavior-web-out] quit
[~HUAWEI] traffic behavior perm1
[*HUAWEI-behavior-perm1] permit
[*HUAWEI-behavior-perm1] commit
[~HUAWEI-behavior-perm1] quit
[~HUAWEI] traffic behavior deny1
[*HUAWEI-behavior-deny1] deny
[*HUAWEI-behavior-deny1] commit
[~HUAWEI-behavior-deny1] quit
[~HUAWEI] traffic behavior redirect
[*HUAWEI-behavior-redirect] http-redirect plus
[*HUAWEI-behavior-redirect] commit
[~HUAWEI-behavior-redirect] quit
[~HUAWEI] traffic policy web-out
[*HUAWEI-policy-web-out] share-mode
[*HUAWEI-policy-web-out] classifier web-be-permit behavior perm1
[*HUAWEI-policy-web-out] classifier web-out behavior web-out
[*HUAWEI-policy-web-out] commit
[~HUAWEI-policy-web-out] quit
[~HUAWEI] traffic policy web
[*HUAWEI-policy-web] share-mode
[*HUAWEI-policy-web] classifier web-be-permit behavior perm1
[*HUAWEI-policy-web] classifier http-before behavior http-discard
[*HUAWEI-policy-web] classifier redirect behavior redirect
[*HUAWEI-policy-web] classifier web-be-deny behavior deny1
[*HUAWEI-policy-web] commit
[~HUAWEI-policy-web] quit

# Apply the traffic policies globally: web to traffic from users, web-out to traffic towards users.
[~HUAWEI] traffic-policy web inbound
[*HUAWEI] traffic-policy web-out outbound
[*HUAWEI] commit

Step 5 Configure the authentication domain after-auth.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain after-auth
[*HUAWEI-aaa-domain-after-auth] authentication-scheme auth2
[*HUAWEI-aaa-domain-after-auth] accounting-scheme acct2
[*HUAWEI-aaa-domain-after-auth] radius-server group rd2
[*HUAWEI-aaa-domain-after-auth] commit
[~HUAWEI-aaa-domain-after-auth] quit
[~HUAWEI-aaa] quit

Step 6 Configure a pre-authentication domain, authentication domain, and authentication method on a BAS interface.
NOTE
Versions earlier than V600R007C00 do not require BAS activation by license. You can directly run the bas enable command in the slot view.
[~HUAWEI] interface GigabitEthernet0/1/0
[*HUAWEI-GigabitEthernet0/1/0] bas
[*HUAWEI-GigabitEthernet0/1/0-bas] access-type layer2-subscriber default-domain pre-authentication pre-web authentication after-auth
[*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method web
[*HUAWEI-GigabitEthernet0/1/0-bas] commit
[~HUAWEI-GigabitEthernet0/1/0-bas] quit
[~HUAWEI-GigabitEthernet0/1/0] quit

----End

Configuration Files
#
sysname HUAWEI
#
license
active bas slot 1
#
user-group web-before
#
slot 1
http-reply enable
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher Root@1234
#
acl number 6004
rule 3 permit ip source user-group web-before destination user-group web-before
rule 5 permit ip source user-group web-before destination ip-address any
#
acl number 6005
rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
#
acl number 6006
rule 5 permit ip destination user-group web-before
#
acl number 6008
rule 5 permit tcp source user-group web-before destination-port eq www
rule 10 permit tcp source user-group web-before destination-port eq 8080
#
acl number 6010
#
traffic classifier web-out operator or
if-match acl 6006
traffic classifier web-be-permit operator or
if-match acl 6005
traffic classifier http-before operator or
if-match acl 6010
traffic classifier web-be-deny operator or
if-match acl 6004
traffic classifier redirect operator or
if-match acl 6008
#
traffic behavior http-discard
car cir 0 cbs 0 green pass red discard
traffic behavior web-out
deny
traffic behavior perm1
traffic behavior deny1
deny
traffic behavior redirect
http-redirect
#
traffic policy web-out
share-mode
classifier web-be-permit behavior perm1
classifier web-out behavior web-out
traffic policy web
share-mode
classifier web-be-permit behavior perm1
classifier http-before behavior http-discard
classifier redirect behavior redirect
classifier web-be-deny behavior deny1
#
ip pool pool2 bas local
gateway 172.16.1.1 255.255.255.0
section 0 172.16.1.2 172.16.1.200
dns-server 192.168.8.252
#
aaa
http-redirect enable
authentication-scheme auth2
authentication-scheme auth3
authentication-mode none
#
accounting-scheme acct2
accounting-scheme acct3
accounting-mode none
#
domain pre-web
authentication-scheme auth3
accounting-scheme acct3
ip-pool pool2
user-group web-before
web-server 192.168.8.251
web-server url http://192.168.8.251
web-server url-parameter

domain after-auth
authentication-scheme auth2
accounting-scheme acct2
radius-server group rd2
#
interface GigabitEthernet0/1/0
bas
access-type layer2-subscriber default-domain pre-authentication pre-web authentication after-auth
authentication-method web
#
traffic-policy web inbound
traffic-policy web-out outbound
#
return

9.9.17 Example for Configuring Layer 2 IPoE Access (Web+MAC Authentication)
This section provides an example for configuring Layer 2 IPoE access (web+MAC authentication).

Applicability
This example applies to ME60 series routers running V600R006C00 or later.

Networking Requirements
Web+MAC authentication is the most common authentication mode for Layer 2 IPoE access.
In web+MAC authentication mode, a user must enter the user name and password on a portal
page when accessing the Internet for the first time. The RADIUS server automatically records
the terminal's MAC address and associates it with the user name. When the user accesses the
Internet again within a certain time, the user does not need to enter the user name and
password again.

The authentication process is as follows:

By default, the user enters the MAC authentication domain. If the user accesses the Internet for the first time, the MAC address is not found on the RADIUS server and the authentication fails. The user is then forcibly switched to the web authentication domain and can access only the web authentication page. On this page, the user enters the user name and password for authentication. After the authentication succeeds, the user enters the authentication domain after-auth and can access the Internet. If the user is not accessing the Internet for the first time, the MAC address is found on the RADIUS server and the authentication succeeds. The user then enters the authentication domain after-auth directly and can access the Internet.
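
The following Python simulation is an added example, not Huawei code or part of this guide; it walks through the domain transitions just described. The RADIUS server's MAC-to-user binding and its validity window (mac_ttl) are modelled as assumptions, since the page only says the binding is honoured "within a certain time"; the user name, password and terminal MAC are constructed. The return-visit step shows the property a practitioner should keep in mind: on a repeat visit the MAC address is the only credential checked, so the length of the validity window is a security parameter, not just a convenience setting.

```python
"""Simulation of the web+MAC authentication flow: mac-auth by default, web-auth
when the MAC is unknown, after-auth after a portal login or a later MAC match.
Added example, not Huawei code. mac_ttl and the MAC cache are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAC_AUTH, WEB_AUTH, AFTER_AUTH = "mac-auth", "web-auth", "after-auth"
Result = Tuple[str, Optional[str]]            # (domain the user ends up in, user name)


@dataclass
class RadiusServer:
    credentials: Dict[str, str]                # user name -> password (constructed data)
    mac_ttl: int = 3600                        # assumption: seconds a MAC binding stays valid
    mac_cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def auth_by_mac(self, mac: str, now: int) -> Optional[str]:
        """MAC authentication: the User-Name is the MAC address itself
        (default-user-name include mac-address on the BRAS)."""
        entry = self.mac_cache.get(mac)
        if entry is None:
            return None
        user, expires = entry
        if now >= expires:
            del self.mac_cache[mac]            # binding aged out: back to the portal
            return None
        return user

    def auth_by_password(self, user: str, password: str, mac: str, now: int) -> bool:
        """Portal (web) authentication; on success the server records MAC -> user."""
        if self.credentials.get(user) != password:
            return False
        self.mac_cache[mac] = (user, now + self.mac_ttl)
        return True


class Bras:
    """Domain selection on the BRAS: the default domain is mac-auth, and
    'authening authen-fail online authen-domain web-auth' moves a user whose
    MAC authentication failed into the web-auth domain instead of dropping them."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius

    def connect(self, mac: str, now: int) -> Result:
        user = self.radius.auth_by_mac(mac, now)
        return (AFTER_AUTH, user) if user else (WEB_AUTH, None)

    def portal_login(self, mac: str, user: str, password: str, now: int) -> Result:
        if self.radius.auth_by_password(user, password, mac, now):
            return AFTER_AUTH, user
        return WEB_AUTH, None


def walkthrough() -> Dict[str, Result]:
    radius = RadiusServer(credentials={"alice@isp1": "Root@123"}, mac_ttl=3600)
    bras = Bras(radius)
    mac = "00e0-fc12-3456"                     # constructed terminal MAC address
    return {
        "first_visit": bras.connect(mac, now=0),                             # unknown MAC -> web-auth
        "bad_login": bras.portal_login(mac, "alice@isp1", "wrong", now=10),  # stays in web-auth
        "login": bras.portal_login(mac, "alice@isp1", "Root@123", now=20),   # after-auth, MAC bound
        "return_visit": bras.connect(mac, now=1000),                         # MAC alone is enough
        "expired": bras.connect(mac, now=20 + 3600),                         # binding aged out
    }


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step:13s} -> {result}")
```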

Figure 9-19 Networking for configuring Layer 2 IPoE access (web+MAC authentication)
(Figure: PC - access network - Router; a portal server and a RADIUS server are attached to the Router)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a MAC authentication domain named mac-auth, a web authentication domain named web-auth, and an authentication domain named after-auth.
2. Configure AAA schemes.
3. Create a RADIUS server group named d, configure the hw-auth-type attribute for authentication request packets in the RADIUS server group, and configure attribute translation to translate the hw-auth-type attribute into Huawei proprietary attribute No. 109.
4. Create an authentication scheme named mac-auth, and configure the user to be redirected to the web authentication domain web-auth when authentication in this scheme fails.
5. Enable MAC authentication in the MAC authentication domain mac-auth, and bind the RADIUS server group d and authentication scheme mac-auth to the domain.
6. Configure forcible redirection to a specified web server in the web authentication domain web-auth, and bind a user group that can access only limited resources, an authentication scheme (non-authentication), and an accounting scheme (non-accounting) to the domain.
7. Bind an authentication scheme (RADIUS authentication) and an accounting scheme (RADIUS accounting) to the authentication domain after-auth.
8. Run the default-user-name include mac-address command in the AAA view to use the MAC address carried in a user's connection request packet directly as the user name.
9. Configure a MAC authentication domain (mac-auth) and authentication domain (after-auth) on a BAS interface.

Procedure
Step 1 Create a MAC authentication domain, a web authentication domain, and an authentication
domain.
# Create a MAC authentication domain named mac-auth, a web authentication domain
named web-auth, and an authentication domain named after-auth.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] domain mac-auth
[*HUAWEI-aaa-domain-mac-auth] quit
[*HUAWEI-aaa] domain web-auth
[*HUAWEI-aaa-domain-web-auth] quit
[*HUAWEI-aaa] domain after-auth
[*HUAWEI-aaa-domain-after-auth] commit
[~HUAWEI-aaa-domain-after-auth] quit
[~HUAWEI-aaa] quit

Step 2 Configure AAA schemes and a RADIUS server group.

# Create a RADIUS server group named d, configure the hw-auth-type attribute for authentication request packets in the RADIUS server group, and configure attribute translation to translate the hw-auth-type attribute into Huawei proprietary attribute No. 109.
[~HUAWEI] radius-server group d
[*HUAWEI-radius-d] radius-server authentication 192.168.7.249 1812
[*HUAWEI-radius-d] radius-server accounting 192.168.7.249 1813
[*HUAWEI-radius-d] radius-server type standard
[*HUAWEI-radius-d] radius-server shared-key-cipher Root@1234
[*HUAWEI-radius-d] radius-attribute include hw-auth-type
[*HUAWEI-radius-d] radius-server attribute translate
[*HUAWEI-radius-d] radius-attribute translate extend hw-auth-type vendor-specific 2011 109 access-request account
[*HUAWEI-radius-d] commit
[~HUAWEI-radius-d] quit

# Configure a RADIUS server group named rd2.
[~HUAWEI] radius-server group rd2
[*HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
[*HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
[*HUAWEI-radius-rd2] radius-server type standard
[*HUAWEI-radius-rd2] radius-server shared-key-cipher Root@1234
[*HUAWEI-radius-rd2] commit
[~HUAWEI-radius-rd2] quit

# Create an authentication scheme named mac-auth, and configure the user to be redirected to the web authentication domain web-auth when authentication in this scheme fails.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme mac-auth
[*HUAWEI-aaa-authen-mac-auth] authening authen-fail online authen-domain web-auth
[*HUAWEI-aaa-authen-mac-auth] commit
[~HUAWEI-aaa-authen-mac-auth] quit

# Configure an authentication scheme named auth2, with RADIUS authentication specified.
[~HUAWEI-aaa] authentication-scheme auth2
[*HUAWEI-aaa-authen-auth2] authentication-mode radius
[*HUAWEI-aaa-authen-auth2] commit
[~HUAWEI-aaa-authen-auth2] quit

# Configure an accounting scheme named acct2, with RADIUS accounting specified.
[~HUAWEI-aaa] accounting-scheme acct2
[*HUAWEI-aaa-accounting-acct2] accounting-mode radius
[*HUAWEI-aaa-accounting-acct2] commit
[~HUAWEI-aaa-accounting-acct2] quit

# Configure an authentication scheme named auth3, with non-authentication specified.
[~HUAWEI-aaa] authentication-scheme auth3
[*HUAWEI-aaa-authen-auth3] authentication-mode none
[*HUAWEI-aaa-authen-auth3] commit
[~HUAWEI-aaa-authen-auth3] quit

# Configure an accounting scheme named acct3, with non-accounting specified.
[~HUAWEI-aaa] accounting-scheme acct3
[*HUAWEI-aaa-accounting-acct3] accounting-mode none
[*HUAWEI-aaa-accounting-acct3] commit
[~HUAWEI-aaa-accounting-acct3] quit
[~HUAWEI-aaa] quit

Step 3 Configure an address pool.
[~HUAWEI] ip pool pool2 bas local
[*HUAWEI-ip-pool-pool2] gateway 172.16.1.1 255.255.255.0
[*HUAWEI-ip-pool-pool2] section 0 172.16.1.2 172.16.1.200
[*HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
[*HUAWEI-ip-pool-pool2] commit
[~HUAWEI-ip-pool-pool2] quit

Step 4 Enable MAC authentication in the MAC authentication domain mac-auth, and bind the RADIUS server group d and authentication scheme mac-auth to the domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain mac-auth
[*HUAWEI-aaa-domain-mac-auth] radius-server group d
[*HUAWEI-aaa-domain-mac-auth] authentication-scheme mac-auth
[*HUAWEI-aaa-domain-mac-auth] accounting-scheme acct2
[*HUAWEI-aaa-domain-mac-auth] ip-pool pool2
[*HUAWEI-aaa-domain-mac-auth] mac-authentication enable
[*HUAWEI-aaa-domain-mac-auth] commit
[~HUAWEI-aaa-domain-mac-auth] quit
[~HUAWEI-aaa] quit

Step 5 Configure forcible redirection to a specified web server in the web authentication domain web-auth, and bind a user group that can access only limited resources, authentication scheme (non-authentication), and accounting scheme (non-accounting) to the domain.
[~HUAWEI] user-group web-before
[*HUAWEI] aaa
[*HUAWEI-aaa] http-redirect enable
[*HUAWEI-aaa] domain web-auth
[*HUAWEI-aaa-domain-web-auth] authentication-scheme auth3
[*HUAWEI-aaa-domain-web-auth] accounting-scheme acct3
[*HUAWEI-aaa-domain-web-auth] ip-pool pool2
[*HUAWEI-aaa-domain-web-auth] user-group web-before
[*HUAWEI-aaa-domain-web-auth] web-server 192.168.8.251
[*HUAWEI-aaa-domain-web-auth] web-server url http://192.168.8.251
[*HUAWEI-aaa-domain-web-auth] commit
[~HUAWEI-aaa-domain-web-auth] quit
[~HUAWEI-aaa] quit

# Configure a web authentication server.
[~HUAWEI] web-auth-server 192.168.8.251 key webvlan

# Configure web fast reply.
[*HUAWEI] slot 1
[*HUAWEI-slot-1] http-reply enable
[*HUAWEI-slot-1] commit
[~HUAWEI-slot-1] quit

# Configure ACL rules. ACL 6010 is created without rules in this example, so the classifier http-before that references it matches no traffic.
[~HUAWEI] acl number 6004
[*HUAWEI-acl-ucl-6004] rule 3 permit ip source user-group web-before destination user-group web-before
[*HUAWEI-acl-ucl-6004] rule 5 permit ip source user-group web-before destination ip-address any
[*HUAWEI-acl-ucl-6004] quit
[*HUAWEI] acl number 6005
[*HUAWEI-acl-ucl-6005] rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
[*HUAWEI-acl-ucl-6005] rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
[*HUAWEI-acl-ucl-6005] rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
[*HUAWEI-acl-ucl-6005] rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
[*HUAWEI-acl-ucl-6005] rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
[*HUAWEI-acl-ucl-6005] rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
[*HUAWEI-acl-ucl-6005] quit
[*HUAWEI] acl number 6006
[*HUAWEI-acl-ucl-6006] rule 5 permit ip destination user-group web-before
[*HUAWEI-acl-ucl-6006] quit
[*HUAWEI] acl number 6008
[*HUAWEI-acl-ucl-6008] rule 5 permit tcp source user-group web-before destination-port eq www
[*HUAWEI-acl-ucl-6008] rule 10 permit tcp source user-group web-before destination-port eq 8080
[*HUAWEI-acl-ucl-6008] quit
[*HUAWEI] acl number 6010
[*HUAWEI-acl-ucl-6010] commit
[~HUAWEI-acl-ucl-6010] quit

# Configure a traffic policy.


[*HUAWEI] traffic classifier web-out
[*HUAWEI-classifier-web-out] if-match acl 6006
[~HUAWEI-classifier-web-out] quit
[*HUAWEI] traffic classifier web-be-permit
[*HUAWEI-classifier-web-be-permit] if-match acl 6005
[~HUAWEI-classifier-web-be-permit] quit
[*HUAWEI] traffic classifier http-before
[*HUAWEI-classifier-http-before] if-match acl 6010
[~HUAWEI-classifier-http-before] quit
[*HUAWEI] traffic classifier web-be-deny
[*HUAWEI-classifier-web-be-deny] if-match acl 6004
[~HUAWEI-classifier-web-be-deny] quit
[*HUAWEI] traffic classifier redirect
[*HUAWEI-classifier-redirect] if-match acl 6008
[~HUAWEI-classifier-redirect] quit
[*HUAWEI] traffic behavior http-discard
[*HUAWEI-behavior-http-discard] car cir 0 cbs 0 green pass red discard
[~HUAWEI-behavior-http-discard] quit
[*HUAWEI] traffic behavior web-out
[*HUAWEI-behavior-web-out] deny
[~HUAWEI-behavior-web-out] quit
[*HUAWEI] traffic behavior perm1
[*HUAWEI-behavior-perm1] permit
[~HUAWEI-behavior-perm1] quit
[*HUAWEI] traffic behavior deny1
[*HUAWEI-behavior-deny1] deny
[~HUAWEI-behavior-deny1] quit
[*HUAWEI] traffic behavior redirect
[*HUAWEI-behavior-redirect] http-redirect plus
[~HUAWEI-behavior-redirect] quit
[*HUAWEI] traffic policy web-out
[*HUAWEI-policy-web-out] share-mode
[*HUAWEI-policy-web-out] classifier web-be-permit behavior perm1
[*HUAWEI-policy-web-out] classifier web-out behavior web-out
[~HUAWEI-policy-web-out] quit
[*HUAWEI] traffic policy web
[*HUAWEI-policy-web] share-mode
[*HUAWEI-policy-web] classifier web-be-permit behavior perm1
[*HUAWEI-policy-web] classifier http-before behavior http-discard
[*HUAWEI-policy-web] classifier redirect behavior redirect
[*HUAWEI-policy-web] classifier web-be-deny behavior deny1
[*HUAWEI-policy-web] commit
[~HUAWEI-policy-web] quit

# Apply the traffic policy globally.
[*HUAWEI] traffic-policy web inbound
[*HUAWEI] traffic-policy web-out outbound

Step 6 Configure the authentication domain after-auth.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain after-auth
[*HUAWEI-aaa-domain-after-auth] authentication-scheme auth2
[*HUAWEI-aaa-domain-after-auth] accounting-scheme acct2
[*HUAWEI-aaa-domain-after-auth] radius-server group rd2
[*HUAWEI-aaa-domain-after-auth] commit
[~HUAWEI-aaa-domain-after-auth] quit
[~HUAWEI-aaa] quit

Step 7 Run the default-user-name include mac-address command in the AAA view to directly use
the MAC address carried in a user connection request packet as the user name.
[~HUAWEI] aaa
[~HUAWEI-aaa] default-user-name include mac-address -
[*HUAWEI-aaa] default-password simple Root@123
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 8 Configure a MAC authentication domain, authentication domain, and authentication method
on a BAS interface.
[~HUAWEI] license
[*HUAWEI-license] active bas slot 1
[*HUAWEI-license] commit
[~HUAWEI-license] quit

NOTE

Versions earlier than V600R007C00 do not require BAS activation by license. You can directly run the
bas enable command in the slot view.
[~HUAWEI] interface GigabitEthernet0/1/0
[~HUAWEI-GigabitEthernet0/1/0] bas
[*HUAWEI-GigabitEthernet0/1/0-bas] access-type layer2-subscriber default-domain
pre-authentication mac-auth authentication after-auth
[*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method web

----End

Configuration Files
#
sysname HUAWEI

#
license
active bas slot 1
#
user-group web-before
#
slot 1
http-reply enable
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher Root@1234
#
radius-server group d
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server shared-key-cipher Root@1234
radius-server attribute translate
radius-attribute include HW-Auth-Type
radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account
#
acl number 6004
rule 3 permit ip source user-group web-before destination user-group web-before
rule 5 permit ip source user-group web-before destination ip-address any
#
acl number 6005
rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
#
acl number 6006
rule 5 permit ip destination user-group web-before
#
acl number 6008
rule 5 permit tcp source user-group web-before destination-port eq www
rule 10 permit tcp source user-group web-before destination-port eq 8080
#
acl number 6010
#
traffic classifier web-out operator or
if-match acl 6006
traffic classifier web-be-permit operator or
if-match acl 6005
traffic classifier http-before operator or
if-match acl 6010
traffic classifier web-be-deny operator or
if-match acl 6004
traffic classifier redirect operator or
if-match acl 6008
#
traffic behavior http-discard
car cir 0 cbs 0 green pass red discard
traffic behavior web-out
deny
traffic behavior perm1
traffic behavior deny1
deny
traffic behavior redirect
http-redirect
#
traffic policy web-out
share-mode
classifier web-be-permit behavior perm1
classifier web-out behavior web-out
traffic policy web
share-mode
classifier web-be-permit behavior perm1
classifier http-before behavior http-discard
classifier redirect behavior redirect
classifier web-be-deny behavior deny1
#
ip pool pool2 bas local
gateway 172.16.1.1 255.255.255.0
section 0 172.16.1.2 172.16.1.200
dns-server 192.168.8.252
#
aaa
http-redirect enable
default-user-name include mac-address -
authentication-scheme auth2
authentication-scheme auth3
authentication-mode none
authentication-scheme mac-auth
authening authen-fail online authen-domain web-auth
#
accounting-scheme acct2
accounting-scheme acct3
accounting-mode none
#
domain mac-auth
authentication-scheme mac-auth
accounting-scheme acct2
ip-pool pool2
mac-authentication enable
radius-server group d
domain web-auth
authentication-scheme auth3
accounting-scheme acct3
ip-pool pool2
user-group web-before
web-server 192.168.8.251
web-server url http://192.168.8.251
web-server url-parameter

domain after-auth
authentication-scheme auth2
accounting-scheme acct2
radius-server group rd2
#
interface GigabitEthernet0/1/0
bas
#
access-type layer2-subscriber default-domain pre-authentication mac-auth authentication after-auth
authentication-method web
#
traffic-policy web inbound
traffic-policy web-out outbound

9.9.18 Example for Configuring WLAN User Access Based on RADIUS Proxy Authentication
This section provides an example for configuring WLAN user access based on RADIUS
proxy authentication.

Networking Requirements
On the network shown in Figure 9-20, when WLAN users access the Internet, EAP packets
are used for RADIUS authentication on the AC. The Router is then used for RADIUS
accounting. The user access process is as follows:
1. A WLAN user sends an EAP packet to the AC. The AC terminates the EAP packet and
sends a RADIUS packet to the Router.
2. The Router functions as a RADIUS proxy. The Router listens to authentication
packets sent from the AC to the RADIUS server and forwards them to the RADIUS
server, and listens to authentication response packets sent by the RADIUS server and
forwards them to the AC. In the proxy process, the Router saves the authorization
information delivered by the RADIUS server to the user account.
3. After the authentication is successful, the user sends a DHCP packet to the Router to
obtain an IP address. During address obtainment, the Router queries the authorization
information saved for the user account in the proxy process based on the user's MAC
address. If the user account's authorization information exists, the Router assigns an idle
IP address to the user and uses the saved authorization information to authorize the user.
In addition, the Router sends an accounting start packet to the RADIUS server for user
accounting.
4. The Router directly responds to accounting packets sent by the AC without sending them
to the RADIUS server.
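The four-step exchange above, modelled end to end as an added example (Python code written for this page, not part of the Huawei guide or of the NE40E software). It assumes constructed shared keys (server-key for the RADIUS server group and ac-key for the key set with radius-client), a constructed MAC address and Request Authenticator, and a pool of 172.30.0.x addresses like pool a in the Procedure below. The modelled Router keeps the authorization carried in the server's Access-Accept keyed by Calling-Station-Id (the user's MAC address), hands out an address and sends Accounting-Start to the server only for a MAC with saved authorization, and answers the AC's own Accounting-Request locally. Two checks that the text leaves implicit are written out: the Router verifies the server's Response Authenticator with the server group key before accepting it, and because the AC shares a different key with the Router than the server does, the response is re-signed with the radius-client key before it is forwarded to the AC.

```python
import hashlib
import hmac
import struct
# RADIUS codes and attribute types used below (values from RFC 2865/2866)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 2, 4, 5
CLASS, CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_START = 25, 31, 40, 1
ZERO_AUTH = bytes(16)   # authenticator field of an accounting request before signing

def encode(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet from (type, value) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    """Parse a RADIUS packet, rejecting truncated or overlapping attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs

def sign(pkt, request_auth, secret):
    """Fill in the authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    digest = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + digest + pkt[20:]

def verify(pkt, request_auth, secret):
    """Constant-time check of the authenticator; a wrong shared key fails here."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

class RadiusProxyRouter:
    """The Router's role in Figure 9-20 (hypothetical model, not the NE40E code)."""
    def __init__(self, server_secret, client_secret, pool):
        self.server_secret = server_secret   # key of the RADIUS server group
        self.client_secret = client_secret   # key set with radius-client for the AC
        self.pool = list(pool)               # free addresses of the BAS pool
        self.pending = {}                    # identifier -> (request auth, MAC)
        self.authorization = {}              # MAC -> attributes from Access-Accept

    def from_ac(self, pkt):
        """Packet from the AC; returns (packet for the server, reply for the AC)."""
        code, ident, auth, attrs = decode(pkt)
        if code == ACCESS_REQUEST:                   # step 2: forward, remember the MAC
            mac = dict(attrs).get(CALLING_STATION_ID, b"").decode()
            self.pending[ident] = (auth, mac)
            return pkt, None
        if code == ACCOUNTING_REQUEST:               # step 4: answered locally
            if not verify(pkt, ZERO_AUTH, self.client_secret):
                return None, None                    # wrong AC key: drop
            reply = encode(ACCOUNTING_RESPONSE, ident, ZERO_AUTH, [])
            return None, sign(reply, auth, self.client_secret)
        return None, None

    def from_server(self, pkt):
        """Server response: verify with the server key, cache it, re-sign for the AC."""
        code, ident, _, attrs = decode(pkt)
        request_auth, mac = self.pending.pop(ident, (None, None))
        if request_auth is None or not verify(pkt, request_auth, self.server_secret):
            return None                              # unsolicited or bad key: drop
        if code == ACCESS_ACCEPT and mac:
            self.authorization[mac] = attrs          # saved to the user account
        return sign(pkt, request_auth, self.client_secret)  # the AC has its own key

    def dhcp_trigger(self, mac):
        """Step 3: DHCP from an authorized MAC gets an address and an Accounting-Start."""
        if mac not in self.authorization or not self.pool:
            return None                              # unknown MAC: no address, no accounting
        ip = self.pool.pop(0)
        attrs = [(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
                 (CALLING_STATION_ID, mac.encode())] + self.authorization[mac]
        acct = encode(ACCOUNTING_REQUEST, 1, ZERO_AUTH, attrs)
        return ip, sign(acct, ZERO_AUTH, self.server_secret)

def run_exchange():
    """Walk one constructed user through steps 1-4 and report what happened."""
    router = RadiusProxyRouter(b"server-key", b"ac-key", [f"172.30.0.{h}" for h in range(2, 255)])
    mac, req_auth = "02-00-00-00-00-01", bytes(range(16))   # constructed MAC and request auth
    req = encode(ACCESS_REQUEST, 7, req_auth, [(CALLING_STATION_ID, mac.encode())])
    to_server, _ = router.from_ac(req)
    # the server's Access-Accept carries a Class attribute and is signed with the server key
    accept = sign(encode(ACCESS_ACCEPT, 7, ZERO_AUTH, [(CLASS, b"gold")]), to_server[4:20], b"server-key")
    to_ac = router.from_server(accept)
    assigned = router.dhcp_trigger(mac)
    acct_from_ac = sign(encode(ACCOUNTING_REQUEST, 9, ZERO_AUTH, []), ZERO_AUTH, b"ac-key")
    forwarded, local_reply = router.from_ac(acct_from_ac)
    return {
        "accept_valid_for_ac": bool(to_ac) and verify(to_ac, req_auth, b"ac-key"),
        "assigned_ip": assigned[0] if assigned else None,
        "acct_start_valid": bool(assigned) and verify(assigned[1], ZERO_AUTH, b"server-key"),
        "ac_acct_forwarded": forwarded is not None,
        "ac_acct_answered": bool(local_reply) and verify(local_reply, acct_from_ac[4:20], b"ac-key"),
        "unknown_mac_assigned": router.dhcp_trigger("02-00-00-00-00-99") is not None,
    }
```

run_exchange() returns the outcome of each step; an Access-Accept that fails verification, an accounting packet from the AC signed with the wrong key, and a DHCP request from a MAC that never authenticated all end without an address or a forwarded packet. The model keys pending requests by RADIUS identifier alone, which is enough for a single AC; a proxy serving several ACs also keys on the AC's source address, which is what the radius-client address in Step 3 identifies.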

Figure 9-20 Networking for configuring WLAN user access based on RADIUS proxy
authentication

(Figure 9-20 elements: RADIUS server, Internet, Router, AC, L2 Switch, AP, AP)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server group, an authentication scheme, an accounting scheme,
and an address pool.
2. Bind the RADIUS server group, authentication scheme, accounting scheme, and address
pool to the domain.
3. Configure the RADIUS proxy function.
4. Configure BAS access on an interface.
5. Configure an IP address for AC access on an interface.
NOTE

By default, the Router can listen to RADIUS packets through ports 1812, 1813, 1645, 1646, and 3799.
To use another port to listen to RADIUS packets, run the radius-server extended-source-ports port-number port-number command in the system view to specify a listening port.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the RADIUS authentication server
l IP address of the RADIUS accounting server
l Interface IP address for the AC to send RADIUS packets

Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, an accounting scheme, and an
address pool.
# Configure a RADIUS server group named shiva.
<HUAWEI> system-view
[~HUAWEI] radius-server group shiva
[*HUAWEI-radius-shiva] radius-server authentication 10.1.123.151 1812
[*HUAWEI-radius-shiva] radius-server accounting 10.1.123.151 1813
[*HUAWEI-radius-shiva] commit
[~HUAWEI-radius-shiva] quit

# Configure a local IP address pool named a.
[~HUAWEI] ip pool a bas local
[*HUAWEI-ip-pool-a] gateway 172.30.0.1 24
[*HUAWEI-ip-pool-a] section 0 172.30.0.2 172.30.0.254
[*HUAWEI-ip-pool-a] commit
[~HUAWEI-ip-pool-a] quit

# Configure an authentication scheme named rdp, with RADIUS proxy authentication specified.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme rdp
[*HUAWEI-aaa-authen-rdp] authentication-mode radius-proxy
[*HUAWEI-aaa-authen-rdp] commit
[~HUAWEI-aaa-authen-rdp] quit

# Configure an accounting scheme named rds, with RADIUS accounting specified.
[*HUAWEI-aaa] accounting-scheme rds
[*HUAWEI-aaa-accounting-rds] accounting-mode radius
[*HUAWEI-aaa-accounting-rds] commit
[~HUAWEI-aaa-accounting-rds] quit

Step 2 Configure a domain named radiusproxy, and bind the authentication scheme rdp, accounting
scheme rds, and RADIUS server group shiva to the domain.
[~HUAWEI-aaa] domain radiusproxy
[*HUAWEI-aaa-domain-radiusproxy] authentication-scheme rdp
[*HUAWEI-aaa-domain-radiusproxy] accounting-scheme rds
[*HUAWEI-aaa-domain-radiusproxy] radius-server group shiva
[*HUAWEI-aaa-domain-radiusproxy] ip-pool a
[*HUAWEI-aaa-domain-radiusproxy] commit
[~HUAWEI-aaa-domain-radiusproxy] quit
[~HUAWEI-aaa] quit

Step 3 Configure RADIUS proxy.
[*HUAWEI] radius-client 10.1.0.201 server-group shiva shared-key-cipher !QAZ2wsx

NOTE

The IP address configured after radius-client is the interface IP address for the AC to send RADIUS
packets. In this example, the RADIUS server group bound to the domain is the same as that for
RADIUS proxy. In practice, the RADIUS server group bound to a domain may be different from that for
RADIUS proxy.

Step 4 Configure an IP address for AC access.
[~HUAWEI] interface GigabitEthernet 0/1/2
[*HUAWEI-GigabitEthernet0/1/2] ip address 10.1.0.197 8
[*HUAWEI-GigabitEthernet0/1/2] commit
[~HUAWEI-GigabitEthernet0/1/2] quit

NOTE

This IP address is used for AC access. RADIUS authentication packets sent by the AC should be sent to
this address. If the Router has another IP address connected to the AC, you may not configure the IP
address.

Step 5 Configure BAS access on an interface.
[~HUAWEI] license
[*HUAWEI-license] active bas slot 1
[*HUAWEI-license] commit
[~HUAWEI-license] quit
[~HUAWEI] interface GigabitEthernet 0/1/1
[*HUAWEI-GigabitEthernet0/1/1] bas
[*HUAWEI-GigabitEthernet0/1/1-bas] access-type layer2-subscriber default-domain
authentication radiusproxy
[*HUAWEI-GigabitEthernet0/1/1-bas] authentication-method bind

NOTE

The BAS access configuration on an interface in RADIUS proxy scenarios is the same as that in IPoE
access scenarios. RADIUS proxy applies only to IPoE users and not PPPoE users.

Step 6 Verify the configuration.
Run the display radius-server configuration group shiva command on the Router to check
RADIUS server group configurations.
[*HUAWEI-radius-shiva] display radius-server configuration group shiva
-------------------------------------------------------
Server-group-name : shiva
Authentication-server: IP:10.1.123.151 Port:1812 Weight[0] [UP]
Vpn: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Accounting-server : IP:10.1.123.151 Port:1813 Weight[0] [UP]
Vpn: -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Protocol-version : radius
Shared-secret-key : ******
Retransmission : 3
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
Traffic-unit : B
ClassAsCar : NO
User-name-format : Domain-included
Option82 parse mode : -
Attribute-translation: NO
Packet send algorithm: Master-Backup
Tunnel password : cipher

Run the display domain command on the Router to check domain configurations.
[*HUAWEI-aaa] display domain radiusproxy
------------------------------------------------------------------------------
Domain-name : radiusproxy
Domain-state : Active
Authentication-scheme-name : rdp
Accounting-scheme-name : rds
Authorization-scheme-name : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-DNS-IPV6-address : -
Second-DNS-IPV6-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Time-range : Disable
Idle-cut direction : Both
Idle-data-attribute (time,flow) : 0, 60
User detect interval : 0s
User detect retransmit times : 0
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : default
User-access-limit : 283648
Online-number : 0
Web-IP-address : -
Web-URL : -
Web-auth-server : -
Web-auth-state : -
Web-server-mode : get
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
Service-policy(Portal) : -
PPPoE-user-URL : Disable
AdminUser-priority : 16
IPUser-ReAuth-Time : 300s
mscg-name-portal-key : -
Portal-user-first-url-key : -
User-session-limit : 4294967295
Ancp auto qos adapt : Disable
L2TP-group-name : -
User-lease-time-no-response : 0s
RADIUS-server-template : shiva
Two-acct-template : -
RADIUS-server-pre-template : -
-
-
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disable
Qos-profile-name inbound : -
Qos-profile-name outbound : -

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IP-warning-threshold(Low) : -
IPv6-warning-threshold : -
IPv6-warning-threshold(Low) : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IP-address-pool-name : a
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
IPv6-PPP-NDRA-halt : Disable
IPv6-PPP-NDRA-unicast : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : Enable
Reallocate-ip-address : Disable
Cui enable : Disable
Igmp enable : Enable
L2tp-user radius-force : Disable
Accounting dual-stack : Separate
Radius server domain-annex : -
Dhcp-option64-service : Disable
Parse-separator : -
Parse-segment-value : -
Dhcp-receive-server-packet : -
Http-hostcar : Disable
Public-address assign-first : Disable
Public-address nat : Enable
Dhcp-user auto-save : Disable
IP-pool usage-status threshold : 255 , 255
Select-Pool-Rule : gateway + local priority
AFTR name : -
Traffic-rate-mode : Separate
Traffic-statistic-mode : Separate
Rate-limit-mode-inbound : Car
Rate-limit-mode-outbound : Car
Service-change-mode : Stop-start
DAA Direction : both
------------------------------------------------------------------------------

Run the display radius-client configuration command on the Router to check RADIUS
proxy configurations.
[*HUAWEI] display radius-client configuration
-----------------------------------------------------------------------------
IP-Address      VPN-instance  Shared-key  Group  Domain-authorization  Roam-domain
-----------------------------------------------------------------------------
10.1.0.201      --            ******      shiva  NO                    --

-----------------------------------------------------------------------------
1 Radius client(s) in total

----End

Configuration Files
#
sysname HUAWEI
#
license
active bas slot 1
#
radius-server group shiva
radius-server authentication 10.1.123.151 1812 weight 0
radius-server accounting 10.1.123.151 1813 weight 0
#
aaa
authentication-scheme rdp
authentication-mode radius-proxy
#
accounting-scheme rds
accounting-mode radius
#
domain radiusproxy
authentication-scheme rdp
accounting-scheme rds
radius-server group shiva
ip-pool a
#
interface GigabitEthernet 0/1/2
undo shutdown
ip address 10.1.0.197 255.0.0.0
#
interface GigabitEthernet 0/1/1
undo shutdown
bas
#
access-type layer2-subscriber default-domain authentication radiusproxy
authentication-method bind
#
#
ip pool a bas local
gateway 172.30.0.1 255.255.255.0
section 0 172.30.0.2 172.30.0.254
#
return

9.9.19 Example for Configuring Dumb Terminal Access Based on a VLAN ID
This section provides an example for configuring dumb terminal access based on a VLAN ID.

Networking Requirements
Dumb terminals refer to printers and access control devices on a campus network. Generally,
these devices are not assigned IP addresses. Dumb terminals access the Internet in static user
mode, and authentication based on a sub-interface's VLAN ID is used.
On the network shown in Figure 9-21, the printer accesses the Router through GE 0/1/2.1 in
static user mode. The fixed IP address is 172.192.0.8.

Figure 9-21 Networking for configuring dumb terminal access based on a VLAN ID
NOTE

Interface1 and Interface2 in this example are GE 0/1/2.1 and GE 0/1/1, respectively.

(Figure 9-21 elements: Interface1 (172.192.0.8), Router, Interface2 (192.168.8.1), Internet)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an authentication scheme, with local authentication specified.
2. Configure an address pool, with the IP address 172.192.0.8 reserved for the printer.
3. Configure an authentication domain named printer.
4. Configure a BAS interface, with the default authentication domain set to printer.
5. Configure a static user.

Data Preparation
To complete the configuration, you need the following data:
l Authentication scheme name and authentication mode
l Address pool name, gateway address, and DNS server address
l Domain name
l BAS interface parameters

Procedure
Step 1 Configure an authentication scheme, with local authentication specified.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme local
[*HUAWEI-aaa-authen-local] authentication-mode local
[*HUAWEI-aaa-authen-local] commit
[~HUAWEI-aaa-authen-local] quit

Step 2 Configure the user name format and password.
[*HUAWEI-aaa] default-user-name include ip-address
[*HUAWEI-aaa] default-password cipher Root@123
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 3 Configure a local account.
[~HUAWEI] local-aaa-server
[*HUAWEI-local-aaa-server] user 172.192.0.8@printer password cipher Root@123 authentication-type b
[*HUAWEI-local-aaa-server] commit
[~HUAWEI-local-aaa-server] quit

Step 4 Configure an address pool.
[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 172.192.0.1 255.255.255.0
[*HUAWEI-ip-pool-pool1] section 0 172.192.0.2 172.192.0.200
[*HUAWEI-ip-pool-pool1] excluded-ip-address 172.192.0.8
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit

Step 5 Configure a domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain printer
[*HUAWEI-aaa-domain-printer] authentication-scheme local
[*HUAWEI-aaa-domain-printer] accounting-scheme default0
[*HUAWEI-aaa-domain-printer] ip-pool pool1
[*HUAWEI-aaa-domain-printer] commit
[~HUAWEI-aaa-domain-printer] quit
[~HUAWEI-aaa] quit

Step 6 Configure a BAS interface.

NOTE

Versions earlier than V600R007C00 do not require BAS activation by license. You can directly run the
bas enable command in the slot view.
[~HUAWEI] interface GigabitEthernet 0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] user-vlan 100
[~HUAWEI-GigabitEthernet0/1/2.1-vlan-100-100] quit
[*HUAWEI-GigabitEthernet0/1/2.1] bas
[*HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/2.1-bas] default-domain authentication printer
[*HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method bind
[*HUAWEI-GigabitEthernet0/1/2.1-bas] ip-trigger
[*HUAWEI-GigabitEthernet0/1/2.1-bas] arp-trigger
[*HUAWEI-GigabitEthernet0/1/2.1-bas] commit
[~HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[~HUAWEI-GigabitEthernet0/1/2.1] quit

NOTE

In this example, binding authentication is configured. A user name and password for authentication are
automatically generated. The automatically generated user name and password must be the same as the
created local user name and password because local authentication is used. The user name and password
configured using the default-user-name and default-password commands in the AAA view are used as
the automatically generated user name and password. For details, see "Configuration Files."

Step 7 Configure a static user.
[*HUAWEI] static-user 172.192.0.8 interface GigabitEthernet 0/1/2.1 vlan 100 detect
[*HUAWEI] static-user detect interval 1

Step 8 Verify the configuration.
After completing the preceding configurations, run the display access-user domain
command to check that the user in the domain goes online properly.
<HUAWEI> display access-user domain printer
------------------------------------------------------------------------------
UserID  Username              Interface   IP address    MAC             IPv6 address
------------------------------------------------------------------------------
20      172.192.0.8@printer   GE0/1/2.1   172.192.0.8   0002-0101-0101  -
------------------------------------------------------------------------------
Total users : 1

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet0/1/2.1
user-vlan 100
bas
access-type layer2-subscriber default-domain authentication printer
ip-trigger
arp-trigger
authentication-method bind
#
ip pool pool1 bas local
gateway 172.192.0.1 255.255.255.0
section 0 172.192.0.2 172.192.0.200
excluded-ip-address 172.192.0.8
#
aaa
default-user-name include ip-address
default-password cipher Root@123
authentication-scheme local
authentication-mode local
domain printer
authentication-scheme local
accounting-scheme default0
ip-pool pool1
#
local-aaa-server
user 172.192.0.8@printer password cipher Root@123 authentication-type B
#
static-user 172.192.0.8 172.192.0.8 interface GigabitEthernet0/1/2.1 vlan 100 detect
static-user detect interval 1
#
return

9.9.20 Example for Configuring Dumb Terminal Access Based on a MAC Address
This section provides an example for configuring dumb terminal access based on a MAC
address.

Networking Requirements
Dumb terminals refer to printers and access control devices on a campus network. Generally,
these devices are not assigned IP addresses. Dumb terminals access the Internet in static user
mode, and authentication based on MAC addresses is used.

On the network shown in Figure 9-22, the printer accesses the Router through GE 0/1/2.

Figure 9-22 Networking for configuring dumb terminal access based on a MAC address
NOTE

Interface1 and Interface2 in this example are GE 0/1/2 and GE 0/1/1, respectively.

(Figure 9-22 elements: Interface1 (172.192.0.8), Router, Interface2 (192.168.8.1), Internet)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an authentication scheme, with local authentication specified.
2. Configure an address pool, with the IP address 172.192.0.8 reserved for the printer.
3. Configure an authentication domain named printer.
4. Configure a BAS interface, with the user access mode set to Layer 2 common user
access and the default authentication domain set to printer.
5. Configure a static user.

Data Preparation
To complete the configuration, you need the following data:
l Authentication scheme name and authentication mode
l Address pool name, gateway address, and DNS server address
l Domain name
l BAS interface parameters

Procedure
Step 1 Configure an authentication scheme.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme local
[*HUAWEI-aaa-authen-local] authentication-mode local
[*HUAWEI-aaa-authen-local] commit
[~HUAWEI-aaa-authen-local] quit

Step 2 Configure the user name format and password.
[*HUAWEI-aaa] default-user-name include ip-address
[*HUAWEI-aaa] default-password cipher Root@123
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 3 Configure a local account.
[~HUAWEI] local-aaa-server
[*HUAWEI-local-aaa-server] user 172.192.0.8@printer password cipher Root@123 authentication-type b
[*HUAWEI-local-aaa-server] commit
[~HUAWEI-local-aaa-server] quit

Step 4 Configure an address pool.
[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 172.192.0.1 255.255.255.0
[*HUAWEI-ip-pool-pool1] section 0 172.192.0.2 172.192.0.200
[*HUAWEI-ip-pool-pool1] excluded-ip-address 172.192.0.8
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit

Step 5 Configure a domain.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain printer
[*HUAWEI-aaa-domain-printer] authentication-scheme local
[*HUAWEI-aaa-domain-printer] accounting-scheme default0
[*HUAWEI-aaa-domain-printer] ip-pool pool1
[*HUAWEI-aaa-domain-printer] commit
[~HUAWEI-aaa-domain-printer] quit
[~HUAWEI-aaa] quit

Step 6 Configure a BAS interface.

NOTE

Versions earlier than V600R007C00 do not require BAS activation by license. You can directly run the
bas enable command in the slot view.
[~HUAWEI] interface GigabitEthernet 0/1/2
[*HUAWEI-GigabitEthernet0/1/2] bas
[*HUAWEI-GigabitEthernet0/1/2-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/2-bas] default-domain authentication printer
[*HUAWEI-GigabitEthernet0/1/2-bas] authentication-method bind
[*HUAWEI-GigabitEthernet0/1/2-bas] ip-trigger
[*HUAWEI-GigabitEthernet0/1/2-bas] arp-trigger
[*HUAWEI-GigabitEthernet0/1/2-bas] commit
[~HUAWEI-GigabitEthernet0/1/2-bas] quit
[~HUAWEI-GigabitEthernet0/1/2] quit

NOTE

In this example, binding authentication is configured. A user name and password for authentication are
automatically generated. The automatically generated user name and password must be the same as the
created local user name and password because local authentication is used. The user name and password
configured using the default-user-name and default-password commands in the AAA view are used as
the automatically generated user name and password. For details, see "Configuration Files."

Step 7 Configure a static user. If the network has multiple printers, perform the following
configuration for each printer.
[*HUAWEI] static-user 172.192.0.8 gateway 172.192.0.1 interface GigabitEthernet 0/1/2 mac-address 0026-73b5-dfc8 domain-name printer detect
[*HUAWEI] static-user detect interval 1

Step 8 Verify the configuration.
After completing the preceding configurations, run the display access-user domain
command to check that the user in the domain goes online properly.
<HUAWEI> display access-user domain printer
------------------------------------------------------------------------------
UserID  Username              Interface   IP address    MAC             IPv6 address
------------------------------------------------------------------------------
20      172.192.0.8@printer   GE0/1/2     172.192.0.8   0026-73b5-dfc8  -
------------------------------------------------------------------------------
Total users : 1

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet0/1/2
bas
access-type layer2-subscriber default-domain authentication printer
ip-trigger
arp-trigger
authentication-method bind
#
ip pool pool1 bas local
gateway 172.192.0.1 255.255.255.0
section 0 172.192.0.2 172.192.0.200
excluded-ip-address 172.192.0.8
#
aaa
default-user-name include ip-address
default-password cipher Root@123
authentication-scheme local
authentication-mode local
domain printer
authentication-scheme local
accounting-scheme default0
ip-pool pool1
#
local-aaa-server
user 172.192.0.8@printer password cipher Root@123 authentication-type B
#
static-user 172.192.0.8 gateway 172.192.0.1 interface GigabitEthernet0/1/2 mac-address 0026-73b5-dfc8 domain-name printer detect
static-user detect interval 1
#
return

10 PPPoE Access Configuration

About This Chapter

Point-to-Point Protocol over Ethernet (PPPoE) allows a remote access device to provide
access services for hosts on Ethernet networks and to implement user access control and
accounting. This chapter describes how to configure PPPoE and provides networking
applications. This feature is not supported on the M2E. This feature is supported only on the
Admin-VS.

10.1 Overview of PPPoE Access


Point-to-Point Protocol over Ethernet (PPPoE) is a link-layer protocol that transmits PPP
datagrams through PPP sessions established over point-to-point connections on Ethernet
networks.
10.2 License Requirements and Limitations for PPPoE--M2E
10.3 Licensing Requirements and Limitations for PPPoE--M2F
10.4 Licensing Requirements and Limitations for PPPoE--M2H
10.5 Licensing Requirements and Limitations for PPPoE--M2K
10.6 Configuring PPPoE Access Services
Configuring PPPoE access services allows access control and accounting for hosts.
10.7 Configuring PPPoEv6 Access Services
In PPPoEv6 access mode, a terminal is required to support the PPPoEv6 dial-up function.
10.8 Maintaining PPPoE Access
This section describes how to clear PPP and PPPoE packet statistics.
10.9 Configuration Examples for PPPoE Access
This section provides examples for configuring the BRAS access service, including
networking requirements, configuration notes, and configuration roadmap.

10.1 Overview of PPPoE Access


Point-to-Point Protocol over Ethernet (PPPoE) is a link-layer protocol that transmits PPP
datagrams through PPP sessions established over point-to-point connections on Ethernet
networks.
As a supplementary protocol of PPP, PPPoE provides access services for users on Ethernet
networks, and implements user control and accounting.
PPPoE uses the client/server model. A PPPoE client initiates a connection request to a PPPoE
server. After a session is established, the PPPoE server provides access control and
authentication for the PPPoE client. The PPPoE user login process involves two stages:
PPPoE negotiation and PPP negotiation. PPP negotiation includes Link Control Protocol
(LCP) negotiation, Password Authentication Protocol (PAP)/Challenge Handshake
Authentication Protocol (CHAP) authentication, and Network Control Protocol (NCP)
negotiation.
A PPPoE session can be established either between devices or between a host and a device.
l When a PPPoE session is established between two devices, all hosts transmit data over
the same PPP session, without the need to install PPPoE client dialup software.
Generally, all users in an enterprise share an account. Figure 10-1 shows the networking
of this mode. The CPE is a PPPoE client and located within an enterprise, and a carrier
network device is the PPPoE server.

Figure 10-1 PPPoE networking 1 (figure: Host A, Host B and Host C connect through a client device to the CPE, which acts as the PPPoE client; the CPE connects through a DSLAM to the carrier network device acting as the PPPoE server, and from there to the Internet)

l When a PPPoE session is established between a host and a device, each host needs its own
session. Each host is a PPPoE client, and a carrier network device is the PPPoE server.
Figure 10-2 shows the networking of this mode. Each host has an account for access
control and accounting. Each host must have the PPPoE client dialup software installed
to function as a PPPoE client. This networking applies to campuses and residential areas.

Figure 10-2 PPPoE networking 2 (figure: Host A and Host B, each a PPPoE client, connect to the PPPoE server, which connects to the Internet)

PPPoE access has the following advantages:
l Multi-protocol transmission
PPP data packets are transmitted over Ethernet. In addition to IP, PPP data packets can
have other types of protocols encapsulated, even link-layer protocols, such as Ethernet.
l Flexible accounting
PPPoE access provides rich accounting data, such as the numbers of incoming and
outgoing packets and bytes, and start and end time of connections.
l IPv4/IPv6 dual stack
PPPoE access supports allocation of both IPv4 and IPv6 addresses.
NOTE

Services are interrupted if the memory size of the master MPU is inconsistent with that of the slave
MPU.

10.2 License Requirements and Limitations for PPPoE--M2E

Licensing Requirements
This feature is a basic feature and is not under license control.

Restrictions and Guidelines
N/A

10.3 Licensing Requirements and Limitations for PPPoE--M2F

Licensing Requirements
BOM Item: 81400884
License Control Item: NE40E-M2 Series PPPoE/IPoE Function License
Description: Controllable feature: This license controls PPPoE/IPoE function on a device.
Minimum Version Requirement: V800R009

Restrictions and Guidelines

Restrictions: If the number of connection requests is restricted based on a specified MAC address of a
PPPoE user, the chasten function takes effect only when one MAC address maps to multiple sessions.
Guidelines: Do not enable the chasten function based on a specified MAC address after one-to-many
mapping between one MAC address and multiple sessions is enabled.
Impact: The chasten function does not take effect and users cannot be blocked.

Restrictions: If the chasten function for PPPoE users who go online through inter-board trunk interfaces
is implemented based on a specified board, after the master main control board on which the inter-board
trunk interfaces reside is switched, the number of connection requests must be recalculated.

10.4 Licensing Requirements and Limitations for PPPoE--M2H

Licensing Requirements
BOM Item: 81400884
License Control Item: NE40E-M2 Series PPPoE/IPoE Function License
Description: Controllable feature: This license controls PPPoE/IPoE function on a device.
Minimum Version Requirement: V800R009

Restrictions and Guidelines

Restrictions: If the number of connection requests is restricted based on a specified MAC address of a
PPPoE user, the chasten function takes effect only when one MAC address maps to multiple sessions.
Guidelines: Do not enable the chasten function based on a specified MAC address after one-to-many
mapping between one MAC address and multiple sessions is enabled.
Impact: The chasten function does not take effect and users cannot be blocked.

Restrictions: If the chasten function for PPPoE users who go online through inter-board trunk interfaces
is implemented based on a specified board, after the master main control board on which the inter-board
trunk interfaces reside is switched, the number of connection requests must be recalculated.

10.5 Licensing Requirements and Limitations for PPPoE--M2K

Licensing Requirements
BOM Item: 88035BKA
License Control Item: M2 Series BNG Function License
Description: Controllable feature: This license controls the PPPoE, IPoE, L2TP, DAA, and EDSG function.
Minimum Version Requirement: V800R010C10

Restrictions and Guidelines

Restrictions: If the number of connection requests is restricted based on a specified MAC address of a
PPPoE user, the chasten function takes effect only when one MAC address maps to multiple sessions.
Guidelines: Do not enable the chasten function based on a specified MAC address after one-to-many
mapping between one MAC address and multiple sessions is enabled.
Impact: The chasten function does not take effect and users cannot be blocked.

Restrictions: If the chasten function for PPPoE users who go online through inter-board trunk interfaces
is implemented based on a specified board, after the master main control board on which the inter-board
trunk interfaces reside is switched, the number of connection requests must be recalculated.

10.6 Configuring PPPoE Access Services


Configuring PPPoE access services allows access control and accounting for hosts.

Usage Scenario
As network data services are developing rapidly, broadband users are increasing explosively.
Carriers need an access device that can provide access services for multiple remote hosts and
also provide user access control and accounting. Ethernet is the most economical technology
for connecting multiple hosts to access devices, and PPP provides well-developed user access
control and accounting. However, PPP cannot be applied to Ethernet. To address this problem,
PPPoE has been developed. PPPoE is a link layer protocol that transmits PPP datagrams
through PPP sessions established over point-to-point connections on Ethernet networks. As a
supplement to PPP, PPPoE allows a remote access device to provide access services for hosts
on Ethernet networks and to implement user access control and accounting. With these
features, PPPoE is widely acknowledged among broadband access carriers, and therefore
widely applied.

Pre-configuration Tasks
Before configuring PPPoE access services, complete the following tasks:

l Configure AAA schemes.
l Configure a server template.
l Configure a local or remote IPv4 address pool.
l Configure a domain.

Configuration Procedures
Perform the following configurations as required.

Figure 10-3 Flowchart for configuring PPPoE access (flowchart: Configure a VT; Configure PPPoE server parameters; Bind the VT to an interface; Configure PPP user access limitations; Check the configurations. Configuring a VT, binding it to an interface and checking the configurations are mandatory; configuring PPPoE server parameters and PPP user access limitations are optional.)

10.6.1 Configuring a VT
Layer 2 protocols cannot directly carry each other. Before configuring PPPoE access, create a
virtual template (VT).

Context
Layer 2 protocols, such as PPP, can communicate only over a virtual access (VA) session. A
VA session, however, cannot be manually created or configured. Instead, a VA session is
automatically generated after PPPoE services are configured and PPPoE parameters are
configured in a VT.
Based on interface parameters defined in a VT, a device can automatically create VA
interfaces for Layer 2 communication.
l PPP packets are encapsulated based on parameters configured in a VT. A VT defines
NCP parameters, such as IP addresses and upper-layer application protocols.
l A VA session transmits data between the local and remote ends based on parameters
defined in a VT.
When a VT is used for PPPoE services, the link layer protocol can only be PPP, and the
network layer protocol can only be IP.

Before deleting a VT, ensure that the VT is not in use and the VA session automatically
generated upon VT creation has been deleted.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface virtual-template virtual-template-number

A VT is created and its view is displayed, or the view of an existing VT is displayed.

Step 3 Run ppp authentication-mode { auto | { pap | chap | mschapv1 | mschapv2 } * }

A PPP authentication mode is configured.

Step 4 (Optional) Perform the following steps to configure PPP negotiation parameters:
l Run ppp timer { negotiate seconds | retransmit retry-times } *
A PPP negotiation timeout period and the maximum number of retransmission times
allowed are configured.
l Run ppp delay-lcp-negotiation [ force ]
Delayed LCP packet transmission is configured.
l Run ppp keepalive { interval interval-time | retransmit times | response-timeout
response-timeout-time } * [ datacheck | no-datacheck ]
A PPP detection interval and the maximum number of retransmission times allowed are
configured.
l Run ppp keepalive adjustment { system-state | retransmit }
Adjustment of the number of PPP detection times is enabled.
l Run mtu mtu
An MTU is configured in the VT.
l Run ppp mru mru
An MRU is configured for PPP negotiation.
l Run pppoe-motm motm-value
The device is configured to encapsulate clock synchronization information to the MOTM
tag in a PPPoE active discovery message (PADM).
l Run quit
Return to the system view.
l Run pppoe ppp-max-payload enable
The device is enabled to negotiate the MRU in compliance with standard protocols.

Step 5 (Optional) Run ppp chap user user-name

A user name is specified.

Step 6 Run commit

The configuration is committed.

----End
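Step 3 above selects the PPP authentication mode negotiated in the VT (pap or chap among the choices). The following added example, which is not part of this guide or of Huawei's software, implements the authenticator side of CHAP as defined in RFC 1994 (response = MD5 over Identifier || secret || Challenge) beside a plain PAP comparison, so that the difference between the two modes is visible: under PAP the password itself crosses the link, under CHAP only a one-time response does, and a captured response cannot be replayed because each challenge is consumed on first use. The user table, the class and function names and the "@isp" user name are constructed for the example.

```python
"""CHAP authenticator (RFC 1994) beside a PAP check. Added example, not Huawei code;
USER_DB, ChapAuthenticator, chap_login and chap_replay_rejected are this example's
own names, and the credentials in USER_DB are constructed."""
import hashlib
import hmac
import os

# Constructed credential store: user name -> shared secret.
USER_DB = {"alice@isp": b"Root@123"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side of CHAP: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP. The secret never leaves the authenticator; every
    challenge is random and single-use, so a captured response cannot be replayed."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.identifier = 0
        self.outstanding = {}          # identifier -> challenge still awaiting a response

    def issue_challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        challenge = os.urandom(16)
        self.outstanding[self.identifier] = challenge
        return self.identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)   # consumed on first use
        if challenge is None or name not in self.user_db:
            return False
        expected = chap_response(identifier, self.user_db[name], challenge)
        return hmac.compare_digest(expected, response)


def pap_verify(user_db, name: str, password: bytes) -> bool:
    """PAP: the password itself crosses the link, so the authenticator only compares."""
    return name in user_db and hmac.compare_digest(user_db[name], password)


def chap_login(auth: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """Drive one challenge/response round for a peer holding `secret`."""
    ident, challenge = auth.issue_challenge()
    return auth.verify(ident, name, chap_response(ident, secret, challenge))


def chap_replay_rejected(auth: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """Resubmit a response that was valid once; True when the replay is refused."""
    ident, challenge = auth.issue_challenge()
    response = chap_response(ident, secret, challenge)
    first = auth.verify(ident, name, response)
    second = auth.verify(ident, name, response)
    return first and not second


if __name__ == "__main__":
    auth = ChapAuthenticator(USER_DB)
    print("CHAP correct secret:", chap_login(auth, "alice@isp", b"Root@123"))
    print("CHAP wrong secret:  ", chap_login(auth, "alice@isp", b"guess"))
    print("CHAP replay refused:", chap_replay_rejected(auth, "alice@isp", b"Root@123"))
    print("PAP correct password:", pap_verify(USER_DB, "alice@isp", b"Root@123"))
```

The replay check is the property that matters on a shared Ethernet segment: with PAP, anything that can see the link can reuse the credential, while with CHAP it would need the secret itself.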

10.6.2 Binding a VT to an Interface


Bind a VT to an interface so that data on the interface can be transmitted based on parameters
defined in the VT.

Context
After a VT is configured, bind it to an interface. The type of the interface to which a VT is
bound varies depending on the user access type.

l The VT configured for PPPoE services must be bound to a main interface.
l The VT configured for PPPoEoVLAN services must be bound to a sub-interface.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number [ . subinterface-number ]

The interface or sub-interface view is displayed.

Specify a main interface for PPPoE access users and a sub-interface for PPPoEoVLAN access
users.

Step 3 Run pppoe-server bind virtual-template vt-number

A VT is bound to the interface.

Step 4 Run commit

The configuration is committed.

----End

10.6.3 (Optional) Configuring PPPoE Server Parameters


PPPoE server parameters can be configured as needed for negotiation between a PPPoE
server and client.

Context
PPPoE uses the client/server model. A PPPoE client initiates a connection request to a PPPoE
server. After a session is established, the PPPoE server provides access control and
authentication for the PPPoE client. To help clients identify PPPoE servers, configure a name,
service name, and service name matching mode for each PPPoE server. To allow successful
PPPoE negotiation between Huawei and non-Huawei devices, configure the timing for
sending PADM or PADN packets and a delimiter between MOTM items.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface virtual-template virtual-template-number

A VT is created and its view is displayed, or the view of an existing VT is displayed.

Step 3 Run pppoe-server ac-name ac-name

A name is configured for the PPPoE server.

Step 4 Run pppoe-server service-name-parameter service-name-parameter

A service name is configured for the PPPoE server.

Step 5 Run pppoe-server service-name-type exact-match

A service name matching mode is configured.

Step 6 Run pppoe-server send { padm | padn } [ ipcp | ip6cp | { first | last | all } ncp ]

When PADM or PADN packets are sent is configured.

Step 7 Run pppoe-server motm item delimiter delimiter

A delimiter between MOTM items is configured.

Step 8 Run quit

Return to the system view.

Step 9 Run pppoe-server send padt always

Delayed PADT packet transmission is enabled.

Step 10 Run commit

The configuration is committed.

----End
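Section 10.1 describes the PPPoE negotiation stage that precedes PPP negotiation, and Steps 3 to 5 above give the server its name, its service name and the exact-match rule that clients must satisfy. The following added example, which is not part of this guide or of Huawei's software, runs that discovery exchange (PADI, PADO, PADR, PADS, as specified in RFC 2516) between a constructed client and a constructed access concentrator in one process, with the concentrator applying an ac-name, a service name and an exact-match flag modelled on those commands. The parser refuses length fields that would read past the frame, which is the check a defender wants on an interface that accepts discovery frames from untrusted hosts. The class and function names, the AC cookie value and the "HUAWEI-BRAS"/"internet" names are this example's own assumptions.

```python
"""PPPoE discovery stage (RFC 2516) as a constructed client/AC exchange.
Added example, not Huawei code; AccessConcentrator, discover, build and parse
are this example's own names, and the policy fields model the page's
pppoe-server ac-name, service-name-parameter and service-name-type exact-match."""
import struct

VER_TYPE = 0x11                                  # PPPoE version 1, type 1
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65  # discovery codes (RFC 2516)
TAG_END, TAG_SERVICE, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE, TAG_SERVICE_ERR = 0x0103, 0x0104, 0x0201


def build(code: int, session_id: int, tags) -> bytes:
    """Serialize header + TLV tag list + End-Of-List tag."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    body += struct.pack("!HH", TAG_END, 0)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(body)) + body


def parse(frame: bytes):
    """Return (code, session_id, [(tag, value), ...]); refuse lengths that would
    read past the buffer instead of trusting the peer's length fields."""
    if len(frame) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != VER_TYPE or 6 + length > len(frame):
        raise ValueError("bad version/type or payload length")
    payload, off, tags = frame[6:6 + length], 0, []
    while off + 4 <= len(payload):
        tag, tlen = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if off + tlen > len(payload):
            raise ValueError("tag length exceeds payload")
        if tag == TAG_END:
            break
        tags.append((tag, payload[off:off + tlen]))
        off += tlen
    return code, session_id, tags


class AccessConcentrator:
    """Server side with ac-name, service name and exact-match policy (assumed names)."""

    def __init__(self, ac_name: bytes, service_name: bytes, exact_match: bool):
        self.ac_name, self.service_name, self.exact_match = ac_name, service_name, exact_match
        self.cookie = b"cookie-1"        # constructed; a real AC derives it per client
        self.next_session = 1
        self.sessions = {}

    def accepts(self, requested: bytes) -> bool:
        # exact-match: the client must name exactly the configured service;
        # otherwise an empty Service-Name ("any service") is served as well.
        return requested == self.service_name or (not self.exact_match and requested == b"")

    def handle(self, frame: bytes):
        code, _, tags = parse(frame)
        requested = dict(tags).get(TAG_SERVICE, b"")
        echo = [(t, v) for t, v in tags if t == TAG_HOST_UNIQ]   # Host-Uniq is echoed unchanged
        if code == PADI:
            if not self.accepts(requested):
                return None                                         # RFC 2516: no PADO at all
            return build(PADO, 0, echo + [(TAG_AC_NAME, self.ac_name),
                                          (TAG_SERVICE, self.service_name),
                                          (TAG_AC_COOKIE, self.cookie)])
        if code == PADR:
            if not self.accepts(requested) or dict(tags).get(TAG_AC_COOKIE) != self.cookie:
                return build(PADS, 0, echo + [(TAG_SERVICE_ERR, b"")])  # session id 0 = refused
            sid, self.next_session = self.next_session, self.next_session + 1
            self.sessions[sid] = requested
            return build(PADS, sid, echo + [(TAG_SERVICE, self.service_name)])
        return None


def discover(ac: AccessConcentrator, wanted_service: bytes, host_uniq: bytes = b"\x00\x00\x00\x2a"):
    """Client side: PADI -> PADO -> PADR -> PADS. Returns the session id, or None
    when no AC offered the service or the AC refused the session."""
    padi = build(PADI, 0, [(TAG_SERVICE, wanted_service), (TAG_HOST_UNIQ, host_uniq)])
    pado = ac.handle(padi)
    if pado is None:
        return None
    code, _, tags = parse(pado)
    offer = dict(tags)
    if code != PADO or offer.get(TAG_HOST_UNIQ) != host_uniq:
        return None
    padr = build(PADR, 0, [(TAG_SERVICE, wanted_service), (TAG_HOST_UNIQ, host_uniq),
                           (TAG_AC_COOKIE, offer[TAG_AC_COOKIE])])
    code, sid, _ = parse(ac.handle(padr))
    return sid if code == PADS and sid != 0 else None


if __name__ == "__main__":
    ac = AccessConcentrator(b"HUAWEI-BRAS", b"internet", exact_match=True)
    print("exact service:", discover(ac, b"internet"))   # 1
    print("any service:  ", discover(ac, b""))           # None: no PADO under exact-match
```

With exact-match on, a client asking for "any service" gets no PADO and never reaches the PPP stage; with exact-match off the same client is served. The Host-Uniq echo is how the client ties a PADO back to its own PADI on a segment where several concentrators may answer.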

10.6.4 Binding Sub-interfaces to a VLAN


To restrict broadcast packets on a LAN and enhance the LAN security or create virtual
groups, you need to configure VLANs. VLANs are applicable to only Ethernet sub-interfaces.

Context
If users access the network by using a sub-interface, the sub-interface needs to be bound to a
VLAN.

You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding
a sub-interface to a VLAN, you need the following parameters:

l Sub-interface number
l VLAN ID
l QinQ ID

NOTE

l On each main interface, you can set the user-vlan any-other on only one sub-interface. On one sub-
interface, user-vlan any-other cannot be set together with user-vlan start-vlan nor user-vlan qinq.
l The user-vlan command cannot be configured on a sub-interface of a Layer 2 interface.
l If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a
sub-interface, the user-vlan cannot be configured on this sub-interface.
l Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.

Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number.subinterface-number
A sub-interface is created and the sub-interface view is displayed.
Step 3 Run user-vlan { start-vlan [ end-vlan ] [ qinq start-qinq-id [ end-qinq-id ] ] | any-other }
A user-side VLAN is created.
Step 4 Run commit
The configuration is committed.

----End

10.6.5 Configuring a BAS Interface


When an interface is used for broadband access, you need to configure it as a BAS interface.
When PPPoX users use a BAS interface to access the network, you must specify the access
type as Layer 2 subscriber access.

Context
When configuring a BAS interface, you need the following parameters:
l BAS interface number
l Access type and authentication scheme
l (Optional) Maximum number of users that are allowed to access through the BAS
interface and maximum number of users that are allowed to access through a specified
VLAN
l (Optional) Default domain, roaming domain, and domains that users are allowed to
access
l (Optional) Whether to enable the functions of accounting packet copy and locating a user
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run bas

A BAS interface is created and the BAS interface view is displayed.

NOTE
In scenarios with BRAS access through L2VPN termination, run the ve-group ve-group-id l2-terminate
command to configure the VE interface as an L2VE interface to terminate an L2VPN and bind the
interface to a VE group. The preceding commands are configured in the VE interface view.

The bas command run in the view of an interface configures the interface as a BAS interface.
A GE interface or its sub-interface, an Eth-Trunk interface or its sub-interface, an ATM
interface or its sub-interface, or a VE interface or its sub-interface can be configured as a BAS
interface.

Step 4 Run access-type layer2-subscriber [ default-domain { authentication [ force | replace ]
dname | pre-authentication predname } * | bas-interface-name bname | accounting-copy
radius-server rd-name ] *

The access type is set to Layer 2 subscriber access and the attributes of this access type are
configured.

When setting the access type on the BAS interface, you can set the service attributes of the
access users at the same time. You can also set these attributes in later configurations.

The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk
interface. You can configure the access type of such an Ethernet interface only on the
associated Eth-Trunk interface.

Step 5 (Optional) Run access-limit number [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-
vlan ] [ user-type { ipoe | pppoe } ] ]

The number of users that are allowed access through the interface is configured.

l If the access-limit command is configured on a sub-interface enabled with BAS, the
number of VLAN users that access the sub-interface is limited.
l If the access-limit command is configured on a main interface enabled with BAS and the
VLAN range is not specified in the command, the total number of VLAN users that
access the main interface is limited. Note that the configuration of access-limit on a sub-
interface takes precedence over that on the corresponding main interface.
l You can also specify the user-type parameter to limit the maximum number of access
users based on access types.

Step 6 (Optional) Run default-domain pre-authentication domain-name

The default pre-authentication domain is specified.

l Or run:
default-domain authentication ppp-user domain-name
The default authentication domain for PPP users is specified.

NOTE
– If the default-domain authentication ppp-user domain-name command is configured, the
authentication domain specified in this step is used as the default authentication domain for
PPP users.
– If the default-domain authentication ppp-user domain-name command is not configured but
the default-domain authentication [ force | replace ] domain-name command is configured,
the authentication domain specified using the default-domain authentication [ force |
replace ] domain-name command is used as the default authentication domain for PPP users.
– If neither of the commands is configured, the default authentication domain for PPP users is
default1.
l Or run:
roam-domain domain-name
The roaming domain is specified.
l Or run:
permit-domain domain-name &<1-16>
The domain in which users are allowed to access is specified.
Or run:
deny-domain domain-name &<1-16>
The domain in which users are denied access is specified.
The permit-domain-list, deny-domain-list, deny-domain, and permit-domain commands
cannot be configured together on one BAS interface.
l Or run:
permit-domain-list domainlist-name
The list of domains whose users are allowed access is specified; users of other
domains are denied access through the BAS interface.
Or run:
deny-domain-list domainlist-name
The list of domains whose users are denied access is specified.
Step 7 (Optional) Run client-option82 [ { basinfo-insert { cn-telecom | version3 } | version1 } ]
The NE40E is configured to trust the access-line-id information reported by clients.
Or, run basinfo-insert cn-telecom
The NE40E is configured to insert the access-line-id information in the format defined by
China Telecom instead of trusting the access-line-id information reported by clients.
Or run basinfo-insert version2
The NE40E is configured to insert the access-line-id information in the format defined by
version2 instead of trusting the access-line-id information reported by clients.
The Router will parse and transmit access-line-id information based on the following
configurations:
l Run the option82-relay-mode dslam { auto-identify | config-identify } command to
allow the Router to extract information from the access-line-id field in the packet sent
from the DSLAM and add the information to Agent-CircuitID and Agent-RemoteID
attributes sent to the RADIUS server. Or run the option82-relay-mode include
{ allvalue | { agent-circuit-id | agent-remote-id [ separator ] } * } command to allow
the NAS-Port-Id attribute sent to the RADIUS server to contain access-line-id
information.
l Run the option82-relay-mode subopt { agent-circuit-id { hex | string } | agent-
remote-id { hex | string } } command to configure the format of Agent-CircuitID or
Agent-RemoteID information.

Or run vbas vbas-mac-address [ auth-mode { ignore | reject } ]

The function of locating a user through the virtual BAS (VBAS) is enabled.

Step 8 (Optional) Run link-account resolve

An accounting request packet that the NE40E sends to a RADIUS server is allowed to carry
the link-account attribute.

Before running the command, set the access type to Layer 2 subscriber access.

The command affects RADIUS No. 25 attribute in accounting request packets sent by the
NE40E to a RADIUS accounting server.

An interface fills the link-account information in the RADIUS No. 25 attribute class if both
the following situations are met:
l Users getting online from the interface do not need to be authenticated, and RADIUS
accounting is configured on the interface.
l For common Layer 2 users, VLANs and VLAN descriptions are configured on the
interface.

Step 9 (Optional) Run accounting-copy radius-server radius-name

The accounting packet copy function is enabled.

Step 10 (Optional) Run block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any
qinq start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ]

The BAS interface is blocked.

Step 11 (Optional) Run authentication-method ppp [ web ]

PPP authentication, or PPP and web authentication is configured.

Step 12 (Optional) Run ppp keepalive slow

PPP slow reply is configured on the BAS interface, allowing the BAS interface to send PPP
echo packets to the CPU for processing.

Step 13 Run commit

The configuration is committed.

----End
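Step 6 and its NOTE define an order of precedence for the default authentication domain (the ppp-user domain first, then the generic default-domain authentication domain, then default1) and a set of mutually exclusive permit-domain, deny-domain, permit-domain-list and deny-domain-list filters. The following added example, which is not part of this guide or of Huawei's software, applies those rules to user names arriving on a BAS interface and rejects the configuration combinations the page says cannot coexist. Its assumptions are labelled in the code: a user name of the form user@domain selects that domain (the force and replace keywords are not described on this page and are not modelled), the ppp-user domain applies to PPP users only, a domain list is simply a set of domain names, and the BasInterface class, DOMAIN_LISTS table and the "isp"/"printer"/"resident-list" names are constructed for the example.

```python
"""Domain selection on a BAS interface per the precedence and exclusion rules
in Step 6. Added example, not Huawei code; BasInterface and DOMAIN_LISTS are
this example's own names, and the sample domains are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed domain-list objects (assumption: a list is a set of domain names).
DOMAIN_LISTS: Dict[str, List[str]] = {"resident-list": ["isp", "printer"]}


@dataclass
class BasInterface:
    ppp_user_domain: Optional[str] = None      # default-domain authentication ppp-user
    auth_domain: Optional[str] = None          # default-domain authentication [ force | replace ]
    permit_domain: List[str] = field(default_factory=list)
    deny_domain: List[str] = field(default_factory=list)
    permit_domain_list: Optional[str] = None
    deny_domain_list: Optional[str] = None

    def validate(self) -> None:
        """Refuse combinations the device does not allow on one BAS interface."""
        used = [bool(self.permit_domain), bool(self.deny_domain),
                self.permit_domain_list is not None, self.deny_domain_list is not None]
        if sum(used) > 1:
            raise ValueError("permit/deny-domain and permit/deny-domain-list are mutually exclusive")
        if len(self.permit_domain) > 16 or len(self.deny_domain) > 16:
            raise ValueError("permit-domain/deny-domain take at most 16 domains")

    def default_domain(self, user_type: str) -> str:
        """Domain used when the user name carries none (assumption: the ppp-user
        default applies to PPP users only; other users take the generic default)."""
        if user_type == "ppp" and self.ppp_user_domain:
            return self.ppp_user_domain
        return self.auth_domain or "default1"

    def select_domain(self, username: str, user_type: str = "ppp") -> Optional[str]:
        """Return the domain the user is authenticated in, or None when refused."""
        self.validate()
        _, at, carried = username.partition("@")
        domain = carried if at else self.default_domain(user_type)   # assumption: user@domain wins
        if self.permit_domain and domain not in self.permit_domain:
            return None
        if self.deny_domain and domain in self.deny_domain:
            return None
        if self.permit_domain_list is not None and \
                domain not in DOMAIN_LISTS.get(self.permit_domain_list, []):
            return None
        if self.deny_domain_list is not None and \
                domain in DOMAIN_LISTS.get(self.deny_domain_list, []):
            return None
        return domain


if __name__ == "__main__":
    bas = BasInterface(auth_domain="isp", ppp_user_domain="ppp-isp", permit_domain=["ppp-isp", "isp"])
    print(bas.select_domain("alice"))            # ppp-isp
    print(bas.select_domain("alice", "ipoe"))    # isp
    print(bas.select_domain("bob@printer"))      # None: printer is not a permitted domain
```

A permit list is the safer default on an interface serving a single customer class, because a user naming an unexpected domain is refused rather than authenticated under a scheme the operator did not intend for that port.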

10.6.6 (Optional) Configuring Access Control on a BAS Interface


Configure a BAS interface to filter users that attempt to go online so that only specified users
are allowed to access the Router.

Context
To filter users based on source MAC addresses, configure an ACL rule. When a DHCP or
PPP user attempts to go online, match the user's source MAC address against the ACL rule. If
matched, the user is allowed to go online.
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run acl { name link-acl-name { link | [ link ] number link-acl-number } | [ number ] link-
acl-number } [ match-order { config | auto } ]
The ACL view is displayed.
Step 3 Run rule [ rule-id ] { deny | permit } source-mac source-mac sourcemac-mask
An ACL rule is configured.

NOTE

BAS interfaces support only ACLs in the range 4000 to 4999, and the ACL rules can only define users'
source MAC addresses. The source MAC address for DHCP users is the hardware address carried in DHCP
packets.

When a BAS interface uses a filter-policy to filter users, note the following:
l If the action specified in the ACL rule is permit, only users matching the rule are
allowed to access the Router.
l If the action specified in the ACL rule is deny, users matching the rule are not allowed to
access the Router, and the other users are allowed to access the Router.
l If the ACL does not have any rules, the BAS interface that references this ACL does not
filter access users based on users' MAC addresses.
l If the ACL referenced by the BAS interface does not exist, the BAS interface does not
filter access users based on users' MAC addresses.
Step 4 Run quit
Return to the system view.
Step 5 (Optional) Run ppp keepalive slow acl acl-num source-mac
PPP slow reply is configured for PPP echo packets with a specified MAC address.
Step 6 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
Step 7 Run bas
A BAS interface is created and the BAS interface view is displayed.
Step 8 Run filter-policy acl acl-number ppp
The function of filtering DHCP users that attempt to go online based on ACL rules on a BAS
interface is configured.

NOTE

l Before running the filter-policy acl command, the BAS interface must already have the access-type
command configured.
l An access type can be bound to only one ACL on an interface.
l Because IP addresses are assigned to DHCP users based on the MAC addresses contained in user DHCP
packets, if you run the filter-policy acl acl-number dhcp command to filter users, the command filters
users based on source MAC addresses contained in the DHCP packets, rather than those contained in the
Ethernet headers. This command cannot filter out attackers whose MAC addresses contained in Ethernet
headers are inconsistent with those contained in DHCP packets. To protect the device from this type of
attack, run the dhcp check chaddr command.
l The filter-policy acl acl-number ppp command applies to PPPoE, PPPoEoA, and L2TP users.

Step 9 Run commit

The configuration is committed.

----End
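Step 3 lists four cases for a filter-policy ACL (a permit rule admits only matching users, a deny rule refuses matching users and admits everyone else, an empty ACL filters nobody, a missing ACL filters nobody), and the NOTE after Step 8 explains that DHCP users are matched on the hardware address inside the DHCP packet rather than the Ethernet source, so a mismatch between the two is only caught by the dhcp check chaddr function. The following added example, which is not part of this guide or of Huawei's software, evaluates those rules over constructed ACLs and MAC addresses and shows the DHCP case with the chaddr check on and off. It assumes config match order (rules evaluated by rule id), the sourcemac-mask convention that 1 bits are compared and 0 bits ignored, and, for an ACL that mixes permit and deny rules (a case the page does not describe), that a user matching no rule is admitted; the Rule and Acl classes and the admit functions are this example's own names.

```python
"""filter-policy acl evaluation for BAS interfaces. Added example, not Huawei code;
Rule, Acl, admit and admit_dhcp are this example's own names and the sample ACLs
and MAC addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


def mac_int(mac: str) -> int:
    """Accept 0026-73b5-dfc8 (device style) or 00:26:73:b5:df:c8."""
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    source_mac: str
    mask: str = "ffff-ffff-ffff"     # sourcemac-mask: 1 bits compared, 0 bits ignored

    def matches(self, mac: str) -> bool:
        m = mac_int(self.mask)
        return (mac_int(mac) & m) == (mac_int(self.source_mac) & m)


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self):
        if not 4000 <= self.number <= 4999:
            raise ValueError("BAS interfaces accept only ACLs 4000-4999")


def admit(acls: Dict[int, Acl], acl_number: int, mac: str) -> bool:
    """Decide whether a user with this source MAC may go online (config match order)."""
    acl = acls.get(acl_number)
    if acl is None or not acl.rules:            # missing or empty ACL: no MAC filtering
        return True
    for rule in sorted(acl.rules, key=lambda r: r.rule_id):
        if rule.matches(mac):
            return rule.action == "permit"
    # No rule matched. Permit-only ACLs admit only matching users, so refuse;
    # an ACL with deny rules admits the non-matching users (assumption for mixed ACLs).
    return any(r.action == "deny" for r in acl.rules)


def admit_dhcp(acls: Dict[int, Acl], acl_number: int, eth_src: str, chaddr: str,
               check_chaddr: bool) -> bool:
    """DHCP users are matched on chaddr, not on the Ethernet source; only the chaddr
    check (dhcp check chaddr) rejects a packet whose two addresses disagree."""
    if check_chaddr and mac_int(eth_src) != mac_int(chaddr):
        return False
    return admit(acls, acl_number, chaddr)


def sample_acls() -> Dict[int, Acl]:
    """Constructed ACLs: 4000 permits one printer, 4001 denies one OUI-like prefix,
    4002 is empty."""
    return {4000: Acl(4000, [Rule(5, "permit", "0026-73b5-dfc8")]),
            4001: Acl(4001, [Rule(5, "deny", "0026-73b5-0000", "ffff-ffff-0000")]),
            4002: Acl(4002)}


if __name__ == "__main__":
    acls = sample_acls()
    print(admit(acls, 4000, "0026-73b5-dfc8"), admit(acls, 4000, "0026-73b5-0001"))  # True False
    print(admit(acls, 4001, "0026-73b5-1234"), admit(acls, 4001, "0000-1111-2222"))  # False True
    print(admit(acls, 4002, "0000-1111-2222"), admit(acls, 4999, "0000-1111-2222"))  # True True
    print(admit_dhcp(acls, 4000, "0000-1111-2222", "0026-73b5-dfc8", check_chaddr=False))  # True
    print(admit_dhcp(acls, 4000, "0000-1111-2222", "0026-73b5-dfc8", check_chaddr=True))   # False
```

The last two lines are the point of the NOTE: with the chaddr check off, a DHCP packet whose inner hardware address matches a permit rule is admitted even though its Ethernet source address does not, so a permit-only ACL on its own does not pin a user to the frame's real source.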

10.6.7 (Optional) Configuring Refined IPv4 Route Advertisement


Refined IPv4 route advertisement can classify routes and advertise them to different networks.

Context
User routes include routes generated by an address pool, and routes generated based on either
the Framed-Route attribute or IP-Netmask attribute delivered by the RADIUS server.
Management users can advertise routes to the management network while users accessing the
Internet can advertise routes to the Internet. Routes are classified based on tags and imported
using routing policies. This process allows various routes to be advertised to specific
networks.

Procedure
l Configure a tag value of a route for a specified type of address pool, such as local or
remote address pools.
a. Run system-view
The system view is displayed.
b. Run ip unr { framed-route-tag tag-value | framed-ip-netmask-tag tag-value |
framed-ip-address-tag tag-value } *
The route tag is configured.
c. Run commit
The configuration is committed.
l Configure a tag value of a route for a single address pool.
a. Run system-view
The system view is displayed.
b. Run ip pool (system view)
The IP address pool view is displayed.
c. Run unr tag tag-value
The route tag is configured.

d. Run commit
The configuration is committed.
----End

Follow-up Procedure
Create a routing policy. Specify a route tag to classify routes. Use OSPF or BGP to import
various routes. For details, see Routing Policy Configuration.

10.6.8 (Optional) Configuring PPP User Access Limitations


To prevent unauthorized users from launching a brute force attack to crack the password of an
authorized user or to use up the number of allowed access users, configure the maximum number
of users allowed to go online through a board or MAC address.

Context
On live networks, unauthorized users may launch a brute force attack to crack the password of an
authorized user or to use up the number of allowed access users. To prevent this problem, configure
the maximum number of users allowed to go online through a board.
Multiple users may use the same MAC address for network access. To allow PPPoE users to
use the same MAC address to go online through the same device, configure the maximum
number of users allowed to go online through a MAC address.
When PPPoE users are online, a downstream device failure will cause the NE40E to receive a
large number of NCP negotiation requests from some users, resulting in high CPU usage.
Therefore, the number of NCP negotiation times must be limited.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run pppoe-server slot-number max-sessions session-number
The maximum number of users allowed to go online through a board is configured.
Step 3 Run pppoe-server max-sessions remote-mac session-number
The maximum number of users allowed to go online through a MAC address is configured.
Step 4 Run pppoe-server negotiation times limit
The number of NCP negotiation times is limited.
Step 5 Run commit
The configuration is committed.

----End
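The three limits configured in Steps 2 to 4 can be modelled as a small admission-control routine. The following Python block is an added illustration, not NE40E software: the limit values, MAC addresses, session identifier and event sequence are constructed, and the assumption that a request beyond a limit is simply refused (and consumes no session slot) is made here, since the procedure only states that each count is limited.

```python
from collections import defaultdict
from typing import Dict, Tuple


class PppoeAccessLimiter:
    """Admission control modelled on the three limits in the procedure above:
    pppoe-server <slot> max-sessions, pppoe-server max-sessions remote-mac and
    pppoe-server negotiation times. Added example, not device code."""

    def __init__(self, slot_max_sessions: Dict[int, int],
                 max_sessions_per_mac: int, ncp_negotiation_limit: int) -> None:
        self.slot_max_sessions = slot_max_sessions
        self.max_sessions_per_mac = max_sessions_per_mac
        self.ncp_negotiation_limit = ncp_negotiation_limit
        self.sessions_on_slot: Dict[int, int] = defaultdict(int)
        self.sessions_per_mac: Dict[str, int] = defaultdict(int)
        self.ncp_attempts: Dict[int, int] = defaultdict(int)

    def admit(self, slot: int, mac: str) -> Tuple[bool, str]:
        """Decide whether a PADR from `mac` received on board `slot` may open a session.
        A refused request consumes neither a board slot nor a per-MAC slot."""
        if self.sessions_on_slot[slot] >= self.slot_max_sessions.get(slot, 0):
            return False, "board session limit reached"
        if self.sessions_per_mac[mac] >= self.max_sessions_per_mac:
            return False, "per-MAC session limit reached"
        self.sessions_on_slot[slot] += 1
        self.sessions_per_mac[mac] += 1
        return True, "admitted"

    def ncp_negotiate(self, session_id: int) -> Tuple[bool, str]:
        """Count one NCP negotiation request for a session. Requests beyond the
        configured number are refused (assumed behaviour) so that a failing
        downstream device cannot keep the control plane busy with renegotiation."""
        self.ncp_attempts[session_id] += 1
        if self.ncp_attempts[session_id] > self.ncp_negotiation_limit:
            return False, "NCP negotiation limit exceeded"
        return True, "negotiation accepted"


def run_scenario() -> dict:
    """Constructed scenario: board 1 capped at 2 sessions, one session per MAC,
    three NCP negotiations per session."""
    lim = PppoeAccessLimiter({1: 2}, max_sessions_per_mac=1, ncp_negotiation_limit=3)
    return {
        "first": lim.admit(1, "00-11-22-33-44-55"),
        "same_mac_again": lim.admit(1, "00-11-22-33-44-55"),  # refused: per-MAC cap
        "second_mac": lim.admit(1, "00-11-22-33-44-66"),
        "third_mac": lim.admit(1, "00-11-22-33-44-77"),       # refused: board cap
        "ncp": [lim.ncp_negotiate(100) for _ in range(4)],    # fourth attempt refused
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

The per-MAC counter is what allows several users behind one MAC address (the case described in the Context) while still bounding how many sessions one address can hold; the board counter bounds the total regardless of address.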

10.6.9 (Optional) Configuring URPF for PPP Users


Enabling URPF for PPP users prevents source address spoofing attacks.

Procedure
l Configure URPF for PPPoE-type users.
a. Run system-view

The system view is displayed.


b. Run interface virtual-template virtual-template-number

A virtual template is created and the virtual template view is displayed.


c. Enable URPF for PPPoE-type users.
n For the IPv4 PPPoE-type users, run the ip urpf strict enable [ check subnet ]
command to enable the IPv4 URPF function.
d. Run commit

The configuration is committed.

----End

10.6.10 (Optional) Configuring the PPP Magic Number Check


Function
You can configure the PPP magic number check function to detect whether a PPPoE user
stays online after the user logs in.

Context
After a PPPoE user goes online, the device periodically sends Echo Request packets to the
client.

When receiving an Echo Reply packet from the user, the device compares the magic number
carried in the packet with that learned during LCP negotiation. If the two magic numbers are
the same, the user is considered online. Otherwise, the user is considered offline.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ppp keepalive strict-check magic-number

The PPP magic number check function is enabled so that the device compares the magic
number in a received Echo Reply packet with that learned during LCP negotiation.

Step 3 Run commit

The configuration is committed.

----End
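The check described in the Context can be followed end to end with a small simulation of the LCP Echo exchange. The Python below is an added example, not NE40E code; it uses the Echo-Request/Echo-Reply packet layout from RFC 1661 (code, identifier, length, magic number, data). The magic numbers, the identifier handling and the assumption that, without strict checking, any well-formed reply to the outstanding request keeps the user online are constructed for the example.

```python
import struct
from typing import Optional, Tuple

# LCP codes and the Echo packet layout from RFC 1661:
# Code(1) Identifier(1) Length(2) Magic-Number(4) Data(...)
LCP_ECHO_REQUEST = 9
LCP_ECHO_REPLY = 10
LCP_ECHO_HEADER = struct.Struct("!BBHI")


def build_lcp_echo(code: int, ident: int, magic: int, data: bytes = b"") -> bytes:
    """Build an LCP Echo-Request or Echo-Reply (added example, not device code)."""
    return LCP_ECHO_HEADER.pack(code, ident, LCP_ECHO_HEADER.size + len(data), magic) + data


def parse_lcp_echo(pkt: bytes) -> Tuple[int, int, int, bytes]:
    """Return (code, identifier, magic, data); raise ValueError on a malformed packet."""
    if len(pkt) < LCP_ECHO_HEADER.size:
        raise ValueError("LCP echo packet too short")
    code, ident, length, magic = LCP_ECHO_HEADER.unpack_from(pkt)
    if code not in (LCP_ECHO_REQUEST, LCP_ECHO_REPLY) or length != len(pkt):
        raise ValueError("not a well-formed LCP echo packet")
    return code, ident, magic, pkt[LCP_ECHO_HEADER.size:]


class PppKeepalive:
    """Device-side keepalive for one PPPoE session.

    peer_magic is the magic number learned from the client during LCP negotiation.
    With strict_check (ppp keepalive strict-check magic-number) an Echo-Reply keeps
    the user online only if it carries that magic number; without it, any well-formed
    reply to the outstanding request does (assumed behaviour)."""

    def __init__(self, own_magic: int, peer_magic: int, strict_check: bool) -> None:
        self.own_magic = own_magic
        self.peer_magic = peer_magic
        self.strict_check = strict_check
        self.next_ident = 0
        self.outstanding: Optional[int] = None  # identifier of the request awaiting a reply
        self.state = "online"

    def send_echo_request(self) -> bytes:
        """Periodic Echo-Request; it carries the device's own magic number."""
        self.outstanding = self.next_ident
        self.next_ident = (self.next_ident + 1) & 0xFF
        return build_lcp_echo(LCP_ECHO_REQUEST, self.outstanding, self.own_magic)

    def on_echo_reply(self, pkt: bytes) -> str:
        """Process a reply and return the resulting user state."""
        code, ident, magic, _ = parse_lcp_echo(pkt)
        if code != LCP_ECHO_REPLY or ident != self.outstanding:
            return self.state  # stray or stale reply: no state change
        self.outstanding = None
        if self.strict_check and magic != self.peer_magic:
            self.state = "offline"  # magic number differs from the one negotiated
        else:
            self.state = "online"
        return self.state


def client_reply(request: bytes, client_magic: int) -> bytes:
    """A PPP client answers an Echo-Request by echoing the identifier and data
    back with its own magic number (RFC 1661)."""
    _, ident, _, data = parse_lcp_echo(request)
    return build_lcp_echo(LCP_ECHO_REPLY, ident, client_magic, data)


def run_scenario(strict_check: bool) -> Tuple[str, str]:
    """Constructed values: the negotiated client magic is 0x1A2B3C4D; the second
    request is answered with a different magic number, as would happen if the
    endpoint answering is no longer the client that negotiated the session."""
    ka = PppKeepalive(own_magic=0x0BADCAFE, peer_magic=0x1A2B3C4D,
                      strict_check=strict_check)
    genuine = ka.on_echo_reply(client_reply(ka.send_echo_request(), 0x1A2B3C4D))
    changed = ka.on_echo_reply(client_reply(ka.send_echo_request(), 0x99999999))
    return genuine, changed
```

With strict checking the second reply marks the user offline; without it the session is kept, which is the difference the command in Step 2 makes.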

10.6.11 (Optional) Configuring Flexible Access to VPNs


Service priorities can be identified based on the 802.1p values of service packets, and the
packets can then be transmitted to corresponding VPNs.

Context
On the network shown in Figure 10-4, service packets carry 802.1p values to identify their
priorities. The BRAS can identify service priorities based on the 802.1p values of received
Layer 2 service packets and transmit the service packets to corresponding VPNs. To allow
this, enable a BAS interface to transmit packets to different VPNs based on 802.1p priorities
of the packets and also bind VPN instances to different 802.1p priorities.

Figure 10-4 Flexible access to VPNs
[Figure: HSI, VoIP, and iTV service packets marked with 802.1p priorities 1, 2, and 3 cross a
Layer 2 network to the BRAS, which places them in VPN1, VPN2, and VPN3 respectively; an
AAA/DHCP server is attached to the BRAS.]

Perform the following steps on the BRAS:


1. Create a VPN instance. (Both user and service VPN instances must be configured.)
2. Create a local address pool.
3. Configure a user domain.
4. Configure a user access interface.
5. Configure a network-side ACL and define redirection for the ACL.
6. Configure a network-side interface.

Procedure
Step 1 Create a VPN instance. (Both user and service VPN instances must be configured.)
1. Run system-view

The system view is displayed.


2. Run ip vpn-instance vpn-instance-name

A VPN instance is created, and the VPN instance view is displayed.


3. Run ipv4-family

The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4
address family view is displayed.
4. Run route-distinguisher route-distinguisher

An RD is configured for the VPN instance IPv4 address family.
5. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]
VPN targets are configured for the VPN instance IPv4 address family.
6. Run quit
Return to the VPN instance view.
7. Run quit
Return to the system view.
Step 2 Create a local address pool.
1. Run ip pool pool-name [ bas { local [ rui-slave ] | remote [ overlap | rui-slave ] |
dynamic } ]
An address pool is created.
2. Run vpn-instance vpn-instance-name
A VPN instance is specified for the address pool.
The VPN instance specified for the address pool must be the user VPN instance
configured in Step 1.
3. Run gateway ip-address { mask | mask-length }
The gateway IP address and subnet mask are configured for the address pool.
4. Run section section-num start-ip-address [ end-ip-address ]
An address segment is configured for the address pool.
5. Run import vpn-instance vpn-instance-name
A VPN instance is imported to the address pool.
The VPN instance imported to the address pool must be the service VPN instance
created in Step 1.
6. Run quit
Return to the system view.
Step 3 Configure a user domain.
1. Run aaa
The AAA view is displayed.
2. Run domain domain-name
A domain is created, and the domain view is displayed.
3. Run authentication-scheme authentication-scheme-name
An authentication domain is configured for the domain.
4. Run accounting-scheme accounting-scheme-name
An accounting scheme is configured for the domain.
5. Run ip-pool pool-name
An address pool is bound to the domain.
6. Run quit
Return to the AAA view.
7. Run quit
Return to the system view.
Step 4 Configure a user access interface.
1. Run interface interface-type interface-number
A sub-interface is created.
2. Run user-vlan { { start-vlan-id [ end-vlan-id ] [ qinq start-pe-vlan [ end-pe-vlan ] ] } }
A user-VLAN sub-interface is configured.
3. Run 802.1p 802.1p-priority binding vpn-instance vpn-instance-name
A VPN instance is bound to an 802.1p priority.
The VPN instance bound to the 802.1p priority must be the service VPN instance created
in Step 1.
NOTE

The binding between VPN instances and 802.1p priorities cannot be modified or deleted if the
BAS interface has online users.
4. Run quit
Return to the sub-interface view.
5. Run bas
The sub-interface is configured as a BAS interface, and the BAS interface view is
displayed.
6. Run access-type layer2-subscriber [ default-domain { authentication [ force |
replace ] dname | pre-authentication predname } * | bas-interface-name bname |
accounting-copy radius-server rd-name ] *
The access type of the BAS interface is configured as Layer 2 subscriber access.
7. Run authentication-method { bind | { fast | web } }
An authentication method is configured for the BAS interface.
8. Run 802.1p-to-vpn
The BAS interface is enabled to transmit packets to different VPNs based on the 802.1p
priorities of the packets.
9. Run quit
Return to the sub-interface view.
10. Run quit
Return to the system view.
Step 5 Configure a network-side ACL and define redirection for the ACL.
1. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } |
[ number ] basic-acl-number } [ match-order { config | auto } ]
A basic ACL is created.
2. Run rule [ rule-id ] { deny | permit } [ fragment-type { fragment | non-fragment |
non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address
{ source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance
vpn-instance-name | vpn-instance-any ] ] *
A rule is created for the ACL.
3. Run quit
Return to the system view.
4. Run vpn-group vpn-group-name [ vpn-instance vpn-name [ vpn-name ] &<1-8> ]
A VPN group is created, and a VPN instance is added to the VPN group.
The VPN instance added to the VPN group must be the user VPN instance created in
Step 1.
5. Run traffic behavior behavior-name
A traffic behavior is configured, and the traffic behavior view is displayed.
6. Run redirect vpn-group vpn-group-name
Packet redirection to a specified VPN group is configured.
The VPN group to which packets are redirected must be the one created in sub-step 4 of this step.
7. Run quit
Return to the system view.
8. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is configured, and the traffic classifier view is displayed.
9. Run if-match acl acl { acl-number | name acl-name }
An IPv4 ACL is specified for MF classification.
10. Run quit
Return to the system view.
11. Run traffic-policy policy-name
A traffic policy is configured.
12. Run share-mode
The shared mode is specified for the traffic policy.
13. Run classifier classifier-name behavior behavior-name [ precedence precedence-
value ]
A traffic behavior is specified for a traffic classifier in the traffic policy.
14. Run quit
Return to the system view.
Step 6 Configure a network-side interface.
1. Run interface interface-type interface-number
A sub-interface is created.
2. Run vlan-type dot1q vlanid { 8021p { 8021p-value1 [ to 8021p-value2 ] } &<1-8> |
dscp { dscp-value1 [ to dscp-value2 ] } &<1-10> | default | eth-type pppoe }
The dot1q VLAN type is configured for the sub-interface.
3. Run ip binding vpn-instance vpn-instance-name

A VPN instance is bound to the sub-interface.

The VPN instance bound to the sub-interface must be the service VPN instance created
in Step 1.
4. Run ip address ip-address { mask | mask-length }

An IP address is configured for the sub-interface.


5. Run traffic-policy policy-name { inbound | outbound }

The traffic policy is applied to the sub-interface.

----End

10.6.12 (Optional) Enabling BGP Route Forwarding Between a CPE and BRAS

Context
On the network shown in Figure 10-5, a CPE uses PPPoE dialup to obtain an IP address from
a BRAS. By default, the CPE can use the IP address to establish a BGP connection with the
BRAS, and the BRAS can learn the BGP route from the CPE. However, traffic cannot be
forwarded through the BGP route. After BGP route forwarding is enabled between a CPE and
BRAS, access user information is added to information about the BGP routes with the next
hops being the IP addresses of PPPoE users, allowing traffic to be forwarded through the BGP
route between the CPE and BRAS.

Figure 10-5 Networking
[Figure: user1 and user2 are attached to a CPE; the CPE connects to the BRAS, which connects
to the Internet.]

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run bgp over pppoe enable

BGP route forwarding is enabled between a CPE and BRAS.

----End

10.6.13 Verifying the PPPoE Access Service Configuration


After PPPoE access is configured, check the configurations.

Procedure
l Run the display pppoe statistics command to check statistics about PPPoE packets and
authentication messages.
l Run the display pppoe statistics online-fail-record command to check statistics about
PPPoE user login failures due to the limit on the number of access users (configured
using the access-ip-limit command).

----End

Example
Run the display pppoe statistics command to view PPPoE packet statistics on the board in
slot 1.
<HUAWEI> display pppoe statistics slot 1
---------------------------------------------------------------------
PPPoE Statistic Information
Slot: 1
---------------------------------------------------------------------
ACTIVE_SESSION : 3 TOTAL_SESSION : 3

RECV_PADI_PKT : 6 DISCARD_PADI_PKT : 2
SEND_PADO_PKT : 4
RECV_PADR_PKT : 4 DISCARD_PADR_PKT : 1
SEND_PADS_PKT : 3 DISCARD_PADR_SAMEMAC: 0
SEND_NULL_PADS_PKT : 0
RECV_PADT_PKT : 0 DISCARD_PADT_PKT : 0
SEND_PADT_PKT : 0
SEND_PADM_PKT : 0
SEND_PADM_URL_PKT : 0
SEND_PADM_MOTM_PKT : 0
SEND_PADN_PKT : 0

RECV_SESSION_PKT : 9 DISCARD_SESSION_PKT : 0
SEND_SESSION_PKT : 9
RECV_PKT : 19 DISCARD_PKT : 3
---------------------------------------------------------------------
Invalid PAD Packets
---------------------------------------------------------------------
Invalid Version : 0
Invalid PAD Code : 0
Invalid PAD Tags : 0
Invalid PAD Tag length : 0
Invalid PAD Type : 0
Invalid PADI Session : 0
Invalid PADR Session : 0
Invalid PAD packet length : 0
Other Invalid PAD packets : 0
Total Invalid PAD packets : 0
---------------------------------------------------------------------

Run the display pppoe statistics online-fail-record command to view statistics about PPPoE
user login failures due to access IP limit.
<HUAWEI> display pppoe statistics online-fail-record slot 3
---------------------------------------------------------------------

Online failed due to access-ip-limit : 2

---------------------------------------------------------------------
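The two outputs above are what an operator reads after applying the limits of 10.6.8, so a parser for them is a natural companion. The Python below is an added example, not NE40E software: it turns the "NAME : value" counters of both displays into a map and derives a few indicators (share of discovery packets discarded, same-MAC PADR drops, malformed PAD packets). The sample text is the output shown in this section; the 0.25 discard threshold is a constructed example value, not a product default.

```python
import re
from typing import Dict

# Output of "display pppoe statistics slot 1" as shown in the Example above.
SAMPLE_STATISTICS = """\
---------------------------------------------------------------------
PPPoE Statistic Information
Slot: 1
---------------------------------------------------------------------
ACTIVE_SESSION : 3 TOTAL_SESSION : 3

RECV_PADI_PKT : 6 DISCARD_PADI_PKT : 2
SEND_PADO_PKT : 4
RECV_PADR_PKT : 4 DISCARD_PADR_PKT : 1
SEND_PADS_PKT : 3 DISCARD_PADR_SAMEMAC: 0
SEND_NULL_PADS_PKT : 0
RECV_PADT_PKT : 0 DISCARD_PADT_PKT : 0
SEND_PADT_PKT : 0
SEND_PADM_PKT : 0
SEND_PADM_URL_PKT : 0
SEND_PADM_MOTM_PKT : 0
SEND_PADN_PKT : 0

RECV_SESSION_PKT : 9 DISCARD_SESSION_PKT : 0
SEND_SESSION_PKT : 9
RECV_PKT : 19 DISCARD_PKT : 3
---------------------------------------------------------------------
Invalid PAD Packets
---------------------------------------------------------------------
Invalid Version : 0
Invalid PAD Code : 0
Invalid PAD Tags : 0
Invalid PAD Tag length : 0
Invalid PAD Type : 0
Invalid PADI Session : 0
Invalid PADR Session : 0
Invalid PAD packet length : 0
Other Invalid PAD packets : 0
Total Invalid PAD packets : 0
---------------------------------------------------------------------
"""

# Output of "display pppoe statistics online-fail-record slot 3" as shown above.
SAMPLE_FAIL_RECORD = """\
---------------------------------------------------------------------
Online failed due to access-ip-limit : 2
---------------------------------------------------------------------
"""

# One "NAME : value" pair; several may share a line and names may contain spaces/hyphens.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9_ \-]*?)\s*:\s*(\d+)")


def parse_counters(text: str) -> Dict[str, int]:
    """Map every counter name in the display output to its integer value.
    Separator and title lines carry no colon-number pair and are ignored."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters


def discovery_health(counters: Dict[str, int],
                     max_discard_ratio: float = 0.25) -> Dict[str, object]:
    """Indicators worth watching after the access limits of 10.6.8 are enabled.
    max_discard_ratio is a constructed threshold for this example."""
    recv = counters.get("RECV_PADI_PKT", 0) + counters.get("RECV_PADR_PKT", 0)
    dropped = counters.get("DISCARD_PADI_PKT", 0) + counters.get("DISCARD_PADR_PKT", 0)
    ratio = dropped / recv if recv else 0.0
    return {
        "active_sessions": counters.get("ACTIVE_SESSION", 0),
        "discovery_discard_ratio": round(ratio, 3),
        "discovery_discards_high": ratio > max_discard_ratio,
        "same_mac_padr_dropped": counters.get("DISCARD_PADR_SAMEMAC", 0) > 0,
        "invalid_pad_seen": counters.get("Total Invalid PAD packets", 0) > 0,
    }


if __name__ == "__main__":
    stats = parse_counters(SAMPLE_STATISTICS)
    print(discovery_health(stats))
    print(parse_counters(SAMPLE_FAIL_RECORD))
```

On the sample output 3 of 10 discovery packets were discarded, so the constructed threshold is exceeded; the online-fail-record counter shows how many of those logins were refused by the access-ip-limit setting specifically.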

10.7 Configuring PPPoEv6 Access Services


In PPPoEv6 access mode, a terminal is required to support the PPPoEv6 dial-up function.

10.7.1 Configuring an Address Allocation Mode


The address allocation modes supported by the NE40E include NDRA, DHCPv6(IA_NA),
DHCPv6(IA_PD), DHCPv6(IA_NA)+PD(IA_PD), and NDRA+DHCPv6(IA_PD). One of
them can be configured based on networking conditions.

Context
The address allocation mode varies according to the CPE working mode. For details, see the
following table.

CPE Working Mode         Scenario                                              IPv6 Address Configuration Mode
------------------------ ----------------------------------------------------- -------------------------------
Bridging mode            The host initiates a connection request. The CPE      NDRA
                         transparently forwards the user request packet, and   DHCPv6(IA_NA)
                         the NE40E allocates an IPv6 address to the host.
Unnumbered routing mode  The CPE initiates a connection request. After         DHCPv6(IA_PD)
                         receiving the request, the NE40E allocates a prefix
                         to the CPE to generate IPv6 addresses for the hosts
                         attached to the CPE.
Numbered routing mode    The CPE initiates a connection request. After         DHCPv6(IA_NA)+PD(IA_PD)
                         receiving the request, the NE40E allocates an IPv6    NDRA+DHCPv6(IA_PD)
                         address to the WAN interface on the CPE and a prefix
                         to generate IPv6 addresses for the hosts attached to
                         the CPE.

NOTE

l Layer 2 IPv6 leased-line access equals the situation where the CPE works in unnumbered or
numbered routing mode.
l Layer 3 users of a leased line obtain their addresses from the access router. The NE40E is in charge
of only authentication and accounting, not address allocation.

If an IPv4 network is upgraded to an IPv6 network, the CPE working mode and authentication
mode do not need to be changed unless there are special service requirements. In PPP
authentication mode, either ND or DHCPv6 can be used for address authentication. In bind
authentication mode, using DHCPv6 for address allocation is recommended. In 802.1X or
Web authentication mode, using DHCPv6 for address allocation is recommended if user
terminals support DHCPv6.

In addition to choosing an address allocation mode, perform the following steps on the
NE40E if needed:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name

A domain is created, and the AAA domain view is displayed.

Step 4 Run user-basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } *

The IP type that is used for the services of users logging in from the domain is specified. If
address allocation of the specified IP type fails, users are not allowed to log in.

Step 5 (Optional) Run ipv6 nd ra halt

The NE40E is suppressed from sending RA messages to IPv6 access users.

Step 6 (Optional) Run ppp address-release separate

PPP dual-stack users can go offline from a single stack.

The ppp address-release separate and any-address-release offline commands are mutually
exclusive.

The ppp address-release separate command takes effect for both PPPoX and L2TP users.

Step 7 Run commit

The configuration is committed.

----End

10.7.2 Configuring a Virtual Template


Layer 2 protocols cannot directly carry each other. Before configuring PPPoE access, create a
virtual template (VT).

Context
Layer 2 protocols, such as PPP, can communicate only over a virtual access (VA) session. A
VA session, however, cannot be manually created or configured. Instead, a VA session is
automatically generated after PPPoE services are configured and PPPoE parameters are
configured in a VT.

Based on interface parameters defined in a VT, a device can automatically create VA
interfaces for Layer 2 communication.

l PPP packets are encapsulated based on parameters configured in a VT. A VT defines
NCP parameters, such as IP addresses and upper-layer application protocols.
l A VA session transmits data between the local and remote ends based on parameters
defined in a VT.
When a VT is used for PPPoE services, the link layer protocol can only be PPP, and the
network layer protocol can only be IP.
Before deleting a VT, ensure that the VT is not in use and the VA session automatically
generated upon VT creation has been deleted.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface virtual-template virtual-template-number
A VT is created and its view is displayed, or the view of an existing VT is displayed.

Step 3 Run ppp authentication-mode { auto | { pap | chap | mschapv1 | mschapv2 } * }


A PPP authentication mode is configured.
Step 4 (Optional) Perform the following steps to configure PPP negotiation parameters:
l Run ppp timer { negotiate seconds | retransmit retry-times } *
A PPP negotiation timeout period and the maximum number of retransmission times
allowed are configured.
l Run ppp delay-lcp-negotiation [ force ]
Delayed LCP packet transmission is configured.
l Run ppp keepalive { interval interval-time | retransmit times | response-timeout
response-timeout-time } * [ datacheck | no-datacheck ]
A PPP detection interval and the maximum number of retransmission times allowed are
configured.
l Run ppp keepalive adjustment { system-state | retransmit }
Adjustment of the number of PPP detection times is enabled.
l Run mtu mtu
An MTU is configured in the VT.
l Run ppp mru mru
An MRU is configured for PPP negotiation.
l Run pppoe-motm motm-value
The device is configured to encapsulate clock synchronization information to the MOTM
tag in a PPPoE active discovery message (PADM).
l Run quit
Return to the system view.
l Run pppoe ppp-max-payload enable
The device is enabled to negotiate the MRU in compliance with standard protocols.
Step 5 (Optional) Run ppp chap user user-name
A user name is specified.
Step 6 Run commit
The configuration is committed.

----End

10.7.3 Binding the Virtual Template to an Interface


Bind a VT to an interface so that data on the interface can be transmitted based on parameters
defined in the VT.

Context
After a VT is configured, bind it to an interface. The type of the interface to which a VT is
bound varies depending on the user access type.
l The VT configured for PPPoE services must be bound to a main interface.
l The VT configured for PPPoEoVLAN services must be bound to a sub-interface.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ . subinterface-number ]
The interface or sub-interface view is displayed.
Specify a main interface for PPPoE access users and a sub-interface for PPPoEoVLAN access
users.
Step 3 Run pppoe-server bind virtual-template vt-number
A VT is bound to the interface.
Step 4 Run commit
The configuration is committed.

----End

10.7.4 Binding a Sub-interface to a VLAN


To restrict broadcast packets on a LAN and enhance the LAN security or create virtual
groups, you need to configure VLANs. VLANs are applicable to only Ethernet sub-interfaces.

Context
If users access the network by using a sub-interface, the sub-interface needs to be bound to a
VLAN.
You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding
a sub-interface to a VLAN, you need the following parameters:
l Sub-interface number
l VLAN ID
l QinQ ID
NOTE

l On each main interface, user-vlan any-other can be configured on only one sub-interface. On one sub-
interface, user-vlan any-other cannot be configured together with user-vlan start-vlan or user-vlan qinq.
l The user-vlan command cannot be configured on a sub-interface of a Layer 2 interface.
l If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a
sub-interface, the user-vlan cannot be configured on this sub-interface.
l Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.

Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number.subinterface-number
A sub-interface is created and the sub-interface view is displayed.
Step 3 Run user-vlan { start-vlan [ end-vlan ] [ qinq start-qinq-id [ end-qinq-id ] ] | any-other }
A user-side VLAN is created.
Step 4 Run commit
The configuration is committed.

----End
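The rules in the NOTE above are the kind of thing worth checking before a commit, because a conflicting user-vlan set is what leaves users unable to come up on the intended sub-interface. The Python below is an added example, not NE40E software: it lints a constructed list of sub-interface settings against those rules. The interface names, VLAN ranges and the feature strings are constructed; the duplicate-VLAN rule is applied per main interface and compares user-side VLAN IDs only (QinQ outer tags are not considered), which is an interpretation made here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VlanRange = Tuple[int, int]  # (start, end), inclusive; a single VLAN is (n, n)

# Features that, per the NOTE above, exclude user-vlan on the same sub-interface.
CONFLICTING_FEATURES = {"dot1q termination", "qinq termination",
                        "qinq stacking", "vlan-type dot1q"}


@dataclass
class SubInterface:
    """Constructed model of one sub-interface's VLAN settings (not device data)."""
    name: str                                # constructed name, e.g. "GE0/1/0.1"
    main_interface: str
    main_is_layer2: bool = False
    user_vlan: Optional[VlanRange] = None    # user-vlan start-vlan [end-vlan]
    qinq: Optional[VlanRange] = None         # ... qinq start-qinq-id [end-qinq-id]
    any_other: bool = False                  # user-vlan any-other
    features: List[str] = field(default_factory=list)  # other VLAN features present


def overlap(a: VlanRange, b: VlanRange) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_user_vlan(subifs: List[SubInterface]) -> List[str]:
    """Return one message per violated rule; an empty list means the set is consistent."""
    problems: List[str] = []
    any_other_by_main: Dict[str, List[str]] = {}
    for s in subifs:
        uses_user_vlan = s.user_vlan is not None or s.any_other
        if uses_user_vlan and s.main_is_layer2:
            problems.append(f"{s.name}: user-vlan cannot be configured on a "
                            "sub-interface of a Layer 2 interface")
        clash = CONFLICTING_FEATURES & set(s.features)
        if uses_user_vlan and clash:
            problems.append(f"{s.name}: user-vlan cannot coexist with "
                            + ", ".join(sorted(clash)))
        if s.any_other and (s.user_vlan is not None or s.qinq is not None):
            problems.append(f"{s.name}: user-vlan any-other cannot be combined "
                            "with user-vlan start-vlan or qinq")
        if s.any_other:
            any_other_by_main.setdefault(s.main_interface, []).append(s.name)
    for main, names in any_other_by_main.items():
        if len(names) > 1:
            problems.append(f"{main}: user-vlan any-other is set on more than one "
                            f"sub-interface ({', '.join(names)})")
    # Duplicate user-side VLAN IDs, checked among sub-interfaces of the same main interface.
    for i, a in enumerate(subifs):
        for b in subifs[i + 1:]:
            if (a.main_interface == b.main_interface and a.user_vlan and b.user_vlan
                    and overlap(a.user_vlan, b.user_vlan)):
                problems.append(f"{a.name} and {b.name}: user-side VLAN ranges overlap")
    return problems


def run_scenario() -> Dict[str, List[str]]:
    """Constructed sets: one violating each rule once, and one that is clean."""
    bad = [
        SubInterface("GE0/1/0.1", "GE0/1/0", user_vlan=(10, 20)),
        SubInterface("GE0/1/0.2", "GE0/1/0", user_vlan=(15, 30)),  # overlaps .1
        SubInterface("GE0/1/0.3", "GE0/1/0", any_other=True),
        SubInterface("GE0/1/0.4", "GE0/1/0", any_other=True,
                     user_vlan=(40, 40)),  # second any-other, mixed with start-vlan
        SubInterface("GE0/1/1.1", "GE0/1/1", main_is_layer2=True, user_vlan=(5, 5)),
        SubInterface("GE0/1/2.1", "GE0/1/2", user_vlan=(100, 100),
                     features=["vlan-type dot1q"]),
    ]
    good = [
        SubInterface("GE0/1/0.1", "GE0/1/0", user_vlan=(10, 20)),
        SubInterface("GE0/1/0.2", "GE0/1/0", user_vlan=(21, 30)),
        SubInterface("GE0/1/0.3", "GE0/1/0", any_other=True),
    ]
    return {"bad": check_user_vlan(bad), "good": check_user_vlan(good)}
```

Running the block with the "bad" set yields five findings, one per rule in the NOTE; the "good" set yields none.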

10.7.5 Configuring a BAS Interface


If an interface is used for broadband user access, you need to configure the interface as a BAS
interface and set the access type and other attributes.

Context
When configuring a BAS interface, you need the following parameters:
l BAS interface number
l Access type and authentication scheme
l Specified domains for the BAS interface
– Default authentication domain
If no domain name is entered during user authentication, the NE40E regards the
user as a member in the default authentication domain by default.
– Roaming domain
The roaming domain is used for users whose domain names are unidentified. If a
user enters an unidentified domain name during authentication, the NE40E
classifies the user as a roaming domain user and conducts the following
authentication.
– Domain for user access
If a domain for user access is specified on a BAS interface, users can log in to the
NE40E from the domain. If they log in to the NE40E from other domains, the
NE40E will deny their access requests.
– Domain denying user access
If a domain denying user access is specified on a BAS interface, users cannot log in
to the NE40E from the domain. If they log in to the NE40E from other domains, the
NE40E will accept their access requests.
l Additional functions of the BAS interface
– Access triggered by IPv6 packets
– Access triggered by NS or NA packets
– BAS interface name
Knowing the BAS interface name facilitates memorization and management.
– Accounting packet copy
The accounting packet copy function sends accounting information to two RADIUS
servers at the same time and waits for their responses. The function is used when
original accounting information needs to be stored on multiple devices (for
example, the multi-carrier networking scenario). After the function is configured,
accounting packets are sent to two RADIUS servers simultaneously (as the original
accounting information) to facilitate later account settlement.
l Packet processing mode
– access-line-id
On a broadband telecommunication network, the DSLAM obtains DHCP packets
and adds access-line-id information to them. access-line-id records information
about the user's physical interface. As the access-line-id information is transmitted
to the NE40E, DHCP server, and RADIUS server, the devices are informed of the
user location. The management system then implements proper security and address
allocation strategies based on the user location information.
– link-account
If only RADIUS accounting is used, the RADIUS accounting server uses
VLAN/PVC descriptions to identify common Layer 2 users and uses interface
descriptions to identify Layer 3 leased line users. The BRAS encapsulates the
descriptions into the Class attribute and sends it to the RADIUS accounting server.
Perform the following steps on the NE40E.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
Step 3 Run bas
A BAS interface is created, and the BAS interface view is displayed.
You can configure an interface as the BAS interface by running the bas command in the
interface view. An Ethernet interface or its sub-interface, or an Eth-Trunk interface or its sub-
interface can be set to a BAS interface.

Step 4 Configure the access type.
l Run access-type layer2-subscriber [ default-domain [ authentication dname ] ]
The access type and relevant attributes are configured for Layer 2 access users.
The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk
interface. You can configure the access type only on the Eth-Trunk interface.
Step 5 Configure the authentication mode.
Run authentication-method ppp [ web ]
or run authentication-method-ipv6 ppp [ web ]
PPP or PPP Web authentication is configured.
Step 6 (Optional) Specify domains on the BAS interface.
NOTE

The permit-domain command, deny-domain command, deny-domain-list command, and permit-domain-list
command cannot be configured on the same BAS interface.
l Configure the default pre-authentication domain.
Run default-domain pre-authentication domain-name
The default pre-authentication domain is specified.
l Configure the default authentication domain.
Run default-domain authentication [ force | replace ] domain-name
The default authentication domain is specified.
NOTE

Run default-domain authentication ppp-user domain-name
The default authentication domain for PPP users is specified.
– If the default-domain authentication ppp-user domain-name command is configured, the
authentication domain specified in this step is used as the default authentication domain for PPP
users.
– If the default-domain authentication ppp-user domain-name command is not configured but the
default-domain authentication [ force | replace ] domain-name command is configured, the
authentication domain specified using the default-domain authentication [ force | replace ]
domain-name command is used as the default authentication domain for PPP users.
– If neither of the commands is configured, the default authentication domain for PPP users is
default1.
l Configure the roaming domain.
Run roam-domain domain-name
The roaming domain is specified.
l Configure the domain for user access.
Run permit-domain domain-name &<1-16>
A domain for user access is specified.
l Configure the domain denying user access.
Run deny-domain domain-name&<1-16>
A domain denying user access is specified.
Or, run deny-domain-list
A list of domains denying user access is configured.

Step 7 (Optional) Configure additional functions of the BAS interface.
l Configure access triggered by packets.
– Run ipv6-trigger
Access triggered by IPv6 packets is configured.
– Or, run nd-trigger
Access triggered by NS or NA packets is configured.
l Configure the accounting packet copy function.
Run accounting-copy radius-server radius-name
The accounting packet copy function is enabled.
l Configure the user detection interval.
Run user detect retransmit number interval time
The user detection interval is configured.
l Block the BAS interface.
Run block [ start-vlan { start-vlan [ end-vlan end-vlan ] [ qinq pe-vlan ] | any qinq
start-qinq-vlan [ end-qinq-vlan ] } | pvc start-vpi/start-vci [ end-vpi/end-vci ] ]
The BAS interface is blocked.
l Limit the number of users on the BAS interface.
Run access-limit number
The number of users on the BAS interface is limited.
If the command is run and the VLAN information is specified, the number of users in the
specified VLAN(s) on the BAS interface is limited.
If the command is run and the VLAN information is not specified, the number of users in
each VLAN/PVC on the BAS interface is limited. If the two types of configurations
coexist on a BAS interface, they do not conflict. The number of users in the specified
VLAN/PVC is subject to the limit set for the specified VLAN. The number of users in
any one of the other unspecified VLANs is subject to the limit set for each VLAN on the
BAS interface.
Step 8 (Optional) Configure the packet processing mode.
l Configure the method of processing access-line-id information.
Run the client-option82 [ { basinfo-insert { cn-telecom | version3 } | version1 } ] or
client-access-line-id [ basinfo-insert cn-telecom | version1 ] command to configure the
NE40E to trust the access-line-id information sent from the client.
Or, run the basinfo-insert cn-telecom command to configure the NE40E to distrust the
access-line-id information sent from the client and insert the access-line-id information
in the format defined by China Telecom.
Or, run the basinfo-insert version2 command to configure the Router to insert the access-line-id
information in the format defined by version2 if the Router does not trust the access-line-id
information sent from the DHCP client.
The Router will parse and transmit access-line-id information based on the following
configurations:
– Run the option82-relay-mode dslam or access-line-id dslam { auto-identify |
config-identify } command to allow the Router to extract information from the
access-line-id field in the packet sent from the DSLAM and add the information to
Agent-CircuitID and Agent-RemoteID attributes sent to the RADIUS server. Or,
run the option82-relay-mode include or access-line-id include { allvalue |
{ agent-circuit-id | agent-remote-id [ separator ] }* } command to allow the NAS-Port-Id
attribute sent to the RADIUS server to contain access-line-id information.
– Run the option82-relay-mode subopt or access-line-id translate { agent-circuit-
id { hex | string } | agent-remote-id { hex | string } command to configure the
format of Agent-CircuitID or Agent-RemoteID information.
Or, run vbas vbas-mac-address [ auth-mode { ignore | reject } ]
The function of locating a user through the virtual BAS (VBAS) is enabled.
l Configure the method of processing link-account information.
Run the link-account resolve command.
Accounting-request packets carrying link-account information are sent to the RADIUS
server. This affects RADIUS attribute 25 (Class) in the accounting-request packets that
the device sends to the RADIUS accounting server.
An interface fills link-account information into RADIUS attribute 25 (Class) only if
both of the following conditions are met:
– Users going online from the interface do not need to be authenticated, and
RADIUS accounting is configured on the interface.
– For common Layer 2 users, VLANs and VLAN descriptions are configured on the
interface, or PVCs and PVC descriptions are configured on the interface.
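The access-line-id handling above decides whether the Router trusts a circuit-id and remote-id supplied in the client's PPPoE discovery packets or inserts its own, how the value is rendered (hex or string) and how it is placed into NAS-Port-Id. The following Python, added here as an illustration and not taken from the Huawei guide or from NE40E software, parses the ADSL Forum Vendor-Specific PPPoE tag that carries the access-line-id and builds those RADIUS values. The tag layout comes from RFC 4679 and BBF TR-101; the sample bytes are constructed, and the function names, the separator handling and the NAS-Port-Id layout are assumptions chosen for the example.

```python
"""Added example, not from the Huawei guide: parse the access-line-id that a
DSLAM/OLT inserts into PPPoE discovery packets and build the RADIUS values
described for access-line-id dslam / include / translate.

Layout (RFC 4679, BBF TR-101): PPPoE tag 0x0105 (Vendor-Specific) whose value
is the 4-byte vendor ID 0x00000DE9 (3561, ADSL Forum) followed by sub-TLVs
<subtype:1><length:1><value>; subtype 0x01 = Agent Circuit ID, 0x02 = Agent
Remote ID. All byte strings below are constructed sample input.
"""
import struct
from dataclasses import dataclass
from typing import Optional

PPPOE_TAG_END_OF_LIST = 0x0000
PPPOE_TAG_SERVICE_NAME = 0x0101
PPPOE_TAG_VENDOR_SPECIFIC = 0x0105
VENDOR_ID_ADSL_FORUM = 0x00000DE9
SUB_CIRCUIT_ID = 0x01
SUB_REMOTE_ID = 0x02


@dataclass
class AccessLineId:
    circuit_id: Optional[bytes]
    remote_id: Optional[bytes]


def parse_pppoe_tags(payload: bytes) -> list:
    """Split a PPPoE discovery payload (bytes after the 6-byte PPPoE header)
    into (tag_type, tag_value) pairs. A length that overruns the payload
    raises: a BAS must not act on a half-parsed line ID."""
    tags, off = [], 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + tlen > len(payload):
            raise ValueError("PPPoE tag length exceeds payload")
        tags.append((ttype, payload[off:off + tlen]))
        off += tlen
        if ttype == PPPOE_TAG_END_OF_LIST:
            break
    if off != len(payload):
        raise ValueError("trailing bytes after PPPoE tags")
    return tags


def extract_access_line_id(payload: bytes) -> Optional[AccessLineId]:
    """Return the Agent Circuit ID / Agent Remote ID from the ADSL Forum
    Vendor-Specific tag, or None when the access node inserted none (the case
    in which the Router has to insert its own, i.e. basinfo-insert)."""
    for ttype, value in parse_pppoe_tags(payload):
        if ttype != PPPOE_TAG_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack_from("!I", value, 0)[0] != VENDOR_ID_ADSL_FORUM:
            continue  # another vendor's tag, not an access-line-id
        circuit_id = remote_id = None
        off = 4
        while off + 2 <= len(value):
            subtype, sublen = value[off], value[off + 1]
            off += 2
            if off + sublen > len(value):
                raise ValueError("sub-TLV length exceeds Vendor-Specific tag")
            sub = value[off:off + sublen]
            off += sublen
            if subtype == SUB_CIRCUIT_ID:
                circuit_id = sub
            elif subtype == SUB_REMOTE_ID:
                remote_id = sub
        return AccessLineId(circuit_id, remote_id)
    return None


def translate(value: bytes, mode: str) -> str:
    """Counterpart of access-line-id translate ... { hex | string }: render the
    raw bytes as a hex string or as text; non-ASCII bytes are replaced rather
    than passed through to the RADIUS server."""
    if mode == "hex":
        return value.hex()
    if mode == "string":
        return value.decode("ascii", errors="replace")
    raise ValueError("unknown translate mode: %r" % mode)


def nas_port_id(line: AccessLineId, separator: str = " ") -> str:
    """Counterpart of access-line-id include agent-circuit-id agent-remote-id
    [ separator ]: join the fields that are present (layout assumed here)."""
    parts = [translate(v, "string")
             for v in (line.circuit_id, line.remote_id) if v is not None]
    return separator.join(parts)


def build_vendor_specific_tag(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Construct one ADSL Forum Vendor-Specific tag (sample-input helper)."""
    body = struct.pack("!I", VENDOR_ID_ADSL_FORUM)
    body += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    body += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    return struct.pack("!HH", PPPOE_TAG_VENDOR_SPECIFIC, len(body)) + body


# Constructed samples: a PADI with an empty Service-Name tag, once without
# and once with a DSLAM-inserted access-line-id.
PADI_WITHOUT_LINE_ID = struct.pack("!HH", PPPOE_TAG_SERVICE_NAME, 0)
PADI_WITH_LINE_ID = PADI_WITHOUT_LINE_ID + build_vendor_specific_tag(
    b"DSLAM01 eth 1/2/3:100.200", b"user0001")
```

extract_access_line_id(PADI_WITH_LINE_ID) yields the circuit-id and remote-id, translate() renders them the way the hex or string option would, and nas_port_id() joins them as the include option does; PADI_WITHOUT_LINE_ID yields None, the situation in which only a basinfo-insert mode produces a usable line ID.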

Step 9 Run commit

The configuration is committed.

----End

10.7.6 (Optional) Configuring Refined IPv6 Route Advertisement


Refined IPv6 route advertisement can classify routes and advertise them to different networks.

Context
IPv6 network segment routes and address pool routes are classified based on tags and
imported using routing policies. This process allows various routes to be advertised to specific
networks. IPv6 network segment routes are generated based on Delegated-IPv6-Prefix
attributes that are delivered by a RADIUS server.

Procedure
l Configure a tag value of a route for a specified type of address pool, such as local or
remote address pools.
a. Run system-view

The system view is displayed.


b. Run ipv6 unr { delegated-ipv6-prefix-tag tag-value | delegated-pool-tag tag-
value | framed-ipv6-address-tag tag-value | framed-ipv6-prefix-tag tag-value |
framed-ipv6-route-tag tag-value | local-pool-tag tag-value | remote-pool-tag tag-
value } *

The route tag is configured.


l Configure a tag value of a route for a single address pool.


a. Run system-view

The system view is displayed.


b. Run ipv6 pool pool-name

The IPv6 address pool view is displayed.


c. Run unr tag tag-value

The route tag is configured.

----End

Follow-up Procedure
Create a routing policy and specify a route tag in it to classify routes. Use OSPFv3 or BGP4+ to
import the different routes. For details, see Routing Policy Configuration.

10.7.7 (Optional) Configuring the PPP Magic Number Check


Function
You can configure the PPP magic number check function to verify that a PPPoE user who has
logged in is still online, and that the keepalive replies actually come from that user's PPP peer.

Context
After a PPPoE user goes online, the device periodically sends LCP Echo-Request packets to the
client.

When receiving an Echo-Reply packet, the device compares the magic number carried in the
packet with the one learned from the peer during LCP negotiation. If the two magic numbers are
the same, the user is considered online. Otherwise the reply did not come from the negotiated
peer (for example, the link is looped back) and the user is considered offline.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ppp keepalive strict-check magic-number

The PPP magic number check function is enabled so that the device compares the magic
number in a received Echo Reply packet with that learned during LCP negotiation.

Step 3 Run commit

The configuration is committed.

----End
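The check described above compares a 4-byte field in each LCP Echo-Reply against the value the peer announced during LCP negotiation. The following Python, added here as an illustration and not taken from the Huawei guide or from NE40E software, implements that comparison over raw LCP bytes (RFC 1661 layout), so the difference between the strict and the non-strict keepalive is visible on a forged reply. The class and function names, the modelling of the non-strict mode as accepting any Echo-Reply with the matching identifier, and the sample packets are assumptions constructed for the example.

```python
"""Added example, not from the Huawei guide: the LCP Echo-Request/Echo-Reply
magic-number comparison that ppp keepalive strict-check magic-number enables.

LCP layout (RFC 1661): <code:1><identifier:1><length:2><data>. Echo-Request
(code 9) and Echo-Reply (code 10) carry a 4-byte Magic-Number first in data.
The peer's magic number is learned from option 5 of its Configure-Request
(code 1). All packets below are constructed sample input.
"""
import struct
from typing import Optional

LCP_CONFIGURE_REQUEST = 1
LCP_ECHO_REQUEST = 9
LCP_ECHO_REPLY = 10
LCP_OPT_MAGIC_NUMBER = 5


def build_lcp(code: int, identifier: int, data: bytes) -> bytes:
    """Frame one LCP packet; length covers the 4-byte header plus data."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def negotiated_magic_number(configure_request: bytes) -> Optional[int]:
    """Learn the peer's magic number from its Configure-Request, as the BAS
    does during LCP negotiation. Returns None if the option is absent."""
    code, _ident, length = struct.unpack_from("!BBH", configure_request, 0)
    if code != LCP_CONFIGURE_REQUEST or length != len(configure_request):
        raise ValueError("not a well-formed LCP Configure-Request")
    off = 4
    while off + 2 <= length:
        opt_type, opt_len = configure_request[off], configure_request[off + 1]
        if opt_len < 2 or off + opt_len > length:
            raise ValueError("malformed LCP option")
        if opt_type == LCP_OPT_MAGIC_NUMBER and opt_len == 6:
            return struct.unpack_from("!I", configure_request, off + 2)[0]
        off += opt_len
    return None


class PppKeepalive:
    """Per-session keepalive state. With the strict check on, only an
    Echo-Reply whose magic number equals the peer's negotiated one counts as
    proof of life; without it (modelled here as an assumption) any Echo-Reply
    with the matching identifier is accepted."""

    def __init__(self, peer_magic: int, strict_magic_check: bool = True):
        self.peer_magic = peer_magic
        self.strict = strict_magic_check
        self.pending_id: Optional[int] = None
        self.user_online = True

    def echo_request(self, identifier: int, local_magic: int) -> bytes:
        """Build the Echo-Request the BAS sends and remember its identifier."""
        self.pending_id = identifier
        return build_lcp(LCP_ECHO_REQUEST, identifier, struct.pack("!I", local_magic))

    def echo_reply(self, packet: bytes) -> bool:
        """Process a received Echo-Reply; True if it proves the user online."""
        if len(packet) < 8:
            return False
        code, identifier, length = struct.unpack_from("!BBH", packet, 0)
        if (code != LCP_ECHO_REPLY or length != len(packet)
                or identifier != self.pending_id):
            return False
        (magic,) = struct.unpack_from("!I", packet, 4)
        if self.strict and magic != self.peer_magic:
            # Not from the negotiated peer (looped link, or a reply produced
            # by some other host): the user is considered offline.
            self.user_online = False
            return False
        self.pending_id = None
        self.user_online = True
        return True


# Constructed samples: the peer's Configure-Request with MRU 1492 (option 1)
# and Magic-Number 0x2a954e9b (option 5), a genuine reply and a forged one.
PEER_CONFIGURE_REQUEST = build_lcp(
    LCP_CONFIGURE_REQUEST, 0x01,
    bytes([1, 4]) + struct.pack("!H", 1492)
    + bytes([LCP_OPT_MAGIC_NUMBER, 6]) + struct.pack("!I", 0x2A954E9B))
GOOD_ECHO_REPLY = build_lcp(LCP_ECHO_REPLY, 0x07, struct.pack("!I", 0x2A954E9B))
FORGED_ECHO_REPLY = build_lcp(LCP_ECHO_REPLY, 0x07, struct.pack("!I", 0xDEADBEEF))


def keepalive_round_with_forged_reply(strict: bool) -> bool:
    """One keepalive round answered by FORGED_ECHO_REPLY; returns whether the
    user is still considered online afterwards."""
    ka = PppKeepalive(negotiated_magic_number(PEER_CONFIGURE_REQUEST), strict)
    ka.echo_request(0x07, 0x11223344)
    ka.echo_reply(FORGED_ECHO_REPLY)
    return ka.user_online
```

keepalive_round_with_forged_reply(True) returns False, the behaviour after ppp keepalive strict-check magic-number, while keepalive_round_with_forged_reply(False) returns True because the identifier alone matched.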

10.7.8 Verifying the PPPoXv6 Access Service Configuration


After configuring the PPPoXv6 access service, check the PPPoXv6 access configurations.


Procedure
l Run the display access-user command to check information about all access users. You
can specify the command parameters to view the specific user information.
l Run the display sub-interface interface-type interface-number pevlan pe-vlan-id
[ cevlan ce-vlan-id ] command to check information about a sub-interface bound to a
specified VLAN on an interface.
l Run the display bas-interface command to check information about the BAS interface.
l Run the display vlan-statistics interface interface-type interface-number.subinterface-
number pevlan pe-vlan-id [ cevlan ce-vlan-id ] [ verbose ] command to check statistics
about traffic and PPP packets on a specified sub-interface bound to a specified VLAN.
NOTE
The display vlan-statistics interface interface-type interface-number.subinterface-number pevlan
pe-vlan-id [ cevlan ce-vlan-id ] [ verbose ] command is available only when it is enabled through a PAF file.
l Run the display vlan-statistics interface interface-type interface-number pevlan pe-vlan-id
command to check statistics about traffic on a specified interface bound to a specified
VLAN.
l Run the display ppp slot slot-number chasten-user [ mac-address mac-address ]
command to check information about the PPP users that are forbidden to access the
NE40E.
l Run the display ppp { user-id user-id | username username | ip-address ipv4-address
[ vpn-instance instance-name ] | ipv6-address ipv6-address [ vpn-instance instance-
name ] | circuit-id circuit-id-text | remote-id circuit-id-text } command to check
information about the PPP status.

NOTE
Configuring the ui-mode type1 command in the system view influences the output format of the
display command.

----End

Example
Run the display access-user command. If the PPPoXv6 access service is configured
successfully, information about all access users is displayed.
<HUAWEI> display access-user
------------------------------------------------------------------------------
Total users : 9
IPv4 users : 9
IPv6 users : 0
Dual-Stack users : 0
Lac users : 0
RUI local users : 0
RUI remote users : 0
Wait authen-ack : 0
Authentication success : 9
Accounting ready : 9
Accounting state : 0
Wait leaving-flow-query : 0
Wait accounting-start : 0
Wait accounting-stop : 0
Wait authorization-client : 0
Wait authorization-server : 0
------------------------------------------------------------------------------
Domain-name Online-user
------------------------------------------------------------------------------
default0 : 0


default1 : 0
default_admin : 0
wq : 0
chen : 0
isp7 : 0
gaoli : 0
ly : 0
test : 0
lsh : 9
------------------------------------------------------------------------------
The used CID table are :
20-28
------------------------------------------------------------------------------

Run the display sub-interface interface-type interface-number pevlan pe-vlan-id [ cevlan ce-
vlan-id ] command to view information about the sub-interface bound to VLAN 1000 on
Eth-Trunk 11.
<HUAWEI> display sub-interface Eth-Trunk11 pevlan 1000
Sub-interface: Eth-Trunk11.1000
Sub-interface-status: UP
PeVlan/CeVlan: 1000/0
The BAS function has been enabled

Run the display bas-interface command to view brief information about all BAS
interfaces.
<HUAWEI> display bas-interface
---------------------------------------------------------------------------
Interface BASIF-access-type config-state access-number
---------------------------------------------------------------------------
Eth-Trunk0 Layer2-subscriber Updated 0
Eth-Trunk0.1 Layer2-subscriber Updated 1
Eth-Trunk0.1234 Layer2-subscriber Updated 0
----------------------------------------------------------------------
Total 3 BASIF is configured

Run the display vlan-statistics interface interface-type interface-number pevlan pe-vlan-id
command to view traffic statistics on GE 0/1/1.
<HUAWEI> display vlan-statistics interface GigabitEthernet 0/1/1
Interface Name: GigabitEthernet0/1/1
input: 0 packets, 0 bytes
output: 0 packets, 0 bytes
ipv4 input: 0 packets, 0 bytes
ipv4 output: 0 packets, 0 bytes
ipv6 input: 0 packets, 0 bytes
ipv6 output: 0 packets, 0 bytes

Run the display ppp slot slot-number chasten-user command to view information about
the users that are forbidden to access the interface board in slot 1.
<HUAWEI> display ppp slot 1 chasten-user
------------------GLOBAL PPP CHASTEN USERS SLOT 1 ---------------------
To be possibly blocked User Num: 0 (online-fail)
To be possibly blocked User Num: 0 (quick-offline)
To be possibly blocked User Num by Option105: 0 (online-fail)
To be possibly blocked User Num by Option105: 1 (quick-offline)
(1):MAC 00-02-01-01-01-01 Option105(circuitid:123 remoteid:abcde) will be free
after 89s (quick-offline)
Blocked User Num : 0 (online-fail)
Blocked User Num : 1 (quick-offline)
------------------PPPOE VLAN CHASTEN USERS SLOT 1 ---------------------
To be possibly blocked User Num: 0 (online-fail)
To be possibly blocked User Num: 0 (quick-offline)
To be possibly blocked User Num by Option105: 0 (online-fail)
To be possibly blocked User Num by Option105: 0 (quick-offline)
Blocked User Num : 0 (online-fail)
Blocked User Num : 0 (quick-offline)


If the ui-mode type1 command is not configured, run the display ppp user-id user-id
command to display the PPP information of the specified user.
<HUAWEI> display ppp user-id 100
--------------------------------------------------------------------------
Basic information of user
--------------------------------------------------------------------------
User Name :huawei@test1
Session ID :1
User Mac :0016-ecaa-975b
Interface :Eth-Trunk3.409
PeVlan/CeVlan :409/0
VPI/VCI :0/0
IP :10.0.0.200
Gateway :10.0.0.1
User IP Netmask(Client) :255.255.255.0
User IP Netmask(Radius):255.255.255.128
User IP Netmask(Result) :255.255.255.128
Primary DNS :0.0.0.0
Second DNS :0.0.0.0
IPV6 Interface IDType :AUTO
IPv6 Local InterfaceID :2e0:fcff:fe5f:d7ae
IPv6 Peer InterfaceID :216:ec0:1aa:975b
--------------------------------------------------------------------------
LCP information
--------------------------------------------------------------------------
Authentication :CHAP
MTU :1480
MRU :1492
MagicNumber :0x2a954e9b
CalledNumber :
CallingNumber :
Keep Alive Time :300
Retransmit Times :10
--------------------------------------------------------------------------
LAC-LNS information
--------------------------------------------------------------------------
Lac-PeerIp :0.0.0.0
Lac-PeerTunnelId :0
Lac-PeerSessionId :0
Lac-LocalIp :0.0.0.0
Lac-LocalTunnelId :0
Lac-LocalSessionId :0
Lac-SrcUDPPort :0
Lac-DstUDPPort :0

Lns-PeerIp :0.0.0.0
Lns-PeerTunnelId :0
Lns-PeerSessionId :0
Lns-LocalIp :0.0.0.0
Lns-LocalTunnelId :0
Lns-LocalSessionId :0
Lns-SrcUDPPort :0
Lns-DstUDPPort :0
--------------------------------------------------------------------------

10.8 Maintaining PPPoE Access


This section describes how to clear PPP and PPPoE packet statistics.

10.8.1 Clearing PPPoE Statistics


If excessive user login and logout records exist, clear PPPoE statistics.


Procedure
l Run the reset pppoe statistics { slot slot-id | interface interface-type interface-number }
command to clear PPPoE packet statistics.
l Run the reset pppoe statistics online-fail-record { slot slot-id } command to clear
statistics about PPPoE user login failures due to access IP limit (maximum number of
access users).
----End

10.9 Configuration Examples for PPPoE Access


This section provides examples for configuring the PPPoE access service, including
networking requirements, configuration notes, and configuration roadmaps.

10.9.1 Example for Configuring PPPoE Access for IPv4 Users


This section provides an example for configuring PPPoEoVLAN access for IPv4 users.

Networking Requirements
On the network shown in Figure 10-6, subscriber1 belongs to VLAN1, and subscriber2
belongs to VLAN2. The network-side interface on the Router is GE 0/1/1. To allow
subscriber1 and subscriber2 to use IPv4 addresses to go online, configure PPPoEoVLAN
access. The requirements are as follows:
l Subscribers belong to domain isp1 and use PPPoEoVLAN to go online through GE
0/1/2.1 on the Router. The LAN switch marks the priorities of user packets from VLAN1
and VLAN2.
l RADIUS authentication and accounting are used.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port number
is 1645, and the accounting port number is 1646. RADIUS+1.1 is used, with the
shared key hello.
l The IP address of the DNS server is 192.168.7.252.

Figure 10-6 Networking for configuring PPPoEoVLAN access for IPv4 users
NOTE
Interfaces 1 and 2 in this example are GE0/1/1 and GE0/1/2.1, respectively.
(Figure: subscriber1@isp1 in VLAN1 and subscriber2@isp1 in VLAN2 connect to interface2 of the
Device; interface1 (192.168.7.1/24) connects to the Internet, the DNS server 192.168.7.252 and
the RADIUS server 192.168.7.249.)


Configuration Roadmap
1. Configure a VT.
2. Configure AAA schemes.
3. Configure a RADIUS server group.
4. Configure an IPv4 address pool.
5. Configure a domain.
6. Bind the VT to a sub-interface.
7. Configure a BAS interface.

Data Preparation
l VT number
l Authentication and accounting schemes and their names
l RADIUS server group name and server address
l DNS server address
l User domain
l BAS interface parameters

Procedure
Step 1 Configure a VT.
<HUAWEI> system-view
[~HUAWEI] interface virtual-template 1
[*HUAWEI-Virtual-Template1] ppp authentication-mode chap
[*HUAWEI-Virtual-Template1] quit
[*HUAWEI] commit

Step 2 Configure an authentication scheme.


[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] quit
[*HUAWEI-aaa] commit

Step 3 Configure an accounting scheme.


[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] quit
[*HUAWEI-aaa] quit
[*HUAWEI] commit

Step 4 Configure a RADIUS server group.


[~HUAWEI] radius-server group rd1
[*HUAWEI-radius-rd1] radius-server authentication 192.168.7.249 1645
[*HUAWEI-radius-rd1] radius-server accounting 192.168.7.249 1646
[*HUAWEI-radius-rd1] radius-server type plus11
[*HUAWEI-radius-rd1] radius-server shared-key-cipher hello
[*HUAWEI-radius-rd1] quit
[*HUAWEI] commit

Step 5 Configure an address pool.


[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 10.82.0.1 255.255.255.0


[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] section 0 10.82.0.2 10.82.0.200
[*HUAWEI-ip-pool-pool1] dns-server 192.168.7.252
[*HUAWEI-ip-pool-pool1] quit
[*HUAWEI] commit

Step 6 Configure a domain named isp1.


[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group rd1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] ip-pool pool1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit
[~HUAWEI] commit

Step 7 Configure user VLANs on the sub-interface and bind the VT to it.
# Configure user VLANs on GE 0/1/2.1 and bind the VT to it.
[~HUAWEI] interface gigabitethernet 0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 2
[*HUAWEI-GigabitEthernet0/1/2.1-vlan-1-2] quit
[*HUAWEI-GigabitEthernet0/1/2.1] pppoe-server bind virtual-template 1
[*HUAWEI-GigabitEthernet0/1/2.1] commit

Step 8 Configure a BAS interface.


[~HUAWEI-GigabitEthernet0/1/2.1] bas
[*HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method ppp
[*HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[*HUAWEI-GigabitEthernet0/1/2.1] quit
[*HUAWEI] commit

NOTE

In this example, users go online with the domain name isp1 being carried in the user name. Therefore,
the BAS interface does not need to have any authentication domain configured. If users go online
without the domain name being carried in the user name, you must specify an authentication domain on
the BAS interface.

Step 9 Verify the configuration.


# Check information about the address pool named pool1. The command output shows that
the gateway address is 10.82.0.1, the addresses in the pool range from 10.82.0.2 to
10.82.0.200, and the DNS server address is 192.168.7.252.
<HUAWEI> display ip pool name pool1
Pool-Name : pool1
Pool-No : 0 Pool-constant-index :-
Lease : 3 Days 0 Hours 0 Minutes
NetBois Type : N-Node
DNS-Suffix : -

DNS1 :192.168.7.252
Position : Local Status : Unlocked
Gateway : 10.82.0.1 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT(conflicted)
---------------------------------------------------------------------------
ID start end total used idle CFLCT disable reserved
---------------------------------------------------------------------------
0 10.82.0.2 10.82.0.200 199 0 199 0 0 0
---------------------------------------------------------------------------

# Check information about the domain named isp1. The command output shows that the
address pool named pool1 is bound to the domain.
<HUAWEI> display domain isp1
------------------------------------------------------------------------------
Domain-name : isp1
Domain-state : Active
Authentication-scheme-name : auth1
Accounting-scheme-name : acct1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : rd1
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IPv6-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IP-address-pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
------------------------------------------------------------------------------

----End


Configuration Files
#
sysname HUAWEI
#
radius-server group rd1
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
radius-server type plus11
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/2
#
interface GigabitEthernet0/1/2.1
pppoe-server bind Virtual-Template 1
user-vlan 1 2
bas
access-type layer2-subscriber
#
interface GigabitEthernet0/1/1
ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
gateway 10.82.0.1 255.255.255.0
section 0 10.82.0.2 10.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
#
return

10.9.2 Example for Configuring PPPoE Access for IPv6 Users


This section provides an example for configuring PPPoE access for IPv6 users.

Networking Requirements
On the network shown in Figure 10-7, to allow the IPv6 user to go online, configure PPPoE
access. The requirements are as follows:
l The subscriber belongs to domain isp5 and uses PPPoE to go online through GE 0/1/2.1
on the Router.
l RADIUS authentication and accounting are used.
l The IP address of the RADIUS server is 3001:0410::1:1. The authentication port number
is 1645, and the accounting port number is 1646. RADIUS+1.1 is used, with the
shared key hello.
l The DNS server address is 3001:0410::1:2.


Figure 10-7 Networking for configuring PPPoE for IPv6 users
NOTE
Interfaces 1 and 2 in this example are GE0/1/1 and GE0/1/2.1, respectively.
(Figure: subscriber1@isp5 on the access network connects to interface2 of the Device;
interface1 (2011::1/64) connects to the Internet, the DNS server 3001:0410::1:2 and the
RADIUS server 3001:0410::1:1.)

Configuration Roadmap
1. Configure a VT.
2. Configure AAA schemes.
3. Configure a RADIUS server group.
4. Configure a local IPv6 prefix pool.
5. Configure a local IPv6 address pool and bind the address pool to the prefix pool.
6. Configure an AAA domain and bind it to the IPv6 address pool.
7. Configure interfaces.

Data Preparation
l VT number
l Authentication and accounting schemes and their names
l RADIUS server group name and server address
l Start and end VLAN IDs of GE 0/1/2.1
l Local prefix pool name
l Assignable IPv6 prefixes and prefix lengths
l Local address pool name
l Domain name

Procedure
Step 1 Configure a VT.
<HUAWEI> system-view
[~HUAWEI] interface virtual-template 5
[*HUAWEI-Virtual-Template5] ppp authentication-mode chap
[*HUAWEI-Virtual-Template5] quit


[*HUAWEI] commit

Step 2 Configure AAA schemes.


# Configure an authentication scheme.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth5
[*HUAWEI-aaa-authen-auth5] authentication-mode radius
[*HUAWEI-aaa-authen-auth5] quit
[*HUAWEI-aaa] commit
# Configure an accounting scheme.
[~HUAWEI-aaa] accounting-scheme acct5
[*HUAWEI-aaa-accounting-acct5] accounting-mode radius
[*HUAWEI-aaa-accounting-acct5] quit
[*HUAWEI-aaa] quit
[*HUAWEI] commit

Step 3 Configure a RADIUS server group.


[~HUAWEI] radius-server group rd5
[*HUAWEI-radius-rd5] radius-server authentication 3001:0410::1:1 1645
[*HUAWEI-radius-rd5] radius-server accounting 3001:0410::1:1 1646
[*HUAWEI-radius-rd5] radius-server type standard
[*HUAWEI-radius-rd5] radius-server shared-key-cipher hello
[*HUAWEI-radius-rd5] quit
[*HUAWEI] commit

Step 4 Configure a local IPv6 prefix pool.


[~HUAWEI] ipv6 prefix pre1 local
[*HUAWEI-ipv6-prefix-pre1] prefix 2010:2021::/64
[*HUAWEI-ipv6-prefix-pre1] quit
[*HUAWEI] commit

Step 5 Configure a user-side local IPv6 address pool.


[~HUAWEI] ipv6 pool pool1 bas local
[*HUAWEI-ipv6-pool-pool1] prefix pre1
[*HUAWEI-ipv6-pool-pool1] dns-server 3001:0410::1:2
[*HUAWEI-ipv6-pool-pool1] quit
[*HUAWEI] commit

Step 6 Configure a domain named isp5.


[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp5
[*HUAWEI-aaa-domain-isp5] authentication-scheme auth5
[*HUAWEI-aaa-domain-isp5] accounting-scheme acct5
[*HUAWEI-aaa-domain-isp5] radius-server group rd5
[*HUAWEI-aaa-domain-isp5] commit
[~HUAWEI-aaa-domain-isp5] ipv6-pool pool1
[*HUAWEI-aaa-domain-isp5] commit
[~HUAWEI-aaa-domain-isp5] quit
[~HUAWEI-aaa] quit
[~HUAWEI] commit

Step 7 Configure interfaces.

# Bind the VT to GE 0/1/2.1.
[~HUAWEI] interface gigabitethernet 0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] pppoe-server bind virtual-template 5
[*HUAWEI-GigabitEthernet0/1/2.1] commit

# Configure GE 0/1/2.1 as a BAS interface.
[~HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 100
[*HUAWEI-GigabitEthernet0/1/2.1-vlan-1-100] quit
[*HUAWEI-GigabitEthernet0/1/2.1] bas
[*HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber default-domain
authentication isp5
[*HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method-ipv6 ppp
[*HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[*HUAWEI-GigabitEthernet0/1/2.1] commit

# Enable IPv6 on GE 0/1/2.1.
[~HUAWEI-GigabitEthernet0/1/2.1] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/2.1] ipv6 address auto link-local
[*HUAWEI-GigabitEthernet0/1/2.1] quit
[*HUAWEI] commit

# Configure the network-side interface.
[~HUAWEI] interface gigabitethernet 0/1/1
[*HUAWEI-GigabitEthernet0/1/1] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/1] ipv6 address auto link-local
[*HUAWEI-GigabitEthernet0/1/1] ipv6 address 2011::1/64
[*HUAWEI-GigabitEthernet0/1/1] quit
[*HUAWEI] commit

Step 8 Verify the configuration.


# Check information about the prefix pool named pre1. The command output shows that the
prefix pool is a local prefix pool and the prefix address is 2010:2021::/64.
<HUAWEI> display ipv6 prefix pre1
-------------------------------------------------------------
Prefix Name : pre1
Prefix Index : 4
Prefix constant index: -
Prefix Type : LOCAL
Prefix Address : 2010:2021::
Prefix Length : 64
Reserved Type : NONE
Valid Lifetime : 3 Days 0 Hours 0 Minutes
Preferred Lifetime: 2 Days 0 Hours 0 Minutes
IfLocked : Unlocked
Vpn instance : -
Conflict address : -
Free Prefix Count : 262144
Used Prefix Count : 0
Reserved Prefix Count: 0
-------------------------------------------------------------

# Check information about the address pool named pool1. The command output shows that
the address pool is a user-side local address pool and it is bound to the local prefix pool
named pre1.
<HUAWEI> display ipv6 pool pool1
----------------------------------------------------------------------
Pool name : pool1
Pool No : 4
Pool-constant-index :-
Pool type : BAS LOCAL
Preference : 0
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : 0 Days 0 Hours 0 Minutes
Used by domain : 1
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : 3001:0410::1:2
Dns server slave : -
AFTR name : -
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------


pre1 LOCAL
----------------------------------------------------------------------

# Check information about the domain named isp5. The command output shows that the
domain is bound to the IPv6 address pool named pool1.
<HUAWEI> display domain isp5
------------------------------------------------------------------------------
Domain-name : isp5
Domain-state : Active
Authentication-scheme-name : auth5
Accounting-scheme-name : acct5
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
RADIUS-server-template : rd5
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IPv6-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IPv6-Pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
------------------------------------------------------------------------------

----End


Configuration Files
#
sysname HUAWEI
#
ipv6
#
radius-server group rd5
radius-server authentication 3001:0410::1:1 1645 weight 0
radius-server accounting 3001:0410::1:1 1646 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
interface Virtual-Template5
ppp authentication-mode chap
#
ipv6 prefix pre1 local
prefix 2010:2021::/64
#
ipv6 pool pool1 bas local
prefix pre1
dns-server 3001:0410::1:2
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme auth5
authentication-mode radius
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme acct5
accounting-mode radius
#
domain isp5
authentication-scheme auth5
accounting-scheme acct5
ipv6-pool pool1
radius-server group rd5
#
#
interface GigabitEthernet0/1/2.1
pppoe-server bind Virtual-Template 5
user-vlan 1 100
ipv6 enable
ipv6 address auto link-local
bas
access-type layer2-subscriber default-domain authentication isp5
authentication-method-ipv6 ppp
#
interface GigabitEthernet0/1/1
ipv6 enable
ipv6 address 2011::1/64
ipv6 address auto link-local
#
return

10.9.3 Example for Configuring PPPoE Access for IPv4/IPv6 Dual-Stack Users
This section provides an example for configuring PPPoE access for IPv4/IPv6 dual-stack
users.

Networking Requirements
On the network in Figure 10-8, to allow the IPv4/IPv6 dual-stack user to go online, configure
PPPoE access. The requirements are as follows:


l The subscriber belongs to domain isp5 and uses PPPoE to go online through GE 0/1/2 on
the Device.
l RADIUS authentication and accounting are used.
l The IP address of the RADIUS server is 10.6.55.55. The authentication port number is
1645, and the accounting port number is 1646. The standard RADIUS protocol is used,
with the shared key hello.
l The IP addresses of the two DNS servers are 3001:0410::1:2 and 10.10.10.1,
respectively.

Figure 10-8 Networking for configuring PPPoE access for IPv4/IPv6 dual-stack users
NOTE
Interfaces 1 and 2 in this example are GE0/1/1 and GE0/1/2, respectively.
(Figure: the dual-stack subscriber@isp5 on the access network connects to interface2 of the
Device; interface1 (2011::1/64) connects to the Internet, the DNS servers 3001:0410::1:2 and
10.10.10.1, and the RADIUS server 10.6.55.55.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VT.
2. Configure AAA schemes.
3. Configure a RADIUS server group.
4. Configure a local IPv4 address pool.
5. Configure a local IPv6 prefix pool.
6. Configure a local IPv6 address pool and bind the prefix pool to the address pool.
7. Configure an AAA domain and bind the IPv4 and IPv6 address pools to the domain.
8. Configure interfaces.

Data Preparation
To complete the configuration, you need the following data:
l VT number
l Authentication scheme name and authentication mode
l Accounting scheme name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS authentication server and accounting server
l Local IPv4 address pool name, gateway address, and address range
l Local IPv6 prefix pool name, and the assignable IPv6 prefix and prefix length
l Local IPv6 address pool name
l Domain name

Procedure
Step 1 Configure a VT.
<HUAWEI> system-view
[~HUAWEI] interface virtual-template 5
[*HUAWEI-Virtual-Template5] ppp authentication-mode chap
[*HUAWEI-Virtual-Template5] quit
[*HUAWEI] commit

Step 2 Configure AAA schemes.
# Configure an authentication scheme.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth5
[*HUAWEI-aaa-authen-auth5] authentication-mode radius
[*HUAWEI-aaa-authen-auth5] quit
[*HUAWEI-aaa] commit
# Configure an accounting scheme.
[~HUAWEI-aaa] accounting-scheme acct5
[*HUAWEI-aaa-accounting-acct5] accounting-mode radius
[*HUAWEI-aaa-accounting-acct5] quit
[*HUAWEI-aaa] quit
[*HUAWEI] commit

Step 3 Configure a RADIUS server group.
[~HUAWEI] radius-server group rd5
[*HUAWEI-radius-rd5] radius-server authentication 10.6.55.55 1645
[*HUAWEI-radius-rd5] radius-server accounting 10.6.55.55 1646
[*HUAWEI-radius-rd5] radius-server type standard
[*HUAWEI-radius-rd5] radius-server shared-key-cipher hello
[*HUAWEI-radius-rd5] quit
[*HUAWEI] commit
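What the two settings above (ppp authentication-mode chap on the VT, authentication-mode radius in the scheme, and the shared key of the RADIUS server group) mean on the wire is easy to lose in the CLI. The following is an added example, not code from the Huawei guide or from Huawei: it builds the Access-Request a BRAS sends for a CHAP and for a PAP user, verifies it the way the RADIUS server does, and checks the server's Response Authenticator the way the BRAS must. The shared key hello and the server 10.6.55.55:1645 come from this example; the user name, password, CHAP identifier, challenge and request authenticator are constructed demo values (a real BRAS draws the last three at random per request).

```python
"""Added example, not from the Huawei guide: the RADIUS exchange behind
`ppp authentication-mode chap|pap` + `authentication-mode radius`.
Shared key "hello" is the page's; user, password, CHAP id, challenge and
request authenticator are constructed demo values (random in practice)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60
SHARED_KEY = b"hello"                        # radius-server shared-key-cipher hello
USER, PASSWORD = b"user1@isp5", b"s3cret"    # constructed subscriber credentials
REQ_AUTH = bytes(range(16))                  # constructed; must be random in practice
CHALLENGE = b"\xaa" * 16                     # constructed CHAP challenge sent by the BRAS

def avp(attr: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value(<=253)."""
    assert len(value) <= 253
    return struct.pack("!BB", attr, len(value) + 2) + value

def parse_avps(body: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(body):
        attr_type, length = body[i], body[i + 1]
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs

def chap_hash(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: PAP password XORed with an MD5(secret || previous block) stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_user_password: the shared key alone recovers a PAP password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(ident: int, req_auth: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def bras_chap_request(chap_id: int) -> bytes:
    """ppp authentication-mode chap: only a hash of the password crosses the wire."""
    return access_request(chap_id, REQ_AUTH, [
        avp(USER_NAME, USER),
        avp(CHAP_PASSWORD, bytes([chap_id]) + chap_hash(chap_id, PASSWORD, CHALLENGE)),
        avp(CHAP_CHALLENGE, CHALLENGE)])

def bras_pap_request(ident: int) -> bytes:
    """ppp authentication-mode pap: the password itself, hidden only by the shared key."""
    return access_request(ident, REQ_AUTH, [
        avp(USER_NAME, USER),
        avp(USER_PASSWORD, hide_user_password(PASSWORD, SHARED_KEY, REQ_AUTH))])

def server_reply(request: bytes, stored_password: bytes, secret: bytes) -> bytes:
    """RADIUS server: verify the credential, then answer with a signed Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("malformed Access-Request")
    req_auth, attrs = request[4:20], parse_avps(request[20:])
    if CHAP_PASSWORD in attrs:
        chap_id, response = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
        challenge = attrs.get(CHAP_CHALLENGE, req_auth)   # RFC 2865 5.3 fallback
        ok = hmac.compare_digest(response, chap_hash(chap_id, stored_password, challenge))
    else:
        ok = hmac.compare_digest(
            reveal_user_password(attrs[USER_PASSWORD], secret, req_auth), stored_password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)   # no attributes in this demo reply
    # RFC 2865 3: ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def bras_accepts(request: bytes, reply: bytes, secret: bytes) -> bool:
    """BRAS: trust the reply only if its Response Authenticator verifies under the shared key."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected) and code == ACCESS_ACCEPT

if __name__ == "__main__":
    for name, req in (("CHAP", bras_chap_request(7)), ("PAP", bras_pap_request(8))):
        print(name, "accepted:", bras_accepts(req, server_reply(req, PASSWORD, SHARED_KEY), SHARED_KEY))
    print("PAP password from the shared key alone:", reveal_user_password(
        parse_avps(bras_pap_request(8)[20:])[USER_PASSWORD], SHARED_KEY, REQ_AUTH))
```

Two things the model makes visible: with CHAP the RADIUS server needs the cleartext password on its side but nothing reusable crosses the BRAS-to-server path, whereas with PAP anyone holding the shared key (or a weak one that can be guessed from a capture) recovers every user password, which is why the examples on this page keep the VT on chap and store the key with shared-key-cipher; and a reply whose Response Authenticator does not verify under the shared key must be dropped, since the ID and the request authenticator are the only binding between request and answer.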

Step 4 Configure a user-side local IPv4 address pool.


[~HUAWEI] ip pool pool2 bas local
[*HUAWEI-ip-pool-pool2] gateway 10.10.10.2 255.255.255.0
[*HUAWEI-ip-pool-pool2] section 0 10.10.10.3 10.10.10.100
[*HUAWEI-ip-pool-pool2] dns-server 10.10.10.1
[*HUAWEI-ip-pool-pool2] quit
[*HUAWEI] commit

Step 5 Configure a local IPv6 prefix pool.


[~HUAWEI] ipv6 prefix pre1 local
[*HUAWEI-ipv6-prefix-pre1] prefix 2010:2021::/64
[*HUAWEI-ipv6-prefix-pre1] quit
[*HUAWEI] commit

Step 6 Configure a user-side local IPv6 address pool and bind the prefix pool to it.
[~HUAWEI] ipv6 pool pool1 bas local
[*HUAWEI-ipv6-pool-pool1] prefix pre1
[*HUAWEI-ipv6-pool-pool1] dns-server 3001:0410::1:2
[*HUAWEI-ipv6-pool-pool1] quit
[*HUAWEI] commit

Step 7 Configure a domain named isp5.


[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp5
[*HUAWEI-aaa-domain-isp5] authentication-scheme auth5
[*HUAWEI-aaa-domain-isp5] accounting-scheme acct5
[*HUAWEI-aaa-domain-isp5] radius-server group rd5
[*HUAWEI-aaa-domain-isp5] ipv6-pool pool1
[*HUAWEI-aaa-domain-isp5] ip-pool pool2
[*HUAWEI-aaa-domain-isp5] quit
[*HUAWEI-aaa] quit
[*HUAWEI] commit

Step 8 Configure interfaces.
# Bind the VT to the user-side sub-interface and enable IPv6 on it.
[~HUAWEI] interface gigabitethernet 0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] pppoe-server bind virtual-template 5
[*HUAWEI-GigabitEthernet0/1/2.1] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/2.1] ipv6 address auto link-local
[*HUAWEI-GigabitEthernet0/1/2.1] commit
# Configure the user-side sub-interface as a BAS interface.
[~HUAWEI-GigabitEthernet0/1/2.1] bas
[*HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber default-domain authentication isp5
[*HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[*HUAWEI-GigabitEthernet0/1/2.1] quit
[*HUAWEI] commit
# Configure the network-side interface.
[~HUAWEI] interface GigabitEthernet 0/1/1
[~HUAWEI-GigabitEthernet0/1/1] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/1] ipv6 address auto link-local
[*HUAWEI-GigabitEthernet0/1/1] ipv6 address 2011::1/64 eui-64
[*HUAWEI-GigabitEthernet0/1/1] quit
[*HUAWEI] commit

Step 9 Verify the configuration.


# Check information about the address pool named pool2. The command output shows that
the gateway address is 10.10.10.2, the addresses in the pool range from 10.10.10.3 to
10.10.10.100, and the DNS server address is 10.10.10.1.
<HUAWEI> display ip pool name pool2
Pool-Name : pool2
Pool-No : 0 Pool-constant-index :-
Lease : 3 Days 0 Hours 0 Minutes
NetBois Type : N-Node
DNS-Suffix : -

DNS1 :10.10.10.1
Position : Local Status : Unlocked
Gateway : 10.10.10.2 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT(conflicted)
---------------------------------------------------------------------------
ID start end total used idle CFLCT disable reserved
---------------------------------------------------------------------------
0 10.10.10.3 10.10.10.100 98 0 98 0 0 0
---------------------------------------------------------------------------

# Check information about the prefix pool named pre1. The command output shows that the
prefix pool is a local prefix pool and the prefix address is 2010:2021::/64.
<HUAWEI> display ipv6 prefix pre1

-------------------------------------------------------------
Prefix Name : pre1
Prefix Index : 4
Prefix constant index: -
Prefix Type : LOCAL
Prefix Address : 2010:2021::
Prefix Length : 64
Reserved Type : NONE
Valid Lifetime : 3 Days 0 Hours 0 Minutes
Preferred Lifetime: 2 Days 0 Hours 0 Minutes
IfLocked : Unlocked
Vpn instance : -
Conflict address : -
Free Prefix Count : 262144
Used Prefix Count : 0
Reserved Prefix Count: 0
-------------------------------------------------------------

# Check information about the address pool named pool1. The command output shows that
the address pool is a user-side local address pool and it is bound to the local prefix pool
named pre1.
<HUAWEI> display ipv6 pool pool1
----------------------------------------------------------------------
Pool name : pool1
Pool No : 4 Pool-constant-index :-
Pool type : BAS LOCAL
Preference : 0
Renew time : 50
Rebind time : 80
Status : UNLOCKED
Refresh interval : 0 Days 0 Hours 0 Minutes
Used by domain : 1
Dhcpv6 Unicast : disable
Dhcpv6 rapid-commit: disable
Dns list : -
Dns server master : -
Dns server slave : -
AFTR name : -
----------------------------------------------------------------------
Prefix-Name Prefix-Type
----------------------------------------------------------------------
pre1 LOCAL
----------------------------------------------------------------------

# Check information about the domain named isp5. The command output shows that the IPv6
address pool named pool1 and the IPv4 address pool named pool2 are bound to the domain.
<HUAWEI> display domain isp5
------------------------------------------------------------------------------
Domain-name : isp5
Domain-state : Active
Authentication-scheme-name : auth5
Accounting-scheme-name : acct5
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : rd5
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IPv6-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IP-address-pool-name : pool2
IPv6-Pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
------------------------------------------------------------------------------

----End

Configuration Files
#
sysname HUAWEI
#
radius-server group rd5
radius-server authentication 10.6.55.55 1645 weight 0
radius-server accounting 10.6.55.55 1646 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
interface Virtual-Template5
ppp authentication-mode chap
#
ip pool pool2 bas local
gateway 10.10.10.2 255.255.255.0
section 0 10.10.10.3 10.10.10.100
dns-server 10.10.10.1
#
ipv6 prefix pre1 local
prefix 2010:2021::/64
#
ipv6 pool pool1 bas local
prefix pre1
dns-server 3001:0410::1:2
#
aaa
authentication-scheme default0
authentication-scheme default1
authentication-scheme auth5
authentication-mode radius
#
accounting-scheme default0
accounting-scheme default1
accounting-scheme acct5
accounting-mode radius
#
domain isp5
authentication-scheme auth5
accounting-scheme acct5
ip-pool pool2
ipv6-pool pool1
radius-server group rd5
#
#
interface GigabitEthernet0/1/2.1
pppoe-server bind Virtual-Template 5
ipv6 enable
ipv6 address auto link-local
bas
access-type layer2-subscriber default-domain authentication isp5
#
interface GigabitEthernet0/1/1
ipv6 enable
ipv6 address 2011::1/64 eui-64
ipv6 address auto link-local
#
return
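A dual-stack PPPoE user only comes online if every cross-reference in a configuration file like the one above resolves: the BAS interface names a domain, the domain names schemes, a RADIUS server group and an IPv4 and an IPv6 pool, the IPv6 pool names a prefix pool, and the sub-interface names a VT. The following is an added example, not code from the Huawei guide or from Huawei: a small checker that parses a configuration file in this format, resolves those references, and also flags two settings a reviewer would question (PAP on the VT, a RADIUS key stored with shared-key instead of shared-key-cipher). Both configurations it runs on are constructed for the example; GOOD mirrors the dual-stack setup of this section and BROKEN reintroduces three easy slips.

```python
"""Added example, not from the Huawei guide: resolves the cross-references a PPPoE
user depends on in a configuration file of the form printed above (BAS interface ->
domain -> schemes, RADIUS group, pools -> prefix pool; interface -> VT) and flags two
settings a reviewer would question. Both configurations here are constructed."""

GOOD = """\
#
radius-server group rd5
 radius-server shared-key-cipher %^%#constructed-cipher-text%^%#
#
interface Virtual-Template5
 ppp authentication-mode chap
#
ip pool pool2 bas local
 gateway 10.10.10.2 255.255.255.0
 section 0 10.10.10.3 10.10.10.100
#
ipv6 prefix pre1 local
 prefix 2010:2021::/64
#
ipv6 pool pool1 bas local
 prefix pre1
#
aaa
 authentication-scheme auth5
  authentication-mode radius
 accounting-scheme acct5
  accounting-mode radius
 domain isp5
  authentication-scheme auth5
  accounting-scheme acct5
  ip-pool pool2
  ipv6-pool pool1
  radius-server group rd5
#
interface GigabitEthernet0/1/2.1
 pppoe-server bind Virtual-Template 5
 bas
  access-type layer2-subscriber default-domain authentication isp5
#
"""
# Constructed variant with three slips: IPv4 pool defined under another name, PAP, plaintext key.
BROKEN = (GOOD.replace("ip pool pool2", "ip pool pool1")
          .replace("authentication-mode chap", "authentication-mode pap")
          .replace("shared-key-cipher %^%#constructed-cipher-text%^%#", "shared-key hello"))


def lint(config: str) -> list:
    """Return human-readable findings; an empty list means every reference resolves."""
    defs = {k: set() for k in ("scheme", "acct", "radius", "vt", "ip_pool", "ipv6_pool", "prefix", "domain")}
    refs, findings, top, sub = [], [], None, None   # refs: (kind, name, where referenced)
    for raw in config.splitlines():
        line, w = raw.strip(), raw.split()
        if line == "#":                                # block separator
            top = sub = None
        elif line.startswith("radius-server group "):  # definition, or reference inside a domain
            if sub: refs.append(("radius", w[2], f"domain {sub}"))
            else: top = ("radius", w[2]); defs["radius"].add(w[2])
        elif line.startswith("radius-server shared-key ") and top and top[0] == "radius":
            findings.append(f"radius-server group {top[1]}: plaintext shared key; use shared-key-cipher")
        elif line.startswith("interface Virtual-Template"):
            top = ("vt", line.split("Virtual-Template")[1].strip()); defs["vt"].add(top[1])
        elif line == "ppp authentication-mode pap" and top and top[0] == "vt":
            findings.append(f"Virtual-Template{top[1]}: PAP carries the PPP password in clear; prefer chap")
        elif line.startswith("ip pool "):
            top = ("ip_pool", w[2]); defs["ip_pool"].add(w[2])
        elif line.startswith("ipv6 prefix "):
            top = ("prefix", w[2]); defs["prefix"].add(w[2])
        elif line.startswith("ipv6 pool "):
            top = ("ipv6_pool", w[2]); defs["ipv6_pool"].add(w[2])
        elif line.startswith("prefix ") and top and top[0] == "ipv6_pool":
            refs.append(("prefix", w[1], f"ipv6 pool {top[1]}"))
        elif line == "aaa":
            top = ("aaa", None)
        elif line.startswith("domain ") and top and top[0] == "aaa":
            sub = w[1]; defs["domain"].add(sub)
        elif line.startswith(("authentication-scheme ", "accounting-scheme ")):
            kind = "scheme" if w[0].startswith("authen") else "acct"
            if sub: refs.append((kind, w[1], f"domain {sub}"))
            else: defs[kind].add(w[1])
        elif line.startswith(("ip-pool ", "ipv6-pool ")) and sub:
            refs.append((w[0].replace("-", "_"), w[1], f"domain {sub}"))
        elif line.startswith("interface "):
            top = ("if", w[1])
        elif line.startswith("pppoe-server bind Virtual-Template") and top and top[0] == "if":
            refs.append(("vt", line.split("Virtual-Template")[1].strip(), f"interface {top[1]}"))
        elif "default-domain authentication " in line and top and top[0] == "if":
            domain = line.split("default-domain authentication ")[1].split()[0]
            refs.append(("domain", domain, f"interface {top[1]}"))
    for kind, name, where in refs:
        if name not in defs[kind]:
            findings.append(f"{where}: references undefined {kind.replace('_', ' ')} '{name}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BROKEN", BROKEN)):
        print(name, "->", lint(cfg) or "no findings")
```

Run against a file saved from display current-configuration, the checker reports the pool-name mismatch and the PAP VT before a subscriber test does, which matters because a dangling ip-pool reference produces an authenticated user with no address rather than an obvious error.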

10.9.4 Example for Connecting BRAS Users to the Internet Through VLL
Networking Requirements
As shown in Figure 10-9, PE1, P, and PE2 form a VLL in Martini mode. The Router functions as PE2, which is the BRAS. Users of the BRAS connect to the Internet through the VLL. Two virtual Ethernet (VE) interfaces, VE5/0/0 and VE5/0/1, are created on the Router and bound to the same VE group. VE5/0/0 terminates the VLL (its sub-interface VE5/0/0.1 carries the L2VC), and sub-interface VE5/0/1.1 of VE5/0/1 functions as the BAS interface that authenticates users. The requirements are as follows:
l The user belongs to domain isp1 and connects to the Internet through VE5/0/1.1 in PPPoE over QinQ mode (user-vlan 1 2 qinq 100).
l The user obtains an IP address from address pool pool1. The address segment in the address pool is 172.82.1.2-172.82.1.200.
l RADIUS authentication and RADIUS accounting are adopted. The IP address of the RADIUS server is 192.168.7.249, and the ports for authentication and accounting are 1812 and 1813 respectively. The protocol is RADIUS+1.1 and the shared key is itellin.
l The IP address of the DNS server is 192.168.7.252.
l The authentication scheme is auth1 and the accounting scheme is acct1.

Figure 10-9 Networking for connecting BRAS users to the Internet through VLL
[Figure: User -- Switch -- PE1 (GE5/0/0 toward the switch; GE1/0/0 10.1.1.1/24; LoopBack1 1.1.1.9/32) -- P (GE1/0/0 10.1.1.2/24; GE2/0/0 10.2.1.1/24; LoopBack1 2.2.2.9/32) -- PE2, the BAS (GE5/0/0 10.2.1.2/24; VE5/0/0 terminates the Martini VLL; VE5/0/1.1 is the BAS interface; GE1/0/0 2.1.1.2/24 toward the Internet; LoopBack1 3.3.3.9/32)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the VE interface for terminating the VLL packets and the VE interface for
accessing the Internet on the Router. Bind the two VE interfaces to a VE-Group.
2. Configure the VLL.
3. Enable VLL access.
4. Configure the BRAS access service and configure VE5/0/1.1 as the BAS interface.

Data Preparation
To complete the configuration, you need the following data:
l VE-Group number
l MPLS LSR IDs of the PE and P routers, namely, the IP addresses of their Loopback1
interfaces

Configuration Procedure
1. Create two VE interfaces on PE2 and bind them to a VE group.
# Create interface VE5/0/0 to terminate the MPLS L2VPN packets.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[*PE2] commit
[~PE2] interface virtual-ethernet5/0/0
[*PE2-Virtual-Ethernet5/0/0] ve-group 1 l2-terminate
[*PE2-Virtual-Ethernet5/0/0] quit
[*PE2] commit

# Create interface VE5/0/1 to access the Internet.


[~PE2] interface virtual-ethernet5/0/1
[*PE2-Virtual-Ethernet5/0/1] ve-group 1 l3-access
[*PE2-Virtual-Ethernet5/0/1] quit
[*PE2] commit

2. Configure the VLL.


# Configure the IGP protocol on the VLL backbone. The OSPF protocol is used in this
example.
Configure OSPF on the interfaces of the PE and the P. The 32-bit loopback addresses of
PE1, P, and PE2 should be advertised.
For configuration details, see "Configuration Files" in this section.
# Configure the basic MPLS capability and LDP on the MPLS backbone.
– Configure PE1.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[*PE1] commit
[~PE1] mpls lsr-id 1.1.1.9
[*PE1] mpls
[*PE1-mpls] quit
[*PE1] mpls ldp
[*PE1-mpls-ldp] quit
[*PE1] commit
[~PE1] interface gigabitethernet1/0/0
[*PE1-GigabitEthernet1/0/0] mpls
[*PE1-GigabitEthernet1/0/0] mpls ldp
[*PE1-GigabitEthernet1/0/0] undo shutdown
[*PE1-GigabitEthernet1/0/0] quit
[*PE1] commit
[~PE1] quit

– Configure P.
<HUAWEI> system-view
[~HUAWEI] sysname P
[*P] commit
[~P] mpls lsr-id 2.2.2.9
[*P] mpls
[*P-mpls] quit
[*P] commit
[~P] mpls ldp
[*P-mpls-ldp] quit
[*P] interface gigabitethernet1/0/0
[*P-GigabitEthernet1/0/0] mpls
[*P-GigabitEthernet1/0/0] mpls ldp
[*P-GigabitEthernet1/0/0] undo shutdown
[*P-GigabitEthernet1/0/0] quit
[*P] commit
[~P] interface gigabitethernet2/0/0
[*P-GigabitEthernet2/0/0] mpls
[*P-GigabitEthernet2/0/0] mpls ldp
[*P-GigabitEthernet2/0/0] undo shutdown
[*P-GigabitEthernet2/0/0] quit
[*P] commit
[~P] quit

– Configure PE2.
[~PE2] mpls lsr-id 3.3.3.9
[*PE2] mpls
[*PE2-mpls] quit
[*PE2] commit
[~PE2] mpls ldp
[*PE2-mpls-ldp] quit
[*PE2] commit
[~PE2] interface gigabitethernet5/0/0
[*PE2-GigabitEthernet5/0/0] mpls
[*PE2-GigabitEthernet5/0/0] mpls ldp
[*PE2-GigabitEthernet5/0/0] undo shutdown
[*PE2-GigabitEthernet5/0/0] quit
[*PE2] commit
[~PE2] quit

# Set up a remote LDP session between the PE routers.


– Configure PE1.
[~PE1] mpls ldp remote-peer pe2
[*PE1-mpls-ldp-remote-1] remote-ip 3.3.3.9
[*PE1-mpls-ldp-remote-1] quit
[*PE1] commit
[~PE1] quit

– Configure PE2.
[~PE2] mpls ldp remote-peer pe1
[*PE2-mpls-ldp-remote-1] remote-ip 1.1.1.9
[*PE2-mpls-ldp-remote-1] quit
[*PE2] commit
[~PE2] quit

# Enable MPLS L2VPN on the PEs and create the Martini (LDP-signaled) L2VC.


– On PE1, create an L2VC on GigabitEthernet5/0/0.1, the sub-interface that faces the switch and the user.
[~PE1] mpls l2vpn
[*PE1-l2vpn] quit
[*PE1] commit
[~PE1] interface gigabitethernet 5/0/0.1
[*PE1-GigabitEthernet5/0/0.1] vlan-type dot1q 1
[*PE1-GigabitEthernet5/0/0.1] mpls l2vc 3.3.3.9 101
[*PE1-GigabitEthernet5/0/0.1] undo shutdown
[*PE1-GigabitEthernet5/0/0.1] quit
[*PE1] commit
[~PE1] quit

– On PE2, create an L2VC on VE5/0/0.1.


[~PE2] mpls l2vpn
[*PE2-l2vpn] quit
[*PE2] commit
[~PE2] interface virtual-ethernet5/0/0.1
[*PE2-Virtual-Ethernet5/0/0.1] vlan-type dot1q 1
[*PE2-Virtual-Ethernet5/0/0.1] mpls l2vc 1.1.1.9 101
[*PE2-Virtual-Ethernet5/0/0.1] quit
[*PE2] commit
[~PE2] quit

# Verify the configuration.


View the L2VPN connection information on the PEs; the L2VC is set up and in the Up state. PE2 is used as an example.
[~PE2] display mpls l2vc
Total ldp vc : 1 1 up 0 down
*Client Interface : Virtual-Ethernet5/0/0.1
Session State : up
AC Status : up
VC State : up
VC ID : 101
VC Type : ethernet
Destination : 1.1.1.9
Local VC Label : 1025
Remote VC Label : 1024
Control Word : Disable
Local VC MTU : 1500
Remote VC MTU : 1500
Tunnel Policy Name : --
Traffic Behavior Name: --
PW Template Name : --
Create time : 0 days, 0 hours, 3 minutes, 14 seconds
UP time : 0 days, 0 hours, 1 minutes, 48 seconds
Last change time : 0 days, 0 hours, 1 minutes, 48 seconds

3. Configure the BRAS access service. Configure VE5/0/1.1 as the BAS interface so that users connect to the Internet through it.
# Configure a virtual template interface.
[~PE2] interface virtual-template 1
[*PE2-Virtual-Template1] ppp authentication-mode chap
[*PE2-Virtual-Template1] quit
[*PE2] commit

# Configure the authentication scheme.


[~PE2] aaa
[~PE2-aaa] authentication-scheme auth1
[*PE2-aaa-authen-auth1] authentication-mode radius
[*PE2-aaa-authen-auth1] quit
[*PE2] commit

# Configure the accounting scheme.


[~PE2-aaa] accounting-scheme acct1
[*PE2-aaa-accounting-acct1] accounting-mode radius
[*PE2-aaa-accounting-acct1] quit
[*PE2-aaa] quit
[*PE2] commit

# Configure the RADIUS server group.


[~PE2] radius-server group rd1
[*PE2-radius-rd1] radius-server authentication 192.168.7.249 1812
[*PE2-radius-rd1] radius-server accounting 192.168.7.249 1813
[*PE2-radius-rd1] radius-server type plus11
[*PE2-radius-rd1] radius-server shared-key itellin
[*PE2-radius-rd1] quit
[*PE2] commit

# Configure the address pool.


[~PE2] ip pool pool1 bas local
[*PE2-ip-pool-pool1] gateway 172.82.1.1 255.255.255.0
[*PE2-ip-pool-pool1] section 0 172.82.1.2 172.82.1.200
[*PE2-ip-pool-pool1] dns-server 192.168.7.252
[*PE2-ip-pool-pool1] quit
[*PE2] commit

# Configure domain isp1.


[~PE2] aaa
[~PE2-aaa] domain isp1
[*PE2-aaa-domain-isp1] authentication-scheme auth1
[*PE2-aaa-domain-isp1] accounting-scheme acct1
[*PE2-aaa-domain-isp1] radius-server group rd1
[*PE2-aaa-domain-isp1] quit
[*PE2] commit

# Bind the VT to VE5/0/1.


[~PE2] interface virtual-ethernet5/0/1
[*PE2-Virtual-Ethernet5/0/1] pppoe-server bind virtual-template 1
[*PE2-Virtual-Ethernet5/0/1] quit
[*PE2] commit

# Configure the BAS interface.


[~PE2] interface virtual-ethernet5/0/1.1
[*PE2-Virtual-Ethernet5/0/1.1] user-vlan 1 2 qinq 100
[*PE2-Virtual-Ethernet5/0/1.1-vlan-1-2-QinQ-100] quit
[*PE2-Virtual-Ethernet5/0/1.1] commit
[~PE2-Virtual-Ethernet5/0/1.1] bas
[*PE2-Virtual-Ethernet5/0/1.1-bas] access-type layer2-subscriber
[*PE2-Virtual-Ethernet5/0/1.1-bas] authentication-method ppp
[*PE2-Virtual-Ethernet5/0/1.1-bas] quit
[*PE2-Virtual-Ethernet5/0/1.1] commit
[~PE2-Virtual-Ethernet5/0/1.1] quit

# Configure the uplink interface.
[~PE2] interface GigabitEthernet 1/0/0
[*PE2-GigabitEthernet1/0/0] ip address 2.1.1.2 255.255.255.0
[*PE2-GigabitEthernet1/0/0] undo shutdown
[*PE2-GigabitEthernet1/0/0] quit
[*PE2] commit

Configuration Files
The following are the configuration files of the routers.
l Configuration file of PE1
#
sysname PE1
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
mpls ldp remote-peer pe2
remote-ip 3.3.3.9
#
interface GigabitEthernet5/0/0.1
vlan-type dot1q 1
mpls l2vc 3.3.3.9 101
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return

l Configuration file of P
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#

ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
l Configuration file of PE2
#
sysname PE2
#
radius-server group rd1
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server shared-key itellin
radius-server type plus11
radius-server traffic-unit kbyte
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer pe1
remote-ip 1.1.1.9
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 2.1.1.2 255.255.255.0
#
interface GigabitEthernet5/0/0
undo shutdown
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface Virtual-Ethernet5/0/0
undo shutdown
ve-group 1 l2-terminate
#
interface Virtual-Ethernet5/0/0.1
vlan-type dot1q 1
mpls l2vc 1.1.1.9 101
#
interface Virtual-Ethernet5/0/1
undo shutdown
ve-group 1 l3-access
#
interface Virtual-Ethernet5/0/1.1
undo shutdown
user-vlan 1 2 qinq 100
bas
access-type layer2-subscriber
authentication-method ppp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ip pool pool1 bas local
gateway 172.82.1.1 255.255.255.0
section 0 172.82.1.2 172.82.1.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
authentication-mode radius
accounting-scheme acct1
accounting-mode radius
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return

10.9.5 Example for Configuring Rate Limiting for PPPoEv4 Access
This section provides an example for configuring PPPoEoVLAN access for IPv4 users and limiting the rate of each user's traffic.

Networking Requirements
On the network shown in Figure 10-10, subscriber1 belongs to VLAN1, and subscriber2
belongs to VLAN2. The network-side interface on the Router is GE 0/1/1. To allow
subscriber1 and subscriber2 to use IPv4 addresses to go online, configure PPPoEoVLAN
access. The requirements are as follows:
l Subscribers belong to domain isp1 and use PPPoEoVLAN to go online through GE
0/1/2.1 on the Router. The LAN switch marks the priorities of user packets from VLAN1
and VLAN2.
l RADIUS authentication and accounting are used.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port number is 1645, and the accounting port number is 1646. RADIUS+1.1 is used, with the shared key hello.
l The IP address of the DNS server is 192.168.7.252.

Figure 10-10 Networking for configuring PPPoEoVLAN access for IPv4 users
NOTE
Interfaces 1 and 2 in this example are GE0/1/1 and GE0/1/2.1, respectively.
[Figure: subscriber1@isp1 (VLAN1) and subscriber2@isp1 (VLAN2) -- interface2 (GE0/1/2.1) Device interface1 (GE0/1/1, 192.168.7.1/24) -- Internet; DNS server 192.168.7.252; RADIUS server 192.168.7.249]

Configuration Roadmap
1. Configure a VT.
2. Configure AAA schemes.
3. Configure a RADIUS server group.
4. Configure an IPv4 address pool.
5. Configure a domain.
6. Bind the VT to a sub-interface.
7. Configure a BAS interface.

Data Preparation
l VT number
l Authentication and accounting schemes and their names
l RADIUS server group name and server address
l DNS server address
l User domain
l BAS interface parameters

Procedure
Step 1 Configure a VT.
<HUAWEI> system-view
[~HUAWEI] interface virtual-template 1
[*HUAWEI-Virtual-Template1] ppp authentication-mode chap
[*HUAWEI-Virtual-Template1] quit
[*HUAWEI] commit

Step 2 Configure an authentication scheme.


[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] quit
[*HUAWEI] commit

Step 3 Configure an accounting scheme.


[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] quit
[*HUAWEI-aaa] quit
[*HUAWEI] commit

Step 4 Configure a RADIUS server group.


[~HUAWEI] radius-server group rd1
[*HUAWEI-radius-rd1] radius-server authentication 192.168.7.249 1645
[*HUAWEI-radius-rd1] radius-server accounting 192.168.7.249 1646
[*HUAWEI-radius-rd1] radius-server type plus11
[*HUAWEI-radius-rd1] radius-server shared-key-cipher hello
[*HUAWEI-radius-rd1] quit
[*HUAWEI] commit

Step 5 Configure an address pool.
[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 10.82.0.1 255.255.255.0
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] section 0 10.82.0.2 10.82.0.200
[*HUAWEI-ip-pool-pool1] dns-server 192.168.7.252
[*HUAWEI-ip-pool-pool1] quit
[*HUAWEI] commit

Step 6 Configure a domain named isp1.


[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group rd1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] ip-pool pool1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit
[~HUAWEI] commit

Step 7 Configure user VLANs on the sub-interface and bind the VT to it.
# Configure user VLANs on GE 0/1/2.1 and bind the VT to it.
[~HUAWEI] interface gigabitethernet 0/1/2.1
[*HUAWEI-GigabitEthernet0/1/2.1] commit
[~HUAWEI-GigabitEthernet0/1/2.1] user-vlan 1 2
[*HUAWEI-GigabitEthernet0/1/2.1-vlan-1-2] quit
[*HUAWEI-GigabitEthernet0/1/2.1] pppoe-server bind virtual-template 1
[*HUAWEI-GigabitEthernet0/1/2.1] commit

Step 8 Configure a BAS interface.


[~HUAWEI-GigabitEthernet0/1/2.1] bas
[*HUAWEI-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/2.1-bas] authentication-method ppp
[*HUAWEI-GigabitEthernet0/1/2.1-bas] quit
[*HUAWEI-GigabitEthernet0/1/2.1] quit
[*HUAWEI] commit

NOTE

In this example, users go online with the domain name isp1 being carried in the user name. Therefore,
the BAS interface does not need to have any authentication domain configured. If users go online
without the domain name being carried in the user name, you must specify an authentication domain on
the BAS interface.

Step 9 Configure rate limiting for PPPoEv4 access.
# Create a QoS profile that limits each user to a CIR of 1024 kbit/s (about 1 Mbit/s) with a CBS of 1024000 bytes, and apply it in both directions on the BAS interface.
[~HUAWEI] qos-profile 1M
[*HUAWEI-qos-profile-1M] car cir 1024 cbs 1024000 green pass red discard
[*HUAWEI-qos-profile-1M] commit
[~HUAWEI-qos-profile-1M] quit
[~HUAWEI] interface gigabitethernet 0/1/2.1
[~HUAWEI-GigabitEthernet0/1/2.1] bas
[*HUAWEI-GigabitEthernet0/1/2.1-bas] qos-profile 1M inbound
[*HUAWEI-GigabitEthernet0/1/2.1-bas] qos-profile 1M outbound
[*HUAWEI-GigabitEthernet0/1/2.1-bas] commit
[~HUAWEI-GigabitEthernet0/1/2.1-bas] quit
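The car command above is a single-rate, two-colour token bucket: cir is the refill rate in kbit/s, cbs the bucket depth in bytes, and a packet is green (passed) only if the bucket still holds its size, otherwise red (discarded). The following is an added example, not code from the Huawei guide or from Huawei: a model of that bucket with the page's values, run against two constructed traffic patterns, to show how many bytes a subscriber can burst before drops begin and what happens when a user offers twice the CIR. The model refills continuously; the refill granularity and any colour-aware behaviour of the real forwarding hardware are not modelled and are an assumption here.

```python
"""Added example, not from the Huawei guide: a model of the single-rate, two-colour
CAR behind `car cir 1024 cbs 1024000 green pass red discard`. Units: cir in kbit/s,
cbs in bytes. Packet sizes and arrival times below are constructed; continuous
refill is an assumption of this model, not a statement about the hardware."""


class Car:
    """Token bucket: cir refills it, cbs caps it; a packet is green if it fits."""

    def __init__(self, cir_kbps: int, cbs_bytes: int):
        self.cbs = cbs_bytes
        self.bytes_per_s = cir_kbps * 1000 / 8   # 1024 kbit/s -> 128000 bytes/s
        self.tokens = float(cbs_bytes)           # bucket starts full
        self.last_t = 0.0

    def colour(self, t: float, size: int) -> str:
        """Refill for the time elapsed, then spend tokens (green) or discard (red)."""
        self.tokens = min(self.cbs, self.tokens + (t - self.last_t) * self.bytes_per_s)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return "green"
        return "red"


def run(car: Car, packets) -> dict:
    """packets: iterable of (arrival_seconds, size_bytes) in time order."""
    result = {"green": 0, "red": 0, "colours": []}
    for t, size in packets:
        colour = car.colour(t, size)
        result[colour] += size
        result["colours"].append(colour)
    return result


def burst(count: int, size: int = 1500):
    """Constructed: `count` packets arriving at the same instant."""
    return [(0.0, size)] * count


def stream(seconds: float, kbps: float, size: int = 1500):
    """Constructed: evenly spaced packets offered at `kbps`."""
    gap = size * 8 / (kbps * 1000)
    return [(i * gap, size) for i in range(int(seconds / gap))]


if __name__ == "__main__":
    r = run(Car(1024, 1024000), burst(1000))
    print("1.5 MB burst at t=0: passed", r["green"], "bytes, dropped", r["red"], "bytes")
    r = run(Car(1024, 1024000), stream(10, 2048))
    print("10 s at 2 Mbit/s:", r["colours"].count("green"), "green,",
          r["colours"].count("red"), "red packets")
    r = run(Car(1024, 1024000), stream(10, 1024))
    print("10 s at exactly the CIR: dropped", r["red"], "bytes")
```

With these values a user who has been idle can push about 1 MB (682 full-size frames) through before the first discard, and a user offering 2 Mbit/s sees every second packet dropped once the bucket drains. When the verification output later shows a larger cir and cbs marked (Radius), that pair was delivered by the RADIUS server at login and overrides the profile for that user.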

Step 10 Verify the configuration.


# Check information about the address pool named pool1. The command output shows that
the gateway address is 10.82.0.1, the addresses in the pool range from 10.82.0.2 to
10.82.0.200, and the DNS server address is 192.168.7.252.
<HUAWEI> display ip pool name pool1
Pool-Name : pool1
Pool-No : 0 Pool-constant-index :-
Lease : 3 Days 0 Hours 0 Minutes
NetBois Type : N-Node
DNS-Suffix : -
DNS1 :192.168.7.252
Position : Local Status : Unlocked
Gateway : 10.82.0.1 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT(conflicted)
---------------------------------------------------------------------------
ID start end total used idle CFLCT disable reserved
---------------------------------------------------------------------------
0 10.82.0.2 10.82.0.200 199 0 199 0 0 0
---------------------------------------------------------------------------

# Check information about the domain named isp1. The command output shows that the
address pool named pool1 is bound to the domain.
<HUAWEI> display domain isp1
------------------------------------------------------------------------------
Domain-name : isp1
Domain-state : Active
Authentication-scheme-name : auth1
Accounting-scheme-name : acct1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Slave Web-IP-address : -
Slave Web-URL : -
Slave Web-auth-server : -
Slave Web-auth-state : -
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : rd1
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
IPv6-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Multicast-profile ipv6 : -
IP-address-pool-name : pool1
Quota-out : Offline
Service-type : -
User-basic-service-ip-type : -/-/-
PPP-ipv6-address-protocol : Ndra
IPv6-information-protocol : Stateless dhcpv6
IPv6-PPP-assign-interfaceid : Disable
Trigger-packet-wait-delay : 60s
Peer-backup : enable
------------------------------------------------------------------------------

# Check online connection information based on a specified domain name.


<HUAWEI> display access-user domain isp1 verbose
------------------------------------------------------------------------------
Basic:

User access index :


8192

State :
Used

User name :
ceshi9

Domain name : pppoe-


bohao

User backup state :


No

RUI user state :


-

User access interface :


GigabitEthernet0/1/2.1

User access PeVlan/CeVlan :


2004/-

User access slot :


0

User MAC : 507b-9d31-


d8c2

User IP address :
10.144.254.250

User IP netmask :
255.255.255.255

User gateway address :


10.144.254.241

User Primary-DNS :
103.44.168.6

User Secondary-DNS :
103.44.168.7

User Authen IP Type :


ipv4/-/-

User Basic IP Type :


-/-/-

User access type :


PPPoE

User authentication type : PPP


authentication

Issue 01 (2018-12-05) Copyright © Huawei Technologies Co., Ltd. 460


Agent-Circuit-Id : -
Agent-Remote-Id : -
Access-line-id Information(pppoe+): -
Access start time : 2018-01-10 11:24:52
User-Group : -
Next-hop : -
Policy-route-IPV6-address : -
AAA:
RADIUS-server-template : pppoe
Server-template of second acct: -
Current authen method : RADIUS authentication
Authen result : Success
Current author method : Idle
Author result : Success
Action flag : Idle
Authen state : Authed
Author state : Idle
Configured accounting method : No accounting
Quota-out : Offline
Current accounting method : No accounting
Realtime-accounting-switch : Close
Realtime-accounting-interval(sec) : -
Realtime-accounting-send-update : No
Realtime-accounting-traffic-update : No
Accounting start time : 2018-01-10 11:24:52
Online time (h:min:sec) : 00:00:02
Accounting state : Ready
MTU : 1280
MRU : 1280
Session time limit : 86400 second(Radius)
Time remained(s) : 86398(s)
Idle-cut direction : Both
Idle-cut-data (time,rate,idle): 14400 sec, 60 kbyte/min, 0 min 0 sec(Radius)
Ipv4 Realtime speed : 104 kbyte/min
Ipv4 Realtime speed inbound : 104 kbyte/min
Ipv4 Realtime speed outbound : 0 kbyte/min
Dot1X:
User MSIDSN name : -
EAP user : No
MD5 end : No
VPN&Policy-route:
Vpn-Instance : -
Multicast Service:
Multicast-profile : -
Multicast-profile-ipv6 : -
Max Multicast List Number : 4
IGMP enable : Yes
ACL&QoS:
Inbound Family-profile-name : 1M
Outbound Family-profile-name : 1M
Inbound family qos configuration : User-CAR
Inbound cir : 1024(kbps)
Inbound pir : 0(kbps)
Inbound cbs : 1024000(bytes)
Inbound pbs : 0(bytes)
Outbound family qos configuration : User-CAR
Outbound cir : 1024(kbps)
Outbound pir : 0(kbps)
Outbound cbs : 1024000(bytes)
Outbound pbs : 0(bytes)
Inbound qos configuration : User-CAR
Inbound cir : 15729(kbps)(Radius)
Inbound pir : 0(kbps)
Inbound cbs : 2941323(bytes)
Inbound pbs : 0(bytes)
Outbound qos configuration : User-CAR
Outbound cir : 15729(kbps)(Radius)
Outbound pir : 0(kbps)
Outbound cbs : 2941323(bytes)
Outbound pbs : 0(bytes)
Link bandwidth auto adapt : Disable
UpPriority : Unchangeable
DownPriority : Unchangeable
Flow Statistic:
If flow info contain l2-head : Yes
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Up packets number(high,low) : (0,17)
Up bytes number(high,low) : (0,2320)
Down packets number(high,low) : (0,9)
Down bytes number(high,low) : (0,2909)
IPV6 Up packets number(high,low) : (0,0)
IPV6 Up bytes number(high,low) : (0,0)
IPV6 Down packets number(high,low) : (0,0)
IPV6 Down bytes number(high,low) : (0,0)
Dslam information :
Circuit ID :-
Remote ID :-
Actual datarate upstream : 0(Kbps)
Actual datarate downstream : 0(Kbps)
Min datarate upstream : 0(Kbps)
Min datarate downstream : 0(Kbps)
Attainable datarate upstream : 0(Kbps)
Attainable datarate downstream : 0(Kbps)
Max datarate upstream : 0(Kbps)
Max datarate downstream : 0(Kbps)
Min lowpower datarate upstream : 0(Kbps)
Min lowpower datarate downstream : 0(Kbps)
Max delay upstream : 0(s)
Max delay downstream : 0(s)
Actual delay upstream : 0(s)
Actual delay downstream : 0(s)
Access loop encapsulation :0x000000

----End

Configuration Files
#
sysname HUAWEI
#
radius-server group rd1
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
radius-server type plus11
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/2
#
interface GigabitEthernet0/1/2.1
pppoe-server bind Virtual-Template 1
user-vlan 1 2
bas
access-type layer2-subscriber
authentication-method ppp
qos-profile 10M inbound
qos-profile 10M outbound
#
qos-profile 10M
car cir 1024 cbs 1024000 green pass red discard
#
interface GigabitEthernet0/1/1
ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
gateway 10.82.0.1 255.255.255.0
section 0 10.82.0.2 10.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
#
return

10.9.6 Example for Configuring IPv4/IPv6 Dual-Stack Access Based on Web+MAC Authentication
This section provides an example for configuring IPv4/IPv6 dual-stack access based on web
+MAC authentication.

Networking Requirements
In this example, wired users, wireless users, and dumb terminals in faculty dormitory,
student dormitory, and office areas implement IPv4/IPv6 dual-stack access based on web
authentication. When a user accesses the Internet for the first time, the user enters the
MAC authentication domain. During web authentication, the user must enter a user name
and password. The RADIUS server automatically records the terminal's MAC address and
associates it with the user name and password, so that the user accesses the Internet
automatically when going online again. This authentication mode is called MAC
authentication. If MAC authentication fails, the user is redirected to the web authentication
domain. A user in the web authentication domain can access only limited network addresses,
such as the web server's address. When a user in this domain accesses an address that
requires authorization, the user is redirected to the specified web server and must enter the
correct user name and password. After authentication succeeds, the user enters the
authentication domain and can access network resources normally. The next time the user
logs in, the Router authenticates the user based on the terminal's MAC address.
l RADIUS authentication and RADIUS accounting are used.
l The IP address of the RADIUS server is 10.1.2.10. The authentication and accounting
ports are 1812 and 1813, respectively. The standard RADIUS protocol is adopted, with
the key being Root@1234.
l The IP addresses of the two DNS servers are 3001:DA8:20D:30::30 and 10.1.6.2,
respectively.
l The IP address of the web server is 10.1.1.10, and the key is Root@123.


Figure 10-11 Networking for configuring IPv4/IPv6 dual-stack access based on web+MAC
authentication
NOTE

Interface1 in this example is GE0/1/0.

[Figure: PC - Access Network - Interface1 on the Router - Internet; the Router also connects
to the DNS server (IPv6), the DNS server (IPv4), the Portal server, and the RADIUS server.]
Configuration Roadmap
The configuration roadmap is as follows:

1. Enable IPv6 packet forwarding.
2. Create a MAC authentication domain named mac-domain, a web authentication domain
named web-domain, and an authentication domain named after-domain.
3. Configure AAA schemes. Create a RADIUS server group named group1, configure the
hw-auth-type attribute for authentication request packets in the RADIUS server group,
and configure attribute translation to translate the hw-auth-type attribute into Huawei
proprietary No. 109 attribute.
4. Configure address pools.
5. Enable MAC authentication in the MAC authentication domain mac-domain, and bind
the RADIUS server group group1 and authentication scheme portal-mac-auth to the
domain.
6. Configure forcible redirection to a specified web server in the web authentication domain
web-domain, and bind a user group that can access only limited resources,
authentication scheme (non-authentication), and accounting scheme (non-accounting) to
the domain.
7. Configure ACL rules for the web authentication domain web-domain.
8. Configure the authentication domain after-domain.
9. Run the default-user-name include mac-address command in the AAA view to
directly use the MAC address carried in a user connection request packet as the user
name.
10. Configure a DUID for the DHCPv6 server.
11. Enable IPv6 and configure the MAC authentication domain, authentication domain, and
authentication method on a BAS interface.


Procedure
Step 1 Enable IPv6 packet forwarding.
<HUAWEI> system-view
[~HUAWEI] ipv6

Step 2 Create a MAC authentication domain, a web authentication domain, and an authentication
domain.
[~HUAWEI] aaa
[*HUAWEI-aaa] domain mac-domain
[~HUAWEI-aaa-domain-mac-domain] quit
[*HUAWEI-aaa] domain web-domain
[~HUAWEI-aaa-domain-web-domain] quit
[*HUAWEI-aaa] domain after-domain
[*HUAWEI-aaa-domain-after-domain] commit
[~HUAWEI-aaa-domain-after-domain] quit
[~HUAWEI-aaa] quit

Step 3 Configure AAA schemes and a RADIUS server group.

# Create a RADIUS server group named group1, configure the hw-auth-type attribute for
authentication request packets in the RADIUS server group, and configure attribute
translation to translate the hw-auth-type attribute into Huawei proprietary No. 109 attribute.
[~HUAWEI] radius-server group group1
[*HUAWEI-radius-group1] radius-server authentication 10.1.2.10 1812
[*HUAWEI-radius-group1] radius-server accounting 10.1.2.10 1813
[*HUAWEI-radius-group1] radius-server shared-key-cipher Root@1234
[*HUAWEI-radius-group1] radius-attribute include hw-auth-type
[*HUAWEI-radius-group1] radius-server attribute translate
[*HUAWEI-radius-group1] radius-attribute translate extend hw-auth-type vendor-
specific 2011 109 access-request account
[*HUAWEI-radius-group1] commit
[~HUAWEI-radius-group1] quit

# Create an authentication scheme named portal-mac-auth, and configure the user to be
redirected to the web authentication domain web-domain when authentication fails in the
authentication scheme.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme portal-mac-auth
[*HUAWEI-aaa-authen-portal-mac-auth] authening authen-fail online authen-domain
web-domain
[*HUAWEI-aaa-authen-portal-mac-auth] commit
[~HUAWEI-aaa-authen-portal-mac-auth] quit

# Configure an authentication scheme named radius, with RADIUS authentication specified.
[*HUAWEI-aaa] authentication-scheme radius
[*HUAWEI-aaa-authen-radius] authentication-mode radius local
[*HUAWEI-aaa-authen-radius] commit
[~HUAWEI-aaa-authen-radius] quit

# Configure an authentication scheme named none, with non-authentication specified.
[*HUAWEI-aaa] authentication-scheme none
[*HUAWEI-aaa-authen-none] authentication-mode none
[*HUAWEI-aaa-authen-none] commit
[~HUAWEI-aaa-authen-none] quit

# Configure an accounting scheme named radius, with RADIUS accounting specified.
[*HUAWEI-aaa] accounting-scheme radius
[*HUAWEI-aaa-accounting-radius] accounting interim interval 10 hash
[*HUAWEI-aaa-accounting-radius] commit
[~HUAWEI-aaa-accounting-radius] quit


# Configure an accounting scheme named none, with non-accounting specified.
[*HUAWEI-aaa] accounting-scheme none
[*HUAWEI-aaa-accounting-none] accounting-mode none
[*HUAWEI-aaa-accounting-none] commit
[~HUAWEI-aaa-accounting-none] quit
[~HUAWEI-aaa] quit

Step 4 Configure address pools.
l # Configure an IPv4 address pool.
[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 10.10.17.1 255.255.240.0
[*HUAWEI-ip-pool-pool1] section 0 10.10.17.2 10.10.19.254
[*HUAWEI-ip-pool-pool1] dns-server 10.1.6.2
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit

l # Configure an IPv6 prefix pool.
[~HUAWEI] ipv6 prefix prefix1 local
[*HUAWEI-ipv6-prefix-prefix1] prefix 3001:DA8:801D:2005::/64
[*HUAWEI-ipv6-prefix-prefix1] commit
[~HUAWEI-ipv6-prefix-prefix1] quit

l # Configure an IPv6 address pool.
[~HUAWEI] ipv6 pool pool1 bas local
[*HUAWEI-ip-pool-pool1] prefix prefix1
[*HUAWEI-ip-pool-pool1] dns-server 3001:DA8:20D:30::30
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit

Step 5 Enable MAC authentication in the MAC authentication domain mac-domain, and bind the
RADIUS server group group1 and authentication scheme portal-mac-auth to the domain.
[~HUAWEI] user-group mac-group
[~HUAWEI] aaa
[*HUAWEI-aaa] domain mac-domain
[*HUAWEI-aaa-domain-mac-domain] radius-server group group1
[*HUAWEI-aaa-domain-mac-domain] authentication-scheme portal-mac-auth
[*HUAWEI-aaa-domain-mac-domain] accounting-scheme radius
[*HUAWEI-aaa-domain-mac-domain] ip-pool pool1
[*HUAWEI-aaa-domain-mac-domain] ipv6-pool pool1
[*HUAWEI-aaa-domain-mac-domain] mac-authentication enable
[*HUAWEI-aaa-domain-mac-domain] user-group mac-group
[*HUAWEI-aaa-domain-mac-domain] commit
[~HUAWEI-aaa-domain-mac-domain] quit
[~HUAWEI-aaa] quit

Step 6 Configure forcible redirection to a specified web server in the web authentication domain
web-domain, and bind a user group that can access only limited resources, authentication
scheme (non-authentication), and accounting scheme (non-accounting) to the domain.
[~HUAWEI] user-group web-group
[~HUAWEI] aaa
[*HUAWEI-aaa] http-redirect enable
[*HUAWEI-aaa] domain web-domain
[*HUAWEI-aaa-domain-web-domain] authentication-scheme none
[*HUAWEI-aaa-domain-web-domain] accounting-scheme none
[*HUAWEI-aaa-domain-web-domain] ip-pool pool1
[*HUAWEI-aaa-domain-web-domain] ipv6-pool pool1
[*HUAWEI-aaa-domain-web-domain] user-group web-group
[*HUAWEI-aaa-domain-web-domain] web-server 10.1.1.10
[*HUAWEI-aaa-domain-web-domain] web-server url http://10.1.1.10
[*HUAWEI-aaa-domain-web-domain] commit
[~HUAWEI-aaa-domain-web-domain] quit
[~HUAWEI-aaa] quit

# Configure a web authentication server.
[*HUAWEI] web-auth-server 10.1.1.10 key cipher Root@123


# Enable HTTP fast reply.
[*HUAWEI] slot 1
[*HUAWEI-slot-1] http-reply enable
[*HUAWEI-slot-1] commit
[~HUAWEI-slot-1] quit

Step 7 Configure ACL rules for the web authentication domain web-domain.
l # Configure IPv4 ACL rules.
[~HUAWEI] acl number 6000
[*HUAWEI-acl-ucl-6000] rule 5 permit ip source ip-address 10.1.1.10 0
destination user-group web-group
[*HUAWEI-acl-ucl-6000] rule 10 permit ip source user-group web-group
destination ip-address 10.1.1.10 0
[*HUAWEI-acl-ucl-6000] rule 15 permit ip source ip-address 10.1.6.2 0
destination user-group web-group
[*HUAWEI-acl-ucl-6000] rule 20 permit ip source user-group web-group
destination ip-address 10.1.6.2 0
[~HUAWEI-acl-ucl-6000] quit
[~HUAWEI] acl number 6001
[*HUAWEI-acl-ucl-6001] rule 5 permit tcp source user-group web-group
destination-port eq www
[*HUAWEI-acl-ucl-6001] rule 10 permit tcp source user-group web-group
destination-port eq 8080
[*HUAWEI-acl-ucl-6001] rule 15 permit ip source user-group web-group
[~HUAWEI-acl-ucl-6001] quit
[~HUAWEI] acl number 6002
[*HUAWEI-acl-ucl-6002] rule 5 permit ip source user-group web-group
destination user-group web-group
[*HUAWEI-acl-ucl-6002] rule 10 permit ip source user-group web-group
destination ip-address any
[~HUAWEI-acl-ucl-6002] quit
[~HUAWEI] acl number 6003
[*HUAWEI-acl-ucl-6003] rule 5 permit ip destination user-group web-group
[~HUAWEI-acl-ucl-6003] quit

l # Configure IPv6 ACL rules.
[~HUAWEI] acl ipv6 number 6000
[*HUAWEI-acl6-ucl-6000] rule 5 deny ipv6 source user-group web-group
destination ipv6-address 3001:DA8:20D:30::30/128
[*HUAWEI-acl6-ucl-6000] rule 10 deny ipv6 source ipv6-address 3001:DA8:20D:
30::30/128 destination user-group web-group
[~HUAWEI-acl6-ucl-6000] quit
[~HUAWEI] acl ipv6 number 6001
[*HUAWEI-acl6-ucl-6001] rule 5 permit tcp source user-group web-group
destination-port eq www
[*HUAWEI-acl6-ucl-6001] rule 10 permit tcp source user-group web-group
destination-port eq 8080
[*HUAWEI-acl6-ucl-6001] rule 15 permit ipv6 source user-group web-group
[~HUAWEI-acl6-ucl-6001] quit

l # Configure a traffic policy.
[~HUAWEI] traffic classifier 6000
[*HUAWEI-classifier-6000] if-match acl 6000
[*HUAWEI-classifier-6000] if-match ipv6 acl 6000
[~HUAWEI-classifier-6000] quit
[~HUAWEI] traffic classifier 6001
[*HUAWEI-classifier-6001] if-match acl 6001
[*HUAWEI-classifier-6001] if-match ipv6 acl 6001
[~HUAWEI-classifier-6001] quit
[~HUAWEI] traffic classifier 6002
[*HUAWEI-classifier-6002] if-match acl 6002
[~HUAWEI-classifier-6002] quit
[~HUAWEI] traffic classifier 6003
[*HUAWEI-classifier-6003] if-match acl 6003
[~HUAWEI-classifier-6003] quit
[~HUAWEI] traffic behavior permit
[*HUAWEI-behavior-permit] permit


[~HUAWEI] traffic behavior in-deny
[*HUAWEI-behavior-in-deny] deny
[~HUAWEI-behavior-in-deny] quit
[~HUAWEI] traffic behavior out-deny
[*HUAWEI-behavior-out-deny] deny
[~HUAWEI-behavior-out-deny] quit
[~HUAWEI] traffic behavior redirect
[*HUAWEI-behavior-redirect] http-redirect
[~HUAWEI-behavior-redirect] quit
[~HUAWEI] traffic policy before-auth-in
[*HUAWEI-policy-before-auth-in] share-mode
[*HUAWEI-policy-before-auth-in] classifier 6000 behavior permit
[*HUAWEI-policy-before-auth-in] classifier 6001 behavior redirect
[*HUAWEI-policy-before-auth-in] classifier 6002 behavior in-deny
[~HUAWEI-policy-before-auth-in] quit
[~HUAWEI] traffic policy before-auth-out
[*HUAWEI-policy-before-auth-out] share-mode
[*HUAWEI-policy-before-auth-out] classifier 6000 behavior permit
[*HUAWEI-policy-before-auth-out] classifier 6003 behavior out-deny
[~HUAWEI-policy-before-auth-out] quit

# Apply the traffic policy globally.
[*HUAWEI] traffic-policy before-auth-in inbound
[*HUAWEI] traffic-policy before-auth-out outbound

Step 8 Configure the authentication domain after-domain.
[~HUAWEI] aaa
[*HUAWEI-aaa] domain after-domain
[*HUAWEI-aaa-domain-after-domain] authentication-scheme radius
[*HUAWEI-aaa-domain-after-domain] accounting-scheme radius
[*HUAWEI-aaa-domain-after-domain] radius-server group group1
[*HUAWEI-aaa-domain-after-domain] commit
[~HUAWEI-aaa-domain-after-domain] quit

Step 9 Run the default-user-name include mac-address command in the AAA view to directly use
the MAC address carried in a user connection request packet as the user name.
[*HUAWEI-aaa] default-user-name include mac-address -
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 10 Configure a DUID for the DHCPv6 server.
[*HUAWEI] dhcpv6 duid 12345678

Step 11 Enable IPv6 and configure the MAC authentication domain, authentication domain, and
authentication method on a BAS interface.
[~HUAWEI] license
[*HUAWEI-license] active bas slot 1
[~HUAWEI-license] quit
[~HUAWEI] interface gigabitethernet0/1/0
[*HUAWEI-GigabitEthernet0/1/0] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/0] ipv6 nd autoconfig managed-address-flag
[*HUAWEI-GigabitEthernet0/1/0] ipv6 nd autoconfig other-flag
[*HUAWEI-GigabitEthernet0/1/0] bas
[*HUAWEI-GigabitEthernet0/1/0-bas] access-type layer2-subscriber default-domain
pre-authentication mac-domain authentication after-domain
[*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method web
[*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method-ipv6 web

Step 12 Verify the configuration.
1. A user logs in to the PC and obtains an IP address.
2. Run the display access-user domain web-domain command on the Router to check
information about online users.
3. The user enters another website in the address bar and is automatically redirected to the
address of the web server.


4. The user enters the user name and password, and accesses the Internet after the
authentication succeeds.
5. Run the display domain mac-domain command to check that the IPv4 and IPv6 address
pools are bound to the domain mac-domain.

----End
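The pre-authentication access control of Steps 6 and 7 (the web-domain user reaches only the portal and DNS, HTTP elsewhere is redirected, everything else is dropped) can be checked offline with the following model. It is an added illustration, not Huawei code: it encodes the IPv4 ACLs and the before-auth-in/before-auth-out policies from the example as data and assumes that the classifiers bound to a policy are tried in order with the first match winning; the subscriber address 10.10.17.5 and the Internet address 203.0.113.10 are constructed.

```python
from dataclasses import dataclass
from typing import Optional

PORTAL = "10.1.1.10"      # web server (portal) from the example
DNS_V4 = "10.1.6.2"       # IPv4 DNS server from the example
WEB_GROUP = "web-group"   # user group bound to domain web-domain


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or any other IP protocol name
    dport: Optional[int] = None
    src_group: Optional[str] = None   # user group of the sending subscriber, if any
    dst_group: Optional[str] = None   # user group of the receiving subscriber, if any


# One rule is (protocol, source match, destination match, destination port or None);
# a match is ("ip", address), ("group", user-group name) or ("any", None).
# The numbers are the ACLs of Step 7; "operator or" in the classifier means any rule matches.
ACLS = {
    6000: [  # portal and DNS reachable in both directions
        ("ip", ("ip", PORTAL), ("group", WEB_GROUP), None),
        ("ip", ("group", WEB_GROUP), ("ip", PORTAL), None),
        ("ip", ("ip", DNS_V4), ("group", WEB_GROUP), None),
        ("ip", ("group", WEB_GROUP), ("ip", DNS_V4), None),
    ],
    6001: [  # HTTP on 80 and 8080; rule 15 then catches every other IP packet
        ("tcp", ("group", WEB_GROUP), ("any", None), 80),
        ("tcp", ("group", WEB_GROUP), ("any", None), 8080),
        ("ip", ("group", WEB_GROUP), ("any", None), None),
    ],
    6002: [
        ("ip", ("group", WEB_GROUP), ("group", WEB_GROUP), None),
        ("ip", ("group", WEB_GROUP), ("any", None), None),
    ],
    6003: [("ip", ("any", None), ("group", WEB_GROUP), None)],
}

# The traffic policies: ordered (classifier, behavior) bindings.
BEFORE_AUTH_IN = [(6000, "permit"), (6001, "redirect"), (6002, "deny")]
BEFORE_AUTH_OUT = [(6000, "permit"), (6003, "deny")]


def _endpoint_matches(kind, value, addr, group):
    if kind == "any":
        return True
    if kind == "ip":
        return addr == value
    return group == value            # kind == "group"


def _rule_matches(rule, pkt):
    proto, src, dst, dport = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if dport is not None and pkt.dport != dport:
        return False
    return (_endpoint_matches(src[0], src[1], pkt.src, pkt.src_group)
            and _endpoint_matches(dst[0], dst[1], pkt.dst, pkt.dst_group))


def evaluate(policy, pkt):
    """Behavior of the first classifier whose ACL matches; 'no-match' means the
    policy does not apply and the packet is forwarded normally (authenticated users)."""
    for acl_number, behavior in policy:
        if any(_rule_matches(r, pkt) for r in ACLS[acl_number]):
            return behavior
    return "no-match"


def inbound(pkt):
    return evaluate(BEFORE_AUTH_IN, pkt)


def outbound(pkt):
    return evaluate(BEFORE_AUTH_OUT, pkt)


if __name__ == "__main__":
    user = dict(src="10.10.17.5", src_group=WEB_GROUP)   # constructed pre-auth subscriber
    print(inbound(Packet(dst=PORTAL, proto="tcp", dport=80, **user)))           # permit
    print(inbound(Packet(dst=DNS_V4, proto="udp", dport=53, **user)))           # permit
    print(inbound(Packet(dst="203.0.113.10", proto="tcp", dport=80, **user)))   # redirect
    # Rule 15 of ACL 6001 also catches non-HTTP traffic, so classifier 6002
    # (in-deny) is never reached for a web-group source.
    print(inbound(Packet(dst="203.0.113.10", proto="tcp", dport=443, **user)))  # redirect
    print(outbound(Packet(src="203.0.113.10", dst="10.10.17.5", proto="tcp",
                          dport=443, dst_group=WEB_GROUP)))                     # deny
```

The model shows one point worth checking on a real deployment: because ACL 6001 rule 15 matches all IP traffic from web-group, non-HTTP packets classify as "redirect" rather than "in-deny", and what the http-redirect behavior does with such packets is not stated on this page.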

Configuration Files
#
sysname HUAWEI

#
license
active bas slot 1
#
ipv6
#
user-group mac-group
user-group web-group
#
dhcpv6 duid 12345678
#
slot 1
http-reply enable
#
radius-server group group1
radius-server shared-key-cipher Root@1234
radius-server authentication 10.1.2.10 1812 weight 0
radius-server accounting 10.1.2.10 1813 weight 0
radius-server attribute translate
radius-attribute include HW-Auth-Type
radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-
request account
#
acl ipv6 number 6000
rule 5 deny ipv6 source user-group web-group destination ipv6-address
3001:DA8:20D:30::30/128
rule 10 deny ipv6 source ipv6-address 3001:DA8:20D:30::30/128 destination user-
group web-group
#
acl ipv6 number 6001
rule 5 permit tcp source user-group web-group destination-port eq www
rule 10 permit tcp source user-group web-group destination-port eq 8080
rule 15 permit ipv6 source user-group web-group
#
acl number 6000
rule 5 permit ip source ip-address 10.1.1.10 0 destination user-group web-group
rule 10 permit ip source user-group web-group destination ip-address 10.1.1.10 0
rule 15 permit ip source ip-address 10.1.6.2 0 destination user-group web-group
rule 20 permit ip source user-group web-group destination ip-address 10.1.6.2 0
#
acl number 6001
rule 5 permit tcp source user-group web-group destination-port eq www
rule 10 permit tcp source user-group web-group destination-port eq 8080
rule 15 permit ip source user-group web-group
#
acl number 6002
rule 5 permit ip source user-group web-group destination user-group web-group
rule 10 permit ip source user-group web-group destination ip-address any
#
acl number 6003
rule 5 permit ip destination user-group web-group
#
acl number 6010
#
traffic classifier 6000 operator or
if-match acl 6000
if-match ipv6 acl 6000
traffic classifier 6001 operator or
if-match acl 6001
if-match ipv6 acl 6001
traffic classifier 6002 operator or
if-match acl 6002
traffic classifier 6003 operator or
if-match acl 6003
#
traffic behavior in-deny
deny
traffic behavior out-deny
deny
traffic behavior permit
traffic behavior redirect
http-redirect
#
traffic policy before-auth-in
share-mode
classifier 6000 behavior permit
classifier 6001 behavior redirect
classifier 6002 behavior in-deny
traffic policy before-auth-out
share-mode
classifier 6000 behavior permit
classifier 6003 behavior out-deny
#
ip pool pool1 bas local
gateway 10.10.17.1 255.255.240.0
section 0 10.10.17.2 10.10.19.254
dns-server 10.1.6.2
#
ipv6 prefix prefix1 local
prefix 3001:DA8:801D:2005::/64
#
ipv6 pool pool1 bas local
prefix prefix1
dns-server 3001:DA8:20D:30::30
#
aaa
http-redirect enable
default-user-name include mac-address -
authentication-scheme portal-mac-auth
authening authen-fail online authen-domain web-domain
authentication-scheme radius
authentication-mode radius local
authentication-scheme none
authentication-mode none
#
accounting-scheme radius
accounting interim interval 10 hash
accounting-scheme none
accounting-mode none
#
domain mac-domain
authentication-scheme portal-mac-auth
accounting-scheme radius
ip-pool pool1
ipv6-pool pool1
mac-authentication enable
radius-server group group1
user-group mac-group
domain web-domain
authentication-scheme none
accounting-scheme none


ip-pool pool1
ipv6-pool pool1
user-group web-group
web-server 10.1.1.10
web-server url http://10.1.1.10
domain after-domain
authentication-scheme radius
accounting-scheme radius
radius-server group group1
#
interface GigabitEthernet0/1/0
ipv6 enable
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
bas
#
access-type layer2-subscriber default-domain pre-authentication mac-domain
authentication after-domain
authentication-method web
authentication-method-ipv6 web
#
traffic-policy before-auth-in inbound
traffic-policy before-auth-out outbound
#
web-auth-server 10.1.1.10 key cipher Root@123


11 802.1X Access Configuration

About This Chapter

Configure 802.1X access services to exchange messages between access users and
authentication servers. This feature is not supported on the M2E. This feature is supported
only on the Admin-VS.
11.1 Overview of 802.1X Access
IEEE 802.1X authentication allows only authorized users or devices to access a network,
which improves network security.
11.2 802.1X Authentication Features Supported by the NE40E
Different authentication modes can be configured for 802.1X authentication.
11.3 Configuring 802.1X Access Services
Before configuring 802.1X access services, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain the data required for the configuration.
11.4 Configuration Examples for 802.1X Access
This section provides examples for configuring 802.1X authentication, including networking
requirements, configuration notes, and configuration roadmap.

11.1 Overview of 802.1X Access

IEEE 802.1X authentication allows only authorized users or devices to access a network,
which improves network security.
IEEE 802.1X is an IEEE standard for Port-based Network Access Control and is part of the
IEEE 802.1 group of networking standards. The standard adopts a client/server approach to
authenticate users, preventing unauthorized users or devices from connecting to a LAN.
Before granting access to services, IEEE 802.1X authenticates users or devices attached to
controlled interfaces on the Router. The access to controlled interfaces is allowed or denied as
determined by the authorization status of controlled interfaces. Controlled interfaces in the
unauthorized state will deny the user or device access. The authorization status (authorized or
unauthorized) of controlled interfaces is controlled by the Router based on authentication
results from the authentication server. Before a user or device is authenticated, 802.1X access
control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic to pass
through the Ethernet interface to which the user or device is connected. After authentication is
successful, normal traffic can pass through the Ethernet interface. This mechanism improves
network security by allowing only authorized users or devices to access the network.

NOTE

Services are interrupted if the memory size of the master MPU is inconsistent with that of the slave
MPU.

11.2 802.1X Authentication Features Supported by the NE40E
Different authentication modes can be configured for 802.1X authentication.

The NE40E supports the following 802.1X authentication features:

Authentication Mode
l EAP termination authentication: The NE40E terminates the EAP packets sent from the
client, parses user names and passwords, encrypts the passwords, and sends the packets
to an AAA server for authentication. EAP termination authentication includes the
Password Authentication Protocol (PAP) authentication and Challenge Handshake
Authentication Protocol (CHAP) authentication.
– PAP is a two-way handshake authentication protocol that uses plaintext passwords.
It has low security.
– CHAP is a three-way handshake authentication protocol that uses ciphertext
passwords, and therefore is more secure than PAP.
l EAP relay authentication: The NE40E directly encapsulates 802.1X user authentication
information and EAP packets into the attribute fields of RADIUS packets, and sends the
RADIUS packets to an AAA server.
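The difference between the two EAP termination methods, what the client puts on the link in PAP versus CHAP, can be seen in the following model. It is an added illustration, not NE40E code: CHAP is computed as in RFC 1994 with MD5 (Response = MD5(Identifier || Secret || Challenge)), and a plain dictionary stands in for the AAA server's user database; the user alice and her password are constructed.

```python
import hashlib
import hmac
import os

USER_DB = {b"alice": b"s3cret-pw"}   # constructed sample user (stands in for the AAA server)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over the identifier octet, the secret and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_server_verify(user: bytes, identifier: int, challenge: bytes,
                       response: bytes) -> bool:
    """The authenticator recomputes the response from its own copy of the secret."""
    secret = USER_DB.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def pap_server_verify(user: bytes, password: bytes) -> bool:
    secret = USER_DB.get(user)
    return secret is not None and hmac.compare_digest(secret, password)


def chap_on_wire(user: bytes, secret: bytes, identifier: int = 1,
                 rng=os.urandom) -> dict:
    """Simulate one three-way CHAP handshake and return what crossed the link."""
    challenge = rng(16)                                             # 1. Challenge
    response = chap_response(identifier, secret, challenge)         # 2. Response
    ok = chap_server_verify(user, identifier, challenge, response)  # 3. Success/Failure
    return {"challenge": challenge, "response": response, "success": ok}


def pap_on_wire(user: bytes, password: bytes) -> dict:
    """Simulate the PAP two-way handshake: the client sends the password itself."""
    return {"password": password, "success": pap_server_verify(user, password)}


def secret_exposed(captured: dict, secret: bytes) -> bool:
    """Would a passive observer of the captured fields learn the secret?"""
    return any(secret in v for v in captured.values() if isinstance(v, bytes))


if __name__ == "__main__":
    pap = pap_on_wire(b"alice", b"s3cret-pw")
    chap = chap_on_wire(b"alice", b"s3cret-pw")
    print("PAP  success:", pap["success"], "secret on wire:", secret_exposed(pap, b"s3cret-pw"))
    print("CHAP success:", chap["success"], "secret on wire:", secret_exposed(chap, b"s3cret-pw"))
```

A captured CHAP response is bound to its challenge, so replaying it against a fresh challenge fails; a captured PAP password can be reused directly.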

11.3 Configuring 802.1X Access Services

Before configuring 802.1X access services, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain the data required for the configuration.

Usage Scenario
To prevent unauthorized users or devices from gaining access to a network and ensure
network security, you can configure 802.1X access services to allow only authorized users to
access the network.

Pre-configuration Tasks
l Configure link-layer protocol parameters for interfaces to go Up at the link layer.
l Configure a routing protocol to implement IP connectivity of the network.

Configuration Procedures
Perform one or more of the following configurations as required.


11.3.1 Creating a Dot1x Template

When 802.1X authentication is used, an authentication server and 802.1X client perform
authentication negotiation based on parameters defined in a dot1x template.

Context
After a dot1x template is created in the system view, configure parameters for the dot1x
template:
l Run the eap-end command to specify the authentication method for 802.1X users using
the dot1x template. Choose EAP termination mode or EAP relay mode as required.
l Run the authentication timeout command in the template view to set the timeout period
for the BRAS to wait for an EAP Response packet from the authentication server. If the
BRAS does not receive an EAP Response packet from the authentication server within a
specified timeout period, the BRAS considers that a user goes offline and logs out the
user.
l During 802.1X authentication, the BRAS sends an EAP-Request/Identity packet to the
client. If you want the BRAS to retransmit the packet when the client does not respond,
run the request command to set the timeout period for the BRAS to wait for an EAP-
Response/Identity packet from the client and the number of retransmissions of EAP-
Request/Identity packets. If the client does not respond with an EAP-Response/Identity
packet within the timeout period and after packet retransmissions reach the specified
number, the user is logged out.
l If users go online through 802.1X authentication, run the reauthentication interval
command to set the interval for the BRAS to send re-authentication request packets. If
re-authentication fails, the users are logged out to ensure that only authorized users can
access the network.
l In some cases, accounting continues after 802.1X users go offline. To resolve such
issues, run the keepalive command to set the number of and timeout period for
handshake packet retransmissions between the EAP client and server. If the client does
not respond within the timeout period and after handshake packet retransmissions reach
the specified number, the user is logged out.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dot1x-template dot1x-template-number
A dot1x template is created and the dot1x template view is displayed.
Dot1x templates are identified by numbers. The Router has a default dot1x template
numbered 1. This template can be modified but cannot be deleted.
Step 3 (Optional) Run eap-end [ chap | pap ]
The EAP authentication method is set for 802.1X users.
Step 4 (Optional) Run authentication timeout time
The timeout period for the BRAS to wait for an EAP Response packet from the authentication
server is set.


Step 5 (Optional) Run request { interval time | retransmit times } *


The timeout period for the BRAS to wait for an EAP-Response/Identity packet from the client
and the number of retransmissions of EAP-Request/Identity packets is set.
Step 6 (Optional) Run reauthentication interval time
The interval for the BRAS to send re-authentication request packets is set.

Step 7 (Optional) Run keepalive { interval time | retransmit times } *


The number of and timeout period for handshake packet retransmissions between the EAP
client and server is set.
Step 8 Run commit
The configuration is committed.

----End
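To make the three timers concrete, the following Python model (an added example, not code from this guide or from the device) computes how long a client that silently stops responding stays online, and therefore accounted, under a given dot1x template. The guide describes the behaviour in words; the exact retransmission arithmetic, the assumption that each periodic timer starts at t=0, and the class and function names are this example's own.

```python
"""Timer model for the dot1x template parameters described in this section.

Added example, not code from the NE40E guide. It estimates how long a client
that silently disappears (an unplugged supplicant, a crashed host) stays
online and accounted before the BRAS logs it out. The arithmetic is this
example's assumption: each unanswered request is followed by `retransmit`
retransmissions spaced `interval` seconds apart, and the user is logged out
when the last wait ends.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Dot1xTemplate:
    """Values set by the commands of the dot1x template view (seconds)."""
    authentication_timeout: int = 30                 # authentication timeout <time>
    request_interval: int = 30                       # request interval <time>
    request_retransmit: int = 2                      # request retransmit <times>
    reauthentication_interval: Optional[int] = 3600  # None = switch Off
    keepalive_interval: Optional[int] = None         # None = switch Off
    keepalive_retransmit: int = 0                    # keepalive retransmit <times>


def next_tick(interval: int, now: int) -> int:
    """First expiry of a periodic timer strictly after `now`; timers start at 0."""
    return (now // interval + 1) * interval


def exchange_deadline(start: int, interval: int, retransmit: int) -> int:
    """Time at which a request sent at `start` and never answered gives up."""
    return start + (retransmit + 1) * interval


def stale_session_window(tpl: Dot1xTemplate, silent_at: int) -> Optional[int]:
    """Seconds a vanished client stays online after going silent at `silent_at`.

    Keepalive handshakes and periodic re-authentication are the two ways the
    BRAS notices; whichever fails first ends the session. None means neither
    is enabled, so the session (and its accounting) is never torn down, which
    is the problem the keepalive command exists to fix.
    """
    deadlines: List[int] = []
    if tpl.keepalive_interval:
        probe = next_tick(tpl.keepalive_interval, silent_at)
        deadlines.append(exchange_deadline(probe, tpl.keepalive_interval,
                                           tpl.keepalive_retransmit))
    if tpl.reauthentication_interval:
        reauth = next_tick(tpl.reauthentication_interval, silent_at)
        # Re-authentication restarts the EAP-Request/Identity exchange, so the
        # request interval/retransmit settings govern how long it takes to fail.
        deadlines.append(exchange_deadline(reauth, tpl.request_interval,
                                           tpl.request_retransmit))
    return min(deadlines) - silent_at if deadlines else None


# dot1x-template 4 from the configuration example in 11.4.1.
EXAMPLE_TEMPLATE = Dot1xTemplate(authentication_timeout=20, request_interval=20,
                                 request_retransmit=3, reauthentication_interval=1800,
                                 keepalive_interval=15, keepalive_retransmit=2)

# Default template 1 as shown by 'display dot1x-template 1' in 11.3.5:
# keepalive Off, re-authentication every 3600 s, request 30 s with 2 retransmits.
DEFAULT_TEMPLATE = Dot1xTemplate()

if __name__ == "__main__":
    for name, tpl in (("template 4", EXAMPLE_TEMPLATE), ("default template", DEFAULT_TEMPLATE)):
        print(f"{name}: a client silent from t=100 s is logged out after "
              f"{stale_session_window(tpl, 100)} s")
```

With the example template the client is gone for 50 seconds before the failed keepalive handshake logs it out; with the default template (keepalive off) it stays online until the next re-authentication fails, close to an hour later.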

11.3.2 Binding a dot1x Template to a Domain


When 802.1X authentication is used for users in a domain, authentication negotiation is
performed based on parameters defined in a dot1x template.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run dot1x-template dot1x-template-number
A dot1x template is bound to a domain.
Step 5 Run commit
The configuration is committed.

----End

11.3.3 (Optional) Binding a Sub-interface to a VLAN


When restrictions on broadcast packets are required in a LAN to enhance the LAN security or
to set up virtual working groups, VLANs must be configured. VLANs can be used only on
Ethernet sub-interfaces.

Context
When a user accesses the network through a main interface, you do not need to bind the main
interface to a VLAN. When a user accesses the network through a sub-interface, you need to
bind the sub-interface to a VLAN.

You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding a sub-interface to a VLAN, you need the following parameters:
- Number of the sub-interface
- VLAN ID
- QinQ ID
NOTE
- Each main interface can be configured with only one any-other sub-interface. The user-vlan any-other parameter cannot be configured together with the user-vlan start-vlan parameter or the user-vlan qinq parameter on the same sub-interface.
- If a sub-interface is configured with dot1q termination, QinQ termination, QinQ stacking, or VLAN-type dot1q, the user-vlan command cannot be run on the sub-interface.
- User VLANs with the same VLAN ID cannot be configured on different sub-interfaces.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number.subinterface-number
A sub-interface is created and the sub-interface view is displayed.
Step 3 Run user-vlan { start-vlan-id [ end-vlan-id ] [ qinq start-pe-vlan [ end-pe-vlan ] ] | any-other }
User-side VLANs are created.
Step 4 Run commit
The configuration is committed.

----End

11.3.4 Configuring a BAS interface


When an interface is used for broadband access, you need to configure it as a BAS interface
and set the access type and relevant attributes for this interface.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number [ .subinterface-number [ p2p | p2mp ] ]
The user-side interface view is displayed.
Step 3 Run commit
The configuration is committed.
Step 4 Run bas
A BAS interface is created, and the BAS interface view is displayed.

You can configure an interface as the BAS interface by running the bas command in the
interface view. An Ethernet interface, an Eth-Trunk interface, a Virtual Ethernet (VE)
interface or a sub-interface of the preceding interfaces can be configured as a BAS interface.
Step 5 Perform one or more operations in Table 11-1 to set the desired interface parameters.

Table 11-1 Configure a BAS interface.

BAS Interface Parameter: Access type and relevant attributes for Layer 2 common users
Command: access-type layer2-subscriber [ default-domain { authentication [ force | replace ] dname | pre-authentication prename } * | bas-interface-name bname | accounting-copy radius-server rd-name ] *
Description: Configure a user who accesses a network from a BAS interface as a Layer 2 common user, allowing such users to have independent service attributes and directly access a Layer 2 network. A BRAS performs authentication and accounting on these users separately. When setting the access type on the BAS interface, you can set the service attributes of the access users at the same time or later. The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk interface. You can configure the access type only on the Eth-Trunk interface.

BAS Interface Parameter: User authentication method
Command: authentication-method
Description: Configure 802.1X authentication for user access through a BAS interface.

BAS Interface Parameter: Maximum number of users on a BAS interface
Command: access-limit user-number
Description: Limit the number of online users in a domain. If the number of online users exceeds the specified upper limit, the system rejects users' access requests and notifies the users of authentication failures. This facilitates the management of access users.

BAS Interface Parameter: The function to trust the access-line-id information reported by clients
Command: client-option82 [ { basinfo-insert { cn-telecom | version3 } | version1 } ]
Description: Enable the function to locate a user through DHCP Option 82 or PPPoE+.

BAS Interface Parameter: The function to enable VBAS on a BAS interface
Command: vbas
Description: Enable the function to locate a user through the virtual BAS (VBAS). You do not need to run this command if the function to locate a user through DHCP Option 82 or PPPoE+ is enabled.

BAS Interface Parameter: The function to enable the NE40E to carry link-account information in the accounting request packets sent to a RADIUS server
Command: link-account resolve
Description: When a RADIUS server performs accounting for users who go online in non-authentication mode, the server needs to differentiate users. Run this command to enable the NE40E to carry link-account information in the accounting request packets sent to the RADIUS server.

Step 6 Run commit
The configuration is committed.

----End

11.3.5 Verifying the 802.1X Access Configuration


After 802.1X access services are configured, check the configurations.

Procedure
- Run the display dot1x-template number command to check dot1x template configurations.
- Run the display bas-interface command to check BAS interface configurations.
----End

Example
Run the display dot1x-template number command to view configurations of the dot1x
template numbered 1.
<HUAWEI> display dot1x-template 1
Template index : 1
Reauthentication switch : On
Keepalive switch : Off
Reauthentication interval(S) : 3600
Keepalive retransmit : 0
Keepalive interval(S) : 20
Request interval(S) : 30
Request retransmit : 2
Server response time(S) : 30
Send-EAP-SIM : No
EAP-end : Yes
EAP-end-authentication-method: CHAP

Run the display bas-interface command to view configurations of all BAS interfaces.
<HUAWEI> display bas-interface
---------------------------------------------------------------------------
Interface BASIF-access-type config-state access-number
---------------------------------------------------------------------------
Eth-Trunk0 Layer2-subscriber Updated 0
Eth-Trunk0.1 Layer2-subscriber Updated 1
Eth-Trunk0.1234 Layer2-subscriber Updated 0
----------------------------------------------------------------------
Total 3 BASIF is configured
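The two outputs above can be checked mechanically rather than by eye. The following Python script is an added example, not code from this guide or from the device: it parses the sample display dot1x-template and display bas-interface output copied from above and reports the settings an access-security reviewer would question (liveness checks that are off, BAS interfaces whose configuration is not applied). The function names and the review thresholds are this example's own choices.

```python
"""Parse and review the verification output shown in this section.

Added example, not code from the NE40E guide. It turns the text of
'display dot1x-template' and 'display bas-interface' into data and reports
what an access-security reviewer would look at: whether liveness checks
(keepalive, re-authentication) are on and whether every BAS interface has
its configuration applied. The two sample outputs are copied from the
guide's example; the review thresholds are this example's own choices.
"""
import re
from typing import Dict, List

DOT1X_OUTPUT = """\
<HUAWEI> display dot1x-template 1
Template index : 1
Reauthentication switch : On
Keepalive switch : Off
Reauthentication interval(S) : 3600
Keepalive retransmit : 0
Keepalive interval(S) : 20
Request interval(S) : 30
Request retransmit : 2
Server response time(S) : 30
Send-EAP-SIM : No
EAP-end : Yes
EAP-end-authentication-method: CHAP
"""

BAS_OUTPUT = """\
<HUAWEI> display bas-interface
---------------------------------------------------------------------------
Interface BASIF-access-type config-state access-number
---------------------------------------------------------------------------
Eth-Trunk0 Layer2-subscriber Updated 0
Eth-Trunk0.1 Layer2-subscriber Updated 1
Eth-Trunk0.1234 Layer2-subscriber Updated 0
----------------------------------------------------------------------
Total 3 BASIF is configured
"""

KEY_VALUE = re.compile(r"^([A-Za-z][^:]*?)\s*:\s*(\S.*)$")


def parse_dot1x_template(text: str) -> Dict[str, str]:
    """Map each 'Key : Value' line to a dict entry; the prompt line has no colon."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_bas_interfaces(text: str) -> List[Dict[str, str]]:
    """Return one dict per data row of the 'display bas-interface' table."""
    columns = ("interface", "access_type", "config_state", "access_number")
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have four fields and a numeric access-number; the header
        # row, the separators and the 'Total ...' line do not.
        if len(parts) == 4 and parts[3].isdigit():
            rows.append(dict(zip(columns, parts)))
    return rows


def review_dot1x(fields: Dict[str, str], max_reauth_interval: int = 3600) -> List[str]:
    """Findings about the template's liveness and re-authentication settings."""
    findings = []
    if fields.get("Keepalive switch") != "On":
        findings.append("keepalive is Off: a client that drops silently stays online "
                        "and accounted until the next re-authentication")
    if fields.get("Reauthentication switch") != "On":
        findings.append("re-authentication is Off: an authorised session is never re-verified")
    elif int(fields.get("Reauthentication interval(S)", "0")) > max_reauth_interval:
        findings.append(f"re-authentication interval exceeds {max_reauth_interval} s")
    return findings


def review_bas(rows: List[Dict[str, str]]) -> List[str]:
    """Flag BAS interfaces whose configuration is not reported as applied."""
    return [f"{r['interface']}: config-state is {r['config_state']}, not Updated"
            for r in rows if r["config_state"] != "Updated"]


if __name__ == "__main__":
    for finding in (review_dot1x(parse_dot1x_template(DOT1X_OUTPUT))
                    + review_bas(parse_bas_interfaces(BAS_OUTPUT))):
        print("finding:", finding)
```

Run against the sample output, the only finding is that the default template has keepalive switched off; all three BAS interfaces report config-state Updated.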

11.4 Configuration Examples for 802.1X Access


This section provides examples for configuring 802.1X authentication, including networking
requirements, configuration notes, and configuration roadmap.

11.4.1 Example for Configuring 802.1X Access


This section provides an example for configuring 802.1X access services. A networking
diagram is provided to help you understand the configuration procedure. The example
provides the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
To prevent unauthorized users or devices from gaining access to a network and ensure
network security, you can configure 802.1X access services to allow only authorized users to
access the network. As shown in Figure 11-1,
- Subscriber belongs to the domain isp4 and accesses the Internet through GE 1/0/2 on the Router in 802.1X authentication mode.
- RADIUS authentication and RADIUS accounting are used.
NOTE
In the 802.1X system, the NE40E functions as a relay device, which must use the RADIUS server to transmit EAP packets.
- The IP address of the RADIUS server is 192.168.7.249. The authentication port is numbered 1645 and the accounting port is numbered 1646. The RADIUS+1.1 protocol is adopted, with the key being itellin.
- The IP address of the DNS server is 192.168.7.252.
- The network-side interface on the NE40E is GE 2/0/1.

Figure 11-1 Networking for configuring 802.1X access services
(Figure not reproduced; labels recovered: Access Network with subscriber@isp4, Router with interface 1 on the user side and interface 2 toward the Internet, 192.168.7.1, DNS server 192.168.7.252, RADIUS server 192.168.7.249.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a dot1x template.
2. Configure an authentication scheme.
3. Configure an accounting scheme.
4. Configure a RADIUS server group.
5. Configure an address pool.
6. Configure a domain named isp4.
7. Configure a BAS interface.

Data Preparation
To complete the configuration, you need the following data:
- dot1x template name
- Timeout period for the BRAS to wait for an EAP Response packet from the authentication server
- Timeout period for the BRAS to wait for an EAP-Response/Identity packet from the client and the number of retransmissions of EAP-Request/Identity packets
- Number of and timeout period for handshake packet retransmissions between the EAP client and server
- IP address of the RADIUS server
- Address pool name, gateway address, IP address range, and DNS server address

Procedure
Step 1 Configure a dot1x template.
<HUAWEI> system-view
[~HUAWEI] sysname Router
[*HUAWEI] commit
[~Router] dot1x-template 4
[*Router-dot1x-template-4] authentication timeout 20
[*Router-dot1x-template-4] request interval 20 retransmit 3
[*Router-dot1x-template-4] reauthentication interval 1800
[*Router-dot1x-template-4] keepalive interval 15 retransmit 2
[*Router-dot1x-template-4] commit
[~Router-dot1x-template-4] quit

Step 2 Configure an authentication scheme.
[~Router] aaa
[~Router-aaa] authentication-scheme auth4
[*Router-aaa-authen-auth4] authentication-mode radius
[*Router-aaa-authen-auth4] commit
[~Router-aaa-authen-auth4] quit

Step 3 Configure an accounting scheme.
[~Router-aaa] accounting-scheme acct4
[*Router-aaa-accounting-acct4] accounting-mode radius
[*Router-aaa-accounting-acct4] commit
[~Router-aaa-accounting-acct4] quit
[~Router-aaa] quit

Step 4 Configure a RADIUS server group.
[~Router] radius-server group rd4
[*Router-radius-rd4] radius-server authentication 192.168.7.249 1645
[*Router-radius-rd4] radius-server accounting 192.168.7.249 1646
[*Router-radius-rd4] radius-server type plus11
[*Router-radius-rd4] commit
[~Router-radius-rd4] quit

Step 5 Configure an address pool.
[~Router] ip pool pool4 bas local
[~Router-ip-pool-pool4] gateway 10.82.1.1 255.255.255.0
[~Router-ip-pool-pool4] section 0 10.82.1.2 10.82.1.200
[~Router-ip-pool-pool4] dns-server 192.168.7.252
[*Router-ip-pool-pool4] commit
[~Router-ip-pool-pool4] quit

Step 6 Configure a domain named isp4.
[~Router] aaa
[~Router-aaa] domain isp4
[*Router-aaa-domain-isp4] authentication-scheme auth4
[*Router-aaa-domain-isp4] accounting-scheme acct4
[*Router-aaa-domain-isp4] commit
[~Router-aaa-domain-isp4] radius-server group rd4
[*Router-aaa-domain-isp4] commit
[~Router-aaa-domain-isp4] ip-pool pool4
[*Router-aaa-domain-isp4] dot1x-template 4
[*Router-aaa-domain-isp4] commit
[~Router-aaa-domain-isp4] quit
[~Router-aaa] quit

Step 7 Configure a BAS interface.
[~Router] license
[~Router-license] active bas slot 1
[~Router-license] quit
[~Router] interface gigabitEthernet 1/0/2.1
[*Router-GigabitEthernet1/0/2.1] commit
[~Router-GigabitEthernet1/0/2.1] user-vlan 100
[~Router-GigabitEthernet1/0/2.1-vlan-100-100] quit
[~Router-GigabitEthernet1/0/2.1] bas
[~Router-GigabitEthernet1/0/2.1-bas] access-type layer2-subscriber
[~Router-GigabitEthernet1/0/2.1-bas] default-domain authentication isp4
[*Router-GigabitEthernet1/0/2.1-bas] commit
[~Router-GigabitEthernet1/0/2.1-bas] authentication-method dot1x
[*Router-GigabitEthernet1/0/2.1-bas] commit
[~Router-GigabitEthernet1/0/2.1-bas] quit
[~Router-GigabitEthernet1/0/2.1] quit

----End

Configuration Files
#
sysname Router
#
license
active bas slot 1
#
radius-server group rd4
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server shared-key itellin
radius-server type plus11
radius-server traffic-unit kbyte
#
interface GigabitEthernet1/0/2.1
user-vlan 100
bas
access-type layer2-subscriber default-domain authentication isp4
authentication-method dot1x
#
ip pool pool4 bas local
gateway 10.82.1.1 255.255.255.0
section 0 10.82.1.2 10.82.1.200
dns-server 192.168.7.252
#
dot1x-template 4
authentication timeout 20
request retransmit 3 interval 20
reauthentication interval 1800
keepalive retransmit 2 interval 15
#
aaa
authentication-scheme auth4
accounting-scheme acct4
domain isp4
authentication-scheme auth4
accounting-scheme acct4
radius-server group rd4
dot1x-template 4
ip-pool pool4
#
return
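Configuration files like the one above are easy to get subtly wrong: a domain can reference a scheme, RADIUS server group, or dot1x template that was never created, or a BAS interface can select dot1x authentication while its default domain binds no dot1x template, so users are never challenged the way the design intends. The following Python audit is an added example, not code from this guide or the device. It parses the guide's configuration file (trimmed to the blocks the audit reads) into its '#'-delimited blocks and reports dangling references and RADIUS groups without a shared key. It assumes, as the guide's files show, that scheme definitions precede the domain definitions inside the aaa block; the block splitting, the list of checks and the message texts are this example's own.

```python
"""Cross-reference audit of the 802.1X configuration file shown above.

Added example, not code from the NE40E guide. It checks that every object a
domain or BAS interface refers to exists: a BAS interface authenticating
with dot1x must name a default domain, that domain must bind a dot1x
template, and every RADIUS server group needs a shared key. The sample is
the guide's own configuration trimmed to the blocks the audit reads; the
checks and messages are this example's. Scheme definitions are assumed to
precede the domains inside 'aaa', as in the guide's files.
"""
import re
from typing import Dict, List

CONFIG = """\
#
radius-server group rd4
radius-server authentication 192.168.7.249 1645 weight 0
radius-server shared-key itellin
radius-server type plus11
#
interface GigabitEthernet1/0/2.1
user-vlan 100
bas
access-type layer2-subscriber default-domain authentication isp4
authentication-method dot1x
#
ip pool pool4 bas local
gateway 10.82.1.1 255.255.255.0
#
dot1x-template 4
keepalive retransmit 2 interval 15
#
aaa
authentication-scheme auth4
accounting-scheme acct4
domain isp4
authentication-scheme auth4
accounting-scheme acct4
radius-server group rd4
dot1x-template 4
ip-pool pool4
#
"""

# Object kinds a domain may reference, spelled as they appear in the domain view.
REFERENCE_KINDS = ("authentication-scheme", "accounting-scheme",
                   "radius-server group", "dot1x-template", "ip-pool")


def blocks(config: str) -> List[List[str]]:
    """Split the configuration into its '#'-delimited blocks of stripped, non-empty lines."""
    chunks = re.split(r"^#\s*$", config, flags=re.M)
    return [[l.strip() for l in c.splitlines() if l.strip()] for c in chunks if c.strip()]


def split_ref(line: str):
    """'radius-server group rd4' -> ('radius-server group', 'rd4'); None for other lines."""
    for kind in REFERENCE_KINDS:
        if line.startswith(kind + " "):
            return kind, line[len(kind) + 1:].strip()
    return None


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every reference resolves."""
    defined = {k: set() for k in REFERENCE_KINDS}
    domains: Dict[str, Dict[str, str]] = {}
    bas_ifaces: List[Dict[str, str]] = []
    no_key: List[str] = []
    for blk in blocks(config):
        head = blk[0]
        if m := re.match(r"radius-server group (\S+)$", head):
            defined["radius-server group"].add(m[1])
            if not any(l.startswith("radius-server shared-key ") for l in blk):
                no_key.append(m[1])
        elif m := re.match(r"(dot1x-template|ip pool) (\S+)", head):
            defined[m[1].replace(" ", "-")].add(m[2])
        elif (m := re.match(r"interface (\S+)$", head)) and "bas" in blk:
            text = " ".join(blk)
            dom = re.search(r"default-domain authentication (?:force |replace )?(\S+)", text)
            method = re.search(r"authentication-method (\S+)", text)
            bas_ifaces.append({"name": m[1], "domain": dom and dom[1], "method": method and method[1]})
        elif head == "aaa":
            current = None
            for line in blk[1:]:
                if line.startswith("domain "):
                    current = line.split()[1]
                    domains[current] = {}
                elif (ref := split_ref(line)) is not None:
                    kind, value = ref
                    if current is None:
                        defined[kind].add(value)        # definition at aaa level
                    else:
                        domains[current][kind] = value  # reference inside the domain
    findings = [f"domain {d}: {k} {v} is referenced but not defined"
                for d, refs in domains.items() for k, v in refs.items() if v not in defined[k]]
    for i in bas_ifaces:
        if i["method"] != "dot1x":
            continue
        if i["domain"] is None:
            findings.append(f"{i['name']}: dot1x without a default-domain authentication")
        elif i["domain"] not in domains:
            findings.append(f"{i['name']}: default domain {i['domain']} is not defined")
        elif "dot1x-template" not in domains[i["domain"]]:
            findings.append(f"{i['name']}: domain {i['domain']} binds no dot1x-template")
    findings += [f"radius-server group {g}: no shared-key configured" for g in no_key]
    return findings
```

On the guide's file the audit returns no findings; removing the dot1x-template line from the domain, or the shared-key line from the RADIUS group, produces one finding each.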

11.4.2 Example for Configuring 802.1X Access


This section provides an example for configuring 802.1X access.

Networking Requirements
On the network shown in Figure 11-2, to allow the user to go online, configure 802.1X
access. The requirements are as follows:

- The user belongs to the domain isp4 and accesses the Internet through GE 0/1/0 on the Router in 802.1X mode.
- RADIUS authentication and RADIUS accounting are used.
NOTE
In the 802.1X system, the NE40E functions as a relay device, which must use the RADIUS server to transmit EAP packets.
- The IP address of the RADIUS server is 192.168.7.249. The authentication and accounting ports are 1645 and 1646, respectively. The RADIUS+1.1 protocol is adopted, with the key being itellin.
- The IP address of the DNS server is 192.168.7.252.
- The network-side interface on the NE40E is GE 0/2/0.

Figure 11-2 Networking for configuring 802.1X access
NOTE
Interfaces 1 and 2 in this example are GE 0/1/0 and GE 0/2/0, respectively.
(Figure not reproduced; labels recovered: Access Network with subscriber@isp4, Router with interface 1 on the user side and interface 2 toward the Internet, 192.168.7.1, DNS server 192.168.7.252, RADIUS server 192.168.7.249.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a dot1x template.
2. Configure a BAS interface.

Data Preparation
To complete the configuration, you need the following data:
- dot1x template name
- Timeout period for waiting for an EAP response packet from the authentication server
- Number of packet retransmissions by the client and timeout period
- Number of handshake packet retransmissions between the EAP client and server and timeout period
- RADIUS server address
- Address pool name, gateway address, address range, and DNS server address

Procedure
Step 1 Configure a dot1x template.
<HUAWEI> system-view
[~HUAWEI] dot1x-template 4
[*HUAWEI-dot1x-template-4] authentication timeout 20
[*HUAWEI-dot1x-template-4] request interval 20 retransmit 3
[*HUAWEI-dot1x-template-4] reauthentication interval 1800
[*HUAWEI-dot1x-template-4] keepalive interval 15 retransmit 2
[*HUAWEI-dot1x-template-4] commit
[~HUAWEI-dot1x-template-4] quit

Step 2 Configure an authentication scheme.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth4
[*HUAWEI-aaa-authen-auth4] authentication-mode radius
[*HUAWEI-aaa-authen-auth4] commit
[~HUAWEI-aaa-authen-auth4] quit

Step 3 Configure an accounting scheme.
[*HUAWEI-aaa] accounting-scheme acct4
[*HUAWEI-aaa-accounting-acct4] accounting-mode radius
[*HUAWEI-aaa-accounting-acct4] commit
[~HUAWEI-aaa-accounting-acct4] quit
[~HUAWEI-aaa] quit

Step 4 Configure a RADIUS server group.
[~HUAWEI] radius-server group rd4
[*HUAWEI-radius-rd4] radius-server authentication 192.168.7.249 1645
[*HUAWEI-radius-rd4] radius-server accounting 192.168.7.249 1646
[*HUAWEI-radius-rd4] radius-server type plus11
[*HUAWEI-radius-rd4] radius-server shared-key itellin
[*HUAWEI-radius-rd4] commit
[~HUAWEI-radius-rd4] quit

Step 5 Configure an address pool.
[~HUAWEI] ip pool pool4 bas local
[*HUAWEI-ip-pool-pool4] gateway 10.82.1.1 255.255.255.0
[*HUAWEI-ip-pool-pool4] section 0 10.82.1.2 10.82.1.200
[*HUAWEI-ip-pool-pool4] dns-server 192.168.7.252
[*HUAWEI-ip-pool-pool4] commit
[~HUAWEI-ip-pool-pool4] quit

Step 6 Configure a domain named isp4.
[~HUAWEI] aaa
[*HUAWEI-aaa] domain isp4
[*HUAWEI-aaa-domain-isp4] authentication-scheme auth4
[*HUAWEI-aaa-domain-isp4] accounting-scheme acct4
[*HUAWEI-aaa-domain-isp4] radius-server group rd4
[*HUAWEI-aaa-domain-isp4] ip-pool pool4
[*HUAWEI-aaa-domain-isp4] dot1x-template 4
[*HUAWEI-aaa-domain-isp4] commit
[~HUAWEI-aaa-domain-isp4] quit
[~HUAWEI-aaa] quit

Step 7 Configure a BAS interface.
NOTE
Versions earlier than V600R007C00 do not require BAS activation by license. You can directly run the bas enable command in the slot view.
[~HUAWEI] interface gigabitEthernet 0/1/0.1
[*HUAWEI-GigabitEthernet0/1/0.1] user-vlan 100
[HUAWEI-GigabitEthernet0/1/0.1-vlan-100] quit
[~HUAWEI-GigabitEthernet0/1/0.1] bas
[*HUAWEI-GigabitEthernet0/1/0.1-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/0.1-bas] default-domain authentication isp4
[*HUAWEI-GigabitEthernet0/1/0.1-bas] authentication-method dot1x
[*HUAWEI-GigabitEthernet0/1/0.1-bas] commit
[~HUAWEI-GigabitEthernet0/1/0.1-bas] quit
[~HUAWEI-GigabitEthernet0/1/0.1] quit

----End

Configuration Files
#
sysname HUAWEI
#
radius-server group rd4
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server shared-key itellin
radius-server type plus11
radius-server traffic-unit kbyte
#
interface GigabitEthernet0/1/0.1
bas
user-vlan 100
access-type layer2-subscriber default-domain authentication isp4
authentication-method dot1x
#
ip pool pool4 bas local
gateway 10.82.1.1 255.255.255.0
section 0 10.82.1.2 10.82.1.200
dns-server 192.168.7.252
#
dot1x-template 4
authentication timeout 20
request retransmit 3 interval 20
reauthentication interval 1800
keepalive retransmit 2 interval 15
#
aaa
authentication-scheme auth4
accounting-scheme acct4
domain isp4
authentication-scheme auth4
accounting-scheme acct4
radius-server group rd4
dot1x-template 4
ip-pool pool4
#
return


12 L2TP Access Configuration

About This Chapter

An L2TP tunnel can be established to provide access services for enterprises, small-scale ISPs, and mobile office staff. This feature is not supported on the S2E. This feature is supported only on the Admin-VS.

12.1 Overview of L2TP Access


Layer 2 Tunneling Protocol (L2TP) combines the advantages of Layer 2 Forwarding (L2F)
and Point-to-Point Tunneling Protocol (PPTP), and is an IETF industry standard for Layer 2
tunneling protocols.
12.2 Licensing Requirements and Limitations for L2TP--M2F
12.3 Licensing Requirements and Limitations for L2TP--M2H
12.4 License Requirements and Limitations for L2TP--M2E
12.5 Licensing Requirements and Limitations for L2TP--M2K
12.6 Configuring an LAC
An L2TP tunnel is established between an LAC and an LNS. You need to start an L2TP
connection and set tunnel parameters and the authentication mode on the LAC.
12.7 Configuring an LNS
An L2TP tunnel is established between an LAC and an LNS. You need to enable an L2TP
connection and set tunnel parameters and the authentication mode on the LNS.
12.8 Configuring L2TP Tunnel Switching
Currently, the networking modes are diversified. If a user accesses the LNS across several
tunnels, configure L2TP tunnel switching on the intermediate devices.
12.9 (Optional) Configuring L2TP HQoS
To control the L2TP service traffic in a refined manner, you can configure L2TP HQoS.
12.10 (Optional) Adjusting L2TP Connection Parameters
By adjusting L2TP connection parameters, you can flexibly control the establishment of
L2TP tunnels and the interconnection between Huawei devices and non-Huawei devices.
12.11 Maintaining L2TP
L2TP maintenance can be performed by monitoring L2TP and clearing L2TP tunnels.

12.12 Configuration Examples for L2TP Access


This section provides several examples for configuring L2TP, including the networking
requirements, configuration notes, and configuration roadmap.

12.1 Overview of L2TP Access


Layer 2 Tunneling Protocol (L2TP) combines the advantages of Layer 2 Forwarding (L2F)
and Point-to-Point Tunneling Protocol (PPTP), and is an IETF industry standard for Layer 2
tunneling protocols.

L2TP establishes point-to-point tunnels on public networks (such as the Internet) to encapsulate and transmit Point-to-Point Protocol (PPP) data frames. In this way, remote users (such as enterprise branches and traveling staff) can communicate with the intranet through L2TP tunnels and access intranet resources. This provides a secure, economical, and effective way for remote users to access private enterprise networks. L2TP provides tunneling transmission for PPP packets, allows Layer 2 link endpoints and PPP session endpoints to reside on different devices, and adopts the packet switching technology for information exchange. In this manner, L2TP extends the PPP model. L2TP combines the advantages of the L2F and PPTP protocols and is an IETF industry standard for Layer 2 tunneling protocols.

Figure 12-1 L2TP networking
(Figure not reproduced; labels recovered: a remote user connects over PPPoE/ISDN to DeviceA, the LAC; an L2TP tunnel across the Internet leads to DeviceB, the LNS, in front of the private network; a remote branch is also shown.)

On the network shown in Figure 12-1, the typical L2TP networking consists of the following
parts:

- Remote system: A remote system is a remote user or a remote branch that connects to the intranet of an enterprise. It is usually a host of a dial-up user or a device on a private network.
- L2TP Access Concentrator (LAC): An LAC is the endpoint of an L2TP tunnel and is located between the LNS and the remote system to transmit packets between the LNS and the remote system. It encapsulates the packets received from the remote system into L2TP packets, sends the packets to the LNS, decapsulates the packets received from the LNS, and sends the packets to the remote system.
- L2TP Network Server (LNS): An LNS is a device that provides PPP and L2TP processing capabilities and is usually located at the edge of an enterprise intranet. As the other end of an L2TP tunnel, the LNS is the logical end point of the PPP sessions transmitted by the LAC through the tunnel. L2TP establishes an L2TP tunnel on the public network to extend PPP connections of the remote system from the original NAS to the LNS on the enterprise intranet.

A device that functions as both an LNS and LAC is called an L2TP Tunnel Switch (LTS).

Common L2TP Tunnel Modes
- NAS-initiated mode
  In NAS-initiated mode, the LAC (NAS) initiates L2TP tunnel establishment requests. After a dial-up user of the remote system accesses the LAC through PPPoE or ISDN, the LAC initiates an L2TP tunnel establishment request to the LNS. L2TP tunnels in NAS-initiated mode have the following features:
  – The remote system supports only the PPP protocol and does not need to support L2TP.
  – The authentication and accounting for remote dial-in users can be performed by the LAC or LNS.
- Client-initiated mode
  In client-initiated mode, a LAC client (a remote system that supports L2TP) directly initiates L2TP tunnel establishment requests. The LAC client has a public IP address and can communicate with the LNS through the Internet. If L2TP dial-up is triggered on the LAC client, the LAC client directly initiates an L2TP tunnel establishment request to the LNS instead of establishing a tunnel through the LAC. L2TP tunnels in client-initiated mode have the following features:
  – L2TP tunnels are established between the remote system and the LNS to ensure high security.
  – L2TP tunnels in client-initiated mode have high requirements on the remote system. The remote system must be a LAC client that supports L2TP and can communicate with the LNS. Therefore, this mode has poor scalability.

12.2 Licensing Requirements and Limitations for L2TP--M2F

Licensing Requirements

BOM: 81400885
License Control Item: NE40E-M2 Series L2TP Function License
Requirement Description: Controllable feature: This license controls the L2TP LNS & LTS function on a device. Each device requires one such license.
Minimum Version: V800R009


Restrictions and Guidelines

Restrictions:
- In L2TP user access scenarios, the isolation between online and offline users is not supported.
- HQoS is not supported on an LTS. After HQoS is configured on the outbound interface of an LNS, TM implements HQoS for the traffic before it passes through the NP.
- DAA/EDSG is not supported on an LAC or LTS. DAA/EDSG only supports CAR on an LNS. If SQ is implemented, traffic volume quotas of users will be taken up.
- Forwarding performance of an LTS and LNS: ingress board (A) + tunnel board (B) + egress board (C). If A=C, B=C, or A=B=C, and no SQ is configured and no replication service is deployed, the board's maximum forwarding bandwidth can be achieved. If the preceding conditions are not met, the forwarding performance reduces by 50%.
- User-side sampling is not supported on an LAC/LTS/LNS in L2TP access scenarios.
- Separate collection of IPv4 traffic statistics and IPv6 traffic statistics is not supported on an LAC/LTS in L2TP scenarios.
- Flexible access to a VPN is not supported for LAC/LTS/LNS users in L2TP access scenarios.
- The bound tunnel source interface on the LNS side cannot be a PWIF interface.
Guidelines: None
Impact: None

Restrictions: In L2TP LNS user traffic forwarding scenarios, the high-performance forwarding mode can be configured only when the board where the outbound interface resides has an eTM subcard installed. Otherwise, you need to run the forward-mode { through | loopback } l2tp command to configure the board from which LNS users go online to work in half-line-rate forwarding mode.
Guidelines: If the board where the outbound interface resides does not have an eTM subcard installed, run the forward-mode loopback l2tp command to configure the LNS user access board to work in half-line-rate forwarding mode.
Impact: If the half-line-rate forwarding mode is not configured, packet loss may occur during LNS user traffic forwarding.

12.3 Licensing Requirements and Limitations for L2TP--M2H

Licensing Requirements

BOM: 81400885
License Control Item: NE40E-M2 Series L2TP Function License
Requirement Description: Controllable feature: This license controls the L2TP LNS & LTS function on a device. Each device requires one such license.
Minimum Version: V800R009

Restrictions and Guidelines

Restrictions:
- In L2TP user access scenarios, the isolation between online and offline users is not supported.
- HQoS is not supported on an LTS. After HQoS is configured on the outbound interface of an LNS, TM implements HQoS for the traffic before it passes through the NP.
- DAA/EDSG is not supported on an LAC or LTS. DAA/EDSG only supports CAR on an LNS. If SQ is implemented, traffic volume quotas of users will be taken up.
- Forwarding performance of an LTS and LNS: ingress board (A) + tunnel board (B) + egress board (C). If A=C, B=C, or A=B=C, and no SQ is configured and no replication service is deployed, the board's maximum forwarding bandwidth can be achieved. If the preceding conditions are not met, the forwarding performance reduces by 50%.
- User-side sampling is not supported on an LAC/LTS/LNS in L2TP access scenarios.
- Separate collection of IPv4 traffic statistics and IPv6 traffic statistics is not supported on an LAC/LTS in L2TP scenarios.
- Flexible access to a VPN is not supported for LAC/LTS/LNS users in L2TP access scenarios.
- The bound tunnel source interface on the LNS side cannot be a PWIF interface.
Guidelines: None
Impact: None

Restrictions: In L2TP LNS user traffic forwarding scenarios, the high-performance forwarding mode can be configured only when the board where the outbound interface resides has an eTM subcard installed. Otherwise, you need to run the forward-mode { through | loopback } l2tp command to configure the board from which LNS users go online to work in half-line-rate forwarding mode.
Guidelines: If the board where the outbound interface resides does not have an eTM subcard installed, run the forward-mode loopback l2tp command to configure the LNS user access board to work in half-line-rate forwarding mode.
Impact: If the half-line-rate forwarding mode is not configured, packet loss may occur during LNS user traffic forwarding.

12.4 License Requirements and Limitations for L2TP--M2E


Licensing Requirements
This feature is a basic feature and is not under license control.

Restrictions and Guidelines


N/A


12.5 Licensing Requirements and Limitations for L2TP--M2K

Licensing Requirements

BOM: 88035BKA
License Control Item: M2 Series BNG Function License
Description: Controllable feature: This license controls the PPPoE, IPoE, L2TP, DAA, and EDSG function.
Minimum Version Requirement: V800R010C10


Restrictions and Guidelines


Restrictions Guidelines Impact

Restrictions:
l In L2TP user access scenarios, the isolation between online and offline users is not supported.
l HQoS is not supported on an LTS. After HQoS is configured on the outbound interface of an LNS, TM implements HQoS for the traffic before it passes through the NP.
l DAA/EDSG is not supported on an LAC or LTS. DAA/EDSG only supports CAR on an LNS. If SQ is implemented, traffic volume quotas of users will be taken up.
l Forwarding performance of an LTS and LNS: ingress board (A) + tunnel board (B) + egress board (C). If A=C, B=C, or A=B=C, and no SQ is configured and no replication service is deployed, the board's maximum forwarding bandwidth can be achieved. If the preceding conditions are not met, the forwarding performance reduces by 50%.
l User-side sampling is not supported on an LAC/LTS/LNS in L2TP access scenarios.
l Separate collection of IPv4 traffic statistics and IPv6 traffic statistics is not supported on an LAC/LTS in L2TP scenarios.
l Flexible access to a VPN is not supported for LAC/LTS/LNS users in L2TP access scenarios.
l The bound tunnel source interface on the LNS side cannot be a PWIF interface.
Guidelines: None
Impact: None

Restrictions: In L2TP LNS user traffic forwarding scenarios, the high-performance forwarding mode can be configured only when the board where the outbound interface resides has an eTM subcard installed. Otherwise, you need to run the forward-mode { through | loopback } l2tp command to configure the board from which LNS users go online to work in half-line-rate forwarding mode.
Guidelines: If the board where the outbound interface resides does not have an eTM subcard installed, run the forward-mode loopback l2tp command to configure the LNS user access board to work in half-line-rate forwarding mode.
Impact: If the half-line-rate forwarding mode is not configured, packet loss may occur during LNS user traffic forwarding.

12.6 Configuring an LAC


An L2TP tunnel is established between an LAC and an LNS. You need to start an L2TP
connection and set tunnel parameters and the authentication mode on the LAC.

Usage Scenario
When an L2TP user goes online, the LAC sets up a tunnel with the remote LNS and sends the
packets to the LNS through the tunnel. When the NE40E functions as an LAC, you must
configure an L2TP group, that is, enable LAC on the NE40E.
When the NE40E functions as an LAC, the process of initiating an L2TP connection after the
L2TP user goes online is shown in Figure 12-2.


Figure 12-2 Process of initiating an L2TP connection

[Figure: subscriber user1@isp1 -> domain isp1 (domain name: isp1, ip pool: pool1, L2TP group: lac1) -> L2TP group lac1 (group-name: lac1, LNS1 address: 1.1.1.1, LNS2 address: 2.2.2.2, aging time: 5min, ...) -> LNS tunnelling to 1.1.1.1; steps (1) to (4) are described below]

(1) The NE40E reads the domain name contained in the user name.
(2) The NE40E reads the L2TP group name specified for the domain.
(3) The NE40E reads the LNS address specified for the L2TP group.
(4) The NE40E initiates a connection with the LNS.

Pre-configuration Tasks
Before configuring an LAC, complete the following tasks:
l Configuring PPPoX access services, including configuring the virtual template, AAA
scheme, and BAS interface, and specifying a virtual template for an interface
l Configuring the domain to which L2TP users belong
l Configuring the RADIUS server group if the users in the specified domain use the L2TP
attributes delivered by the RADIUS server
l Enabling L2TP


Configuration Procedures

Figure 12-3 Flowchart for configuring the LAC

[Flowchart: Enabling L2TP -> Configuring an L2TP Connection on the LNS -> Configuring L2TP Tunnel Authentication -> Configuring L2TP User Attributes -> Configuring AAA Schemes -> Configuring LAC-side User Access. Legend: mandatory step, optional step]

12.6.1 Enabling L2TP


After L2TP is enabled and an L2TP group is configured on an LAC and an LNS, an L2TP
tunnel can be set up between the LAC and the LNS.

Context
L2TP functions can be used only after L2TP is enabled. When L2TP is disabled, even if L2TP
parameters are configured, the NE40E does not provide L2TP functions.
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp enable
L2TP is enabled.
Step 3 Run commit
The configuration is committed.

----End


12.6.2 Configuring an L2TP Connection on the LAC


Enabling an L2TP connection on an LAC is a prerequisite for setting up an L2TP tunnel on
the LAC.

Context
When an LAC and an LNS are interconnected, the LAC must have a route to the LNS. For
example, when the NE40E functions as an LNS, if the LNS is configured with a loopback
interface, a route to the loopback interface must be configured on the LAC.
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group view is displayed.
Step 3 Run tunnel name name
The name of the local end of a tunnel is specified.
The tunnel name is used for tunnel negotiation between the LAC and LNS. In different tunnel
authentication modes, the tunnel name must meet different requirements.
l In local authentication mode, only the tunnel password is needed. The tunnel name is
used by the LNS to select an L2TP group to respond to a connection request from the
LAC. There is no special requirement on the format of the tunnel name. The tunnel name
configured on the LAC must be the same as the receiver tunnel name configured on the
LNS. No tunnel name needs to be configured on the LNS. In strict local authentication
mode, the LAC checks the validity of the tunnel name and password of the remote LNS.
If the LNS tunnel name and password delivered by the RADIUS server or the locally
configured LNS tunnel name and password are different from those of the remote LNS,
the check fails and the tunnel cannot be established.
l In AAA authentication mode, an L2TP tunnel is treated as a user, and the tunnel name is
required to be in the format of username@domain. When establishing an L2TP tunnel,
the LAC or LNS must forward the received user name and password to the AAA server
for authentication. In addition, the user name and password must be configured on the
AAA server.
Step 4 Run start l2tp { ip ip-address [ weight lns-weight | preference preference | remote lns-name | identifier-name identifier-name ] * } &<1-8>
An L2TP connection is configured on the LAC.


NOTE

l When configuring an L2TP connection on the LAC, you must specify the IP addresses and weights
of the LNSs. Up to eight LNSs can be configured in each L2TP group.
l The L2TP group is configured as the LAC in this configuration.
l The IP address of the LNS is optional. If the IP address of the LNS is delivered by the RADIUS
server, you do not need to configure it.
l The LNS weights are applicable to only the load balancing mode. In load balancing mode, the
NE40E allocates sessions to the LNSs in the proportion of their weights. In other modes, the NE40E
sets up connections to the LNSs in the sequence in which the LNSs are configured until an LNS
responds. Then, the other LNSs function as backups.
l preference preference configured in the start l2tp command takes effect only after the tunnel
priority command is run to configure priority-based load balancing for the LNSs. The NE40E
establishes a tunnel with the LNS with the highest priority. If the LNS with the highest priority is
unavailable, the NE40E selects an LNS based on the LNS priorities in descending order. If multiple
LNSs have the same priority, the NE40E establishes tunnels with the LNSs, and load balancing is
implemented between these tunnels.
l If the LAC is configured to check the tunnel name of the LNS, the remote lns-name parameter must
be configured in the start l2tp command. This setting allows L2TP tunnel authentication to be
enabled.

Step 5 (Optional) Run tunnel-per-user
Each L2TP user is configured to use a separate L2TP tunnel.
Step 6 (Optional) Run lac mtu enable
The MTU of the VT is applied to the LAC.
Step 7 (Optional) Run lac mss enable
The MSS of the VT is applied to the LAC.
Step 8 (Optional) Run tunnel load-sharing
Load balancing of LNSs is enabled.
Step 9 (Optional) Run l2tp aging time
The duration during which the LNS is locked is configured.
When the NE40E attempts to set up a tunnel to an LNS but finds that the LNS runs
abnormally, the NE40E marks the LNS as unusable and does not set up a tunnel to the LNS
during a period of time. This period is the LNS locking duration. After the locking duration
expires, the NE40E attempts to set up a tunnel to the LNS again.
Step 10 (Optional) Run avp nas-port enable
The LAC is enabled to encapsulate the NAS-Port attribute into the AVP100 field of an ICRQ
message to be sent to the LNS.
Step 11 (Optional) Run tunnel source interface-type interface-number
The source interface of tunnels is configured.


NOTE

l When the LAC initiates a tunnel setup request, it sends the source IP address of the local end to the LNS
for the communication between the LAC and LNS. To improve reliability of the communication between
the LAC and LNS, you can configure the source interface of the tunnel. Then, the LAC uses the IP
address of the specified interface as the source address to set up a tunnel.
l The tunnel source IP address configured in an L2TP group, the source interface bound to an LNS
group, and the RBS tunnel source address used for dual-device hot backup cannot be the same.

Step 12 (Optional) Run allow-address-change { setup-only | always }
The NE40E is configured to use the changed source IP address of packets replied by the LNS
as the destination IP address of packets to be sent during tunnel establishment or hello
detection process.
Step 13 (Optional) Run tunnel window receive window-size
An L2TP receive window size is set for out-of-order packets.
Step 14 Run quit
Return to the system view.
Step 15 (Optional) Run tunnel priority
Priority-based load balancing is configured.
After the tunnel priority command is run, the following applies:
The NE40E establishes a tunnel with the LNS with the highest priority. If the LNS with the
highest priority is unavailable, the NE40E selects an LNS based on the LNS priorities in
descending order.
The NE40E establishes tunnels with LNSs with the same priority, and load balancing is
implemented between these tunnels.
Load balancing can be implemented for tunnels in an L2TP group based on the master/backup
status, weight, or priority. Any two of the three modes are mutually exclusive. If tunnels have
been configured in an L2TP group, the load balancing configurations cannot be changed.

Step 16 (Optional) Run qos link-adjustment vendor redback { lns | lac } * [ slot slot-id ]
Redback packet adjustment is configured so that user traffic statistics are collected in
Redback mode.
This command is supported only on the Admin VS.
Step 17 Run commit
The configuration is committed.

----End
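The LNS selection behaviour described in the preceding steps (configured-order backup, weight-based load sharing, priority-based selection, and the l2tp aging time lock), modelled as an added example written for this guide; it is not NE40E code, every class, function and field name is invented, and it assumes that a larger preference value means a higher LNS priority.

```python
"""Model of how an LAC chooses the LNS for a new session in an L2TP group, as
described by the start l2tp, tunnel load-sharing, tunnel priority and l2tp
aging time steps above. Added illustration for this guide; it is not NE40E
code and every class, function and field name here is invented.
Assumption: a larger preference value means a higher LNS priority."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Lns:
    ip: str
    weight: int = 1            # used in load-sharing mode (and among equal priorities)
    preference: int = 0        # used only in priority mode
    locked_until: float = 0.0  # set when the LNS was found abnormal (l2tp aging time)
    current: int = 0           # smooth weighted round-robin state (modelling choice)


@dataclass
class L2tpGroup:
    name: str
    lnss: List[Lns]            # in configuration order; start l2tp allows up to eight
    mode: str = "backup"       # "backup" | "load-sharing" | "priority": mutually exclusive
    aging_time: float = 300.0  # seconds the LNS stays locked; figure 12-2 shows 5 min

    def __post_init__(self) -> None:
        if not 1 <= len(self.lnss) <= 8:
            raise ValueError("an L2TP group holds between one and eight LNSs")
        if self.mode not in ("backup", "load-sharing", "priority"):
            raise ValueError("load balancing modes are mutually exclusive")

    def usable(self, now: float) -> List[Lns]:
        """LNSs whose locking duration has expired (or that were never locked)."""
        return [lns for lns in self.lnss if lns.locked_until <= now]

    def mark_unusable(self, lns: Lns, now: float) -> None:
        """The LNS ran abnormally: do not try it again until the aging time expires."""
        lns.locked_until = now + self.aging_time

    @staticmethod
    def _weighted_pick(pool: List[Lns]) -> Lns:
        """Smooth weighted round-robin: over time each LNS receives sessions in
        proportion to its weight (deterministic stand-in for the device scheduler)."""
        total = sum(lns.weight for lns in pool)
        for lns in pool:
            lns.current += lns.weight
        chosen = max(pool, key=lambda lns: lns.current)
        chosen.current -= total
        return chosen

    def select(self, now: float, responds: Callable[[Lns], bool]) -> Optional[Lns]:
        """Pick the LNS for a new session; `responds` models the tunnel setup attempt.
        An LNS that does not respond is locked and the next candidate is tried."""
        remaining = self.usable(now)
        while remaining:
            if self.mode == "backup":
                pick = remaining[0]             # configured order; later LNSs are backups
            else:
                pool = remaining
                if self.mode == "priority":     # highest priority first, ties share load
                    best = max(lns.preference for lns in remaining)
                    pool = [lns for lns in remaining if lns.preference == best]
                pick = self._weighted_pick(pool)
            if responds(pick):
                return pick
            self.mark_unusable(pick, now)
            remaining = [lns for lns in remaining if lns is not pick]
        return None


def distribute(group: L2tpGroup, sessions: int, now: float = 0.0,
               responds: Callable[[Lns], bool] = lambda lns: True) -> dict:
    """Count how many of `sessions` new sessions land on each LNS IP."""
    counts: dict = {}
    for _ in range(sessions):
        lns = group.select(now, responds)
        key = lns.ip if lns else None
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed group: weights 3:1 as set with the start l2tp weight parameter.
    group = L2tpGroup("lac1", [Lns("1.1.1.1", weight=3), Lns("2.2.2.2", weight=1)],
                      mode="load-sharing")
    print(distribute(group, 8))  # {'1.1.1.1': 6, '2.2.2.2': 2}
```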

12.6.3 Configuring Tunnel Authentication


An L2TP tunnel can be successfully established only after L2TP tunnel authentication
succeeds.

Context
An L2TP tunnel supports either local or remote authentication (RADIUS authentication).


Perform the following steps on the NE40E:

NOTE

l The new password must be at least eight characters long and contain at least two of the following:
upper-case letters, lower-case letters, digits, and special characters.
l When configuring an authentication password, select the ciphertext mode, because if you select
simple text mode the password is saved in plain text in configuration files, which is a high risk. To
ensure device security, change the password periodically.

Procedure
l Local authentication

If local authentication is used, the LAC or LNS must use only the tunnel password, but
not the tunnel name. The tunnel name is used by the LNS to select an L2TP group to
respond to the LAC connection request. The format of the tunnel name is not restricted;
however, the tunnel name configured on the LAC must be the same as remote tunnel
name configured on the LNS.
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel name tunnel-name [ lns-ip lns-ip-address ]
The local tunnel name is specified.
d. Run tunnel authentication [ strict ]
Tunnel authentication is enabled.
You can decide whether to enable tunnel authentication before creating a tunnel
connection. To ensure tunnel security, it is recommended that tunnel authentication
be enabled.

The tunnel authentication request can be initiated by the LAC or the LNS. As long
as one end is enabled with tunnel authentication, the identity authentication is
performed in the tunnel setup process. The tunnel can be set up only if the
passwords of both ends are the same and not null; otherwise, the local end
automatically tears down the tunnel. If tunnel authentication is disabled on both
ends, tunnel authentication is not performed, irrespective of whether passwords on
both ends are the same.

The tunnel authentication strict command configuration takes effect only for the
L2TP group on the LAC. After strict tunnel authentication is configured, the LAC
performs validity check on the remote LNS's tunnel name and password. If the LNS
tunnel name and password delivered by the RADIUS server or locally configured
are different from those of the remote LNS, tunnel establishment fails. After strict
tunnel authentication is configured, you can configure the RADIUS server to
deliver the Tunnel-Server-Auth-ID attribute or configure an LNS tunnel name in the
L2TP group view of the LAC based on site requirements.
e. Run tunnel password { simple | cipher } password [ lns-ip lns-ip-address ]

The password for tunnel authentication is set.
f. Run commit
The configuration is committed.
l Remote authentication (RADIUS authentication)
If remote authentication is used, the LAC or LNS takes the L2TP tunnel as a user;
therefore, the format of the tunnel name must be username@domain. When the tunnel is
set up, the LAC or LNS sends the received user name and password of each other to the
AAA server (RADIUS server) for authentication. The AAA server must be configured
with the identical user name and password.
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel authentication
Tunnel authentication is enabled.
You can decide whether to enable tunnel authentication before creating a tunnel
connection. To ensure tunnel security, it is recommended that tunnel authentication
be enabled.
The tunnel authentication request can be initiated by the LAC or the LNS. As long
as one end is enabled with tunnel authentication, the identity authentication is
performed in the tunnel setup process. The tunnel can be set up only if the
passwords of both ends are the same and not null; otherwise, the local end
automatically tears down the tunnel. If tunnel authentication is disabled on both
ends, tunnel authentication is not performed, irrespective of whether passwords on
both ends are the same.
d. Run tunnel aaa-authentication
The AAA tunnel authentication is enabled.
AAA tunnel authentication indicates that the L2TP tunnel is not authenticated
locally, but authenticated on the AAA server (RADIUS server).
e. Run commit
The configuration is committed.
l Forcible RADIUS tunnel authentication
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel radius-force
The forcible tunnel authentication is enabled.
Forcible RADIUS tunnel authentication indicates that the RADIUS server
determines whether tunnel authentication is performed. If the attributes delivered by
the RADIUS server contain the tunnel password, the tunnel password is used for
tunnel authentication; otherwise, tunnel authentication is not performed.


d. Run commit
The configuration is committed.
----End
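The tunnel authentication rules of this section (authentication whenever either end enables it, identical non-null passwords, strict LNS name checking on the LAC) together with the password policy from the NOTE, as an added example written for this guide; it is not NE40E code, the class and function names are invented, and the configuration lines it audits are constructed.

```python
"""Model of the tunnel authentication rules in this section: authentication
runs when either end has it enabled, the passwords must be identical and
non-null, strict mode on the LAC also checks the remote LNS tunnel name, and
a password must follow the policy in the NOTE above (at least eight characters
and at least two character classes). Added illustration for this guide; not
NE40E code, and the class and function names are invented."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def password_meets_policy(password: str) -> bool:
    """At least eight characters and at least two of: upper, lower, digit, special."""
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return len(password) >= 8 and sum(classes) >= 2


@dataclass
class TunnelEnd:
    role: str                                 # "LAC" or "LNS"
    tunnel_name: str                          # tunnel name <name>
    authentication: bool = False              # tunnel authentication
    strict: bool = False                      # tunnel authentication strict (LAC only)
    password: Optional[str] = None            # tunnel password ...
    expected_peer_name: Optional[str] = None  # LAC: remote lns-name, local or from RADIUS

    def __post_init__(self) -> None:
        if self.strict:
            self.authentication = True        # strict is a form of tunnel authentication


def tunnel_setup_allowed(lac: TunnelEnd, lns: TunnelEnd) -> Tuple[bool, str]:
    """Decide whether the LAC and LNS may bring the tunnel up, with the reason."""
    if lac.strict and lac.expected_peer_name != lns.tunnel_name:
        return False, "strict check failed: remote LNS tunnel name does not match"
    if not (lac.authentication or lns.authentication):
        # Disabled on both ends: no check, whatever the passwords are.
        return True, "tunnel authentication not performed"
    if not lac.password or not lns.password:
        return False, "tunnel password is null on one end"
    if lac.password != lns.password:
        return False, "tunnel passwords differ: local end tears the tunnel down"
    return True, "tunnel authenticated"


def audit_tunnel_passwords(config_lines: List[str]) -> List[str]:
    """Flag 'tunnel password simple' lines (stored in plain text) and weak plaintext
    passwords; cipher passwords cannot be policy-checked from the configuration."""
    findings = []
    for number, line in enumerate(config_lines, start=1):
        parts = line.split()
        if parts[:2] != ["tunnel", "password"] or len(parts) < 4:
            continue
        mode, secret = parts[2], parts[3]
        if mode == "simple":
            findings.append(f"line {number}: password stored in simple text; use cipher")
            if not password_meets_policy(secret):
                findings.append(f"line {number}: password does not meet the policy")
    return findings


if __name__ == "__main__":
    # Constructed configuration excerpt; the cipher value is a placeholder.
    excerpt = ["l2tp-group lac1", " tunnel name lac1",
               " tunnel password simple abc",
               " tunnel password cipher %^%#PLACEHOLDER%^%#"]
    for finding in audit_tunnel_passwords(excerpt):
        print(finding)
```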

12.6.4 Configuring L2TP User Attributes


An L2TP tunnel is configured in the L2TP group view. You need to associate an L2TP group
and a domain, that is, to configure L2TP user attributes. Note that the L2TP attributes
delivered by the RADIUS server take precedence over the locally configured L2TP
attributes.

Context
After configuring an L2TP group, you can apply the L2TP group to a domain. Then, the
domain and the L2TP tunnel can be associated. By associating a domain with an L2TP tunnel,
the NE40E delivers the services of an ISP in a batch to the access server (LNS) of the ISP
using the associated L2TP tunnel. In this manner, multi-ISP service wholesale is
implemented.
Do as follows on the NE40E:

NOTE

l The new password must be at least eight characters long and contain at least two of the following:
upper-case letters, lower-case letters, digits, and special characters.
l When configuring an authentication password, select the ciphertext mode, because if you select
simple text mode the password is saved in plain text in configuration files, which is a high risk. To
ensure device security, change the password periodically.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
Step 4 Run l2tp-group group-name
An L2TP group is specified for the domain.
Step 5 (Optional) Run l2tp-user radius-force
Users in the specified domain use the L2TP attributes delivered by the RADIUS server.
The L2TP attributes for domain users can be specified by the L2TP group that belongs to the
domain or delivered by the RADIUS server. When domain users use the L2TP attributes
delivered by the RADIUS server, you do not need to specify an L2TP group for the domain;
even if one is specified, it does not take effect.
The RADIUS server can deliver attributes such as tunnel-type (64), tunnel_client_endpoint (66),
tunnel_server_endpoint (67), tunnel-client-auth-id (90), tunnel_password (69), and
tunnel-assignment-id (82). If the RADIUS server does not deliver the L2TP group name, the
NE40E considers the user as an ordinary PPP user.

The L2TP attributes delivered by the RADIUS server have a higher priority than the local
L2TP attributes. For example, if the LNS address configured in group lac1 is 10.10.10.1 and
the RADIUS server delivers the LNS address 10.20.20.1 and L2TP group lac1, the LNS
address 10.20.20.1 takes effect. If the RADIUS server delivers only the L2TP group lac1, the
LNS address 10.10.10.1 takes effect.

NOTE

The L2TP group name and the tunnel type must be delivered together so that the L2TP attributes
delivered by the RADIUS server can take effect and the functions of the L2TP user can be implemented.

The L2TP attributes delivered by the RADIUS server have a higher priority than the local
L2TP attributes. If the L2TP attributes are not delivered by the RADIUS server, do not run
this command. Otherwise, L2TP dial-up fails.

Step 6 (Optional) Run l2tp-authorize [ password { simple simple-password | cipher cipher-password } ]

The LAC is configured to authenticate an L2TP user using the domain name of the user. This
means that the LAC sends the domain name of the user and the set password to the RADIUS
server for authentication.

If the l2tp-authorize command is configured for a domain, there are the following cases:
l When a new PPP user is to be authenticated by the RADIUS server, and the domain of
the PPP user is configured with the l2tp-authorize command, the authentication is set to
be the virtual user authentication in the user information table. Otherwise, the original
processing flow is followed.
l In the virtual user authentication, the LAC sends the user name (the domain name of
the user) and the password (huawei by default) to the RADIUS server.
l If the RADIUS server denies the authentication or the sending of the user name and
password fails, the LAC sends the original PPP user name to the RADIUS server for the
secondary authentication.
l If the RADIUS server accepts the authentication request, but tunnel-type and
TunnelServerEndpoint delivered by the RADIUS server are incorrect, the LAC sends the
original PPP user name to the RADIUS server for the secondary authentication.
l If the RADIUS server accepts the authentication request, and tunnel-type and
TunnelServerEndpoint delivered by the RADIUS server are correct, accounting is
performed for the PPP user, and the user name used in the accounting is the original PPP
user name.

If the l2tp-authorize command is not configured for a domain, the LAC sends the user name
and password entered by the user to the RADIUS server for authentication.

Step 7 Run commit

The configuration is committed.

----End
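The two rules explained in this section, RADIUS-delivered L2TP attributes taking precedence over the local L2TP group (with the group name and tunnel type required together) and the l2tp-authorize virtual-user flow with its fallback to the original PPP user name, modelled as an added example written for this guide; it is not NE40E code, the RADIUS server is a constructed stand-in, and it assumes that the L2TP group name is carried in Tunnel-Assignment-Id (82) and that Tunnel-Type value 3 denotes L2TP (RFC 2868).

```python
"""Model of two rules for L2TP user attributes described above: attributes
delivered by the RADIUS server take precedence over the local L2TP group (and
the group name and tunnel type must be delivered together), and the
l2tp-authorize flow that authenticates the user's domain name as a virtual
user before falling back to the real PPP user name. Added illustration for
this guide; not NE40E code, and the class and function names are invented.
Assumptions not stated on the page: the L2TP group name is carried in
Tunnel-Assignment-Id (82), and Tunnel-Type value 3 denotes L2TP (RFC 2868)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RADIUS attribute numbers named in the text
TUNNEL_TYPE, TUNNEL_SERVER_ENDPOINT, TUNNEL_PASSWORD = 64, 67, 69
TUNNEL_ASSIGNMENT_ID, TUNNEL_CLIENT_AUTH_ID = 82, 90
TUNNEL_TYPE_L2TP = 3  # assumption, see module docstring

# Locally configured L2TP groups, using the text's example: lac1 -> 10.10.10.1
LOCAL_GROUPS: Dict[str, dict] = {"lac1": {"group": "lac1", "lns_address": "10.10.10.1"}}


def resolve_l2tp_attributes(radius_attrs: dict,
                            local_groups: Dict[str, dict] = LOCAL_GROUPS) -> Optional[dict]:
    """Merge RADIUS-delivered and local L2TP attributes.
    Returns None when the user must be treated as an ordinary PPP user."""
    group = radius_attrs.get(TUNNEL_ASSIGNMENT_ID)
    if group is None:                          # no L2TP group name delivered
        return None
    if radius_attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_L2TP:
        return None                            # group name without tunnel type: no effect
    merged = dict(local_groups.get(group, {"group": group}))
    # Every attribute the RADIUS server does deliver overrides the local group.
    overrides = {TUNNEL_SERVER_ENDPOINT: "lns_address",
                 TUNNEL_PASSWORD: "tunnel_password",
                 TUNNEL_CLIENT_AUTH_ID: "tunnel_name"}
    for attr, key in overrides.items():
        if attr in radius_attrs:
            merged[key] = radius_attrs[attr]
    return merged if merged.get("lns_address") else None   # no LNS to tunnel to


class RadiusServer:
    """Constructed stand-in for the AAA server: user name -> (password, attributes)."""

    def __init__(self, users: Dict[str, Tuple[str, dict]]) -> None:
        self.users = users

    def authenticate(self, username: str, password: str) -> Tuple[bool, dict]:
        entry = self.users.get(username)
        if entry is None or entry[0] != password:
            return False, {}
        return True, entry[1]


@dataclass
class AuthResult:
    accepted: bool
    accounting_user: str              # always the original PPP user name
    tunnel: Optional[dict] = None     # None: served as an ordinary PPP user


def lac_authenticate(domain: dict, username: str, password: str,
                     radius: RadiusServer) -> AuthResult:
    """Authenticate a PPP user on the LAC, honouring l2tp-authorize if the domain has it."""
    if domain.get("l2tp_authorize"):
        # Virtual user authentication: the domain name is the user name and the
        # l2tp-authorize password (huawei by default) is the password.
        accepted, attrs = radius.authenticate(domain["name"],
                                              domain.get("authorize_password", "huawei"))
        tunnel = resolve_l2tp_attributes(attrs) if accepted else None
        if tunnel is not None:
            return AuthResult(True, username, tunnel)
        # Reject, or accepted with unusable tunnel-type/server endpoint: secondary
        # authentication with the original PPP user name (a send failure would take
        # the same path).
    accepted, attrs = radius.authenticate(username, password)
    return AuthResult(accepted, username,
                      resolve_l2tp_attributes(attrs) if accepted else None)


if __name__ == "__main__":
    # Constructed RADIUS data: isp1 is a virtual user whose reply carries LNS 10.20.20.1.
    server = RadiusServer({"isp1": ("huawei", {64: 3, 67: "10.20.20.1", 82: "lac1"}),
                           "user1@isp1": ("pw1", {})})
    print(lac_authenticate({"name": "isp1", "l2tp_authorize": True},
                           "user1@isp1", "pw1", server))
```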


12.6.5 Configuring AAA Schemes


By configuring AAA schemes, you can determine the authentication, authorization, and
accounting modes for a user.

Context
This configuration is used to authenticate the identity information (user name and password)
of a remote dial-in user using AAA. The LAC can initiate a tunnel establishment request only
after the user identity is authenticated. Otherwise, the LAC does not establish a tunnel for the
user.
Two AAA authentication modes are supported: local authentication and remote
authentication.

Procedure
Step 1 If the local authentication mode is used, you need to configure a local user name and
password on the LAC. The LAC authenticates a dial-in user by checking whether the user
name and password of the user are the same as the locally configured user name and
password.
Step 2 If the remote authentication mode is used, you need to configure a user name and password on
the RADIUS server. The LAC sends the user name and password of a dial-in user to the
RADIUS server, and the RADIUS server authenticates the user.
Step 3 For details about AAA operations, see Configuring AAA Schemes. For details about
RADIUS server operations, see Configuring a RADIUS.

----End

12.6.6 Configuring LAC-side User Access


This section describes how to configure LAC-side user access to implement control and
accounting for each access host.

Context
In L2TP access scenarios, users access the network through the LAC. Therefore, you need to
configure an access mode and access interface on the LAC.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface virtual-template virtual-template-number
A VT is created and its view is displayed, or the view of an existing VT is displayed.

Step 3 Run ppp authentication-mode { auto | { pap | chap | mschapv1 | mschapv2 } * }
A PPP authentication mode is configured.
Step 4 Run quit


Return to the system view.

Step 5 Run interface interface-type interface-number [ . subinterface-number ]

The interface or sub-interface view is displayed.

This interface is the physical interface through which users go online. The main interface
view is displayed for PPPoE access users and the sub-interface view is displayed for
PPPoEoVLAN access users.

Step 6 Run pppoe-server bind virtual-template vt-number

The VT is bound to the interface.

Step 7 Run user-vlan { start-vlan [ end-vlan ] [ qinq start-qinq-id [ end-qinq-id ] ] | any-other }

User-side VLANs are created.

Step 8 Run bas

A BAS interface is created, and the BAS interface view is displayed.

Step 9 Run access-type layer2-subscriber [ default-domain { authentication [ force | replace ] dname | pre-authentication predname } * | bas-interface-name bname | accounting-copy radius-server rd-name ] *

The access type and relevant attributes are configured for Layer 2 access users.

When setting the access type on a BAS interface, you can set the service attributes of the
access users at the same time or later.

The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk
interface. You can configure the access type only on the Eth-Trunk interface.

Step 10 Run commit

The configuration is committed.

----End

12.6.7 Verifying the LAC Configuration


This section describes how to check the configurations of the L2TP group, session
information, and the tunnel on the LAC after the LAC is configured and users go online.

Procedure
l Run the display l2tp-group [ group-name ] command to check the L2TP group
configuration.
l Run the display l2tp session lac [ session-item session-id | source-ip source-ip-address |
destination-ip destination-ip-address ] command to check information about the current
LAC session.
l Run the display l2tp tunnel lac [ tunnel-item tunnel-id | tunnel-name remote-name ]
command to check information about the tunnel on the LAC.
l Run the display l2tp tunnel [ lac slot slot-id ] [ tunnel-item tunnel-id | tunnel-name
remote-name ] command to view information about L2TP tunnels.


l Run the display l2tp session { lac slot slot-id } [ session-item session-id | source-ip
source-ip-address | destination-ip destination-ip-address ] command to view information
about L2TP sessions.
----End

Example
Run the display l2tp-group command, and you can view the following:
l GroupType is displayed as REQUEST_DIALIN_L2TP.
l LnsIPAddress and LnsWeight are respectively displayed as the IP addresses and
weights of the LNSs.
l Source Ip is displayed as the IP address assigned to the source interface of the tunnel.
<HUAWEI> display l2tp-group lac
-----------------------------------------------
L2tp-index : 3
Group-Name : lac
Description :
GroupType : REQUEST_DIALIN_L2TP
TunnelAuth : Not tunnel authentication
Tunnel aaa Auth : Not tunnel aaa-authentication
Tunnel Avp46 : Not tunnel Avp46
Local tunnel name : lac
Tunnel RecvWindow : 0
Encrypt : 0
avp-hidden : 0
Algorithm : Load-sharing
Radius-auth : 0
Hello interval : 60
Retransmit : 5
Timeout : 2
Idle cut : 60
Session limit : 65535
Used : 2
IfIndex : 0xffffffff
Source Ip : 255.255.255.255
VTNum : 65535
DefaultDomain :
DomainType : default
TunnelAlarm : on
MTUFlag : Enable
MSSFlag : Enable
Tunnel per user : 0
Config Dscp : 255
ForceChap : 0
LcpReg : 0
LcpMisReg : 0
LnsNum : 2
LnsIPAddress : 2
1): 55.55.55.55 w: 1
2): 55.55.55.55 w: 1
LnsName : 2
1): NULL
2): NULL
LnsWeight :
1): 5
2): 5
3): 5
4): 5
5): 5
6): 5
7): 5
8): 5
UsedLnsNum : 2
1): 55.55.55.55 TID: 5 expire: 0 lnsIndex: 1
2): 55.55.55.55 TID: 6 expire: 0 lnsIndex: 2
UnLnsNum : 0
QOS-mode : tunnel
QOS-Profile In :
QOS-Profile Out :
RemoteUsed : 0
CallingNORemoteIdEnable: Disable
LacNasPortEnable : 0
CallingNOAvpFormat : radius-force

-----------------------------------------------

<HUAWEI> display l2tp tunnel lac
---------------------------------------------------------
-----------tunnel information in LAC----------------------
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
--------------------------------------------------------------------------
2 21 7.7.7.7 1701 20 209lns
--------------------------------------------------------------------------
Total 1,1 printed
<HUAWEI> display l2tp session lac
LocalSID RemoteSID LocalTID RemoteTID PPPID UserID UserName
----------------------------------------------------------------------------
16 9 13 9 3433006165 192283 tpsa@test_l2tp
----------------------------------------------------------------------------
Total 1, printed 1

12.7 Configuring an LNS


An L2TP tunnel is established between an LAC and an LNS. You need to enable an L2TP
connection and set tunnel parameters and the authentication mode on the LNS.

Usage Scenario
When the NE40E functions as an LNS, you must configure the L2TP group, that is, enable
LNS on the NE40E. The LNS responds to the tunnel setup request from the LAC,
authenticates users, and then assigns IP addresses to them.

The NE40E provides a tunnel board to process the tunnel service. In this manner, the NE40E
can function as multiple LNSs with each LNS being configured with an IP address.

The NE40E manages the LNS service by using LNS groups. An LNS group functions as an
LNS. You can configure an IP address for an LNS group and specify the tunnel board for it.

NOTE

l When the NE40E functions as an LNS, it is recommended that the IP address of the loopback
interface be used as the IP address of the LNS.
l The LNS cannot use the DHCP server to allocate IP addresses to users because the LNS does not
know users' MAC addresses. Therefore, the LNS allocates only IP addresses from the local address
pool to users.
l When the LNS interconnects with an LAC, the LNS must have a route to the LAC. For example,
when the NE40E functions as an LAC, if the LAC is configured with a source interface on the
tunnel, the route to the source interface must be configured on the LNS.

Pre-configuration Task
Before configuring the LNS, complete the following tasks:


l Enabling L2TP
l Creating a virtual template for L2TP connection setup
l Configuring the local address pool in which the IP addresses are allocated to L2TP users
l Configuring the domain of L2TP users and specifying the address pool for the domain

Configuration Procedures

Figure 12-4 Flowchart for configuring the LNS (flowchart image not reproduced; its steps, in
order, are: Enabling L2TP; Configuring an L2TP Connection on the LNS; Configuring L2TP
Tunnel Authentication; Configuring User Authentication on the LNS; Create an LNS group;
Configuring AAA Schemes; Configuring an Address Assignment Mode. Legend: mandatory
step, optional step.)

12.7.1 Enabling the L2TP Function


After L2TP is enabled and an L2TP group is configured on an LAC and an LNS, an L2TP
tunnel can be set up between the LAC and the LNS.

Context
L2TP functions can be used only after L2TP is enabled. When L2TP is disabled, even if L2TP
parameters are configured, the NE40E does not provide L2TP functions.

Perform the following steps on the NE40E:


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp enable
L2TP is enabled.
Step 3 Run commit
The configuration is committed.

----End

12.7.2 Configuring an L2TP Connection on the LNS


To set up a tunnel, you need to set the virtual template and user authentication domain in the
L2TP group view on the LNS.

Context
The LNS can receive tunnel setup requests from different LACs by using different virtual
templates. After receiving a tunnel setup request, the LNS checks the LAC name. The LNS
allows the remote end to set up the tunnel if the LAC name is consistent with the name of the
valid remote end.
The L2TP group is configured as the LNS (ACCEPT_DIALIN_L2TP) in this configuration.

NOTE

l When the NE40E functions as an LNS to interconnect with another Huawei device that functions as
an LAC, it is recommended that you set the MTU in the virtual template to be less than 1462
(assume that the interface MTU is 1500).
l When the NE40E functions as an LNS to interconnect with an LAC that does not support L2TP
packet fragmentation, it is recommended that you set the MTU in the virtual template to a value
smaller than 1454 (assume that the interface MTU on the LAC is 1500). If an L2TP packet is longer
than 1500, the packet is fragmented into invalid packets on the LAC.
l If the MTU is configured manually, ensure that the MTUs negotiated by the L2TP user, LAC, and
LNS are the same.

Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group view is displayed.
Step 3 Run allow l2tp virtual-template virtual-template-number remote remote-name
An L2TP connection is configured on the LNS.
Except for the default L2TP group default-lns, all L2TP groups must be configured with
remote-name when the connection on the LNS is configured.


NOTE

In an L2TP group, the start command and the allow command conflict with each other. This means that
if you run either of the commands, the other command becomes invalid.

Step 4 (Optional) Run default-domain authentication { domain-name | force domain-name |
replace domain-name }
The authentication domain is configured for L2TP users.
The default-domain authentication command configures the default authentication domain
for L2TP users. When a user goes online from the LAC by using a user name without a
domain name, the LNS logs the user in by using the default domain. The user domain adopts
the configuration of the default domain. If the default authentication domain is not specified,
when the user goes online from the LAC by using a user name without a domain name, the
LNS allows the user to go online from domain default1.
The default-domain authentication force command configures the forcible authentication
domain for L2TP users. When a user goes online from the LAC, the LNS logs the user in by
using the forcible authentication domain, but does not change the domain name. The user
domain adopts the configuration of the forcible authentication domain.
The default-domain authentication replace command configures the authentication domain
substitute for L2TP users. When a user goes online from the LAC, the LNS switches the user
to the domain substitute and changes the user domain name to the name of the authentication
domain substitute. The user domain adopts the configuration of the authentication domain
substitute.
Step 5 (Optional) Run roam-domain domain-name
A roaming domain is configured for the LNS.
Step 6 (Optional) Run tunnel window receive window-size
An L2TP receive window size is set for out-of-order packets.
Step 7 (Optional) Run lns calling-station-id format agent-remote-id
The LNS is configured to parse the Agent-Remote-Id attribute carried in an ICRQ packet sent
from the LAC and encapsulate the attribute into the Calling-Station-Id attribute to be sent to
the RADIUS server.
Step 8 Run quit
Return to the system view.

Step 9 (Optional) Run qos link-adjustment vendor redback { lns | lac } * [ slot slot-id ]
Redback packet adjustment is configured so that user traffic statistics are collected in the
redback mode.
This command is supported only on the Admin VS.
Step 10 (Optional) Run avp nas-port enable
The LNS is enabled to parse the NAS-Port attribute carried in the AVP100 field of an ICRQ
message received from the LAC.
Step 11 (Optional) Run radius-attribute include nas-port lns
The LNS is enabled to encapsulate the NAS-Port attribute received from the LAC into a
packet to be sent to the RADIUS server.


Step 12 (Optional) Run lns avp calling-number translate agent-remote-id
The LNS is enabled to copy the value of the calling-number attribute carried in an ICRQ
message from the LAC to the Agent-Remote-Id field.
Step 13 Run commit
The configuration is committed.

----End
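The three domain-selection behaviours of Step 4 above, as an added Python model that is not from the Huawei guide. The user-name form user@domain and the fallback domain default1 come from the guide; the mode names, function names and sample user names are assumptions for illustration.

```python
"""Added example (not from the Huawei guide): which domain the LNS authenticates an
L2TP user in, depending on the form of the default-domain authentication command."""
from dataclasses import dataclass
from typing import Optional, Tuple

FALLBACK_DOMAIN = "default1"  # used when no default domain is configured (per the guide)


@dataclass
class LnsDomainConfig:
    # mode is None (command not run), "default", "force" or "replace" (assumed names
    # standing for the three forms of the command); domain is its domain-name argument
    mode: Optional[str] = None
    domain: Optional[str] = None


@dataclass
class Decision:
    user_name: str        # the user name the LNS keeps for the session
    auth_domain: str      # the domain whose configuration is applied to the user
    name_rewritten: bool  # True only when the LNS changed the user's domain name


def split_user(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (user, domain-or-None) for a name of the form user[@domain]."""
    if "@" in user_name:
        user, _, domain = user_name.rpartition("@")
        return user, (domain or None)
    return user_name, None


def resolve_domain(user_name: str, cfg: LnsDomainConfig) -> Decision:
    user, carried = split_user(user_name)
    if cfg.mode == "force" and cfg.domain:
        # Forcible domain: apply cfg.domain's configuration, keep the name as received.
        return Decision(user_name, cfg.domain, False)
    if cfg.mode == "replace" and cfg.domain:
        # Substitute domain: switch the user to cfg.domain AND rewrite the domain name.
        return Decision(f"{user}@{cfg.domain}", cfg.domain, True)
    if carried is not None:
        # A name that already carries a domain is authenticated in that domain.
        return Decision(user_name, carried, False)
    # No domain in the name: the configured default domain, otherwise default1.
    chosen = cfg.domain if cfg.mode == "default" and cfg.domain else FALLBACK_DOMAIN
    return Decision(user_name, chosen, False)


if __name__ == "__main__":
    # Constructed sample inputs, not from the guide.
    for cfg in (LnsDomainConfig(), LnsDomainConfig("default", "isp1"),
                LnsDomainConfig("force", "isp1"), LnsDomainConfig("replace", "isp1")):
        for name in ("alice", "alice@corp"):
            print(cfg.mode, name, "->", resolve_domain(name, cfg))
```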

12.7.3 Configuring L2TP Tunnel Authentication


An L2TP tunnel can be successfully established only after L2TP tunnel authentication
succeeds.

Context
An L2TP tunnel supports either local or remote authentication (RADIUS authentication).
Perform the following steps on the NE40E:

NOTE

l The new password must be at least eight characters long and contain at least two of the following:
upper-case letters, lower-case letters, digits, and special characters.
l When configuring an authentication password, select the ciphertext mode, because in simple text
mode the password is saved in configuration files in plain text, which is a high security risk. To
ensure device security, change the password periodically.

Procedure
l Local authentication
If local authentication is used, the LAC or LNS checks only the tunnel password, not
the tunnel name. The tunnel name is used by the LNS to select an L2TP group to
respond to the LAC connection request. The format of the tunnel name is not restricted;
however, the tunnel name configured on the LAC must be the same as the remote tunnel
name configured on the LNS.
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel name tunnel-name [ lns-ip lns-ip-address ]
The local tunnel name is specified.
d. Run tunnel authentication [ strict ]
Tunnel authentication is enabled.
You can decide whether to enable tunnel authentication before creating a tunnel
connection. To ensure tunnel security, it is recommended that tunnel authentication
be enabled.
The tunnel authentication request can be initiated by the LAC or the LNS. As long
as one end is enabled with tunnel authentication, the identity authentication is
performed in the tunnel setup process. The tunnel can be set up only if the
passwords of both ends are the same and not null; otherwise, the local end
automatically tears down the tunnel. If tunnel authentication is disabled on both
ends, tunnel authentication is not performed, irrespective of whether passwords on
both ends are the same.

The tunnel authentication strict command configuration takes effect only for the
L2TP group on the LAC. After strict tunnel authentication is configured, the LAC
performs validity check on the remote LNS's tunnel name and password. If the LNS
tunnel name and password delivered by the RADIUS server or locally configured
are different from those of the remote LNS, tunnel establishment fails. After strict
tunnel authentication is configured, you can configure the RADIUS server to
deliver the Tunnel-Server-Auth-ID attribute or configure an LNS tunnel name in the
L2TP group view of the LAC based on site requirements.
e. Run tunnel password { simple | cipher } password [ lns-ip lns-ip-address ]
The password for tunnel authentication is set.
f. Run commit
The configuration is committed.
l Remote authentication (RADIUS authentication)
If remote authentication is used, the LAC or LNS takes the L2TP tunnel as a user;
therefore, the format of the tunnel name must be username@domain. When the tunnel is
set up, the LAC or LNS sends the received user name and password of each other to the
AAA server (RADIUS server) for authentication. The AAA server must be configured
with the identical user name and password.
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel authentication
Tunnel authentication is enabled.
You can decide whether to enable tunnel authentication before creating a tunnel
connection. To ensure tunnel security, it is recommended that tunnel authentication
be enabled.
The tunnel authentication request can be initiated by the LAC or the LNS. As long
as one end is enabled with tunnel authentication, the identity authentication is
performed in the tunnel setup process. The tunnel can be set up only if the
passwords of both ends are the same and not null; otherwise, the local end
automatically tears down the tunnel. If tunnel authentication is disabled on both
ends, tunnel authentication is not performed, irrespective of whether passwords on
both ends are the same.
d. Run tunnel aaa-authentication
The AAA tunnel authentication is enabled.
AAA tunnel authentication indicates that the L2TP tunnel is not authenticated
locally, but authenticated on the AAA server (RADIUS server).
e. Run commit
The configuration is committed.
l Forcible RADIUS tunnel authentication
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel radius-force
The forcible tunnel authentication is enabled.
Forcible RADIUS tunnel authentication indicates that the RADIUS server
determines whether tunnel authentication is performed. If the attributes delivered by
the RADIUS server contain the tunnel password, the tunnel password is used for
tunnel authentication; otherwise, tunnel authentication is not performed.
d. Run commit
The configuration is committed.
----End
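An added model (not the guide's or Huawei's code) of what the local tunnel authentication above provides: both ends prove knowledge of the shared tunnel password without ever sending it, following the CHAP-style challenge/response of RFC 2661 section 5.1.1, which the guide does not spell out and is assumed here. It also encodes the outcome rules the guide states (mismatched or null passwords tear the tunnel down, no check when both ends have authentication disabled) and the password rule from the NOTE above; endpoint names and passwords are constructed sample values.

```python
"""Added example (not from the Huawei guide): L2TP tunnel authentication modelled as the
RFC 2661 5.1.1 challenge/response exchange (SCCRQ -> SCCRP -> SCCCN)."""
import hashlib
import os
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SCCRP, SCCCN = 2, 3  # RFC 2661 control message type IDs, used as the CHAP-style ID octet


def password_meets_policy(password: str) -> bool:
    """The guide's rule: at least eight characters and at least two of the four classes
    upper-case, lower-case, digit, special character."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= 8 and sum(classes) >= 2


def challenge_response(msg_type: int, secret: str, challenge: bytes) -> bytes:
    """RFC 2661 5.1.1: MD5(message-type octet || shared secret || peer's challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret.encode() + challenge).digest()


@dataclass
class Endpoint:
    name: str
    tunnel_password: Optional[str]  # set with: tunnel password { simple | cipher } password
    auth_enabled: bool              # set with: tunnel authentication
    challenge: bytes = field(default_factory=lambda: os.urandom(16))


@dataclass
class TunnelResult:
    up: bool
    reason: str
    wire: List[Tuple[str, bytes]] = field(default_factory=list)  # control messages as sent


def establish_tunnel(lac: Endpoint, lns: Endpoint) -> TunnelResult:
    res = TunnelResult(False, "")
    # Guide: with authentication disabled on both ends no check is made, whatever the
    # passwords are. With it enabled on at least one end, the exchange below runs.
    if not lac.auth_enabled and not lns.auth_enabled:
        res.wire += [("SCCRQ", b""), ("SCCRP", b""), ("SCCCN", b"")]
        res.up, res.reason = True, "tunnel authentication disabled on both ends"
        return res
    # Guide: the tunnel comes up only if both passwords are the same and not null.
    if not lac.tunnel_password or not lns.tunnel_password:
        res.reason = "null tunnel password: local end tears the tunnel down"
        return res
    # SCCRQ (LAC -> LNS) carries the LAC's random challenge.
    res.wire.append(("SCCRQ", lac.challenge))
    # SCCRP (LNS -> LAC) carries the LNS's response to it plus the LNS's own challenge.
    sccrp_resp = challenge_response(SCCRP, lns.tunnel_password, lac.challenge)
    res.wire.append(("SCCRP", sccrp_resp + lns.challenge))
    if sccrp_resp != challenge_response(SCCRP, lac.tunnel_password, lac.challenge):
        res.reason = "LAC rejected SCCRP: tunnel password mismatch"
        return res
    # SCCCN (LAC -> LNS) carries the LAC's response to the LNS's challenge.
    scccn_resp = challenge_response(SCCCN, lac.tunnel_password, lns.challenge)
    res.wire.append(("SCCCN", scccn_resp))
    if scccn_resp != challenge_response(SCCCN, lns.tunnel_password, lns.challenge):
        res.reason = "LNS rejected SCCCN: tunnel password mismatch"
        return res
    res.up, res.reason = True, "tunnel authenticated on both ends"
    return res


def secret_on_wire(result: TunnelResult, secret: str) -> bool:
    """True if the raw tunnel password appears in any control message (it never should;
    only the stored copy in the configuration file is at risk, hence cipher mode)."""
    return any(secret.encode() in payload for _, payload in result.wire)


if __name__ == "__main__":
    # Constructed sample values, not from the guide.
    ok = establish_tunnel(Endpoint("lac1", "Tun-9Secret", True),
                          Endpoint("lns1", "Tun-9Secret", True))
    bad = establish_tunnel(Endpoint("lac1", "Tun-9Secret", True),
                           Endpoint("lns1", "Other-9Secret", True))
    print(ok.reason, "| password on wire:", secret_on_wire(ok, "Tun-9Secret"))
    print(bad.reason)
```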

12.7.4 (Optional) Configuring User Authentication on the LNS


Generally, access L2TP users are authenticated on the LAC, and do not need to be
authenticated on the LNS again. If the LNS does not trust the LAC, the users need to be
authenticated again on the LNS after the connections between the users and the LNS are
established.

Context
Authentication on the LNS involves mandatory CHAP authentication and PPP LCP re-
authentication.
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group view is displayed.
Step 3 Run mandatory-lcp [ on-mismatch [ strict ] ]
The mandatory LCP re-negotiation is performed.
Step 4 Run mandatory-chap
The mandatory CHAP authentication is performed.
Step 5 Run commit

The configuration is committed.

----End

12.7.5 Setting Tunnel Parameters on the LNS


Before establishing an L2TP tunnel, set parameters such as the source interface, tunnel board,
number of tunnels that can be established, and the function of re-marking the priorities of
packets after performing CAR.

Context
Each LNS group requires a source IP address (interface IP address) to communicate with the
LAC. The NE40E determines the LNS group that processes the request from a certain LAC
based on this IP address.
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run lns-group group-name
An LNS group is created and the LNS group view is displayed.
Step 3 (Optional) Run description description-information
A description is configured for an LNS group.
Step 4 Run bind slot slot-id
A tunnel board is bound to the LNS group.
Multiple tunnel boards can be configured on the NE40E, and you can specify the tunnel boards for
an LNS group. When multiple tunnel boards are bound to an LNS group, round-robin load
balancing is performed among them on a per-tunnel basis.
Step 5 Run bind source interface-type interface-number
An interface is bound to the LNS group.
The IP address of the source interface bound to an LNS group, the tunnel source address in an
L2TP group, and the RBS tunnel source address for dual-device hot backup must all be
different.
Step 6 (Optional) Run tunnel load-balance by-tunnel
Tunnel load balancing based on the number of tunnels on tunnel boards bound to an LNS
group is enabled.
Step 7 (Optional) Run tunnel load-balance by-session
Tunnel load balancing based on the number of sessions on tunnel boards bound to an LNS
group is enabled.
Step 8 Run quit


The system view is displayed.

Step 9 (Optional) Run l2tp tunnel-limit tunnel-number

A limit on the number of L2TP tunnels is configured.

When the NE40E functions as an LNS, the system performance is degraded if too many L2TP
tunnels are established. To prevent this, you can limit the number of L2TP tunnels.

Step 10 (Optional) Run l2tp slot slot-number block enable

The block function is enabled.

If the number of L2TP tunnels established on a tunnel board reaches the upper limit, you can
enable the block function for the tunnel board. Then, L2TP tunnels cannot be established on
the tunnel board.

Step 11 (Optional) Run l2tp lns fast-reply enable slot slot-id

The tunnel board of an LNS is enabled to send packets to the network-side outbound interface
board connected to an LAC based on hardware.

Step 12 (Optional) Run l2tp-group group-name

An L2TP group is created, and the L2TP group view is displayed.

Step 13 (Optional) Run lns schedule after car

The LNS is enabled to re-mark the priorities of service packets entering a tunnel after
performing CAR.

The configuration takes effect only for tunnels established after the command is run.

NOTE

When an LNS is configured to re-mark the priorities of packets entering a tunnel after performing CAR,
the LNS does not support last-mile QoS.

Step 14 (Optional) Run tunnel retrans-queue number

The maximum number of concurrent L2TP sessions allowed for an L2TP tunnel is
configured. Excess session requests are denied.

Step 15 Run commit

The configuration is committed.

----End

12.7.6 Configuring AAA Schemes


By configuring AAA schemes, you can determine the authentication, authorization, and
accounting modes for a user.

Context
This configuration is used to authenticate the identity information (user name and password)
of a remote dial-in user using AAA. The LAC can initiate a tunnel establishment request only
after the user identity is authenticated. Otherwise, the LAC does not establish a tunnel for the
user.


Two AAA authentication modes are supported: local authentication and remote
authentication.

Procedure
Step 1 If the local authentication mode is used, you need to configure a local user name and
password on the LAC. The LAC authenticates a dial-in user by checking whether the user
name and password of the user are the same as the locally configured user name and
password.
Step 2 If the remote authentication mode is used, you need to configure a user name and password on
the RADIUS server. The LAC sends the user name and password of a dial-in user to the
RADIUS server, and the RADIUS server authenticates the user.
Step 3 For details about AAA operations, see Configuring AAA Schemes. For details about
RADIUS server operations, see Configuring a RADIUS.

----End

12.7.7 Configuring an Address Assignment Mode


This section describes how to configure an address assignment mode in L2TP access
scenarios so that users can access the network using dynamically assigned or statically
configured IP addresses.

Context
In L2TP access scenarios, the LAC is responsible for user access, and the LNS assigns IP
addresses to users.
Perform the following steps on the NE40E.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run bgp over lns enable
BGP is enabled to iterate UNR routes so that the routes between devices attached to a CPE
and the BRAS are reachable.
Clients are attached to a CPE, which is connected to an LNS through an LAC. The CPE uses
L2TP dial-up to obtain an IP address from the LNS functioning as a BRAS. After the LNS
learns the BGP route from the CPE, traffic between the clients (or other devices attached to
the CPE) and the BRAS cannot be forwarded through that BGP route. Enabling BGP to
dynamically learn and iterate UNR routes allows the CPE and the devices attached to it to
communicate with the LNS.
Step 4 For details about address management, see IPv4 Address management and IPv6 Address
Management.

----End


12.7.8 Verifying the LNS Configuration


This section describes how to check the configurations of the L2TP group, session
information, and the tunnel on the LNS after the LNS is configured and users go online.

Procedure
l Run the display l2tp-group [ group-name ] command to view configurations of the
L2TP group.
l Run the display lns-group { all | name lns-name } command to view configurations of
the LNS group.
l Run the display l2tp session lns slot slot-id [ session-item session-id | source-ip source-
ip-address | destination-ip destination-ip-address ] command to view information about
the current LNS session.
l Run the display l2tp tunnel-limit command to view the maximum number of L2TP
tunnels.
l Run the display l2tp blocked-slot command to view blocked tunnel boards.
l Run the display l2tp tunnel [ lns slot slot-id ] [ tunnel-item tunnel-id | tunnel-name
remote-name ] command to check information about the tunnel on the LNS.
l Run the display l2tp pim-sm tunnel [ slot slot-id | tunnel-item tunnel-id ] command to
check information about users for whom PIM-SM multicast is enabled based on a
specified tunnel or tunnel board.
----End

Example
After configurations are complete, run the display l2tp-group command. If the following is
displayed, the configurations have succeeded.
l In configurations of the L2TP group, GroupType is displayed as
ACCEPT_DIALIN_L2TP.
l If LCP re-negotiation is configured, LcpReg is 1 in configurations of the L2TP group.
l If CHAP re-authentication is configured, ForceChap is 1 in configurations of the L2TP
group.
<HUAWEI> display l2tp-group lns1
-----------------------------------------------
L2tp-index : 7
Group-Name : lns1
Description :
GroupType : ACCEPT_DIALIN_L2TP
TunnelAuth : Not tunnel authentication
Tunnel aaa Auth : Not tunnel aaa-authentication
Tunnel Avp46 : Not tunnel Avp46
Local tunnel name : R06
Tunnel RecvWindow : 0
Encrypt : 0
avp-hidden : 0
Algorithm : Load-sharing
Radius-auth : 0
Hello interval : 60
Retransmit : 5
Timeout : 2
Idle cut : 60
Session limit : 65535
Used : 0
IfIndex : 0xffffffff
Source Ip : 255.255.255.255
VTNum : 15
RemoteName : dd1
DefaultDomain : dd1
DomainType : default
TunnelAlarm : on
MTUFlag : Enable
MSSFlag : Enable
Tunnel per user : 0
Config Dscp : 255
ForceChap : 0
LcpReg : 0
LcpMisReg : 0
LnsNum : 0
LnsIPAddress : 0
LnsName : 0
LnsWeight :
1): 5
2): 5
3): 5
4): 5
5): 5
6): 5
7): 5
8): 5
UsedLnsNum : 0
UnLnsNum : 0
QOS-mode : tunnel
QOS-Profile In :
QOS-Profile Out :
RemoteUsed : 0
-----------------------------------------------

Run the display lns-group command to view the loopback interface and tunnel boards to
which the LNS group is bound.
<HUAWEI> display lns-group name lns1
Description :
Slot : 1
Interface : LoopBack0

Run the display l2tp session command to view information about the current LNS session.
<HUAWEI> display l2tp session lns slot 1
LocalSID RemoteSID LocalTID RemoteTID UserID UserName
------------------------------------------------------------------------------
278 24768 13921 7958 62172 user5@hz
355 24769 4561 13818 62173 user9@hz
Total 2, 2 printed from slot 1

Run the display l2tp blocked-slot command to view the blocked tunnel boards on which no
new L2TP tunnel can be set up.
<HUAWEI> display l2tp blocked-slot
slot 1
slot 2

Run the display l2tp tunnel-limit command to view the maximum number of L2TP tunnels.
<HUAWEI> display l2tp tunnel-limit
Info: This syntax is applicable only to LNS.
tunnel-limit = 49152
used-tunnel = 6886

Run the display l2tp tunnel [ lns slot slot-id ] [ tunnel-item tunnel-id | tunnel-name remote-
name ] command. The command output shows LNS tunnel information.
<HUAWEI> display l2tp tunnel
---------------------------------------------------------
-----------tunnel information in LAC----------------------
Such tunnel name does not exist !

---------------------------------------------------------
-----------tunnel information in LNS----------------------
The tunnel information of board 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
L2TPTunnelStartTime
------------------------------------------------------------------------------
3 2 40.40.40.1 1701 1 hhw
2011-12-15 17:00:48(Continuance:0 days 00 hours 04 mins)
------------------------------------------------------------------------------
Total 1, 1 printed from slot 1

Run the display l2tp statistics lns command. The command output shows global statistics on
the LNS.
<HUAWEI> display l2tp statistics lns

------------------LNS Statistics-----------------------
LNSCurrentUpTunnelNum : 10
LNSCurrentUpSessionNum : 10
LNSTotalEstablishedTunnelNum(H,L) : (1,100)
LNSTotalEstablishedSessionNum(H,L): (1,100)
LNSTotalTearDownTunnelNum(H,L) : (1,90)
LNSTotalTearDownSessionNum(H,L) : (1,90)

Run the display l2tp pim-sm tunnel command to check information about users for whom
PIM-SM multicast is enabled based on a specified tunnel or tunnel board.
<HUAWEI> display l2tp pim-sm tunnel
The slot 1:
-----------------------------------------------------------------------------
LocalTID RemoteAddress TotalSessions PimsmSessions RemoteName
----------------------------------------------------------------------------
50 10.1.1.1 3 3 lac@sqc
74 20.1.1.1 10 10 lac@sqc1
----------------------------------------------------------------------------
Total 2, 2 printed from slot 1

The slot 2:
----------------------------------------------------------------------------
LocalTID RemoteAddress TotalSessions PimsmSessions RemoteName
----------------------------------------------------------------------------
65 30.1.1.1 3 3 lac@sqc2
----------------------------------------------------------------------------
Total 1, 1 printed from slot 2

12.8 Configuring L2TP Tunnel Switching


Networking modes are diverse. If a user accesses the LNS across several tunnels, configure
L2TP tunnel switching on the intermediate devices.

Context
For details about the implementation principle of L2TP tunnel switching, see Configuring the
L2TP Tunnel Switching. When the NE40E functions as an LTS, you must configure L2TP
groups to function as the LAC and LNS, respectively. That is, enable the LTS feature on the
NE40E. On one hand, the LTS functions as an LNS to respond to tunnel connection requests
initiated by the LAC on the user side. On the other hand, the LTS functions as an LAC to
initiate tunnel connection requests to the LNS (or another LTS node) on the server side.
Therefore, you must create two L2TP groups when configuring the LTS. One functions as the
LNS to receive tunnel connection requests from the LAC, and the other functions as the LAC
to send tunnel connection requests to the LNS. When the LTS functions as the LNS, the L2TP
group responds to the LAC as the peer end of the tunnel. When the LTS functions as the LAC,
the L2TP group must be bound to the LTS domain to trigger tunnel establishment. In a
common L2TP scenario, if an address pool instead of an L2TP group is bound to the LTS
domain, the LTS terminates the tunnel and assigns IP addresses to users. However, tunnel
establishment is triggered to implement tunnel switching only when an L2TP group that
functions as the LAC is bound to the LTS domain.
The configuration of the LTS functioning as the LNS is the same as that of the LNS. For
details, see Configuring an LNS.
The configuration of the LTS functioning as the LAC is the same as that of the LAC. For
details, see Configuring an LAC.

NOTE

You must specify the LAC-side L2TP group for the LTS domain. The address pool, however, does not
need to be specified.

12.9 (Optional) Configuring L2TP HQoS


To control the L2TP service traffic in a refined manner, you can configure L2TP HQoS.

Usage Scenario
In the L2TP service wholesale scenario, the LAC handles only the wholesale access, whereas
the actual service control point is the LNS. An L2TP tunnel is set up between the LAC and the
LNS. Therefore, the traffic entering the L2TP tunnel and the service traffic inside the tunnel
need to be controlled in a refined manner on the LNS, to minimize the effect on service quality
of unnecessary competition between the LAC and the LNS for service traffic. In addition,
carriers can control the traffic of different services entering the backbone network to limit
burst traffic of users in the tunnel.
L2TP HQoS performs QoS scheduling for users on the LNS side, with the aim of comprehensive
and detailed planning of the traffic that enters the L2TP tunnel and of the service traffic within
the tunnel.

Pre-configuration Task
Before configuring L2TP HQoS, complete the following tasks:
l Installing the tunnel board on the NE40E
l Configuring L2TP for L2TP users to go online


Configuration Procedures

Figure 12-5 Flowchart for configuring L2TP HQoS (flowchart image not reproduced; its steps,
in order, are: Configuring a QoS Profile; Applying the QoS Profile to the Domain; Configuring
the L2TP HQoS Scheduling Mode. Legend: mandatory procedure, optional procedure.)

12.9.1 Configuring a QoS Profile


A QoS profile contains user queue parameters and scheduling parameters. Different QoS
applications can use the same QoS profile.

Context
Perform the following steps on the NE40E that functions as the LNS:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run qos-profile qos-profile-name
A QoS profile is created and the QoS profile view is displayed.
Step 3 Run user-queue cir cir-value [ [ pir pir-value ] | [ flow-queue flow-queue-name ] | [ flow-mapping mapping-name ] | [ user-group-queue group-name ] | [ service-template service-template-name ] ] * [ inbound | outbound ]
Queue scheduling parameters are set for user queues.
Step 4 Run commit
The configuration is committed.

----End

12.9.2 Applying the QoS Profile to the Domain


Before applying a QoS profile to a domain, ensure that the QoS profile has been created.

Context
Perform the following steps on the NE40E that functions as the LNS:


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The domain view is displayed.
The displayed view is of the domain where the L2TP users reside.
Step 4 Run qos-profile qos-profile { inbound | outbound } lns-gts
The QoS profile is applied to the domain and the scheduling mode is set to LNS scheduling.
Step 5 Run commit
The configuration is committed.

----End

12.9.3 Configuring the L2TP HQoS Scheduling Mode


In the L2TP service wholesale, the actual service control point is the LNS. Therefore, the
L2TP HQoS scheduling mode should be configured on the LNS.

Context
Perform the following steps on the NE40E that functions as the LNS:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group is created and the L2TP group view is displayed.
The L2TP group must be the L2TP group of the LNS.
Step 3 Run qos scheduling-mode { session | tunnel }
The L2TP HQoS scheduling mode is set.
L2TP HQoS has the following scheduling modes:
l Scheduling by tunnel: In this mode, user services are not differentiated. As a result,
tunnel traffic, not user traffic, is scheduled into user queues.
l Scheduling by session: In this mode, user traffic is scheduled into user queues with
priorities ranging from 1 to 8 and tunnel traffic is scheduled into group queues. SP or
WFQ scheduling can be performed between any of the user queues.
Step 4 (Optional) Run user-group-queue user-group-queue-name [ inbound | outbound ]

The user-group-queue is specified.

NOTE

If the scheduling is set to be performed by session, this command must be run; otherwise, you do not
need to run this command.

Step 5 Run commit


The configuration is committed.

----End

12.9.4 Verifying the L2TP HQoS Configuration


After configuring L2TP HQoS, you can view the QoS profile and scheduling mode of L2TP.

Context
All L2TP HQoS configurations are complete.

Procedure
l Run the display l2tp-group group-name command to check configurations of the L2TP
group.
----End

Example
Run the display l2tp-group group-name command, and you can view the name of the QoS
profile and scheduling mode configured for the L2TP group.
-----------------------------------------------
L2tp-index : 7
Group-Name : lns1
Description :
GroupType : ACCEPT_DIALIN_L2TP
TunnelAuth : Not tunnel authentication
Tunnel aaa Auth : Not tunnel aaa-authentication
Tunnel Avp46 : Not tunnel Avp46
Local tunnel name : R06
Tunnel RecvWindow : 0
Encrypt : 0
avp-hidden : 0
Algorithm : Load-sharing
Radius-auth : 0
Hello interval : 60
Retransmit : 5
Timeout : 2
Idle cut : 60
Session limit : 65535
Used : 0
IfIndex : 0xffffffff
Source Ip : 255.255.255.255
VTNum : 15
RemoteName : dd1
DefaultDomain : dd1
DomainType : default
TunnelAlarm : on
MTUFlag : Enable
MSSFlag : Enable
Tunnel per user : 0
Config Dscp : 255
ForceChap : 0
LcpReg : 0
LcpMisReg : 0
LnsNum : 0
LnsIPAddress : 0
LnsName : 0
LnsWeight :
1): 5
2): 5
3): 5
4): 5
5): 5
6): 5
7): 5
8): 5
UsedLnsNum : 0
UnLnsNum : 0
QOS-mode : tunnel
QOS-Profile In :
QOS-Profile Out :
RemoteUsed : 0
-----------------------------------------------

12.10 (Optional) Adjusting L2TP Connection Parameters


By adjusting L2TP connection parameters, you can flexibly control the establishment of
L2TP tunnels and the interconnection between Huawei devices and non-Huawei devices.

Usage Scenario
This section describes the optional configurations relevant to the L2TP connection. These
configurations can be used when the NE40E functions as an LAC, an LNS, or an LTS. In
most cases, default configurations are used.
Optional configurations of an L2TP connection include tunnel authentication, AVP hidden in
transmission, hello interval, control packet retransmission, and idle-cut timer of a tunnel.

Pre-configuration Tasks
Before tuning an L2TP connection, complete the following task:
Enabling L2TP

Configuration Procedures

Figure 12-6 Flowchart for adjusting L2TP connections
(Flowchart not reproduced. Its boxes are the following procedures: Configuring AVP
Attributes for L2TP Packets, Configuring the Hello Interval, Configuring Control Packet
Retransmission, Configuring the Idle-Cut Timer of a Tunnel, and Configuring the Default
Invalid VLAN ID in the calling-station-id Attribute. The legend distinguishes mandatory
from optional procedures.)

12.10.1 Configuring AVP Attributes for L2TP Packets


To tune an L2TP connection, you need to set the attribute value pair (AVP) attributes for
packets exchanged between the devices on both ends of an L2TP connection.

Context
Perform the following steps on the NE40E:

Procedure
l Add attribute AVP 22 to L2TP packets.
In the scenario where the NE40E functions as an LAC, you can determine whether to
add attribute AVP 22 to the ICRQ packets sent by the LAC, when an L2TP user goes
online.
a. Run system-view
The system view is displayed.
b. Run l2tp calling-number-avp enable
Attribute AVP 22 is added to L2TP packets.
c. Run l2tp-group group-name
The L2TP group view is displayed.
d. Run calling-number-avp format { version1 | include [ delimiter delimiter ]
{ option82 [ delimiter delimiter ] | mac [ delimiter delimiter ] | interface
[ delimiter delimiter ] | domain [ delimiter delimiter ] | sysname [ delimiter
delimiter ] | vlan [ delimiter delimiter ] | pevlan [ delimiter delimiter ] | cevlan
[ delimiter delimiter ] | agent-circuit-id [ delimiter delimiter ] | agent-remote-id
[ delimiter delimiter ] }* }
Or run:
calling-number-avp format version1 include option82
After the calling-number-avp format version1 command is run, attribute AVP 22
is encapsulated in the following format into an ICRQ packet to be sent by the LAC:

Encapsulation format: System name#Slot/Sub-slot/Port# Pvlan:Cvlan(Vpi:Vci)

Pvlan is an outer VLAN and Cvlan is an inner VLAN. If the interface to which
users are connected is an ATM interface, Pvlan:Cvlan is replaced with Vpi:Vci. If
the system name contains more than 30 characters, the first 30 characters are used.

After the calling-number-avp format version1 include option82 command is run,
the Option 82 information that begins with the number sign (#) is added to the end
of the original encapsulation format.
e. (Optional) Configure the LNS to encapsulate LLID information into the Calling-
Station-Id attribute of a RADIUS packet to be sent to the RADIUS server.
i. Run the radius-server calling-station-id include llid user-type { ppp | lns } *
command to construct the Calling-Station-Id attribute of RADIUS
authentication and accounting packets of PPP or L2TP users based on the
LLID information.
ii. Run the calling-number-avp format llid command to encapsulate LLID
information into the AVP22 attribute in an ICRQ packet to be sent to the LNS.
f. (Optional) Configure the LAC to encapsulate the Calling-Station-Id delivered by
the RADIUS server into the AVP22 attribute of an ICRQ message to be sent to the
LNS.
g. (Optional) Configure an offset for the CE-VLAN ID (inner VLAN ID) in ICRQ
packets.

If packets sent from different DSLAMs have the same CE-VLAN ID, and the CE-
VLAN ID must be identified in the ICRQ packets to be sent by the LAC, configure
an offset for the CE-VLAN ID.

NOTE

The calling-number-avp cevlan-offset command takes effect only after the CE-VLAN ID
to be encapsulated in ICRQ packets has been specified in the calling-number-avp format
include cevlan [ delimiter delimiter ] command.

i. Run the interface interface-type interface-number command to enter the
interface view.
ii. Run the bas command to enter the BAS interface view.
iii. Run the calling-number-avp cevlan-offset offset command to configure an
offset for the CE-VLAN ID in ICRQ packets.
h. (Optional) Run avp calling-number interface-format exclude sub-slot
The format for encapsulating BAS interface information into AVP 22 attributes
carried in L2TP packets is set to slot/port.
i. Run commit
The configuration is committed.


l Hide the AVP in transmission.
The L2TP protocol uses the AVP to send and negotiate L2TP attributes. To ensure
security, you can hide the AVP in transmission.
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel avp-hidden
The AVP is hidden in transmission.
The AVP hidden function takes effect only when tunnel authentication is enabled on
both the LAC and LNS.

NOTE

After the AVP is hidden, if AAA authentication is used for the tunnel, the two ends must use
the same password.
d. Run commit
The configuration is committed.
l Configure AVP46 for the tunnel.
After AVP46 is enabled, information about the tunnel deletion cause is added to the
STOPCCN packet that is sent from the NE40E to the peer when the tunnel is deleted.
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run tunnel avp46
AVP 46 is enabled for the tunnel.
d. Run commit
The configuration is committed.
l Configure attribute AVP 47 for the tunnel.
After attribute AVP 47 is configured, the NE40E marks the DSCP value of the L2TP
control packets used to establish the L2TP tunnel; packets with different DSCP
values have different priorities.
a. Run system-view
The system view is displayed.
b. Run l2tp-group group-name
The L2TP group view is displayed.
c. Run set-dscp-outer dscp
The NE40E marks the DSCP value of the L2TP control packets used to establish
the L2TP tunnel. The NE40E then negotiates with the peer device (LNS) for
attribute AVP 47.


d. Run commit
The configuration is committed.
----End
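The version1 encapsulation described under step d, as an added worked example in Python (not Huawei code): it builds and parses the AVP 22 string from the rules the guide gives and models the optional knobs of steps g and h. The class, the function names, the invalid_vlan_id parameter and the sample access points are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SYSNAME_MAX = 30  # guide: if the system name exceeds 30 characters, the first 30 are used


@dataclass
class AccessPoint:
    """The LAC-side access point a PPP user came in on (constructed sample input)."""
    sysname: str
    slot: int
    sub_slot: int
    port: int
    pvlan: Optional[int] = None  # outer VLAN of an Ethernet access interface
    cvlan: Optional[int] = None  # inner (CE-)VLAN
    vpi: Optional[int] = None    # ATM access: Vpi:Vci replaces Pvlan:Cvlan
    vci: Optional[int] = None


def version1_calling_number(ap: AccessPoint,
                            option82: Optional[str] = None,
                            exclude_sub_slot: bool = False,
                            cevlan_offset: int = 0,
                            invalid_vlan_id: int = 0) -> str:
    """Build AVP 22 as 'System name#Slot/Sub-slot/Port#Pvlan:Cvlan' (or Vpi:Vci).

    option82         models 'calling-number-avp format version1 include option82':
                     the Option 82 text is appended after a number sign
    exclude_sub_slot models 'avp calling-number interface-format exclude sub-slot':
                     the interface part becomes Slot/Port
    cevlan_offset    models 'calling-number-avp cevlan-offset': added to the inner VLAN
    invalid_vlan_id  assumed marker for an absent VLAN (0 or 4096, see the invalid
                     VLAN ID discussion in this chapter)
    """
    name = ap.sysname[:SYSNAME_MAX]
    if exclude_sub_slot:
        iface = f"{ap.slot}/{ap.port}"
    else:
        iface = f"{ap.slot}/{ap.sub_slot}/{ap.port}"
    if ap.vpi is not None and ap.vci is not None:
        circuit = f"{ap.vpi}:{ap.vci}"  # ATM interface: Vpi:Vci
    else:
        pvlan = invalid_vlan_id if ap.pvlan is None else ap.pvlan
        cvlan = invalid_vlan_id if ap.cvlan is None else ap.cvlan + cevlan_offset
        circuit = f"{pvlan}:{cvlan}"
    avp = f"{name}#{iface}#{circuit}"
    if option82 is not None:
        avp += f"#{option82}"  # Option 82 information begins with the number sign
    return avp


def parse_version1_calling_number(avp: str) -> dict:
    """Split an AVP 22 value back into its parts, as an LNS operator reading what the
    LAC sent would; the Option 82 part is optional and may itself contain '#'.
    Assumes the system name contains no '#'."""
    parts = avp.split("#", 3)
    if len(parts) not in (3, 4):
        raise ValueError("not a version1 calling number: " + avp)
    outer, inner = parts[2].split(":")
    return {"sysname": parts[0], "interface": parts[1],
            "outer": int(outer), "inner": int(inner),
            "option82": parts[3] if len(parts) == 4 else None}
```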

12.10.2 Configuring the Hello Interval


An LAC and an LNS detect the connectivity of the tunnel established between them by
exchanging Hello packets.

Context
To check the connectivity of the tunnel, the LAC and the LNS send hello packets periodically
and the receiver of the hello packet returns a response.
If the LAC or LNS fails to receive hello response packets in the specified time period, the
packets are re-sent. If the response is not received after the packets are re-sent for a specified
number of times (see Configuring Control Packet Retransmission), the L2TP tunnel is
regarded disconnected, and all sessions on the tunnel are deleted.
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group view is displayed.
Step 3 Run tunnel timer hello hello-interval
The Hello interval is configured.
Step 4 (Optional) Run tunnel hello peer-check
The NE40E is configured to send Hello packets after a Hello interval from when it receives
Hello packets from the peer end.
Step 5 Run commit
The configuration is committed.

----End

12.10.3 Configuring Control Packet Retransmission


After control packet retransmission is configured, if one end of the tunnel has
retransmitted a control packet the specified number of times, each within the specified
period, and still receives no response packet from its peer, it considers the tunnel torn
down.

Context
When setting up a tunnel, the LAC and LNS interact and negotiate with each other by
exchanging control packets. If one end fails to receive the response from the peer in a
specified period due to network congestion, the local end retransmits the control packet to the
peer. You can configure the interval at which control packets are retransmitted and the number
of retransmission times.
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group view is displayed.
Step 3 Run tunnel retransmit times
The number of retransmission times is configured.
Or run:
tunnel timeout interval
The interval at which control packets are retransmitted is configured.
If a large number of L2TP tunnels are established, it is recommended that the timeout period
for L2TP packet retransmission be set to 5 seconds.
Step 4 Run commit
The configuration is committed.

----End

12.10.4 Configuring the Idle-Cut Timer of a Tunnel


To save bandwidth resources, you can set the idle-cut timer.

Context
The idle-cut timer specifies the period during which a tunnel exists after the number of
sessions in the tunnel reaches 0. When the timer expires, the tunnel is deleted.
Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2tp-group group-name
The L2TP group view is displayed.
Step 3 Run tunnel idle-cut time
The idle-cut timer is configured.


If the idle-cut timer of the tunnel is set to 0, it indicates that the tunnel will not be deleted
automatically. However, if the remote end deletes the tunnel, it cannot be set up again.

Step 4 Run commit

The configuration is committed.

----End

12.10.5 Configuring the Default Invalid VLAN ID in the calling-station-id Attribute

To ensure the interconnection between a Huawei device and a non-Huawei device, you can
configure the default invalid VLAN IDs in the calling-station-id attributes for the devices.

Context
Some LNSs consider 0 as an invalid VLAN ID and some LNSs consider 4096 as an invalid
VLAN ID. You need to configure the invalid VLAN ID according to the specification of the
remote LNS.

Perform the following steps on the NE40E:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run l2tp calling-station-id vlan-0-invalid

The default invalid VLAN ID in the calling-station-id attribute delivered from the L2TP user
(LAC) to the LNS is configured to be 0.

Step 3 Run commit

The configuration is committed.

----End

12.10.6 Verifying the L2TP Connection Parameter Configuration


After tuning an L2TP connection, you can view the L2TP group configuration on the devices
at both ends of an L2TP connection.

Prerequisites
The L2TP connection parameters are adjusted.

Procedure
l Run the display l2tp-group [ group-name ] command to check the L2TP group
configuration.

----End


Example
Run the display l2tp-group [ group-name ] command to view the L2TP group configuration.
l If tunnel authentication is enabled, TunnelAuth is displayed as Use tunnel
authentication, and TunnelPassword is displayed as the configured tunnel password.
l If RADIUS mandatory authentication is enabled for the tunnel, Radius-auth is
displayed as 1.
l If AAA authentication is enabled for the tunnel, Tunnel aaa Auth is displayed as Use
tunnel aaa-authentication.
l If AVP hidden in transmission is configured, avp-hidden is displayed as 1.
l Hello interval is displayed as the configured hello interval.
l Retransmit is displayed as the number of retransmission times of control packets.
l Timeout is displayed as the interval at which control packets are retransmitted.
l Idle cut is displayed as the idle-cut timer for the tunnel.
<HUAWEI> display l2tp-group lns1
-----------------------------------------------
L2tp-index : 7
Group-Name : lns1
Description :
GroupType : ACCEPT_DIALIN_L2TP
TunnelAuth : Not tunnel authentication
Tunnel aaa Auth : Not tunnel aaa-authentication
Tunnel Avp46 : Not tunnel Avp46
Local tunnel name : R06
TunnelPassword : ******
Tunnel RecvWindow : 0
Encrypt : 0
avp-hidden : 0
Algorithm : Load-sharing
Radius-auth : 0
Hello interval : 60
Retransmit : 5
Timeout : 2
Idle cut : 60
Session limit : 65535
Used : 0
IfIndex : 0xffffffff
Source Ip : 255.255.255.255
VTNum : 15
RemoteName : dd1
DefaultDomain : dd1
DomainType : default
TunnelAlarm : on
MTUFlag : Enable
MSSFlag : Enable
Tunnel per user : 0
Config Dscp : 255
ForceChap : 0
LcpReg : 0
LcpMisReg : 0
LnsNum : 0
LnsIPAddress : 0
LnsName : 0
LnsWeight :
1): 5
2): 5
3): 5
4): 5
5): 5
6): 5
7): 5
8): 5
UsedLnsNum : 0
UnLnsNum : 0
QOS-mode : tunnel
QOS-Profile In :
QOS-Profile Out :
RemoteUsed : 0
-----------------------------------------------
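An added check, written in Python and not part of this guide, that parses the display l2tp-group output shown here and in 12.9.4 and flags the tunnel settings the sections above describe (tunnel authentication, AVP hiding, idle-cut, retransmission timeout). The function names and the trimmed sample output are assumptions modelled on the fields the guide shows.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, trimmed to the fields this check reads; same layout as the
# display l2tp-group output shown in the guide.
SAMPLE_OUTPUT = """\
-----------------------------------------------
L2tp-index : 7
Group-Name : lns1
GroupType : ACCEPT_DIALIN_L2TP
TunnelAuth : Not tunnel authentication
Tunnel aaa Auth : Not tunnel aaa-authentication
Local tunnel name : R06
avp-hidden : 0
Radius-auth : 0
Hello interval : 60
Retransmit : 5
Timeout : 2
Idle cut : 60
LnsWeight :
1): 5
2): 5
QOS-mode : tunnel
QOS-Profile In :
-----------------------------------------------
"""

# A field line starts with a letter, so the separator rows and the numbered
# LnsWeight rows ("1): 5") are skipped.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 \-]*?)\s*:\s*(.*?)\s*$")


def parse_l2tp_group(text: str) -> Dict[str, str]:
    """Turn the 'Key : value' lines of display l2tp-group into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_l2tp_group(fields: Dict[str, str],
                     many_tunnels: bool = False) -> List[Tuple[str, str]]:
    """Return (code, message) findings for settings the guide lets you tighten."""
    findings: List[Tuple[str, str]] = []
    # 12.10.6: TunnelAuth reads 'Use tunnel authentication' once it is enabled.
    if fields.get("TunnelAuth", "").startswith("Not"):
        findings.append(("TUNNEL_AUTH_OFF",
                         "tunnel authentication is off: run 'tunnel authentication' and "
                         "'tunnel password' on both the LAC and the LNS"))
    # 12.10.1: avp-hidden shows 1 when AVPs are hidden in transmission.
    if fields.get("avp-hidden") == "0":
        findings.append(("AVP_CLEAR",
                         "AVPs are sent in the clear: run 'tunnel avp-hidden' (takes "
                         "effect only with tunnel authentication on both ends)"))
    # 12.10.4: idle-cut 0 means an empty tunnel is never deleted automatically.
    if fields.get("Idle cut") == "0":
        findings.append(("IDLE_CUT_NEVER",
                         "idle-cut is 0: tunnels with no sessions are never deleted"))
    # 12.10.3: with many tunnels the guide recommends a 5-second retransmit timeout.
    if many_tunnels and int(fields.get("Timeout", "0")) < 5:
        findings.append(("RETRANSMIT_TIMEOUT_LOW",
                         "guide recommends 'tunnel timeout 5' when many tunnels exist"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_l2tp_group(parse_l2tp_group(SAMPLE_OUTPUT)):
        print(f"{code}: {msg}")
```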

12.11 Maintaining L2TP


L2TP maintenance can be performed by monitoring L2TP and clearing L2TP tunnels.

Context
By monitoring L2TP, you can know the L2TP operating status. You can run the associated
command to delete an L2TP tunnel only when there is no user, a network fault occurs, or a
device requests an L2TP tunnel to be torn down. In routine maintenance, you can run the
following commands in any view to check the L2TP operation. To clear an L2TP tunnel, run
the reset command. An L2TP tunnel cannot be restored after it is cleared. Exercise caution
when running the command.

Procedure
Step 1 Run the reset l2tp tunnel { lac | lns slot slot-id } { tunnel-item tunnel-id | tunnel-name
remote-name } command to forcibly clear an L2TP tunnel.
NOTE
After the l2tp tunnel auto-reset enable command is configured, an LAC or LNS automatically removes
an L2TP tunnel if no session control message is received from the remote end after 127 ICRQ or ICRP
messages are sent within 10 minutes. You do not need to run the reset l2tp tunnel command to forcibly
remove an L2TP tunnel.

----End

12.12 Configuration Examples for L2TP Access


This section provides several examples for configuring L2TP, including the networking
requirements, configuration notes, and configuration roadmap.

12.12.1 Example for Configuring L2TP Access in NAS-initiated VPN Scenarios

This section provides an example for configuring L2TP access in NAS-initiated VPN
scenarios, including the networking requirements, configuration roadmap, configuration
procedure, and configuration files.

Networking Requirements
As shown in Figure 12-7, PC1 is connected to the Public Switched Telephone Network
(PSTN) through a modem, and is then connected to the LAC, namely, NE40E A, across the
PSTN. PC2 is connected to NE40E A through a tunnel. The LAC and the LNS are connected
through the Internet. The LAC and the LNS communicate with each other through a tunnel.
Users access the tunnel by using domain names. On both the LAC and the LNS, the user
name and the password are authenticated by RADIUS.

Figure 12-7 Networking diagram of L2TP access in NAS-initiated VPN scenarios
(Figure not reproduced: PC1 reaches DeviceA, the LAC, through a modem and the PSTN, and
PC2 is also connected to DeviceA; the LAC and the LNS are connected across the Internet by
an L2TP tunnel; interface1 on each device is GE0/1/0.)

NOTE

Interface1 is GE0/1/0.

Configuration Roadmap
A user intends to communicate with the server in the headquarters. The IP address of the
server is a private IP address, so the user cannot access the server directly through the
Internet. A VPN is needed to give the user access to the data of the internal network.
The user is connected through the domain huawei.com and obtains an IP address from the
address pool of the LNS.

The configuration roadmap is as follows:

1. Configure corresponding parameters on the user side.
2. Configure an LAC.
– Assign an IP address to the interface and configure a reachable route to the LNS.
– Configure relevant tasks of PPPoX access services, including configuring the
virtual template interface, configuring the AAA scheme, specifying an interface as
the virtual template interface, and configuring the BAS interface.
– Enable basic L2TP functions.
– Configure tunnel connections on the LAC side.
– Configure the tunnel authentication mode.
– Configure L2TP user attributes.
3. Configure an LNS.
– Assign an IP address to the interface and configure a reachable route to the LAC.
– Configure a virtual template interface.
– Configure tunnel connections on the LNS side.
– Configure the user and tunnel authentication modes.
– Set parameters for the tunnel on the LNS side.
– Configure an address pool for allocating IP addresses to L2TP users.
– Configure domains for L2TP users and specify the address pool in each domain.

Data Preparation
To complete the configuration, you need the following data:

l Consistent user name, domain name, and password of the NE40E on both the LAC side
and the LNS side
l The protocol used on the LNS side, tunnel authentication mode (CHAP is used),
password for the tunnel, tunnel name and remote peer name
l Number, IP address, and network mask of the virtual template
l L2TP group number
l Number, range, and address mask of the remote address pool

Procedure
Step 1 Configure the user side.
Create a dial-in connection, and an access number named huawei1. In addition, receive the
address assigned by the LNS server.
Enter the user name "vpdnuser@huawei.com" in the dial-up terminal window that pops up,
with the password being Hello. Note that the user name and password should have been
registered on the LNS server of the company.
Step 2 Configure NE40E A that functions as an LAC.
In this example, the IP address of GE 0/1/0 on the LAC that connects the tunnel is
202.38.160.1; the IP address of GE 0/1/0 on the LNS that connects the tunnel is 202.38.160.2.
# Configure IP addresses for GE 0/1/0.
<Device> system-view
[~Device] sysname DeviceA
[*DeviceA] interface gigabitethernet 0/1/0
[*DeviceA-GigabitEthernet0/1/0] ip address 202.38.160.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0] commit
[~DeviceA-GigabitEthernet0/1/0] quit

# Enable basic L2TP functions and configure an L2TP connection on the LAC.
[~DeviceA] l2tp enable
[*DeviceA] l2tp-group 1
[*DeviceA-l2tp-1] tunnel name LAC
[*DeviceA-l2tp-1] start l2tp ip 202.38.160.2
[*DeviceA-l2tp-1] tunnel source gigabitethernet 0/1/0
[*DeviceA-l2tp-1] commit
[~DeviceA-l2tp-1] quit

# Enable tunnel authentication and set the tunnel password.
[*DeviceA-l2tp-1] tunnel authentication
[*DeviceA-l2tp-1] tunnel password simple 1qaz#EDC
[*DeviceA-l2tp-1] commit
[~DeviceA-l2tp-1] quit

Configure relevant tasks of PPPoX access services.

# Configure the RADIUS server.
[~DeviceA] radius-server group radius1
[*DeviceA-radius-radius1] radius-server authentication 20.20.20.1 1812
[*DeviceA-radius-radius1] radius-server accounting 20.20.20.1 1813
[*DeviceA-radius-radius1] radius-server shared-key itellin
[*DeviceA-radius-radius1] commit
[~DeviceA-radius-radius1] quit

# Configure the domain.
[~DeviceA] aaa
[~DeviceA-aaa] domain huawei.com
[*DeviceA-aaa-domain-huawei.com] authentication-scheme default1
[*DeviceA-aaa-domain-huawei.com] accounting-scheme default1
[*DeviceA-aaa-domain-huawei.com] radius-server group radius1
[*DeviceA-aaa-domain-huawei.com] l2tp-group 1
[*DeviceA-aaa-domain-huawei.com] commit
[~DeviceA-aaa-domain-huawei.com] quit
[~DeviceA-aaa] quit

# Configure a virtual template and PPP authentication mode.
[~DeviceA] interface virtual-template 1
[*DeviceA-Virtual-Template1] ppp authentication-mode chap
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit

# Bind virtual template 1 to GE 0/2/0.100.
[~DeviceA] interface gigabitethernet 0/2/0.100
[*DeviceA-GigabitEthernet0/2/0.100] pppoe-server bind virtual-template 1
[*DeviceA-GigabitEthernet0/2/0.100] user-vlan 1 100
[*DeviceA-GigabitEthernet0/2/0.100-vlan-1-100] commit
[~DeviceA-GigabitEthernet0/2/0.100-vlan-1-100] quit

# Configure a BAS interface.
[~DeviceA-GigabitEthernet0/2/0.100] bas
[*DeviceA-GigabitEthernet0/2/0.100-bas] access-type layer2-subscriber default-domain authentication huawei.com
[*DeviceA-GigabitEthernet0/2/0.100-bas] commit
[~DeviceA-GigabitEthernet0/2/0.100-bas] quit
[~DeviceA-GigabitEthernet0/2/0.100] quit

Step 3 Configure NE40E B (the LNS side).
# Assign an IP address to the interface that is connected to the tunnel.
<Device> system-view
[~Device] sysname DeviceB
[*DeviceB] interface gigabitethernet 0/1/0
[*DeviceB-gigabitethernet0/1/0] ip address 202.38.160.2 255.255.255.0
[*DeviceB-gigabitethernet0/1/0] commit
[~DeviceB-gigabitethernet0/1/0] quit

# Create and configure a virtual template.
[~DeviceB] interface virtual-template 1
[*DeviceB-Virtual-Template1] ppp authentication-mode chap
[*DeviceB-Virtual-Template1] commit
[~DeviceB-Virtual-Template1] quit

# Enable L2TP and configure an L2TP group.
[~DeviceB] l2tp enable
[~DeviceB] l2tp-group 1

# Set the name of local tunnel end on the LNS and the name of the peer tunnel end.
[*DeviceB-l2tp-1] tunnel name LNS
[*DeviceB-l2tp-1] allow l2tp virtual-template 1 remote LAC

# Enable tunnel authentication and set the tunnel password.
[*DeviceB-l2tp-1] tunnel authentication
[*DeviceB-l2tp-1] tunnel password simple 1qaz#EDC

# Perform the mandatory CHAP authentication on the local end.
[*DeviceB-l2tp-1] mandatory-chap
[*DeviceB-l2tp-1] commit
[~DeviceB-l2tp-1] quit

# Create LNS group 1.
[~DeviceB] lns-group group1

# Bind tunnel board 1 to LNS group 1.
[*DeviceB-lns-group-group1] bind slot 1

# Bind GE 0/1/0 to LNS group 1.
[*DeviceB-lns-group-group1] bind source gigabitethernet 0/1/0
[*DeviceB-lns-group-group1] commit
[~DeviceB-lns-group-group1] quit

# Configure the address pool used to assign addresses to dialup users.
[~DeviceB] ip pool 1 bas local
[*DeviceB-ip-pool-1] gateway 192.168.0.2 255.255.255.0
[*DeviceB-ip-pool-1] section 0 192.168.0.10 192.168.0.100
[*DeviceB-ip-pool-1] commit
[~DeviceB-ip-pool-1] quit

# Configure the RADIUS server.
[~DeviceB] radius-server group radius1
[*DeviceB-radius-radius1] radius-server authentication 20.20.20.1 1812
[*DeviceB-radius-radius1] radius-server accounting 20.20.20.1 1813
[*DeviceB-radius-radius1] radius-server shared-key itellin
[*DeviceB-radius-radius1] commit
[~DeviceB-radius-radius1] quit

# Configure the domain for user access.
[~DeviceB] aaa
[~DeviceB-aaa] domain huawei.com
[*DeviceB-aaa-domain-huawei.com] authentication-scheme default1
[*DeviceB-aaa-domain-huawei.com] accounting-scheme default1
[*DeviceB-aaa-domain-huawei.com] radius-server group radius1
[*DeviceB-aaa-domain-huawei.com] ip-pool 1
[*DeviceB-aaa-domain-huawei.com] commit
[~DeviceB-aaa-domain-huawei.com] quit
[~DeviceB-aaa] quit

Step 4 Verify the configuration.
# After VPN users log into the tunnel, run the display l2tp tunnel command. You can find
that the tunnel is set up. Take the display on the LNS as an example:
[~DeviceB] display l2tp tunnel
---------------------------------------------------------
-----------tunnel information in LAC----------------------
Total 0,0 printed

---------------------------------------------------------
-----------tunnel information in LNS----------------------
The tunnel information of k board 0
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
---------------------------------------------------------
13921 7958 202.38.160.1 57344 1 LAC
---------------------------------------------------------
Total 1,1 printed from slot 0


# Run the display l2tp session command. You can check whether the L2TP session is set up.
Take the display on the LNS side as an example.
[~DeviceB] display l2tp session lns slot 1
LocalSID RemoteSID LocalTID RemoteTID UserID UserName
------------------------------------------------------------------------------
2036 1469 13921 7958 62172 vpdnuser@huawei.com
------------------------------------------------------------------------------
Total 1, 1 printed from slot 0

# In this manner, VPN users can access the server in the headquarters.

----End

Configuration Files
l Configuration file of Device A
#
sysname DeviceA
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0
undo shutdown
#
interface GigabitEthernet0/2/0.100
pppoe-server bind Virtual-Template 1
undo shutdown
user-vlan 1 100
bas
access-type layer2-subscriber default-domain authentication huawei.com
#
interface gigabitethernet0/1/0
undo shutdown
ip address 202.38.160.1 255.255.255.0
#
l2tp-group 1
tunnel password simple 1qaz#EDC
tunnel name LAC
start l2tp ip 202.38.160.2
tunnel source gigabitethernet 0/1/0
#
aaa
domain huawei.com
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group 1
#
return

l Configuration file of Device B
#
sysname DeviceB
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface gigabitethernet0/1/0
undo shutdown
ip address 202.38.160.2 255.255.255.0
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface LoopBack0
ip address 192.168.10.1 255.255.255.255
#
l2tp-group 1
mandatory-chap
allow l2tp virtual-template 1 remote LAC
tunnel password simple 1qaz#EDC
tunnel name LNS
#
lns-group group1
bind slot 1
bind source gigabitethernet0/1/0
#
ip pool 1 bas local
gateway 192.168.0.2 255.255.255.0
section 0 192.168.0.10 192.168.0.100
#
aaa
domain huawei.com
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
ip-pool 1
#
return

12.12.2 Example for Configuring L2TP Access in Client-initiated VPN Scenarios

This section provides an example for configuring L2TP access in client-initiated VPN
scenarios, including the networking requirements, configuration roadmap, configuration
procedure, and configuration files.

Networking Requirements
As shown in Figure 12-8, the process of a VPN user accessing the company headquarters is
as follows:
l The VPN user is connected to the NAS through the PSTN; the LNS at the company
headquarters is connected to the NAS. The VPN user needs to initiate a tunnel
connection request to the LNS.
l The LNS verifies the user name and password after receiving this connection request,
and assigns a private IP address to the VPN user.
l The VPN user communicates with the company headquarters by using the tunnel
between the VPN user and LNS.
l The VPN user accesses the Internet by using domain1 and obtains an IP address from
address pool pool1.


Figure 12-8 Networking diagram of L2TP access in client-initiated VPN scenarios
(Figure not reproduced: the VPN client of staff on errand reaches the NAS over the PSTN,
the NAS reaches the LNS at the headquarters over the Internet, and the L2TP tunnel runs
between the VPN client and the LNS.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Install the client software on the user side and configure corresponding parameters.
2. Configure an LNS:
– Create a virtual template.
– Configure the L2TP group and attributes.
– Configure the address pool and domain.
– Configure the LNS group and attributes.

Data Preparation
To complete the configuration, you need the following data:
l User name and password on client and LNS
l Loopback address
l Name, network segment, and gateway of the address pool
l Name of the domain that the client belongs to
NOTE

This section provides only the procedures relevant to L2TP.

Procedure
Step 1 Configure the devices on the user side.
# The host on the user side must be installed with the L2TP client software and connected to
the Internet using dial-up. Then, configure the host as follows (the configuration process is
related to the client software):
l Set the user name and password of the VPN on the user side to vpdnuser and
1qaz@WSX respectively.
l Set the IP address of the LNS as the IP address of the NE40E interface that connects to
the Internet (In this example, the IP address of the interface connected to the tunnel on
the LNS is 11.11.11.1).
l Modify attributes of the connection and use L2TP.

Step 2 Configure the NE40E that functions as an LNS.


# Create a virtual template and configure it.
<Device> system-view
[~Device] interface virtual-template 1
[*Device-Virtual-Template1] ppp authentication-mode chap
[*Device-Virtual-Template1] commit
[~Device-Virtual-Template1] quit

# Enable the L2TP service and create an L2TP group.


[~Device] l2tp enable
[~Device] l2tp-group lns1

# Configure the name of the LNS and the name of the peer end of the tunnel.
[*Device-l2tp-lns1] tunnel name LNS
[*Device-l2tp-lns1] allow l2tp virtual-template 1 remote vpdnuser

NOTE

Every L2TP group other than the default group must specify a remote LAC name in the allow l2tp
command. default-lns is the default LNS group: when the NE40E functions as an LNS and the tunnel
name sent by the LAC matches none of the remote names configured in its L2TP groups, the NE40E
applies the default-lns group.
The LAC sets the name it sends with the tunnel name command; by default it is the host name of
the LAC. The remote name only selects the L2TP group, it does not authenticate the peer; that is
the job of tunnel authentication, configured next.

# Enable tunnel authentication and set the password for tunnel authentication.
[*Device-l2tp-lns1] tunnel authentication
[*Device-l2tp-lns1] tunnel password simple 1qaz#EDC
[*Device-l2tp-lns1] commit
[~Device-l2tp-lns1] quit
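The tunnel authentication and tunnel password commands switch on the CHAP-style tunnel authentication of RFC 2661 (section 5.1.1): the LAC may carry a Challenge AVP in its SCCRQ, the LNS answers in SCCRP with MD5(message type || tunnel password || challenge) and may challenge back, and the LAC answers that challenge in SCCCN. The following Python simulation of the exchange is an added example, not Huawei code and not something this guide provides. It assumes that a peer answers any Challenge it receives with its own configured tunnel password and that a peer with tunnel authentication enabled challenges the other side and rejects a wrong response; the peer names and the password are taken from this example.

```python
"""Simulation of L2TP tunnel authentication (RFC 2661, section 5.1.1).

Constructed example: two in-process peers stand in for the VPN client (acting
as LAC) and the LNS. Nothing is sent on the wire; only the Challenge /
Challenge Response arithmetic and the accept/reject decisions are modelled.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Control message types whose value is hashed into the response (RFC 2661, 3.2)
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 5.1.1: MD5(message type as a single octet || shared secret || challenge).

    The message type takes the place of the CHAP identifier, so the SCCRP and
    SCCCN answers to one challenge differ even though the secret is the same.
    """
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


@dataclass
class TunnelPeer:
    name: str            # value of 'tunnel name'
    password: bytes      # value of 'tunnel password'
    require_auth: bool   # True when 'tunnel authentication' is configured


def establish_tunnel(lac: TunnelPeer, lns: TunnelPeer, rng=os.urandom) -> "tuple[bool, str]":
    """Run the SCCRQ -> SCCRP -> SCCCN exchange and return (established, reason).

    Assumption (not stated in the guide): a peer answers any Challenge it
    receives with its own configured password, and a peer that has tunnel
    authentication enabled challenges the other side and rejects a wrong response.
    """
    # SCCRQ (LAC -> LNS): carries a Challenge AVP only if the LAC authenticates the LNS
    lac_chal = rng(16) if lac.require_auth else None

    # SCCRP (LNS -> LAC): answer the LAC's Challenge, and challenge back if required
    sccrp_resp = challenge_response(SCCRP, lns.password, lac_chal) if lac_chal else None
    lns_chal = rng(16) if lns.require_auth else None

    # LAC checks the SCCRP response before it sends SCCCN
    if lac_chal is not None:
        expected = challenge_response(SCCRP, lac.password, lac_chal)
        if not hmac.compare_digest(expected, sccrp_resp):
            return False, f"{lac.name}: bad Challenge Response in SCCRP (tunnel password mismatch)"

    # SCCCN (LAC -> LNS): answer the LNS's Challenge, if there was one
    scccn_resp = challenge_response(SCCCN, lac.password, lns_chal) if lns_chal else None

    # LNS checks the SCCCN response; only now is the tunnel up
    if lns_chal is not None:
        expected = challenge_response(SCCCN, lns.password, lns_chal)
        if not hmac.compare_digest(expected, scccn_resp):
            return False, f"{lns.name}: bad Challenge Response in SCCCN (tunnel password mismatch)"

    if lac_chal is None and lns_chal is None:
        return True, "tunnel established WITHOUT tunnel authentication"
    return True, "tunnel established"


if __name__ == "__main__":
    lns = TunnelPeer("LNS", b"1qaz#EDC", True)
    for client in (TunnelPeer("vpdnuser", b"1qaz#EDC", True),
                   TunnelPeer("vpdnuser", b"wrong-pass", True),
                   TunnelPeer("vpdnuser", b"wrong-pass", False)):
        print(client.password.decode(), client.require_auth, establish_tunnel(client, lns))
```

Two points for practice follow from the simulation. If neither side has tunnel authentication enabled, any peer that knows the LNS address gets a tunnel and only PPP authentication stands between it and the domain, so keep it enabled on an Internet-facing LNS. Tunnel authentication only proves knowledge of the tunnel password; it does not encrypt anything, so the PPP frames inside an L2TP tunnel across the Internet travel in the clear unless protected separately. Note also that tunnel password simple stores the secret in clear text in the saved configuration (see the Configuration Files at the end of this example); the cipher form of the command stores it encrypted.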

# Configure address pool pool1, from which dial-up users are assigned addresses. The pool name
must match the ip-pool referenced in the domain.
[~Device] ip pool pool1 bas local
[*Device-ip-pool-pool1] gateway 192.168.0.2 255.255.255.0
[*Device-ip-pool-pool1] section 0 192.168.0.10 192.168.0.100
[*Device-ip-pool-pool1] commit
[~Device-ip-pool-pool1] quit

# Configure the RADIUS server.


[~Device] radius-server group radius1
[*Device-radius-radius1] radius-server authentication 20.20.20.1 1812
[*Device-radius-radius1] radius-server accounting 20.20.20.1 1813
[*Device-radius-radius1] radius-server shared-key itellin
[*Device-radius-radius1] commit
[~Device-radius-radius1] quit

# Configure a domain named domain1.


[~Device] aaa
[*Device-aaa] domain domain1
[*Device-aaa-domain-domain1] authentication-scheme default1
[*Device-aaa-domain-domain1] accounting-scheme default1
[*Device-aaa-domain-domain1] radius-server group radius1
[*Device-aaa-domain-domain1] ip-pool pool1
[*Device-aaa-domain-domain1] commit
[~Device-aaa-domain-domain1] quit
[~Device-aaa] quit

# Create a loopback interface.


[~Device] interface loopback 0
[*Device-LoopBack0] ip address 192.168.10.1 255.255.255.255
[*Device-LoopBack0] commit

[~Device-LoopBack0] quit

# Create an LNS group named group1, bind it to the tunnel board in slot 1, and bind Loopback 0
as the tunnel source interface of the LNS group.
[~Device] lns-group group1
[*Device-lns-group-group1] bind slot 1
[*Device-lns-group-group1] bind source loopback 0
[*Device-lns-group-group1] commit
[~Device-lns-group-group1] quit

Step 3 Verify the configuration.


# After the VPN user logs in, run the display l2tp tunnel command on the LNS to confirm that
the tunnel has been set up.
[~Device] display l2tp tunnel lns slot
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
------------------------------------------------------------------------------
1        1         100.1.1.1     2134 1        vpdnuser
------------------------------------------------------------------------------
Total 1, 1 printed from slot

# Run the display l2tp session command on the LNS to confirm that the L2TP session has been
set up.
<Device> display l2tp session lns slot
LocalSID RemoteSID LocalTID RemoteTID UserID UserName
------------------------------------------------------------------------------
278      24768     13921    7958      62172  vpdnuser@domain1
------------------------------------------------------------------------------
Total 1, 1 printed from slot

The VPN user can now reach the company headquarters through the LNS.

----End

Configuration Files
Configuration file of the Device
#
sysname Device
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 11.11.11.1
#
interface LoopBack0

ip address 192.168.10.1 255.255.255.255


#
ospf 1
area 0.0.0.0
network 202.38.160.0 0.0.0.255
network 192.168.0.1 0.0.0.0
#
l2tp-group lns1
allow l2tp virtual-template 1 remote vpdnuser
tunnel password simple 1qaz#EDC
tunnel name LNS
#
lns-group group1
bind slot 1
bind source LoopBack0
#
ip pool pool1 bas local
gateway 192.168.0.2 255.255.255.0
section 0 192.168.0.10 192.168.0.100
#
aaa
domain domain1
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
ip-pool pool1

12.12.3 Example for Configuring Access to L3VPNs Through L2TP Tunnels
This section provides an example for configuring access to L3VPNs through L2TP tunnels,
including the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
As shown in Figure 12-9, DeviceA functions as an LAC and DeviceB functions as an LNS. The
domain name of the headquarters of enterprise01 is isp1 and PC1 is a user of enterprise01; the
domain name of the headquarters of enterprise02 is isp2 and PC2 is a user of enterprise02.

Figure 12-9 Networking for configuring access to L3VPNs through L2TP tunnels
NOTE

Interfaces 1 through 3 in this example are GE0/2/0, GE0/1/1, and GE0/3/0.

(Figure: PC1 (user1@isp1) and PC2 (user1@isp2) reach DeviceA, the LAC, over the access network through interface1; across the WAN, DeviceA builds one L2TP tunnel from its Loopback0 to DeviceB's Loopback0 and a second from its Loopback1 to DeviceB's Loopback1; on DeviceB, the LNS, vrf1 leads to Headquarter01 (isp1) and vrf2 to Headquarter02 (isp2).)

Device   Interface                 IP Address
DeviceA  GigabitEthernet0/1/1.1    11.11.11.1/24
         GigabitEthernet0/1/1.2    12.12.12.1/24
         GigabitEthernet0/2/0.100  -
         LoopBack0                 1.1.1.1/32
         LoopBack1                 2.2.2.2/32
DeviceB  GigabitEthernet0/1/1.1    11.11.11.2/24
         GigabitEthernet0/1/1.2    12.12.12.2/24
         LoopBack0                 3.3.3.3/32
         LoopBack1                 4.4.4.4/32

Configuration Roadmap
Multiple enterprises share the same LNS, and users of each enterprise need to reach their own
headquarters. The headquarters networks use private addresses, so users cannot reach the
intranet servers directly over the Internet. With L2TP tunnels and VPN instances on the LNS,
users reach their intranet data and each enterprise's traffic stays in its own VPN instance.

NOTE

Addresses of different VPN instances can overlap.

1. Configure dial-up parameters at the user side.
2. Configure an LAC.
– Configure the PPPoX access service, including the virtual template, AAA scheme, and
BAS interface.
– Enable basic L2TP functions.
– Configure tunnel connections on the LAC.
– Configure the tunnel authentication mode.
– Configure L2TP user attributes.
– Configure the routing protocol (static route in this case) to make the LAC and LNS
reachable.
3. Configure an LNS.
– Create a VPN instance.
– Configure a virtual template.

– Configure tunnel connections on the LNS.


– Configure the user and tunnel authentication modes.
– Set parameters for the tunnel on the LNS side.
– Configure an address pool for allocating IP addresses to L2TP users and bind the
address pool to a VPN instance.
– Configure domains for L2TP users, then specify the address pool and the VPN
instance in each domain.
– Configure the routing protocol (static route in this case) to make the LAC and LNS
reachable.
– Assign an IP address to the interface that is connected to the enterprise network and
bind the interface to a VPN instance.

Data Preparation
To complete the configuration, you need the following data:
l User names and passwords of PC1 and PC2
l Tunnel password, and local tunnel name and remote tunnel name on the LNS
l Names, RDs, and VPN targets of VPN instances
l Numbers of virtual templates and numbers of L2TP groups
l Number, range, and mask of the remote address pool
NOTE

This section provides only the procedures relevant to L2TP.

Procedure
Step 1 Configure the devices at the user side.
Dial the access number configured on DeviceA to create a dial-in connection; the LNS assigns
the address.
On PC1, enter the user name user1@isp1 and the password in the dial-up window. On PC2, enter
the user name user1@isp2 and the password. (Both accounts must be registered on the RADIUS
server that the LNS uses.)
Step 2 Configure DeviceA that functions as an LAC.
# Configure virtual template 1.
<Device> system-view
[~Device] sysname DeviceA
[*DeviceA] interface virtual-template 1
[*DeviceA-Virtual-Template1] ppp authentication-mode chap
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit

# Bind virtual template 1 to GE 0/2/0.100.


[~DeviceA] interface gigabitethernet 0/2/0.100
[*DeviceA-GigabitEthernet0/2/0.100] pppoe-server bind virtual-template 1
[*DeviceA-GigabitEthernet0/2/0.100] user-vlan 1 100
[*DeviceA-GigabitEthernet0/2/0.100-vlan-1-100] commit
[~DeviceA-GigabitEthernet0/2/0.100-vlan-1-100] quit

# Configure a BAS interface.


[~DeviceA-GigabitEthernet0/2/0.100] bas
[*DeviceA-GigabitEthernet0/2/0.100-bas] access-type layer2-subscriber
[*DeviceA-GigabitEthernet0/2/0.100-bas] authentication-method ppp
[*DeviceA-GigabitEthernet0/2/0.100-bas] commit
[~DeviceA-GigabitEthernet0/2/0.100-bas] quit
[~DeviceA-GigabitEthernet0/2/0.100] quit

# Configure the LAC interface that connects to the LNS and create sub-interfaces for the
interface.
[~DeviceA] interface gigabitethernet0/1/1.1
[*DeviceA-GigabitEthernet0/1/1.1] vlan-type dot1q 1
[*DeviceA-GigabitEthernet0/1/1.1] ip address 11.11.11.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1.1] commit
[~DeviceA-GigabitEthernet0/1/1.1] quit
[~DeviceA] interface gigabitethernet0/1/1.2
[*DeviceA-GigabitEthernet0/1/1.2] vlan-type dot1q 2
[*DeviceA-GigabitEthernet0/1/1.2] ip address 12.12.12.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1.2] commit
[~DeviceA-GigabitEthernet0/1/1.2] quit

# Create loopback interfaces.


[~DeviceA] interface loopback0
[*DeviceA-LoopBack0] ip address 1.1.1.1 255.255.255.255
[*DeviceA-LoopBack0] commit
[~DeviceA-LoopBack0] quit
[~DeviceA] interface loopback1
[*DeviceA-LoopBack1] ip address 2.2.2.2 255.255.255.255
[*DeviceA-LoopBack1] commit
[~DeviceA-LoopBack1] quit

# Configure an L2TP group and attributes of the L2TP group.


[~DeviceA] l2tp enable
[~DeviceA] l2tp-group lac1
[*DeviceA-l2tp-lac1] tunnel name lac1
[*DeviceA-l2tp-lac1] start l2tp ip 3.3.3.3
[*DeviceA-l2tp-lac1] tunnel authentication
[*DeviceA-l2tp-lac1] tunnel password simple 1qaz#EDC
[*DeviceA-l2tp-lac1] tunnel source loopback0
[*DeviceA-l2tp-lac1] commit
[~DeviceA-l2tp-lac1] quit
[~DeviceA] l2tp-group lac2
[*DeviceA-l2tp-lac2] tunnel name lac2
[*DeviceA-l2tp-lac2] start l2tp ip 4.4.4.4
[*DeviceA-l2tp-lac2] tunnel authentication
[*DeviceA-l2tp-lac2] tunnel password simple 1qaz#EDC
[*DeviceA-l2tp-lac2] tunnel source loopback1
[*DeviceA-l2tp-lac2] commit
[~DeviceA-l2tp-lac2] quit

# Configure the RADIUS server.


[~DeviceA] radius-server group radius1
[*DeviceA-radius-radius1] radius-server authentication 20.20.20.1 1812
[*DeviceA-radius-radius1] radius-server accounting 20.20.20.1 1813
[*DeviceA-radius-radius1] radius-server shared-key itellin
[*DeviceA-radius-radius1] commit
[~DeviceA-radius-radius1] quit

# Configure the domain to which users belong.


[~DeviceA] aaa
[*DeviceA-aaa] domain isp1
[*DeviceA-aaa-domain-isp1] l2tp-group lac1
[*DeviceA-aaa-domain-isp1] radius-server group radius1
[*DeviceA-aaa-domain-isp1] authentication-scheme default1

[*DeviceA-aaa-domain-isp1] accounting-scheme default1


[*DeviceA-aaa-domain-isp1] commit
[~DeviceA-aaa-domain-isp1] quit
[~DeviceA-aaa] domain isp2
[*DeviceA-aaa-domain-isp2] l2tp-group lac2
[*DeviceA-aaa-domain-isp2] radius-server group radius1
[*DeviceA-aaa-domain-isp2] authentication-scheme default1
[*DeviceA-aaa-domain-isp2] accounting-scheme default1
[*DeviceA-aaa-domain-isp2] commit
[~DeviceA-aaa-domain-isp2] quit
[~DeviceA-aaa] quit

# Configure routes.
[~DeviceA] ip route-static 3.3.3.3 255.255.255.255 11.11.11.2
[~DeviceA] ip route-static 4.4.4.4 255.255.255.255 12.12.12.2

Step 3 Configure DeviceB that functions as an LNS.

# Create two VPN instances.
<Device> system-view
[~Device] sysname DeviceB
[*DeviceB] ip vpn-instance vrf1
[*DeviceB-vpn-instance-vrf1] route-distinguisher 100:1
[*DeviceB-vpn-instance-vrf1] vpn-target 100:1 both
[*DeviceB-vpn-instance-vrf1] commit
[~DeviceB-vpn-instance-vrf1] quit
[~DeviceB] ip vpn-instance vrf2
[*DeviceB-vpn-instance-vrf2] route-distinguisher 100:2
[*DeviceB-vpn-instance-vrf2] vpn-target 100:2 both
[*DeviceB-vpn-instance-vrf2] commit
[~DeviceB-vpn-instance-vrf2] quit

# Create sub-interfaces.
[~DeviceB] interface gigabitethernet0/1/1.1
[*DeviceB-GigabitEthernet0/1/1.1] vlan-type dot1q 1
[*DeviceB-GigabitEthernet0/1/1.1] ip address 11.11.11.2 255.255.255.0
[*DeviceB-GigabitEthernet0/1/1.1] commit
[~DeviceB-GigabitEthernet0/1/1.1] quit
[~DeviceB] interface gigabitethernet0/1/1.2
[*DeviceB-GigabitEthernet0/1/1.2] vlan-type dot1q 2
[*DeviceB-GigabitEthernet0/1/1.2] ip address 12.12.12.2 255.255.255.0
[*DeviceB-GigabitEthernet0/1/1.2] commit
[~DeviceB-GigabitEthernet0/1/1.2] quit

# Create loopback interfaces.


[~DeviceB] interface loopback0
[*DeviceB-LoopBack0] ip address 3.3.3.3 255.255.255.255
[*DeviceB-LoopBack0] commit
[~DeviceB-LoopBack0] quit
[~DeviceB] interface loopback1
[*DeviceB-LoopBack1] ip address 4.4.4.4 255.255.255.255
[*DeviceB-LoopBack1] commit
[~DeviceB-LoopBack1] quit

# Create virtual template 1.


[~DeviceB] interface virtual-template 1
[*DeviceB-Virtual-Template1] ppp authentication-mode chap
[*DeviceB-Virtual-Template1] commit
[~DeviceB-Virtual-Template1] quit

# Enable L2TP and configure an L2TP group.


[~DeviceB] l2tp enable
[~DeviceB] l2tp-group lns1
[*DeviceB-l2tp-lns1] tunnel name lns1

[*DeviceB-l2tp-lns1] allow l2tp virtual-template 1 remote lac1


[*DeviceB-l2tp-lns1] tunnel authentication
[*DeviceB-l2tp-lns1] tunnel password simple 1qaz#EDC
[*DeviceB-l2tp-lns1] commit
[~DeviceB-l2tp-lns1] quit
[~DeviceB] l2tp-group lns2
[*DeviceB-l2tp-lns2] tunnel name lns2
[*DeviceB-l2tp-lns2] allow l2tp virtual-template 1 remote lac2
[*DeviceB-l2tp-lns2] tunnel authentication
[*DeviceB-l2tp-lns2] tunnel password simple 1qaz#EDC
[*DeviceB-l2tp-lns2] commit
[~DeviceB-l2tp-lns2] quit

# Create LNS group group1, bind it to the tunnel board in slot 1, and bind Loopback0 and
Loopback1 as the tunnel source interfaces (the addresses that the start l2tp ip commands on
DeviceA point to).
[~DeviceB] lns-group group1
[*DeviceB-lns-group-group1] bind slot 1
[*DeviceB-lns-group-group1] bind source loopback 0
[*DeviceB-lns-group-group1] bind source loopback 1
[*DeviceB-lns-group-group1] commit
[~DeviceB-lns-group-group1] quit

# Configure the address pool used to assign addresses to users.


[~DeviceB] ip pool pool1 bas local
[*DeviceB-ip-pool-pool1] gateway 10.10.0.1 255.255.255.0
[*DeviceB-ip-pool-pool1] section 0 10.10.0.10 10.10.0.100
[*DeviceB-ip-pool-pool1] vpn-instance vrf1
[*DeviceB-ip-pool-pool1] commit
[~DeviceB-ip-pool-pool1] quit
[~DeviceB] ip pool pool2 bas local
[*DeviceB-ip-pool-pool2] gateway 10.10.0.1 255.255.255.0
[*DeviceB-ip-pool-pool2] section 0 10.10.0.10 10.10.0.100
[*DeviceB-ip-pool-pool2] vpn-instance vrf2
[*DeviceB-ip-pool-pool2] commit
[~DeviceB-ip-pool-pool2] quit

# Configure the RADIUS server.


[~DeviceB] radius-server group radius1
[*DeviceB-radius-radius1] radius-server authentication 20.20.20.1 1812
[*DeviceB-radius-radius1] radius-server accounting 20.20.20.1 1813
[*DeviceB-radius-radius1] radius-server shared-key itellin
[*DeviceB-radius-radius1] commit
[~DeviceB-radius-radius1] quit

# Configure the domains to which users belong.


[~DeviceB] aaa
[*DeviceB-aaa] domain isp1
[*DeviceB-aaa-domain-isp1] radius-server group radius1
[*DeviceB-aaa-domain-isp1] authentication-scheme default1
[*DeviceB-aaa-domain-isp1] accounting-scheme default1
[*DeviceB-aaa-domain-isp1] ip-pool pool1
[*DeviceB-aaa-domain-isp1] vpn-instance vrf1
[*DeviceB-aaa-domain-isp1] commit
[~DeviceB-aaa-domain-isp1] quit
[~DeviceB-aaa] domain isp2
[*DeviceB-aaa-domain-isp2] radius-server group radius1
[*DeviceB-aaa-domain-isp2] authentication-scheme default1
[*DeviceB-aaa-domain-isp2] accounting-scheme default1
[*DeviceB-aaa-domain-isp2] ip-pool pool2
[*DeviceB-aaa-domain-isp2] vpn-instance vrf2
[*DeviceB-aaa-domain-isp2] commit
[~DeviceB-aaa-domain-isp2] quit
[~DeviceB-aaa] quit

# Configure routes.
[~DeviceB] ip route-static 1.1.1.1 255.255.255.255 11.11.11.1

[~DeviceB] ip route-static 2.2.2.2 255.255.255.255 12.12.12.1

Step 4 Verify the configuration.

# On DeviceA, check that both LNS tunnel endpoints are reachable and that both L2TP tunnels
can be set up. DeviceA has no VPN instance, so the pings use the global routing table.
[~DeviceA] ping 3.3.3.3
PING 3.3.3.3: 56 data bytes, press CTRL_C to break
Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=255 time=12 ms
Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=255 time=5 ms
Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=255 time=8 ms

--- 3.3.3.3 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/8/12 ms
[~DeviceA] ping 4.4.4.4
PING 4.4.4.4: 56 data bytes, press CTRL_C to break
Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=255 time=12 ms
Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=255 time=5 ms
Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=255 time=8 ms

--- 4.4.4.4 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/8/12 ms
[~DeviceA] test l2tp-tunnel l2tp-group lac1 ip-address 3.3.3.3
Testing L2TP tunnel connectivity now.......
Test L2TP tunnel connectivity success.
[~DeviceA] test l2tp-tunnel l2tp-group lac2 ip-address 4.4.4.4
Testing L2TP tunnel connectivity now.......
Test L2TP tunnel connectivity success.

# VPN users can now access the headquarters of their enterprises: PC1 reaches Headquarter01
and PC2 reaches Headquarter02.
The domain suffix of the user name selects the AAA domain, and the domain selects the VPN
instance and address pool. If PC1 dials in with the user name user1@isp2 and the matching
password, it is placed in vrf2 and reaches Headquarter02 as a user of enterprise02. The
separation between the two enterprises therefore rests on the RADIUS server holding distinct
credentials for each domain; the VPN instance binding itself does not verify to which
enterprise a user belongs.

----End

Configuration Files
l Configuration file of DeviceA
#
sysname DeviceA
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0
undo shutdown
#
interface GigabitEthernet0/2/0.100
pppoe-server bind Virtual-Template 1
undo shutdown
user-vlan 1 100
bas
access-type layer2-subscriber

#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
l2tp-group lac1
tunnel password simple 1qaz#EDC
tunnel name lac1
start l2tp ip 3.3.3.3
tunnel source LoopBack0
#
l2tp-group lac2
tunnel password simple 1qaz#EDC
tunnel name lac2
start l2tp ip 4.4.4.4
tunnel source LoopBack1
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac1
domain isp2
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac2
#
interface GigabitEthernet0/1/1.1
undo shutdown
vlan-type dot1q 1
ip address 11.11.11.1 255.255.255.0
#
interface GigabitEthernet0/1/1.2
undo shutdown
vlan-type dot1q 2
ip address 12.12.12.1 255.255.255.0
#
ip route-static 3.3.3.3 255.255.255.255 11.11.11.2
ip route-static 4.4.4.4 255.255.255.255 12.12.12.2
#
return
l Configuration file of DeviceB
#
sysname DeviceB
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
ip vpn-instance vrf1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vrf2
route-distinguisher 100:2
vpn-target 100:2 export-extcommunity
vpn-target 100:2 import-extcommunity
#

interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
l2tp-group lns1
allow l2tp virtual-template 1 remote lac1
tunnel password simple 1qaz#EDC
tunnel name lns1
#
l2tp-group lns2
allow l2tp virtual-template 1 remote lac2
tunnel password simple 1qaz#EDC
tunnel name lns2
#
lns-group group1
bind slot 1
bind source LoopBack0
bind source LoopBack1
#
ip pool pool1 bas local
vpn-instance vrf1
gateway 10.10.0.1 255.255.255.0
section 0 10.10.0.10 10.10.0.100
#
ip pool pool2 bas local
vpn-instance vrf2
gateway 10.10.0.1 255.255.255.0
section 0 10.10.0.10 10.10.0.100
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
vpn-instance vrf1
ip-pool pool1
domain isp2
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
vpn-instance vrf2
ip-pool pool2
#
interface GigabitEthernet0/1/1.1
undo shutdown
vlan-type dot1q 1
ip address 11.11.11.2 255.255.255.0
#
interface GigabitEthernet0/1/1.2
undo shutdown
vlan-type dot1q 2
ip address 12.12.12.2 255.255.255.0
#
ip route-static 1.1.1.1 255.255.255.255 11.11.11.1
ip route-static 2.2.2.2 255.255.255.255 12.12.12.1
#
return

12.12.4 Example for Configuring LTS

This section provides an example for configuring L2TP tunnel switching (LTS), including the
networking requirements, configuration roadmap, configuration procedure, and configuration
files.

Networking Requirements
As shown in Figure 12-10, DeviceA, DeviceB, and DeviceC function as the LAC, LTS, and
LNS respectively.

l A user dials in through PPPoE by using user name user1@domain1 and password Hello.
l RADIUS authentication and RADIUS accounting are used.
l DeviceB and DeviceC do not perform authentication or accounting for the user.
l DeviceC allocates an IP address to the user from the local address pool.

Figure 12-10 L2TP networking

NOTE

Interface 1 is GE0/1/0.1.

(Figure: the user dials in over the PSTN/ISDN to interface1 on DeviceA, the LAC; Tunnel1 runs from DeviceA to DeviceB, the LTS, whose Loopback0 is 30.30.30.1; DeviceB switches the session into a second tunnel to DeviceC, the LNS, whose Loopback0 is 40.40.40.1 and which fronts the headquarters; the RADIUS server is 20.20.20.1.)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure dial-up parameters at the user side.


2. Configure the LAC.
3. Configure the LTS.
4. Configure the LNS.

Data Preparation
To complete the configuration, you need the following data:

l IP address of Loopback0 on DeviceB


l IP address of Loopback0 on DeviceC
l Name of the domain that the user belongs to
NOTE

This section provides only the procedures relevant to L2TP.

Procedure
Step 1 Configure the user side.
Enter user1@domain1 as the user name and Hello as the password in the PPPoE dial-up
dialog box to dial in.
Step 2 Configure DeviceA (LAC).
# Configure virtual template 1.
<Device> system-view
[~Device] sysname DeviceA
[*DeviceA] interface virtual-template 1
[*DeviceA-Virtual-Template1] ppp authentication-mode chap
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit

# Bind virtual template 1 to GE 0/1/0.1.


[~DeviceA] interface gigabitethernet 0/1/0.1
[*DeviceA-GigabitEthernet0/1/0.1] pppoe-server bind virtual-template 1
[*DeviceA-GigabitEthernet0/1/0.1] user-vlan 1 100
[*DeviceA-GigabitEthernet0/1/0.1-vlan-1-100] commit
[~DeviceA-GigabitEthernet0/1/0.1-vlan-1-100] quit

# Configure the BAS interface.


[~DeviceA-GigabitEthernet0/1/0.1] bas
[*DeviceA-GigabitEthernet0/1/0.1-bas] access-type layer2-subscriber
[*DeviceA-GigabitEthernet0/1/0.1-bas] authentication-method ppp
[*DeviceA-GigabitEthernet0/1/0.1-bas] commit
[~DeviceA-GigabitEthernet0/1/0.1-bas] quit
[~DeviceA-GigabitEthernet0/1/0.1] quit

# Configure an L2TP group and configure relevant attributes.


[~DeviceA] l2tp enable
[~DeviceA] l2tp-group lac1
[*DeviceA-l2tp-lac1] tunnel name lac1
[*DeviceA-l2tp-lac1] start l2tp ip 30.30.30.1
[*DeviceA-l2tp-lac1] tunnel authentication
[*DeviceA-l2tp-lac1] tunnel password simple 1qaz#EDC
[*DeviceA-l2tp-lac1] commit
[~DeviceA-l2tp-lac1] quit

# Configure the RADIUS server.


[~DeviceA] radius-server group radius1
[*DeviceA-radius-radius1] radius-server authentication 20.20.20.1 1812
[*DeviceA-radius-radius1] radius-server accounting 20.20.20.1 1813
[*DeviceA-radius-radius1] radius-server shared-key itellin
[*DeviceA-radius-radius1] commit
[~DeviceA-radius-radius1] quit

# Configure the domain to which the user belongs.


[~DeviceA] aaa
[*DeviceA-aaa] domain domain1
[*DeviceA-aaa-domain-domain1] l2tp-group lac1
[*DeviceA-aaa-domain-domain1] radius-server group radius1
[*DeviceA-aaa-domain-domain1] authentication-scheme default1
[*DeviceA-aaa-domain-domain1] accounting-scheme default1

[*DeviceA-aaa-domain-domain1] commit
[~DeviceA-aaa-domain-domain1] quit
[~DeviceA-aaa] quit

NOTE

The user name user1@domain1 and the password Hello must be configured on the RADIUS server.

Step 3 Configure DeviceB that functions as an LTS.


# Create virtual template 1 and configure relevant parameters.
<Device> system-view
[~Device] sysname DeviceB
[*DeviceB] interface virtual-template 1
[*DeviceB-Virtual-Template1] ppp authentication-mode chap
[*DeviceB-Virtual-Template1] commit
[~DeviceB-Virtual-Template1] quit

# Configure loopback 0.
[~DeviceB] interface loopback 0
[*DeviceB-LoopBack0] ip address 30.30.30.1 255.255.255.255
[*DeviceB-LoopBack0] commit
[~DeviceB-LoopBack0] quit

# Enable the L2TP service and configure the L2TP group in which DeviceB acts as the LNS toward
DeviceA (it must allow DeviceA's tunnel name lac1 and carry the same tunnel password).
[~DeviceB] l2tp enable
[~DeviceB] l2tp-group lns1
[*DeviceB-l2tp-lns1] tunnel name lns1
[*DeviceB-l2tp-lns1] allow l2tp virtual-template 1 remote lac1
[*DeviceB-l2tp-lns1] tunnel authentication
[*DeviceB-l2tp-lns1] tunnel password simple 1qaz#EDC
[*DeviceB-l2tp-lns1] commit
[~DeviceB-l2tp-lns1] quit

# Create an LNS group named group1, and bind the tunnel source interface to the tunnel
board.
[~DeviceB] lns-group group1
[*DeviceB-lns-group-group1] bind slot 1
[*DeviceB-lns-group-group1] bind source loopback 0
[*DeviceB-lns-group-group1] commit
[~DeviceB-lns-group-group1] quit

# Configure the L2TP group in which DeviceB acts as an LAC toward DeviceC. The tunnel name lac2
and the tunnel password must match what the L2TP group on DeviceC allows.


[~DeviceB] l2tp-group lac1
[*DeviceB-l2tp-lac1] tunnel name lac2
[*DeviceB-l2tp-lac1] start l2tp ip 40.40.40.1
[*DeviceB-l2tp-lac1] tunnel authentication
[*DeviceB-l2tp-lac1] tunnel password simple 1qaz#EDC2
[*DeviceB-l2tp-lac1] commit
[~DeviceB-l2tp-lac1] quit

# Configure the RADIUS server.


[~DeviceB] radius-server group radius1
[*DeviceB-radius-radius1] radius-server authentication 20.20.20.1 1812
[*DeviceB-radius-radius1] radius-server accounting 20.20.20.1 1813
[*DeviceB-radius-radius1] radius-server shared-key itellin
[*DeviceB-radius-radius1] commit
[~DeviceB-radius-radius1] quit

# Configure the domain to which the user belongs.


[~DeviceB] aaa
[*DeviceB-aaa] domain domain1
[*DeviceB-aaa-domain-domain1] l2tp-group lac1

[*DeviceB-aaa-domain-domain1] radius-server group radius1


[*DeviceB-aaa-domain-domain1] authentication-scheme default1
[*DeviceB-aaa-domain-domain1] accounting-scheme default1
[*DeviceB-aaa-domain-domain1] commit
[~DeviceB-aaa-domain-domain1] quit
[~DeviceB-aaa] quit

Step 4 Configure DeviceC (LNS).


# Configure virtual template 1.
<Device> system-view
[~Device] sysname DeviceC
[*DeviceC] interface virtual-template 1
[*DeviceC-Virtual-Template1] ppp authentication-mode chap
[*DeviceC-Virtual-Template1] commit
[~DeviceC-Virtual-Template1] quit

# Configure loopback 0.
[~DeviceC] interface loopback 0
[*DeviceC-LoopBack0] ip address 40.40.40.1 255.255.255.255
[*DeviceC-LoopBack0] commit
[~DeviceC-LoopBack0] quit

# Enable the L2TP service and create an L2TP group.


[~DeviceC] l2tp enable
[~DeviceC] l2tp-group lns1
[*DeviceC-l2tp-lns1] tunnel name LNS2
[*DeviceC-l2tp-lns1] allow l2tp virtual-template 1 remote lac2
[*DeviceC-l2tp-lns1] tunnel authentication
[*DeviceC-l2tp-lns1] tunnel password simple 1qaz#EDC2
[*DeviceC-l2tp-lns1] commit
[~DeviceC-l2tp-lns1] quit

# Create an LNS group named group1, and bind the tunnel source interface to the tunnel
board.
[~DeviceC] lns-group group1
[*DeviceC-lns-group-group1] bind slot 1
[*DeviceC-lns-group-group1] bind source loopback 0
[*DeviceC-lns-group-group1] commit
[~DeviceC-lns-group-group1] quit

# Configure the address pool to allocate IP address to the user.


[~DeviceC] ip pool pool1 bas local
[*DeviceC-ip-pool-pool1] gateway 10.10.0.1 255.255.255.0
[*DeviceC-ip-pool-pool1] section 0 10.10.0.2 10.10.0.100
[*DeviceC-ip-pool-pool1] commit
[~DeviceC-ip-pool-pool1] quit

# Configure the RADIUS server.


[~DeviceC] radius-server group radius1
[*DeviceC-radius-radius1] radius-server authentication 20.20.20.1 1812
[*DeviceC-radius-radius1] radius-server accounting 20.20.20.1 1813
[*DeviceC-radius-radius1] radius-server shared-key itellin
[*DeviceC-radius-radius1] commit
[~DeviceC-radius-radius1] quit

# Configure the domain to which the user belongs.


[~DeviceC] aaa
[*DeviceC-aaa] domain domain1
[*DeviceC-aaa-domain-domain1] radius-server group radius1
[*DeviceC-aaa-domain-domain1] authentication-scheme default1
[*DeviceC-aaa-domain-domain1] accounting-scheme default1
[*DeviceC-aaa-domain-domain1] ip-pool pool1

[*DeviceC-aaa-domain-domain1] commit
[~DeviceC-aaa-domain-domain1] quit
[~DeviceC-aaa] quit

# Verify the configuration.

Check the status of the tunnel when the user gets online.
<HUAWEI> display l2tp tunnel
---------------------------------------------------------
-----------tunnel information in LAC----------------------
Total 0,0 printed

---------------------------------------------------------
-----------tunnel information in LNS----------------------
The tunnel information of K board 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
------------------------------------------------------------------------------
39 4 30.30.30.1 1701 1 user1@domain1
------------------------------------------------------------------------------
Total 1, 1 printed from slot 0

----End

Configuration Files
l Configuration file of DeviceA
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/0
undo shutdown
#
interface GigabitEthernet0/1/0.1
pppoe-server bind Virtual-Template 1
undo shutdown
user-vlan 1 100
bas
access-type layer2-subscriber
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 100.100.100.1 255.255.255.0
#
l2tp-group lac1
tunnel password simple 1qaz#EDC
tunnel name LAC1
start l2tp ip 30.30.30.1
#
aaa
domain domain1
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac1
#
ip route-static 30.30.30.1 255.255.255.255 100.100.100.2
#
return

l Configuration file of DeviceB
#
sysname NE40EB
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 100.100.100.2 255.255.255.0
#
interface GigabitEthernet0/3/0
undo shutdown
ip address 200.200.200.1 255.255.255.0
#
interface LoopBack0
ip address 30.30.30.1 255.255.255.255
#
l2tp-group lac1
tunnel password simple 1qaz#EDC2
tunnel name LAC2
start l2tp ip 40.40.40.1
#
l2tp-group lns1
allow l2tp virtual-template 1 remote LAC1
tunnel password simple 1qaz#EDC
tunnel name LNS1
#
lns-group group1
bind slot 1
bind source LoopBack0
#
aaa
domain domain1
radius-server group radius1
authentication-scheme default1
accounting-scheme default1
l2tp-group lac1
#
ip route-static 40.40.40.1 255.255.255.255 200.200.200.2
#
return

l Configuration file of DeviceC
#
sysname NE40EC
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 200.200.200.2 255.255.255.0
#
interface LoopBack0
ip address 40.40.40.1 255.255.255.255
#
l2tp-group lns1
allow l2tp virtual-template 1 remote LAC2
tunnel password simple 1qaz#EDC2
tunnel name LNS2
#
lns-group group1
bind slot 1
bind source LoopBack0
#
ip pool pool1 bas local
gateway 10.10.0.1 255.255.255.0
section 0 10.10.0.2 10.10.0.100
#
aaa
domain domain1
radius-server group radius1
authentication-scheme default1
accounting-scheme default1
ip-pool pool1
#
ip route-static 30.30.30.1 255.255.255.255 200.200.200.1
#
return

12.12.5 Example for Configuring L2TP Tunnel-based QoS Scheduling for User Access
This section provides an example for configuring L2TP tunnel-based QoS scheduling for user
access, including the networking requirements, configuration roadmap, configuration
procedure, and configuration files.

Networking Requirement
As shown in Figure 12-11, the NE40E functions as the LNS of the L2TP tunnel. The process
of a VPN user accessing the company headquarters is as follows:
l The user dials up to access the Internet.
l The NAS authenticates the user and initiates a request for setting up a tunnel to the LNS
if it finds that the user is a VPN user.
l After a tunnel is set up between the NAS and the LNS, the NAS sends packets carrying
the contents negotiated between the NAS and the VPN user to the LNS.
l The LNS determines whether to accept the connection according to the negotiation.
l The user communicates with the company headquarters through the tunnel between the
NAS and the LNS.
l The user accesses the network by using the domain doma1 and obtains its IP address
from the address pool pool1.
L2TP QoS scheduling needs to be set for the LNS, ensuring that multiple users go online
using one tunnel and all users in the domain share a CIR of 100 Mbit/s and a PIR of 200
Mbit/s.

Figure 12-11 Networking for configuring L2TP tunnel-based QoS scheduling for user access
(Figure: VPN client, LAC/NAS with Internet access, tunnel network, LNS, headquarters)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the LAC.
2. Configure the LNS, with the NE40E functioning as the LNS.
3. Configure the scheduling profile and QoS profile.
4. Apply the QoS profile to the domain.
5. Configure L2TP QoS scheduling by tunnel for the L2TP group.

Data Preparation
To complete the configuration, you need the following data:
l Loopback address
l Name, network segment, and gateway of the address pool
l Name of the domain to which users belong
l Names of the scheduling profile and QoS profile

Procedure
Step 1 Configure the user side.
Enter vpdnuser@doma1 as the VPN user name, 1qaz@WSX as the password, and 170 as
the dial-in number in the dial-up window to dial in. In the displayed dial-up dialog box, enter
username as the user name and Userpass0 as the password for RADIUS authentication.
Step 2 Configure the NAS.
The configuration procedure is not provided here. For details, see the relevant manual.
Use the NAS as the LAC.
# Configure 170 as the dial-in number on the NAS.
# Create a VPN user on the RADIUS server with user name username and password
Userpass0, and configure the IP address for the LNS (in this case, the IP address of the LNS
is 192.168.0.1).
# Set the local device name to lac and perform tunnel authentication with the tunnel
authentication password being 1qaz#EDC.
Step 3 Configure the NE40E (LNS).
# Create a virtual template and configure it.
<Device> system-view
[~Device] interface virtual-template 1
[*Device-Virtual-Template1] ppp authentication-mode chap
[*Device-Virtual-Template1] commit
[~Device-Virtual-Template1] quit

# Enable the L2TP service and create an L2TP group.
[~Device] l2tp enable
[~Device] l2tp-group lns1

# Configure the L2TP connection on the LNS.
[*Device-l2tp-lns1] tunnel name LNS
[*Device-l2tp-lns1] allow l2tp virtual-template 1 remote lac

# Configure tunnel authentication and set the password for tunnel authentication.
[*Device-l2tp-lns1] tunnel authentication
[*Device-l2tp-lns1] tunnel password simple 1qaz#EDC
[*Device-l2tp-lns1] commit
[~Device-l2tp-lns1] quit

# Define an address pool and allocate IP addresses for the dial-in users.
[~Device] ip pool pool1 bas local
[*Device-ip-pool-pool1] gateway 10.10.10.1 255.255.255.0
[*Device-ip-pool-pool1] section 0 10.10.10.2 10.10.10.100
[*Device-ip-pool-pool1] commit
[~Device-ip-pool-pool1] quit

# Configure the RADIUS server.
[~Device] radius-server group radius1
[*Device-radius-radius1] radius-server authentication 20.20.20.1 1812
[*Device-radius-radius1] radius-server accounting 20.20.20.1 1813
[*Device-radius-radius1] radius-server shared-key itellin
[*Device-radius-radius1] commit
[~Device-radius-radius1] quit

# Configure the domain named doma1.
[~Device] aaa
[*Device-aaa] domain doma1
[*Device-aaa-domain-doma1] radius-server group radius1
[*Device-aaa-domain-doma1] authentication-scheme default1
[*Device-aaa-domain-doma1] accounting-scheme default1
[*Device-aaa-domain-doma1] ip-pool pool1
[*Device-aaa-domain-doma1] commit
[~Device-aaa-domain-doma1] quit
[~Device-aaa] quit

# Configure loopback 0.
[~Device] interface loopback0
[*Device-LoopBack0] ip address 192.168.0.1 255.255.255.255
[*Device-LoopBack0] commit
[~Device-LoopBack0] quit

# Create an LNS group named group1.
[~Device] lns-group group1

# Specify the tunnel board in slot 1 for the LNS group.
[*Device-lns-group-group1] bind slot 1

# Bind loopback 0 to the LNS group.
[*Device-lns-group-group1] bind source loopback0
[*Device-lns-group-group1] commit
[~Device-lns-group-group1] quit

Step 4 Configure the scheduling profile and QoS profile.
# Configure the QoS profile.
[~Device] qos-profile pro1
[*Device-qos-pro1] user-queue cir 100000 pir 200000 inbound
[*Device-qos-pro1] user-queue cir 100000 pir 200000 outbound
[*Device-qos-pro1] commit
[~Device-qos-pro1] quit

Step 5 Apply the QoS profile to the domain.
[~Device] aaa
[*Device-aaa] domain doma1
[*Device-aaa-domain-doma1] qos-profile pro1 inbound lns-gts
[*Device-aaa-domain-doma1] commit
[~Device-aaa-domain-doma1] quit
[~Device-aaa] quit

Step 6 Set QoS scheduling by tunnel for the L2TP group.
[~Device] l2tp-group lns1
[*Device-l2tp-lns1] qos scheduling-mode tunnel
[*Device-l2tp-lns1] commit
[~Device-l2tp-lns1] quit

Step 7 Verify the configuration.
Run the display l2tp-group command to check the scheduling mode configured for the L2TP
group.
<HUAWEI> display l2tp-group lns1
-----------------------------------------------
L2tp-index : 3
Group-Name : lns1
.........
QOS-mode : tunnel
.........
-----------------------------------------------

Run the display domain command to check the QoS profile applied to the domain for L2TP users.
<HUAWEI> display domain doma1
------------------------------------------------------------------------------
Domain-name : doma1
Domain-state : Active
...............
L2TP-QosProfile-inbound : pro1
...............
------------------------------------------------------------------------------

----End

Configuration Files
#
sysname HUAWEI
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
qos-profile pro1
user-queue cir 100000 pir 200000 inbound
user-queue cir 100000 pir 200000 outbound
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/0
undo shutdown
#
interface GigabitEthernet0/1/0.2
pppoe-server bind Virtual-Template 1
user-vlan 270 277
undo shutdown
bas
access-type layer2-subscriber
#
interface LoopBack0
ip address 192.168.0.1 255.255.255.255
#
l2tp-group lns1
allow l2tp virtual-template 1 remote lac
tunnel password simple 1qaz#EDC
tunnel name LNS
qos scheduling-mode tunnel
#
lns-group group1
bind slot 1
bind source LoopBack0
#
ip pool pool1 bas local
gateway 10.10.10.1 255.255.255.0
section 0 10.10.10.2 10.10.10.100
#
aaa
domain doma1
radius-server group radius1
authentication-scheme default1
accounting-scheme default1
ip-pool pool1
qos-profile pro1 inbound lns-gts
#
return

12.12.6 Example for Configuring L2TP Session-based QoS Scheduling for User Access
This section provides an example for configuring L2TP session-based QoS scheduling for
user access, including the networking requirements, configuration roadmap, configuration
procedure, and configuration files.

Networking Requirement
As shown in Figure 12-12, the NE40E functions as the LNS of the L2TP tunnel. The process
of a VPN user accessing the company headquarters is as follows:
l The user dials up to access the Internet.
l The NAS authenticates the user and initiates a request for setting up a tunnel to the LNS
if it finds that the user is a VPN user.
l After a tunnel is set up between the NAS and the LNS, the NAS sends packets carrying
the contents negotiated between the NAS and the VPN user to the LNS.
l The LNS determines whether to accept the connection according to the negotiation.
l The user communicates with the company headquarters through the tunnel between the
NAS and the LNS.
l The user accesses the network using the domain doma1 and obtains its IP address from
the address pool pool1.
L2TP QoS scheduling by session needs to be configured for the LNS, ensuring the following:
l Each user in the domain uses the CIR of 10 Mbit/s and the PIR of 20 Mbit/s.
l All users on the L2TP tunnel share the PIR of 100 Mbit/s.

Figure 12-12 Networking for configuring L2TP session-based QoS scheduling for user access
(Figure: VPN client, LAC/NAS with Internet access, tunnel network, LNS, headquarters)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the LAC.
2. Configure the LNS, with the NE40E functioning as the LNS.
3. Configure the scheduling profile and QoS profile.
4. Apply the QoS profile to the domain.
5. Configure L2TP QoS scheduling by session for the L2TP group.

Data Preparation
To complete the configuration, you need the following data:
l Loopback address
l Name, network segment, and gateway of the address pool
l Name of the domain to which users belong
l Names of the scheduling profile and QoS profile

Procedure
Step 1 Configure the user side.
Enter vpdnuser@doma1 as the VPN user name, 1qaz@WSX as the password, and 170 as
the dial-in number in the dial-up window to dial in. In the displayed dial-up dialog box, enter
username as the user name and Userpass0 as the password for RADIUS authentication.
Step 2 Configure the NAS.
The configuration procedure is not provided here. For details, see the relevant manual.
Use the NAS as the LAC.
# Configure 170 as the dial-in number on the NAS.
# Create a VPN user on the RADIUS server with user name username and password
Userpass0, and configure the IP address for the LNS (in this case, the IP address of the LNS
is 192.168.0.1).
# Set the local device name to lac and perform tunnel authentication with the tunnel
authentication password being 1qaz#EDC.
Step 3 Configure the NE40E (LNS).
# Create a virtual template and configure it.
<Device> system-view
[~Device] interface virtual-template 1
[*Device-Virtual-Template1] ppp authentication-mode chap
[*Device-Virtual-Template1] commit
[~Device-Virtual-Template1] quit

# Enable the L2TP service and create an L2TP group.
[~Device] l2tp enable
[~Device] l2tp-group lns1

# Configure the name of the LNS and the name of the peer end of the tunnel.
[*Device-l2tp-lns1] tunnel name LNS
[*Device-l2tp-lns1] allow l2tp virtual-template 1 remote lac

# Configure tunnel authentication and set the password for tunnel authentication.
[*Device-l2tp-lns1] tunnel authentication
[*Device-l2tp-lns1] tunnel password simple 1qaz#EDC
[*Device-l2tp-lns1] commit
[~Device-l2tp-lns1] quit

# Define an address pool and allocate IP addresses to dial-in users.
[~Device] ip pool pool1 bas local
[*Device-ip-pool-pool1] gateway 10.10.10.1 255.255.255.0
[*Device-ip-pool-pool1] section 0 10.10.10.2 10.10.10.100
[*Device-ip-pool-pool1] commit
[~Device-ip-pool-pool1] quit

# Configure the RADIUS server.
[~Device] radius-server group radius1
[*Device-radius-radius1] radius-server authentication 20.20.20.1 1812
[*Device-radius-radius1] radius-server accounting 20.20.20.1 1813
[*Device-radius-radius1] radius-server shared-key itellin
[*Device-radius-radius1] commit
[~Device-radius-radius1] quit

# Configure the domain named doma1.
[~Device] aaa
[*Device-aaa] domain doma1
[*Device-aaa-domain-doma1] radius-server group radius1
[*Device-aaa-domain-doma1] authentication-scheme default1
[*Device-aaa-domain-doma1] accounting-scheme default1
[*Device-aaa-domain-doma1] ip-pool pool1
[*Device-aaa-domain-doma1] commit
[~Device-aaa-domain-doma1] quit
[~Device-aaa] quit

# Configure loopback 0.
[~Device] interface loopback 0
[*Device-LoopBack0] ip address 192.168.0.1 255.255.255.255
[*Device-LoopBack0] commit
[~Device-LoopBack0] quit

# Create an LNS group named group1.
[~Device] lns-group group1

# Specify the tunnel board in slot 1 for the LNS group.
[*Device-lns-group-group1] bind slot 1

# Bind loopback 0 to the LNS group.
[*Device-lns-group-group1] bind source loopback 0
[*Device-lns-group-group1] commit
[~Device-lns-group-group1] quit

Step 4 Configure the scheduling profile and QoS profile.

# Configure the QoS profile.
[~Device] qos-profile pro1
[*Device-qos-pro1] user-queue cir 10000 pir 20000 inbound
[*Device-qos-pro1] user-queue cir 10000 pir 20000 outbound
[*Device-qos-pro1] commit
[~Device-qos-pro1] quit

# Configure user group queue pro2 on slot 1 so that all users on the tunnel share one shaping rate.
[~Device] user-group-queue pro2 slot 1
[*Device-user-group-queue-pro2-slot-1] shaping 100000 inbound
[*Device-user-group-queue-pro2-slot-1] commit
[~Device-user-group-queue-pro2-slot-1] quit

Step 5 Apply the QoS profile to the domain.
[~Device] aaa
[*Device-aaa] domain doma1
[*Device-aaa-domain-doma1] qos-profile pro1 inbound lns-gts
[*Device-aaa-domain-doma1] commit
[~Device-aaa-domain-doma1] quit
[~Device-aaa] quit

Step 6 Set QoS scheduling by session for the L2TP group, and apply user-group-queue pro2 to the
L2TP group.
[~Device] l2tp-group lns1
[*Device-l2tp-lns1] qos scheduling-mode session
[*Device-l2tp-lns1] user-group-queue pro2 inbound
[*Device-l2tp-lns1] commit
[~Device-l2tp-lns1] quit

Step 7 Verify the configuration.

Run the display l2tp-group command to check the scheduling mode configured for the L2TP
group.
<HUAWEI> display l2tp-group lns1
-----------------------------------------------
L2tp-index : 3
Group-Name : lns1
.........
QOS-mode : session
.........
-----------------------------------------------

Run the display domain command to check the QoS profile applied to the domain for L2TP users.
<HUAWEI> display domain doma1
------------------------------------------------------------------------------
Domain-name : doma1
Domain-state : Active
...............
L2TP-QosProfile-inbound : pro1
...............
------------------------------------------------------------------------------

----End

Configuration Files
#
sysname HUAWEI
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
qos-profile pro1
user-queue cir 10000 pir 20000 inbound
user-queue cir 10000 pir 20000 outbound
#
user-group-queue pro2
shaping 100000 inbound
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/0
undo shutdown
#
interface GigabitEthernet0/1/0.2
pppoe-server bind Virtual-Template 1
user-vlan 270 277
undo shutdown
bas
access-type layer2-subscriber
#
interface LoopBack0
ip address 192.168.0.1 255.255.255.255
#
l2tp-group lns1
allow l2tp virtual-template 1 remote lac
tunnel password simple 1qaz#EDC
tunnel name LNS
qos scheduling-mode session
user-group-queue pro2 inbound
#
lns-group group1
bind slot 1
bind source LoopBack0
#
ip pool pool1 bas local
gateway 10.10.10.1 255.255.255.0
section 0 10.10.10.2 10.10.10.100
#
aaa
domain doma1
radius-server group radius1
authentication-scheme default1
accounting-scheme default1
ip-pool pool1
qos-profile pro1 inbound lns-gts
#
return

12.12.7 Example for Configuring L2TP Load Balancing
This section provides an example for configuring load balancing among L2TP tunnels,
including networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
As shown in Figure 12-13, a single LNS cannot transmit all L2TP services. In such a case,
you can enable LNS load balancing to load-balance L2TP services among multiple LNSs
based on LNS weights.

Figure 12-13 Networking for L2TP load balancing
(Figure: VPN client, LAC DeviceA, L2TP tunnels across the Internet to LNSs DeviceB and DeviceC, headquarters)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the dial-up connection at the user side.
2. Configure the LAC (when configuring the L2TP connection on the LAC, configure two
LNSs in the L2TP group and specify the IP addresses and weights of these LNSs).
3. Configure the LNS.

Data Preparation
To complete the configuration, you need the following data:
l User name and password of PC1
l Tunnel password, tunnel name on the LNS, and tunnel name on the LAC
l Number of the virtual template and the L2TP group number
l Number, range, and mask of the remote address pool
NOTE
This section provides only the procedure relevant to L2TP.

Procedure
Step 1 Configure the user side.
To create a dial-up connection, dial the access number specified on DeviceA, and receive the IP
address assigned by the LNS.
Enter the user name user1@isp1 and the password (already registered on the LNS) in the
displayed dial-up terminal window on PC1.
Step 2 Configure DeviceA that functions as an LAC.
# Configure virtual template 1.
<Device> system-view
[~Device] sysname DeviceA
[*DeviceA] interface virtual-template 1
[*DeviceA-Virtual-Template1] ppp authentication-mode chap
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit

# Bind virtual template 1 to GE 0/2/0.100.
[~DeviceA] interface gigabitethernet 0/2/0.100
[*DeviceA-GigabitEthernet0/2/0.100] pppoe-server bind virtual-template 1
[*DeviceA-GigabitEthernet0/2/0.100] user-vlan 1 100
[*DeviceA-GigabitEthernet0/2/0.100-vlan-1-100] commit
[~DeviceA-GigabitEthernet0/2/0.100-vlan-1-100] quit

# Configure the BAS interface.
[~DeviceA-GigabitEthernet0/2/0.100] bas
[*DeviceA-GigabitEthernet0/2/0.100-bas] access-type layer2-subscriber
[*DeviceA-GigabitEthernet0/2/0.100-bas] authentication-method ppp
[*DeviceA-GigabitEthernet0/2/0.100-bas] commit
[~DeviceA-GigabitEthernet0/2/0.100-bas] quit
[~DeviceA-GigabitEthernet0/2/0.100] quit

# Create Loopback 0.
[~DeviceA] interface loopback0
[*DeviceA-LoopBack0] ip address 1.1.1.1 255.255.255.255
[*DeviceA-LoopBack0] commit
[~DeviceA-LoopBack0] quit

# Assign IP addresses to physical interfaces on the tunnel.
[~DeviceA] interface gigabitethernet0/1/1
[*DeviceA-GigabitEthernet0/1/1] ip address 11.11.11.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1] commit
[~DeviceA-GigabitEthernet0/1/1] quit
[~DeviceA] interface gigabitethernet0/1/2
[*DeviceA-GigabitEthernet0/1/2] ip address 12.12.12.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/2] commit
[~DeviceA-GigabitEthernet0/1/2] quit

# Set up tunnels for L2TP load balancing and specify relevant attributes.
[~DeviceA] l2tp enable
[~DeviceA] l2tp-group lac1
[*DeviceA-l2tp-lac1] tunnel name lac1
[*DeviceA-l2tp-lac1] start l2tp ip 3.3.3.3 ip 4.4.4.4
[*DeviceA-l2tp-lac1] tunnel load-sharing
[*DeviceA-l2tp-lac1] tunnel authentication
[*DeviceA-l2tp-lac1] tunnel password simple 1qaz#EDC
[*DeviceA-l2tp-lac1] tunnel source loopback0
[*DeviceA-l2tp-lac1] commit
[~DeviceA-l2tp-lac1] quit

# Configure the RADIUS server.
[~DeviceA] radius-server group radius1
[*DeviceA-radius-radius1] radius-server authentication 20.20.20.1 1812
[*DeviceA-radius-radius1] radius-server accounting 20.20.20.1 1813
[*DeviceA-radius-radius1] radius-server shared-key itellin
[*DeviceA-radius-radius1] commit
[~DeviceA-radius-radius1] quit

# Configure the domain to which the user belongs.
[~DeviceA] aaa
[*DeviceA-aaa] domain isp1
[*DeviceA-aaa-domain-isp1] l2tp-group lac1
[*DeviceA-aaa-domain-isp1] radius-server group radius1
[*DeviceA-aaa-domain-isp1] authentication-scheme default1
[*DeviceA-aaa-domain-isp1] accounting-scheme default1
[*DeviceA-aaa-domain-isp1] commit
[~DeviceA-aaa-domain-isp1] quit

# Configure routes.
[~DeviceA] ip route-static 3.3.3.3 255.255.255.255 11.11.11.2
[~DeviceA] ip route-static 4.4.4.4 255.255.255.255 12.12.12.2

Step 3 Configure DeviceB (LNS).
# Create Loopback 0.
[~DeviceB] interface loopback0
[*DeviceB-LoopBack0] ip address 3.3.3.3 255.255.255.255
[*DeviceB-LoopBack0] commit
[~DeviceB-LoopBack0] quit

# Assign IP addresses to physical interfaces on the tunnel.
[~DeviceB] interface gigabitethernet0/1/1
[*DeviceB-GigabitEthernet0/1/1] ip address 11.11.11.2 255.255.255.0
[*DeviceB-GigabitEthernet0/1/1] commit
[~DeviceB-GigabitEthernet0/1/1] quit

# Create virtual template 1.
[~DeviceB] interface virtual-template 1
[*DeviceB-Virtual-Template1] ppp authentication-mode chap
[*DeviceB-Virtual-Template1] commit
[~DeviceB-Virtual-Template1] quit

# Enable L2TP and configure L2TP groups.
[~DeviceB] l2tp enable
[~DeviceB] l2tp-group lns1
[*DeviceB-l2tp-lns1] tunnel name lns1
[*DeviceB-l2tp-lns1] allow l2tp virtual-template 1 remote lac1
[*DeviceB-l2tp-lns1] tunnel authentication
[*DeviceB-l2tp-lns1] tunnel password simple 1qaz#EDC
[*DeviceB-l2tp-lns1] commit
[~DeviceB-l2tp-lns1] quit

# Create LNS group 1 and configure it.
[~DeviceB] lns-group group1
[*DeviceB-lns-group-group1] bind slot 1
[*DeviceB-lns-group-group1] bind source loopback 0
[*DeviceB-lns-group-group1] commit
[~DeviceB-lns-group-group1] quit

# Configure the address pool used to assign addresses to users.
[~DeviceB] ip pool pool1 bas local
[*DeviceB-ip-pool-pool1] gateway 10.10.0.1 255.255.255.0
[*DeviceB-ip-pool-pool1] section 0 10.10.0.10 10.10.0.100
[*DeviceB-ip-pool-pool1] commit
[~DeviceB-ip-pool-pool1] quit

# Configure the RADIUS server.
[~DeviceB] radius-server group radius1
[*DeviceB-radius-radius1] radius-server authentication 10.10.0.249 1812
[*DeviceB-radius-radius1] radius-server accounting 10.10.0.249 1813
[*DeviceB-radius-radius1] radius-server shared-key itellin
[*DeviceB-radius-radius1] commit
[~DeviceB-radius-radius1] quit

# Configure the domain to which the user belongs.
[~DeviceB] aaa
[*DeviceB-aaa] domain isp1
[*DeviceB-aaa-domain-isp1] authentication-scheme default1
[*DeviceB-aaa-domain-isp1] accounting-scheme default1
[*DeviceB-aaa-domain-isp1] radius-server group radius1
[*DeviceB-aaa-domain-isp1] ip-pool pool1
[*DeviceB-aaa-domain-isp1] commit
[~DeviceB-aaa-domain-isp1] quit
[~DeviceB-aaa] quit

# Configure routes.
[~DeviceB] ip route-static 1.1.1.1 255.255.255.255 11.11.11.1

Step 4 Configure DeviceC (LNS).
# Create a loopback interface.
[~DeviceC] interface loopback1
[*DeviceC-LoopBack1] ip address 4.4.4.4 255.255.255.255
[*DeviceC-LoopBack1] commit
[~DeviceC-LoopBack1] quit

# Assign IP addresses to physical interfaces on the tunnel.
[~DeviceC] interface gigabitethernet0/1/1
[*DeviceC-GigabitEthernet0/1/1] ip address 12.12.12.2 255.255.255.0
[*DeviceC-GigabitEthernet0/1/1] commit
[~DeviceC-GigabitEthernet0/1/1] quit

# Create virtual template 1.
[~DeviceC] interface virtual-template 1
[*DeviceC-Virtual-Template1] ppp authentication-mode chap
[*DeviceC-Virtual-Template1] commit
[~DeviceC-Virtual-Template1] quit

# Enable L2TP and configure L2TP groups.
[~DeviceC] l2tp enable
[~DeviceC] l2tp-group lns1
[*DeviceC-l2tp-lns1] tunnel name lns1
[*DeviceC-l2tp-lns1] allow l2tp virtual-template 1 remote lac1
[*DeviceC-l2tp-lns1] tunnel authentication
[*DeviceC-l2tp-lns1] tunnel password simple 1qaz#EDC
[*DeviceC-l2tp-lns1] commit
[~DeviceC-l2tp-lns1] quit

# Create LNS group 1 and configure it.
[~DeviceC] lns-group group1
[*DeviceC-lns-group-group1] bind slot 1
[*DeviceC-lns-group-group1] bind source loopback 1
[*DeviceC-lns-group-group1] commit
[~DeviceC-lns-group-group1] quit

# Configure the address pool used to assign addresses to users.
[~DeviceC] ip pool pool1 bas local
[*DeviceC-ip-pool-pool1] gateway 10.10.0.101 255.255.255.0
[*DeviceC-ip-pool-pool1] section 0 10.10.0.102 10.10.0.200
[*DeviceC-ip-pool-pool1] commit
[~DeviceC-ip-pool-pool1] quit

# Configure the RADIUS server.
[~DeviceC] radius-server group radius1
[*DeviceC-radius-radius1] radius-server authentication 10.10.0.249 1812
[*DeviceC-radius-radius1] radius-server accounting 10.10.0.249 1813
[*DeviceC-radius-radius1] radius-server shared-key itellin
[*DeviceC-radius-radius1] commit
[~DeviceC-radius-radius1] quit

# Configure the domain to which the user belongs.
[~DeviceC] aaa
[*DeviceC-aaa] domain isp1
[*DeviceC-aaa-domain-isp1] authentication-scheme default1
[*DeviceC-aaa-domain-isp1] accounting-scheme default1
[*DeviceC-aaa-domain-isp1] radius-server group radius1
[*DeviceC-aaa-domain-isp1] ip-pool pool1
[*DeviceC-aaa-domain-isp1] commit
[~DeviceC-aaa-domain-isp1] quit
[~DeviceC-aaa] quit

# Configure routes.
[~DeviceC] ip route-static 1.1.1.1 255.255.255.255 12.12.12.1

Step 5 Verify the configuration.
[~DeviceA] test l2tp-tunnel l2tp-group lac1 ip-address 3.3.3.3
Testing L2TP tunnel connectivity now.......
Test L2TP tunnel connectivity success.
[~DeviceA] test l2tp-tunnel l2tp-group lac1 ip-address 4.4.4.4
Testing L2TP tunnel connectivity now.......
Test L2TP tunnel connectivity success.

----End

Configuration Files
l Configuration file of DeviceA
#
sysname DeviceA
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0.100
pppoe-server bind Virtual-Template 1
undo shutdown
user-vlan 1 100
bas
access-type layer2-subscriber
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
l2tp-group lac1
tunnel password simple 1qaz#EDC
tunnel name lac1
start l2tp ip 3.3.3.3 ip 4.4.4.4 weight 5
tunnel load-sharing
tunnel source LoopBack0
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac1
#
interface GigabitEthernet0/1/1
undo shutdown
ip address 11.11.11.1 255.255.255.0
#
interface GigabitEthernet0/1/2
undo shutdown
ip address 12.12.12.1 255.255.255.0
#
ip route-static 3.3.3.3 255.255.255.255 11.11.11.2
ip route-static 4.4.4.4 255.255.255.255 12.12.12.2
#
return
l Configuration file of DeviceB
#
sysname DeviceB
#
l2tp enable
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
l2tp-group lns1
allow l2tp virtual-template 1 remote lac1
tunnel password simple 1qaz#EDC
tunnel name lns1
#
lns-group group1
bind slot 1
bind source LoopBack0
#
ip pool pool1 bas local
gateway 10.10.0.1 255.255.255.0
section 0 10.10.0.2 10.10.0.100
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
ip-pool pool1
#
interface GigabitEthernet0/1/1
undo shutdown
ip address 11.11.11.2 255.255.255.0
#
ip route-static 1.1.1.1 255.255.255.255 11.11.11.1
#
return
l Configuration file of DeviceC
#
sysname DeviceC
#
l2tp enable
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
l2tp-group lns1
allow l2tp virtual-template 1 remote lac1
tunnel password simple 1qaz#EDC
tunnel name lns1
#
lns-group group1
bind slot 1
bind source LoopBack1
#
ip pool pool1 bas local
gateway 10.10.0.101 255.255.255.0
section 0 10.10.0.102 10.10.0.200
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
ip-pool pool1
#
interface GigabitEthernet0/1/1
undo shutdown
ip address 12.12.12.2 255.255.255.0
#
ip route-static 1.1.1.1 255.255.255.255 12.12.12.1
#
return

12.12.8 Example for Configuring an L2TP Tunnel on a VPN for User Access
This section provides an example for configuring an L2TP tunnel on a VPN for user access,
including the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
The network is shown in Figure 12-14. To conserve public network addresses, the carrier wants
to establish the L2TP tunnels over private network addresses rather than public ones.

Figure 12-14 Networking for configuring an L2TP tunnel on a VPN for user access
NOTE
Interfaces 1 through 3 in this example are GE 0/1/1, GE 0/2/0.100, and GE 0/1/2.

[Figure 12-14 shows PC1 (user1@isp1) reaching DeviceA (LAC) over the access network, and PC2
(user1@isp2) reaching DeviceC (LAC) over its access network. DeviceA sets up an L2TP tunnel in
vrf1 across the WAN to DeviceB (LNS), which serves Headquarter01 (isp1); DeviceC sets up an
L2TP tunnel in vrf2 to DeviceB, which serves Headquarter02 (isp2).]

Device   Tunnel Interface   IP Address     Loopback Interface   IP Address
DeviceA  GE 0/1/1           10.0.0.1/24    Loopback 0           1.1.1.1
DeviceB  GE 0/1/1           10.0.0.2/24    Loopback 0           3.3.3.3
DeviceB  GE 0/1/2           10.10.0.2/24   Loopback 1           4.4.4.4
DeviceC  GE 0/1/1           10.10.0.1/24   Loopback 1           2.2.2.2

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the dial-up connection at the user side.
2. Configure the LAC.
3. Configure the LNS.

Data Preparation
To complete the configuration, you need the following data:
l User names and passwords of PC1 and PC2
l Tunnel password, tunnel name on the LNS, and tunnel name on the LAC
l VPN instance name
l Numbers of virtual templates and L2TP groups
l Number, range, and mask of the remote address pool

Procedure
Step 1 Configure the user side.
To create a dial-up connection, dial the access number specified on Device A, and receive
addresses assigned by the LNS server.
Enter the user name user1@isp1 and the password (already registered on the LNS) in the
displayed dial-up terminal window on PC1.
Enter the user name user1@isp2 and password (already registered on the LNS) in the
displayed dial-up terminal window on PC2.

Step 2 Configure Device A (LAC).
# Configure virtual template 1.
<Device> system-view
[~Device] sysname DeviceA
[*DeviceA] interface virtual-template 1
[*DeviceA-Virtual-Template1] ppp authentication-mode chap
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit

# Bind virtual template 1 to GE 0/2/0.100.
[~DeviceA] interface gigabitethernet 0/2/0.100
[*DeviceA-GigabitEthernet0/2/0.100] pppoe-server bind virtual-template 1
[*DeviceA-GigabitEthernet0/2/0.100] user-vlan 1 100
[*DeviceA-GigabitEthernet0/2/0.100-vlan-1-100] commit
[~DeviceA-GigabitEthernet0/2/0.100-vlan-1-100] quit

# Configure a BAS interface.
[~DeviceA-GigabitEthernet0/2/0.100] bas
[*DeviceA-GigabitEthernet0/2/0.100-bas] access-type layer2-subscriber
[*DeviceA-GigabitEthernet0/2/0.100-bas] authentication-method ppp
[*DeviceA-GigabitEthernet0/2/0.100-bas] commit
[~DeviceA-GigabitEthernet0/2/0.100-bas] quit
[~DeviceA-GigabitEthernet0/2/0.100] quit

# Create a VPN instance.
[~DeviceA] ip vpn-instance vrf1
[*DeviceA-vpn-instance-vrf1] route-distinguisher 100:1
[*DeviceA-vpn-instance-vrf1] vpn-target 100:1 both
[*DeviceA-vpn-instance-vrf1] commit
[~DeviceA-vpn-instance-vrf1] quit

# Bind the LAC interface connected to the LNS to the VPN instance.
[~DeviceA] interface gigabitethernet0/1/1
[*DeviceA-GigabitEthernet0/1/1] ip binding vpn-instance vrf1
[*DeviceA-GigabitEthernet0/1/1] ip address 10.0.0.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1] commit
[~DeviceA-GigabitEthernet0/1/1] quit

# Create Loopback 0.
[~DeviceA] interface loopback0
[*DeviceA-LoopBack0] ip binding vpn-instance vrf1
[*DeviceA-LoopBack0] ip address 1.1.1.1 255.255.255.255
[*DeviceA-LoopBack0] commit
[~DeviceA-LoopBack0] quit

# Configure an L2TP group and related attributes of the L2TP group.
[~DeviceA] l2tp enable
[~DeviceA] l2tp-group lac1
[*DeviceA-l2tp-lac1] tunnel name lac1
[*DeviceA-l2tp-lac1] start l2tp ip 3.3.3.3
[*DeviceA-l2tp-lac1] tunnel authentication
[*DeviceA-l2tp-lac1] tunnel password simple 1qaz#EDC
[*DeviceA-l2tp-lac1] tunnel source loopback0
[*DeviceA-l2tp-lac1] commit
[~DeviceA-l2tp-lac1] quit

# Configure the RADIUS server on LAC 1.
[~DeviceA] radius-server group radius1
[*DeviceA-radius-radius1] radius-server authentication 10.0.0.249 1812
[*DeviceA-radius-radius1] radius-server accounting 10.0.0.249 1813
[*DeviceA-radius-radius1] radius-server shared-key itellin
[*DeviceA-radius-radius1] commit
[~DeviceA-radius-radius1] quit

# Configure the domain to which the user belongs on LAC 1.
[~DeviceA] aaa
[*DeviceA-aaa] domain isp1
[*DeviceA-aaa-domain-isp1] l2tp-group lac1
[*DeviceA-aaa-domain-isp1] radius-server group radius1
[*DeviceA-aaa-domain-isp1] authentication-scheme default1
[*DeviceA-aaa-domain-isp1] accounting-scheme default1
[*DeviceA-aaa-domain-isp1] commit
[~DeviceA-aaa-domain-isp1] quit
[~DeviceA-aaa] quit

# Configure routes.
[~DeviceA] ip route-static vpn-instance vrf1 3.3.3.3 255.255.255.255 10.0.0.2

Step 3 Configure Device C (LAC).
# Configure virtual template 1.
<Device> system-view
[~Device] sysname DeviceC
[*DeviceC] interface virtual-template 1
[*DeviceC-Virtual-Template1] ppp authentication-mode chap
[*DeviceC-Virtual-Template1] commit
[~DeviceC-Virtual-Template1] quit

# Bind virtual template 1 to GE 0/2/0.100.
[~DeviceC] interface gigabitethernet 0/2/0.100
[*DeviceC-GigabitEthernet0/2/0.100] pppoe-server bind virtual-template 1
[*DeviceC-GigabitEthernet0/2/0.100] user-vlan 1 100
[*DeviceC-GigabitEthernet0/2/0.100-vlan-1-100] commit
[~DeviceC-GigabitEthernet0/2/0.100-vlan-1-100] quit

# Configure a BAS interface.
[~DeviceC-GigabitEthernet0/2/0.100] bas
[*DeviceC-GigabitEthernet0/2/0.100-bas] access-type layer2-subscriber
[*DeviceC-GigabitEthernet0/2/0.100-bas] authentication-method ppp
[*DeviceC-GigabitEthernet0/2/0.100-bas] commit
[~DeviceC-GigabitEthernet0/2/0.100-bas] quit
[~DeviceC-GigabitEthernet0/2/0.100] quit

# Create a VPN instance.
[~DeviceC] ip vpn-instance vrf2
[*DeviceC-vpn-instance-vrf2] route-distinguisher 100:2
[*DeviceC-vpn-instance-vrf2] vpn-target 100:2 both
[*DeviceC-vpn-instance-vrf2] commit
[~DeviceC-vpn-instance-vrf2] quit

# Bind the LAC interface connected to the LNS to the VPN instance.
[~DeviceC] interface gigabitethernet0/1/1
[*DeviceC-GigabitEthernet0/1/1] ip binding vpn-instance vrf2
[*DeviceC-GigabitEthernet0/1/1] ip address 10.10.0.1 255.255.255.0
[*DeviceC-GigabitEthernet0/1/1] commit
[~DeviceC-GigabitEthernet0/1/1] quit

# Create Loopback 1.
[~DeviceC] interface loopback1
[*DeviceC-LoopBack1] ip binding vpn-instance vrf2
[*DeviceC-LoopBack1] ip address 2.2.2.2 255.255.255.255
[*DeviceC-LoopBack1] commit
[~DeviceC-LoopBack1] quit

# Configure an L2TP group and related attributes of the L2TP group.
[~DeviceC] l2tp enable
[~DeviceC] l2tp-group lac2
[*DeviceC-l2tp-lac2] tunnel name lac2
[*DeviceC-l2tp-lac2] start l2tp ip 4.4.4.4
[*DeviceC-l2tp-lac2] tunnel authentication
[*DeviceC-l2tp-lac2] tunnel password simple 1qaz#EDC
[*DeviceC-l2tp-lac2] tunnel source loopback1
[*DeviceC-l2tp-lac2] commit
[~DeviceC-l2tp-lac2] quit

# Configure the RADIUS server on LAC 2.
[~DeviceC] radius-server group radius1
[*DeviceC-radius-radius1] radius-server authentication 10.10.0.249 1812
[*DeviceC-radius-radius1] radius-server accounting 10.10.0.249 1813
[*DeviceC-radius-radius1] radius-server shared-key itellin
[*DeviceC-radius-radius1] commit
[~DeviceC-radius-radius1] quit

# Configure the domain to which the user belongs on LAC 2.
[~DeviceC] aaa
[*DeviceC-aaa] domain isp2
[*DeviceC-aaa-domain-isp2] l2tp-group lac2
[*DeviceC-aaa-domain-isp2] radius-server group radius1
[*DeviceC-aaa-domain-isp2] authentication-scheme default1
[*DeviceC-aaa-domain-isp2] accounting-scheme default1
[*DeviceC-aaa-domain-isp2] commit
[~DeviceC-aaa-domain-isp2] quit
[~DeviceC-aaa] quit

# Configure routes.
[~DeviceC] ip route-static vpn-instance vrf2 4.4.4.4 255.255.255.255 10.10.0.2

Step 4 Configure Device B (LNS).

# Create two VPN instances.
[~DeviceB] ip vpn-instance vrf1
[*DeviceB-vpn-instance-vrf1] route-distinguisher 100:1
[*DeviceB-vpn-instance-vrf1] vpn-target 100:1 both
[*DeviceB-vpn-instance-vrf1] commit
[~DeviceB-vpn-instance-vrf1] quit
[~DeviceB] ip vpn-instance vrf2
[*DeviceB-vpn-instance-vrf2] route-distinguisher 100:2
[*DeviceB-vpn-instance-vrf2] vpn-target 100:2 both
[*DeviceB-vpn-instance-vrf2] commit
[~DeviceB-vpn-instance-vrf2] quit

# Create two interfaces.
[~DeviceB] interface gigabitethernet0/1/1
[*DeviceB-GigabitEthernet0/1/1] ip binding vpn-instance vrf1
[*DeviceB-GigabitEthernet0/1/1] ip address 10.0.0.2 255.255.255.0
[*DeviceB-GigabitEthernet0/1/1] commit
[~DeviceB-GigabitEthernet0/1/1] quit
[~DeviceB] interface gigabitethernet0/1/2
[*DeviceB-GigabitEthernet0/1/2] ip binding vpn-instance vrf2
[*DeviceB-GigabitEthernet0/1/2] ip address 10.10.0.2 255.255.255.0
[*DeviceB-GigabitEthernet0/1/2] commit
[~DeviceB-GigabitEthernet0/1/2] quit

# Create loopback interfaces.
[~DeviceB] interface loopback0
[*DeviceB-LoopBack0] ip binding vpn-instance vrf1
[*DeviceB-LoopBack0] ip address 3.3.3.3 255.255.255.255
[*DeviceB-LoopBack0] commit
[~DeviceB-LoopBack0] quit
[~DeviceB] interface loopback1
[*DeviceB-LoopBack1] ip binding vpn-instance vrf2
[*DeviceB-LoopBack1] ip address 4.4.4.4 255.255.255.255
[*DeviceB-LoopBack1] commit
[~DeviceB-LoopBack1] quit

# Create virtual template 1.
[~DeviceB] interface virtual-template 1
[*DeviceB-Virtual-Template1] ppp authentication-mode chap
[*DeviceB-Virtual-Template1] commit
[~DeviceB-Virtual-Template1] quit

# Enable L2TP and configure L2TP groups.
[~DeviceB] l2tp enable
[~DeviceB] l2tp-group lns1
[*DeviceB-l2tp-lns1] tunnel name lns1
[*DeviceB-l2tp-lns1] allow l2tp virtual-template 1 remote lac1
[*DeviceB-l2tp-lns1] tunnel authentication
[*DeviceB-l2tp-lns1] tunnel password simple 1qaz#EDC
[*DeviceB-l2tp-lns1] commit
[~DeviceB-l2tp-lns1] quit
[~DeviceB] l2tp-group lns2
[*DeviceB-l2tp-lns2] tunnel name lns2
[*DeviceB-l2tp-lns2] allow l2tp virtual-template 1 remote lac2
[*DeviceB-l2tp-lns2] tunnel authentication
[*DeviceB-l2tp-lns2] tunnel password simple 1qaz#EDC
[*DeviceB-l2tp-lns2] commit
[~DeviceB-l2tp-lns2] quit

# Create LNS group 1, and bind the tunnel board and the interfaces to the LNS group.
[~DeviceB] lns-group group1
[*DeviceB-lns-group-group1] bind slot 1
[*DeviceB-lns-group-group1] bind source LoopBack0
[*DeviceB-lns-group-group1] bind source LoopBack1
[*DeviceB-lns-group-group1] commit
[~DeviceB-lns-group-group1] quit

# Configure the address pool used to assign addresses to users.
[~DeviceB] ip pool pool1 bas local
[*DeviceB-ip-pool-pool1] gateway 210.10.0.1 255.255.255.0
[*DeviceB-ip-pool-pool1] section 0 210.10.0.10 210.10.0.100
[*DeviceB-ip-pool-pool1] commit
[~DeviceB-ip-pool-pool1] quit
[~DeviceB] ip pool pool2 bas local
[*DeviceB-ip-pool-pool2] gateway 155.10.0.1 255.255.255.0
[*DeviceB-ip-pool-pool2] section 0 155.10.0.10 155.10.0.100
[*DeviceB-ip-pool-pool2] commit
[~DeviceB-ip-pool-pool2] quit

# Configure the RADIUS server.
[~DeviceB] radius-server group radius1
[*DeviceB-radius-radius1] radius-server authentication 20.20.20.1 1812
[*DeviceB-radius-radius1] radius-server accounting 20.20.20.1 1813
[*DeviceB-radius-radius1] radius-server shared-key itellin
[*DeviceB-radius-radius1] commit
[~DeviceB-radius-radius1] quit

# Configure the domain to which the user belongs.
[~DeviceB] aaa
[*DeviceB-aaa] domain isp1
[*DeviceB-aaa-domain-isp1] radius-server group radius1
[*DeviceB-aaa-domain-isp1] authentication-scheme default1
[*DeviceB-aaa-domain-isp1] accounting-scheme default1
[*DeviceB-aaa-domain-isp1] ip-pool pool1
[*DeviceB-aaa-domain-isp1] commit
[~DeviceB-aaa-domain-isp1] quit
[~DeviceB-aaa] domain isp2
[*DeviceB-aaa-domain-isp2] radius-server group radius1
[*DeviceB-aaa-domain-isp2] authentication-scheme default1
[*DeviceB-aaa-domain-isp2] accounting-scheme default1
[*DeviceB-aaa-domain-isp2] ip-pool pool2
[*DeviceB-aaa-domain-isp2] commit
[~DeviceB-aaa-domain-isp2] quit
[~DeviceB-aaa] quit

# Configure routes.
[~DeviceB] ip route-static vpn-instance vrf1 1.1.1.1 255.255.255.255 10.0.0.1
[~DeviceB] ip route-static vpn-instance vrf2 2.2.2.2 255.255.255.255 10.10.0.1

Step 5 Verify the configuration.
[~DeviceA] ping -vpn-instance vrf1 3.3.3.3
PING 3.3.3.3: 56 data bytes, press CTRL_C to break
Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=255 time=12 ms
Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=255 time=5 ms
Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=255 time=8 ms

--- 3.3.3.3 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/8/12 ms
[~DeviceC] ping -vpn-instance vrf2 4.4.4.4
PING 4.4.4.4: 56 data bytes, press CTRL_C to break
Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=255 time=12 ms
Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=255 time=5 ms
Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=255 time=8 ms

--- 4.4.4.4 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/8/12 ms
[~DeviceA] test l2tp-tunnel l2tp-group lac1 ip-address 3.3.3.3
Testing L2TP tunnel connectivity now.......
Test L2TP tunnel connectivity success.
[~DeviceC] test l2tp-tunnel l2tp-group lac2 ip-address 4.4.4.4
Testing L2TP tunnel connectivity now.......
Test L2TP tunnel connectivity success.

----End

Configuration Files
l Configuration file of Device A
#
sysname DeviceA
#
l2tp enable
#
radius-server group radius1
radius-server authentication 10.0.0.249 1812
radius-server accounting 10.0.0.249 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0.100
undo shutdown
pppoe-server bind Virtual-Template 1
user-vlan 1 100
bas
access-type layer2-subscriber
#
ip vpn-instance vrf1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
interface LoopBack0
ip binding vpn-instance vrf1
ip address 1.1.1.1 255.255.255.255
#
l2tp-group lac1
tunnel password simple 1qaz#EDC
tunnel name lac1
start l2tp ip 3.3.3.3
tunnel source LoopBack0
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac1
#
interface GigabitEthernet0/1/1
undo shutdown
ip binding vpn-instance vrf1
ip address 10.0.0.1 255.255.255.0
#
ip route-static vpn-instance vrf1 3.3.3.3 255.255.255.255 10.0.0.2
#
return
l Configuration file of Device C
#
sysname DeviceC
#
l2tp enable
#
radius-server group radius1
radius-server authentication 10.10.0.249 1812
radius-server accounting 10.10.0.249 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0.100
undo shutdown
pppoe-server bind Virtual-Template 1
user-vlan 1 100
bas
access-type layer2-subscriber
#
ip vpn-instance vrf2
route-distinguisher 100:2
vpn-target 100:2 export-extcommunity
vpn-target 100:2 import-extcommunity
#
interface LoopBack1
ip binding vpn-instance vrf2
ip address 2.2.2.2 255.255.255.255
#
l2tp-group lac2
tunnel password simple 1qaz#EDC
tunnel name lac2
start l2tp ip 4.4.4.4
tunnel source LoopBack1
#
aaa
domain isp2
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac2
#
interface GigabitEthernet0/1/1
undo shutdown
ip binding vpn-instance vrf2
ip address 10.10.0.1 255.255.255.0
#
ip route-static vpn-instance vrf2 4.4.4.4 255.255.255.255 10.10.0.2
#
return
l Configuration file of Device B
#
sysname DeviceB
#
l2tp enable
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
interface Virtual-Template1
ppp authentication-mode chap
#
ip vpn-instance vrf1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vrf2
route-distinguisher 100:2
vpn-target 100:2 export-extcommunity
vpn-target 100:2 import-extcommunity
#
interface LoopBack0
ip binding vpn-instance vrf1
ip address 3.3.3.3 255.255.255.255
#
interface LoopBack1
ip binding vpn-instance vrf2
ip address 4.4.4.4 255.255.255.255
#
l2tp-group lns1
allow l2tp virtual-template 1 remote lac1
tunnel password simple 1qaz#EDC
tunnel name lns1
#
l2tp-group lns2
allow l2tp virtual-template 1 remote lac2
tunnel password simple 1qaz#EDC
tunnel name lns2
#
lns-group group1
bind slot 1
bind source LoopBack0
bind source LoopBack1
#
ip pool pool1 bas local
gateway 210.10.0.1 255.255.255.0
section 0 210.10.0.10 210.10.0.100
#
ip pool pool2 bas local
gateway 155.10.0.1 255.255.255.0
section 0 155.10.0.10 155.10.0.100
#
aaa
domain isp1
radius-server group radius1
authentication-scheme default1
accounting-scheme default1
ip-pool pool1
domain isp2
radius-server group radius1
authentication-scheme default1
accounting-scheme default1
ip-pool pool2
#
interface GigabitEthernet0/1/1
undo shutdown
ip binding vpn-instance vrf1
ip address 10.0.0.2 255.255.255.0
#
interface GigabitEthernet0/1/2
undo shutdown
ip binding vpn-instance vrf2
ip address 10.10.0.2 255.255.255.0
#
ip route-static vpn-instance vrf1 1.1.1.1 255.255.255.255 10.0.0.1
ip route-static vpn-instance vrf2 2.2.2.2 255.255.255.255 10.10.0.1
#
return
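Several settings in the procedure above must agree across devices: the LAC's tunnel source interface and its static route to the LNS must sit in the same VPN instance, the LNS must have an l2tp-group whose remote name matches the LAC's tunnel name, and the tunnel passwords must match. The Python checker below is an added example, not part of this guide or of NE40E software; it parses configuration files in the format shown above (the sample files embedded in it are constructed) and reports those mismatches, plus any tunnel password kept with the simple keyword, which the file then shows in plaintext.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input (not a device export), modelled on the DeviceA (LAC) and
# DeviceB (LNS) configuration files above; indentation follows what the device writes.
LAC_OK = """\
interface LoopBack0
 ip binding vpn-instance vrf1
#
l2tp-group lac1
 tunnel password simple 1qaz#EDC
 tunnel name lac1
 start l2tp ip 3.3.3.3
 tunnel source LoopBack0
#
ip route-static vpn-instance vrf1 3.3.3.3 255.255.255.255 10.0.0.2
#
"""
# Same LAC, but the host route towards the LNS was placed in the other VPN instance.
LAC_BAD = LAC_OK.replace("route-static vpn-instance vrf1", "route-static vpn-instance vrf2")
LNS = """\
interface LoopBack0
 ip binding vpn-instance vrf1
#
l2tp-group lns1
 allow l2tp virtual-template 1 remote lac1
 tunnel password simple 1qaz#EDC
#
"""
ROUTE_RE = re.compile(r"ip route-static(?: vpn-instance (\S+))? (\S+) \S+ \S+")

def parse_blocks(cfg: str) -> List[Tuple[str, List[str]]]:
    """Split a VRP file into (header, sub-commands) blocks at the '#' separator lines."""
    blocks, current = [], []
    for line in [ln.strip() for ln in cfg.splitlines()] + ["#"]:
        if line in ("#", "return"):
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line:
            current.append(line)
    return blocks

def interface_vrfs(blocks) -> Dict[str, str]:
    """Map lower-cased interface name -> bound vpn-instance ('' = public instance)."""
    vrfs = {}
    for header, body in blocks:
        m = re.match(r"interface (\S+)$", header)
        if m:
            bound = [c.split()[-1] for c in body if c.startswith("ip binding vpn-instance ")]
            vrfs[m.group(1).lower()] = bound[0] if bound else ""
    return vrfs

def l2tp_groups(blocks) -> Dict[str, dict]:
    """Map l2tp-group name -> tunnel settings (only the first LNS of 'start l2tp ip' is kept)."""
    groups = {}
    for header, body in blocks:
        m = re.match(r"l2tp-group (\S+)$", header)
        if not m:
            continue
        g = dict(name=None, lns=None, source=None, remote=None, password=None, plain=False)
        for p in (c.split() for c in body):
            if p[:2] == ["tunnel", "name"]:
                g["name"] = p[2]
            elif p[:2] == ["tunnel", "password"]:
                g["password"], g["plain"] = p[3], p[2] == "simple"
            elif p[:2] == ["tunnel", "source"]:
                g["source"] = p[2].lower()
            elif p[:3] == ["start", "l2tp", "ip"]:
                g["lns"] = p[3]
            elif p[:2] == ["allow", "l2tp"] and "remote" in p:
                g["remote"] = p[p.index("remote") + 1]
        groups[m.group(1)] = g
    return groups

def check_pair(lac_cfg: str, lns_cfg: str) -> List[str]:
    """Return findings for one LAC/LNS pair; an empty list means the pair is consistent."""
    lac = parse_blocks(lac_cfg)
    vrfs = interface_vrfs(lac)
    # destination -> vpn-instance of the static route that carries the tunnel traffic
    routes = {m.group(2): m.group(1) or "" for m in map(ROUTE_RE.match, [h for h, _ in lac]) if m}
    lns_groups = l2tp_groups(parse_blocks(lns_cfg)).values()
    findings = []
    for gname, g in l2tp_groups(lac).items():
        if not g["lns"]:
            continue  # an LNS-side group on this device; nothing to pair
        if g["plain"]:
            findings.append(f"{gname}: tunnel password stored with 'simple' (plaintext in the file)")
        src_vrf = vrfs.get(g["source"], "")
        if g["lns"] not in routes:
            findings.append(f"{gname}: no static route to LNS {g['lns']}")
        elif routes[g["lns"]] != src_vrf:
            findings.append(f"{gname}: tunnel source {g['source'] or 'default'} is bound to "
                            f"'{src_vrf or 'public'}' but the route to {g['lns']} is in "
                            f"'{routes[g['lns']] or 'public'}'")
        peer = next((p for p in lns_groups if p["remote"] == g["name"]), None)
        if peer is None:
            findings.append(f"{gname}: LNS has no l2tp-group allowing remote tunnel name {g['name']}")
        elif peer["password"] != g["password"]:  # meaningful only when both sides use the same keyword
            findings.append(f"{gname}: tunnel password differs from the LNS group")
    return findings
```

Run `check_pair` once per LAC/LNS pair; the VRF check also passes for the public-instance variant in the preceding example, where neither the loopback nor the route names a vpn-instance.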

12.12.9 Example for Configuring an L2TP Tunnel on an L3VPN for User Access
This section provides an example for configuring an L2TP tunnel on an L3VPN for user
access. This configuration example consists of networking requirements, configuration
roadmap, configuration procedure, and configuration files.

Networking Requirements
As shown in Figure 12-15, NE40E A and NE40E B function as PEs on the MPLS backbone. NE40E A
functions as the LAC, NE40E B functions as the LNS, and the L2TP tunnels are set up within the
VPN. Loopback 0 belongs to VRF 1 and Loopback 1 belongs to VRF 2.

Figure 12-15 Networking diagram for establishing an L2TP Tunnel on an L3VPN for user
access
NOTE
Interfaces 1 and 2 in this example are GE 0/2/0.100 and GE 0/3/0.

[Figure 12-15 shows PC1 (user1@isp1) and PC2 (user1@isp2) reaching DeviceA (LAC) over the
access network on interface1. DeviceA connects over interface2 across the MPLS network to
DeviceB (LNS). The isp1 tunnel runs in VRF1 between the LoopBack0 interfaces of DeviceA and
DeviceB toward Headquarter01; the isp2 tunnel runs in VRF2 between their LoopBack1 interfaces
toward Headquarter02.]

Device   Interface               IP address
DeviceA  GigabitEthernet 0/3/0   172.16.1.1/24
         LoopBack 0              10.1.1.3/24
         LoopBack 1              10.2.1.3/24
         LoopBack 2              1.1.1.9/32
         lsr-id                  1.1.1.9
DeviceB  GigabitEthernet 0/3/0   172.16.1.2/24
         LoopBack 0              10.3.1.3/24
         LoopBack 1              10.4.1.3/24
         LoopBack 2              2.2.2.9/32
         lsr-id                  2.2.2.9

Configuration Roadmap
1. Set up an MPLS VPN on the backbone network.
2. Bind the interface of the L2TP tunnel to the VPN instance.
3. Configure dial-up parameters at the user side.
4. Configure a LAC.
5. Configure an LNS.

Data Preparation
To complete the configuration, you need the following data:
l MPLS LSR ID of each PE, which is the IP address of Loopback 2
l Usernames and passwords of PC1 and PC2
l Tunnel password, the tunnel name on the LNS, and the tunnel name on the LAC
l VPN instance
l Numbers of two VT interfaces and numbers of two L2TP groups
l Number, range, and mask of the remote address pool

Procedure
Step 1 Configure the devices on the user side.
To create a dial-up connection, dial the access number specified on Device A, and receive
addresses assigned by the LNS server.
On PC1, enter the user name user1@isp1 and the password (already registered on the LNS) in
the displayed dial-up terminal window.
On PC2, enter the user name user1@isp2 and the password (already registered on the LNS) in
the displayed dial-up terminal window.
Step 2 Configure DeviceA (the LAC side).
# Configure VT interface 1.
<Device> system-view
[~Device] sysname DeviceA
[*DeviceA] interface virtual-template 1
[*DeviceA-Virtual-Template1] ppp authentication-mode chap
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit

# Bind VT interface 1 to GE 0/2/0.100.
[~DeviceA] interface gigabitethernet 0/2/0.100
[*DeviceA-GigabitEthernet0/2/0.100] pppoe-server bind virtual-template 1
[*DeviceA-GigabitEthernet0/2/0.100] user-vlan 1 100
[*DeviceA-GigabitEthernet0/2/0.100-vlan-1-100] commit
[~DeviceA-GigabitEthernet0/2/0.100-vlan-1-100] quit

# Configure a BAS interface.
[~DeviceA-GigabitEthernet0/2/0.100] bas
[*DeviceA-GigabitEthernet0/2/0.100-bas] access-type layer2-subscriber
[*DeviceA-GigabitEthernet0/2/0.100-bas] authentication-method ppp
[*DeviceA-GigabitEthernet0/2/0.100-bas] commit
[~DeviceA-GigabitEthernet0/2/0.100-bas] quit
[~DeviceA-GigabitEthernet0/2/0.100] quit

# Create a VPN instance.
[~DeviceA] ip vpn-instance vrf1
[*DeviceA-vpn-instance-vrf1] route-distinguisher 100:1
[*DeviceA-vpn-instance-vrf1] vpn-target 100:1 both
[*DeviceA-vpn-instance-vrf1] commit
[~DeviceA-vpn-instance-vrf1] quit
[~DeviceA] ip vpn-instance vrf2
[*DeviceA-vpn-instance-vrf2] route-distinguisher 100:2
[*DeviceA-vpn-instance-vrf2] vpn-target 100:2 both
[*DeviceA-vpn-instance-vrf2] commit
[~DeviceA-vpn-instance-vrf2] quit

# Create the loopback interface.
[~DeviceA] interface loopback0
[*DeviceA-LoopBack0] ip binding vpn-instance vrf1
[*DeviceA-LoopBack0] ip address 10.1.1.3 255.255.255.0
[*DeviceA-LoopBack0] commit
[~DeviceA-LoopBack0] quit
[~DeviceA] interface loopback1
[*DeviceA-LoopBack1] ip binding vpn-instance vrf2
[*DeviceA-LoopBack1] ip address 10.2.1.3 255.255.255.0
[*DeviceA-LoopBack1] commit
[~DeviceA-LoopBack1] quit

# Configure an L2TP group and related attributes of the L2TP group.
[~DeviceA] l2tp enable
[~DeviceA] l2tp-group lac1
[*DeviceA-l2tp-lac1] tunnel name lac1
[*DeviceA-l2tp-lac1] start l2tp ip 10.3.1.3
[*DeviceA-l2tp-lac1] tunnel authentication
[*DeviceA-l2tp-lac1] tunnel password simple 1qaz#EDC
[*DeviceA-l2tp-lac1] tunnel source loopback0
[*DeviceA-l2tp-lac1] commit
[~DeviceA-l2tp-lac1] quit
[~DeviceA] l2tp-group lac2
[*DeviceA-l2tp-lac2] tunnel name lac2
[*DeviceA-l2tp-lac2] start l2tp ip 10.4.1.3
[*DeviceA-l2tp-lac2] tunnel authentication
[*DeviceA-l2tp-lac2] tunnel password simple 1qaz#EDC
[*DeviceA-l2tp-lac2] tunnel source loopback1
[*DeviceA-l2tp-lac2] commit
[~DeviceA-l2tp-lac2] quit

# Configure the RADIUS server on LAC 1.
[~DeviceA] radius-server group radius1
[*DeviceA-radius-radius1] radius-server authentication 10.0.0.249 1812
[*DeviceA-radius-radius1] radius-server accounting 10.0.0.249 1813
[*DeviceA-radius-radius1] radius-server shared-key itellin
[*DeviceA-radius-radius1] commit
[~DeviceA-radius-radius1] quit

# Configure the domain to which the user belongs on LAC 1.
[~DeviceA] aaa
[*DeviceA-aaa] domain isp1
[*DeviceA-aaa-domain-isp1] l2tp-group lac1
[*DeviceA-aaa-domain-isp1] radius-server group radius1
[*DeviceA-aaa-domain-isp1] authentication-scheme default1
[*DeviceA-aaa-domain-isp1] accounting-scheme default1
[*DeviceA-aaa-domain-isp1] commit
[~DeviceA-aaa-domain-isp1] quit
[~DeviceA-aaa] domain isp2
[*DeviceA-aaa-domain-isp2] l2tp-group lac2
[*DeviceA-aaa-domain-isp2] radius-server group radius1
[*DeviceA-aaa-domain-isp2] authentication-scheme default1
[*DeviceA-aaa-domain-isp2] accounting-scheme default1
[*DeviceA-aaa-domain-isp2] commit
[~DeviceA-aaa-domain-isp2] quit
[~DeviceA-aaa] quit

Step 3 Configure DeviceB (the LNS side).
# Create two VPN instances.
[~DeviceB] ip vpn-instance vrf1
[*DeviceB-vpn-instance-vrf1] route-distinguisher 100:1
[*DeviceB-vpn-instance-vrf1] vpn-target 100:1 both
[*DeviceB-vpn-instance-vrf1] commit
[~DeviceB-vpn-instance-vrf1] quit
[~DeviceB] ip vpn-instance vrf2
[*DeviceB-vpn-instance-vrf2] route-distinguisher 100:2
[*DeviceB-vpn-instance-vrf2] vpn-target 100:2 both
[*DeviceB-vpn-instance-vrf2] commit
[~DeviceB-vpn-instance-vrf2] quit

# Create the loopback interface.
[~DeviceB] interface loopback0
[*DeviceB-LoopBack0] ip binding vpn-instance vrf1
[*DeviceB-LoopBack0] ip address 10.3.1.3 255.255.255.0
[*DeviceB-LoopBack0] commit
[~DeviceB-LoopBack0] quit
[~DeviceB] interface loopback1
[*DeviceB-LoopBack1] ip binding vpn-instance vrf2
[*DeviceB-LoopBack1] ip address 10.4.1.3 255.255.255.0
[*DeviceB-LoopBack1] commit
[~DeviceB-LoopBack1] quit

# Create VT interface 1.
[~DeviceB] interface virtual-template 1
[*DeviceB-Virtual-Template1] ppp authentication-mode chap
[*DeviceB-Virtual-Template1] commit
[~DeviceB-Virtual-Template1] quit

# Enable L2TP and configure L2TP groups.
[~DeviceB] l2tp enable
[~DeviceB] l2tp-group lns1
[*DeviceB-l2tp-lns1] tunnel name lns1
[*DeviceB-l2tp-lns1] allow l2tp virtual-template 1 remote lac1
[*DeviceB-l2tp-lns1] tunnel authentication
[*DeviceB-l2tp-lns1] tunnel password simple 1qaz#EDC
[*DeviceB-l2tp-lns1] commit
[~DeviceB-l2tp-lns1] quit
[~DeviceB] l2tp-group lns2
[*DeviceB-l2tp-lns2] tunnel name lns2
[*DeviceB-l2tp-lns2] allow l2tp virtual-template 1 remote lac2
[*DeviceB-l2tp-lns2] tunnel authentication
[*DeviceB-l2tp-lns2] tunnel password simple 1qaz#EDC
[*DeviceB-l2tp-lns2] commit
[~DeviceB-l2tp-lns2] quit

# Create LNS group 1, and bind the tunnel board and the interfaces to the LNS group.
[~DeviceB] lns-group group1
[*DeviceB-lns-group-group1] bind slot 1
[*DeviceB-lns-group-group1] bind source LoopBack0
[*DeviceB-lns-group-group1] bind source LoopBack1
[*DeviceB-lns-group-group1] commit
[~DeviceB-lns-group-group1] quit

# Configure the address pool used to assign addresses to users.
[~DeviceB] ip pool pool1 bas local
[*DeviceB-ip-pool-pool1] gateway 192.168.0.1 255.255.255.0
[*DeviceB-ip-pool-pool1] section 0 192.168.0.10 192.168.0.100
[*DeviceB-ip-pool-pool1] commit
[~DeviceB-ip-pool-pool1] quit
[~DeviceB] ip pool pool2 bas local
[*DeviceB-ip-pool-pool2] gateway 172.30.0.1 255.255.255.0
[*DeviceB-ip-pool-pool2] section 0 172.30.0.10 172.30.0.100
[*DeviceB-ip-pool-pool2] commit
[~DeviceB-ip-pool-pool2] quit

# Configure the RADIUS server.
[~DeviceB] radius-server group radius1
[*DeviceB-radius-radius1] radius-server authentication 20.20.20.1 1812
[*DeviceB-radius-radius1] radius-server accounting 20.20.20.1 1813
[*DeviceB-radius-radius1] radius-server shared-key itellin
[*DeviceB-radius-radius1] commit
[~DeviceB-radius-radius1] quit

# Configure the domain to which the user belongs.
[~DeviceB] aaa
[*DeviceB-aaa] domain isp1
[*DeviceB-aaa-domain-isp1] radius-server group radius1
[*DeviceB-aaa-domain-isp1] authentication-scheme default1
[*DeviceB-aaa-domain-isp1] accounting-scheme default1
[*DeviceB-aaa-domain-isp1] ip-pool pool1
[*DeviceB-aaa-domain-isp1] commit
[~DeviceB-aaa-domain-isp1] quit
[~DeviceB-aaa] domain isp2
[*DeviceB-aaa-domain-isp2] radius-server group radius1
[*DeviceB-aaa-domain-isp2] authentication-scheme default1
[*DeviceB-aaa-domain-isp2] accounting-scheme default1
[*DeviceB-aaa-domain-isp2] ip-pool pool2
[*DeviceB-aaa-domain-isp2] commit
[~DeviceB-aaa-domain-isp2] quit
[~DeviceB-aaa] quit

Step 4 Verify the configuration.

# The LNS tunnel interface must be reachable from the LAC within the VPN instance.
[~DeviceA] ping -vpn-instance vrf1 10.3.1.3
PING 10.3.1.3: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.3: bytes=56 Sequence=1 ttl=255 time=12 ms
Reply from 10.3.1.3: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 10.3.1.3: bytes=56 Sequence=3 ttl=255 time=5 ms
Reply from 10.3.1.3: bytes=56 Sequence=4 ttl=255 time=8 ms

--- 10.3.1.3 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/8/12 ms
[~DeviceA] ping -vpn-instance vrf2 10.4.1.3
PING 10.4.1.3: 56 data bytes, press CTRL_C to break
Reply from 10.4.1.3: bytes=56 Sequence=1 ttl=255 time=12 ms
Reply from 10.4.1.3: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 10.4.1.3: bytes=56 Sequence=3 ttl=255 time=5 ms
Reply from 10.4.1.3: bytes=56 Sequence=4 ttl=255 time=8 ms

--- 10.4.1.3 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/8/12 ms

# The L2TP user can go online normally.

----End

Configuration Files
l Configuration file of DeviceA
#
sysname DeviceA
#
mpls lsr-id 1.1.1.9
mpls
lsp-trigger all
#
mpls ldp
#
radius-server group radius1
radius-server authentication 10.0.0.249 1812
radius-server accounting 10.0.0.249 1813
radius-server shared-key itellin
#
ip vpn-instance vrf1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vrf2
route-distinguisher 200:1
vpn-target 200:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
l2tp-group lac1
tunnel password simple 1qaz#EDC
tunnel name lac1
start l2tp ip 10.3.1.3
tunnel source LoopBack0
l2tp-group lac2

tunnel password simple 1qaz#EDC
tunnel name lac2
start l2tp ip 10.4.1.3
tunnel source LoopBack1
#
aaa
domain isp1
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac1
domain isp2
authentication-scheme default1
accounting-scheme default1
radius-server group radius1
l2tp-group lac2
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/2/0
undo shutdown
#
interface GigabitEthernet0/2/0.100
undo shutdown
pppoe-server bind Virtual-Template 1
user-vlan 1 100
bas
access-type layer2-subscriber
#
interface GigabitEthernet0/3/0
undo shutdown
ip address 172.16.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip binding vpn-instance vrf1
ip address 10.1.1.3 255.255.255.0
#
interface LoopBack1
ip binding vpn-instance vrf2
ip address 10.2.1.3 255.255.255.0
#
interface LoopBack2
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack2
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vrf1
import-route direct
import-route unr
#
ipv4-family vpn-instance vrf2
import-route direct
import-route unr
#
ospf 1
area 0.0.0.0

network 172.16.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
l Configuration file of DeviceB
#
sysname DeviceB
#
mpls lsr-id 2.2.2.9
mpls
lsp-trigger all
#
mpls ldp
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
ip vpn-instance vrf1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vrf2
route-distinguisher 100:2
vpn-target 100:2 export-extcommunity
vpn-target 100:2 import-extcommunity
#
l2tp-group lns1
allow l2tp virtual-template 1 remote lac1
tunnel password simple 1qaz#EDC
tunnel name lns1
#
l2tp-group lns2
allow l2tp virtual-template 1 remote lac2
tunnel password simple 1qaz#EDC
tunnel name lns2
#
lns-group group1
bind slot 1
bind source LoopBack0
bind source LoopBack1
#
ip pool pool1 bas local
gateway 192.168.0.1 255.255.255.0
section 0 192.168.0.10 10.10.0.100
#
ip pool pool2 bas local
gateway 172.30.0.1 255.255.255.0
section 0 172.30.0.10 10.10.0.100
#
aaa
domain isp1
radius-server group radius1
authentication-scheme default1
accounting-scheme default1
ip-pool pool1
domain isp2
radius-server group radius1
authentication-scheme default1
accounting-scheme default1
ip-pool pool2
#
interface LoopBack0
ip binding vpn-instance vrf1
ip address 10.3.1.3 255.255.255.0
#
interface LoopBack1

ip binding vpn-instance vrf2
ip address 10.4.1.3 255.255.255.0
#
interface LoopBack2
ip address 2.2.2.9 255.255.255.255
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet0/3/0
undo shutdown
ip address 172.17.1.2 255.255.255.0
mpls
mpls ldp
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack2
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vrf1
import-route direct
import-route unr
#
ipv4-family vpn-instance vrf2
import-route direct
import-route unr
#
ospf 1
area 0.0.0.0
network 172.17.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
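The two configuration files above only work together if the LAC and LNS sides agree: each LAC l2tp-group's tunnel name must be accepted by an LNS group (allow l2tp virtual-template ... remote), the tunnel passwords must match, the start l2tp ip address must exist on the LNS, and CHAP must be set on both Virtual-Templates. The Python script below is an added example, not part of the Huawei guide, that checks these points and also flags tunnel password simple, which keeps the L2TP tunnel secret readable in the saved configuration; the cipher keyword is assumed to be the encrypted-storage alternative on this platform. The embedded configuration texts are trimmed copies of the DeviceA and DeviceB files printed above (indentation restored), and parse_blocks, field and check_l2tp_pairing are names chosen for this example.

```python
import re

# Constructed inputs: the L2TP-relevant fragments of the DeviceA (LAC) and
# DeviceB (LNS) configuration files printed above, with indentation restored.
LAC_CONFIG = """\
l2tp-group lac1
 tunnel password simple 1qaz#EDC
 tunnel name lac1
 start l2tp ip 10.3.1.3
 tunnel source LoopBack0
l2tp-group lac2
 tunnel password simple 1qaz#EDC
 tunnel name lac2
 start l2tp ip 10.4.1.3
 tunnel source LoopBack1
#
interface Virtual-Template1
 ppp authentication-mode chap
#
"""
LNS_CONFIG = """\
l2tp-group lns1
 allow l2tp virtual-template 1 remote lac1
 tunnel password simple 1qaz#EDC
 tunnel name lns1
#
l2tp-group lns2
 allow l2tp virtual-template 1 remote lac2
 tunnel password simple 1qaz#EDC
 tunnel name lns2
#
interface LoopBack0
 ip binding vpn-instance vrf1
 ip address 10.3.1.3 255.255.255.0
#
interface LoopBack1
 ip binding vpn-instance vrf2
 ip address 10.4.1.3 255.255.255.0
#
interface Virtual-Template1
 ppp authentication-mode chap
#
"""
BLOCK_START = re.compile(r"^(l2tp-group|interface)\s")


def parse_blocks(text):
    """Split a VRP configuration into {block header: [child lines]}; only 'l2tp-group'
    and 'interface' open a block and a bare '#' closes one, so this also works on
    text whose indentation PDF extraction has stripped."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif BLOCK_START.match(line):
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def field(body, prefix):
    """Text following `prefix` on the first matching child line, else None."""
    return next((l[len(prefix) + 1:] for l in body if l.startswith(prefix + " ")), None)


def check_l2tp_pairing(lac_text, lns_text):
    """Return sorted findings; an empty list means the LAC and LNS line up."""
    lac, lns = parse_blocks(lac_text), parse_blocks(lns_text)
    findings, accept, lns_addrs = [], {}, set()
    for header, body in lns.items():
        if header.startswith("interface"):
            lns_addrs.update(l.split()[2] for l in body if l.startswith("ip address "))
        elif header.startswith("l2tp-group"):
            remote = field(body, "allow l2tp virtual-template")  # e.g. "1 remote lac1"
            if remote:
                accept[remote.split()[-1]] = (header, body)
    # Secret hygiene on both sides: 'simple' keeps the tunnel password readable in the
    # saved configuration ('cipher' stores it encrypted); PAP would send user passwords in clear.
    for side, cfg in (("LAC", lac), ("LNS", lns)):
        for header, body in cfg.items():
            pw = field(body, "tunnel password")
            if pw and pw.startswith("simple "):
                findings.append(f"{side} {header}: tunnel password stored in plaintext ('simple'); use 'cipher'")
            if header.startswith("interface Virtual-Template") and field(body, "ppp authentication-mode") != "chap":
                findings.append(f"{side} {header}: ppp authentication-mode is not chap")
    for header, body in lac.items():
        if not header.startswith("l2tp-group"):
            continue
        name, dest, pw = field(body, "tunnel name"), field(body, "start l2tp ip"), field(body, "tunnel password")
        if name not in accept:
            findings.append(f"LAC {header}: no LNS l2tp-group accepts remote '{name}'")
        else:
            peer_header, peer_body = accept[name]
            peer_pw = field(peer_body, "tunnel password")
            # Only 'simple' secrets are comparable as text; 'cipher' values are encrypted.
            if pw and peer_pw and pw.startswith("simple ") and peer_pw.startswith("simple ") and pw != peer_pw:
                findings.append(f"LAC {header} / LNS {peer_header}: tunnel passwords differ")
        if dest not in lns_addrs:
            findings.append(f"LAC {header}: start l2tp ip {dest} is not an address configured on the LNS")
    return sorted(findings)
```

Run against the files above, check_l2tp_pairing(LAC_CONFIG, LNS_CONFIG) reports only the four plaintext tunnel passwords; renaming a remote, changing one side's password or pointing start l2tp ip at an address the LNS does not own each produce a separate finding. Because the extracted configuration files in this guide have lost their indentation, the parser deliberately relies on the l2tp-group/interface keywords and the '#' terminators rather than on leading spaces.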

13 User Access Multi-Device Backup Configuration

About This Chapter

Multi-device backup can be configured to back up user information, improving service reliability.
NOTE

This feature is supported only on the Admin-VS.

13.1 Overview
In multi-device backup, a VRRP backup group can be created to achieve BRAS user
information backup. In this manner, services can be flexibly controlled and managed.
13.2 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2E
13.3 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2F
13.4 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2H
13.5 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2K
13.6 Configuring Multi-Device Backup for IPv4 User Information
After multi-device backup of IPv4 user information is enabled, users do not need to re-dial up,
QoS scheduling remains unchanged, accounting information is not lost, and users can go
online through new locations after a master/backup switchover.
13.7 Configuring Multi-Device Backup for IPv6 BRAS User Information
After multi-device backup of BRAS user information is enabled on IPv6 networks, users do
not need to re-dial up, QoS scheduling remains unchanged, accounting information is not lost,
and users can go online through new locations after a master/backup switchover.
13.8 Configuring Multicast Two-node Hot Backup
Configuring multicast two-node hot backup improves reliability for networks that bear
multicast services. This feature ensures multicast service continuity in case of a BRAS failure.
13.9 Configuring L2TP Two-node Hot Backup
L2TP two-node hot backup can be configured on LACs, improving L2TP access reliability.
L2TP two-node hot backup allows users to get online again without re-dialing up if a network
fault occurs.

13.10 Maintaining Multi-System Backup
By running the monitoring and statistics clearing commands, you can view backup information and check the configuration.
13.11 Configuration Examples
This section provides configuration examples of multi-device backup. Each configuration
example consists of information such as the networking requirements, configuration
precautions, and configuration roadmap.

13.1 Overview
In multi-device backup, a VRRP backup group can be created to achieve BRAS user
information backup. In this manner, services can be flexibly controlled and managed.
BRAS User Information Backup
Currently, information about IPoE dynamic users, PPPoE users, web authentication users, and
static users can be backed up on Ethernet sub-interfaces, QinQ sub-interfaces, and Eth-trunk
interfaces whose members reside on the same board.
Information to be backed up includes:
l Basic user information, including the user MAC address, session ID, IP address, user
name, authentication information, and Option 60.
l Accounting information, including the accounting ID, traffic information, and duration.
l QoS information, including the user priority and QoS profiles.
l Physical location information, including the inner and outer VLAN IDs and Option 82.
The backup information has the following functions:
l Authentication and authorization information: Users do not need to re-dial for
authentication.
l Accounting information: Service Detailed Records (SDRs) are not lost after a master/backup BRAS switchover.
l Access location information: binding users can go online at a new location.
l QoS information: QoS scheduling remains unchanged before and after a master/backup
BRAS switchover.

13.2 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2E

Licensing Requirements
This feature is a basic feature and is not under license control.

Restrictions and Guidelines

Restriction: RBS supports three backup modes, and the backup modes support different services.
l Hot backup: All services are supported.
l Warm backup: Not all services are supported.
l Virtual backup: Only BRAS services are supported.
Mutual exclusion between some services and a backup mode is enforced by command, whereas for other services it is not. For example, virtual backup is not shown as mutually exclusive with other services in the configuration, but it takes effect only for BRAS services. This does not affect functions.
Guidelines: None
Impact: None

13.3 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2F

Licensing Requirements
This feature is a basic feature and is not under license control.

Restrictions and Guidelines

Restriction: Restrictions on L2TP hot backup:
l Only LAC hot backup is supported.
l The master and backup devices together support 16k L2TP tunnels and 128k sessions in 1:1 hot backup scenarios.
l The LAC's IP address applies only to L2TP services.
l Only the loopback interface's IP address can be used as the LAC's source IP address to interact with the LNS.
l The IP core cannot use static routes to the LAC's IP address.
l The set l2tp tunnel base-id base-id command must be run on the backup device to change the base value for allocating L2TP tunnel IDs on the backup device, so that different base values are used on the master and backup devices.
l The RADIUS-delivered No. 66 attribute Tunnel-Client-Endpoint is not supported.
l The switchback delay for VRRP on the master device must be configured using the vrrp vrid virtual-router-id preempt-mode timer delay delay-value command. Configuring a switchback delay of 30 minutes is recommended.
l The interval for sending Hello packets for the L2TP tunnel (configured using the tunnel timer hello interval command) must use the default value 60s, and the Hello function cannot be disabled.
Guidelines: Do not deploy features that conflict with LAC hot backup after deploying LAC hot backup.
Impact: The function does not take effect on the backup device.

Restriction: In multi-device hot backup scenarios, the function to redirect users to a specified domain upon quota exhaustion is supported only on the master device or on the device that has switched to the master role.
Guidelines: None
Impact: The redirection function does not take effect on the backup device.

Restriction: Multi-device hot backup does not support one-to-many mapping between one MAC address and many sessions for PPPoE users. ARP fast reply is not supported in multi-device hot backup scenarios. Backup of the state indicating that users have been successfully redirected to a specified portal web page is not supported: after the captive portal function is enabled and users are redirected to the portal page on the master device, they are redirected to the portal page again after a master/backup switchover.
Guidelines: None
Impact: The function does not take effect on the backup device.

Restriction: A maximum of 4:1 backup is supported, that is, a device can establish backup relationships with up to four devices.
Guidelines: Do not establish backup relationships with more than four devices.
Impact: Multi-device backup is affected.

Restriction: When traffic is forwarded through the protection tunnel, enabling URPF on a network-side interface may cause a URPF check failure. Therefore, you are advised to disable URPF on network-side interfaces based on the actual deployment scenario. Forwarded traffic includes IPoE/PPP/L2TP user traffic passing through the protection tunnel.
Guidelines: Do not deploy URPF on the network side in RUI scenarios.
Impact: Traffic fails to be forwarded.

Restriction: The backup device fails to ping users: users on the backup device are in the slave state and cannot be pinged there, but they can be pinged on the master device.
Guidelines: Do not ping users on the backup device.
Impact: Users cannot be pinged on the backup device.

Restriction: In user access scenarios where inter-board Eth-Trunk interfaces are deployed, VRRP and BFD run on the Eth-Trunk interfaces. If a fault occurs on the board where the Eth-Trunk member interfaces reside and to which BFD is bound, the BFD session may go Down. As a result, a VRRP switchover is triggered, causing a service switchover.
Guidelines: None
Impact: A service switchover is performed.

Restriction: On a BNG, the master/slave status of the interface functioning as a RADIUS proxy must be the same as that of a RADIUS proxy user's access interface.
Guidelines: N/A
Impact: Related configurations are required. Otherwise, RADIUS proxy cannot support dual-device hot backup.

Restriction: When an RUI master/backup switchover occurs during user access, the user fails to go online in the following scenario: the user completes RADIUS proxy authentication on the original master device, but a master/backup switchover occurs before the user completes subsequent access. The user's subsequent access packets are sent to the new master device, which determines that the user is not authenticated and denies access. The affected period depends on the interval between completing RADIUS proxy authentication and subsequent access processing; it is typically hundreds of milliseconds and never more than 2 minutes. After the user fails to dial up, the user cannot go online through automatic re-dialup; manual re-dialup is required.
Guidelines: None
Impact: RADIUS proxy users cannot go online in RUI scenarios.

Restriction: Restrictions on IPv6 hot backup:
l Multi-device hot backup for static IPv6 users is not supported.
l In ND mode, only unshared prefix assignment is supported.
l Protection tunnels for IPv6 services support only the MPLS LSP mode (6PE and 6VPE models).
l IPv6 address pools do not support inter-chassis borrowing (local RUI-slave address pools cannot be used to assign IP addresses on the master device).
l IPv6 hot backup does not support exclusively used address pools.
l IPv6 hot backup does not support the mapping of RADIUS-authorized address pool names to the local device.
l IPv6 multicast does not support hot backup.
Guidelines: Do not deploy features that conflict with IPv6 hot backup after deploying IPv6 hot backup.
Impact: The function does not take effect on the backup device.

Restriction: RBS supports three backup modes, and the backup modes support different services.
l Hot backup: All services are supported.
l Warm backup: Not all services are supported.
l Virtual backup: Only BRAS services are supported.
Mutual exclusion between some services and a backup mode is enforced by command, whereas for other services it is not. For example, virtual backup is not shown as mutually exclusive with other services in the configuration, but it takes effect only for BRAS services. This does not affect functions.
Guidelines: None
Impact: None

13.4 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2H

Licensing Requirements
This feature is a basic feature and is not under license control.

Restrictions and Guidelines

Restriction: Restrictions on L2TP hot backup:
l Only LAC hot backup is supported.
l The master and backup devices together support 16k L2TP tunnels and 128k sessions in 1:1 hot backup scenarios.
l The LAC's IP address applies only to L2TP services.
l Only the loopback interface's IP address can be used as the LAC's source IP address to interact with the LNS.
l The IP core cannot use static routes to the LAC's IP address.
l The set l2tp tunnel base-id base-id command must be run on the backup device to change the base value for allocating L2TP tunnel IDs on the backup device, so that different base values are used on the master and backup devices.
l The RADIUS-delivered No. 66 attribute Tunnel-Client-Endpoint is not supported.
l The switchback delay for VRRP on the master device must be configured using the vrrp vrid virtual-router-id preempt-mode timer delay delay-value command. Configuring a switchback delay of 30 minutes is recommended.
l The interval for sending Hello packets for the L2TP tunnel (configured using the tunnel timer hello interval command) must use the default value 60s, and the Hello function cannot be disabled.
Guidelines: Do not deploy features that conflict with LAC hot backup after deploying LAC hot backup.
Impact: The function does not take effect on the backup device.

Restriction: In multi-device hot backup scenarios, the function to redirect users to a specified domain upon quota exhaustion is supported only on the master device or on the device that has switched to the master role.
Guidelines: None
Impact: The redirection function does not take effect on the backup device.

Restriction: Multi-device hot backup does not support one-to-many mapping between one MAC address and many sessions for PPPoE users. ARP fast reply is not supported in multi-device hot backup scenarios. Backup of the state indicating that users have been successfully redirected to a specified portal web page is not supported: after the captive portal function is enabled and users are redirected to the portal page on the master device, they are redirected to the portal page again after a master/backup switchover.
Guidelines: None
Impact: The function does not take effect on the backup device.

Restriction: A maximum of 4:1 backup is supported, that is, a device can establish backup relationships with up to four devices.
Guidelines: Do not establish backup relationships with more than four devices.
Impact: Multi-device backup is affected.

Restriction: When traffic is forwarded through the protection tunnel, enabling URPF on a network-side interface may cause a URPF check failure. Therefore, you are advised to disable URPF on network-side interfaces based on the actual deployment scenario. Forwarded traffic includes IPoE/PPP/L2TP user traffic passing through the protection tunnel.
Guidelines: Do not deploy URPF on the network side in RUI scenarios.
Impact: Traffic fails to be forwarded.

Restriction: The backup device fails to ping users: users on the backup device are in the slave state and cannot be pinged there, but they can be pinged on the master device.
Guidelines: Do not ping users on the backup device.
Impact: Users cannot be pinged on the backup device.

Restriction: In user access scenarios where inter-board Eth-Trunk interfaces are deployed, VRRP and BFD run on the Eth-Trunk interfaces. If a fault occurs on the board where the Eth-Trunk member interfaces reside and to which BFD is bound, the BFD session may go Down. As a result, a VRRP switchover is triggered, causing a service switchover.
Guidelines: None
Impact: A service switchover is performed.

Restriction: On a BNG, the master/slave status of the interface functioning as a RADIUS proxy must be the same as that of a RADIUS proxy user's access interface.
Guidelines: N/A
Impact: Related configurations are required. Otherwise, RADIUS proxy cannot support dual-device hot backup.

Restriction: When an RUI master/backup switchover occurs during user access, the user fails to go online in the following scenario: the user completes RADIUS proxy authentication on the original master device, but a master/backup switchover occurs before the user completes subsequent access. The user's subsequent access packets are sent to the new master device, which determines that the user is not authenticated and denies access. The affected period depends on the interval between completing RADIUS proxy authentication and subsequent access processing; it is typically hundreds of milliseconds and never more than 2 minutes. After the user fails to dial up, the user cannot go online through automatic re-dialup; manual re-dialup is required.
Guidelines: None
Impact: RADIUS proxy users cannot go online in RUI scenarios.

Restriction: Restrictions on IPv6 hot backup:
l Multi-device hot backup for static IPv6 users is not supported.
l In ND mode, only unshared prefix assignment is supported.
l Protection tunnels for IPv6 services support only the MPLS LSP mode (6PE and 6VPE models).
l IPv6 address pools do not support inter-chassis borrowing (local RUI-slave address pools cannot be used to assign IP addresses on the master device).
l IPv6 hot backup does not support exclusively used address pools.
l IPv6 hot backup does not support the mapping of RADIUS-authorized address pool names to the local device.
l IPv6 multicast does not support hot backup.
Guidelines: Do not deploy features that conflict with IPv6 hot backup after deploying IPv6 hot backup.
Impact: The function does not take effect on the backup device.

Restriction: RBS supports three backup modes, and the backup modes support different services.
l Hot backup: All services are supported.
l Warm backup: Not all services are supported.
l Virtual backup: Only BRAS services are supported.
Mutual exclusion between some services and a backup mode is enforced by command, whereas for other services it is not. For example, virtual backup is not shown as mutually exclusive with other services in the configuration, but it takes effect only for BRAS services. This does not affect functions.
Guidelines: None
Impact: None

13.5 Licensing Requirements and Limitations for User Access Multi-Device Backup--M2K

Licensing Requirements
This feature is a basic feature and is not under license control.

Restrictions and Guidelines

Restriction: Restrictions on L2TP hot backup:
l Only LAC hot backup is supported.
l The master and backup devices together support 16k L2TP tunnels and 128k sessions in 1:1 hot backup scenarios.
l The LAC's IP address applies only to L2TP services.
l Only the loopback interface's IP address can be used as the LAC's source IP address to interact with the LNS.
l The IP core cannot use static routes to the LAC's IP address.
l The set l2tp tunnel base-id base-id command must be run on the backup device to change the base value for allocating L2TP tunnel IDs on the backup device, so that different base values are used on the master and backup devices.
l The RADIUS-delivered No. 66 attribute Tunnel-Client-Endpoint is not supported.
l The switchback delay for VRRP on the master device must be configured using the vrrp vrid virtual-router-id preempt-mode timer delay delay-value command. Configuring a switchback delay of 30 minutes is recommended.
l The interval for sending Hello packets for the L2TP tunnel (configured using the tunnel timer hello interval command) must use the default value 60s, and the Hello function cannot be disabled.
Guidelines: Do not deploy features that conflict with LAC hot backup after deploying LAC hot backup.
Impact: The function does not take effect on the backup device.

Restriction: In multi-device hot backup scenarios, the function to redirect users to a specified domain upon quota exhaustion is supported only on the master device or on the device that has switched to the master role.
Guidelines: None
Impact: The redirection function does not take effect on the backup device.

Restriction: Multi-device hot backup does not support one-to-many mapping between one MAC address and many sessions for PPPoE users. ARP fast reply is not supported in multi-device hot backup scenarios. Backup of the state indicating that users have been successfully redirected to a specified portal web page is not supported: after the captive portal function is enabled and users are redirected to the portal page on the master device, they are redirected to the portal page again after a master/backup switchover.
Guidelines: None
Impact: The function does not take effect on the backup device.

Restriction: A maximum of 4:1 backup is supported, that is, a device can establish backup relationships with up to four devices.
Guidelines: Do not establish backup relationships with more than four devices.
Impact: Multi-device backup is affected.

Restriction: When traffic is forwarded through the protection tunnel, enabling URPF on a network-side interface may cause a URPF check failure. Therefore, you are advised to disable URPF on network-side interfaces based on the actual deployment scenario. Forwarded traffic includes IPoE/PPP/L2TP user traffic passing through the protection tunnel.
Guidelines: Do not deploy URPF on the network side in RUI scenarios.
Impact: Traffic fails to be forwarded.

Restriction: The backup device fails to ping users: users on the backup device are in the slave state and cannot be pinged there, but they can be pinged on the master device.
Guidelines: Do not ping users on the backup device.
Impact: Users cannot be pinged on the backup device.

Restriction: In user access scenarios where inter-board Eth-Trunk interfaces are deployed, VRRP and BFD run on the Eth-Trunk interfaces. If a fault occurs on the board where the Eth-Trunk member interfaces reside and to which BFD is bound, the BFD session may go Down. As a result, a VRRP switchover is triggered, causing a service switchover.
Guidelines: None
Impact: A service switchover is performed.

Restriction: On a BNG, the master/slave status of the interface functioning as a RADIUS proxy must be the same as that of a RADIUS proxy user's access interface.
Guidelines: N/A
Impact: Related configurations are required. Otherwise, RADIUS proxy cannot support dual-device hot backup.

Restriction: When an RUI master/backup switchover occurs during user access, the user fails to go online in the following scenario: the user completes RADIUS proxy authentication on the original master device, but a master/backup switchover occurs before the user completes subsequent access. The user's subsequent access packets are sent to the new master device, which determines that the user is not authenticated and denies access. The affected period depends on the interval between completing RADIUS proxy authentication and subsequent access processing; it is typically hundreds of milliseconds and never more than 2 minutes. After the user fails to dial up, the user cannot go online through automatic re-dialup; manual re-dialup is required.
Guidelines: None
Impact: RADIUS proxy users cannot go online in RUI scenarios.

Restriction: Restrictions on IPv6 hot backup:
l Multi-device hot backup for static IPv6 users is not supported.
l In ND mode, only unshared prefix assignment is supported.
l Protection tunnels for IPv6 services support only the MPLS LSP mode (6PE and 6VPE models).
l IPv6 address pools do not support inter-chassis borrowing (local RUI-slave address pools cannot be used to assign IP addresses on the master device).
l IPv6 hot backup does not support exclusively used address pools.
l IPv6 hot backup does not support the mapping of RADIUS-authorized address pool names to the local device.
l IPv6 multicast does not support hot backup.
Guidelines: Do not deploy features that conflict with IPv6 hot backup after deploying IPv6 hot backup.
Impact: The function does not take effect on the backup device.

Restriction: RBS supports three backup modes, and the backup modes support different services.
l Hot backup: All services are supported.
l Warm backup: Not all services are supported.
l Virtual backup: Only BRAS services are supported.
Mutual exclusion between some services and a backup mode is enforced by command, whereas for other services it is not. For example, virtual backup is not shown as mutually exclusive with other services in the configuration, but it takes effect only for BRAS services. This does not affect functions.
Guidelines: None
Impact: None

13.6 Configuring Multi-Device Backup for IPv4 User Information
After multi-device backup of IPv4 user information is enabled, users do not need to re-dial up,
QoS scheduling remains unchanged, accounting information is not lost, and users can go
online through new locations after a master/backup switchover.

Configuration Procedures
Perform one or more of the following configurations as required.

13.6.1 Establishing a Multi-Device Backup Platform


A multi-device backup platform can be established to back up user information between
multiple devices. If a node or link between devices becomes abnormal, this function rapidly
switches user services to a standby link, improving service reliability.

Prerequisites
Before establishing a multi-device backup platform, complete the following tasks:

• Configure peer BFD, link BFD, or Ethernet OAM on the user side.
• Configure peer BFD on the network side.
• Configure a local or remote address pool. The same address pool must be configured on devices that back up one another.

Background
Based on a VRRP backup group, a multi-device backup platform runs the Huawei-proprietary
Redundancy User Information (RUI) protocol to back up user information between devices,
which allows for more flexible user service management and improves service reliability.
Establishing a multi-device backup platform involves configuring basic functions of a VRRP
backup group, a remote backup service (RBS), and a remote backup profile (RBP).
Perform the following steps on each of the devices that back up one another:

Procedure
• Configure basic functions of a VRRP backup group.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number [.subinterface-number ]
The view of the interface on which a VRRP backup group is configured is
displayed.
c. Run vrrp vrid virtual-router-id virtual-ip virtual-address
A VRRP backup group is created, and a virtual IP address is assigned to the VRRP
backup group.

NOTE

The same VRID and virtual IP address must be set on each of the devices that back up one another.
d. Run admin-vrrp vrid virtual-router-id [ ignore-if-down ]
This VRRP backup group is configured as an mVRRP backup group.
e. Run vrrp vrid virtual-router-id priority priority-value
The priority of a device in the VRRP backup group is configured.
The devices in the VRRP backup group must be assigned different VRRP priorities.
The device with a higher priority serves as the master one.
f. Run vrrp vrid virtual-router-id preempt-mode timer delay delay-value
The preemption delay is set in a VRRP backup group.
Run this command on the master VRRP device so that the backup VRRP device
becomes the master one only after the fault is rectified and services are restored.
The preemption delay is related to service types in the following scenarios:
– In an IPv4 single-stack scenario, the minimum preemption delay is 10 minutes. Increase the value by 1 for every 6K users. If 256K users get online through a device, setting the value to 40 minutes is recommended.
– In an IPv4 and IPv6 dual-stack scenario, the minimum preemption delay is 10 minutes. Increase the value by 1 for every 6K users. If 128K users get online through a device, setting the value to 40 minutes is recommended.
– When the IPv4 single-stack and EDSG services are configured, the minimum preemption delay is 15 minutes. Increase the value by 1 for every 4K users. If 256K users get online through a device, setting the value to 60 minutes is recommended.
– When the IPv4 and IPv6 dual-stack and EDSG services are configured, the minimum preemption delay is 15 minutes. Increase the value by 1 for every 4K users. If 128K dual-stack users get online through a device, setting the value to 60 minutes is recommended.
g. Run commit
The configuration is committed.
• Configure an RBP.
a. (Optional) Run peer-backup batch access enable
The device is configured to allow users to get online when performing batch
backup.
b. Run system-view
The system view is displayed.
c. Run remote-backup-profile profile-name
An RBP is created, and the RBP view is displayed.
d. Run peer-backup hot
Inter-device hot backup is enabled.
e. Run vrrp-id vrid interface interface-type interface-number
The RBP is bound to the VRRP backup group.
– In multi-device backup networking, using load balancing improves link usage. To load-balance traffic, use either of the following parameters:
○ odd-mac: user packets with odd MAC addresses
○ even-mac: user packets with even MAC addresses
– If odd-mac or even-mac is not configured, the vrrp-id command only binds a single VRRP backup group ID to an RBP and associates the RBP with a single VRRP sub-interface. If load balancing is required, run the vrrp-id command twice, with odd-mac and even-mac configured, respectively. Two VRRP backup group IDs must be bound to the same RBP and be associated with different VRRP sub-interfaces. In addition, odd-mac and even-mac must be configured for different VRRP backup groups with specific IDs. The two devices that load-balance traffic must have the same configuration, including the binding between the VRRP backup group ID and even or odd MAC address type.
– Before modifying the setting of odd-mac or even-mac, run the undo vrrp-id vrid command to delete the configuration. Then run the vrrp-id vrid command to reconfigure the setting.
f. Run backup-id backup-id remote-backup-service service-name
The RBP is associated with the RBS, and the user backup ID in the RBP is set.
backup-id sets a user backup ID. The RBP to which a user belongs can be determined based on the backup-id and RBS. Note that the same backup-id value must be set for devices that back up one another in the same RBP, and different backup-id values must be set in other RBPs.
g. Run service-type { arp | l2tp | bras | multicast | igmp | igmp-snooping | no-host-
multicast | dhcp-server }

Remote backup for user services is enabled.
h. (Optional) Run acct-session-id nas-logic-sysname host-name
A logic host name is configured to generate an RUI user accounting ID.
i. Run commit
The configuration is committed.
• Configure an RBS.
a. Run system-view
The system view is displayed.
b. Run remote-backup-service service-name
An RBS is created, and the RBS view is displayed.
c. (Optional) Run bind ssl-policy ssl-policy-name
An SSL policy is created and bound to a TCP connection.

NOTE
The RBS has no secure authentication mechanism by default. Binding the RBS to an SSL policy
to improve security is recommended.
d. Run peer peer-ip-address source source-ip-address port port-id

Parameters of a TCP connection for the RBS are set.

peer-ip-address sets the IP address of a remote device that backs up the local
device. source-ip-address sets the IP address of a local device. The remote IP
address must already exist on the remote device's main interface, sub-interface, or
logical interface (for example, loopback interface). The local IP address must
already exist on the local device's main interface, sub-interface, or logical interface.
The local and remote IP addresses must be reachable from each other (each must be able to ping the other).

port-id indicates the listening port number of a server. The same TCP port number
must be set on devices that back up one another.
e. (Optional) Run batch-backup service-type { arp | all | bras | l2tp | multicast |
igmp-snooping | dhcp-server } now

The device is enabled to immediately back up user services configured in the RBS.
f. (Optional) Run track interface interface-name [ weight weight ]

The RBS is configured to monitor the network-side interface status and check
whether the TCP connection for the RBS fails or recovers.

If devices have multiple uplinks with different bandwidth values, configure different weights for the inbound interfaces based on the uplink bandwidths. If the interfaces have different rates, set weights based on their rates. Set a greater weight for a 10GE interface than for a GE interface. For example, interface A is 10GE, and the bandwidth planned for RUI is 5 Gbit/s; interface B is GE, and the bandwidth planned for RUI is 1 Gbit/s; interface C is GE, and the bandwidth planned for RUI is 0.5 Gbit/s. If you use interface B as a reference interface and set its weight to 10, the weight of interface A is 50 and that of interface C is 5.

NOTE

The formula is as follows:


Fault rate = Total weight of faulty interfaces/Total weight of interfaces x 100%
If interfaces B and C fail, the fault rate is as follows:
(10 + 5)/(50 + 10 + 5) x 100% = 23%
If interface A fails, the fault rate is as follows:
50/(50 + 10 + 5) x 100% = 77%
g. (Optional) Run switchover uplink { failure-ratio failure-ratio | duration
duration } *

The threshold for a master/backup switchover due to uplink failures and the
duration before the switchover is complete are set.

When you run the track interface command, the weights specified must comply
with the rules of the master/backup VRRP switchover. If a master/backup
switchover is performed based on the fault rate of uplinks but a master/backup
VRRP switchover is not performed, the backup device forwards the network-side
traffic back to the master device for processing after receiving the traffic from the
master device. In this case, the master device is congested with traffic because the
master/backup switchover is not performed at the same time as the master/backup
VRRP switchover.

When you run the switchover uplink command to configure a master/backup switchover to be performed based on the fault rate of uplinks, also run the peer-backup route-cost auto-advertising command in the system view to enable both devices to automatically generate address pool user network routes (UNRs). In this situation, when a master/backup switchover is performed based on the fault rate of uplinks, the priority of a UNR is reduced, but no UNRs are withdrawn. This configuration prevents downstream traffic from being interrupted.
h. (Optional) Run track monitor-group group-name switchover failure-ratio
percent

The RBS is configured to track the interface group status.

If the track interface command is run in the RBS view, the device automatically
deletes the track interface and switchover uplink commands after the track
interface-group command is run. The device then determines a master/backup
switchover based on the track monitor-group command.
i. (Optional) Run track route-monitor-group group-name switchover failure-ratio
percent

A link fault threshold (in percentage) that triggers a master/backup switchover is set
for the route monitor group on the network side.

If the track interface command is run in the RBS view, the device automatically
deletes the track interface command after the track route-monitor-group
switchover failure-ratio command is run. The device then determines a master/
backup switchover based on the track route-monitor-group switchover failure-
ratio command.
j. (Optional) Run track bfd-session bfd-session
The RBS tracks the BFD status so that the RBS can rapidly monitor the remote device status.

NOTE

This step is recommended. Before running this command, ensure that a peer BFD session is established between the master and backup devices on the network side.
k. (Optional) Run radius-authorization source same-as nas-logic-ip
The device is configured to reply to the RADIUS server with packets in which the
source IP address is the same as the NAS IP address.
l. Run commit
The configuration is committed.
----End
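The uplink fault-rate formula given for the track interface command and the switchover uplink threshold, worked through in code as an added example (this is not Huawei's code and not a device feature). Interface names A, B and C and their planned RUI bandwidths are the figures from the procedure above; the tick-based persistence model used for the duration parameter is an assumption made here.

```python
"""Added example, not code from the Huawei guide: a model of the RBS uplink tracking
rules from 13.6.1 steps f and g. Interfaces A/B/C and their planned RUI bandwidths
are the guide's own figures; the tick-based persistence model for 'duration' is an
assumption made here."""
from dataclasses import dataclass


@dataclass
class TrackedInterface:
    """One 'track interface <name> weight <w>' entry in the RBS view."""
    name: str
    weight: int
    up: bool = True


def weights_from_bandwidth(planned_gbps, reference, reference_weight):
    """Derive weights proportional to the bandwidth planned for RUI on each uplink,
    taking one interface as the reference (the guide uses GE interface B = 10)."""
    ref_gbps = planned_gbps[reference]
    return {name: round(gbps / ref_gbps * reference_weight)
            for name, gbps in planned_gbps.items()}


def fault_rate(interfaces):
    """Fault rate = total weight of faulty interfaces / total weight of interfaces x 100%,
    rounded to a whole percent as in the guide's worked figures (23%, 77%)."""
    total = sum(i.weight for i in interfaces)
    if total == 0:
        raise ValueError("no tracked interfaces configured")
    faulty = sum(i.weight for i in interfaces if not i.up)
    return round(faulty / total * 100)


class UplinkSwitchover:
    """Models 'switchover uplink failure-ratio <percent> duration <seconds>'.
    Assumption: the fault rate must stay at or above failure-ratio for the whole
    duration before a master/backup switchover is triggered."""

    def __init__(self, interfaces, failure_ratio, duration):
        self.interfaces = interfaces
        self.failure_ratio = failure_ratio
        self.duration = duration
        self.exceeded_for = 0   # seconds the threshold has been continuously met

    def set_state(self, name, up):
        for iface in self.interfaces:
            if iface.name == name:
                iface.up = up
                return
        raise KeyError(name)

    def tick(self, seconds=1):
        """Advance time; return True once a switchover should be triggered."""
        if fault_rate(self.interfaces) >= self.failure_ratio:
            self.exceeded_for += seconds
        else:
            self.exceeded_for = 0
        return self.exceeded_for >= self.duration


def build_guide_example():
    """The guide's figures: A is 10GE with 5 Gbit/s planned for RUI, B and C are GE
    with 1 Gbit/s and 0.5 Gbit/s planned; B is the reference with weight 10."""
    weights = weights_from_bandwidth({"A": 5.0, "B": 1.0, "C": 0.5}, "B", 10)
    return [TrackedInterface(n, w) for n, w in weights.items()]


if __name__ == "__main__":
    ifaces = build_guide_example()
    tracker = UplinkSwitchover(ifaces, failure_ratio=50, duration=3)
    tracker.set_state("B", False)
    tracker.set_state("C", False)
    print("B and C down:", fault_rate(ifaces), "% ->", tracker.tick())
    tracker.set_state("B", True)
    tracker.set_state("C", True)
    tracker.set_state("A", False)
    print("A down:", fault_rate(ifaces), "% ->", [tracker.tick() for _ in range(3)])
```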

13.6.2 (Optional) Disabling User Information Remote Backup in a Specified Domain
User information remote backup can be disabled for users who get online from a specified
domain as required.

Context
User information remote backup is enabled by default for users who get online through an
AAA domain. To disable this function, run the undo peer-backup enable command.
Information about authenticated users will then not be backed up even if hot backup is
enabled on the user access interface.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
The AAA domain view is displayed.
Step 4 Run undo peer-backup enable
User information remote backup is disabled for users getting online from a specified domain.

NOTE

The user information remote backup configuration cannot be modified in the view of an AAA domain
where users have logged in. To be specific, if user information remote backup configuration is disabled,
the peer-backup enable command cannot be run. If user information remote backup configuration is
enabled, the undo peer-backup enable command cannot be run.

Step 5 Run commit
The configuration is committed.

----End

13.6.3 Setting NAS Parameters


By setting NAS parameters, you can ensure that the master and backup servers send the same
information to the remote server.

Context
To allow users to log in through the backup device twice authentication, perform the
following operations on the devices that back up each other:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run remote-backup-profile profile-name

The RBP view is displayed.

Step 3 Run service-type bras

The RBS of the BRAS user information is enabled.

Step 4 Run nas { logic-ip ip-address | logic-port [ interface-name | interface-type interface-number ] | logic-sysname host-name }

The logic IP address, logic interface, and logic host name are configured. Ensure that the
devices that back up each other send the same information about NAS-IP-Address, NAS-Port,
NAS-Port-ID, and Option 82 contained in the packets to the RADIUS and DHCP servers.

By default, you are advised to set NAS-IP-Address on the master device to be the same as that on the backup device. If you run the radius-authorization source same-as nas-logic-ip command to set NAS-IP-Address to the source IP address of packets sent to the RADIUS server, the master and backup devices must have different NAS-IP-Address values. If the RADIUS server checks binding authentication, the master and backup devices must have the same NAS-IP-Address value. In this case, NAS-IP-Address cannot be set to the source IP address of packets sent to the RADIUS server.

Step 5 Run commit

The configuration is committed.

----End

13.6.4 (Optional) Setting the Interval for Backing Up Traffic or the Traffic Threshold
If the interval and traffic threshold are both set to 0, user traffic is not backed up.

Context
To ensure that user traffic can be backed up in real time, perform the following operations on
the devices that back up each other:


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run remote-backup-profile profile-name
The RBP view is displayed.
Step 3 Run traffic backup { interval interval-value [ threshold threshold-value ] | threshold
threshold-value [ interval interval-value ] }
The interval for backing up traffic or the traffic threshold is set.
Step 4 Run commit
The configuration is committed.

----End

13.6.5 Controlling Advertisement of Address Pool UNRs


If BRASs work in load balancing mode, the BRASs must be configured to control
advertisement of UNRs of configured address pools.

Context
In the dual-system hot backup scenario, BRASs control the advertisement of UNRs of
configured address pools in either of the following modes:
• Manual control: If two BRASs work in load balancing mode, each BRAS is configured with two address pools. One is the primary address pool and the other is the secondary address pool. The primary address pool on one BRAS is the secondary address pool on the other BRAS. The cost value of the primary address pool must be smaller than that of the secondary address pool on the same BRAS, allowing the primary address pool to be preferentially used. The cost values can be set in a routing policy, which allows the UNR of the primary address pool to have higher route precedence than that of the secondary address pool. For information about how to configure a routing policy, see Configuring a Routing Policy in HUAWEI NE40E-M2 Series Universal Service Router Configuration Guide - IP Routing.
• Automatic route advertisement is easier to configure than manual route advertisement. Automatic route advertisement prevents the problem that if a fault in a BRAS occurs and a master/backup BRAS switchover is implemented, UNRs cannot be automatically advertised after the BRAS recovers. The default route cost can be used to control route preference. If dual-system hot backup is configured on BRASs, a routing protocol imports UNRs and trusts UNR preference values. This allows the network segment route of the primary address pool to have higher route precedence than that of the secondary address pool.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run peer-backup route-cost auto-advertising
The BRAS is configured to use default cost values of routes to control route preference when the routes are generated. The route can be an address pool UNR or a route to a loopback interface of the LAC on an L2TP tunnel.

NOTE
The address pool routes are not updated in real time whether or not the BRAS is configured to use default cost values of routes to control route preference. The route control takes effect only when the address pool is re-bound to the RBS.

Step 3 Run commit
The configuration is committed.

----End

Follow-up Procedure
To use a routing policy to give the UNR of the primary address pool the highest preference, run the import-route unr route-policy route-policy-name command in the IS-IS, OSPF, or BGP view:
• In the IS-IS view:
Run the import-route unr route-policy route-policy-name command.
• In the OSPF view:
Run the import-route unr route-policy route-policy-name command.
• In the BGP view:
Run the import-route unr route-policy route-policy-name command.
To preserve the cost values of UNRs imported by a routing protocol, perform one of the following steps based on the type of routing protocol:
• In the IS-IS view:
Run the import-route unr inherit-cost command.
• In the OSPF view, run the following commands:
a. default cost inherit-metric
b. import-route unr
• In the BGP view:
Run the import-route unr command.

13.6.6 Configuring User Information Backup in Shared IP Address Pool Mode
The shared address pool mode needs additional links, but the networking is flexible.

Context
If the exclusive IP address pool mode is used, a great number of address pools are needed.
This wastes addresses. The shared IP address pool mode resolves this problem. To use the
shared IP address pool mode:
• Do not bind address pools to the RBP.
• Both the master and backup devices must advertise their network segment routes to address pools and be configured with a route policy to ensure that the route advertised by the master device has a higher priority. This prevents load balancing on the network-side devices.
• A protection tunnel, for example, an LSP, must be set up between the master and backup devices. If the uplink of a user fails, the downstream traffic of the user is diverted to the protection tunnel.
• Bind the address pool to the RBS by running the ip-pool pool-name command in the RBS view. This ensures that traffic at the network side can be forwarded through the protection tunnel before the host route is generated.
NOTE

Only the primary address pool needs to be bound to the RBS. The secondary address pool does not need to be bound to the RBS.

Perform the following steps on each of the devices that back up each other:

Procedure
• Configure the protection path in IP redirection mode for public users.
To configure the protection path in IP redirection mode, deploy a directly connected link
between the devices that back up each other.
a. Run system-view
The system view is displayed.
b. Run remote-backup-service service-name
The RBS view is displayed.
c. Run protect redirect ip-nexthop ip-address interface interface-type interface-
number
The protection path is configured to work in IP redirection mode for public users.
The peer IP address and local outbound interface must be specified.
d. Run ip-pool pool-name
The primary address pool is bound to the RBS.
e. Run commit
The configuration is committed.
• Configure the protection path in tunnel mode for public users.
a. Run system-view
The system view is displayed.
b. Run remote-backup-service service-name
The RBS view is displayed.
c. Run protect tnl-policy policy-name peer-ip ip-address [ interface interface-type
interface-number ]
The protection path is configured to be the label switched path (LSP), Multiprotocol
Label Switching (MPLS) Traffic Engineering (TE) tunnel, or Generic Routing
Encapsulation (GRE) tunnel for public users. The tunnel type is specified by the
tunnel policy, and the outbound interface is optional.
d. Run ip-pool pool-name
The primary address pool is bound to the RBS.
e. Run commit
The configuration is committed.
• Configure the protection path for VPN users.
a. Run system-view

The system view is displayed.


b. Run remote-backup-service service-name

The RBS view is displayed.


c. Run protect ip-vpn-instance vpn-instance-name peer-ip ip-address [ interface
interface-type interface-number ]

The protection tunnel is configured for VPN users. You need to specify the VPN instance name. The peer IP address is the IP address of the loopback interface that is bound to the VPN instance on the peer device. In this case, the tunnel type cannot be specified. Instead, the tunnel is automatically selected by the device. The outbound interface is optional.
d. Run ip-pool pool-name

The primary address pool is bound to the RBS.


e. Run commit

The configuration is committed.


• Configure a public and VPN protection tunnel template.
a. Run system-view

The system view is displayed.


b. Run remote-backup-service service-name

The RBS view is displayed.


c. Run protect lsp-tunnel for-all-instance peer-ip ip-address

A public and VPN protection tunnel template is configured.


d. Run ip-pool pool-name

The primary address pool is bound to the RBS.


e. Run commit

The configuration is committed.


NOTE

The protect lsp-tunnel for-all-instance peer-ip command configures a protection tunnel template
for both the public network and VPNs. After the command is run, a public protection tunnel is
automatically created, and a VPN protection tunnel is triggered by user login, without needing to
configure a protection tunnel for each VPN. This function simplifies tunnel configuration.
To configure a specific public protection tunnel, run the protect tnl-policy policy-name peer-ip
ip-address [ interface interface-type interface-number ] command; to configure a specific VPN
protection tunnel, run the protect ip-vpn-instance vpn-instance-name peer-ip ip-address
[ interface interface-type interface-number ] command. These two commands can be configured
together with the protect lsp-tunnel for-all-instance peer-ip command. In this situation, the
protect lsp-tunnel for-all-instance peer-ip command takes precedence.

----End


13.6.7 Configuring an Address Pool on a Device Configured with a Shared Address Pool
In BRAS multi-device backup scenarios, properly configuring an address pool allows
efficient use of addresses.

Context
The master and backup devices are configured with address pools in shared mode. If a link
fault triggers a master/backup device switchover, the backup device (now the master device)
can continue to assign addresses of the original master device (now the backup device) to
users by using a remote DHCP server. This prevents address pool resource wastes.

Procedure
Step 1 Configure address pools on the master and backup devices.
1. Run system-view

The system view is displayed.


2. Run either of the following commands:
– To configure an IPv4 address pool and enter the address pool view, run the ip pool pool-name [ bas { local | remote } rui-slave ] command.
– To configure an IPv6 address pool and enter the address pool view, run the ipv6 pool pool-name [ bas { local | remote } rui-slave ] command.

A local primary address pool and an rui-slave (local rui-slave) secondary address pool are configured on the master or backup device.

NOTE
A remote DHCP server can be used to allocate addresses for users logging in to the master and
backup devices. If a remote DHCP server is used, a remote address pool must be configured on the
master device; a remote rui-slave address pool must be configured on the backup device; the
address pools must be associated with the DHCP server group on the remote DHCP server.
3. Run gateway ip-address mask

The gateway address of the address pool is set.

The gateway IP address and subnet mask are used to check whether an address segment
is in the same subnet as the gateway. Therefore, the gateway IP address and subnet mask
must be configured before the address segment.
4. Run section section-num start-ip-address [ end-ip-address ]

The address range is configured for the address pool.

If both the master and backup devices have two address pools configured, the primary
and secondary address pools must use different address ranges on the master and backup
devices. The master device's primary address pool and the backup device's secondary
address pool share an address range. The master device's secondary address pool and the
backup device's primary address pool share an address range. This prevents address
conflict after a master/backup device switchover occurs.


NOTE

If an rui-slave address pool (configured using the local rui-slave parameter) is used, the remote
DHCP server and its parameters must be configured.
If an rui-slave address pool (configured using the local rui-slave parameter) is bound to an RBS,
the address pool automatically uses the peer IP address in the RBS as a DHCP server IP address,
without additional configuration.
Before performing the following step, ensure that the dhcp-server group group-name remote-
backup-service rbs-name command is run in the system view to specify the name of a DHCP
server group and associate the DHCP server group with a specified RBS.
5. (Optional) Run dhcp-server group group-name

A remote DHCP server is configured.

The remote DHCP server that is configured for the secondary address pool on the backup
device must be mapped to the master device. On a network where the master and backup
devices balance traffic, the remote DHCP server that is configured for the secondary
address pool on the master device must also be mapped to the backup device.
6. Run commit

The configuration is committed.

Step 2 (Optional) Configure IP address pool mapping in the RBP.


1. Run system-view

The system view is displayed.


2. Run remote-backup-profile profile-name

The RBP view is displayed.


3. Run ip-pool src-name include tag-name [ node node-id ]

IP address pool mapping in the RBP is configured.

A source address pool can be mapped to multiple target address pools in ascending order
by node-id, which means that the mapping starts from the target address pool with the
smallest node-id.

For example, assume that a remote DHCP server is used to allocate addresses and, if its address resources are exhausted, the local address pool is used instead. This requires the secondary address pool on the backup device to have a higher priority than the primary address pool. Conversely, assume that the local address pool is used to allocate addresses and, if its address resources are exhausted, the remote DHCP server is used instead. This requires the primary address pool to have a higher priority than the secondary address pool.
4. (Optional) Run frame-route metric metric-num

The preference of a route used by the RADIUS server to deliver an IP address is configured.

NOTE
Only PPP leased line users are supported.
5. Run commit

The configuration is committed.

----End
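A consistency check for the shared address pool layout described in this section, written as an added example (not the device's code or a Huawei tool). The pool names, gateways and sections are constructed sample values, and the checks encode only the rules the procedure states: each section lies inside its gateway subnet, the primary and secondary pools on one device do not overlap, the master's primary range equals the backup's secondary range and vice versa, and each secondary pool is a local rui-slave pool.

```python
"""Added example, not Huawei code: checks a master/backup pair's address pools
against the shared address pool rules in 13.6.7. Pool names, gateways and
sections below are constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    """One 'ip pool' with its 'gateway ip-address mask' and 'section' settings."""
    name: str
    gateway: str              # e.g. "10.1.1.1 255.255.255.0"
    section: tuple            # (start-ip-address, end-ip-address)
    rui_slave: bool = False   # created with 'bas local rui-slave'

    def subnet(self):
        ip, mask = self.gateway.split()
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

    def ip_range(self):
        start, end = (int(ipaddress.ip_address(a)) for a in self.section)
        return start, end


@dataclass(frozen=True)
class Device:
    name: str
    primary: Pool
    secondary: Pool


def _overlaps(r1, r2):
    return r1[0] <= r2[1] and r2[0] <= r1[1]


def check_shared_pools(master, backup):
    """Return a list of rule violations; an empty list means the layout follows the guide."""
    problems = []
    for dev in (master, backup):
        for pool in (dev.primary, dev.secondary):
            # The gateway is configured first because the section is checked against its subnet.
            if not all(ipaddress.ip_address(a) in pool.subnet() for a in pool.section):
                problems.append(f"{dev.name}/{pool.name}: section is outside the gateway subnet")
        if _overlaps(dev.primary.ip_range(), dev.secondary.ip_range()):
            problems.append(f"{dev.name}: primary and secondary pools must use different ranges")
        if dev.primary.rui_slave:
            problems.append(f"{dev.name}/{dev.primary.name}: the primary pool is not an rui-slave pool")
        if not dev.secondary.rui_slave:
            problems.append(f"{dev.name}/{dev.secondary.name}: the secondary pool must be local rui-slave")
    # Ranges swap roles across the pair so that addresses stay usable after a switchover.
    if master.primary.ip_range() != backup.secondary.ip_range():
        problems.append("master primary and backup secondary pools must share one address range")
    if master.secondary.ip_range() != backup.primary.ip_range():
        problems.append("master secondary and backup primary pools must share one address range")
    return problems


def sample_pair():
    """Constructed layout that follows the guide: each range is primary on one device
    and the rui-slave secondary on the other."""
    range_a = ("10.1.1.2", "10.1.1.254")
    range_b = ("10.1.2.2", "10.1.2.254")
    master = Device("BRAS-1",
                    Pool("pool-a", "10.1.1.1 255.255.255.0", range_a),
                    Pool("pool-b-slave", "10.1.2.1 255.255.255.0", range_b, rui_slave=True))
    backup = Device("BRAS-2",
                    Pool("pool-b", "10.1.2.1 255.255.255.0", range_b),
                    Pool("pool-a-slave", "10.1.1.1 255.255.255.0", range_a, rui_slave=True))
    return master, backup


if __name__ == "__main__":
    master, backup = sample_pair()
    print("valid layout:", check_shared_pools(master, backup))
    # A misconfigured backup whose secondary pool covers only part of the master's primary range.
    bad_backup = Device("BRAS-2", backup.primary,
                        Pool("pool-a-slave", "10.1.1.1 255.255.255.0",
                             ("10.1.1.2", "10.1.1.100"), rui_slave=True))
    print("mismatched layout:", check_shared_pools(master, bad_backup))
```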


13.6.8 (Optional) Configuring IP Addresses for Web Authentication and RADIUS Authorization Servers
The source IP address of the master and backup devices is the same as the BAS-IP address of
the web authentication server and the NAS-IP address of the RADIUS authorization server.

Context
In hot backup scenarios, the mapping between address pools and BAS-IP addresses must be
specified on the web authentication server for each pair of master and backup devices. An IP
address pool is shared only between the master and backup devices. Therefore, each pair of
master and backup devices must have a source IP address to communicate with the web
authentication server. The web-auth-server source [ vpn-instance vpn-instance-name ]
source-ip-address command specifies the source IP address of portal packets sent by the
router to the web authentication server as the BAS-IP address.
In CoA and DM applications, the RADIUS authorization server sends requests to the Router, and the Router responds to the RADIUS authorization server. The RADIUS server then checks the source IP address of reply packets for security. In N:1 hot backup scenarios, the RADIUS authorization server determines the IP address of the Router to which authorization packets are sent based on the user's billing information. This IP address can be a NAS-IP address or the address that the Router uses to exchange accounting-start packets with the RADIUS server.
To ensure that the RADIUS authorization server sends authorization packets to the exact
Router, run the radius-authorization source command to specify a source IP address for
each pair of master and backup devices. To ensure that the source IP address in the packets
sent by the Router to the RADIUS server is the same as the NAS-IP address, run the radius-
authorization source same-as nas-logic-ip command. Alternatively, run the radius-
authorization source [ vpn-instance vpn-instance-name ] source-ip-address command to
specify a source IP address.
Perform the following operations on both routers that back up each other:

Procedure
l Configure the source IP address of portal packets sent by the Router to the web
authentication server as the BAS-IP address, which is used independently by the web
authentication server.
a. Run system-view
The system view is displayed.
b. Run interface loopback interface-number
A loopback interface is created, and the interface view is displayed.
c. Run ip address ip-address { mask | mask-length }
An IP address is configured for the loopback interface.
d. Run quit
Exit the interface view.
e. Run remote-backup-service service-name
The remote backup service view is displayed.


f. Run web-auth-server source [ vpn-instance vpn-instance-name ] source-ip-address
The loopback interface's IP address is configured as the BAS-IP address used independently by the web authentication server.
g. Run commit
The configuration is committed.
l Configure the source IP address that the master and backup devices use for packets sent to the RADIUS authorization server, either as the NAS-IP address or as an explicitly specified address.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run ip address ip-address { mask | mask-length }
An IP address is configured for the interface.
d. Run quit
Exit the interface view.
e. Run remote-backup-service service-name
The remote backup service view is displayed.
f. Run radius-authorization source same-as nas-logic-ip or radius-authorization source [ vpn-instance vpn-instance-name ] source-ip-address
The source IP address that the master and backup devices use for packets sent to the RADIUS authorization server is set to the NAS-IP address or to the specified address.

NOTE
If a NAS-IP address is specified in the RADIUS server template, run the radius-authorization source same-as nas-logic-ip command; otherwise, run the radius-authorization source [ vpn-instance vpn-instance-name ] source-ip-address command.
g. Run commit
The configuration is committed.
----End
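The following is an added configuration example, not from the original guide, that consolidates the two procedures above for one pair of devices. The addresses, the loopback number and the RBS name rbs1 are assumptions. As the Context describes, the pair shares one BAS-IP address, so the same loopback address is configured on both devices; the RADIUS authorization source is taken from each device's NAS logic IP, which (see 13.7.3) must then differ between the two devices. Lines beginning with # are annotations, not device input.

```text
# Master device (assumed addresses)
system-view
interface loopback 10
ip address 192.0.2.10 32
quit
remote-backup-service rbs1
# BAS-IP toward the web authentication server: one address for the pair,
# mapped to the shared address pool on the web authentication server
web-auth-server source 192.0.2.10
# Source of replies to CoA/DM requests: reuse this device's NAS logic IP,
# because a NAS-IP address is specified in the RADIUS server template
radius-authorization source same-as nas-logic-ip
commit
quit

# Backup device: same BAS-IP, replies to the RADIUS server from its own NAS logic IP
system-view
interface loopback 10
ip address 192.0.2.10 32
quit
remote-backup-service rbs1
web-auth-server source 192.0.2.10
radius-authorization source same-as nas-logic-ip
commit
quit

# If no NAS-IP address is specified in the RADIUS server template, specify an
# explicit per-device source instead (addresses assumed), in the RBS view:
#   master: radius-authorization source 192.0.2.11
#   backup: radius-authorization source 192.0.2.12
```

Whichever form is used, the address the RADIUS authorization server learns from the accounting records must be the one the replies are sent from, otherwise the server's source address check on CoA/DM replies fails.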

13.6.9 Binding the RBP to a User Access Interface
The RBP bound to a user access interface must be created in the system view. Otherwise, the binding fails.

Context
Perform the following steps on each of the devices that back up each other:

Procedure
Step 1 Run system-view
The system view is displayed.


Step 2 Run interface interface-type interface-number
The interface view is displayed. The interface is the user access interface.
Step 3 Run remote-backup-profile profile-name
The RBP is bound to the interface.

NOTE

An RBP can be bound to multiple sub-interfaces of the same main interface.

Step 4 Run commit
The configuration is committed.

----End

13.6.10 (Optional) Enabling the Backup Device to Discard DHCPv4 Release Messages in RUI Scenarios
This section describes how to enable the backup device to discard DHCPv4 Release messages sent by users, so that the logout reasons recorded on the master and backup devices are the same.

Context
In RUI scenarios, if both the master and backup devices receive DHCPv4 Release messages, the logout reasons recorded on the master and backup devices may differ because the two devices process the message at different times. To enable the backup device to discard DHCPv4 Release messages without processing them, run the access packet dhcp release rui-slave discard command, so that the logout reasons are consistent on the master and backup devices.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run access packet dhcp release rui-slave discard
The backup device is enabled to discard DHCPv4 Release messages in RUI scenarios.

----End

13.6.11 (Optional) Configuring an Upper Threshold for the User Access Rate on the Backup Device
This section describes how to configure an upper threshold for the user access rate on the
backup device in a dual-device hot backup scenario.

Context
In a dual-device hot backup scenario, users first go online through the master device, and their entries are then created on the backup device through RUI backup. The following steps set an upper threshold for the rate at which the backup device accepts these users. After the modification, the system dynamically adjusts the user access rate based on the CPU usage, and the rate never exceeds the upper threshold.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run peer-backup rui-trigger-speed trigger-speed

An upper threshold is configured for the user access rate on the backup device in a dual-
device hot backup scenario.

This command must be run on both the master and backup devices.

Step 3 Run commit

The configuration is committed.

----End

13.6.12 (Optional) Binding a Static Route Tag to the RBS
In a dual-device hot backup scenario, if IP addresses are allocated using a RADIUS server instead of an address pool, you need to bind a static route tag to the remote backup service (RBS) to implement master/backup traffic switchover.

Context
In a dual-device hot backup scenario, if IP addresses are allocated using a RADIUS server
instead of an address pool, you need to bind a static route tag to the RBS and specify a cost
for the static route. If an NNI on the master device fails, the outbound interface of the static
route can be directed to the protection tunnel to switch traffic to the backup device. This
reduces the impact of the fault on user services.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run remote-backup-service service-name

The RBS view is displayed.

Step 3 Run static-route if-match NULL interface-number tag tag-num [ metric metric-num ] [ rui-slave ]

A static route tag is bound to the RBS, and a cost is specified for the static route.

This command must be run on both the master and backup devices. In addition, rui-slave
must be configured on the backup device. Otherwise, traffic flaps between the two devices.

If metric metric-num is configured, the cost configured on the master device must be less
than that configured on the backup device, so that the route on the master device is
preferentially selected.


Step 4 Run commit
The configuration is committed.

----End

13.6.13 (Optional) Configuring a Session ID Range for PPPoE Users
This section describes how to configure a range of session IDs that can be assigned to PPPoE
users to prevent hot backup failures due to session ID conflicts in RUI scenarios where one
MAC address maps to multiple sessions.

Context
In RUI scenarios where one MAC address maps to multiple sessions, users with the same
MAC address may go online from different devices and be assigned the same session ID. In
this case, if the master device backs up user entries to the backup device, the users may fail to
go online due to a session ID conflict. Therefore, configure different session ID ranges on the
master and backup devices to prevent the master and backup device from assigning the same
session ID to users.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run pppoe-server rui remote-mac session-id start-session-id start-session-id end-session-id end-session-id
A session ID range is configured for PPPoE users.
Step 3 Run commit
The configuration is committed.

----End
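The following added example, not from the original guide, combines 13.6.12 and 13.6.13 to show the settings that must deliberately differ between the two devices of a pair. The RBS name rbs1, the tag value, the NULL interface number and the way the session ID space is split are assumptions; the range 1 to 65534 is the usable 16-bit PPPoE session ID space (0 and 0xFFFF are reserved by the PPPoE specification), which is my addition rather than a value from the guide. Lines beginning with # are annotations.

```text
# Master device
system-view
remote-backup-service rbs1
# Same tag on both devices; the lower cost here makes this route preferred
static-route if-match NULL 0 tag 100 metric 10
quit
# Lower half of the session ID space
pppoe-server rui remote-mac session-id start-session-id 1 end-session-id 32767
commit
quit

# Backup device
system-view
remote-backup-service rbs1
# Same tag, higher cost, and rui-slave so that traffic does not flap between the devices
static-route if-match NULL 0 tag 100 metric 20 rui-slave
quit
# Upper half of the session ID space: disjoint from the master's range
pppoe-server rui remote-mac session-id start-session-id 32768 end-session-id 65534
commit
quit
```

Before committing, confirm that the two ranges do not overlap and that the backup device's metric is the higher one; an overlapping range reintroduces the session ID conflict described above, and equal or inverted metrics defeat the master-preferred routing.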

13.6.14 Checking the Configurations


After the configuration is complete, you can view details about the remote server and the
remote backup service type, which is BRAS.

Context
Run the following commands to check the previous configuration.

Procedure
l Run the display remote-backup-profile [ profile-name ] command to check RBP
information.
l Run the display remote-backup-service [ service-name [ verbose ] ] command to check
RBS information.
l Run the display backup-user [ user-id user-id | username user-name ] command to
check backup user information.


l Run the display access-user interface interface-type interface-number [ normal | [ rui-local | rui-remote ] [ master | slave ] ] command to check information about the access users on a specified interface.
----End

Example
Run the display remote-backup-profile command to view RBP information, including the
name of the remote backup service, name of the interface bound to a Virtual Router
Redundancy Protocol (VRRP) backup group, name of the user access interface bound to the
RBP, protocol used to detect the link status, RBP status, and backup mode.
<HUAWEI>display remote-backup-profile profile1
--------------------------------------------
Profile-Index : 0x802
Profile-Name : profile1
Service : bras
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : GigabitEthernet0/1/0.2
Access-Control : Odd-Mac
State : Master
Peer State : Slave
VRRP-ID : 2
VRRP-Interface : GigabitEthernet0/1/0.3
Access-Control : Even-Mac
State : Slave
Peer State : Master
Interface :
GigabitEthernet0/1/0.1
Backup mode : hot
Slot-Number : 1
Card-Number : 0
Port-Number : 0
Traffic interval : 10(minutes)

Run the display remote-backup-service command to view information about the RBS,
including the server index number, server name, TCP connection status, remote IP address,
local IP address, TCP port number, tunnel name, and IP address pool name.
<HUAWEI>display remote-backup-service rui
----------------------------------------------------------
Service-Index : 0
Service-Name : rui
TCP-State : Connected
Peer-ip : 10.0.0.1
Source-ip : 10.0.0.2
TCP-Port : 11111
Track-BFD : --
Track-interface0 : GigabitEthernet0/3/0
Weight :10
Track-interface1 : GigabitEthernet0/3/1
Weight :10
Last up time :2011-08-25 11:56:37
-----------------------------------------------------------------
ip pool:
poolv4_yyz metric 10
r3 metric 10
r4 metric 20
remotev4 metric 10
ipv6 pool:
1234 metric 10
iana_yyz metric 10
iapd_yyz metric 10
lo metric 10
loc_vpn metric 10
nd metric 10
pd metric 10
remote_del_yyz metric 10
remotev6_yyz metric 10
L2tp tunnel source:
loopback0
loopback1
Failure ratio : 50%
Failure duration :0 min
Rbs-ID : 0
Protect-type : public(lsp)
Tunnel-policy : tp1
Peer-ip : 10.0.0.1
Vrfid : 0
Tunnel-state : UP
Tunnel-OperFlag: NORMAL
Spec-interface : Null
Total users : 100
Path 1:
Tunnel-index : 0xc000003
Out-interface : GigabitEthernet0/3/2
Vc-label : 0
User-number : 100

Run the display backup-user command to view information about backup users, including
the number of local and remote users.
<HUAWEI> display backup-user
Remote-backup-service: rbs2
Total Users Numer: 10
------------------------------------------------------------------------
100 101 102 103 104 105 106 107 108 109
------------------------------------------------------------------------
Local Users Number :10
Remote Users Number :0

Run the display access-user interface command to view information about the access users
on a specified interface.
<HUAWEI>display access-user interface GigabitEthernet 0/1/2.1
------------------------------------------------------------------------------
UserID Username Interface IP address MAC
Vlan IPv6 address Access type
------------------------------------------------------------------------------
1 user1@huawei GE0/1/2.1 192.168.7.199 0016-ecb7-a879
-/- - PPPoE
------------------------------------------------------------------------------
2 user2@huawei GE0/1/2.1 - 0016-ecb7-a876
-/- - 99::/64 PPPoE
Normal users : 0
RUI Local users : 2
RUI Remote users : 0
Total users : 2

13.7 Configuring Multi-Device Backup for IPv6 BRAS User Information
After multi-device backup of BRAS user information is enabled on IPv6 networks, users do
not need to re-dial up, QoS scheduling remains unchanged, accounting information is not lost,
and users can go online through new locations after a master/backup switchover.


Configuration Procedures
Perform one or more of the following configurations (excluding checking the configuration)
as required.

13.7.1 Establishing a Multi-Device Backup Platform


A multi-device backup platform can be established to back up user information between
multiple devices. If a node or link between devices becomes abnormal, this function rapidly
switches user services to a standby link, improving service reliability.

Prerequisites
Before establishing a multi-device backup platform, complete the following tasks:
l Configure peer BFD, link BFD, or Ethernet OAM on the user side.
l Configure peer BFD on the network side.
l Configure a local or remote address pool. The same address pool must be configured on
devices that back up one another.

Background
Based on a VRRP backup group, a multi-device backup platform runs the Huawei-proprietary
Redundancy User Information (RUI) protocol to back up user information between devices,
which allows for more flexible user service management and improves service reliability.
Establishing a multi-device backup platform involves configuring basic functions of a VRRP
backup group, a remote backup service (RBS), and a remote backup profile (RBP).
Perform the following steps on each of the devices that back up one another:

Procedure
l Configure basic functions of a VRRP backup group.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number [.subinterface-number ]
The view of the interface on which a VRRP backup group is configured is
displayed.
c. Run vrrp vrid virtual-router-id virtual-ip virtual-address
A VRRP backup group is created, and a virtual IP address is assigned to the VRRP
backup group.

NOTE

The same VRID and virtual IP address must be set on each of devices that back up one
another.
d. Run admin-vrrp vrid virtual-router-id [ ignore-if-down ]
This VRRP backup group is configured as an mVRRP backup group.
e. Run vrrp vrid virtual-router-id priority priority-value
The priority of a device in the VRRP backup group is configured.


The devices in the VRRP backup group must be assigned different VRRP priorities.
The device with a higher priority serves as the master one.
f. Run vrrp vrid virtual-router-id preempt-mode timer delay delay-value
The preemption delay is set in a VRRP backup group.
Run this command on the device intended to be the master so that, after its fault is rectified, it preempts the master role only after services have been restored.
The recommended preemption delay depends on the service type:
n In an IPv4 single-stack scenario, the minimum preemption delay is 10 minutes. Increase the value by 1 minute for every 6K users. If 256K users get online through a device, setting the value to 40 minutes is recommended.
n In an IPv4 and IPv6 dual-stack scenario, the minimum preemption delay is 10 minutes. Increase the value by 1 minute for every 6K users. If 128K users get online through a device, setting the value to 40 minutes is recommended.
n When IPv4 single-stack and EDSG services are configured, the minimum preemption delay is 15 minutes. Increase the value by 1 minute for every 4K users. If 256K users get online through a device, setting the value to 60 minutes is recommended.
n When IPv4 and IPv6 dual-stack and EDSG services are configured, the minimum preemption delay is 15 minutes. Increase the value by 1 minute for every 4K users. If 128K dual-stack users get online through a device, setting the value to 60 minutes is recommended.
g. Run commit
The configuration is committed.
l Configure an RBP.
a. (Optional) Run peer-backup batch access enable
The device is configured to allow users to get online when performing batch
backup.
b. Run system-view
The system view is displayed.
c. Run remote-backup-profile profile-name
An RBP is created, and the RBP view is displayed.
d. Run peer-backup hot
Inter-device hot backup is enabled.
e. Run vrrp-id vrid interface interface-type interface-number
The RBP is bound to the VRRP backup group.
n In multi-device backup networking, using load balancing improves link usage.
To load-balance traffic, use either of the following parameters:
○ odd-mac: user packets with odd MAC addresses
○ even-mac: user packets with even MAC addresses
n If odd-mac or even-mac is not configured, the vrrp-id command only binds a
single VRRP backup group ID to an RBP and associates the RBP with a single
VRRP sub-interface. If load balancing is required, run the vrrp-id command


twice, with odd-mac and even-mac configured, respectively. Two VRRP backup group IDs must be bound to the same RBP and be associated with different VRRP sub-interfaces. In addition, odd-mac and even-mac must be configured for different VRRP backup groups with specific IDs. The two devices that load-balance traffic must have the same configuration, including the binding between the VRRP backup group ID and even or odd MAC address type.
n Before modifying the setting of odd-mac or even-mac, run the undo vrrp-id
vrid command to delete the configuration. Then run the vrrp-id vrid command
to reconfigure the setting.
f. Run backup-id backup-id remote-backup-service service-name
The RBP is associated with the RBS, and the user backup ID in the RBP is set.
backup-id sets a user backup ID. The RBP to which a user belongs can be
determined based on the backup-id and RBS. Note that the same backup-id value
must be set for devices that back up one another in the same RBP, and different
backup-id values must be set in other RBPs.
g. Run service-type { arp | l2tp | bras | multicast | igmp | igmp-snooping | no-host-multicast | dhcp-server }
Remote backup for user services is enabled.
h. (Optional) Run acct-session-id nas-logic-sysname host-name
A logic host name is configured to generate an RUI user accounting ID.
i. Run commit
The configuration is committed.
l Configure an RBS.
a. Run system-view
The system view is displayed.
b. Run remote-backup-service service-name
An RBS is created, and the RBS view is displayed.
c. (Optional) Run bind ssl-policy ssl-policy-name
An SSL policy is created and bound to a TCP connection.

NOTE
The RBS TCP connection has no authentication mechanism by default, so user information is backed up over an unauthenticated channel. Binding the RBS to an SSL policy is recommended to authenticate and protect the connection between the devices.
d. Run peer peer-ip-address source source-ip-address port port-id
Parameters of a TCP connection for the RBS are set.
peer-ip-address sets the IP address of a remote device that backs up the local
device. source-ip-address sets the IP address of a local device. The remote IP
address must already exist on the remote device's main interface, sub-interface, or
logical interface (for example, loopback interface). The local IP address must
already exist on the local device's main interface, sub-interface, or logical interface.
The local and remote IP addresses must be pinged by each other.
port-id indicates the listening port number of a server. The same TCP port number
must be set on devices that back up one another.


e. (Optional) Run batch-backup service-type { arp | all | bras | l2tp | multicast | igmp-snooping | dhcp-server } now
The device is enabled to immediately back up user services configured in the RBS.
f. (Optional) Run track interface interface-name [ weight weight ]
The RBS is configured to monitor the network-side interface status and check
whether the TCP connection for the RBS fails or recovers.
If devices have multiple uplinks with different bandwidth values, configure
different weights for the inbound interfaces based on the uplink bandwidths. If the
interfaces have different rates, set weights based on their rates. Set a greater weight
for a 10GE interface than a GE interface. For example, interface A is 10GE, and the
bandwidth planned for RUI is 5 Gbit/s; interface B is GE, and the bandwidth
planned for RUI is 1 Gbit/s; interface C is GE, and the bandwidth planned for RUI
is 0.5 Gbit/s. If you use interface B as a reference interface and set its weight to 10,
the weight of interface A is 50 and that of interface C is 5.

NOTE
The formula is as follows:
Fault rate = Total weight of faulty interfaces/Total weight of interfaces x 100%
If interfaces B and C fail, the fault rate is as follows:
(10 + 5)/(50 + 10 + 5) x 100% = 23%
If interface A fails, the fault rate is as follows:
50/(50 + 10 + 5) x 100% = 77%
g. (Optional) Run switchover uplink { failure-ratio failure-ratio | duration duration } *
The threshold for a master/backup switchover due to uplink failures and the
duration before the switchover is complete are set.
When you run the track interface command, the weights specified must comply
with the rules of the master/backup VRRP switchover. If a master/backup
switchover is performed based on the fault rate of uplinks but a master/backup
VRRP switchover is not performed, the backup device forwards the network-side
traffic back to the master device for processing after receiving the traffic from the
master device. In this case, the master device is congested with traffic because the
master/backup switchover is not performed at the same time as the master/backup
VRRP switchover.
When you run the switchover uplink command to configure a master/backup switchover to be performed based on the fault rate of uplinks, also run the peer-backup route-cost auto-advertising command in the system view to enable both devices to automatically generate address pool user network routes (UNRs). In this situation, when a master/backup switchover is performed based on the fault rate of uplinks, the priority of a UNR is reduced, but no UNRs are withdrawn. This configuration prevents downstream traffic from being interrupted.
h. (Optional) Run track monitor-group group-name switchover failure-ratio
percent
The RBS is configured to track the interface group status.
If the track interface command has been run in the RBS view, the device automatically deletes the track interface and switchover uplink configurations after the track monitor-group command is run. The device then determines a master/backup switchover based on the track monitor-group command.
i. (Optional) Run track route-monitor-group group-name switchover failure-ratio
percent
A link fault threshold (in percentage) that triggers a master/backup switchover is set
for the route monitor group on the network side.
If the track interface command is run in the RBS view, the device automatically
deletes the track interface command after the track route-monitor-group
switchover failure-ratio command is run. The device then determines a master/
backup switchover based on the track route-monitor-group switchover failure-
ratio command.
j. (Optional) Run track bfd-session bfd-session
The RBS tracks the BFD status so that the RBS can rapidly monitor the remote
device status.

NOTE

This step is recommended. Before running this command, ensure that a peer BFD session is
established between the master and backup devices on the network side.
k. (Optional) Run radius-authorization source same-as nas-logic-ip
The device is configured to reply to the RADIUS server with packets in which the
source IP address is the same as the NAS IP address.
l. Run commit
The configuration is committed.
----End
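The following is an added end-to-end example, not from the original guide, of the three procedures above on a pair of devices that load-balance by MAC parity. Interface numbers, addresses, VRIDs, the names rbs1, rbp1, rbs-ssl and bfd-to-peer, the weights (50, 10 and 5, taken from the bandwidth planning discussion above) and the failure ratio are assumptions. The ssl policy that rbs-ssl refers to, the BFD session, and the VRRP tracking of the uplinks are configured outside this section and are not shown. The preemption delay is written as 600 on the assumption that the command takes seconds, which corresponds to the 10-minute minimum given above; the duration is written in minutes, as the "Failure duration" field of display remote-backup-service in 13.6.14 suggests. Lines beginning with # are annotations, not device input.

```text
# Device A: master for VRID 1 (odd MACs), backup for VRID 2 (even MACs)
system-view
interface GigabitEthernet0/1/0.2
vrrp vrid 1 virtual-ip 10.1.1.254
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 600
quit
interface GigabitEthernet0/1/0.3
vrrp vrid 2 virtual-ip 10.1.2.254
admin-vrrp vrid 2
vrrp vrid 2 priority 100
quit
# RBS: SSL-protected TCP channel to the peer plus uplink tracking
remote-backup-service rbs1
bind ssl-policy rbs-ssl
peer 10.0.0.2 source 10.0.0.1 port 11111
# Weights from the planning above: A = 10GE carrying 5 Gbit/s of RUI traffic,
# B = GE carrying 1 Gbit/s, C = GE carrying 0.5 Gbit/s (B is the reference, weight 10)
track interface GigabitEthernet0/3/0 weight 50
track interface GigabitEthernet0/3/1 weight 10
track interface GigabitEthernet0/3/2 weight 5
# Fault rate if GE0/3/0 fails: 50/65 = 77%, above the threshold -> switchover
# Fault rate if GE0/3/1 and GE0/3/2 fail: 15/65 = 23% -> no switchover
switchover uplink failure-ratio 50 duration 1
track bfd-session bfd-to-peer
radius-authorization source same-as nas-logic-ip
quit
# Keep address pool UNRs advertised (with reduced priority) during an uplink-triggered switchover
peer-backup route-cost auto-advertising
# RBP: hot backup, two VRRP groups split by MAC parity, one backup ID for the pair
remote-backup-profile rbp1
peer-backup hot
vrrp-id 1 interface GigabitEthernet0/1/0.2 odd-mac
vrrp-id 2 interface GigabitEthernet0/1/0.3 even-mac
backup-id 10 remote-backup-service rbs1
service-type bras
quit
# Bind the RBP to the user access interface (created in the system view first)
interface GigabitEthernet0/1/0.1
remote-backup-profile rbp1
quit
commit

# Device B: identical to device A except for the lines below, so that VRID 2 is mastered by B
#   vrrp vrid 1 priority 100
#   vrrp vrid 2 priority 120
#   vrrp vrid 2 preempt-mode timer delay 600
#   peer 10.0.0.1 source 10.0.0.2 port 11111
# VRIDs, virtual IPs, port 11111, backup-id 10 and the odd-mac/even-mac bindings
# must be the same on both devices.
```

After committing on both devices, display remote-backup-service rbs1 should show TCP-State Connected and the configured Failure ratio, and display remote-backup-profile rbp1 should list both VRRP groups with the expected Access-Control value and opposite State/Peer State. The failure-ratio threshold should be chosen together with the VRRP uplink tracking so that the RBS switchover and the VRRP switchover happen for the same set of faults; otherwise, as the text above notes, the backup device ends up forwarding network-side traffic back to the congested master.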

13.7.2 (Optional) Disabling User Information Remote Backup in a Specified Domain
User information remote backup can be disabled for users who get online from a specified
domain as required.

Context
User information remote backup is enabled by default for users who get online through an
AAA domain. To disable this function, run the undo peer-backup enable command.
Information about authenticated users will then not be backed up even if hot backup is
enabled on the user access interface.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name

The AAA domain view is displayed.


Step 4 Run undo peer-backup enable
User information remote backup is disabled for users getting online from a specified domain.

NOTE

The user information remote backup configuration cannot be modified in the view of an AAA domain
where users have logged in. To be specific, if user information remote backup configuration is disabled,
the peer-backup enable command cannot be run. If user information remote backup configuration is
enabled, the undo peer-backup enable command cannot be run.

Step 5 Run commit
The configuration is committed.

----End

13.7.3 Setting NAS Parameters
By setting NAS parameters, you ensure that the master and backup devices send the same information to the remote (RADIUS and DHCP) servers.

Context
To allow users to log in through the backup device and be authenticated again after a switchover, perform the following operations on the devices that back up each other:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run remote-backup-profile profile-name
The RBP view is displayed.
Step 3 Run service-type bras
The RBS of the BRAS user information is enabled.
Step 4 Run nas { logic-ip ip-address | logic-port [ interface-name | interface-type interface-number ]
| logic-sysname host-name }
The logic IP address, logic interface, and logic host name are configured. Ensure that the devices that back up each other send the same NAS-IP-Address, NAS-Port, NAS-Port-ID, and Option 82 values in the packets sent to the RADIUS and DHCP servers.
By default, you are advised to set the NAS-IP-Address on the master device to be the same as that on the backup device. If you run the radius-authorization source same-as nas-logic-ip command so that the NAS-IP-Address is also used as the source IP address of packets sent to the RADIUS server, the master and backup devices must have different NAS-IP-Address values. If the RADIUS server performs binding checks on the NAS-IP-Address, the master and backup devices must have the same NAS-IP-Address value, and in this case the NAS-IP-Address cannot be used as the source IP address of packets sent to the RADIUS server.
Step 5 Run commit


The configuration is committed.

----End
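The following added example, not from the original guide, shows the two mutually exclusive choices described above for one pair of devices. The RBP name rbp1, the RBS name rbs1, the interface, the host name and the addresses are assumptions. Lines beginning with # are annotations, not device input.

```text
# Both devices: identical NAS-Port, NAS-Port-ID, Option 82 and Acct-Session-Id derivation
system-view
remote-backup-profile rbp1
service-type bras
nas logic-port GigabitEthernet0/1/0.1
nas logic-sysname bras-pair-1
acct-session-id nas-logic-sysname bras-pair-1

# Choice 1 (default recommendation, and mandatory when the RADIUS server performs
# binding checks on NAS-IP-Address): the same NAS-IP on both devices
nas logic-ip 192.0.2.100
quit
remote-backup-service rbs1
# The NAS-IP must then not be the RADIUS source; use an explicit per-device
# address instead (device A shown; device B uses its own address)
radius-authorization source 192.0.2.1
quit
commit

# Choice 2: the NAS-IP is also the source of packets sent to the RADIUS server,
# so the two devices need different NAS-IP values (device A / device B):
#   nas logic-ip 192.0.2.101            /   nas logic-ip 192.0.2.102   (in the RBP view)
#   radius-authorization source same-as nas-logic-ip                  (in the RBS view, on both)
```

Mixing the two choices (the same logic-ip on both devices together with same-as nas-logic-ip) leaves the RADIUS authorization server unable to tell which device to send CoA/DM requests to, so check the pair as a whole rather than each device on its own.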

13.7.4 (Optional) Setting the Interval for Backing Up Traffic or the Traffic Threshold
If the interval and traffic threshold are both set to 0, user traffic is not backed up.

Context
To ensure that user traffic can be backed up in real time, perform the following operations on
the devices that back up each other:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run remote-backup-profile profile-name

The RBP view is displayed.

Step 3 Run traffic backup { interval interval-value [ threshold threshold-value ] | threshold threshold-value [ interval interval-value ] }

The interval for backing up traffic or the traffic threshold is set.

Step 4 Run commit

The configuration is committed.

----End

13.7.5 Configuring User Information Backup in Shared IP Address Pool Mode
Shared address pool mode requires additional links (a protection tunnel between the master and backup devices) but allows flexible networking.

Context
If the exclusive IP address pool mode is used, a great number of address pools are needed.
This wastes addresses. The shared IP address pool mode addresses this problem. To adopt the
shared IP address pool mode, the following conditions must be met:

l Address pools are not bound to an RBP.
l Both the master and backup devices need to advertise the address pool segment routes and require route policy configuration, so that the address pool segment route advertised by the master device has a higher priority, preventing load balancing on network-side devices.
l A protection tunnel, such as an LSP, needs to be set up between the master and backup devices. When an uplink fails, the downstream traffic is directed to the protection tunnel.


l The address pool is bound to an RBS, that is, the ip-pool pool-name [ metric metric-
num ] or ipv6-pool pool-name [ metric metric-value ] command is configured in the
RBS view. This ensures that network-side traffic can be forwarded through the protection
tunnel before the host route is generated.
NOTE

Only the primary address, not the secondary address pool, is bound to the RBS.

Perform the following configurations on the devices that back up each other:

Procedure
l Configure a protection tunnel template for public and private networks.
a. Run system-view
The system view is displayed.
b. Run remote-backup-service service-name
The RBS view is displayed.
c. Run protect lsp-tunnel for-all-instance peer-ip ip-address
The protection tunnel template is configured for both public and private networks.

NOTE
The protect lsp-tunnel for-all-instance peer-ip command configures a protection tunnel template for both the public network and VPNs. After the command is run, a public protection tunnel is automatically created, and VPN protection tunnel creation is triggered by user login. As a result, protection tunnels do not need to be created for each VPN, simplifying tunnel configuration.
To configure a specific public protection tunnel, run the protect tnl-policy policy-name peer-ip ip-address [ interface interface-type interface-number ] command. To configure a specific private protection tunnel, run the protect ip-vpn-instance vpn-instance-name peer-ip ip-address [ interface interface-type interface-number ] command. These two commands can be configured together with the protect lsp-tunnel for-all-instance peer-ip command and take precedence over it. Manual tunnel configuration takes effect only for IPv4. IPv6 still uses the simplified (template) tunnels for forwarding.
d. Run ip-pool pool-name [ metric metric-num ] for an IPv4 user, or ipv6-pool pool-name
[ metric metric-value ] for an IPv6 user

The primary address pool is bound to the RBS.

n For an IPv4 user, run the ip-pool pool-name [ metric metric-num ] command.
n For an IPv6 user, run the ipv6-pool pool-name [ metric metric-value ]
command.
e. (Optional) Run dhcpv6-server destination destination-ipv6-address source
source-ipv6-address [ vpn-instance vpn-instance ]

Inter-chassis borrowing of IPv6 addresses is configured.


f. Run commit

The configuration is committed.


----End

13.7.6 Configuring User Information Backup in Exclusive Address Pool Mode
In exclusive address pool mode, each RBP is bound to an address pool to control the
advertisement and withdrawal of network segment routes of the address pool.

Context
In exclusive address pool mode, an address pool is configured for each interface and bound to
an RBP. When an RBP is in the master state, the RBP advertises network segment routes of
the address pool to the network side. When an RBP is in the backup state, the RBP withdraws
network segment routes of the address pool. In this way, the RBP controls the advertisement
and withdrawal of network-side routes to ensure that network-to-user traffic is always
forwarded on the master device. The forwarding paths of network-to-user traffic are therefore
controlled based on interfaces.
Perform the following steps on an RBP backup group.

Procedure
l RADIUS-authorized address pool scenarios:
a. Run system-view
The system view is displayed.
b. Run ipv6 pool pool-name bas local
A local IPv6 address pool is created and the IPv6 address pool view is displayed.
c. Run prefix
The IPv6 prefix pool view is displayed and prefixes are configured in the IPv6
prefix pool.
d. Run quit
Exit the IPv6 prefix pool view.
e. Run quit
Exit the IPv6 address pool view.
f. Run remote-backup-profile profile-name
The remote backup profile view is displayed.
g. Run ipv6-pool source-pool-name include destination-pool-name [ node node-id ]
A source IPv6 address pool is mapped to a destination address pool.
h. Run ipv6-pool destination-pool-name
An IPv6 address pool is configured.
The name of the IPv6 address pool is specified by destination-pool-name in the
preceding step.
i. Run commit

The configuration is committed.


l Locally-authorized address pool scenarios:
– Divide domains based on links and bind each domain to an address pool:
a. Run system-view

The system view is displayed.


b. Run ipv6 pool pool-name bas local

A local IPv6 address pool is created.


c. Run prefix

Prefixes are configured in the IPv6 prefix pool.


d. Run aaa

The AAA view is displayed.


e. Run domain

The AAA domain view is displayed.


f. Run ipv6-pool pool-name

The IPv6 address pool is bound to a domain.


g. Run quit

Exit the AAA domain view.


h. Run quit

Exit the AAA view.


i. Run remote-backup-profile profile-name

The remote backup profile view is displayed.


j. Run ipv6-pool pool-name

An IPv6 address pool is configured.


k. Run commit

The configuration is committed.


– Map a source IPv6 address pool to a destination address pool:
a. Run system-view

The system view is displayed.


b. Run ipv6 pool pool-name bas local

A local IPv6 address pool is created.


c. Run aaa

The AAA view is displayed.


d. Run domain

The AAA domain view is displayed.


e. Run ipv6-pool pool-name

The IPv6 address pool is bound to a domain.

f. Run quit
Exit the AAA domain view.
g. Run quit
Exit the AAA view.
h. Run ipv6 pool pool-name bas local
A local IPv6 address pool is created.
i. Run prefix
Prefixes are configured in the IPv6 prefix pool.
j. Run quit
Exit the IPv6 address pool view.
k. Run remote-backup-profile profile-name
The remote backup profile view is displayed.
l. Run ipv6-pool source-pool-name include destination-pool-name [ node node-id ]
A source IPv6 address pool is mapped to a destination address pool.
m. Run ipv6-pool destination-pool-name
An IPv6 address pool is configured.
The name of the IPv6 address pool is specified by destination-pool-name in the
preceding step.
n. Run commit
The configuration is committed.
----End

13.7.7 (Optional) Configuring IP Addresses for Web Authentication and RADIUS Authorization Servers
The source IP address of the master and backup devices is the same as the BAS-IP address of
the web authentication server and the NAS-IP address of the RADIUS authorization server.

Context
In hot backup scenarios, the mapping between address pools and BAS-IP addresses must be
specified on the web authentication server for each pair of master and backup devices. An IP
address pool is shared only between the master and backup devices. Therefore, each pair of
master and backup devices must have a source IP address to communicate with the web
authentication server. The web-auth-server source [ vpn-instance vpn-instance-name ]
source-ip-address command specifies the source IP address of portal packets sent by the
router to the web authentication server as the BAS-IP address.
In CoA and DM applications, the RADIUS authorization server sends requests to the Router,
and the Router responds to the RADIUS authorization server. The RADIUS server then
checks the source IP address of reply packets for security. In N:1 hot backup scenarios, the
RADIUS authorization server determines the IP address of the Router to which authorization
packets are sent based on the user's bill information. This IP address can be a NAS-IP address
or the address that the Router uses to exchange accounting-start packets with the RADIUS
server.
To ensure that the RADIUS authorization server sends authorization packets to the exact
Router, run the radius-authorization source command to specify a source IP address for
each pair of master and backup devices. To ensure that the source IP address in the packets
sent by the Router to the RADIUS server is the same as the NAS-IP address, run the radius-
authorization source same-as nas-logic-ip command. Alternatively, run the radius-
authorization source [ vpn-instance vpn-instance-name ] source-ip-address command to
specify a source IP address.
Perform the following operations on both routers that back up each other:

Procedure
l Configure the source IP address of portal packets sent by the Router to the web
authentication server as the BAS-IP address, which is used independently by the web
authentication server.
a. Run system-view
The system view is displayed.
b. Run interface loopback interface-number
A loopback interface is created, and the interface view is displayed.
c. Run ip address ip-address { mask | mask-length }
An IP address is configured for the loopback interface.
d. Run quit
Exit the interface view.
e. Run remote-backup-service service-name
The remote backup service view is displayed.
f. Run web-auth-server source [ vpn-instance vpn-instance-name ] source-ip-
address
The loopback interface's IP address is configured as the BAS-IP address used
independently by the web authentication server.
g. Run commit
The configuration is committed.
l Set the source IP address of the master and backup devices to be the same as the NAS-IP
address of the RADIUS authorization server.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run ip address ip-address { mask | mask-length }
An IP address is configured for the interface.
d. Run quit
Exit the interface view.

e. Run remote-backup-service service-name


The remote backup service view is displayed.
f. Run radius-authorization source same-as nas-logic-ip or radius-authorization
source [ vpn-instance vpn-instance-name ] source-ip-address
The NAS IP address of the RADIUS authorization server is set to be the same as
the source IP address of the master and backup devices.

NOTE

If a NAS-IP address is specified in the RADIUS server template, run the radius-
authorization source same-as nas-logic-ip command; otherwise, run the radius-
authorization source [ vpn-instance vpn-instance-name ] source-ip-address command.
g. Run commit
The configuration is committed.
----End

13.7.8 Binding the RBP to a User Access Interface


The RBP bound to a user access interface must be created in the system view. Otherwise, the
binding fails.

Context
Perform the following steps on each of the devices that back up each other:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed. The interface is the user access interface.
Step 3 Run remote-backup-profile profile-name
The RBP is bound to the interface.

NOTE

An RBP can be bound to multiple sub-interfaces of the same main interface.

Step 4 Run commit


The configuration is committed.

----End

13.7.9 (Optional) Configuring an Upper Threshold for the User Access Rate on the Backup Device
This section describes how to configure an upper threshold for the user access rate on the
backup device in a dual-device hot backup scenario.

Context
In a dual-device hot backup scenario, after users access the master device, they will access the
backup device. When modifying the user access rate, you can perform the following steps to
modify the upper threshold for the rate. After the modification is complete, the system
dynamically adjusts the user access rate based on the CPU usage, with the rate never
exceeding the upper threshold.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run peer-backup rui-trigger-speed trigger-speed
An upper threshold is configured for the user access rate on the backup device in a dual-
device hot backup scenario.
This command must be run on both the master and backup devices.
Step 3 Run commit
The configuration is committed.

----End

13.7.10 (Optional) Binding a Static Route Tag to the RBS


In a dual-device hot backup scenario, if IP addresses are allocated using a RADIUS server
instead of an address pool, you need to bind a static route tag to the remote backup service
(RBS) to implement master/backup traffic switchover.

Context
In a dual-device hot backup scenario, if IP addresses are allocated using a RADIUS server
instead of an address pool, you need to bind a static route tag to the RBS and specify a cost
for the static route. If an NNI on the master device fails, the outbound interface of the static
route can be directed to the protection tunnel to switch traffic to the backup device. This
reduces the impact of the fault on user services.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run remote-backup-service service-name
The RBS view is displayed.
Step 3 Run static-route if-match NULL interface-number tag tag-num [ metric metric-num ] [ rui-
slave ]
A static route tag is bound to the RBS, and a cost is specified for the static route.
This command must be run on both the master and backup devices. In addition, rui-slave
must be configured on the backup device. Otherwise, traffic flaps between the two devices.

If metric metric-num is configured, the cost configured on the master device must be less
than that configured on the backup device, so that the route on the master device is
preferentially selected.
Step 4 Run commit
The configuration is committed.

----End

13.7.11 (Optional) Configuring a Session ID Range for PPPoE Users
This section describes how to configure a range of session IDs that can be assigned to PPPoE
users to prevent hot backup failures due to session ID conflicts in RUI scenarios where one
MAC address maps to multiple sessions.

Context
In RUI scenarios where one MAC address maps to multiple sessions, users with the same
MAC address may go online from different devices and be assigned the same session ID. In
this case, if the master device backs up user entries to the backup device, the users may fail to
go online due to a session ID conflict. Therefore, configure different session ID ranges on the
master and backup devices to prevent the master and backup device from assigning the same
session ID to users.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run pppoe-server rui remote-mac session-id start-session-id start-session-id end-session-
id end-session-id
A session ID range is configured for PPPoE users.
Step 3 Run commit
The configuration is committed.

----End

13.7.12 Checking the Configurations


After the configuration is complete, you can view details about the remote server and the
remote backup service type, which is BRAS.

Context
Run the following commands to check the previous configuration.

Procedure
l Run the display remote-backup-profile [ profile-name ] command to check RBP
information.

l Run the display remote-backup-service [ service-name [ verbose ] ] command to check
RBS information.
l Run the display backup-user [ user-id user-id | username user-name ] command to
check backup user information.
l Run the display access-user interface interface-type interface-number [ normal | [ rui-
local | rui-remote ] [ master | slave ] ] command to check information about the access
users on a specified interface.
----End

Example
Run the display remote-backup-profile command to view RBP information, including the
name of the remote backup service, name of the interface bound to a Virtual Router
Redundancy Protocol (VRRP) backup group, name of the user access interface bound to the
RBP, protocol used to detect the link status, RBP status, and backup mode.
<HUAWEI>display remote-backup-profile profile1
--------------------------------------------
Profile-Index : 0x802
Profile-Name : profile1
Service : bras
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : GigabitEthernet0/1/0.2
Access-Control : Odd-Mac
State : Master
Peer State : Slave
VRRP-ID : 2
VRRP-Interface : GigabitEthernet0/1/0.3
Access-Control : Even-Mac
State : Slave
Peer State : Master
Interface :
GigabitEthernet0/1/0.1
Backup mode : hot
Slot-Number : 1
Card-Number : 0
Port-Number : 0
Traffic interval : 10(minutes)

Run the display remote-backup-service command to view information about the RBS,
including the server index number, server name, TCP connection status, remote IP address,
local IP address, TCP port number, tunnel name, and IP address pool name.
<HUAWEI>display remote-backup-service rui
----------------------------------------------------------
Service-Index : 0
Service-Name : rui
TCP-State : Connected
Peer-ip : 10.0.0.1
Source-ip : 10.0.0.2
TCP-Port : 11111
Track-BFD : --
Track-interface0 : GigabitEthernet0/3/0
Weight :10
Track-interface1 : GigabitEthernet0/3/1
Weight :10
Last up time :2011-08-25 11:56:37
-----------------------------------------------------------------

ip pool:
  poolv4_yyz metric 10
  r3 metric 10
  r4 metric 20
  remotev4 metric 10
ipv6 pool:
  1234 metric 10
  iana_yyz metric 10
  iapd_yyz metric 10
  lo metric 10
  loc_vpn metric 10
  nd metric 10
  pd metric 10
  remote_del_yyz metric 10
  remotev6_yyz metric 10
L2tp tunnel source:
  loopback0
  loopback1
Failure ratio : 50%
Failure duration :0 min
Rbs-ID : 0
Protect-type : public(lsp)
Tunnel-policy : tp1
Peer-ip : 10.0.0.1
Vrfid : 0
Tunnel-state : UP
Tunnel-OperFlag: NORMAL
Spec-interface : Null
Total users : 100
Path 1:
Tunnel-index : 0xc000003
Out-interface : GigabitEthernet0/3/2
Vc-label : 0
User-number : 100
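
As an added example (not Huawei code and not part of this guide), the following Python
script parses display remote-backup-service output of the form shown above and flags the
conditions a practitioner checks first after configuring hot backup: the RBS TCP connection
not Connected, the protection tunnel not UP or not NORMAL, no address pool bound to the
RBS, and no tracked network-side interface. The sample output embedded in the script is
constructed to mirror the output above with a subset of the fields; the spacing of real device
output may differ, so the parser keys on the "Key : Value" shape rather than on column
positions.

```python
import re

# Constructed sample, modelled on the display remote-backup-service output in this
# guide (not captured from a real device).
SAMPLE_OUTPUT = """\
Service-Name : rui
TCP-State : Connected
Peer-ip : 10.0.0.1
Source-ip : 10.0.0.2
TCP-Port : 11111
Track-interface0 : GigabitEthernet0/3/0
Weight :10
Track-interface1 : GigabitEthernet0/3/1
Weight :10
Last up time :2011-08-25 11:56:37
-----------------------------------------------------------------
ip pool:
  poolv4_yyz metric 10
  r3 metric 10
  r4 metric 20
  remotev4 metric 10
ipv6 pool:
  iana_yyz metric 10
  iapd_yyz metric 10
L2tp tunnel source:
  loopback0
  loopback1
Failure ratio : 50%
Failure duration :0 min
Protect-type : public(lsp)
Tunnel-policy : tp1
Peer-ip : 10.0.0.1
Tunnel-state : UP
Tunnel-OperFlag: NORMAL
Total users : 100
"""

# "Key : Value" line; the key may contain spaces (e.g. "Last up time").
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 _-]*?)\s*:\s*(.*?)\s*$")
# One entry under "ip pool:", "ipv6 pool:" or "L2tp tunnel source:".
POOL_RE = re.compile(r"^\s*(\S+)(?:\s+metric\s+(\d+))?\s*$")
LIST_SECTIONS = ("ip pool", "ipv6 pool", "L2tp tunnel source")


def parse_rbs_display(text):
    """Turn the display output into a dict.

    Scalar fields are stored under their printed key; the first occurrence wins,
    so Peer-ip is the TCP peer rather than the protect tunnel's peer. Tracked
    interfaces (with their weights) and bound pools are collected into lists.
    """
    info = {"pools": {}, "track_interfaces": []}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue  # blank line or separator rule
        kv = KV_RE.match(line)
        if kv:
            key, value = kv.group(1), kv.group(2)
            if key in LIST_SECTIONS and value == "":
                section = key  # following lines are entries of this list
                info["pools"][key] = []
                continue
            section = None
            if key.startswith("Track-interface"):
                info["track_interfaces"].append({"interface": value, "weight": None})
            elif key == "Weight" and info["track_interfaces"]:
                info["track_interfaces"][-1]["weight"] = int(value)
            else:
                info.setdefault(key, value)
            continue
        if section is not None:
            entry = POOL_RE.match(line)
            if entry:
                metric = int(entry.group(2)) if entry.group(2) else None
                info["pools"][section].append({"name": entry.group(1), "metric": metric})
    return info


def rbs_findings(info):
    """Return the conditions that would stop RUI backup or protection from working."""
    findings = []
    if info.get("TCP-State") != "Connected":
        findings.append(f"RBS TCP connection is {info.get('TCP-State')}, not Connected")
    if info.get("Tunnel-state") != "UP":
        findings.append(f"protection tunnel state is {info.get('Tunnel-state')}, not UP")
    if info.get("Tunnel-OperFlag") != "NORMAL":
        findings.append(f"protection tunnel flag is {info.get('Tunnel-OperFlag')}, not NORMAL")
    if not info["pools"].get("ip pool") and not info["pools"].get("ipv6 pool"):
        findings.append("no address pool is bound to the RBS")
    if not info["track_interfaces"]:
        findings.append("no network-side interface is tracked by the RBS")
    return findings


if __name__ == "__main__":
    parsed = parse_rbs_display(SAMPLE_OUTPUT)
    print("bound IPv4 pools:", [p["name"] for p in parsed["pools"]["ip pool"]])
    print("findings:", rbs_findings(parsed) or "none")
```

Feed the script the text captured from the display remote-backup-service command on both
devices; an empty findings list on each is the expected state after the procedures in this
section.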

Run the display backup-user command to view information about backup users, including
the number of local and remote users.
<HUAWEI> display backup-user
Remote-backup-service: rbs2
Total Users Numer: 10
------------------------------------------------------------------------
100 101 102 103 104 105 106 107 108 109
------------------------------------------------------------------------
Local Users Number :10
Remote Users Number :0

Run the display access-user interface command to view information about the access users
on a specified interface.
<HUAWEI>display access-user interface GigabitEthernet 0/1/2.1
------------------------------------------------------------------------------
UserID Username Interface IP address MAC
Vlan IPv6 address Access type
------------------------------------------------------------------------------
1 user1@huawei GE0/1/2.1 192.168.7.199 0016-ecb7-a879
-/- - PPPoE
------------------------------------------------------------------------------
2 user2@huawei GE0/1/2.1 - 0016-ecb7-a876
-/- - 99::/64 PPPoE
Normal users : 0
RUI Local users : 2
RUI Remote users : 0
Total users : 2

13.8 Configuring Multicast Two-node Hot Backup


Configuring multicast two-node hot backup improves reliability for networks that bear
multicast services. This feature ensures multicast service continuity in case of a BRAS failure.

Pre-configuration Tasks
Before configuring multicast two-node hot backup, complete the following tasks:
l Establish a multi-device backup platform.
l Configure multi-device backup for IPv4 BRAS user information.

Configuration Procedure
Perform one or more of the following configurations (excluding checking the configuration)
as required.

13.8.1 Enabling a Multicast RBS


An RBS can be enabled to back up multicast services.

Context
Perform the following steps on both routers that back up each other:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run remote-backup-profile profile-name
The RBP view is displayed.
Step 3 Run service-type multicast
A multicast RBS is enabled.

NOTE

After the undo service-type multicast command is run, the system does not back up the IGMP packets
to be received, which does not affect the IGMP packets that have been backed up.

Step 4 Run commit


The configuration is committed.

----End

13.8.2 (Optional) Configuring IGMP Packet Duplication


IGMP packet duplication can be configured to allow the master and backup routers to back up
information for each other. If a terminal is dual-homed to the master and backup routers,
IGMP message duplication can be disabled to reduce resource consumption.

Context
In the multicast two-node hot backup scenario, a DHCP STB connects to the master and
backup routers through Smart-link, E-Trunk, or VLL networking. If a fault occurs on the
network side, the standby link takes over traffic from the active link. However, the access
network does not detect the fault and continues to send IGMP packets to the master router
along the faulty link. In this case, IGMP packet duplication needs to be enabled by running
the dhcp-stb igmp-copy command, ensuring that the backup router receives the IGMP
packets.

If a DHCP STB is dual-homed to the master and backup routers, both routers can receive the
IGMP messages. In this case, the undo dhcp-stb igmp-copy command is used to disable
IGMP packet duplication, thereby reducing resource consumption.

The IGMP messages sent by a PPPoE terminal can arrive only at a single router. In this case,
the master and backup routers have to duplicate IGMP packets and send them to each other.
Neither the dhcp-stb igmp-copy nor undo dhcp-stb igmp-copy command needs to be
executed.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run remote-backup-profile profile-name

The RBP view is displayed.

Step 3 Run undo dhcp-stb igmp-copy

IGMP message duplication is disabled.

NOTE

After the undo dhcp-stb igmp-copy command is executed, the system stops backing up the IGMP
packets from a DHCP STB, which does not affect the IGMP packets that have been backed up.

Step 4 Run commit

The configuration is committed.

----End

13.8.3 Checking the Configuration Result


After successfully configuring multicast two-node hot backup, you can view the configuration
result and statistics.

Prerequisites
Multicast two-node hot backup configuration is complete.

Procedure
l Run the display remote-backup-profile [ profile-name ] command to view RBP
information.

l Run the display multicast-rui statistic all command to view statistics about multicast
two-node hot backup of access users.

----End

Example
After multicast two-node hot backup configuration is complete, run the display remote-
backup-profile command. If the following information is displayed, the preceding
configurations are successful:

l The Service value is bras multicast.


l The DHCP user IGMP copy value is enable or disable.
<HUAWEI> display remote-backup-profile profile1
-----------------------------------------------
Profile-Index : 0x800
Profile-Name : profile1
Service : bras multicast
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : Eth-Trunk1.2
Interface : Eth-Trunk1.1
State : Master
Peer State : Slave
Backup mode : hot
Slot-Number : --
Card-Number : --
Port-Number : --
Traffic threshold : 50(MB)
Traffic interval : 10(minutes)
DHCP user IGMP copy : enable

<HUAWEI> display multicast-rui statistic all
------------------Multicast RUI statistic-------------------
Main board:
  Master send to slave: 0                Slave receive: 0
  Send fail: 0                           Receive fail: 0
  Send success: 0                        Receive success: 0

  Master MPU receive from LPU: 0         Slave MPU send to LPU: 0
  Receive fail: 0                        Send fail: 0
  Receive success: 0                     Send success: 0
------------------------------------------------------------
IO board: (Slot 2)
  Master LPU send to MPU: 0              Slave LPU receive from MPU: 0
  Send fail: 0                           Receive fail: 0
  Send success: 0                        Receive success: 0

13.9 Configuring L2TP Two-node Hot Backup


L2TP two-node hot backup can be configured on LACs, improving L2TP access reliability.
L2TP two-node hot backup allows users to get online again without re-dialing up if a network
fault occurs.

Context
NOTE

The RADIUS server cannot deliver the Tunnel-Client-Endpoint attribute during L2TP hot backup
configuration.

13.9.1 Establishing a Multi-Device Backup Platform


A multi-device backup platform can be established to back up user information between
multiple devices. If a node or link between devices becomes abnormal, this function rapidly
switches user services to a standby link, improving service reliability.

Prerequisites
Before establishing a multi-device backup platform, complete the following tasks:

l Configure peer BFD, link BFD, or Ethernet OAM on the user side.

l Configure peer BFD on the network side.


l Configure a local or remote address pool. The same address pool must be configured on
devices that back up one another.

Background
Based on a VRRP backup group, a multi-device backup platform runs the Huawei-proprietary
Redundancy User Information (RUI) protocol to back up user information between devices,
which allows for more flexible user service management and improves service reliability.
Establishing a multi-device backup platform involves configuring basic functions of a VRRP
backup group, a remote backup service (RBS), and a remote backup profile (RBP).
Perform the following steps on each of the devices that back up one another:

Procedure
l Configure basic functions of a VRRP backup group.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number [.subinterface-number ]
The view of the interface on which a VRRP backup group is configured is
displayed.
c. Run vrrp vrid virtual-router-id virtual-ip virtual-address
A VRRP backup group is created, and a virtual IP address is assigned to the VRRP
backup group.

NOTE

The same VRID and virtual IP address must be set on each of the devices that back up one
another.
d. Run admin-vrrp vrid virtual-router-id [ ignore-if-down ]
This VRRP backup group is configured as an mVRRP backup group.
e. Run vrrp vrid virtual-router-id priority priority-value
The priority of a device in the VRRP backup group is configured.
The devices in the VRRP backup group must be assigned different VRRP priorities.
The device with a higher priority serves as the master one.
f. Run vrrp vrid virtual-router-id preempt-mode timer delay delay-value
The preemption delay is set in a VRRP backup group.
Run this command on the master VRRP device so that the backup VRRP device
becomes the master one only after the fault is rectified and services are restored.
The preemption delay is related to service types in the following scenarios:
n In an IPv4 single-stack scenario, the minimum preemption delay is 10 minutes.
Increase the value by 1 for every 6K users. If 256K users get online through a
device, setting the value to 40 minutes is recommended.
n In an IPv4 and IPv6 dual-stack scenario, the minimum preemption delay is 10
minutes. Increase the value by 1 for every 6K users. If 128K users get online
through a device, setting the value to 40 minutes is recommended.

n When the IPv4 single-stack and EDSG services are configured, the minimum
preemption delay is 15 minutes. Increase the value by 1 for every 4K users. If
256K users get online through a device, setting the value to 60 minutes is
recommended.
n When the IPv4 and IPv6 dual-stack and EDSG services are configured, the
minimum preemption delay is 15 minutes. Increase the value by 1 for every
4K users. If 128K dual-stack users get online through a device, setting the
value to 60 minutes is recommended.
g. Run commit
The configuration is committed.
l Configure an RBP.
a. (Optional) Run peer-backup batch access enable
The device is configured to allow users to get online when performing batch
backup.
b. Run system-view
The system view is displayed.
c. Run remote-backup-profile profile-name
An RBP is created, and the RBP view is displayed.
d. Run peer-backup hot
Inter-device hot backup is enabled.
e. Run vrrp-id vrid interface interface-type interface-number
The RBP is bound to the VRRP backup group.
n In multi-device backup networking, using load balancing improves link usage.
To load-balance traffic, use either of the following parameters:
○ odd-mac: user packets with odd MAC addresses
○ even-mac: user packets with even MAC addresses
n If odd-mac or even-mac is not configured, the vrrp-id command only binds a
single VRRP backup group ID to an RBP and associates the RBP with a single
VRRP sub-interface. If load balancing is required, run the vrrp-id command
twice, with odd-mac and even-mac configured, respectively. Two VRRP
backup group IDs must be bound to the same RBP and be associated with
different VRRP sub-interfaces. In addition, odd-mac and even-mac must be
configured for different VRRP backup groups with specific IDs. The two
devices that load-balance traffic must have the same configuration, including
the binding between the VRRP backup group ID and even or odd MAC
address type.
n Before modifying the setting of odd-mac or even-mac, run the undo vrrp-id
vrid command to delete the configuration. Then run the vrrp-id vrid command
to reconfigure the setting.
f. Run backup-id backup-id remote-backup-service service-name
The RBP is associated with the RBS, and the user backup ID in the RBP is set.
backup-id sets a user backup ID. The RBP to which a user belongs can be
determined based on the backup-id and RBS. Note that the same backup-id value
must be set for devices that back up one another in the same RBP, and different
backup-id values must be set in other RBPs.
g. Run service-type { arp | l2tp | bras | multicast | igmp | igmp-snooping | no-host-
multicast | dhcp-server }

Remote backup for user services is enabled.


h. (Optional) Run acct-session-id nas-logic-sysname host-name

A logic host name is configured to generate an RUI user accounting ID.


i. Run commit

The configuration is committed.


l Configure an RBS.
a. Run system-view

The system view is displayed.


b. Run remote-backup-service service-name

An RBS is created, and the RBS view is displayed.


c. (Optional) Run bind ssl-policy ssl-policy-name

An SSL policy is created and bound to a TCP connection.

NOTE
The RBS has no secure authentication mechanism by default. Binding the RBS to an SSL policy
to improve security is recommended.
d. Run peer peer-ip-address source source-ip-address port port-id

Parameters of a TCP connection for the RBS are set.

peer-ip-address sets the IP address of a remote device that backs up the local
device. source-ip-address sets the IP address of a local device. The remote IP
address must already exist on the remote device's main interface, sub-interface, or
logical interface (for example, loopback interface). The local IP address must
already exist on the local device's main interface, sub-interface, or logical interface.
The local and remote IP addresses must be able to ping each other.

port-id indicates the listening port number of a server. The same TCP port number
must be set on devices that back up one another.
e. (Optional) Run batch-backup service-type { arp | all | bras | l2tp | multicast |
igmp-snooping | dhcp-server } now

The device is enabled to immediately back up user services configured in the RBS.
f. (Optional) Run track interface interface-name [ weight weight ]

The RBS is configured to monitor the network-side interface status and check whether the TCP connection for the RBS fails or recovers.

If devices have multiple uplinks with different bandwidth values, configure different weights for the inbound interfaces based on the uplink bandwidths. If the interfaces have different rates, set weights based on their rates. Set a greater weight for a 10GE interface than for a GE interface. For example, interface A is 10GE, and the bandwidth planned for RUI is 5 Gbit/s; interface B is GE, and the bandwidth planned for RUI is 1 Gbit/s; interface C is GE, and the bandwidth planned for RUI is 0.5 Gbit/s. If you use interface B as a reference interface and set its weight to 10, the weight of interface A is 50 and that of interface C is 5.

NOTE

The formula is as follows:

Fault rate = Total weight of faulty interfaces/Total weight of interfaces x 100%

If interfaces B and C fail, the fault rate is as follows:
(10 + 5)/(50 + 10 + 5) x 100% = 23%
If interface A fails, the fault rate is as follows:
50/(50 + 10 + 5) x 100% = 77%
g. (Optional) Run switchover uplink { failure-ratio failure-ratio | duration
duration } *

The threshold for a master/backup switchover due to uplink failures and the
duration before the switchover is complete are set.

When you run the track interface command, the weights specified must comply
with the rules of the master/backup VRRP switchover. If a master/backup
switchover is performed based on the fault rate of uplinks but a master/backup
VRRP switchover is not performed, the backup device forwards the network-side
traffic back to the master device for processing after receiving the traffic from the
master device. In this case, the master device is congested with traffic because the
master/backup switchover is not performed at the same time as the master/backup
VRRP switchover.

When you run the switchover uplink command to configure a master/backup switchover to be performed based on the fault rate of uplinks, also run the peer-backup route-cost auto-advertising command in the system view to enable both devices to automatically generate address pool user network routes (UNRs). In this situation, when a master/backup switchover is performed based on the fault rate of uplinks, the priority of a UNR is reduced, but no UNRs are withdrawn. This configuration prevents downstream traffic from being interrupted.
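The weight planning described under track interface and the failure-ratio threshold of switchover uplink, worked through as an added example that is not code from this guide: weights are scaled from the bandwidth planned for RUI relative to a reference interface, and the fault rate is evaluated for a set of failed uplinks. The 70% threshold is a constructed sample value, and treating the threshold as inclusive (>=) is an assumption the guide does not confirm.

```python
"""Uplink weight planning and fault-rate evaluation for an RBS.

Added example, not code from the Huawei guide. It reproduces the arithmetic
the guide gives for 'track interface ... weight' and 'switchover uplink
failure-ratio': each uplink's weight is scaled from the bandwidth planned
for RUI relative to a reference interface, and the fault rate is the total
weight of failed interfaces divided by the total weight of all tracked
interfaces. The 70% threshold below is a constructed sample value.
"""
from fractions import Fraction


def plan_weights(planned_gbps, reference, reference_weight=10):
    """Scale each uplink's weight from its planned RUI bandwidth.

    planned_gbps     {interface: bandwidth planned for RUI in Gbit/s}
    reference        interface whose weight is pinned to reference_weight;
                     every other weight is proportional to its bandwidth
    Returns          {interface: integer weight}
    """
    ref_bw = Fraction(str(planned_gbps[reference]))
    weights = {}
    for name, bw in planned_gbps.items():
        w = Fraction(str(bw)) / ref_bw * reference_weight
        if w.denominator != 1:
            # The CLI takes integer weights; pick a larger reference weight.
            raise ValueError(f"{name}: weight {w} is not an integer")
        weights[name] = int(w)
    return weights


def fault_rate(weights, failed):
    """Fault rate in percent, rounded to a whole number as in the guide.

    Fault rate = total weight of faulty interfaces / total weight x 100%
    """
    unknown = set(failed) - set(weights)
    if unknown:
        raise KeyError(f"not tracked by the RBS: {sorted(unknown)}")
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("no positive weight on tracked interfaces")
    down = sum(weights[name] for name in set(failed))
    return round(down / total * 100)


def switchover_triggered(weights, failed, failure_ratio):
    """Whether the uplink fault rate reaches the switchover failure-ratio.

    Assumption: the threshold is inclusive (>=); the guide does not state
    how the device compares the two values.
    """
    return fault_rate(weights, failed) >= failure_ratio


def evaluate_outages(weights, failure_ratio, outages):
    """Fault rate and switchover decision for each outage scenario."""
    return {
        label: (fault_rate(weights, failed),
                switchover_triggered(weights, failed, failure_ratio))
        for label, failed in outages.items()
    }


if __name__ == "__main__":
    # The guide's example: A is 10GE with 5 Gbit/s planned for RUI,
    # B and C are GE with 1 and 0.5 Gbit/s planned; B is the reference.
    planned = {"A": 5, "B": 1, "C": 0.5}
    weights = plan_weights(planned, reference="B", reference_weight=10)
    print("weights:", weights)  # {'A': 50, 'B': 10, 'C': 5}
    scenarios = {"B and C down": ["B", "C"], "A down": ["A"]}
    for label, (rate, switch) in evaluate_outages(weights, 70, scenarios).items():
        print(f"{label}: fault rate {rate}%, switchover={switch}")
```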
h. (Optional) Run track monitor-group group-name switchover failure-ratio
percent

The RBS is configured to track the interface group status.

If the track interface command is run in the RBS view, the device automatically
deletes the track interface and switchover uplink commands after the track
interface-group command is run. The device then determines a master/backup
switchover based on the track monitor-group command.
i. (Optional) Run track route-monitor-group group-name switchover failure-ratio
percent

A link fault threshold (in percentage) that triggers a master/backup switchover is set
for the route monitor group on the network side.

If the track interface command is run in the RBS view, the device automatically deletes the track interface command after the track route-monitor-group switchover failure-ratio command is run. The device then determines a master/backup switchover based on the track route-monitor-group switchover failure-ratio command.
j. (Optional) Run track bfd-session bfd-session

The RBS tracks the BFD status so that the RBS can rapidly monitor the remote device status.

NOTE

This step is recommended. Before running this command, ensure that a peer BFD session is established between the master and backup devices on the network side.
k. (Optional) Run radius-authorization source same-as nas-logic-ip
The device is configured to reply to the RADIUS server with packets in which the
source IP address is the same as the NAS IP address.
l. Run commit
The configuration is committed.
----End

13.9.2 Setting a Base Value for L2TP Tunnel IDs


The master and slave Routers carry out L2TP two-node hot backup in load balancing mode. A base value can be set on either Router for allocating L2TP tunnel IDs. This setting ensures to a certain extent that tunnel IDs are unique on each Router.

Context
The Router assigns an integer value as an L2TP tunnel ID and the ID starts with 1. In the two-
node hot backup load balancing scenario, tunnel information is backed up between the master
and slave Routers. During backup, identical tunnel IDs may exist on a single Router. The set
l2tp tunnel base-id base-id command can be used to specify a base value that one Router
uses to allocate tunnel IDs (Tunnel ID = Base value + Index starting with 1). The other Router
uses the default base value of 0. The settings ensure to a certain extent that each tunnel ID is
unique on a single Router.
Perform the following steps on either of the master and slave Routers:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run set l2tp tunnel base-id base-id
A base value for L2TP tunnel IDs is set.

NOTE

l If a tunnel ID carried in backup information is the same as a local tunnel ID, the Router deletes the
existing local tunnel information and accepts the backup tunnel information.
l The set l2tp tunnel base-id base-id command cannot be used on the Router that has established
L2TP tunnels and allocated tunnel IDs.

----End
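The tunnel-ID rule above (Tunnel ID = base value + index starting with 1) and the two notes on colliding IDs and on when the base can be set, modelled as an added example that is not code from this guide. The router names and tunnel counts are constructed; the base value 32768 is taken from the display l2tp tunnel rui output shown later in this chapter.

```python
"""L2TP tunnel-ID allocation across two hot-backup Routers.

Added example, not code from the Huawei guide. It models the rule the guide
gives for 'set l2tp tunnel base-id': Tunnel ID = base value + index, with the
index starting at 1, and a backed-up tunnel whose ID equals a local tunnel's
ID replaces the local tunnel information. The base value 32768 is taken from
the guide's 'Tunnel ID base: 32768' display output; router names and tunnel
counts are constructed sample data.
"""


class L2tpRouter:
    """Minimal model of one Router's tunnel-ID table (constructed)."""

    def __init__(self, name, base_id=0):
        self.name = name
        self.base_id = base_id
        self.next_index = 1          # the guide: tunnel IDs start with 1
        self.tunnels = {}            # tunnel ID -> owning Router name
        self.overwritten = []        # local tunnels lost to colliding backups

    def set_base_id(self, base_id):
        """Guide: the base cannot be set once tunnel IDs have been allocated."""
        if self.next_index > 1:
            raise RuntimeError(f"{self.name}: tunnel IDs already allocated")
        self.base_id = base_id

    def allocate_tunnel(self):
        """Tunnel ID = base value + index, index starting with 1."""
        tid = self.base_id + self.next_index
        self.next_index += 1
        self.tunnels[tid] = self.name
        return tid

    def local_tunnel_ids(self):
        return [tid for tid, owner in self.tunnels.items() if owner == self.name]

    def receive_backup(self, tid, owner):
        """Guide: a backed-up ID equal to a local ID deletes the local tunnel."""
        if self.tunnels.get(tid) == self.name:
            self.overwritten.append(tid)
        self.tunnels[tid] = owner


def run_hot_backup(base_a, base_b, tunnels_each):
    """Both Routers allocate tunnels, then back them up to each other."""
    a, b = L2tpRouter("RouterA", base_a), L2tpRouter("RouterB", base_b)
    for _ in range(tunnels_each):
        a.allocate_tunnel()
        b.allocate_tunnel()
    # Snapshot the locally owned IDs before either table is modified.
    a_local, b_local = a.local_tunnel_ids(), b.local_tunnel_ids()
    for tid in a_local:
        b.receive_backup(tid, a.name)
    for tid in b_local:
        a.receive_backup(tid, b.name)
    return a, b


def tunnels_lost(base_a, base_b, tunnels_each):
    """Local tunnels overwritten by backup records carrying the same ID."""
    a, b = run_hot_backup(base_a, base_b, tunnels_each)
    return len(a.overwritten) + len(b.overwritten)


if __name__ == "__main__":
    # Default base 0 on both Routers: every ID collides.
    print("both bases 0, 3 tunnels each, lost:", tunnels_lost(0, 0, 3))  # 6
    # One Router uses base 32768: the ID ranges no longer overlap.
    print("bases 0 and 32768, 3 tunnels each, lost:", tunnels_lost(0, 32768, 3))  # 0
```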

13.9.3 Configuring an L2TP Tunnel


An L2TP tunnel can be used to provide access services for enterprises, small ISPs, and the
staff on business trips over a public network.


Context
For details, see L2TP Protocol Configuration in the HUAWEI NE40E-M2 Series Universal
Service Router Configuration Guide - User Access.

NOTE

The preference of the route from the LNS to the master LAC is higher than that of the route from the
LNS to the backup LAC. The LNS will switch traffic to the route destined for the backup LAC only
when a fault occurs on the network side of the master LAC.

In L2TP dual-device hot backup scenarios, if an L2TP tunnel is established on an L3VPN, URPF is configured on the LACs' network side, and the master LAC's access side fails, downstream traffic packets are discarded on the backup LAC.

13.9.4 Enabling an L2TP RBS


An RBS can be enabled to back up L2TP services.

Context
Perform the following steps on each of the Routers that back up each other:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run remote-backup-profile profile-name

The RBP view is displayed.

Step 3 Run service-type l2tp

An L2TP RBS is enabled.

NOTE

If information about an L2TP tunnel, an L2TP session, or a PPPoE session has been backed up, the
undo service-type l2tp command cannot be run.

----End

13.9.5 Controlling Advertisement of L2TP Hot Backup Routes


If L2TP hot backup is configured on LACs that work in load balancing mode, the LACs must
be configured to control route advertisement.

Context
If L2TP hot backup is configured, the LACs can be configured to control route advertisement
in either of the following modes:


l Manual control: A LAC uses a loopback interface to establish an L2TP tunnel with an LNS. Two LACs are configured with hot backup and work in load balancing mode. The master LAC advertises a smaller cost value for the route to its loopback IP address than the slave LAC does, so that the route to the loopback address on the master LAC is preferentially used. The cost values can be set in a routing policy, which gives the route to the loopback IP address of the master LAC higher route precedence than the route to the loopback IP address of the slave LAC. For information about how to configure a routing policy, see Routing Policy Configuration in HUAWEI NE40E-M2 Series Universal Service Router Configuration Guide - IP Routing.
l Automatic control: A routing policy can be configured to trust the cost values of imported routes to the loopback IP addresses of the LACs. This control mode is easier to configure than manual control. Automatic control also prevents the following problem: if a fault occurs on a LAC and a master/slave LAC switchover is performed, the route to the loopback IP address cannot be automatically advertised after the LAC recovers.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run peer-backup route-cost auto-advertising

The LAC is enabled to trust cost values of imported routes to control route preference.

----End

Follow-up Procedure
To use a routing policy to give the route to the loopback IP address of the master LAC the highest preference, run the import-route unr route-policy route-policy-name command in the IS-IS, OSPF, or BGP view:

l In the IS-IS view:
Run the import-route unr route-policy route-policy-name command.
l In the OSPF view:
Run the import-route unr route-policy route-policy-name command.
l In the BGP view:
Run the import-route unr route-policy route-policy-name command.

To trust the cost values of routes to loopback IP addresses imported by a routing protocol, perform one of the following steps based on the type of routing protocol:
l If IS-IS imports direct routes, run the import-route direct inherit-cost command in the IS-IS view.
l If OSPF imports direct routes, run the following commands in the OSPF view:
a. default cost inherit-metric
b. import-route direct
l If the network command is used to import routes into the OSPF routing table, run the ospf cost inherit command in the loopback interface view.
l If BGP imports direct routes, run the import-route direct command in the BGP view.


(Optional) Run the l2tp-tunnel_source loopback loopback-num command to configure a source L2TP tunnel interface in the RBS view so that the source interface route bound to the RBS is updated based on the link status on the network side.

13.9.6 (Optional) Setting the Maximum Number of Users Allowed on an L2TP LAC


This section describes how to set the maximum number of users allowed on an L2TP LAC.

Context
When deploying L2TP LAC 2:1 hot backup, you can run the l2tp lac session-limit command
to set the maximum number of users allowed on an L2TP LAC to 64K.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run l2tp lac session-limit 64k

The maximum number of users allowed on an L2TP LAC is set to 64K.

----End

13.9.7 (Optional) Disabling the L2TP Traffic Protection Mechanism


This section describes how to disable the L2TP traffic protection mechanism.

Context
In L2TP hot backup scenarios, if a customer has a small network bandwidth and a fault occurs on the access side, traffic is forwarded to a backup device through an L2TP protection tunnel. Traffic switching may aggravate network congestion and affect customer services, such as fixed-line services. To prevent traffic switching, run the l2tp protect-tunnel disable command to disable the L2TP traffic protection mechanism.

If a customer has a large network bandwidth, traffic switching does not affect customer
services. Therefore, you do not need to run the l2tp protect-tunnel disable command to
disable the L2TP traffic protection mechanism.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run remote-backup-service service-name

The RBS view is displayed.

Step 3 Run l2tp protect-tunnel disable


The L2TP traffic protection mechanism is disabled.

----End

13.9.8 Checking the Configurations


After successfully configuring L2TP two-node hot backup, you can view L2TP two-node hot
backup configurations and statistics.

Context
Run the following commands to check the previous configuration.

Procedure
l Run the display remote-backup-profile [ profile-name ] command to check RBP
information.
l Run the display l2tp tunnel rui [ tunnel-item tunnel-id | tunnel-name remote-name |
bas-interface { interface-name | interface-type interface-number } | remote-backup-
profile profile-name | remote-backup-service service-name ] command to check L2TP
tunnel backup information.
l Run the display l2tp session rui [ session-item session-id | source-ip source-ip-address
| destination-ip destination-ip-address | bas-interface { interface-name | interface-type
interface-number } | remote-backup-profile profile-name | remote-backup-service
service-name ] command to check L2TP session backup information.
l Run the display l2tp statistics rui [ verbose ] command to check L2TP tunnel backup
statistics.
l Run the display l2tp lac abnormal-rui-users command to check information about
users that have abnormal online status on a device enabled with L2TP two-node hot
backup.
l Run the display access-user domain command to display information about the access
users in a specified domain.
----End

Example
After completing L2TP two-node hot backup configurations, run the display remote-backup-
profile command. If the following information is displayed, the preceding configurations are
successful:
l The value of the Service field is bras l2tp.
<HUAWEI> display remote-backup-profile profile1
-----------------------------------------------
Profile-Index : 0x800
Profile-Name : profile1
Service : bras l2tp
Remote-backup-service : s1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : Eth-Trunk1.2
Interface : Eth-Trunk1.1
State : Master
Peer State : Slave

Backup mode : hot
Slot-Number : --
Card-Number : --
Port-Number : --
Traffic threshold : --
Traffic interval : 1(minutes)
<HUAWEI> display l2tp tunnel rui
Tunnel ID base: 32768
LTID: local assigned tunnel ID , RTID: Remote assigned tunnel ID
RA: Remote Ip address, RN: Remote Name, RG: Register(L:local,R:remote)
Basic Info Redundant info
------------------------------------------------------------------------------
LTID RTID RA RN Sessions RG state Life(s)
------------------------------------------------------------------------------
34 22 8.8.8.8 HUA-241 1 L active 323s
------------------------------------------------------------------------------
Total 1, printed 1
<HUAWEI> display l2tp session rui
LTID: local assigned tunnel ID , RTID: Remote assigned tunnel ID
LSID: local assigned session ID , RSID: Remote assigned session ID
RG: Register(L:local,R:remote), FWS: Fowarding state(L:local interface,
P:protect path).
Basic Info Redundant info
------------------------------------------------------------------------------
LSID RSID LTID RTID UserID UserName RG state Life FWS
------------------------------------------------------------------------------
9 75 8 88 8 user#@domain1 L active 669510s L
----------------------------------------------------------------------------
Total 1, printed 1
<HUAWEI> display l2tp statistics rui
statistics of l2tp redundant:
Receive Send
------------------------------------------------------------------------------
Tunnel establish | 100 100
Tunnel teardown | 40 20
Session establish | 300 10
Session teardown | 300 50
Hello packet | 100 100 From remote peer: 100
ZLB packet | 30 30 From remote peer: 30
------------------------------------------------------------------------------
last receive backup message information:
[1] last drop %d tunnel establish backup message.
[2] last update %d tunnel backup message.
[3] last create %d tunnel backup message.
[4] last teardown %d tunnel backup message.
[5] last d% hello/ZLB backup message.
[6] last drop %d session establish backup message.
[7] last update %d session backup message.
[8] last create %d session backup message.
[9] last teardown %d session backup message.
------------------------------------------------------------------------------
<HUAWEI> display l2tp lac abnormal-rui-users
The upstream and downstream of following LAC users are all without increasing.
LTID: local assigned tunnel ID , RTID: Remote assigned tunnel ID
LTSD: local assigned session ID , RTSD: Remote assigned session ID
RG: Register(L:local,R:remote), FWS: Fowarding state(L:local interface,P:protect
path)
LSID RSID LTID RTID UserID UserName RG state MAC
------------------------------------------------------------------------------
27823 248 2 4 7958 user5@hz L active 0011-1111-2222
35523 2769 40000 5 13818 user9@hz R inactive 0011-3333-2222
------------------------------------------------------------------------------
Total 2, printed 2

Run the display access-user domain command. If the following information is displayed, the
preceding configurations are successful:
[HUAWEI] display access-user domain huawei
------------------------------------------------------------------------------
UserID Username Interface IP address MAC
Vlan IPv6 address Access type
------------------------------------------------------------------------------
1536 user@huawei Eth-Trunk123.100 - 4400-0049-24c3
100/1 - PPPoE
------------------------------------------------------------------------------
Normal users : 0
RUI Local users : 1
RUI Remote users : 0
Total users : 1

13.10 Maintaining Multi-System Backup


By running the monitoring and statistics clearing commands, you can view backup
information and check the configuration.

13.10.1 Displaying Backup Information


You can run commands to view whether the configuration succeeds.

Context
After the preceding configurations are complete, run the following display commands to view
backup information and check the configurations. For details, see HUAWEI NE40E-M2 Series
Universal Service Router Command Reference.

Procedure
Step 1 Run display remote-backup-profile [ profile-name | { slot slot-id [ profile-name ] } | { slave [ profile-name ] } ]
RBP information is displayed.
Step 2 Run display remote-backup-service [ service-name [ verbose ] ]
RBS information is displayed.
Step 3 Run display multicast-rui statistic all
Statistics about multicast two-node hot backup of access users are displayed.

----End

13.10.2 Clearing Backup Information


Clearing backup information may interrupt services. This operation should be performed with caution.

Context

Backup information cannot be restored after you clear it. Exercise caution when performing
this operation.


To clear the backup information, run the following reset commands in the system view.

Procedure
Step 1 Run reset remote-backup-service service-name statistic

RBS statistics are cleared.

Step 2 Run reset multicast-rui statistic all

Statistics about multicast two-node hot backup of access users are cleared.

This command is used to clear IGMP packet statistics on the Router.

----End

13.11 Configuration Examples


This section provides configuration examples of multi-device backup. Each configuration
example consists of information such as the networking requirements, configuration
precautions, and configuration roadmap.

13.11.1 Example for Configuring RUI in Exclusive Address Pool Mode


This section provides an example for configuring Redundancy User Information (RUI) in exclusive address pool mode.

Usage Scenario
With the rapid development of IP technologies, various value-added services are widely used
on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers'
leased line, and VPN interconnection, have high requirements for IP network reliability. IP
network reliability for carrier-class services includes device, link, and network reliability. On
a bearer network, the availability of a network device is required to reach 99.999%; that is, the
device downtime in a year must be less than 5 minutes. High reliability is a basic requirement
for carrier-class devices and must be considered by telecom carriers during network
construction.

The NE40E functions as an edge router that carries multiple services. It is connected to a core network to implement Layer 3 routing functions and to the aggregation layer to terminate Layer 2 user packets for user access. The NE40E can carry multiple services, such as triple play services (HSI, VoIP, and IPTV). Therefore, the NE40E must have high reliability. The NE40E provides service-level high-reliability technologies. Non-stop data flow forwarding alone does not mean that user services are not interrupted: if a network node or link fails, user traffic is switched to a backup device, and if user information has not been synchronized to that backup device, user services are still interrupted. High reliability was considered when the NE40E was designed to function as a network edge service aggregation and control device, which ensures that users' HSI, IPTV, and VoIP services are not interrupted if a network node or link fault occurs. RUI is designed to meet the preceding reliability requirements.


Requirements on Software and Hardware


l Requirements on software: V800R010C00 or later
l Requirements on hardware: User access boards are installed

Requirements on Interconnected Devices


l Upstream device: There are no special requirements. The upstream device is generally a
CR for route switching and supports MPLS and MPLS L3VPN. It is recommended that
the upstream device be able to provide MPLS L2VPN capabilities. In multi-device
backup scenarios, protection tunnels must be established. If no direct link can be
deployed between NE40Es, a protection path must be established from the IP core
network. An MPLS tunnel is ideal.
NOTE

If the upstream device is a firewall, disable the IP spoofing attack defense function on the firewall.
l Downstream device: An aggregation switch is used as the downstream device to learn
MAC addresses from Layer 2 VLAN packets.

Solution Limitations
l An exclusive address pool is an address pool or address segment exclusively used by a
backup group or link. Generally, an exclusive address pool is used for services that can
be assigned private IP addresses, such as VoIP services. This address pool is not
recommended for services that use public IP addresses, such as HSI services, because IP
address resources are wasted.
l In exclusive address pool mode, the master and backup devices cannot advertise the
same network segment route. Advertising the same network segment route will cause
load balancing on the upstream CRs and network-to-user traffic forwarding errors.

Networking Requirements
On the network shown in Figure 13-1, the user logs in to Device A and Device B through a
LAN switch. The two Devices run VRRP to determine the master/backup status. Basic user
access functions are configured on Device A and Device B so that the user goes online
through the master device. If the master device or the link on the network or user side of the
master device fails, service traffic needs to be quickly switched to the backup device.
In exclusive address pool mode, each RBP must be bound to an address pool, though the
address pools bound to the RBPs of Device A and Device B must have the same address
segment. Network-side traffic is sent back through an advertised network-side route. If the
master/backup status of Device A and Device B changes, the network-side route of Device A
is withdrawn. Device B then advertises the network-side route.

Figure 13-1 Example for configuring RUI in exclusive address pool mode
NOTE

Interface 1 and interface 2 in this example are GE0/1/0 and GE0/2/2, respectively.

(Figure: CR1 and CR2 are the upstream CRs. Device A and Device B connect to them through interface1 and interface2, run VRRP between each other, and each connect through Eth-Trunk3 to a LAN switch behind which the user resides.)

Device    Interface        IP Address
Device A  Eth-Trunk3.501   192.168.254.2/29
          Loopback 0       172.20.1.1/32
          Loopback 10      172.20.1.3/32
          GE 0/1/0         172.20.0.33/30
          GE 0/2/2         172.20.0.57/30
Device B  Eth-Trunk3.501   192.168.254.3/29
          Loopback 0       172.20.1.1/32
          Loopback 10      172.20.1.2/32
          GE 0/1/0         172.20.0.34/30
          GE 0/2/2         172.20.0.58/30

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure interfaces and assign IP addresses to them.
2. Establish a dual-device backup platform.
3. Configure IP address pool binding.
4. Bind an RBP to an interface from which the user goes online.
5. Configure routes to ensure IP connectivity between devices. For details, see HUAWEI NE40E-M2 Series Universal Service Router Configuration Guide - IP Routing.

Data Preparation
To complete the configuration, you need the following data:

l VRRP ID
l IP address of each interface on Routers that back up each other
l Backup ID, which works together with an RBS to identify an RBP to which the user
belongs

Procedure
Step 1 Configure interfaces for connecting Device A and Device B to the LAN switch, and assign IP
addresses to them.

The configuration on Device A is used in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface GigabitEthernet0/1/3
[*DeviceA-GigabitEthernet0/1/3] description ToJiaohuanji
[*DeviceA-GigabitEthernet0/1/3] undo shutdown
[*DeviceA-GigabitEthernet0/1/3] eth-trunk 3
[*DeviceA-GigabitEthernet0/1/3] commit
[~DeviceA-GigabitEthernet0/1/3] quit
[~DeviceA] interface Eth-Trunk3
[*DeviceA-Eth-Trunk3] description ToJiaohuanji
[*DeviceA-Eth-Trunk3] commit
[~DeviceA-Eth-Trunk3] quit
[~DeviceA] interface Eth-Trunk3.4001
[*DeviceA-Eth-Trunk3.4001] control-vid 4001 dot1q-termination
[*DeviceA-Eth-Trunk3.4001] dot1q termination vid 4001
[*DeviceA-Eth-Trunk3.4001] ip address 192.168.254.2 255.255.255.248
[*DeviceA-Eth-Trunk3.4001] commit
[~DeviceA-Eth-Trunk3.4001] quit

Step 2 Configure IP addresses for loopback interfaces on Device A and Device B.

The configuration on Device A is used in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface loopback10
[*DeviceA-loopback10] ip address 172.20.1.3 255.255.255.255
[*DeviceA-loopback10] commit
[~DeviceA-loopback10] quit
[~DeviceA] interface loopback0
[*DeviceA-loopback0] ip address 172.20.1.1 255.255.255.255
[*DeviceA-loopback0] commit
[~DeviceA-loopback0] quit

Step 3 Establish a dual-device backup platform. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
NOTE

In this example, only RUI-related configurations are described. For other configurations, see the
corresponding configuration guide.


# Configure a BFD session on the access side to rapidly detect faults in interfaces or links and
trigger a master/backup VRRP switchover. 192.168.254.3 is the IP address of Eth-Trunk
3.4001 on Device B.
[~DeviceA] bfd
[*DeviceA-bfd] quit
[*DeviceA] bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
[*DeviceA-bfd-session-bfd] discriminator local 2
[*DeviceA-bfd-session-bfd] discriminator remote 3
[*DeviceA-bfd-session-bfd] commit
[~DeviceA-bfd-session-bfd] quit

# Configure a VRRP backup group on Eth-Trunk 3.4001, and configure the VRRP backup
group to track the BFD session and network-side interface.
[~DeviceA] interface Eth-Trunk3.4001
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 virtual-ip 192.168.254.1
[*DeviceA-Eth-Trunk3.4001] admin-vrrp vrid 3
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 priority 120
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 preempt-mode timer delay 1200
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 track interface GigabitEthernet0/1/0 reduced 30
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 track bfd-session 2 peer
[*DeviceA-Eth-Trunk3.4001] commit
[~DeviceA-Eth-Trunk3.4001] quit

NOTE

Different priorities must be configured for devices in a VRRP backup group. The device with a high
priority is the master device.

# Configure an RBS.
[~DeviceA] remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-rbs_qhmd] peer 172.20.1.2 source 172.20.1.3 port 2046
[*DeviceA-rm-backup-rbs_qhmd] track interface GigabitEthernet0/1/0
[*DeviceA-rm-backup-rbs_qhmd] track interface GigabitEthernet0/2/2
[*DeviceA-rm-backup-rbs_qhmd] commit
[~DeviceA-rm-backup-rbs_qhmd] quit

NOTE

Ensure that the master and backup devices can ping each other.

# Configure an RBP.
[~DeviceA] remote-backup-profile rbp3
[*DeviceA-rm-backup-prf-rbp3] service-type bras
[*DeviceA-rm-backup-prf-rbp3] backup-id 3 remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-prf-rbp3] peer-backup hot
[*DeviceA-rm-backup-prf-rbp3] vrrp-id 3 interface Eth-Trunk3.4001
[*DeviceA-rm-backup-prf-rbp3] nas logic-port Gigabitethernet 0/1/3
[*DeviceA-rm-backup-prf-rbp3] nas logic-sysname zhuji
[*DeviceA-rm-backup-prf-rbp3] nas logic-ip 172.20.1.1
[*DeviceA-rm-backup-prf-rbp3] commit
[~DeviceA-rm-backup-prf-rbp3] quit

Step 4 Configure IP address pool binding. The configuration on Device A is used in this example.
The configuration on Device B is similar to that on Device A.
# Configure an address pool.
<HUAWEI> system-view
[~HUAWEI] ip pool dmtjs_xi bas local
[*HUAWEI-ip-pool-dmtjs_xi] gateway 192.168.1.1 255.255.255.0
[*HUAWEI-ip-pool-dmtjs_xi] section 0 192.168.1.2 192.168.1.254
[*HUAWEI-ip-pool-dmtjs_xi] dns-server 192.168.1.1
[*HUAWEI-ip-pool-dmtjs_xi] commit
[~HUAWEI-ip-pool-dmtjs_xi] quit


# Bind the address pool to the RBP.
[~DeviceA] remote-backup-profile rbp3
[*DeviceA-rm-backup-prf-rbp3] ip-pool dmtjs_xi
[*DeviceA-rm-backup-prf-rbp3] commit
[~DeviceA-rm-backup-prf-rbp3] quit

Step 5 Configure authentication and accounting policies for user access. The configuration on
Device A is used in this example. The configuration on Device B is similar to that on Device
A.
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme wu
[*HUAWEI-aaa-authen-wu] authentication-mode none
[*HUAWEI-aaa-authen-wu] commit
[~HUAWEI-aaa-authen-wu] quit
[*HUAWEI-aaa] accounting-scheme wu
[*HUAWEI-aaa-accounting-wu] accounting-mode none
[*HUAWEI-aaa-accounting-wu] commit
[~HUAWEI-aaa-accounting-wu] quit
[*HUAWEI-aaa] domain dmtjs_xi
[*HUAWEI-aaa-dmtjs_xi] authentication-scheme wu
[*HUAWEI-aaa-dmtjs_xi] accounting-scheme wu
[*HUAWEI-aaa-dmtjs_xi] ip-pool dmtjs_xi
[*HUAWEI-aaa-dmtjs_xi] commit
[~HUAWEI-aaa-dmtjs_xi] quit

Step 6 Bind the RBP to Eth-Trunk3.501 from which users go online. The configuration on Device A
is used in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface Eth-Trunk3.501
[*DeviceA-Eth-Trunk3.501] user-vlan 501
[*DeviceA-Eth-Trunk3.501-vlan-501-501] remote-backup-profile rbp3
[*DeviceA-Eth-Trunk3.501-vlan-501-501] quit
[*DeviceA-Eth-Trunk3.501] bas
[*DeviceA-Eth-Trunk3.501-bas] access-type layer2-subscriber default-domain authentication dmtjs_xi
[*DeviceA-Eth-Trunk3.501-bas] authentication-method bind
[*DeviceA-Eth-Trunk3.501-bas] commit
[~DeviceA-Eth-Trunk3.501-bas] quit

Step 7 Configure advertisement of address pool routes. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
[~DeviceA] ospf 1
[*DeviceA-ospf-1] import-route unr
[*DeviceA-ospf-1] area 0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.1.1 0.0.0.0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.1.3 0.0.0.0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.32 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.56 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] commit
[~DeviceA-ospf-1-area-0.0.0.0] quit

Step 8 Verify the configuration.

After successfully configuring the RBP, run the display remote-backup-profile command.
The service type is bras, the RBP named rbp3 is bound to Eth-Trunk3.501 from which users
go online, and Device A is in the Master state.
<DeviceA> display remote-backup-profile rbp3
-----------------------------------------------
Profile-Index : 0x802
Profile-Name : rbp3
Service : bras
Remote-backup-service: rbs_qhmd
Backup-ID : 3
track protocol : VRRP


VRRP-ID : 3
VRRP-Interface : Eth-Trunk3.4001
Interface :
Eth-Trunk3.501
State : Master
Peer-state : Slave
Backup mode : hot
Slot-Number : 1
Card-Number : 0
Port-Number : 0
Nas logic-port : Gigabitethernet 0/1/3
Nas logic-ip : 172.20.1.1
Nas logic-sysname : zhuji
IP-Pool :
dmtjs_xi
Traffic interval : 10(minutes)

After successfully configuring the RBS, run the display remote-backup-service command.
The TCP connection is in the Connected state.
<DeviceA> display remote-backup-service rbs_qhmd
----------------------------------------------------------
Service-Index : 0
Service-Name : rbs_qhmd
TCP-State : Connected
Peer-ip : 172.20.1.2
Source-ip : 172.20.1.3
TCP-Port : 2046
Track-BFD : --
Track-interface0 : 0/1/0
Track-interface1 : 0/2/2
Last up time : 2016-06-02 16:15:8
Last down time : 2016-06-02 16:3:36
Last down reason : TCP closed for packet error.
--------------------------------------------------------

After users go online, run the display backup-user command to view user information that is
backed up.
<DeviceA> display backup-user
Remote-backup-service: rbs_qhmd
Total Users Number: 3
------------------------------------------------------------------------
100 101 102
------------------------------------------------------------------------

Run the display access-user interface command to view online user information on a
specified interface.
<DeviceA> display access-user interface Eth-Trunk3.501
------------------------------------------------------------------------------
UserID  Username        Interface       IP address     MAC             IPv6 address
------------------------------------------------------------------------------
100     user1@dmtjs_xi  Eth-Trunk3.501  192.168.1.10   0002-0101-0101  -
101     user2@dmtjs_xi  Eth-Trunk3.501  192.168.1.9    0002-0101-0102  -
102     user3@dmtjs_xi  Eth-Trunk3.501  192.168.1.8    0002-0101-0103  -
------------------------------------------------------------------------------
Total users :3

----End


Configuration Files
l Device A configuration file
#
sysname DeviceA
#
router id 172.20.1.3
#
vlan batch 2 to 9 11 to 504 506 to 3999 4001 to 4094
#
bfd
#
ip pool dmtjs_xi bas local
gateway 192.168.1.1 255.255.255.0
section 0 192.168.1.2 192.168.1.254
dns-server 192.168.1.1
#
aaa
authentication-scheme wu
authentication-mode none
accounting-scheme wu
accounting-mode none
domain dmtjs_xi
authentication-scheme wu
accounting-scheme wu
ip-pool dmtjs_xi
#
bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
discriminator local 2
discriminator remote 3
#
interface GigabitEthernet0/1/3
description ToJiaohuanji
undo shutdown
eth-trunk 3
interface Eth-Trunk3.4001
encapsulation dot1q-termination
dot1q termination vid 4001
ip address 192.168.254.2 255.255.255.248
vrrp vrid 3 virtual-ip 192.168.254.1
admin-vrrp vrid 3
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 1200
vrrp vrid 3 track bfd-session 2 peer
vrrp vrid 3 track interface GigabitEthernet0/1/0 reduced 30
#
interface LoopBack0
ip address 172.20.1.1 255.255.255.255
#
interface LoopBack10
ip address 172.20.1.3 255.255.255.255
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 172.20.0.33 255.255.255.252
#
interface GigabitEthernet0/2/2
undo shutdown
ip address 172.20.0.57 255.255.255.252
#
remote-backup-service rbs_qhmd
peer 172.20.1.2 source 172.20.1.3 port 2046
track interface gigabitethernet 0/1/0
track interface gigabitethernet 0/2/2
#
remote-backup-profile rbp3
service-type bras
backup-id 3 remote-backup-service rbs_qhmd
peer-backup hot


vrrp-id 3 interface Eth-Trunk3.4001
nas logic-port gigabitethernet0/1/3
nas logic-sysname zhuji
nas logic-ip 172.20.1.1
ip-pool dmtjs_xi
#
interface Eth-Trunk3.501
user-vlan 501
remote-backup-profile rbp3
bas
access-type layer2-subscriber default-domain authentication dmtjs_xi
authentication-method bind
#
#
ospf 1
import-route unr
area 0.0.0.0
network 172.20.0.32 0.0.0.3
network 172.20.0.56 0.0.0.3
network 172.20.1.1 0.0.0.0
network 172.20.1.3 0.0.0.0
#
return
l Device B configuration file
#
sysname DeviceB
#
router id 172.20.1.2
#
vlan batch 2 to 9 11 to 504 506 to 3999 4001 to 4094
#
bfd
#
ip pool dmtjs_xi bas local
gateway 192.168.1.1 255.255.255.0
section 0 192.168.1.2 192.168.1.254
dns-server 192.168.1.1
#
aaa
authentication-scheme wu
authentication-mode none
accounting-scheme wu
accounting-mode none
domain dmtjs_xi
authentication-scheme wu
accounting-scheme wu
ip-pool dmtjs_xi
#
bfd eth-trunk3-peer bind peer-ip 192.168.254.2 source-ip 192.168.254.3
discriminator local 3
discriminator remote 2
#
interface GigabitEthernet0/1/3
description ToJiaohuanji
undo shutdown
eth-trunk 3
interface Eth-Trunk3.4001
encapsulation dot1q-termination
dot1q termination vid 4001
ip address 192.168.254.3 255.255.255.248
vrrp vrid 3 virtual-ip 192.168.254.1
admin-vrrp vrid 3
vrrp vrid 3 track bfd-session 3 peer
#
interface LoopBack0
ip address 172.20.1.1 255.255.255.255
#
interface LoopBack10
ip address 172.20.1.2 255.255.255.255


#
interface GigabitEthernet0/1/0
undo shutdown
ip address 172.20.0.34 255.255.255.252
#
interface GigabitEthernet0/2/2
undo shutdown
ip address 172.20.0.58 255.255.255.252
#
remote-backup-service rbs_qhmd
peer 172.20.1.3 source 172.20.1.2 port 2046
track interface gigabitethernet 0/1/0
track interface gigabitethernet 0/2/2
#
remote-backup-profile rbp3
service-type bras
backup-id 3 remote-backup-service rbs_qhmd
peer-backup hot
vrrp-id 3 interface Eth-Trunk3.4001
nas logic-port gigabitethernet0/1/3
nas logic-sysname zhuji
nas logic-ip 172.20.1.1
ip-pool dmtjs_xi
#
interface Eth-Trunk3.501
user-vlan 501
remote-backup-profile rbp3
bas
access-type layer2-subscriber default-domain authentication dmtjs_xi
authentication-method bind
#
#
ospf 1
import-route unr
area 0.0.0.0
network 172.20.0.32 0.0.0.3
network 172.20.0.56 0.0.0.3
network 172.20.1.2 0.0.0.0
network 172.20.1.3 0.0.0.0
#
return

13.11.2 Example for Configuring RUI in Shared Address Pool Mode

This section provides an example for configuring Redundancy User Information (RUI) in
shared address pool mode.

Usage Scenario
With the rapid development of IP technologies, various value-added services are widely used
on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers'
leased line, and VPN interconnection, have high requirements for IP network reliability. IP
network reliability for carrier-class services includes device, link, and network reliability. On
a bearer network, the availability of a network device is required to reach 99.999%; that is, the
device downtime in a year must be less than 5 minutes. High reliability is a basic requirement
for carrier-class devices and must be considered by telecom carriers during network
construction.
The NE40E functions as an edge router that carries multiple services. It is connected to a core
network to implement Layer 3 routing functions and to the aggregation layer to terminate
Layer 2 user packets for user access. The NE40E can carry multiple services, such as triple
play services (HSI, VoIP, and IPTV). Therefore, the NE40E must have high reliability. The
NE40E provides service-level high-reliability technologies. Non-stop data flow forwarding
does not by itself mean that user services are not interrupted: if a network node or link fails,
user traffic is switched to a backup device, but if user information has not been synchronized
to that backup device, user services are still interrupted. High reliability was considered when
the NE40E was designed to function as a network edge service aggregation and control device,
which ensures that users' HSI, IPTV, and VoIP services are not interrupted if a network node
or link fault occurs. RUI is designed to meet the preceding reliability requirements.

Requirements on Software and Hardware

l Requirements on software: V800R010C00 or later
l Requirements on hardware: User access boards are installed

Requirements on Interconnected Devices

l Upstream device: There are no special requirements. The upstream device is generally a
CR for route switching and supports MPLS and MPLS L3VPN. It is recommended that
the upstream device be able to provide MPLS L2VPN capabilities. In multi-device
backup scenarios, protection tunnels must be established. If no direct link can be
deployed between NE40Es, a protection path must be established through the IP core
network. An MPLS tunnel is ideal.
NOTE

If the upstream device is a firewall, disable the IP spoofing attack defense function on the firewall.
The usual reason is that after a master/backup switchover, user traffic carrying the same source
addresses reaches the firewall over the backup device's link, which such a check treats as spoofing.
Where the firewall allows it, limit the exemption to the address pool prefixes of the backup group
rather than disabling the check globally.
l Downstream device: An aggregation switch is used as the downstream device to learn
MAC addresses from Layer 2 VLAN packets.

Solution Limitations
l In shared address pool mode, an address pool (an IP network segment) is planned based
on services. A service (for example, Internet access or VoIP service) corresponds to a
domain's configuration. If terminals that go online through different access links have a
service (for example, Internet access service), the terminals share address pool resources
in a domain. This mode is called multi-link address pool sharing.
l During the actual deployment, planning address pools based on links is difficult, because
the number of public addresses is limited and dividing address pools causes address
resource waste. Address pools can be divided based on authentication domains, which
allows an address pool on the NE40E to be shared between links or backup groups. In
this situation, forwarding control cannot be performed by advertising or withdrawing a
network segment route of an address pool. To implement forwarding control, using a
shared address pool and tunnel protection is recommended.

Networking Requirements
On the network shown in Figure 13-2, the user logs in to Device A and Device B through a
LAN switch. The two Devices run VRRP to determine the master/backup status. Basic user
access functions are configured on Device A and Device B so that the user goes online
through the master device. If the master device or the link on the network or user side of the
master device fails, service traffic needs to be quickly switched to the backup device.


Figure 13-2 Example for configuring RUI in shared address pool mode
NOTE

Interface 1, interface 2, and interface 3 in this example are GE0/1/0, GE0/2/2, and GE0/1/2, respectively.

[Figure: CR1 and CR2 are the upstream core routers. Device A and Device B each connect to the
CRs through interface1 and interface2, to each other through interface3 (Eth-Trunk 2), and to
the LAN switch through Eth-Trunk3, on which VRRP runs. Users attach to the LAN switch.]

Device     Interface        IP Address
Device A   Eth-Trunk3.4001  192.168.254.2/29
           Loopback 0       172.20.1.1/32
           Loopback 10      172.20.1.3/32
           Eth-Trunk 2      172.20.0.41/30
           GE 0/1/0         172.20.0.33/30
           GE 0/2/2         172.20.0.57/30
Device B   Eth-Trunk3.4001  192.168.254.3/29
           Loopback 0       172.20.1.1/32
           Loopback 10      172.20.1.2/32
           Eth-Trunk 2      172.20.0.42/30
           GE 0/1/0         172.20.0.34/30
           GE 0/2/2         172.20.0.58/30


Configuration Roadmap
The configuration roadmap is as follows:

1. Configure interfaces and assign IP addresses to them.
2. Establish a dual-device backup platform.
3. Configure IP address pool binding.
4. Bind an RBP to an interface from which the user goes online.
5. Configure routes to ensure IP connectivity between devices. For details, see HUAWEI
NE40E-M2 Series Universal Service Router Configuration Guide - IP Routing.

Data Preparation
To complete the configuration, you need the following data:

l VRRP ID
l IP address of each interface on Routers that back up each other
l Backup ID, which works together with an RBS to identify an RBP to which the user
belongs

Procedure
Step 1 Configure interfaces for connecting Device A and Device B to the LAN switch, and assign IP
addresses to them.

The configuration on Device A is used in this example. The configuration on Device B is
similar to that on Device A.
[~DeviceA]interface GigabitEthernet0/1/3
[*DeviceA-GigabitEthernet0/1/3] description ToJiaohuanji
[*DeviceA-GigabitEthernet0/1/3]undo shutdown
[*DeviceA-GigabitEthernet0/1/3] eth-trunk 3
[*DeviceA-GigabitEthernet0/1/3] commit
[~DeviceA-GigabitEthernet0/1/3] quit
[~DeviceA]interface Eth-Trunk3
[*DeviceA-Eth-Trunk3] description ToJiaohuanji
[*DeviceA-Eth-Trunk3] commit
[~DeviceA-Eth-Trunk3] quit
[~DeviceA]interface Eth-Trunk3.4001
[*DeviceA-Eth-Trunk3.4001] control-vid 4001 dot1q-termination
[*DeviceA-Eth-Trunk3.4001]dot1q termination vid 4001
[*DeviceA-Eth-Trunk3.4001]ip address 192.168.254.2 255.255.255.248
[*DeviceA-Eth-Trunk3.4001] commit
[~DeviceA-Eth-Trunk3.4001] quit

Step 2 Configure IP addresses for loopback and interconnection interfaces on Device A and Device
B.

Configure IP addresses for loopback interfaces. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
[~DeviceA]interface loopback10
[*DeviceA-loopback10]ip address 172.20.1.3 255.255.255.255
[*DeviceA-loopback10] commit
[~DeviceA-loopback10] quit
[~DeviceA]interface loopback0
[*DeviceA-loopback0]ip address 172.20.1.1 255.255.255.255
[*DeviceA-loopback0] commit
[~DeviceA-loopback0] quit


Configure IP addresses for interconnection interfaces. The configuration on Device A is used
in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA]interface GigabitEthernet0/1/2
[*DeviceA-GigabitEthernet0/1/2] description Beiji
[*DeviceA-GigabitEthernet0/1/2]undo shutdown
[*DeviceA-GigabitEthernet0/1/2] eth-trunk 2
[*DeviceA-GigabitEthernet0/1/2] commit
[~DeviceA-GigabitEthernet0/1/2] quit
[~DeviceA]interface Eth-Trunk2
[*DeviceA-Eth-Trunk2] description Beiji
[*DeviceA-Eth-Trunk2]ip address 172.20.0.41 255.255.255.252
[*DeviceA-Eth-Trunk2] commit
[~DeviceA-Eth-Trunk2] quit

Step 3 Establish a dual-device backup platform. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
NOTE

In this example, only RUI-related configurations are described. For other configurations, see the
corresponding configuration guide.

# Configure a BFD session on the access side to rapidly detect faults in interfaces or links and
trigger a master/backup VRRP switchover. 192.168.254.3 is the IP address of Eth-Trunk
3.4001 on Device B.
[~DeviceA] bfd
[*DeviceA-bfd] quit
[*DeviceA]bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
[*DeviceA-bfd-session-bfd] discriminator local 2
[*DeviceA-bfd-session-bfd] discriminator remote 3
[*DeviceA-bfd-session-bfd] commit
[~DeviceA-bfd-session-bfd] quit

# Configure a VRRP backup group on Eth-Trunk 3.4001, and configure the VRRP backup
group to track the BFD session and network-side interface.
[~DeviceA] interface Eth-Trunk3.4001
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 virtual-ip 192.168.254.1
[*DeviceA-Eth-Trunk3.4001] admin-vrrp vrid 3
[*DeviceA-Eth-Trunk3.4001]vrrp vrid 3 priority 120
[*DeviceA-Eth-Trunk3.4001]vrrp vrid 3 preempt-mode timer delay 1200
[*DeviceA-Eth-Trunk3.4001]vrrp vrid 3 track interface GigabitEthernet0/1/0
reduced 30
[*DeviceA-Eth-Trunk3.4001]vrrp vrid 3 track bfd-session 2 peer
[*DeviceA-Eth-Trunk3.4001] commit
[~DeviceA-Eth-Trunk3.4001] quit

NOTE

Different priorities must be configured for the devices in a VRRP backup group. The device with the
higher priority becomes the master device.

# Configure an RBS.
[~DeviceA] remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-rbs_qhmd] peer 172.20.1.2 source 172.20.1.3 port 2046
[*DeviceA-rm-backup-rbs_qhmd] track interface GigabitEthernet0/1/0
[*DeviceA-rm-backup-rbs_qhmd]track interface GigabitEthernet0/2/2
[*DeviceA-rm-backup-rbs_qhmd] protect redirect ip-nexthop 172.20.0.42 interface Eth-Trunk2
[*DeviceA-rm-backup-rbs_qhmd] commit
[~DeviceA-rm-backup-rbs_qhmd] quit

NOTE

Ensure that the master and backup devices can ping each other.

# Configure an RBP.


[~DeviceA] remote-backup-profile rbp3
[*DeviceA-rm-backup-prf-rbp3] service-type bras
[*DeviceA-rm-backup-prf-rbp3] backup-id 3 remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-prf-rbp3] peer-backup hot
[*DeviceA-rm-backup-prf-rbp3] vrrp-id 3 interface Eth-Trunk3.4001
[*DeviceA-rm-backup-prf-rbp3] nas logic-port Gigabitethernet 0/1/3
[*DeviceA-rm-backup-prf-rbp3] nas logic-sysname zhuji
[*DeviceA-rm-backup-prf-rbp3] nas logic-ip 172.20.1.1
[*DeviceA-rm-backup-prf-rbp3] commit
[~DeviceA-rm-backup-prf-rbp3] quit

Step 4 Configure IP address pool binding. The configuration on Device A is used in this example.
The configuration on Device B is similar to that on Device A.
# Configure an address pool.
<HUAWEI> system-view
[~HUAWEI] ip pool dmtjs_xi bas local
[*HUAWEI-ip-pool-dmtjs_xi] gateway 192.168.1.1 255.255.255.0
[*HUAWEI-ip-pool-dmtjs_xi] section 0 192.168.1.2 192.168.1.254
[*HUAWEI-ip-pool-dmtjs_xi] dns-server 192.168.1.1
[*HUAWEI-ip-pool-dmtjs_xi] commit
[~HUAWEI-ip-pool-dmtjs_xi] quit

# Bind the address pool to the RBS. In shared address pool mode the pool is bound under the
RBS with a metric (10 on Device A, 20 on Device B) rather than under the RBP, so that both
devices advertise the pool's network segment route and the device with the lower metric is
preferred.
[~DeviceA] remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-rbs_qhmd] ip-pool dmtjs_xi metric 10
[*DeviceA-rm-backup-rbs_qhmd] commit
[~DeviceA-rm-backup-rbs_qhmd] quit

Step 5 Configure authentication and accounting policies for user access. The configuration on
Device A is used in this example. The configuration on Device B is similar to that on Device
A.
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme wu
[*HUAWEI-aaa-authen-wu] authentication-mode none
[*HUAWEI-aaa-authen-wu] commit
[~HUAWEI-aaa-authen-wu] quit
[*HUAWEI-aaa] accounting-scheme wu
[*HUAWEI-aaa-accounting-wu] accounting-mode none
[*HUAWEI-aaa-accounting-wu] commit
[~HUAWEI-aaa-accounting-wu] quit
[*HUAWEI-aaa] domain dmtjs_xi
[*HUAWEI-aaa-dmtjs_xi] authentication-scheme wu
[*HUAWEI-aaa-dmtjs_xi] accounting-scheme wu
[*HUAWEI-aaa-dmtjs_xi] ip-pool dmtjs_xi
[*HUAWEI-aaa-dmtjs_xi] commit
[~HUAWEI-aaa-dmtjs_xi] quit

Step 6 Bind the RBP to Eth-Trunk3.501 from which users go online. The configuration on Device A
is used in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface Eth-Trunk3.501
[*DeviceA-Eth-Trunk3.501] user-vlan 501
[*DeviceA-Eth-Trunk3.501-vlan-501-501] remote-backup-profile rbp3
[*DeviceA-Eth-Trunk3.501-vlan-501-501] quit
[*DeviceA-Eth-Trunk3.501] bas
[*DeviceA-Eth-Trunk3.501-bas] access-type layer2-subscriber default-domain authentication dmtjs_xi
[*DeviceA-Eth-Trunk3.501-bas] authentication-method bind
[*DeviceA-Eth-Trunk3.501-bas] commit
[~DeviceA-Eth-Trunk3.501-bas] quit

Step 7 Configure advertisement of address pool routes. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
[~DeviceA] ospf 1


[*DeviceA-ospf-1] import-route unr
[*DeviceA-ospf-1] area 0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.1.1 0.0.0.0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.1.3 0.0.0.0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.32 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.40 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.56 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] commit
[~DeviceA-ospf-1-area-0.0.0.0] quit

Step 8 Verify the configuration.

After successfully configuring the RBP, run the display remote-backup-profile command.
The service type is bras, the RBP named rbp3 is bound to Eth-Trunk3.501 from which users
go online, and Device A is in the Master state.
<DeviceA> display remote-backup-profile rbp3
-----------------------------------------------
Profile-Index : 0x802
Profile-Name : rbp3
Service : bras
Remote-backup-service: rbs_qhmd
Backup-ID : 3
track protocol : VRRP
VRRP-ID : 3
VRRP-Interface : Eth-Trunk3.4001
Interface :
Eth-Trunk3.501
State : Master
Peer-state : Slave
Backup mode : hot
Slot-Number : 1
Card-Number : 0
Port-Number : 0
Nas logic-port : Gigabitethernet 0/1/3
Nas logic-ip : 172.20.1.1
Nas logic-sysname : zhuji
Traffic interval : 10(minutes)

After successfully configuring the RBS, run the display remote-backup-service command.
The TCP connection is in the Connected state.
<DeviceA> display remote-backup-service rbs_qhmd
----------------------------------------------------------
Service-Index : 0
Service-Name : rbs_qhmd
TCP-State : Connected
Peer-ip : 172.20.1.2
Source-ip : 172.20.1.3
TCP-Port : 2046
Track-BFD : --
Track-interface0 : 0/1/0
Weight : 10
Track-interface1 : 0/2/2
Weight : 10
SSL-Policy-Name : --
SSL-State : --
Uplink state : 2 (1:DOWN 2:UP)
Domain-map-list : --
----------------------------------------------------------

ip pool:
dmtjs_xi metric 10
ipv6 pool:
Failure ratio : 100%
Failure duration : 0 min
--------------------------------------------------------


After users go online, run the display backup-user command to view user information that is
backed up.
<DeviceA> display backup-user
Remote-backup-service: rbs_qhmd
Total Users Number: 3
------------------------------------------------------------------------
100 101 102
------------------------------------------------------------------------

Run the display access-user interface command to view online user information on a
specified interface.
<DeviceA> display access-user interface Eth-Trunk3.501
------------------------------------------------------------------------------
UserID  Username        Interface       IP address     MAC             IPv6 address
------------------------------------------------------------------------------
100     user1@dmtjs_xi  Eth-Trunk3.501  192.168.1.10   0002-0101-0101  -
101     user2@dmtjs_xi  Eth-Trunk3.501  192.168.1.9    0002-0101-0102  -
102     user3@dmtjs_xi  Eth-Trunk3.501  192.168.1.8    0002-0101-0103  -
------------------------------------------------------------------------------
Total users :3
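Both verification steps (Step 8 in the preceding example and Step 8 above) rely on reading the display remote-backup-profile and display remote-backup-service output by eye. The following Python script is an added example and is not part of the Huawei guide: it parses that output format and compares it with the values the change was meant to configure, so that the same check can be repeated on both devices after every change. The sample text is constructed from the Step 8 output above, with the RBS name and backup ID aligned to the configured rbs_qhmd and backup-id 3; the EXPECTED dictionary, the function names, and the treatment of an unbound SSL policy as a finding are assumptions of this example.

```python
# Added example (not from the Huawei guide): health check over the text that
# `display remote-backup-profile` and `display remote-backup-service` print.
import re

# Constructed sample output; field names are those printed by the NE40E.
PROFILE_OUTPUT = """\
-----------------------------------------------
Profile-Name : rbp3
Service : bras
Remote-backup-service: rbs_qhmd
Backup-ID : 3
track protocol : VRRP
VRRP-ID : 3
VRRP-Interface : Eth-Trunk3.4001
Interface :
Eth-Trunk3.501
State : Master
Peer-state : Slave
Backup mode : hot
Nas logic-ip : 172.20.1.1
"""
SERVICE_OUTPUT = """\
----------------------------------------------------------
Service-Name : rbs_qhmd
TCP-State : Connected
Peer-ip : 172.20.1.2
Source-ip : 172.20.1.3
TCP-Port : 2046
Track-interface0 : 0/1/0
Weight : 10
Track-interface1 : 0/2/2
Weight : 10
SSL-Policy-Name : --
SSL-State : --
Uplink state : 2 (1:DOWN 2:UP)
"""
# What the change was meant to configure (assumed values for the example).
EXPECTED = {"rbs": "rbs_qhmd", "backup_id": 3, "access_if": "Eth-Trunk3.501",
            "peer": "172.20.1.2", "source": "172.20.1.3", "port": 2046}


def parse_display(text):
    """'Key : value' lines -> dict.  A key printed with an empty value
    ('Interface :') takes the next line as its value; a key that repeats
    (Weight, once per tracked interface) collects a list of values."""
    fields, pending = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:      # blank lines and rulers
            continue
        m = re.match(r"^(.*?)\s*:\s*(.*)$", line)
        if m and m.group(2):
            key, value, pending = m.group(1), m.group(2), None
            old = fields.get(key)
            fields[key] = value if old is None else (old if isinstance(old, list) else [old]) + [value]
        elif m:                                  # value follows on the next line
            pending = m.group(1)
        elif pending:
            fields[pending], pending = line, None
    return fields


def check_pair(profile, service, expected):
    """Return findings for one device; an empty list means the RBP/RBS state
    matches the plan and nothing security-relevant stands out."""
    findings = []
    want = {"Remote-backup-service": expected["rbs"], "Backup-ID": str(expected["backup_id"]),
            "Service": "bras", "Backup mode": "hot", "Interface": expected["access_if"]}
    for key, value in want.items():
        if profile.get(key) != value:
            findings.append("RBP %s: %s is %r, expected %r" % (profile.get("Profile-Name"), key, profile.get(key), value))
    states = (profile.get("State"), profile.get("Peer-state"))
    if states not in (("Master", "Slave"), ("Slave", "Master")):
        findings.append("RBP state %s/%s: not exactly one master (dual-master means both devices serve users)" % states)
    if service.get("TCP-State") != "Connected":
        findings.append("RBS %s: TCP-State is %s, user entries are not being backed up" % (service.get("Service-Name"), service.get("TCP-State")))
    got = (service.get("Peer-ip"), service.get("Source-ip"), service.get("TCP-Port"))
    if got != (expected["peer"], expected["source"], str(expected["port"])):
        findings.append("RBS endpoints %s differ from the planned peer/source/port" % (got,))
    if not str(service.get("Uplink state", "")).startswith("2"):
        findings.append("RBS uplink state is not UP")
    if service.get("SSL-State") in (None, "--"):
        findings.append("RBS session has no SSL policy bound: user entries cross the backup link in plain TCP")
    return findings


def check_example():
    """Run the check on the constructed sample output."""
    return check_pair(parse_display(PROFILE_OUTPUT), parse_display(SERVICE_OUTPUT), EXPECTED)


if __name__ == "__main__":
    for finding in check_example() or ["OK: RBP/RBS state matches the plan"]:
        print(finding)
```

On the sample output the only finding is the unbound SSL policy, which the output above also shows (SSL-Policy-Name and SSL-State are both "--"). A dual-master state or a TCP-State other than Connected are the findings to act on first: in either case the backup device does not hold a synchronized copy of the user entries, which is exactly the situation the Usage Scenario describes as a service interruption.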

----End

Configuration Files
l Device A configuration file
#
sysname DeviceA
#
router id 172.20.1.3
#
vlan batch 2 to 9 11 to 504 506 to 3999 4001 to 4094
#
bfd
#
ip pool dmtjs_xi bas local
gateway 192.168.1.1 255.255.255.0
section 0 192.168.1.2 192.168.1.254
dns-server 192.168.1.1
#
aaa
authentication-scheme wu
authentication-mode none
accounting-scheme wu
accounting-mode none
domain dmtjs_xi
authentication-scheme wu
accounting-scheme wu
ip-pool dmtjs_xi
#
bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
discriminator local 2
discriminator remote 3
#
interface GigabitEthernet0/1/3
description ToJiaohuanji
undo shutdown
eth-trunk 3
interface Eth-Trunk3.4001
control-vid 4001 dot1q-termination
dot1q termination vid 4001


ip address 192.168.254.2 255.255.255.248
vrrp vrid 3 virtual-ip 192.168.254.1
admin-vrrp vrid 3
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 1200
vrrp vrid 3 track bfd-session 2 peer
vrrp vrid 3 track interface GigabitEthernet0/1/0 reduced 30
#
interface LoopBack0
ip address 172.20.1.1 255.255.255.255
#
interface LoopBack10
ip address 172.20.1.3 255.255.255.255
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 172.20.0.33 255.255.255.252
#
interface GigabitEthernet0/2/2
undo shutdown
ip address 172.20.0.57 255.255.255.252
#
interface GigabitEthernet0/1/2
undo shutdown
eth-trunk 2
#
interface Eth-Trunk2
description Beiji
ip address 172.20.0.41 255.255.255.252
#
remote-backup-service rbs_qhmd
peer 172.20.1.2 source 172.20.1.3 port 2046
track interface gigabitethernet 0/1/0
track interface gigabitethernet 0/2/2
protect redirect ip-nexthop 172.20.0.42 interface Eth-Trunk2
ip-pool dmtjs_xi metric 10
#
remote-backup-profile rbp3
service-type bras
backup-id 3 remote-backup-service rbs_qhmd
peer-backup hot
vrrp-id 3 interface Eth-Trunk3.4001
nas logic-port gigabitethernet0/1/3
nas logic-sysname zhuji
nas logic-ip 172.20.1.1
#
interface Eth-Trunk3.501
user-vlan 501
remote-backup-profile rbp3
bas
access-type layer2-subscriber default-domain authentication dmtjs_xi
authentication-method bind
#
#
ospf 1
import-route unr
area 0.0.0.0
network 172.20.0.32 0.0.0.3
network 172.20.0.56 0.0.0.3
network 172.20.0.40 0.0.0.3
network 172.20.1.1 0.0.0.0
network 172.20.1.3 0.0.0.0
#
return
l Device B configuration file
#
sysname DeviceB
#
router id 172.20.1.2


#
vlan batch 2 to 9 11 to 504 506 to 3999 4001 to 4094
#
bfd
#
ip pool dmtjs_xi bas local rui-slave
gateway 192.168.1.1 255.255.255.0
section 0 192.168.1.2 192.168.1.254
dns-server 192.168.1.1
#
aaa
authentication-scheme wu
authentication-mode none
accounting-scheme wu
accounting-mode none
domain dmtjs_xi
authentication-scheme wu
accounting-scheme wu
ip-pool dmtjs_xi
#
bfd eth-trunk3-peer bind peer-ip 192.168.254.2 source-ip 192.168.254.3
discriminator local 3
discriminator remote 2
#
interface GigabitEthernet0/1/3
description ToJiaohuanji
undo shutdown
eth-trunk 3
interface Eth-Trunk3.4001
control-vid 4001 dot1q-termination
dot1q termination vid 4001
ip address 192.168.254.3 255.255.255.248
vrrp vrid 3 virtual-ip 192.168.254.1
admin-vrrp vrid 3
vrrp vrid 3 track bfd-session 3 peer
#
interface LoopBack0
ip address 172.20.1.1 255.255.255.255
#
interface LoopBack10
ip address 172.20.1.2 255.255.255.255
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 172.20.0.34 255.255.255.252
#
interface GigabitEthernet0/2/2
undo shutdown
ip address 172.20.0.58 255.255.255.252
#
interface GigabitEthernet0/1/2
undo shutdown
eth-trunk 2
#
interface Eth-Trunk2
description Zhuji
ip address 172.20.0.42 255.255.255.252
#
remote-backup-service rbs_qhmd
peer 172.20.1.3 source 172.20.1.2 port 2046
track interface gigabitethernet 0/1/0
track interface gigabitethernet 0/2/2
protect redirect ip-nexthop 172.20.0.41 interface Eth-Trunk2
ip-pool dmtjs_xi metric 20
#
remote-backup-profile rbp3
service-type bras
backup-id 3 remote-backup-service rbs_qhmd
peer-backup hot


vrrp-id 3 interface Eth-Trunk3.4001
nas logic-port gigabitethernet0/1/3
nas logic-sysname zhuji
nas logic-ip 172.20.1.1
#
interface Eth-Trunk3.501
user-vlan 501
remote-backup-profile rbp3
bas
access-type layer2-subscriber default-domain authentication dmtjs_xi
authentication-method bind
#
#
ospf 1
import-route unr
area 0.0.0.0
network 172.20.0.32 0.0.0.3
network 172.20.0.56 0.0.0.3
network 172.20.0.40 0.0.0.3
network 172.20.1.2 0.0.0.0
network 172.20.1.3 0.0.0.0
#
return
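The configuration files of this example and of the preceding one are built by hand, and the procedure says only that Device B is configured "similarly" to Device A. The following Python script is an added example and is not part of the Huawei guide: it audits a Device A / Device B pair for the pairing rules the text states in prose (mirrored RBS peer/source, mirrored BFD peer/source and local/remote discriminators, identical RBP and access-interface statements, different VRRP priorities, different shared-pool metrics, and a pool that the domain actually references). The two configurations are constructed from the Device A and Device B files above, reduced to the RUI-relevant blocks; the parser assumes VRP's layout of '#'-separated blocks whose first line is the block header, and the function and variable names are this example's own. audit_broken_example() shows what the audit reports when Device B gets a different user VLAN and a differently named pool.

```python
# Added example (not from the Huawei guide): audit a Device A / Device B RUI
# configuration pair for the pairing rules the guide only states in prose.
import re

# Constructed from the guide's Device A / Device B files for this example,
# reduced to the RUI-relevant blocks; the two sides differ only where the
# guide says they must (mirrored addresses, VRRP priority, rui-slave, metric).
TEMPLATE = """\
#
ip pool dmtjs_xi bas local{pool_flag}
#
aaa
 domain dmtjs_xi
  ip-pool dmtjs_xi
#
bfd eth-trunk3-peer bind peer-ip {bfd_peer} source-ip {bfd_src}
 discriminator local {disc_local}
 discriminator remote {disc_remote}
#
interface Eth-Trunk3.4001
 vrrp vrid 3 virtual-ip 192.168.254.1{priority}
#
remote-backup-service rbs_qhmd
 peer {rbs_peer} source {rbs_src} port 2046
 ip-pool dmtjs_xi metric {metric}
#
remote-backup-profile rbp3
 service-type bras
 backup-id 3 remote-backup-service rbs_qhmd
#
interface Eth-Trunk3.501
 user-vlan 501
 remote-backup-profile rbp3
#
"""
DEVICE_A = dict(pool_flag="", bfd_peer="192.168.254.3", bfd_src="192.168.254.2", disc_local=2,
                disc_remote=3, priority="\n vrrp vrid 3 priority 120",
                rbs_peer="172.20.1.2", rbs_src="172.20.1.3", metric=10)
DEVICE_B = dict(pool_flag=" rui-slave", bfd_peer="192.168.254.2", bfd_src="192.168.254.3", disc_local=3,
                disc_remote=2, priority="", rbs_peer="172.20.1.3", rbs_src="172.20.1.2", metric=20)
CFG_A, CFG_B = TEMPLATE.format(**DEVICE_A), TEMPLATE.format(**DEVICE_B)


def parse_vrp(text):
    """VRP config -> {block header: [statements]}.  Blocks are separated by
    '#' lines, the first line of a block is its header, nesting is flattened."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            current = None
        elif line and current is None:
            current, blocks[line] = line, []
        elif line:
            blocks[current].append(line)
    return blocks


def first(items, regex):
    """First item that re.match()es regex, as a match object, else None."""
    return next((m for m in (re.match(regex, s) for s in items) if m), None)


def audit_pair(cfg_a, cfg_b, rbs="rbs_qhmd", rbp="rbp3", vrrp_if="Eth-Trunk3.4001", access_if="Eth-Trunk3.501"):
    """Return findings for the pair; an empty list means the two devices agree."""
    a, b, f = parse_vrp(cfg_a), parse_vrp(cfg_b), []
    # RBS: peer/source mirrored; in shared-pool mode the two metrics must differ.
    ra, rb = a.get("remote-backup-service " + rbs, []), b.get("remote-backup-service " + rbs, [])
    pa, pb = (first(blk, r"peer (\S+) source (\S+) port (\d+)") for blk in (ra, rb))
    if not (pa and pb) or pa.group(1, 2, 3) != (pb.group(2), pb.group(1), pb.group(3)):
        f.append("RBS %s: peer/source/port are not mirrored between the devices" % rbs)
    ma, mb = (first(blk, r"ip-pool \S+ metric (\d+)") for blk in (ra, rb))
    if ma and mb and ma.group(1) == mb.group(1):
        f.append("RBS %s: both devices bind the shared pool with metric %s; one side must be preferred" % (rbs, ma.group(1)))
    # RBP and access interface: these statements must be identical on both devices.
    for header, keys in (("remote-backup-profile " + rbp, ("service-type", "backup-id")),
                         ("interface " + access_if, ("user-vlan", "remote-backup-profile"))):
        for key in keys:
            sa, sb = (first(cfg.get(header, []), re.escape(key) + r"( |$)") for cfg in (a, b))
            if (sa and sa.string) != (sb and sb.string):
                f.append("%s: '%s' differs (%s vs %s)" % (header, key, sa and sa.string, sb and sb.string))
    # VRRP: the guide requires different priorities (the default is 100 when unset).
    prio = [int(m.group(1)) if m else 100 for m in
            (first(cfg.get("interface " + vrrp_if, []), r"vrrp vrid \d+ priority (\d+)") for cfg in (a, b))]
    if prio[0] == prio[1]:
        f.append("VRRP on %s: both devices have priority %d; they must differ" % (vrrp_if, prio[0]))
    # BFD: peer/source mirrored, and local/remote discriminators swapped between the sides.
    ba, bb = (first(cfg, r"bfd \S+ bind peer-ip (\S+) source-ip (\S+)") for cfg in (a, b))
    disc = lambda blk: tuple(m and m.group(1) for m in
                             (first(blk, r"discriminator local (\d+)"), first(blk, r"discriminator remote (\d+)")))
    if not (ba and bb) or ba.group(1, 2) != (bb.group(2), bb.group(1)):
        f.append("BFD session peer/source addresses are not mirrored")
    elif disc(a[ba.string]) != disc(b[bb.string])[::-1]:
        f.append("BFD discriminators are not mirrored (local on one side must be remote on the other)")
    # Address pool: the pool the domain hands out must be defined on each device.
    for name, cfg in (("DeviceA", a), ("DeviceB", b)):
        dp = first(cfg.get("aaa", []), r"ip-pool (\S+)")
        if dp and not any(h.startswith("ip pool %s " % dp.group(1)) for h in cfg):
            f.append("%s: domain references pool %s, which is not defined" % (name, dp.group(1)))
    return f


def audit_example():
    return audit_pair(CFG_A, CFG_B)            # the pair as the guide configures it


def audit_broken_example():
    # Device B done "similarly" but with user-vlan 1 and a pool named pool1.
    broken = CFG_B.replace("user-vlan 501", "user-vlan 1").replace("ip pool dmtjs_xi bas", "ip pool pool1 bas")
    return audit_pair(CFG_A, broken)
```

Feed it the two saved configuration files (the blocks not listed in the template are ignored) before committing; the checks are deliberately one-directional, so the same script run with the arguments swapped gives the same answer. The pool check matters in shared address pool mode in particular: a domain that references a pool the device does not define lets users authenticate against a domain that cannot hand out addresses on the backup side.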

13.11.3 Example for Configuring User Information Backup with Automatic Route Advertisement

This section describes an example for configuring RUI backup with automatic route
advertisement. The example includes the networking requirements, configuration roadmap,
configuration procedure, and configuration files.

Networking Requirements
In Figure 13-3, users connect to Device A and Device B through a LAN switch. The two
devices run VRRP to determine the master and backup status. The basic user access functions
are configured on Device A and Device B, allowing users to go online through the master
device.
Automatic route advertisement is easier to configure than manual route advertisement. It also
avoids a failure mode of manual advertisement: if a BRAS fails after a master/backup switchover,
its UNRs are not advertised again automatically once it recovers. With automatic advertisement,
the default route cost controls route preference. If dual-system hot backup is configured on the
BRASs, the routing protocol imports UNRs and inherits their preference values, so the network
segment route of the primary address pool has a better (lower) cost than that of the secondary
address pool.
To improve link usage, one VRRP backup group carries the packets of users with odd MAC
addresses and the other group carries the packets of users with even MAC addresses, which
load-balances user traffic between Device A and Device B.

Figure 13-3 User information backup with automatic route advertisement

NOTE

Interfaces 1 through 4 in this example are GE 0/1/0, GE 0/2/0, GE 0/3/0, GE 0/1/1, respectively.

[Figure 13-3: Device A and Device B each connect to the metro network through interface 1
(10.0.1.1/24 and 10.0.1.2/24) and to Device C on the IP/MPLS core through interface 2; interface 3
links Device A and Device B directly, and interface 4 on Device A is the second user access
interface.]

Device    Interface   IP Address
Device A  GE0/1/0     10.0.1.1/24
          GE0/2/0     10.0.0.1/24
          GE0/3/0     10.1.1.6/24
          Loopback0   1.1.1.1/32
          Loopback1   22.22.22.22/32
Device B  GE0/1/0     10.0.1.2/24
          GE0/2/0     10.0.2.1/24
          GE0/3/0     10.1.1.7/24
          Loopback0   2.2.2.2/32
          Loopback1   88.88.88.88/32

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic user access functions and ensure that the two routers have the same
configuration. For details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access.
2. Establish a multi-system backup platform.
3. Set NAS parameters, the interval for backing up traffic, or the traffic threshold.
4. Configure a protection path for returned network-side traffic.
5. Bind an RBP to an interface from which users get online.
6. Enable a routing protocol to trust UNR cost values.


Data Preparation
To complete the configuration, you need the following data:

- VRRP ID
- Routers that back up each other
- Backup ID, which is used together with the RBS to determine the RBP that the user
belongs to

Procedure
Step 1 Configure a multi-system backup platform. Device A is used as an example. The
configuration of Device B is similar to that of Device A.
NOTE

The example describes only the configurations related to user information backup.

# Configure BFD sessions named bfd and bfd2 at the access side to rapidly detect faults in
interfaces or links of two VRRP backup groups and trigger a master/backup VRRP
switchover if a fault occurs. Set the peer IP addresses for BFD sessions to 10.0.1.2 (IP address
of Device B's GE 0/1/0.2) and 101.0.0.2 (IP address of Device B's GE 0/1/0.3).
[~DeviceA] bfd
[*DeviceA-bfd] quit
[*DeviceA] bfd bfd bind peer-ip 10.0.1.2
[*DeviceA-bfd-session-bfd] discriminator local 1
[*DeviceA-bfd-session-bfd] discriminator remote 2
[*DeviceA-bfd-session-bfd] commit
[~DeviceA-bfd-session-bfd] quit
[~DeviceA] bfd bfd2 bind peer-ip 101.0.0.2
[*DeviceA-bfd-session-bfd2] discriminator local 3
[*DeviceA-bfd-session-bfd2] discriminator remote 4
[*DeviceA-bfd-session-bfd2] commit
[~DeviceA-bfd-session-bfd2] quit

# Configure a VRRP backup group on GE 0/1/0.2 and another one on GE 0/1/0.3, and enable
each VRRP backup group to track a specific BFD session and the network-side interface
status.
[~DeviceA] interface gigabitethernet 0/1/0.2
[*DeviceA-GigabitEthernet0/1/0.2] vlan-type dot1q 200
[*DeviceA-GigabitEthernet0/1/0.2] ip address 10.0.1.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 virtual-ip 10.0.1.100
[*DeviceA-GigabitEthernet0/1/0.2] admin-vrrp vrid 1
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 priority 120
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 track bfd-session 1 peer
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
[*DeviceA-GigabitEthernet0/1/0.2] commit
[~DeviceA-GigabitEthernet0/1/0.2] quit
[~DeviceA] interface gigabitethernet 0/1/0.3
[*DeviceA-GigabitEthernet0/1/0.3] vlan-type dot1q 201
[*DeviceA-GigabitEthernet0/1/0.3] ip address 101.0.0.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0.3] vrrp vrid 2 virtual-ip 101.0.0.100
[*DeviceA-GigabitEthernet0/1/0.3] admin-vrrp vrid 2
[*DeviceA-GigabitEthernet0/1/0.3] vrrp vrid 2 priority 100
[*DeviceA-GigabitEthernet0/1/0.3] vrrp vrid 2 preempt-mode timer delay 600
[*DeviceA-GigabitEthernet0/1/0.3] vrrp vrid 2 track bfd-session 3 peer
[*DeviceA-GigabitEthernet0/1/0.3] vrrp vrid 2 track interface gigabitethernet 0/2/0 reduced 50
[*DeviceA-GigabitEthernet0/1/0.3] commit
[~DeviceA-GigabitEthernet0/1/0.3] quit


NOTE

VRRP priorities should be configured on both devices to determine the master and backup status. A
device with the higher priority functions as the master device.

# Configure an RBS.
[~DeviceA] remote-backup-service service1
[*DeviceA-rm-backup-srv-service1] peer 88.88.88.88 source 22.22.22.22 port 2046
[*DeviceA-rm-backup-srv-service1] track interface gigabitethernet 0/2/0
[*DeviceA-rm-backup-srv-service1] commit

NOTE

To monitor the network-side peer BFD sessions that are established on the two Routers, run the track
bfd-session command in the RBS view, which helps rapidly monitor the peer status. The configuration
details are not provided. For details, see the command reference.

# Configure an RBP.
[~DeviceA] remote-backup-profile profile1
[*DeviceA-rm-backup-prf-profile1] peer-backup hot
[*DeviceA-rm-backup-prf-profile1] vrrp-id 1 interface gigabitethernet 0/1/0.2 even-mac
[*DeviceA-rm-backup-prf-profile1] vrrp-id 2 interface gigabitethernet 0/1/0.3 odd-mac
[*DeviceA-rm-backup-prf-profile1] backup-id 10 remote-backup-service service1
[*DeviceA-rm-backup-prf-profile1] service-type bras
[*DeviceA-rm-backup-prf-profile1] quit
[*DeviceA] remote-backup-profile profile2
[*DeviceA-rm-backup-prf-profile2] peer-backup hot
[*DeviceA-rm-backup-prf-profile2] vrrp-id 1 interface gigabitethernet 0/1/0.2
[*DeviceA-rm-backup-prf-profile2] backup-id 10 remote-backup-service service1
[*DeviceA-rm-backup-prf-profile2] service-type bras
[*DeviceA-rm-backup-prf-profile2] commit
[~DeviceA-rm-backup-prf-profile2] quit

Step 2 Set NAS parameters and the interval for backing up traffic. Device A is used as an
example. The configuration of Device B is similar to that of Device A.
# Set NAS parameters.
[~DeviceA] remote-backup-profile profile1
[*DeviceA-rm-backup-prf-profile1] nas logic-ip 1.2.3.4
[*DeviceA-rm-backup-prf-profile1] nas logic-port gigabitethernet 0/1/0
[*DeviceA-rm-backup-prf-profile1] nas logic-sysname huawei
[*DeviceA-rm-backup-prf-profile1] commit

# Set an interval for backing up traffic.
[~DeviceA] remote-backup-profile profile1
[*DeviceA-rm-backup-prf-profile1] traffic backup interval 10
[*DeviceA-rm-backup-prf-profile1] commit

Step 3 Bind pool1 configured in the AAA domain to the RBS and configure a protection path for
returned network-side traffic. Device A is used as an example. The configuration of Device B
is similar to that of Device A.
[~DeviceA] remote-backup-service service1
[*DeviceA-rm-backup-srv-service1] ip-pool pool1
[*DeviceA-rm-backup-srv-service1] protect redirect ip-nexthop 10.1.1.7 interface gigabitethernet 0/3/0
[*DeviceA-rm-backup-srv-service1] commit

Step 4 Bind RBP profile1 to GE 0/1/0.1 and RBP profile2 to GE 0/1/1.1, the interfaces through
which users get online. Device A is used as an example. The configuration of Device B is
similar to that of Device A.
[~DeviceA] interface gigabitethernet 0/1/0.1
[*DeviceA-GigabitEthernet0/1/0.1] remote-backup-profile profile1
[*DeviceA-GigabitEthernet0/1/0.1] commit
[~DeviceA-GigabitEthernet0/1/0.1] quit
[~DeviceA] interface gigabitethernet 0/1/1.1
[*DeviceA-GigabitEthernet0/1/1.1] remote-backup-profile profile2
[*DeviceA-GigabitEthernet0/1/1.1] commit
[~DeviceA-GigabitEthernet0/1/1.1] quit

Step 5 Enable each router to use the default cost values of imported routes to control address pool
route priorities.
[~DeviceA] peer-backup route-cost auto-advertising

NOTE

Perform one of the following steps based on the type of routing protocol:
- Run the import-route unr inherit-cost command in the IS-IS view.
- In the OSPF view, run the following commands:
  1. default cost inherit-metric
  2. import-route unr
- Run the import-route unr command in the BGP view.

Step 6 Verify the configuration.

When the RBP is successfully configured, you can view that the backup service type is bras,
RBP profile1 is bound to user access interface GigabitEthernet0/1/0.1, and the status of
Device A is Master.
<DeviceA> display remote-backup-profile profile1
-----------------------------------------------
Profile-Index : 0x802
Profile-Name : profile1
Service : bras
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : GigabitEthernet0/1/0.2
Access-Control : Even-Mac
State : Master
Peer-state : Slave
VRRP-ID : 2
VRRP-Interface : GigabitEthernet0/1/0.3
Access-Control : Odd-Mac
State : Slave
Peer-state : Master
Interface :
GigabitEthernet0/1/0.1
Backup mode : hot
Slot-Number : 1
Card-Number : 0
Port-Number : 0
Nas logic-port : Gigabitethernet 0/1/0
Nas logic-ip : 1.2.3.4
Nas logic-sysname : huawei
Traffic interval : 10(minutes)

When the RBS is configured successfully, you can view that the TCP connection status is
Connected.
<DeviceA> display remote-backup-service service1
----------------------------------------------------------
Service-Index : 0
Service-Name : service1
TCP-State : Connected
Peer-ip : 88.88.88.88
Source-ip : 22.22.22.22
TCP-Port : 2046
Track-BFD : --


Track-interface0 : GigabitEthernet0/2/0
Track-interface1 : --
----------------------------------------------------------

IP Pool:
pool1
ip pool:
poolv4_yyz metric 10
r3 metric 10
r4 metric 20
remotev4 metric 10
ipv6 pool:
1234 metric 10
iana_yyz metric 10
iapd_yyz metric 10
lo metric 10
loc_vpn metric 10
nd metric 10
pd metric 10
remote_del_yyz metric 10
remotev6_yyz metric 10
Failure ratio : 100%
Failure duration : 0 min
NAT instance : nat1
----------------------------------------------------------
Rbs-ID : 0
Protect-type : ip-redirect
Next-hop : 10.1.1.7
Vlanid : 0
Peer-ip : 10.1.1.7
Vrfid : 0
Tunnel-index : 0x0
Tunnel-state : UP
Tunnel-OperFlag: NORMAL
Spec-interface : GigabitEthernet0/3/0
Out-interface : GigabitEthernet0/3/0
User-number : 0

After users go online, you can view the information about backup users. The information
includes the number of locally logged-in users and the number of remotely logged-in users
whose information is backed up.
<HUAWEI> display backup-user
Remote-backup-service: service1
Total Users Number: 10
------------------------------------------------------------------------
100 101 102 103 104 105 106 107 108 109
------------------------------------------------------------------------
Local Users Number :10
Remote Users Number :0

The information about online users on a specific interface can be displayed. The information
includes the number of non-RUI users, the number of local RUI users, the number of remote
RUI users, and the total number of users.
<HUAWEI> display access-user interface GigabitEthernet 0/1/0.1
------------------------------------------------------------------------------
UserID  Username  Interface  IP address  MAC             Vlan  IPv6 address  Access type
------------------------------------------------------------------------------
100     user@lsh  GE0/1/0.1  2.2.2.10    0002-0101-0101  50/-  -             IPoE
101     user@lsh  GE0/1/0.1  2.2.2.9     0002-0101-0102  50/-  -             IPoE
102     user@lsh  GE0/1/0.1  2.2.2.8     0002-0101-0103  50/-  -             IPoE
103     user@lsh  GE0/1/0.1  2.2.2.7     0002-0101-0104  50/-  -             IPoE
104     user@lsh  GE0/1/0.1  2.2.2.6     0002-0101-0105  50/-  -             IPoE
105     user@lsh  GE0/1/0.1  2.2.2.5     0002-0101-0106  50/-  -             IPoE
106     user@lsh  GE0/1/0.1  2.2.2.4     0002-0101-0107  50/-  -             IPoE
107     user@lsh  GE0/1/0.1  2.2.2.3     0002-0101-0108  50/-  -             IPoE
108     user@lsh  GE0/1/0.1  2.2.2.2     0002-0101-0109  50/-  -             IPoE
109     user@lsh  GE0/1/0.1  2.2.2.11    0002-0101-0110  50/-  -             IPoE
------------------------------------------------------------------------------
Normal users : 0
RUI Local users : 10
RUI Remote users : 0
Total users : 10

----End

Configuration Files
- Configuration file of Device A
#
sysname DeviceA
#
ip pool pool1 bas local
gateway 16.0.0.1 255.255.255.0
section 0 16.0.0.2 16.0.0.100
#
aaa
domain userdomain1
authentication-scheme default0
accounting-scheme default0
ip-pool pool1
#
bfd bfd bind peer-ip 10.0.1.2
discriminator local 1
discriminator remote 2
commit
#
bfd bfd2 bind peer-ip 101.0.0.2
discriminator local 3
discriminator remote 4
commit
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 track bfd-session session-name bfd peer
vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
#
interface gigabitethernet 0/1/0.3
vlan-type dot1q 201
ip address 101.0.0.1 255.255.255.0
vrrp vrid 2 virtual-ip 101.0.0.100
admin-vrrp vrid 2
vrrp vrid 2 priority 100
vrrp vrid 2 preempt-mode timer delay 600
vrrp vrid 2 track bfd-session session-name bfd2 peer
vrrp vrid 2 track interface gigabitethernet 0/2/0 reduced 50
#
remote-backup-service service1
peer 88.88.88.88 source 22.22.22.22 port 2046
track interface gigabitethernet 0/2/0
ip-pool pool1
protect redirect ip-nexthop 10.1.1.7 interface gigabitethernet 0/3/0
#
remote-backup-profile profile1
service-type bras
backup-id 10 remote-backup-service service1
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2 even-mac
vrrp-id 2 interface gigabitethernet 0/1/0.3 odd-mac
nas logic-ip 1.2.3.4
nas logic-port gigabitethernet0/1/0
nas logic-sysname huawei
traffic backup interval 10
#
remote-backup-profile profile2
service-type bras
backup-id 10 remote-backup-service service1
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2
#
interface gigabitethernet 0/1/0.1
user-vlan 50
remote-backup-profile profile1
bas
access-type layer2-subscriber
authentication-method web
#
interface gigabitethernet 0/1/1.1
user-vlan 70
remote-backup-profile profile2
bas
access-type layer2-subscriber
authentication-method web
#
interface gigabitethernet 0/3/0
undo shutdown
ip address 10.1.1.6 255.255.255.0
#
peer-backup route-cost auto-advertising
return
- Configuration file of Device B
#
sysname DeviceB
#
ip pool pool1 bas local rui-slave
gateway 16.0.0.1 255.255.255.0
section 0 16.0.0.2 16.0.0.100
#
aaa
domain userdomain1
authentication-scheme default0
accounting-scheme default0
#
bfd bfd bind peer-ip 10.0.1.1
discriminator local 2
discriminator remote 1
commit
#
bfd bfd2 bind peer-ip 101.0.0.1
discriminator local 4
discriminator remote 3
commit
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 100
vrrp vrid 1 preempt-mode timer delay 600
vrrp vrid 1 track bfd-session session-name bfd peer
vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
#
interface gigabitethernet 0/1/0.3
vlan-type dot1q 201
ip address 101.0.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 101.0.0.100
admin-vrrp vrid 2
vrrp vrid 2 priority 120
vrrp vrid 2 track bfd-session session-name bfd2 peer
vrrp vrid 2 track interface gigabitethernet 0/2/0 reduced 50
#
remote-backup-service service1
peer 22.22.22.22 source 88.88.88.88 port 2046
track interface gigabitethernet 0/2/0
protect redirect ip-nexthop 10.1.1.6 interface gigabitethernet 0/3/0
#
remote-backup-profile profile1
service-type bras
backup-id 10 remote-backup-service service1
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2 even-mac
vrrp-id 2 interface gigabitethernet 0/1/0.3 odd-mac
nas logic-ip 1.2.3.4
nas logic-port gigabitethernet0/1/0
nas logic-sysname huawei
traffic backup interval 10
#
interface gigabitethernet 0/1/0.1
user-vlan 50
remote-backup-profile profile1
bas
access-type layer2-subscriber
authentication-method web
#
interface gigabitethernet 0/3/0
undo shutdown
ip address 10.1.1.7 255.255.255.0
#
peer-backup route-cost auto-advertising
return

13.11.4 Example for Configuring Multicast Dual-Device Hot Backup
This section provides an example for configuring multicast RUI.

Usage Scenario
With the rapid development of IP technologies, various value-added services are widely used
on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers'
leased lines, and VPN interconnection, have high requirements for IP network reliability. IP
network reliability for carrier-class services covers device, link, and network reliability. On
a bearer network, the availability of a network device is required to reach 99.999%; that is, the
device downtime in a year must be less than 5 minutes. High reliability is a basic requirement
for carrier-class devices and must be considered by telecom carriers during network
construction.

The NE40E functions as an edge router that carries multiple services. It is connected to a core
network to implement Layer 3 routing functions and to the aggregation layer to terminate
Layer 2 user packets for user access. The NE40E can carry multiple services, such as triple
play services (HSI, VoIP, and IPTV), and therefore must be highly reliable. The NE40E
provides service-level high-reliability technologies. Non-stop forwarding of data flows alone
does not guarantee that user services are not interrupted: if a network node or link fails, user
traffic is switched to a backup device, but if user information has not been synchronized to
that backup device, user services are still interrupted. High reliability was considered when
the NE40E was designed to function as a network edge service aggregation and control device,
so that users' HSI, IPTV, and VoIP services are not interrupted if a network node or link
fault occurs. RUI is designed to meet the preceding reliability requirements.

Requirements on Software and Hardware

- Requirements on software: V800R010C00 or later
- Requirements on hardware: User access boards are installed

Requirements on Interconnected Devices

- Upstream device: There are no special requirements. The upstream device is generally a
CR for route switching and supports MPLS and MPLS L3VPN. It is recommended that
the upstream device be able to provide MPLS L2VPN capabilities. In multi-device
backup scenarios, protection tunnels must be established. If no direct link can be
deployed between NE40Es, a protection path must be established from the IP core
network. An MPLS tunnel is ideal.
- Downstream device: An aggregation switch is used as the downstream device to learn
MAC addresses from Layer 2 VLAN packets.

Solution Limitations
- The VRRP switchback (preempt) delay must be two to three times the interval at which
multicast query packets are sent, so that the multicast entries on the master and backup
devices are the same before traffic switches back. The default interval at which multicast
query packets are sent is 60s.
- NE40Es function as multicast replication points, and the copy-by-session mode is used.
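The roadmap for 13.11.3 requires the two routers to carry matching configuration, and the limitation above ties the VRRP switchback delay to the multicast query interval. Both are easy to get wrong by hand, so the following Python script is added here as a worked example; it is not Huawei code and is not part of this guide. It parses VRP-style configuration text and checks the pairing rules these examples rely on: BFD discriminators mirrored between the peers, one master per VRRP group with a preempt delay on the lower-priority side, the RBS peer and source addresses swapped, and exactly one device marking the address pool rui-slave. The two sample configurations are constructed for the example and loosely follow the Device A and Device B files of 13.11.3; two defects are planted deliberately so the checks have something to report. The 60 s default query interval comes from the limitation above.

```python
import re

def parse_vrp(text):
    """Split VRP configuration text into '#'-delimited (header, body) blocks."""
    blocks = []
    for chunk in text.split("\n#"):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip() not in ("", "#", "return")]
        if lines:
            blocks.append((lines[0], lines[1:]))
    return blocks

def bfd_sessions(blocks):
    """{session name: (local discriminator, remote discriminator)} from each 'bfd NAME bind ...' view."""
    out = {}
    for hdr, body in blocks:
        if hdr.startswith("bfd "):
            d = dict(re.findall(r"discriminator (local|remote) (\d+)", " ".join(body)))
            out[hdr.split()[1]] = (int(d.get("local", 0)), int(d.get("remote", 0)))
    return out

def vrrp_groups(blocks):
    """{vrid: {'vip', 'prio', 'delay'}}; VRP defaults are priority 100 and no preempt delay."""
    pat = re.compile(r"vrrp vrid (\d+) (virtual-ip|priority|preempt-mode timer delay) (\S+)")
    groups = {}
    for hdr, body in blocks:
        if hdr.startswith("interface "):
            for m in filter(None, map(pat.match, body)):
                g = groups.setdefault(int(m.group(1)), {"vip": None, "prio": 100, "delay": 0})
                key = {"virtual-ip": "vip", "priority": "prio"}.get(m.group(2), "delay")
                g[key] = m.group(3) if key == "vip" else int(m.group(3))
    return groups

def check_pair(text_a, text_b):
    """Return findings for a master/backup pair; an empty list means the pair is consistent."""
    a, b = parse_vrp(text_a), parse_vrp(text_b)
    out = []
    ba, bb = bfd_sessions(a), bfd_sessions(b)
    for name in sorted(set(ba) | set(bb)):
        if name not in ba or name not in bb:
            out.append(f"bfd {name}: configured on one device only")
        elif ba[name] != bb[name][::-1]:  # A's local must be B's remote and vice versa
            out.append(f"bfd {name}: discriminators not mirrored {ba[name]} vs {bb[name]}")
    va, vb = vrrp_groups(a), vrrp_groups(b)
    for vrid in sorted(set(va) | set(vb)):
        if vrid not in va or vrid not in vb:
            out.append(f"vrrp {vrid}: configured on one device only")
            continue
        ga, gb = va[vrid], vb[vrid]
        if ga["vip"] != gb["vip"]:
            out.append(f"vrrp {vrid}: virtual-ip differs ({ga['vip']} vs {gb['vip']})")
        if ga["prio"] == gb["prio"]:
            out.append(f"vrrp {vrid}: equal priority {ga['prio']}, master is ambiguous")
        elif min(ga, gb, key=lambda g: g["prio"])["delay"] == 0:
            out.append(f"vrrp {vrid}: lower-priority side has no preempt delay")
    # RBS: A's peer must be B's source and vice versa, on the same TCP port
    ra, rb = (re.search(r"peer (\S+) source (\S+) port (\d+)", t) for t in (text_a, text_b))
    if not (ra and rb) or ra.group(3) != rb.group(3) or ra.group(1, 2) != rb.group(2, 1):
        out.append("rbs: peer/source addresses or port are not mirrored")
    slaves = [any(h.startswith("ip pool ") and "rui-slave" in h for h, _ in blk) for blk in (a, b)]
    if slaves.count(True) != 1:
        out.append("ip pool: exactly one device must mark the pool rui-slave")
    return out

def check_multicast_delay(text, query_interval=60):
    """Multicast RUI limit: the switchback delay must be two to three times the IGMP query interval."""
    return [f"vrrp {v}: preempt delay {g['delay']}s < 2x query interval {query_interval}s"
            for v, g in sorted(vrrp_groups(parse_vrp(text)).items())
            if 0 < g["delay"] < 2 * query_interval]

# Constructed sample pair modelled on the Device A / Device B files of 13.11.3 (not from the guide);
# the bfd2 remote discriminator on B and the 60 s delay for vrid 2 on A are deliberately wrong.
TEMPLATE = """\
#
ip pool pool1 bas local{s}
#
bfd bfd2 bind peer-ip {p}
 discriminator local {l}
 discriminator remote {r}
#
interface gigabitethernet 0/1/0.2
 vrrp vrid 1 virtual-ip 10.0.1.100
 vrrp vrid 1 priority {p1}
 vrrp vrid 1 preempt-mode timer delay {d1}
#
interface gigabitethernet 0/1/0.3
 vrrp vrid 2 virtual-ip 101.0.0.100
 vrrp vrid 2 priority {p2}
 vrrp vrid 2 preempt-mode timer delay {d2}
#
remote-backup-service service1
 peer {rp} source {rs} port 2046
"""
DEVICE_A = TEMPLATE.format(s="", p="101.0.0.2", l=3, r=4, p1=120, d1=0, p2=100, d2=60,
                           rp="88.88.88.88", rs="22.22.22.22")
DEVICE_B = TEMPLATE.format(s=" rui-slave", p="101.0.0.1", l=4, r=4, p1=100, d1=600, p2=120,
                           d2=0, rp="22.22.22.22", rs="88.88.88.88")

if __name__ == "__main__":
    print(*check_pair(DEVICE_A, DEVICE_B), *check_multicast_delay(DEVICE_A), sep="\n")
```

Run it as a script to print the findings, or import it and feed it the saved configuration of both devices. The script only reads configuration text; it does not replace the display vrrp and display remote-backup-profile verification steps, which confirm the running state.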

Networking Requirements
On the network shown in Figure 13-4, the user logs in to Device A and Device B through a
LAN switch. The two devices run VRRP to determine the master/backup status. Basic user
access functions are configured on Device A and Device B so that the user goes online
through the master device. If the master device, or a link on its network or user side, fails,
service traffic must be quickly switched to the backup device.

Figure 13-4 Example for configuring multicast RUI

NOTE

Interface 1 and interface 2 in this example are GE0/1/0 and GE0/2/2, respectively.

[Figure 13-4: CR1 and CR2 sit above Device A and Device B, which connect to them through
interface 1 and interface 2. Device A and Device B connect to the LAN switch through Eth-Trunk3
and run VRRP+BFD between them; the user connects to the LAN switch.]

Device    Interface         IP Address
Device A  Eth-Trunk 3.4001  192.168.254.2/29
          Loopback 0        172.20.1.1/32
          Loopback 10       172.20.1.3/32
          GE 0/1/0          172.20.0.33/30
          GE 0/2/2          172.20.0.57/30
Device B  Eth-Trunk 3.4001  192.168.254.3/29
          Loopback 0        172.20.1.1/32
          Loopback 10       172.20.1.2/32
          GE 0/1/0          172.20.0.34/30
          GE 0/2/2          172.20.0.58/30

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure interfaces and assign IP addresses to them.
2. Establish a dual-device backup platform.
3. Configure IP address pool binding.
4. Bind an RBP to an interface from which the user goes online.
5. Configure routes to ensure IP connectivity between devices. For details, see HUAWEI
NE40E-M2 Series Universal Service Router Configuration Guide - IP Routing.
6. Configure multicast.

Data Preparation
To complete the configuration, you need the following data:

- VRRP ID
- IP address of each interface on Routers that back up each other
- Backup ID, which works together with an RBS to identify an RBP to which the user
belongs

Procedure
Step 1 Configure interfaces for connecting Device A and Device B to the LAN switch, and assign IP
addresses to them.

The configuration on Device A is used in this example. The configuration on Device B is
similar to that on Device A.
[~DeviceA] interface GigabitEthernet0/1/3
[*DeviceA-GigabitEthernet0/1/3] description ToJiaohuanji
[*DeviceA-GigabitEthernet0/1/3] undo shutdown
[*DeviceA-GigabitEthernet0/1/3] eth-trunk 3
[*DeviceA-GigabitEthernet0/1/3] commit
[~DeviceA-GigabitEthernet0/1/3] quit
[~DeviceA] interface Eth-Trunk3
[*DeviceA-Eth-Trunk3] description ToJiaohuanji
[*DeviceA-Eth-Trunk3] commit
[~DeviceA-Eth-Trunk3] quit
[~DeviceA] interface Eth-Trunk3.4001
[*DeviceA-Eth-Trunk3.4001] control-vid 4001 dot1q-termination
[*DeviceA-Eth-Trunk3.4001] dot1q termination vid 4001
[*DeviceA-Eth-Trunk3.4001] ip address 192.168.254.2 255.255.255.248
[*DeviceA-Eth-Trunk3.4001] commit
[~DeviceA-Eth-Trunk3.4001] quit

Step 2 Configure IP addresses for loopback interfaces on Device A and Device B.

The configuration on Device A is used in this example. The configuration on Device B is
similar to that on Device A.
[~DeviceA] interface loopback10
[*DeviceA-loopback10] ip address 172.20.1.3 255.255.255.255
[*DeviceA-loopback10] commit
[~DeviceA-loopback10] quit
[~DeviceA] interface loopback0
[*DeviceA-loopback0] ip address 172.20.1.1 255.255.255.255
[*DeviceA-loopback0] commit
[~DeviceA-loopback0] quit

Step 3 Establish a dual-device backup platform. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.


NOTE

In this example, only RUI-related configurations are described. For other configurations, see the
corresponding configuration guide.

# Configure a BFD session on the access side to rapidly detect faults in interfaces or links and
trigger a master/backup VRRP switchover. 192.168.254.3 is the IP address of Eth-Trunk
3.4001 on Device B.
[~DeviceA] bfd
[*DeviceA-bfd] quit
[*DeviceA] bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
[*DeviceA-bfd-session-eth-trunk3-peer] discriminator local 2
[*DeviceA-bfd-session-eth-trunk3-peer] discriminator remote 3
[*DeviceA-bfd-session-eth-trunk3-peer] commit
[~DeviceA-bfd-session-eth-trunk3-peer] quit

# Configure a VRRP backup group on Eth-Trunk 3.4001, and configure the VRRP backup
group to track the BFD session and the network-side interface.
[~DeviceA] interface Eth-Trunk3.4001
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 virtual-ip 192.168.254.1
[*DeviceA-Eth-Trunk3.4001] admin-vrrp vrid 3
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 priority 120
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 preempt-mode timer delay 1200
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 track interface GigabitEthernet0/1/0 reduced 30
[*DeviceA-Eth-Trunk3.4001] vrrp vrid 3 track bfd-session 2 peer
[*DeviceA-Eth-Trunk3.4001] commit
[~DeviceA-Eth-Trunk3.4001] quit

NOTE

Different priorities must be configured for devices in a VRRP backup group. The device with a high
priority is the master device.

# Configure an RBS.
[~DeviceA] remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-srv-rbs_qhmd] peer 172.20.1.2 source 172.20.1.3 port 2046
[*DeviceA-rm-backup-srv-rbs_qhmd] track interface GigabitEthernet0/1/0
[*DeviceA-rm-backup-srv-rbs_qhmd] track interface GigabitEthernet0/2/2
[*DeviceA-rm-backup-srv-rbs_qhmd] commit
[~DeviceA-rm-backup-srv-rbs_qhmd] quit

NOTE

Ensure that the master and backup devices can ping each other.

# Configure an RBP.
[~DeviceA] remote-backup-profile rbp3
[*DeviceA-rm-backup-prf-rbp3] service-type bras
[*DeviceA-rm-backup-prf-rbp3] service-type multicast
[*DeviceA-rm-backup-prf-rbp3] backup-id 3 remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-prf-rbp3] peer-backup hot
[*DeviceA-rm-backup-prf-rbp3] vrrp-id 3 interface Eth-Trunk3.4001
[*DeviceA-rm-backup-prf-rbp3] commit
[~DeviceA-rm-backup-prf-rbp3] quit

Step 4 Configure IP address pool binding. The configuration on Device A is used in this example.
The configuration on Device B is similar to that on Device A, except that the address pool on
Device B is created with the rui-slave keyword, as in the configuration file of Device B in 13.11.3.
# Configure an address pool.
<DeviceA> system-view
[~DeviceA] ip pool dmtjs_xi bas local
[*DeviceA-ip-pool-dmtjs_xi] gateway 192.168.1.1 255.255.255.0
[*DeviceA-ip-pool-dmtjs_xi] section 0 192.168.1.2 192.168.1.254
[*DeviceA-ip-pool-dmtjs_xi] dns-server 192.168.1.1
[*DeviceA-ip-pool-dmtjs_xi] commit
[~DeviceA-ip-pool-dmtjs_xi] quit

# Bind the address pool to the RBS.
[~DeviceA] remote-backup-service rbs_qhmd
[*DeviceA-rm-backup-srv-rbs_qhmd] ip-pool dmtjs_xi
[*DeviceA-rm-backup-srv-rbs_qhmd] commit
[~DeviceA-rm-backup-srv-rbs_qhmd] quit

Step 5 Configure authentication and accounting policies for user access. The configuration on
Device A is used in this example. The configuration on Device B is similar to that on Device
A.
<DeviceA> system-view
[~DeviceA] aaa
[*DeviceA-aaa] authentication-scheme wu
[*DeviceA-aaa-authen-wu] authentication-mode none
[*DeviceA-aaa-authen-wu] commit
[~DeviceA-aaa-authen-wu] quit
[~DeviceA-aaa] accounting-scheme wu
[*DeviceA-aaa-accounting-wu] accounting-mode none
[*DeviceA-aaa-accounting-wu] commit
[~DeviceA-aaa-accounting-wu] quit
[~DeviceA-aaa] domain dmtjs_xi
[*DeviceA-aaa-dmtjs_xi] authentication-scheme wu
[*DeviceA-aaa-dmtjs_xi] accounting-scheme wu
[*DeviceA-aaa-dmtjs_xi] ip-pool dmtjs_xi
[*DeviceA-aaa-dmtjs_xi] commit
[~DeviceA-aaa-dmtjs_xi] quit

Note that authentication-mode none and accounting-mode none admit every user without
credentials and keep no accounting records; they are used here only to keep the example focused
on RUI. In a live deployment, configure the authentication and accounting schemes that the
network actually requires.

Step 6 Bind the RBP to Eth-Trunk 3.501 from which users go online. The configuration on Device A
is used in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface Eth-Trunk3.501
[*DeviceA-Eth-Trunk3.501] user-vlan 501
[*DeviceA-Eth-Trunk3.501-vlan-501-501] remote-backup-profile rbp3
[*DeviceA-Eth-Trunk3.501-vlan-501-501] bas
[*DeviceA-Eth-Trunk3.501-bas] access-type layer2-subscriber default-domain authentication dmtjs_xi
[*DeviceA-Eth-Trunk3.501-bas] multicast copy by-session
[*DeviceA-Eth-Trunk3.501-bas] authentication-method bind
[*DeviceA-Eth-Trunk3.501-bas] commit
[~DeviceA-Eth-Trunk3.501-bas] quit

Step 7 Configure advertisement of address pool routes. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
[~DeviceA] ospf 1
[*DeviceA-ospf-1] import-route unr
[*DeviceA-ospf-1] area 0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.1.1 0.0.0.0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.1.3 0.0.0.0
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.32 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.40 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] network 172.20.0.56 0.0.0.3
[*DeviceA-ospf-1-area-0.0.0.0] commit
[~DeviceA-ospf-1-area-0.0.0.0] quit

Step 8 Configure multicast.

# Enable multicast globally. The configuration on Device A is used in this example. The
configuration on Device B is similar to that on Device A.
[~DeviceA] multicast routing-enable
[*DeviceA] commit

# Enable PIM on the network-side interfaces. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface GigabitEthernet0/1/0
[*DeviceA-GigabitEthernet0/1/0] undo shutdown
[*DeviceA-GigabitEthernet0/1/0] ip address 172.20.0.33 255.255.255.252
[*DeviceA-GigabitEthernet0/1/0] pim sm
[*DeviceA-GigabitEthernet0/1/0] commit
[~DeviceA-GigabitEthernet0/1/0] quit
[~DeviceA] interface GigabitEthernet0/2/2
[*DeviceA-GigabitEthernet0/2/2] undo shutdown
[*DeviceA-GigabitEthernet0/2/2] ip address 172.20.0.57 255.255.255.252
[*DeviceA-GigabitEthernet0/2/2] pim sm
[*DeviceA-GigabitEthernet0/2/2] commit
[~DeviceA-GigabitEthernet0/2/2] quit

# Enable IGMP and PIM on the access-side interface. The configuration on Device A is used
in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface Eth-Trunk3.501
[*DeviceA-Eth-Trunk3.501] pim sm
[*DeviceA-Eth-Trunk3.501] igmp enable
[*DeviceA-Eth-Trunk3.501] commit
[~DeviceA-Eth-Trunk3.501] quit

# Configure an RP.
[~DeviceA] pim
[*DeviceA-pim] static-rp 192.168.2.2
[*DeviceA-pim] commit

Step 9 Verify the configuration.

After completing the configurations, run the display vrrp command on Device A and Device
B to view the master/backup VRRP status. Device A is in the Master state and the BFD
session is UP. Device B is in the Backup state.
<DeviceA> display vrrp
Eth-Trunk3.4001 | Virtual Router 3
State : Master
Virtual IP : 192.168.254.1
Master IP : 192.168.254.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual Mac : 0000-5e00-0103
Check TTL : YES
Config type : admin-vrrp
Track IF : GigabitEthernet0/1/0 Priority reduced : 30
IF State : UP
Config track link-bfd down-number : 0
Track BFD : 2 Type: peer
BFD-session state : UP
Create time : 2016-05-05 09:05:17
Last change time : 2016-05-05 09:14:38
<DeviceB> display vrrp
Eth-Trunk3.4001 | Virtual Router 3
State : Backup
Virtual IP : 192.168.254.1
Master IP : 192.168.254.3
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 1200
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Track IF : Eth-Trunk3.4001 Priority reduced : 30
IF State : UP
Config track link-bfd down-number : 0
Track BFD : 2 Type: peer
BFD-session state : UP
Create time : 2016-05-05 09:11:48
Last change time : 2016-05-05 09:11:54

After successfully configuring multicast RUI, run the display remote-backup-profile
command on Device A and Device B. The RBS type is bras multicast; dhcp-stb igmp-copy
enable is displayed; Device A is in the Master state; Device B is in the Slave state.
<DeviceA> display remote-backup-profile rbp3
-----------------------------------------------
Profile-Index : 0x801
Profile-Name : rbp3
Service : bras multicast
Remote-backup-service: rbs_qhmd
Backup-ID : 3
track protocol : VRRP
VRRP-ID : 3
VRRP-Interface : Eth-Trunk3.4001
Interface :
Eth-Trunk3.501
State : Master
Peer State : slave
Backup mode : hot
Slot-Number : 2
Card-Number : 1
Port-Number : 0
Traffic threshold : 50(MB)
Traffic interval : 10(minutes)
dhcp-stb igmp-copy enable
<DeviceB> display remote-backup-profile rbp3
-----------------------------------------------
Profile-Index : 0x800
Profile-Name : rbp3
Service : bras multicast
Remote-backup-service: rbs_qhmd
Backup-ID : 3
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : Eth-Trunk3.4001
Interface :
Eth-Trunk3.501
State : Slave
Peer State : master
Backup mode : hot
Slot-Number : 2
Card-Number : 0
Port-Number : 0
Traffic threshold : 50(MB)
Traffic interval : 10(minutes)
dhcp-stb igmp-copy enable

----End

Configuration Files
l Device A configuration file
#
sysname DeviceA
#
router id 172.20.1.3
#
vlan batch 2 to 9 11 to 504 506 to 3999 4001 to 4094
#
#
multicast routing-enable
#
pim
static-rp 192.168.2.2
#
bfd
#
ip pool pool1 bas local
gateway 192.168.1.1 255.255.255.0
section 0 192.168.1.2 192.168.1.254
dns-server 192.168.1.1
#
aaa
authentication-scheme wu
authentication-mode none
accounting-scheme wu
accounting-mode none
domain dmtjs_xi
authentication-scheme wu
authentication-scheme wu
ip-pool dmtjs_xi
#
bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
discriminator local 2
discriminator remote 3
#
interface GigabitEthernet0/1/3
description ToJiaohuanji
undo shutdown
eth-trunk 3
interface Eth-Trunk3.4001
encapsulation 4001 dot1q-termination
dot1q termination vid 4001
ip address 192.168.254.2 255.255.255.248
vrrp vrid 3 virtual-ip 192.168.254.1
admin-vrrp vrid 3
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 1200
vrrp vrid 3 track bfd-session 2 peer
vrrp vrid 3 track interface GigabitEthernet0/1/0 reduced 30
#
interface LoopBack0
ip address 172.20.1.1 255.255.255.255
#
interface LoopBack10
ip address 172.20.1.3 255.255.255.255
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 172.20.0.33 255.255.255.252
pim sm
#
interface GigabitEthernet0/2/2
undo shutdown
ip address 172.20.0.57 255.255.255.252
pim sm
#
remote-backup-service rbs_qhmd
peer 172.20.1.2 source 172.20.1.3 port 2046
track interface gigabitethernet 0/1/0
track interface gigabitethernet 0/2/2
ip-pool dmtjs_xi
#
remote-backup-profile rbp3
service-type bras
service-type multicast
backup-id 3 remote-backup-service rbs_qhmd
peer-backup hot
vrrp-id 3 interface Eth-Trunk3.4001
#
interface Eth-Trunk3.501
user-vlan 501
remote-backup-profile rbp3
pim sm
igmp enable
bas
access-type layer2-subscriber default-domain authentication dmtjs_xi
authentication-method bind
#
#
ospf 1
import-route unr
area 0.0.0.0
network 172.20.0.32 0.0.0.3
network 172.20.0.56 0.0.0.3
network 172.20.0.40 0.0.0.3
network 172.20.1.1 0.0.0.0
network 172.20.1.3 0.0.0.0
#
return
l Device B configuration file
#
sysname DeviceB
#
router id 172.20.1.2
#
vlan batch 2 to 9 11 to 504 506 to 3999 4001 to 4094
#
#
multicast routing-enable
#
pim
static-rp 192.168.2.2
#
bfd
#
ip pool pool1 bas local rui-slave
gateway 192.168.1.1 255.255.255.0
section 0 192.168.1.2 192.168.1.254
dns-server 192.168.1.1
#
aaa
authentication-scheme wu
authentication-mode none
accounting-scheme wu
accounting-mode none
domain dmtjs_xi
authentication-scheme wu
authentication-scheme wu
ip-pool dmtjs_xi
#
bfd eth-trunk3-peer bind peer-ip 192.168.254.2 source-ip 192.168.254.3
discriminator local 3
discriminator remote 2
#
interface GigabitEthernet0/1/3
description ToJiaohuanji
undo shutdown
eth-trunk 3
interface Eth-Trunk3.4001
encapsulation 4001 dot1q-termination
dot1q termination vid 4001
ip address 192.168.254.3 255.255.255.248
vrrp vrid 3 virtual-ip 192.168.254.1
admin-vrrp vrid 3
vrrp vrid 3 track bfd-session 3 peer
#
interface LoopBack0
ip address 172.20.1.1 255.255.255.255
#
interface LoopBack10
ip address 172.20.1.2 255.255.255.255
#
interface GigabitEthernet0/1/0
undo shutdown
ip address 172.20.0.34 255.255.255.252
pim sm
#
interface GigabitEthernet0/2/2
undo shutdown
ip address 172.20.0.58 255.255.255.252
pim sm
#
remote-backup-service rbs_qhmd
peer 172.20.1.3 source 172.20.1.2 port 2046
track interface gigabitethernet 0/1/0
track interface gigabitethernet 0/2/2
#
remote-backup-profile rbp3
service-type bras
service-type multicast
backup-id 3 remote-backup-service rbs_qhmd
peer-backup hot
vrrp-id 3 interface Eth-Trunk3.4001
#
interface Eth-Trunk3.501
user-vlan 501
remote-backup-profile rbp3
pim sm
igmp enable
bas
access-type layer2-subscriber default-domain authentication dmtjs_xi
multicast copy by-session
authentication-method bind
#
#
ospf 1
import-route unr
area 0.0.0.0
network 172.20.0.32 0.0.0.3
network 172.20.0.56 0.0.0.3
network 172.20.0.40 0.0.0.3
network 172.20.1.2 0.0.0.0
network 172.20.1.3 0.0.0.0
#
return
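The two configuration files above only work as a pair when they mirror each other: the BFD local and remote discriminators are swapped between the devices, the RBS peer and source addresses are swapped, and the RBP backup-id, service types, backup mode and VRID are identical. The following Python script is an added example, not Huawei's code or tool, that parses exactly these settings out of two VRP configuration files and reports anything that does not mirror; the sample files are constructed from the Device A and Device B files above, and the same check applies to the BRAS1/BRAS2 and LAC1/LAC2 files later in this chapter.

```python
"""Mirror check for the two configuration files of a hot backup pair.

Added example (not Huawei's code or tool): parses the backup-relevant subset
of two VRP configuration files (BFD discriminators, RBS peer/source/port, RBP
backup-id/service types/backup mode/VRID) and lists every setting that does
not mirror its counterpart on the other device.
"""
import re


def parse_config(text):
    """Return {'bfd': {...}, 'rbs': {...}, 'rbp': {...}} for one configuration file."""
    cfg = {"bfd": {}, "rbs": {}, "rbp": {}}
    ctx = None  # (section kind, section name) of the nearest unindented command
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s == "#":  # '#' closes the current section
            ctx = None
            continue
        if not raw.startswith(" "):  # unindented: a section-opening command
            if m := re.match(r"bfd (\S+) bind peer-ip", s):
                ctx, cfg["bfd"][m[1]] = ("bfd", m[1]), {}
            elif m := re.match(r"remote-backup-service (\S+)", s):
                ctx, cfg["rbs"][m[1]] = ("rbs", m[1]), {}
            elif m := re.match(r"remote-backup-profile (\S+)", s):
                ctx, cfg["rbp"][m[1]] = ("rbp", m[1]), {"services": set()}
            else:
                ctx = None  # interfaces, aaa, ospf, ... are not checked here
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "bfd" and (m := re.match(r"discriminator (local|remote) (\d+)", s)):
            cfg["bfd"][name][m[1]] = int(m[2])
        elif kind == "rbs" and (m := re.match(r"peer (\S+) source (\S+) port (\d+)", s)):
            cfg["rbs"][name].update(peer=m[1], source=m[2], port=int(m[3]))
        elif kind == "rbp":
            p = cfg["rbp"][name]
            if m := re.match(r"service-type (\S+)", s):
                p["services"].add(m[1])
            elif m := re.match(r"backup-id (\d+) remote-backup-service (\S+)", s):
                p.update(backup_id=int(m[1]), rbs=m[2])
            elif m := re.match(r"peer-backup (\S+)", s):
                p["mode"] = m[1]
            elif m := re.match(r"vrrp-id (\d+) interface", s):
                p["vrid"] = int(m[1])
    return cfg


def check_pair(a, b):
    """Return the mismatches between two parsed configurations (empty list = consistent)."""
    out = []
    # BFD: each (local, remote) discriminator pair on A must appear reversed on B.
    mirrored = {(s.get("remote"), s.get("local")) for s in b["bfd"].values()}
    for name, s in a["bfd"].items():
        if (s.get("local"), s.get("remote")) not in mirrored:
            out.append(f"bfd {name}: discriminators not mirrored on the peer")
    # RBS: same name on both devices, peer/source swapped, same TCP port.
    for name, s in a["rbs"].items():
        t = b["rbs"].get(name, {})
        if (s.get("peer"), s.get("source")) != (t.get("source"), t.get("peer")):
            out.append(f"rbs {name}: peer/source addresses not mirrored")
        elif s.get("port") != t.get("port"):
            out.append(f"rbs {name}: port {s.get('port')} != {t.get('port')}")
    # RBP: matched by backup-id; service types, VRID, backup mode and RBS must agree.
    by_id = {p.get("backup_id"): p for p in b["rbp"].values()}
    for name, p in a["rbp"].items():
        q = by_id.get(p.get("backup_id"))
        if q is None:
            out.append(f"rbp {name}: no peer profile with backup-id {p.get('backup_id')}")
            continue
        for key in ("services", "vrid", "mode", "rbs"):
            if p.get(key) != q.get(key):
                out.append(f"rbp {name}: {key} differs ({p.get(key)} vs {q.get(key)})")
    return out


# Constructed sample, abridged from the Device A configuration file above.
DEVICE_A = """\
bfd eth-trunk3-peer bind peer-ip 192.168.254.3 source-ip 192.168.254.2
 discriminator local 2
 discriminator remote 3
#
remote-backup-service rbs_qhmd
 peer 172.20.1.2 source 172.20.1.3 port 2046
#
remote-backup-profile rbp3
 service-type bras
 service-type multicast
 backup-id 3 remote-backup-service rbs_qhmd
 peer-backup hot
 vrrp-id 3 interface Eth-Trunk3.4001
"""
# Device B is the mirror image: peer/source and local/remote are swapped.
DEVICE_B = (DEVICE_A
            .replace("peer-ip 192.168.254.3 source-ip 192.168.254.2", "peer-ip 192.168.254.2 source-ip 192.168.254.3")
            .replace("local 2\n discriminator remote 3", "local 3\n discriminator remote 2")
            .replace("peer 172.20.1.2 source 172.20.1.3", "peer 172.20.1.3 source 172.20.1.2"))
```

Run `check_pair(parse_config(DEVICE_A), parse_config(DEVICE_B))` on the two files pulled from the devices; an empty list means the pair mirrors correctly.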

13.11.5 Example for Configuring IPv6 Dual-Device Hot Backup


This section provides an example for configuring IPv6 dual-device hot backup. The example
provides the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
Due to IPv4 address depletion, carriers are deploying IPv6. To let services that currently
rely on IPv4 hot backup evolve smoothly to IPv6, and to protect both IPv4 and IPv6 services,
IPv6 dual-device hot backup must be deployed.

Figure 13-5 IPv6 dual-device hot backup

NOTE

Interface 1 and interface 2 in this example are GE 0/2/0, GE 0/2/1, respectively.

(Figure: BRAS 1 and BRAS 2 run VRRP between them; each connects to SW1 on interface1 and on interface2 to the IP core, through which the DHCP and AAA servers are reached.)

Device Name  Interface Name  IP Address
BRAS1        GE0/2/1.1       10.1.1.1/24 (on a VRRP-enabled interface)
BRAS1        GE 0/2/1.333    From which users get online
BRAS1        Loopback1       10.1.2.1/32 (on the RBS interface of BRAS1)
BRAS2        GE 0/2/1.1      10.1.1.2/24 (on a VRRP-enabled interface)
BRAS2        GE 0/2/1.332    From which users get online
BRAS2        Loopback1       10.1.2.2/32 (on the RBS interface of BRAS2)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure routes to implement IP connectivity between devices and PBR on both
BRASs. For details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - IP Routing.
2. Configure basic user access functions and ensure that the two devices have the same
configuration. For details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access.
3. Establish a multi-device backup platform. Configure an RBS on the network side of the
master and backup BRASs (BRAS1 and BRAS2). BRAS1 is the master Router and
BRAS2 is the backup Router.
4. Configure a VRRP backup group on the access side of two Routers (BRAS1 and
BRAS2) to determine the master and backup status. Create a BFD session, and configure
the VRRP backup group to track the BFD session.
5. Configure an RBP for backing up BRAS user information and multicast services.
6. Bind an RBP to an interface from which users get online.
NOTE

The configuration on BRAS2 is similar to the configuration on BRAS1. The configuration procedure on
BRAS1 is used in this example. For details about configurations on BRAS2, see the Configuration Files.

Data Preparation
To complete the configuration, you need the following data:
l VRRP parameters, such as a VRID and a preemption delay
l BFD parameters, such as the local and remote discriminators and expected minimum
interval at which BFD Control packets are sent and received
l IP address of each interface on BRAS1 and BRAS2
l Backup ID, which works together with an RBS to identify an RBP to which users belong
l User access parameters

Procedure
Step 1 Configure user access functions.
For the configuration procedure, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access.
Step 2 Configure a VRRP backup group on the access side of two Routers (BRAS1 and BRAS2) to
determine the master and backup status. Create a BFD session and configure the VRRP
backup group to track the BFD session.
# Configure a BFD session on the access side to rapidly detect faults in interfaces or links and
trigger a master/backup VRRP switchover.
[~BRAS1] bfd
[*BRAS1] quit
[*BRAS1] bfd bfd1 bind peer-ip 10.1.1.2
[*BRAS1-bfd-session-bfd1] discriminator local 8
[*BRAS1-bfd-session-bfd1] discriminator remote 6
[*BRAS1-bfd-session-bfd1] commit
[~BRAS1-bfd-session-bfd1] quit

# Create a VRRP backup group on GE 3/1/10.1, and configure the VRRP backup group to
track the BFD session and a network-side interface.
[~BRAS1] interface GigabitEthernet 0/2/1.1
[*BRAS1-GigabitEthernet0/2/1.1] vlan-type dot1q 200
[*BRAS1-GigabitEthernet0/2/1.1] ip address 10.1.1.1 255.255.255.0
[*BRAS1-GigabitEthernet0/2/1.1] vrrp vrid 1 virtual-ip 10.1.1.100
[*BRAS1-GigabitEthernet0/2/1.1] admin-vrrp vrid 1
[*BRAS1-GigabitEthernet0/2/1.1] vrrp vrid 1 priority 180
[*BRAS1-GigabitEthernet0/2/1.1] vrrp vrid 1 preempt-mode timer delay 60
[*BRAS1-GigabitEthernet0/2/1.1] vrrp vrid 1 track interface GigabitEthernet 0/2/0 reduced 50
[*BRAS1-GigabitEthernet0/2/1.1] vrrp vrid 1 track bfd-session 8 peer
[*BRAS1-GigabitEthernet0/2/1.1] commit
[~BRAS1-GigabitEthernet0/2/1.1] quit

Step 3 Configure an RBS and an RBP.

# Configure an IP address for an RBS.
[~BRAS1] interface loopback1
[*BRAS1-loopback1] ip address 10.1.2.1 32
[*BRAS1-loopback1] commit
[~BRAS1-loopback1] quit

# Configure an RBS.
[~BRAS1] remote-backup-service rui
[*BRAS1-rm-backup-srv-rui] peer 10.1.2.2 source 10.1.2.1 port 6001
[*BRAS1-rm-backup-srv-rui] track interface GigabitEthernet0/2/0
[*BRAS1-rm-backup-srv-rui] commit
[~BRAS1-rm-backup-srv-rui] quit

# Configure an RBP.
[~BRAS1] remote-backup-profile p1
[*BRAS1-rm-backup-prf-p1] service-type bras
[*BRAS1-rm-backup-prf-p1] backup-id 101 remote-backup-service rui
[*BRAS1-rm-backup-prf-p1] peer-backup hot
[*BRAS1-rm-backup-prf-p1] vrrp-id 1 interface gigabitethernet 0/2/1.1
[*BRAS1-rm-backup-prf-p1] commit
[~BRAS1-rm-backup-prf-p1] quit

# Bind the RBP to the interface from which users get online.
[~BRAS1] interface gigabitethernet 0/2/1.333
[*BRAS1-GigabitEthernet0/2/1.333] remote-backup-profile p1
[*BRAS1-GigabitEthernet0/2/1.333] commit
[~BRAS1-GigabitEthernet0/2/1.333] quit

Step 4 Create a protection channel between the master and backup BRASs.
[~BRAS1] remote-backup-service rui
[*BRAS1-rm-backup-srv-rui] protect lsp-tunnel for-all-instance peer-ip 10.1.2.2
[*BRAS1-rm-backup-srv-rui] commit
[~BRAS1-rm-backup-srv-rui] quit

Step 5 Verify the configuration.


After completing the configurations, run the display remote-backup-profile command on a
device to view the master and backup VRRP status. BRAS1 is in the Master state, and
BRAS2 is in the Backup state.
<BRAS1> display remote-backup-profile p1

-----------------------------------------------
Profile-Index : 0x1000
Profile-Name : p1
Service: bras
Remote-backup-service : rui
Backup-ID : 101
track protocol : VRRP
VRRP-ID: 1
VRRP-Interface : Gigabitethernet 0/2/1.1
Access-conctrol: --
State : Master
Peer State : Slave
Interface:
GigabitEthernet0/2/1.333
Backup mode : hot
Slot-Number : 3
Card-Number : 1
Port-Number : 10
Traffic threshold : 50(MB)
Traffic interval : 10(minutes)
<BRAS2> display remote-backup-profile p2

-----------------------------------------------
Profile-Index : 0x1001
Profile-Name : p2
Service: bras
Remote-backup-service : rui
Backup-ID : 101
track protocol : VRRP
VRRP-ID: 1
VRRP-Interface : Gigabitethernet 0/2/1.1
Access-conctrol: --
State : Slave
Peer State : Master
Interface:
GigabitEthernet0/2/1.332
Backup mode : hot
Slot-Number : 1
Card-Number : 0
Port-Number : 10
Traffic threshold : 50(MB)
Traffic interval : 10(minutes)

----End

Configuration Files
l BRAS1 configuration file
#
sysname BRAS1
#
ipv6
#
bfd
#
mpls
#
mpls ldp
#
ipv6 prefix prefix1 local
prefix 2013::/64
#
ipv6 pool pool1 bas local
prefix prefix1
#
aaa
domain huawei
authentication-scheme default0
accounting-scheme default0
ipv6-pool pool1
#
remote-backup-service rui
peer 10.1.2.2 source 10.1.2.1 port 6001
protect lsp-tunnel for-all-instance peer-ip 10.1.2.2
track interface GigabitEthernet0/2/0
ipv6-pool pool1
#
remote-backup-profile p1
service-type bras
backup-id 101 remote-backup-service rui
peer-backup hot
vrrp-id 1 interface GigabitEthernet0/2/1.1
#
interface GigabitEthernet0/2/1.1
vlan-type dot1q 1
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 180
vrrp vrid 1 preempt-mode timer delay 60
vrrp vrid 1 track interface GigabitEthernet0/2/0 reduced 50
vrrp vrid 1 track bfd-session session-name bfd1 peer
#
interface GigabitEthernet0/2/1.333
ipv6 enable
ipv6 address auto link-local
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
user-vlan 2
remote-backup-profile p1
bas
access-type layer2-subscriber default-domain authentication huawei
authentication-method-ipv6 bind
#
interface LoopBack1
ip address 10.1.2.1 255.255.255.255
#
bfd bfd1 bind peer-ip 10.1.1.2
discriminator local 8
discriminator remote 6
commit
#
ospf 1
import-route direct
area 0.0.0.0
network 10.1.2.1 0.0.0.0
#
return
l BRAS2 configuration file
#
sysname BRAS2
#
ipv6
#
bfd
#
mpls
#
mpls ldp
#
ipv6 prefix prefix1 local
prefix 2013::/64
#
ipv6 pool pool1 bas local
prefix prefix1
#
aaa
domain huawei
authentication-scheme default0
accounting-scheme default0
ipv6-pool pool1
#
remote-backup-service rui
peer 10.1.2.1 source 10.1.2.2 port 6001
protect lsp-tunnel for-all-instance peer-ip 10.1.2.1
track interface GigabitEthernet0/2/0
#
remote-backup-profile p2
service-type bras
backup-id 101 remote-backup-service rui
peer-backup hot
vrrp-id 1 interface GigabitEthernet0/2/1.1
#
interface GigabitEthernet0/2/1.1
vlan-type dot1q 1
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 150
vrrp vrid 1 track interface GigabitEthernet0/2/0 reduced 50
vrrp vrid 1 track bfd-session session-name bfd1 peer
#
interface GigabitEthernet 0/2/1.332
ipv6 enable
ipv6 address auto link-local
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
user-vlan 2
remote-backup-profile p2
bas
access-type layer2-subscriber default-domain authentication huawei
authentication-method-ipv6 bind
#
interface LoopBack1
ip address 10.1.2.2 255.255.255.255
#
bfd bfd2 bind peer-ip 10.1.2.1
discriminator local 6
discriminator remote 8
commit
#
ospf 1
import-route direct
area 0.0.0.0
network 10.1.2.2 0.0.0.0
#
return

13.11.6 Example for Configuring L2TP Two-Node Hot Backup


This section provides an example for configuring L2TP two-node hot backup, including
networking requirements, configuration roadmap, configuration procedure, and configuration
files.

Networking Requirements
L2TP tunnels can be used to provide enterprise user access services and wholesale services.
Because these are major services that operators provide, with high user experience
requirements, L2TP tunnels must be highly reliable. L2TP two-node hot backup, in addition
to BRAS user information backup, is therefore required on the master and slave Routers.
On the network shown in Figure 13-6, users access LAC1 and LAC2 through a LAN switch
(LSW). The two LACs run VRRP to determine their master and backup status, and both are
configured so that users get online through the master LAC. Each LAC sets up an L2TP
tunnel with the LNS. L2TP two-node hot backup is configured on LAC1 and LAC2 so that, if a
fault occurs on the access or network side, user services are rapidly restored without users
having to re-dial.

Figure 13-6 L2TP two-node hot backup


NOTE

Interface 1 and interface 2 in this example are GE 0/1/0, GE 0/2/0, respectively.

(Figure: users reach LAC1 and LAC2 through a switch; the two LACs run VRRP+BFD on interface1 (10.0.1.1/24 on LAC1, 10.0.1.2/24 on LAC2) and each sets up an L2TP tunnel from interface2 (10.0.2.1/24 on LAC1, 10.0.3.1/24 on LAC2) across the Internet to the LNS; a backup channel and a protection tunnel are shown between the two LACs, and each LAC also shows a Loopback interface.)

Device Name  Interface Name  IP Address
LAC1         GE0/1/0.2       10.0.1.1/24 (IP address of the interface running VRRP)
LAC1         GE0/2/0         10.0.2.1/24
LAC1         Loopback1       7.7.7.7/32 (source IP address for LAC1 to establish a tunnel)
LAC1         Loopback2       8.8.8.8/32 (source IP address for LAC2 to establish a tunnel)
LAC1         Loopback3       10.0.0.1/32 (IP address of the data backup channel between LACs)
LAC2         GE0/1/0.2       10.0.1.2/24 (IP address of the interface running VRRP)
LAC2         GE0/2/0         10.0.3.1/24
LAC2         Loopback1       7.7.7.7/32 (source IP address for LAC1 to establish a tunnel)
LAC2         Loopback2       8.8.8.8/32 (source IP address for LAC2 to establish a tunnel)
LAC2         Loopback3       10.0.0.2/32 (IP address of the data backup channel between LACs)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure routes to ensure IP connectivity between devices, then configure the route
policy on LAC1 and LAC2. For details, see HUAWEI NE40E-M2 Series Universal
Service Router Configuration Guide - IP Routing.
2. Configure basic user access functions and ensure that the two LACs have the same
configuration. For details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access.
3. Each LAC sets up an L2TP tunnel with the LNS.
4. Establish a multi-node backup platform. Configure an RBS on the network side of the
master and backup Routers (LAC1 and LAC2). LAC1 is the master and LAC2 is the
backup.
5. Configure a VRRP backup group on the access side of two Routers (LAC1 and LAC2)
to determine the master and backup status. Create a BFD session, and configure the
VRRP backup group to track the BFD session.
6. Configure an RBP for backing up BRAS user information and L2TP services, and enable
remote backup service for BRAS user information and L2TP services.
7. Bind an RBP to an interface from which users get online.


NOTE

The configuration on LAC2 is similar to the configuration on LAC1. The configuration procedure on
LAC1 is used in this example. For details about configurations on LAC2, see the configuration file of
LAC2.

Data Preparation
To complete the configuration, you need the following data:
l VRRP parameters such as a VRID and a preemption delay
l BFD parameters such as the local and remote discriminators and expected minimum
interval at which BFD Control packets are sent and received
l IP address of each interface on LAC1 and LAC2
l Backup ID, which works together with an RBS to identify an RBP to which users belong
l User access parameters
l L2TP group parameters such as an authentication password and an interval at which
Hello packets are sent

Procedure
Step 1 Assign an IP address to each loopback interface and configure a VT interface and a BAS
interface.
<Device> system-view
[Device] sysname LAC1

# Assign an IP address to a loopback interface directly connecting LAC1 to the LNS so that
the route to the loopback interface can be advertised.
[LAC1] interface loopback1
[LAC1-loopback1] ip address 7.7.7.7 32
[LAC1-loopback1] quit

# Assign an IP address to a loopback interface directly connecting LAC1 to LAC2 so that
the route to the loopback interface can be advertised.
[LAC1] interface loopback2
[LAC1-loopback2] ip address 8.8.8.8 32
[LAC1-loopback2] quit

# Configure VT interface 1.
[LAC1] interface virtual-template 1
[LAC1-Virtual-Template1] ppp authentication-mode chap
[LAC1-Virtual-Template1] quit

# Bind VT interface 1 to GE 1/0/0.1 and configure a user VLAN.
[LAC1] interface gigabitethernet 0/1/0.1
[LAC1-GigabitEthernet0/1/0.1] pppoe-server bind virtual-template 1
[LAC1-GigabitEthernet0/1/0.1] user-vlan 1 100
[LAC1-GigabitEthernet0/1/0.1-vlan-1-100] quit

# Configure a BAS interface.
[LAC1-GigabitEthernet0/1/0.1] bas
[LAC1-GigabitEthernet0/1/0.1-bas] access-type layer2-subscriber
[LAC1-GigabitEthernet0/1/0.1-bas] authentication-method ppp
[LAC1-GigabitEthernet0/1/0.1-bas] access-delay 500 even-mac
[LAC1-GigabitEthernet0/1/0.1-bas] quit
[LAC1-GigabitEthernet0/1/0.1] quit

Step 2 Set up an L2TP tunnel between LAC1 and the LNS.

NOTE

In the two-node hot backup scenario, run the set l2tp tunnel base-id base-id command on one of
the LACs to set the base value from which that LAC allocates L2TP tunnel IDs. The other LAC uses
the default base value of 0. This helps ensure that each tunnel ID is unique on a single Router.

# Assign an IP address to a loopback interface directly connecting LAC1 to the LNS so that
the route to the loopback interface can be advertised.
[LAC1] interface gigabitethernet 0/2/0
[LAC1-GigabitEthernet0/2/0] ip address 10.0.2.1 255.255.255.0
[LAC1-GigabitEthernet0/2/0] quit

# Configure an L2TP group and its attributes.
[LAC1] l2tp enable
[LAC1] l2tp-group lac1
[LAC1-l2tp-lac1] tunnel name lac1
[LAC1-l2tp-lac1] start l2tp ip 3.3.3.3
[LAC1-l2tp-lac1] tunnel authentication
[LAC1-l2tp-lac1] tunnel password simple Huawei-123
[LAC1-l2tp-lac1] tunnel source loopback1 rui
[LAC1-l2tp-lac1] tunnel timer hello 200
[LAC1-l2tp-lac1] quit

# Configure a RADIUS server.
[LAC1] radius-server group radius1
[LAC1-radius-radius1] radius-server authentication 20.20.20.1 1812
[LAC1-radius-radius1] radius-server accounting 20.20.20.1 1813
[LAC1-radius-radius1] radius-server shared-key itellin
[LAC1-radius-radius1] quit

# Configure a domain to which users belong.
[LAC1] aaa
[LAC1-aaa] domain domain1
[LAC1-aaa-domain-domain1] l2tp-group lac1
[LAC1-aaa-domain-domain1] radius-server group radius1
[LAC1-aaa-domain-domain1] authentication-scheme default1
[LAC1-aaa-domain-domain1] accounting-scheme default1
[LAC1-aaa-domain-domain1] quit
[LAC1-aaa] quit

Step 3 Configure a VRRP backup group on the access side of two Routers (LAC1 and LAC2) to
determine the master and backup status. Create a BFD session, and configure the VRRP
backup group to track the BFD session.

# Configure a VRRP link BFD session to rapidly detect faults in interfaces or links and trigger
a master/backup VRRP switchover.
[LAC1] bfd bfd-acc bind peer-ip 10.0.1.2
[LAC1-bfd-session-bfd-acc] discriminator local 1
[LAC1-bfd-session-bfd-acc] discriminator remote 1
[LAC1-bfd-session-bfd-acc] commit
[LAC1-bfd-session-bfd-acc] quit

# Configure a VRRP peer BFD session to rapidly detect network-side faults.
[LAC1] bfd bfd-net bind peer-ip 10.0.0.2
[LAC1-bfd-session-bfd-net] discriminator local 3
[LAC1-bfd-session-bfd-net] discriminator remote 3
[LAC1-bfd-session-bfd-net] commit
[LAC1-bfd-session-bfd-net] quit

# Configure a VRRP backup group on GE 1/0/0.2, and configure the VRRP backup group to
track the BFD session and a network-side interface. Enable the original master VRRP device
to preempt the Master state after 30 minutes.
[LAC1] interface gigabitethernet 0/1/0.2
[LAC1-GigabitEthernet0/1/0.2] vlan-type dot1q 200
[LAC1-GigabitEthernet0/1/0.2] ip address 10.0.1.1 255.255.255.0
[LAC1-GigabitEthernet0/1/0.2] vrrp vrid 1 virtual-ip 10.0.1.100
[LAC1-GigabitEthernet0/1/0.2] admin-vrrp vrid 1
[LAC1-GigabitEthernet0/1/0.2] vrrp vrid 1 priority 120
[LAC1-GigabitEthernet0/1/0.2] vrrp vrid 1 preempt-mode timer delay 1800
[LAC1-GigabitEthernet0/1/0.2] vrrp vrid 1 track bfd-session 1 link
[LAC1-GigabitEthernet0/1/0.2] vrrp vrid 1 track bfd-session 3 peer
[LAC1-GigabitEthernet0/1/0.2] vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
[LAC1-GigabitEthernet0/1/0.2] quit

Step 4 Configure an RBS and an RBP.
# Configure an IP address for an RBS.
[LAC1] interface loopback3
[LAC1-loopback3] ip address 10.0.0.1 32
[LAC1-loopback3] quit

# Configure an RBS.
[LAC1] remote-backup-service s1
[LAC1-rm-backup-srv-s1] peer 10.0.0.2 source 10.0.0.1 port 4500
[LAC1-rm-backup-srv-s1] quit

# Configure an RBP for backing up BRAS user information and L2TP services.
[LAC1] remote-backup-profile p1
[LAC1-rm-backup-prf-p1] peer-backup hot
[LAC1-rm-backup-prf-p1] vrrp-id 1 interface gigabitethernet 0/1/0.2
[LAC1-rm-backup-prf-p1] backup-id 10 remote-backup-service s1
[LAC1-rm-backup-prf-p1] service-type bras
[LAC1-rm-backup-prf-p1] service-type l2tp
[LAC1-rm-backup-prf-p1] quit

# Bind the RBP to the interface from which users get online.
[LAC1] interface gigabitethernet 0/1/0.1
[LAC1-GigabitEthernet0/1/0.1] remote-backup-profile p1
[LAC1-GigabitEthernet0/1/0.1] quit

Step 5 Configure a policy to filter OSPF routes to be advertised.

# Configure a policy to filter OSPF routes to be advertised on Device LAC1.
[LAC1] ospf 1
[LAC1-ospf-1] preference 100
[LAC1-ospf-1] default cost inherit-metric
[LAC1-ospf-1] import-route direct
[LAC1-ospf-1] area 0.0.0.0
[LAC1-ospf-1-area-0.0.0.0] network 10.0.0.0 0.0.0.255
[LAC1-ospf-1-area-0.0.0.0] network 10.0.2.0 0.0.0.255
[LAC1-ospf-1-area-0.0.0.0] network 10.0.3.0 0.0.0.255

# Configure a policy to filter OSPF routes to be advertised on Device LAC2.
[LAC2] ospf 1
[LAC2-ospf-1] default cost inherit-metric
[LAC2-ospf-1] import-route direct
[LAC2-ospf-1] preference 100
[LAC2-ospf-1] area 0.0.0.0
[LAC2-ospf-1-area-0.0.0.0] network 10.0.0.0 0.0.0.255
[LAC2-ospf-1-area-0.0.0.0] network 10.0.2.0 0.0.0.255
[LAC2-ospf-1-area-0.0.0.0] network 10.0.3.0 0.0.0.255

Step 6 Verify the configuration.


After completing the configurations, run the display vrrp command on each LAC to view the
master and backup VRRP status. LAC1 is in the Master state; its BFD session is UP; the
preemption delay is 300. LAC2 is in the Backup state.
<lac1> display vrrp
Eth-Trunk1.2 | Virtual Router 1
State : Master
Virtual IP : 10.0.1.100
Master IP : 10.0.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800
TimerRun : 5 s
TimerConfig : 5 s
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Track IF : GigabitEthernet0/2/0 Priority reduced : 100
IF State : UP
Config track link-bfd down-number : 0
Track BFD : 1 type: link
BFD-session state : UP
Track BFD : 3 type: peer
BFD-session state : UP
Create time : 2000-05-11 17:38:16
Last change time : 2000-05-13 12:58:20
<lac2> display vrrp
Eth-Trunk1.2 | Virtual Router 1
State : Backup
Virtual IP : 10.0.1.100
Master IP : 10.0.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0
TimerRun : 5 s
TimerConfig : 5 s
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Config track link-bfd down-number : 0
Track BFD : 1 type: link
BFD-session state : UP
Track BFD : 3 type: peer
BFD-session state : UP
Create time : 2011-08-02 16:13:43
Last change time : 2011-08-04 12:01:58

After successfully configuring L2TP two-node hot backup, run the display remote-backup-
profile command on each LAC. The RBS type is bras l2tp; LAC1 is in the Master state;
LAC2 is in the Slave state.
<lac1> display remote-backup-profile p1

-----------------------------------------------
Profile-Index : 0x800
Profile-Name : p1
Service : bras l2tp
Remote-backup-service : s1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : Gigabitethernet 0/1/0.2
Interface :
Gigabitethernet 0/1/0.1
State : Master
Peer State : Slave
Backup mode : hot
Slot-Number : --
Card-Number : --
Port-Number : --
Traffic threshold : --
Traffic interval : 1(minutes)
<lac2> display remote-backup-profile p1
-----------------------------------------------
Profile-Index : 0x800
Profile-Name : p1
Service : bras l2tp
Remote-backup-service: s1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : Gigabitethernet 0/1/0.2
Interface :
Gigabitethernet 0/1/0.1
State : Slave
Peer State : Master
Backup mode : hot
Slot-Number : --
Card-Number : --
Port-Number : --
Traffic threshold : --
Traffic interval : 1(minutes)

----End
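The verification steps of this example, of 13.11.4 and of 13.11.5 all ask the operator to confirm the same things by reading the display output. The following Python script is an added example, not Huawei's code or tool, that parses the Key : Value lines of display vrrp and display remote-backup-profile output from both devices and reports every expected condition that does not hold; the sample outputs are constructed from the lac1/lac2 output above.

```python
"""Verification-step check for a two-node hot backup pair.

Added example (not Huawei's code or tool): parses the Key : Value lines of the
display vrrp and display remote-backup-profile output captured on both devices
and checks what the verification steps in this chapter ask the operator to
confirm by eye: exactly one Master and one Backup, a shared virtual IP, every
tracked BFD session UP, and RBP states that mirror each other in hot mode.
"""
import re

# Fields kept as single values; every other line of the output is ignored.
SCALAR = {"State", "Peer State", "Virtual IP", "PriorityRun", "MasterPriority",
          "Backup-ID", "Backup mode", "Service"}


def parse_display(text):
    """Collect the SCALAR fields plus the value of every 'BFD-session state' line."""
    d = {"BFD-session state": []}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(.*)", line)
        if not m:
            continue  # prompt, separator, or interface-name line
        key, val = m[1], m[2].strip()
        if key == "BFD-session state":
            d[key].append(val)
        elif key in SCALAR:
            d[key] = val
    return d


def check_pair(vrrp_a, vrrp_b, rbp_a, rbp_b):
    """Return the failed checks for the pair (empty list = output is as expected)."""
    out = []
    states = (vrrp_a.get("State"), vrrp_b.get("State"))
    if sorted(map(str, states)) != ["Backup", "Master"]:
        out.append(f"vrrp: expected one Master and one Backup, got {states}")
    if vrrp_a.get("Virtual IP") != vrrp_b.get("Virtual IP"):
        out.append("vrrp: virtual IP differs between the devices")
    for name, v in (("A", vrrp_a), ("B", vrrp_b)):
        down = [s for s in v["BFD-session state"] if s != "UP"]
        if down:
            out.append(f"vrrp {name}: {len(down)} tracked BFD session(s) not UP")
    master = vrrp_a if states[0] == "Master" else vrrp_b
    if any(v.get("MasterPriority") != master.get("PriorityRun") for v in (vrrp_a, vrrp_b)):
        out.append("vrrp: MasterPriority does not match the master's running priority")
    # RBP: same backup-id and service types, hot mode on both, and State/Peer State
    # mirrored and consistent with the VRRP roles (compared case-insensitively:
    # the output prints Slave/slave and Master/master inconsistently).
    for key in ("Backup-ID", "Service"):
        if rbp_a.get(key) != rbp_b.get(key):
            out.append(f"rbp: {key} differs ({rbp_a.get(key)} vs {rbp_b.get(key)})")
    roles = [v.get("State") == "Master" for v in (vrrp_a, vrrp_b)]
    for (name, r), mine, peer in zip((("A", rbp_a), ("B", rbp_b)), roles, roles[::-1]):
        if r.get("Backup mode") != "hot":
            out.append(f"rbp {name}: backup mode is {r.get('Backup mode')}, not hot")
        want = ("master" if mine else "slave", "master" if peer else "slave")
        got = (r.get("State", "").lower(), r.get("Peer State", "").lower())
        if got != want:
            out.append(f"rbp {name}: State/Peer State {got} does not match VRRP roles {want}")
    return out


# Constructed samples, abridged from the <lac1>/<lac2> output above.
VRRP_LAC1 = """\
<lac1> display vrrp
  Eth-Trunk1.2 | Virtual Router 1
    State : Master
    Virtual IP : 10.0.1.100
    Master IP : 10.0.1.1
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 1800
    Track BFD : 1  type: link
    BFD-session state : UP
    Track BFD : 3  type: peer
    BFD-session state : UP
    Create time : 2000-05-11 17:38:16
"""
VRRP_LAC2 = VRRP_LAC1.replace("State : Master", "State : Backup").replace("PriorityRun : 120", "PriorityRun : 100")
RBP_LAC1 = """\
<lac1> display remote-backup-profile p1
  Profile-Index : 0x800
  Service : bras l2tp
  Backup-ID : 10
  State : Master
  Peer State : Slave
  Backup mode : hot
"""
RBP_LAC2 = RBP_LAC1.replace("State : Master", "State : Slave").replace("Peer State : Slave", "Peer State : Master")
```

Feed the four captured outputs to `check_pair(parse_display(...), ...)`; an empty list means the pair is in the state the verification step describes, and a split-brain pair (both Master) or a tracked BFD session that is not UP is reported explicitly.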

Configuration Files
l Configuration file of LAC1
#
sysname LAC1
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
peer-backup route-cost auto-advertising
#
aaa
local-user a password cipher 1qaz@WSX
local-user a service-type ftp
local-user a ftp-directory cfcard:
local-user b password cipher abcd@EFG
local-user b service-type ftp
local-user c password simple Huawei-123
local-user c service-type ftp
authentication-scheme default1
authentication-mode radius local
#
domain domain1
l2tp-group lac1
radius-server group radius1
authentication-scheme default1
accounting-scheme default1

#
remote-backup-service s1
peer 10.0.0.2 source 10.0.0.1 port 4500
#
remote-backup-profile p1
service-type bras
service-type l2tp
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2
backup-id 10 remote-backup-service s1
#
interface virtual-template 1
ppp authentication-mode chap
#
interface GigabitEthernet0/1/0
speed auto
duplex auto
undo shutdown
ip address 128.3.150.242 255.255.0.0
#
interface GigabitEthernet 0/1/0.1
pppoe-server bind virtual-template 1
user-vlan 1 100
remote-backup-profile p1
#
bas
access-type layer2-subscriber
authentication-method ppp
#
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
vrrp vrid 1 track bfd-session 1 link
vrrp vrid 1 track bfd-session 3 peer
vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
#
interface gigabitethernet 0/2/0
ip address 10.0.2.1 255.255.255.0
quit
#
interface LoopBack1
ip address 7.7.7.7 255.255.255.255
#
interface LoopBack2
ip address 8.8.8.8 255.255.255.255
#
interface LoopBack3
ip address 10.0.0.1 255.255.255.255
#
l2tp enable
l2tp-group lac1
tunnel name lac1
start l2tp ip 3.3.3.3
tunnel authentication
tunnel password simple Huawei-123
tunnel source loopback1 rui
tunnel timer hello 200
#
bfd bfd-net bind peer-ip 10.0.0.2
discriminator local 3
discriminator remote 3
commit
#
ospf 1

preference 100
default cost inherit-metric
import-route direct
area 0.0.0.0
network 10.0.0.0 0.0.0.255
network 10.0.2.0 0.0.0.255
network 10.0.3.0 0.0.0.255
#
l Configuration file of LAC2
#
sysname LAC2
#
radius-server group radius1
radius-server authentication 20.20.20.1 1812
radius-server accounting 20.20.20.1 1813
radius-server shared-key itellin
#
peer-backup route-cost auto-advertising
#
aaa
local-user a password cipher rere@ERS
local-user a service-type ftp
local-user a ftp-directory cfcard:
local-user b password cipher oipo@TRT
local-user b service-type ftp
local-user c password simple Huawei-123
local-user c service-type ftp
authentication-scheme default1
authentication-mode radius local
#
domain domain1
l2tp-group lac1
radius-server group radius1
authentication-scheme default1
accounting-scheme default1
#
remote-backup-service s1
peer 10.0.0.1 source 10.0.0.2 port 4500
#
remote-backup-profile p1
service-type bras
service-type l2tp
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2
backup-id 10 remote-backup-service s1
#
interface virtual-template 1
ppp authentication-mode chap
#
interface GigabitEthernet 0/1/0
speed auto
duplex auto
undo shutdown
ip address 128.3.150.241 255.255.0.0
#
interface GigabitEthernet 0/1/0.1
pppoe-server bind virtual-template 1
user-vlan 1 100
remote-backup-profile p1
#
bas
access-type layer2-subscriber
authentication-method ppp
#
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100

admin-vrrp vrid 1
vrrp vrid 1 preempt-mode timer delay 300
vrrp vrid 1 track bfd-session 1 peer
#
interface gigabitethernet 0/2/0
ip address 10.0.2.2 255.255.255.0
quit
#
interface LoopBack1
ip address 7.7.7.7 255.255.255.255
#
interface LoopBack2
ip address 8.8.8.8 255.255.255.255
#
interface LoopBack3
ip address 10.0.0.2 255.255.255.255
#
l2tp enable
l2tp-group lac1
tunnel name lac1
start l2tp ip 3.3.3.3
tunnel authentication
tunnel password simple Huawei-123
tunnel source loopback2 rui
tunnel timer hello 200
#
bfd bfd-net bind peer-ip 10.0.0.1
discriminator local 3
discriminator remote 3
commit
#
ospf 1
default cost inherit-metric
import-route direct
preference 100
area 0.0.0.0
network 10.0.0.0 0.0.0.255
network 10.0.2.0 0.0.0.255
network 10.0.3.0 0.0.0.255
#
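The LAC1 and LAC2 files above have to agree with each other in several places: the RBS peer and source addresses are mirrored, the backup ID, VRRP binding and backup mode are identical, and the VRRP priorities differ so that only one device becomes master. The following Python script is an added example, not part of this guide or of the router software: it parses the RUI-relevant lines of both files (embedded below as sample text copied from the files above) and reports pairing mistakes, and it also flags secrets stored with "password simple", which the router keeps unencrypted in the configuration file.

```python
import re
from typing import Any, Dict, List

# Constructed samples: the RUI-relevant lines copied from the LAC1 and LAC2
# configuration files above (unrelated lines omitted).
LAC1_CFG = """\
sysname LAC1
local-user c password simple Huawei-123
remote-backup-service s1
peer 10.0.0.2 source 10.0.0.1 port 4500
remote-backup-profile p1
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2
backup-id 10 remote-backup-service s1
interface gigabitethernet 0/1/0.2
vrrp vrid 1 virtual-ip 10.0.1.100
vrrp vrid 1 priority 120
tunnel password simple Huawei-123
"""
LAC2_CFG = """\
sysname LAC2
local-user c password simple Huawei-123
remote-backup-service s1
peer 10.0.0.1 source 10.0.0.2 port 4500
remote-backup-profile p1
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2
backup-id 10 remote-backup-service s1
interface gigabitethernet 0/1/0.2
vrrp vrid 1 virtual-ip 10.0.1.100
tunnel password simple Huawei-123
"""

# One regex per RUI parameter; the capture group(s) become the stored value.
PATTERNS = {
    "sysname": r"^sysname (\S+)$",
    "peer": r"^peer (\S+) source (\S+) port (\d+)$",
    "mode": r"^peer-backup (\S+)$",
    "vrrp_id": r"^vrrp-id (\d+) interface (.+)$",
    "backup_id": r"^backup-id (\d+) remote-backup-service (\S+)$",
    "virtual_ip": r"^vrrp vrid \d+ virtual-ip (\S+)$",
    "priority": r"^vrrp vrid \d+ priority (\d+)$",
}


def parse_config(text: str) -> Dict[str, Any]:
    """Extract the RUI parameters; the VRRP priority defaults to 100 when absent."""
    cfg: Dict[str, Any] = {"priority": "100", "plaintext": []}
    for raw in text.splitlines():
        line = raw.strip()
        if "password simple" in line:  # 'simple' stores the secret unencrypted
            cfg["plaintext"].append(line)
        for key, pattern in PATTERNS.items():
            m = re.match(pattern, line)
            if m:
                groups = m.groups()
                cfg[key] = groups[0] if len(groups) == 1 else groups
    return cfg


def audit_pair(text_a: str, text_b: str) -> List[str]:
    """Return the pairing problems between two RUI peers (empty list = consistent)."""
    a, b = parse_config(text_a), parse_config(text_b)
    findings: List[str] = []
    # 1. The RBS TCP endpoints must mirror each other: A's peer is B's source and vice versa.
    peer_a, src_a, port_a = a["peer"]
    peer_b, src_b, port_b = b["peer"]
    if (peer_a, src_a, port_a) != (src_b, peer_b, port_b):
        findings.append(f"RBS endpoints not mirrored: {a['sysname']} {src_a}->{peer_a}:{port_a}, "
                        f"{b['sysname']} {src_b}->{peer_b}:{port_b}")
    # 2. Backup ID, VRRP binding, virtual IP and backup mode must be identical on both ends.
    for key in ("backup_id", "vrrp_id", "virtual_ip", "mode"):
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    # 3. Priorities must differ so that exactly one device becomes master.
    if a["priority"] == b["priority"]:
        findings.append(f"both devices use VRRP priority {a['priority']}; one must be higher")
    # 4. Secrets stored with 'password simple' are readable by anyone who can view the file.
    for cfg in (a, b):
        for line in cfg["plaintext"]:
            findings.append(f"{cfg['sysname']}: unencrypted secret: '{line}'")
    return findings


if __name__ == "__main__":
    for finding in audit_pair(LAC1_CFG, LAC2_CFG):
        print(finding)
```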

13.11.7 Example for Configuring RUI+EDSG in Exclusive Address Pool Mode
This section provides an example for configuring Redundancy User Information (RUI) + enhanced
dynamic service gateway (EDSG) in exclusive address pool mode.

Usage Scenario
With the rapid development of IP technologies, various value-added services are widely used
on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers'
leased line, and VPN interconnection, have high requirements for IP network reliability. IP
network reliability for carrier-class services includes device, link, and network reliability. On
a bearer network, the availability of a network device is required to reach 99.999%; that is, the
device downtime in a year must be less than 5 minutes. High reliability is a basic requirement
for carrier-class devices and must be considered by telecom carriers during network
construction.
The NE40E functions as an edge router that carries multiple services. It is connected to a core
network to implement Layer 3 routing functions and to the aggregation layer to terminate
Layer 2 user packets for user access. The NE40E can carry multiple services, such as triple
play services (HSI, VoIP, and IPTV). Therefore, the NE40E must have high reliability. The
NE40E provides service-level high-reliability technologies. Non-stop data flow forwarding
does not mean that user services are not interrupted. If a network node or link fails, user
traffic is switched to a backup device. If user information is not synchronized to a backup
device, user services are still interrupted. High reliability has been considered when the
NE40E is designed to function as a network edge service aggregation and control device,
which ensures that users' HSI, IPTV, and VoIP services are not interrupted if a network node
or link fault occurs. RUI is designed to meet the preceding reliability requirements.

Requirements on Software and Hardware


l Requirements on software: V800R010C00 or later
l Requirements on hardware: User access boards are installed

Requirements on Interconnected Devices


l Upstream device: There are no special requirements. The upstream device is generally a
CR for route switching and supports MPLS and MPLS L3VPN. It is recommended that
the upstream device be able to provide MPLS L2VPN capabilities. In multi-device
backup scenarios, protection tunnels must be established. If no direct link can be
deployed between NE40Es, a protection path must be established from the IP core
network. An MPLS tunnel is ideal.
l Downstream device: An aggregation switch is used as the downstream device to learn
MAC addresses from Layer 2 VLAN packets.

Solution Limitations
l An exclusive address pool is an address pool or address segment exclusively used by a
backup group or link. Generally, an exclusive address pool is used for services that can
be assigned private IP addresses, such as VoIP services. This address pool is not
recommended for services that use public IP addresses, such as HSI services, because IP
address resources are wasted.
l In exclusive address pool mode, the master and backup devices cannot advertise the
same network segment route. Advertising the same network segment route will cause
load balancing on the upstream CRs and network-to-user traffic forwarding errors.

Networking Requirements
Carriers can divide networks accessed by users into different subnets based on traffic
destination addresses. When different users access the subnets, different rate limit and
accounting are performed for the users. EDSG implements subnet division, rate limit, and
accounting management on NE40Es. As applications accessed by users become diversified,
high reliability is required for EDSG services. To meet this requirement, deploy RUI so that
EDSG service traffic is smoothly switched to the backup device if the master device fails.
RUI ensures normal traffic accounting without the need of users' re-dialup.
On the network shown in Figure 13-7, the user goes online from Device A (master device)
through PPPoE dialup. Device A and Device B implement RUI over VRRP and BFD. Device
A backs up EDSG services to Device B (backup device). If Device A fails, service traffic is
switched to Device B. Traffic statistics on Device A and Device B remain consistent.

Figure 13-7 Example for configuring RUI+EDSG in exclusive address pool mode
NOTE

Interface 1 and interface 2 in this example are GE0/1/0 and GE0/2/0, respectively.

[Figure 13-7 (image not included): an AAA server and a VOD server sit behind Device C. Device A and
Device B connect to Device C through interface 2 and to a switch through interface 1; EDSG service
backup and VRRP+BFD run between Device A and Device B.]

Device    Interface    IP Address
Device A  GE0/1/0      10.0.1.1/24
          GE0/2/0      10.0.0.1/24
          Loopback 1   22.22.22.22/32
Device B  GE0/1/0      10.0.1.2/24
          GE0/2/0      10.2.0.1/24
          Loopback 1   88.88.88.88/32

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic user access functions and ensure that the two NE40Es have the same
configuration. For details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access.
2. Configure routes to ensure IP connectivity between devices. For details, see HUAWEI
NE40E-M2 Series Universal Service Router Configuration Guide - IP Routing.
3. Establish a dual-device backup platform.
4. Configure NAS parameters and the interval at which traffic is backed up or the traffic
threshold.
5. Configure IP address pool binding.
6. Bind an RBP to an interface from which the user goes online.
7. Configure EDSG services on Device A and Device B. For details, see HUAWEI NE40E-
M2 Series Universal Service Router Multiservice Control Gateway Configuration Guide
- Value-added Service.
NOTE

The configuration on Device A is used in this example. The configuration on Device B is similar to that
on Device A.

Data Preparation
To complete the configuration, you need the following data:
l VRRP ID
l BFD parameters, such as the local and remote discriminators and expected minimum
intervals at which BFD control packets are sent and received
l IP addresses of interfaces on Device A and Device B
l Backup ID, which works together with an RBS to identify an RBP to which the user
belongs
l EDSG-related parameters

Procedure
Step 1 Establish a dual-device backup platform. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
NOTE

In this example, only RUI-related configurations are described. For other configurations, see the
corresponding configuration guide.

# Configure a BFD session on the access side to rapidly detect faults in interfaces or links and
trigger a master/backup VRRP switchover. 10.0.1.2 is the IP address of GE 0/1/0.2 on Device
B.
[~DeviceA] bfd
[*DeviceA-bfd] quit
[*DeviceA] bfd bfd bind peer-ip 10.0.1.2
[*DeviceA-bfd-session-bfd] discriminator local 1
[*DeviceA-bfd-session-bfd] discriminator remote 2
[*DeviceA-bfd-session-bfd] commit
[~DeviceA-bfd-session-bfd] quit

# Configure a VRRP backup group on GE 0/1/0.2, and configure the VRRP backup group to
track the BFD session and network-side interface.
[~DeviceA] interface gigabitethernet 0/1/0.2

Issue 01 (2018-12-05) Copyright © Huawei Technologies Co., Ltd. 721


HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access 13 User Access Multi-Device Backup Configuration

[*DeviceA-GigabitEthernet0/1/0.2] vlan-type dot1q 200


[*DeviceA-GigabitEthernet0/1/0.2] ip address 10.0.1.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 virtual-ip 10.0.1.100
[*DeviceA-GigabitEthernet0/1/0.2] admin-vrrp vrid 1
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 priority 120
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 preempt-mode timer delay 600
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 track bfd-session 1 peer
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 track interface gigabitethernet
0/2/0 reduced 50
[*DeviceA-GigabitEthernet0/1/0.2] commit
[~DeviceA-GigabitEthernet0/1/0.2] quit

NOTE

Different priorities must be configured for devices in a VRRP backup group. The device with a high
priority is the master device.

# Configure an RBS.
[~DeviceA] remote-backup-service service1
[*DeviceA-rm-backup-srv-service1] peer 88.88.88.88 source 22.22.22.22 port 2046
[*DeviceA-rm-backup-srv-service1] track interface gigabitethernet 0/2/0
[*DeviceA-rm-backup-srv-service1] commit
[~DeviceA-rm-backup-srv-service1] quit

NOTE

Ensure that the master and backup devices can ping each other.
Run the track bfd-session command in the RBS view to monitor the peer BFD sessions that are
established on the network side on Device A and Device B, rapidly monitoring the peer status. For
configuration details, see track bfd-session in HUAWEI NE40E-M2 Series Universal Service Router
Command Reference - Reliability.

# Configure an RBP.
[~DeviceA] remote-backup-profile profile1
[*DeviceA-rm-backup-prf-profile1] peer-backup hot
[*DeviceA-rm-backup-prf-profile1] vrrp-id 1 interface gigabitethernet 0/1/0.2
[*DeviceA-rm-backup-prf-profile1] backup-id 10 remote-backup-service service1
[*DeviceA-rm-backup-prf-profile1] service-type bras
[*DeviceA-rm-backup-prf-profile1] commit
[~DeviceA-rm-backup-prf-profile1] quit

Step 2 Configure NAS parameters and an interval at which traffic information is backed up. The
configuration on Device A is used in this example. The configuration on Device B is similar
to that on Device A.

# Configure NAS parameters.


[~DeviceA] remote-backup-profile profile1
[*DeviceA-rm-backup-prf-profile1] nas logic-ip 1.2.3.4
[*DeviceA-rm-backup-prf-profile1] nas logic-port gigabitethernet 0/1/0
[*DeviceA-rm-backup-prf-profile1] nas logic-sysname huawei
[*DeviceA-rm-backup-prf-profile1] commit

# Configure an interval at which traffic information is backed up.


[~DeviceA] remote-backup-profile profile1
[*DeviceA-rm-backup-prf-profile1] traffic backup interval 10
[*DeviceA-rm-backup-prf-profile1] commit

Step 3 Configure IP address pool binding. The configuration on Device A is used in this example.
The configuration on Device B is similar to that on Device A.
[~DeviceA] remote-backup-profile profile1
[*DeviceA-rm-backup-prf-profile1] ip-pool pool1
[*DeviceA-rm-backup-prf-profile1] commit

NOTE
The bound address pool named pool1 has been configured using the ip pool command in the AAA
domain view.

Step 4 Bind the RBP to GE 0/1/0.1 from which users go online. The configuration on Device A is used
in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface gigabitethernet 0/1/0.1
[*DeviceA-GigabitEthernet0/1/0.1] remote-backup-profile profile1
[*DeviceA-GigabitEthernet0/1/0.1] commit
[~DeviceA-GigabitEthernet0/1/0.1] quit

Step 5 Configure EDSG services.


1. Enable the value-added service function.
[~DeviceA] value-added-service enable

2. Configure a policy server.


# Set parameters as follows:
– RADIUS server group name: rad_group1
– RADIUS authentication server's IP address: 10.10.10.2
– RADIUS authentication server's port number: 1812
– RADIUS accounting server's IP address: 10.10.10.2
– RADIUS accounting server's port number: 1813
– Shared key for the RADIUS authentication and accounting servers: huawei@123
[~DeviceA] radius-server group rad_group1
[*DeviceA-radius-rad_group1] radius-server authentication 10.10.10.2 1812
[*DeviceA-radius-rad_group1] radius-server accounting 10.10.10.2 1813
[*DeviceA-radius-rad_group1] radius-server shared-key-cipher huawei@123
[*DeviceA-radius-rad_group1] commit
[~DeviceA-radius-rad_group1] quit

NOTE

For details about how to configure a RADIUS server group, see Configuring a RADIUS Server
in HUAWEI NE40E-M2 Series Configuration Guide - User Access.
3. Configure an EDSG traffic policy.
a. Create service groups.
# Create a service group named s_1m.
[~DeviceA] service-group s_1m

# Create a service group named s_2m.


[~DeviceA] service-group s_2m

NOTE

You must run the service-group command to create service groups regardless of whether the
NE40E obtains an EDSG service policy from local configurations or a RADIUS server.
b. Configure an ACL and define ACL rules for each service group.
# Configure ACL 6020 and define ACL rules for the service group named s_1m.
[~DeviceA] acl number 6020
[*DeviceA-acl-ucl-6020] rule 10 permit ip source service-group s_1m
destination ip-address 192.168.100.0 0.0.0.255
[*DeviceA-acl-ucl-6020] rule 20 permit ip source ip-address
192.168.100.0 0.0.0.255 destination service-group s_1m
[*DeviceA-acl-ucl-6020] commit
[~DeviceA-acl-ucl-6020] quit

# Configure ACL 6021 and define ACL rules for the service group named s_2m.

[~DeviceA] acl number 6021
[*DeviceA-acl-ucl-6021] rule 15 permit ip source service-group s_2m
destination ip-address 192.168.200.0 0.0.0.255
[*DeviceA-acl-ucl-6021] rule 25 permit ip source ip-address
192.168.200.0 0.0.0.255 destination service-group s_2m
[*DeviceA-acl-ucl-6021] commit
[~DeviceA-acl-ucl-6021] quit

c. Define traffic classifiers.


# Define a traffic classifier named c1.
[~DeviceA] traffic classifier c1 operator or
[*DeviceA-classifier-c1] if-match acl 6020
[*DeviceA-classifier-c1] commit
[~DeviceA-classifier-c1] quit

# Define a traffic classifier named c2.


[~DeviceA] traffic classifier c2 operator or
[*DeviceA-classifier-c2] if-match acl 6021
[*DeviceA-classifier-c2] commit
[~DeviceA-classifier-c2] quit

d. Define traffic behaviors.


# Define a traffic behavior named b1.
[~DeviceA] traffic behavior b1
[*DeviceA-behavior-b1] commit
[~DeviceA-behavior-b1] quit

# Define a traffic behavior b2.


[~DeviceA] traffic behavior b2
[*DeviceA-behavior-b2] commit
[~DeviceA-behavior-b2] quit

e. Configure an EDSG traffic policy.


# Configure an EDSG traffic policy named traffic_policy_edsg, and associate c1
and c2 with b1 and b2, respectively.
[~DeviceA] traffic policy traffic_policy_edsg
[*DeviceA-policy-traffic_policy_edsg] share-mode
[*DeviceA-policy-traffic_policy_edsg] classifier c1 behavior b1
[*DeviceA-policy-traffic_policy_edsg] classifier c2 behavior b2
[*DeviceA-policy-traffic_policy_edsg] commit
[~DeviceA-policy-traffic_policy_edsg] quit

f. Apply the EDSG traffic policy globally.


[~DeviceA] traffic-policy traffic_policy_edsg inbound
[~DeviceA] traffic-policy traffic_policy_edsg outbound
[~DeviceA] commit

4. Configure an AAA authentication scheme and accounting scheme.


# Configure an AAA authentication scheme named auth1 and specify RADIUS
authentication as the authentication mode.
[~DeviceA] aaa
[*DeviceA-aaa] authentication-scheme auth1
[*DeviceA-aaa-authen-auth1] authentication-mode radius
[*DeviceA-aaa-authen-auth1] commit
[~DeviceA-aaa-authen-auth1] quit

# Configure an AAA accounting scheme named acct1 and specify RADIUS accounting
as the accounting mode.
[~DeviceA-aaa] accounting-scheme acct1
[*DeviceA-aaa-accounting-acct1] accounting-mode radius
[*DeviceA-aaa-accounting-acct1] quit
[*DeviceA-aaa] commit
[~DeviceA-aaa] quit

5. Configure a mode in which EDSG service policies are obtained.


# Configure the mode "first from local configurations and then from a RADIUS server."
In this mode, the NE40E first attempts to obtain an EDSG service policy from local
configurations. If no EDSG service policy is locally configured, the NE40E obtains an
EDSG service policy from a RADIUS server.
[~DeviceA] service-policy download local radius rad_group1 password cipher
huawei@123
[~DeviceA] commit

6. Configure EDSG service policies.


a. Configure an EDSG service policy for traffic over network 1.
# Create an EDSG service policy named service_edsg1.
[~DeviceA] service-policy name service_edsg1 edsg

# Bind s_1m to service_edsg1.


[*DeviceA-service-policy-service_edsg1] service-group s_1m

# Bind rad_group1 to service_edsg1.


[*DeviceA-service-policy-service_edsg1] radius-server group rad_group1

# Bind auth1 to service_edsg1.


[*DeviceA-service-policy-service_edsg1] authentication-scheme auth1

# Bind acct1 to service_edsg1.


[*DeviceA-service-policy-service_edsg1] accounting-scheme acct1

# Set the bandwidth for uplink traffic rate limit for service_edsg1 to 1 Mbit/s.
[*DeviceA-service-policy-service_edsg1] rate-limit cir 1000 inbound

# Set the bandwidth for downlink traffic rate limit for service_edsg1 to 1 Mbit/s.
[*DeviceA-service-policy-service_edsg1] rate-limit cir 1000 outbound
[*DeviceA-service-policy-service_edsg1] commit
[~DeviceA-service-policy-service_edsg1] quit

b. Configure an EDSG service policy for traffic over network 2.


# Create an EDSG service policy named service_edsg2.
[~DeviceA] service-policy name service_edsg2 edsg

# Bind s_2m to service_edsg2.


[*DeviceA-service-policy-service_edsg2] service-group s_2m

# Bind rad_group1 to service_edsg2.


[*DeviceA-service-policy-service_edsg2] radius-server group rad_group1

# Bind auth1 to service_edsg2.


[*DeviceA-service-policy-service_edsg2] authentication-scheme auth1

# Bind acct1 to service_edsg2.


[*DeviceA-service-policy-service_edsg2] accounting-scheme acct1

# Set the bandwidth for uplink traffic rate limit for service_edsg2 to 2 Mbit/s.
[*DeviceA-service-policy-service_edsg2] rate-limit cir 2000 inbound

# Set the bandwidth for downlink traffic rate limit for service_edsg2 to 2 Mbit/s.
[*DeviceA-service-policy-service_edsg2] rate-limit cir 2000 outbound
[*DeviceA-service-policy-service_edsg2] commit
[~DeviceA-service-policy-service_edsg2] quit

7. Bind the local address pool and RADIUS server group to an AAA domain.
# Bind edsg_pool and rad_group1 to an AAA domain.
[~DeviceA] aaa

[*DeviceA-aaa] domain domain1
[*DeviceA-aaa-domain-domain1] ip-pool edsg_pool
[*DeviceA-aaa-domain-domain1] radius-server group rad_group1
[*DeviceA-aaa-domain-domain1] quit
[*DeviceA-aaa] commit
[~DeviceA-aaa] quit

8. Configure the prepaid function.


a. Configure a prepaid profile for traffic over network 1.
# Create a prepaid profile named prepaid1.
[~DeviceA] prepaid-profile prepaid1

# Bind rad_group1 to prepaid1.


[~DeviceA-prepaid-profile-prepaid1] radius-server group rad_group1

# Bind auth1 to prepaid1.


[~DeviceA-prepaid-profile-prepaid1] authentication-scheme auth1

# Bind acct1 to prepaid1.


[~DeviceA-prepaid-profile-prepaid1] accounting-scheme acct1

# Configure a password used for the NE40E to apply for an EDSG service quota
from the RADIUS server group.
[~DeviceA-prepaid-profile-prepaid1] password cipher huawei@123

# Set the time threshold for the NE40E to reapply for a time quota for EDSG
services from the RADIUS server to 60s.
[~DeviceA-prepaid-profile-prepaid1] threshold time 60 seconds

# Set the traffic volume threshold for the NE40E to reapply for a traffic volume
quota for EDSG services from the RADIUS server to 10 Mbytes.
[~DeviceA-prepaid-profile-prepaid1] threshold volume 10 mbytes
[~DeviceA-prepaid-profile-prepaid1] commit
[~DeviceA-prepaid-profile-prepaid1] quit

b. Configure a prepaid profile for traffic over network 2.


# Create a prepaid profile named prepaid2.
[~DeviceA] prepaid-profile prepaid2

# Bind rad_group1 to prepaid2.


[~DeviceA-prepaid-profile-prepaid2] radius-server group rad_group1

# Bind auth1 to prepaid2.


[~DeviceA-prepaid-profile-prepaid2] authentication-scheme auth1

# Bind acct1 to prepaid2.


[~DeviceA-prepaid-profile-prepaid2] accounting-scheme acct1

# Configure a password used for the NE40E to apply for an EDSG service quota
from the RADIUS server group.
[~DeviceA-prepaid-profile-prepaid2] password cipher huawei@123

# Set the time threshold for the NE40E to reapply for a time quota for EDSG
services from the RADIUS server to 300s.
[~DeviceA-prepaid-profile-prepaid2] threshold time 300 seconds

# Set the traffic volume threshold for the NE40E to reapply for a traffic volume
quota for EDSG services from the RADIUS server to 20 Mbytes.
[~DeviceA-prepaid-profile-prepaid2] threshold volume 20 mbytes
[~DeviceA-prepaid-profile-prepaid2] commit
[~DeviceA-prepaid-profile-prepaid2] quit

c. Apply the prepaid profiles in the EDSG service policy view.


# Apply prepaid1 to service_edsg1.

[~DeviceA] service-policy name service_edsg1 edsg
[~DeviceA-service-policy-service_edsg1] prepaid-profile prepaid1
[~DeviceA-service-policy-service_edsg1] commit
[~DeviceA-service-policy-service_edsg1] quit

# Apply prepaid2 to service_edsg2.


[~DeviceA] service-policy name service_edsg2 edsg
[~DeviceA-service-policy-service_edsg2] prepaid-profile prepaid2
[~DeviceA-service-policy-service_edsg2] commit
[~DeviceA-service-policy-service_edsg2] quit

9. Configure interfaces.
a. Create a virtual template.
[~DeviceA] interface Virtual-Template 1
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit

b. Configure a BAS interface.


[~DeviceA] interface GigabitEthernet0/1/2.1
[*DeviceA-GigabitEthernet0/1/2.1] user-vlan 1000 2000
[*DeviceA-GigabitEthernet0/1/2.1] user-vlan 1 1000 qinq 100
[*DeviceA-GigabitEthernet0/1/2.1] pppoe-server bind virtual-template 1
[*DeviceA-GigabitEthernet0/1/2.1] bas
[*DeviceA-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber
default-domain pre-authentication domain1
[*DeviceA-GigabitEthernet0/1/2.1-bas] authentication-method ppp web
[*DeviceA-GigabitEthernet0/1/2.1-bas] quit
[*DeviceA-GigabitEthernet0/1/2.1] commit
[~DeviceA-GigabitEthernet0/1/2.1] quit

c. Configure an uplink interface.


[~DeviceA] interface GigabitEthernet0/1/0.1
[*DeviceA-GigabitEthernet0/1/0.1] vlan-type dot1q 1
[*DeviceA-GigabitEthernet0/1/0.1] ip address 192.168.100.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0.1] commit
[~DeviceA-GigabitEthernet0/1/0.1] quit
[~DeviceA] interface GigabitEthernet0/1/0.2
[*DeviceA-GigabitEthernet0/1/0.2] vlan-type dot1q 1
[*DeviceA-GigabitEthernet0/1/0.2] ip address 192.168.200.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0.2] commit
[~DeviceA-GigabitEthernet0/1/0.2] quit

d. Configure the interface connected to the policy server, AAA server, and portal
server.
[~DeviceA] interface GigabitEthernet0/1/1
[*DeviceA-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1] commit
[~DeviceA-GigabitEthernet0/1/1] quit

10. Configure login users.

# Configure the AAA server to deliver the RADIUS attribute User-Password with a
value of huawei@123 for the PPPoE users (users 1 and 2).

NOTE

The shared key configured for a RADIUS server group determines the content of the User-
Password attribute.

# Configure the AAA server to deliver the RADIUS attribute HW-Account-Info containing
Aservice_edsg1 for user 1.

# Configure the AAA server to deliver the RADIUS attribute HW-Account-Info containing
Aservice_edsg2 for user 2.

NOTE

The content of the HW-Account-Info attribute starts with "A" followed by a service name. This
attribute is used in user authentication response packets to deliver EDSG services that
automatically take effect (directly activated after delivery).

Step 6 Verify the configuration.


After successfully configuring the RBP, run the display remote-backup-profile command.
The RBS type is bras. The RBP named profile1 is bound to GigabitEthernet0/1/0.1 from
which users go online. Device A is in the Master state.
<DeviceA> display remote-backup-profile profile1
-----------------------------------------------
Profile-Index : 0x802
Profile-Name : profile1
Service : bras
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : GigabitEthernet0/1/0.2
Interface :
GigabitEthernet0/1/0.1
State : Master
Peer-state : Slave
Backup mode : hot
Slot-Number : 1
Card-Number : 0
Port-Number : 0
Nas logic-port : Gigabitethernet 0/1/0
Nas logic-ip : 1.2.3.4
Nas logic-sysname : huawei
IP-Pool :
pool1
Traffic interval : 10(minutes)

After successfully configuring the RBS, run the display remote-backup-service command.
The TCP connection is in the Connected state.
<DeviceA> display remote-backup-service service1
----------------------------------------------------------
Service-Index : 0
Service-Name : service1
TCP-State : Connected
Peer-ip : 88.88.88.88
Source-ip : 22.22.22.22
TCP-Port : 2046
Track-BFD : --
Track-interface0 : GigabitEthernet0/2/0
Track-interface1 : --
Last up time : 2016-06-02 16:15:8
Last down time : 2016-06-02 16:3:36
Last down reason : TCP closed for packet error.
--------------------------------------------------------
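The two display commands above are the health check an operator repeats after every change: the RBP must show the local device in the expected role with its peer in the opposite role, the service type must be bras, and the RBS TCP connection must be Connected. The following Python script is an added example, not part of this guide or of the router software: it parses sample output modelled on the displays above (embedded below as constructed text) and returns the conditions under which the backup is not actually protecting users.

```python
from typing import Dict, List

# Constructed samples modelled on the two displays shown above.
PROFILE_OUT = """\
<DeviceA> display remote-backup-profile profile1
-----------------------------------------------
Profile-Index : 0x802
Profile-Name : profile1
Service : bras
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : GigabitEthernet0/1/0.2
Interface :
GigabitEthernet0/1/0.1
State : Master
Peer-state : Slave
Backup mode : hot
Traffic interval : 10(minutes)
"""
SERVICE_OUT = """\
<DeviceA> display remote-backup-service service1
----------------------------------------------------------
Service-Index : 0
Service-Name : service1
TCP-State : Connected
Peer-ip : 88.88.88.88
Source-ip : 22.22.22.22
TCP-Port : 2046
Track-BFD : --
Track-interface0 : GigabitEthernet0/2/0
Last up time : 2016-06-02 16:15:8
Last down time : 2016-06-02 16:3:36
Last down reason : TCP closed for packet error.
--------------------------------------------------------
"""


def parse_display(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict; a key with no value (Interface :) takes the next line."""
    fields: Dict[str, str] = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("<"):
            continue  # separators and the echoed command line
        if ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only (timestamps)
            key, value = key.strip(), value.strip()
            fields[key] = value
            pending = None if value else key
        elif pending:
            fields[pending] = (fields[pending] + " " + line).strip()
    return fields


def check_backup_health(profile_text: str, service_text: str, expected_role: str) -> List[str]:
    """Return the reasons users on this device are NOT protected; an empty list means healthy."""
    p, s = parse_display(profile_text), parse_display(service_text)
    problems: List[str] = []
    if "bras" not in p.get("Service", ""):
        problems.append(f"RBP service type is '{p.get('Service')}', expected bras")
    if p.get("State") != expected_role:
        problems.append(f"local state is {p.get('State')}, expected {expected_role}")
    expected_peer = "Slave" if expected_role == "Master" else "Master"
    if p.get("Peer-state") != expected_peer:
        problems.append(f"peer state is {p.get('Peer-state')}, expected {expected_peer} "
                        "(two masters or two slaves means a split VRRP group)")
    if p.get("Backup mode") != "hot":
        problems.append(f"backup mode is {p.get('Backup mode')}, expected hot")
    if p.get("Remote-backup-service") != s.get("Service-Name"):
        problems.append(f"RBP uses RBS {p.get('Remote-backup-service')} but the displayed "
                        f"RBS is {s.get('Service-Name')}")
    if s.get("TCP-State") != "Connected":
        problems.append(f"RBS TCP session to {s.get('Peer-ip')}:{s.get('TCP-Port')} is "
                        f"{s.get('TCP-State')} (last down reason: {s.get('Last down reason')})")
    return problems


if __name__ == "__main__":
    print(check_backup_health(PROFILE_OUT, SERVICE_OUT, "Master") or "backup healthy")
```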

After users go online, run the display backup-user command to view user information that is
backed up.
<DeviceA> display backup-user
Remote-backup-service: service1
Total Users Numer: 10
------------------------------------------------------------------------
100 101 102 103 104 105 106 107 108 109
------------------------------------------------------------------------

Run the display access-user interface command to view online user information on a
specified interface.

<DeviceA> display access-user interface GigabitEthernet 0/1/0.1
------------------------------------------------------------------------------
UserID  Username  Interface  IP address  MAC             IPv6 address
------------------------------------------------------------------------------
100     user@lsh  GE0/1/0.1  2.2.2.10    0002-0101-0101  -
101     user@lsh  GE0/1/0.1  2.2.2.9     0002-0101-0102  -
102     user@lsh  GE0/1/0.1  2.2.2.8     0002-0101-0103  -
103     user@lsh  GE0/1/0.1  2.2.2.7     0002-0101-0104  -
104     user@lsh  GE0/1/0.1  2.2.2.6     0002-0101-0105  -
105     user@lsh  GE0/1/0.1  2.2.2.5     0002-0101-0106  -
106     user@lsh  GE0/1/0.1  2.2.2.4     0002-0101-0107  -
107     user@lsh  GE0/1/0.1  2.2.2.3     0002-0101-0108  -
108     user@lsh  GE0/1/0.1  2.2.2.2     0002-0101-0109  -
109     user@lsh  GE0/1/0.1  2.2.2.11    0002-0101-0110  -
------------------------------------------------------------------------------
Total users : 10

View the configuration of the EDSG service policy on Device A.


<DeviceA> display service-policy configuration name service_edsg1
------------------------------------------------
Service-policy-index : 0
Service-policy-name : service1
Service-policy-type : EDSG
Policy-storage-type : configuration
Reference-count : 0
Service-class-inbound :ef
Service-class-outbound :ef
Authentication-scheme-name : -
Accounting-scheme-name : default1
Radius-server-template : template1
Service-group-name : -
Service-group-priority : -
Inbound-cir : 100(kbps)
Inbound-pir : 100(kbps)
Inbound-cbs : 100(bytes)
Inbound-pbs : 3000(bytes)
Outbound-cir : 10000(kbps)
Outbound-pir : -
Outbound-cbs : -
Outbound-pbs : -
Prepaid-profile-name : -
Diameter monitor key : -
Inbound-match-usergroup : no
Outbound-match-usergroup : no
------------------------------------------------

----End
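The three checks in the verification procedure above (RBS session state, backed-up user IDs, online users) can be scripted so that a user who is online but missing from the backup list is caught before a switchover drops that session. The Python script below is an added example, not part of the Huawei guide; it parses constructed samples modelled on the display remote-backup-service, display backup-user and display access-user output shown above.

```python
import re

# Constructed sample outputs modelled on the display commands in the procedure
# above (not captured from a real device). User 102 is online but absent from
# the backup list, which is the condition this check is meant to surface.
RBS_OUTPUT = """\
Service-Index : 0
Service-Name : service1
TCP-State : Connected
Peer-ip : 88.88.88.88
Source-ip : 22.22.22.22
TCP-Port : 2046
Track-interface0 : GigabitEthernet0/2/0
Last down reason : TCP closed for packet error.
"""

BACKUP_USER_OUTPUT = """\
Remote-backup-service: service1
Total Users Number: 3
------------------------------------------------------------------------
100 101 103
------------------------------------------------------------------------
"""

ACCESS_USER_OUTPUT = """\
------------------------------------------------------------------------------
UserID  Username  Interface  IP address  MAC             IPv6 address
------------------------------------------------------------------------------
100     user@lsh  GE0/1/0.1  2.2.2.10    0002-0101-0101  -
101     user@lsh  GE0/1/0.1  2.2.2.9     0002-0101-0102  -
102     user@lsh  GE0/1/0.1  2.2.2.8     0002-0101-0103  -
103     user@lsh  GE0/1/0.1  2.2.2.7     0002-0101-0104  -
------------------------------------------------------------------------------
Total users : 4
"""


def parse_kv(text):
    """Turn the 'Key : value' lines of display remote-backup-service into a dict.

    Splitting on the first colon keeps timestamps such as '16:15:8' intact."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            out[key.strip()] = value.strip()
    return out


def backed_up_ids(text):
    """User IDs listed between the two dashed rules of display backup-user."""
    ids = set()
    inside = False
    for line in text.splitlines():
        if line.startswith("----"):
            inside = not inside
        elif inside:
            ids.update(int(tok) for tok in line.split() if tok.isdigit())
    return ids


def online_users(text):
    """{user_id: (ip, mac)} for every data row of display access-user."""
    users = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[0].isdigit():
            users[int(cols[0])] = (cols[3], cols[4])
    return users


def audit(rbs_text, backup_text, access_text):
    """Report the RBS state and the online users that have no backup copy."""
    rbs = parse_kv(rbs_text)
    online = online_users(access_text)
    missing = sorted(set(online) - backed_up_ids(backup_text))
    return {
        "service": rbs.get("Service-Name"),
        "tcp_connected": rbs.get("TCP-State") == "Connected",
        "last_down_reason": rbs.get("Last down reason"),
        "online": len(online),
        "not_backed_up": missing,
    }


if __name__ == "__main__":
    report = audit(RBS_OUTPUT, BACKUP_USER_OUTPUT, ACCESS_USER_OUTPUT)
    print("RBS connected:", report["tcp_connected"])
    for uid in report["not_backed_up"]:
        print(f"user {uid} is online but not backed up")
```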

Configuration Files
Device A configuration file
#
sysname DeviceA
#
ip pool pool1 bas local
gateway 16.0.0.1 255.255.255.0
section 0 16.0.0.2 16.0.0.100
#
aaa
domain userdomain1
authentication-scheme default0
accounting-scheme default0
ip-pool pool1
#
bfd bfd bind peer-ip 10.0.1.2
discriminator local 1
discriminator remote 2
commit
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 600
vrrp vrid 1 track bfd-session session-name bfd peer
vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
#
remote-backup-service service1
peer 88.88.88.88 source 22.22.22.22 port 2046
track interface gigabitethernet 0/2/0
#
remote-backup-profile profile1
service-type bras
backup-id 10 remote-backup-service service1
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2
nas logic-ip 1.2.3.4
nas logic-port gigabitethernet0/1/0
nas logic-sysname huawei
traffic backup interval 10
ip-pool pool1
#
interface gigabitethernet 0/1/0.1
user-vlan 50
remote-backup-profile profile1
bas
access-type layer2-subscriber
authentication-method web
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
ospf 1
import-route unr
area 0.0.0.0
network 10.0.0.0 0.0.0.255
network 22.22.22.22 0.0.0.0
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
ip pool edsg_pool bas local
gateway 172.32.0.0 255.255.0.0
section 0 172.32.0.0 172.32.255.255
#
aaa
authentication-scheme auth1
authentication-mode radius
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool
radius-server group rad_group1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020
#
traffic classifier c2 operator or
if-match acl 6021
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1
classifier c2 behavior b2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
aaa
authentication-scheme auth1
#
accounting-scheme acct1
#
#
http-redirect-profile http_redirect_profile
web-server url http://www.sample.com
web-server mode post
#
prepaid-profile prepaid1
password cipher huawei@123
authentication-scheme auth1
accounting-scheme acct1
radius-server group rad_group1
threshold time 60 seconds
threshold volume 10 mbytes
#
prepaid-profile prepaid2
password cipher huawei@123
authentication-scheme auth1
accounting-scheme acct1
radius-server group rad_group1
threshold time 300 seconds
threshold volume 20 mbytes
quota-out redirect http_redirect_profile
#
service-policy download local radius rad_group1 password cipher huawei@123
#
service-policy name service_edsg1 edsg
radius-server group rad_group1
service-group s_1m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 1000 inbound
rate-limit cir 1000 outbound
prepaid-profile prepaid1
#
service-policy name service_edsg2 edsg
radius-server group rad_group1
service-group s_2m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 2000 inbound
rate-limit cir 2000 outbound
prepaid-profile prepaid2
#
interface GigabitEthernet0/1/2.1
user-vlan 1000 2000
user-vlan 1 1000 qinq 100
bas
#
access-type layer2-subscriber default-domain pre-authentication domain1
authentication-method ppp web
#
return

Device B configuration file


#
sysname DeviceB
#
ip pool pool2 bas local
gateway 16.0.0.1 255.255.255.0
section 0 16.0.0.2 16.0.0.100
#
aaa
domain userdomain1
authentication-scheme default0
accounting-scheme default0
ip-pool pool2
#
bfd bfd bind peer-ip 10.0.1.1
discriminator local 2
discriminator remote 1
commit
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100
admin-vrrp vrid 1
vrrp vrid 1 track bfd-session session-name bfd peer
vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
#
remote-backup-service service1
peer 22.22.22.22 source 88.88.88.88 port 2046
track interface gigabitethernet 0/2/0
#
remote-backup-profile profile1
service-type bras
backup-id 10 remote-backup-service service1
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2
nas logic-ip 1.2.3.4
nas logic-port gigabitethernet0/1/0
nas logic-sysname huawei
traffic backup interval 10
ip-pool pool2
#
interface gigabitethernet 0/1/0.1
user-vlan 50
remote-backup-profile profile1
bas
access-type layer2-subscriber
authentication-method web
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
interface LoopBack1
ip address 88.88.88.88 255.255.255.255
#
ospf 1
import-route unr
area 0.0.0.0
network 11.0.0.0 0.0.0.255
network 88.88.88.88 0.0.0.0
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
ip pool edsg_pool bas local
gateway 172.32.0.0 255.255.0.0
section 0 172.32.0.0 172.32.255.255
#
aaa
authentication-scheme auth1
authentication-mode radius
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool
radius-server group rad_group1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020
#
traffic classifier c2 operator or
if-match acl 6021
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1
classifier c2 behavior b2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
aaa
authentication-scheme auth1
#
accounting-scheme acct1
#
#
http-redirect-profile http_redirect_profile
web-server url http://www.sample.com
web-server mode post
#
prepaid-profile prepaid1
password cipher huawei@123
authentication-scheme auth1
accounting-scheme acct1
radius-server group rad_group1
threshold time 60 seconds
threshold volume 10 mbytes
#
prepaid-profile prepaid2
password cipher huawei@123
authentication-scheme auth1
accounting-scheme acct1
radius-server group rad_group1
threshold time 300 seconds
threshold volume 20 mbytes
quota-out redirect http_redirect_profile
#
service-policy download local radius rad_group1 password cipher huawei@123
#
service-policy name service_edsg1 edsg
radius-server group rad_group1
service-group s_1m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 1000 inbound
rate-limit cir 1000 outbound
prepaid-profile prepaid1
#
service-policy name service_edsg2 edsg
radius-server group rad_group1
service-group s_2m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 2000 inbound
rate-limit cir 2000 outbound
prepaid-profile prepaid2
#
interface GigabitEthernet0/1/2.1
user-vlan 1000 2000
user-vlan 1 1000 qinq 100
bas
#
access-type layer2-subscriber default-domain pre-authentication domain1
authentication-method ppp web
#
return
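The two configuration files above must mirror each other for RUI to work: the RBS peer and source addresses and the BFD discriminators are swapped between the devices, the backup-id, VRRP group and RBS port are identical, and the VRRP priorities differ so that exactly one device is preferred as master. The Python script below is an added example rather than anything from the Huawei guide; it parses constructed excerpts of the Device A and Device B files and reports every such mismatch, assuming VRP-style one-command-per-line input and a default VRRP priority of 100 where none is configured.

```python
import re

# Constructed excerpts of the Device A and Device B configuration files above;
# only the lines that define the RUI pairing are kept (sample input, not a
# complete device configuration).
DEVICE_A = """\
sysname DeviceA
bfd bfd bind peer-ip 10.0.1.2
 discriminator local 1
 discriminator remote 2
interface gigabitethernet 0/1/0.2
 ip address 10.0.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.1.100
 vrrp vrid 1 priority 120
remote-backup-service service1
 peer 88.88.88.88 source 22.22.22.22 port 2046
remote-backup-profile profile1
 backup-id 10 remote-backup-service service1
 vrrp-id 1 interface gigabitethernet 0/1/0.2
interface LoopBack1
 ip address 22.22.22.22 255.255.255.255
"""

DEVICE_B = """\
sysname DeviceB
bfd bfd bind peer-ip 10.0.1.1
 discriminator local 2
 discriminator remote 1
interface gigabitethernet 0/1/0.2
 ip address 10.0.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.1.100
remote-backup-service service1
 peer 22.22.22.22 source 88.88.88.88 port 2046
remote-backup-profile profile1
 backup-id 10 remote-backup-service service1
 vrrp-id 1 interface gigabitethernet 0/1/0.2
interface LoopBack1
 ip address 88.88.88.88 255.255.255.255
"""


def norm_iface(name):
    """'gigabitethernet 0/1/0.2' and 'GigabitEthernet0/1/0.2' are the same interface."""
    return name.replace(" ", "").lower()


def parse(text):
    """Collect the RUI-relevant values from a VRP-style configuration file."""
    cfg = {"priority": 100, "ifaces": {}}  # VRRP priority defaults to 100 if unset
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"sysname (\S+)", line):
            cfg["sysname"] = m[1]
        elif m := re.match(r"interface (.+)", line):
            iface = norm_iface(m[1])
        elif (m := re.match(r"ip address (\S+)", line)) and iface:
            cfg["ifaces"][iface] = m[1]
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+)", line):
            cfg["vrid"], cfg["vip"], cfg["vrrp_iface"] = int(m[1]), m[2], iface
        elif m := re.match(r"vrrp vrid \d+ priority (\d+)", line):
            cfg["priority"] = int(m[1])
        elif m := re.match(r"bfd \S+ bind peer-ip (\S+)", line):
            cfg["bfd_peer"] = m[1]
        elif m := re.match(r"discriminator (local|remote) (\d+)", line):
            cfg["disc_" + m[1]] = int(m[2])
        elif m := re.match(r"peer (\S+) source (\S+) port (\d+)", line):
            cfg["rbs_peer"], cfg["rbs_source"], cfg["rbs_port"] = m[1], m[2], int(m[3])
        elif m := re.match(r"backup-id (\d+)", line):
            cfg["backup_id"] = int(m[1])
        elif m := re.match(r"vrrp-id (\d+) interface (.+)", line):
            cfg["rbp_vrid"], cfg["rbp_iface"] = int(m[1]), norm_iface(m[2])
    return cfg


def check_pair(a, b):
    """Return the mismatches between a master/backup pair (empty list = consistent)."""
    problems = []

    def expect(cond, msg):
        if not cond:
            problems.append(msg)

    for x, y in ((a, b), (b, a)):
        n = x.get("sysname", "?")
        # RBS session: my peer must be the other side's source, my source an address I own.
        expect(x.get("rbs_peer") == y.get("rbs_source"), f"{n}: RBS peer is not the peer's source address")
        expect(x.get("rbs_source") in x["ifaces"].values(), f"{n}: RBS source is not a local address")
        # BFD: discriminators are crossed and peer-ip is the other side's VRRP interface.
        expect(x.get("disc_local") == y.get("disc_remote"), f"{n}: BFD discriminators do not match the peer")
        expect(x.get("bfd_peer") == y["ifaces"].get(y.get("vrrp_iface")), f"{n}: BFD peer-ip is not the peer's VRRP interface address")
        # The RBP must reference the VRRP group that exists on this device.
        expect(x.get("rbp_vrid") == x.get("vrid") and x.get("rbp_iface") == x.get("vrrp_iface"), f"{n}: RBP vrrp-id does not match the VRRP group")
    expect(a.get("rbs_port") == b.get("rbs_port"), "RBS TCP ports differ")
    expect(a.get("backup_id") == b.get("backup_id"), "backup-id differs")
    expect(a.get("vrid") == b.get("vrid") and a.get("vip") == b.get("vip"), "VRRP vrid or virtual IP differs")
    expect(a["priority"] != b["priority"], "VRRP priorities are equal; one device must be preferred as master")
    return problems


if __name__ == "__main__":
    for line in check_pair(parse(DEVICE_A), parse(DEVICE_B)) or ["pair is consistent"]:
        print(line)
```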


13.11.8 Example for Configuring RUI+EDSG in Shared Address Pool Mode
This section provides an example for configuring Redundancy User Information (RUI) +
enhanced dynamic service gateway (EDSG) in shared address pool mode.

Usage Scenario
With the rapid development of IP technologies, various value-added services are widely used
on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers'
leased line, and VPN interconnection, have high requirements for IP network reliability. IP
network reliability for carrier-class services includes device, link, and network reliability. On
a bearer network, the availability of a network device is required to reach 99.999%; that is, the
device downtime in a year must be less than 5 minutes. High reliability is a basic requirement
for carrier-class devices and must be considered by telecom carriers during network
construction.
The NE40E functions as an edge router that carries multiple services. It is connected to a core
network to implement Layer 3 routing functions and to the aggregation layer to terminate
Layer 2 user packets for user access. The NE40E can carry multiple services, such as triple
play services (HSI, VoIP, and IPTV). Therefore, the NE40E must have high reliability. The
NE40E provides service-level high-reliability technologies. Non-stop data flow forwarding
does not mean that user services are not interrupted. If a network node or link fails, user
traffic is switched to a backup device. If user information is not synchronized to a backup
device, user services are still interrupted. High reliability has been considered when the
NE40E is designed to function as a network edge service aggregation and control device,
which ensures that users' HSI, IPTV, and VoIP services are not interrupted if a network node
or link fault occurs. RUI is designed to meet the preceding reliability requirements.

Requirements on Software and Hardware


• Requirements on software: V800R010C00 or later
• Requirements on hardware: User access boards are installed

Requirements on Interconnected Devices


• Upstream device: There are no special requirements. The upstream device is generally a
CR for route switching and supports MPLS and MPLS L3VPN. It is recommended that
the upstream device be able to provide MPLS L2VPN capabilities. In multi-device
backup scenarios, protection tunnels must be established. If no direct link can be
deployed between NE40Es, a protection path must be established from the IP core
network. An MPLS tunnel is ideal.
• Downstream device: An aggregation switch is used as the downstream device to learn
MAC addresses from Layer 2 VLAN packets.

Solution Limitations
• In shared address pool mode, an address pool (an IP network segment) is planned based
on services. A service (for example, Internet access or VoIP service) corresponds to a
domain's configuration. If terminals that go online through different access links have a
service (for example, Internet access service), the terminals share address pool resources
in a domain. This mode is called multi-link address pool sharing.


• During the actual deployment, planning address pools based on links is difficult, because
the number of public addresses is limited and dividing address pools causes address
resource waste. Address pools can be divided based on authentication domains, which
allows an address pool on the NE40E to be shared between links or backup groups. In
this situation, forwarding control cannot be performed by advertising or withdrawing a
network segment route of an address pool. To implement forwarding control, using a
shared address pool and tunnel protection is recommended.

Networking Requirements
Carriers can divide networks accessed by users into different subnets based on traffic
destination addresses. When different users access the subnets, different rate limit and
accounting are performed for the users. EDSG implements subnet division, rate limit, and
accounting management on NE40Es. As applications accessed by users become diversified,
high reliability is required for EDSG services. To meet this requirement, deploy RUI so that
EDSG service traffic is smoothly switched to the backup device if the master device fails.
RUI ensures normal traffic accounting without the need of users' re-dialup.
On the network shown in Figure 13-8, the user goes online from Device A (master device)
through PPPoE dialup. Device A and Device B implement RUI over VRRP and BFD. Device
A backs up EDSG services to Device B (backup device). If Device A fails, service traffic is
switched to Device B. Traffic statistics on Device A and Device B remain consistent.

Figure 13-8 Example for configuring RUI+EDSG in shared address pool mode
NOTE

Interface 1, interface 2, and interface 3 in this example are GE 0/1/0, GE 0/2/0, and GE 0/3/0, respectively.


[Figure 13-8 (image not reproduced): Device A and Device B each connect to the downstream switch over interface1 (VRRP+BFD), to Device C over interface2, and to each other over interface3 (EDSG service backup); the AAA server and VOD server are reached through Device C.]

Device     Interface    IP Address
Device A   GE 0/1/0     10.0.1.1/24
           GE 0/2/0     10.0.0.1/24
           GE 0/3/0     10.1.1.6/24
           Loopback 0   1.1.1.1/32
           Loopback 1   22.22.22.22/32
Device B   GE 0/1/0     10.0.1.2/24
           GE 0/2/0     10.0.2.1/24
           GE 0/3/0     10.1.1.7/24
           Loopback 0   2.2.2.2/32
           Loopback 1   88.88.88.88/32

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure basic user access functions and ensure that the two NE40Es have the same
configuration. For details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide - User Access.
2. Configure routes to ensure IP connectivity between devices. For details, see HUAWEI
NE40E-M2 Series Universal Service Router Configuration Guide - IP Routing.
3. Establish a dual-device backup platform.
4. Configure an RBS, address pool, and RBP.
5. Configure a protection path for returned network-side traffic.
6. Bind an RBP to an interface from which the user goes online.
7. Configure EDSG services on Device A and Device B. For details, see HUAWEI NE40E-
M2 Series Universal Service Router Multiservice Control Gateway Configuration Guide
- Value-added Service.

Data Preparation
To complete the configuration, you need the following data:
• VRRP ID
• IP address of each interface on Routers that back up each other
• Backup ID, which works together with an RBS to identify an RBP to which the user
belongs
• Name of a hybrid address pool
• EDSG-related parameters

Procedure
Step 1 Establish a dual-device backup platform. The configuration on Device A is used in this
example. The configuration on Device B is similar to that on Device A.
NOTE

In this example, only RUI-related settings are described.

# Configure a BFD session on the access side to rapidly detect faults in interfaces or links and
trigger a master/backup VRRP switchover. 10.0.1.2 is the IP address of GE 0/1/0.2 on Device
B.
[*DeviceA] bfd
[*DeviceA-bfd] commit
[~DeviceA-bfd] quit
[*DeviceA] bfd bfd bind peer-ip 10.0.1.2
[*DeviceA-bfd-session-bfd] discriminator local 1
[*DeviceA-bfd-session-bfd] discriminator remote 2
[*DeviceA-bfd-session-bfd] commit
[~DeviceA-bfd-session-bfd] quit

# Configure a VRRP backup group on GE 0/1/0.2, and configure the VRRP backup group to
track the BFD session and network-side interface.
[*DeviceA] interface gigabitethernet 0/1/0.2
[*DeviceA-GigabitEthernet0/1/0.2] vlan-type dot1q 200
[*DeviceA-GigabitEthernet0/1/0.2] ip address 10.0.1.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 virtual-ip 10.0.1.100
[*DeviceA-GigabitEthernet0/1/0.2] admin-vrrp vrid 1
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 priority 120
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 preempt-mode timer delay 600
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 track bfd-session 1 peer
[*DeviceA-GigabitEthernet0/1/0.2] vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
[*DeviceA-GigabitEthernet0/1/0.2] commit
[~DeviceA-GigabitEthernet0/1/0.2] quit

NOTE

Different priorities must be configured for the devices in a VRRP backup group. The device with the
higher priority becomes the master device.

Step 2 Configure an RBS, address pool, and RBP.


# Configure an RBS.
[*DeviceA] remote-backup-service service1
[*DeviceA-rm-backup-srv-service1] peer 88.88.88.88 source 22.22.22.22 port 2046
[*DeviceA-rm-backup-srv-service1] track interface gigabitethernet 0/2/0
[*DeviceA-rm-backup-srv-service1] commit
[~DeviceA-rm-backup-srv-service1] quit

NOTE

Run the track bfd-session command in the RBS view to monitor the peer BFD sessions that are
established on the network side on Device A and Device B, rapidly monitoring the peer status. For
configuration details, see track bfd-session in HUAWEI NE40E-M2 Series Universal Service Router
Command Reference - Reliability.

# Configure a local address pool and backup address pool on Device A (master device).
[*DeviceA] ip pool hsi bas local
[*DeviceA-ip-pool-hsi] gateway 1.1.1.1 24
[*DeviceA-ip-pool-hsi] section 0 1.1.1.2 1.1.1.254
[*DeviceA-ip-pool-hsi] commit
[~DeviceA-ip-pool-hsi] quit
[*DeviceA] ip pool hsi-main-bak bas local
[*DeviceA-ip-pool-hsi-main-bak] gateway 2.2.2.2 24
[*DeviceA-ip-pool-hsi-main-bak] section 0 2.2.2.3 2.2.2.254
[*DeviceA-ip-pool-hsi-main-bak] commit
[~DeviceA-ip-pool-hsi-main-bak] quit

# Configure an address pool named hsi-main on Device B and configure it as a local address
pool.
[*DeviceB] ip pool hsi-main bas local
[*DeviceB-ip-pool-hsi-main] gateway 2.2.2.2 24
[*DeviceB-ip-pool-hsi-main] section 0 2.2.2.3 2.2.2.254
[*DeviceB-ip-pool-hsi-main] commit
[~DeviceB-ip-pool-hsi-main] quit

# Configure a backup address pool named hsi-bak and configure it as an RUI-slave address
pool.
[*DeviceB] ip pool hsi-bak bas local rui-slave
[*DeviceB-ip-pool-hsi-bak] gateway 1.1.1.1 24
[*DeviceB-ip-pool-hsi-bak] section 0 1.1.1.2 1.1.1.254
[*DeviceB-ip-pool-hsi-bak] commit
[~DeviceB-ip-pool-hsi-bak] quit

# Configure an RBP on Device A and Device B.


[*DeviceA] remote-backup-profile profile1
[*DeviceA-rm-backup-prf-profile1] peer-backup hot
[*DeviceA-rm-backup-prf-profile1] vrrp-id 1 interface gigabitethernet 0/1/0.2
[*DeviceA-rm-backup-prf-profile1] backup-id 10 remote-backup-service service1
[*DeviceA-rm-backup-prf-profile1] service-type bras
[*DeviceA-rm-backup-prf-profile1] commit
[~DeviceA-rm-backup-prf-profile1] quit

[*DeviceB] remote-backup-profile profile1
[*DeviceB-rm-backup-prf-profile1] peer-backup hot
[*DeviceB-rm-backup-prf-profile1] vrrp-id 1 interface gigabitethernet 0/1/0.2
[*DeviceB-rm-backup-prf-profile1] backup-id 10 remote-backup-service service1
[*DeviceB-rm-backup-prf-profile1] service-type bras
[*DeviceB-rm-backup-prf-profile1] ip-pool hsi include hsi-bak node 5
[*DeviceB-rm-backup-prf-profile1] ip-pool hsi-main include hsi-main-bak node 10
[*DeviceB-rm-backup-prf-profile1] commit
[~DeviceB-rm-backup-prf-profile1] quit

Step 3 Bind the configured address pools to the RBS and configure a protection path for returned
network-side traffic.
[*DeviceA] remote-backup-service service1
[*DeviceA-rm-backup-srv-service1] ip-pool hsi
[*DeviceA-rm-backup-srv-service1] ip-pool hsi-main-bak
[*DeviceA-rm-backup-srv-service1] protect redirect ip-nexthop 10.1.1.7 interface gigabitethernet 0/3/0
[*DeviceA-rm-backup-srv-service1] commit

[*DeviceB] remote-backup-service service1
[*DeviceB-rm-backup-srv-service1] ip-pool hsi-main
[*DeviceB-rm-backup-srv-service1] ip-pool hsi-bak
[*DeviceB-rm-backup-srv-service1] protect redirect ip-nexthop 10.1.1.6 interface gigabitethernet 0/3/0
[*DeviceB-rm-backup-srv-service1] commit

Step 4 Bind the RBP to GE 0/1/0.1 from which users go online. The configuration on Device A is
used in this example. The configuration on Device B is similar to that on Device A.
[~DeviceA] interface gigabitethernet 0/1/0.1
[*DeviceA-GigabitEthernet0/1/0.1] remote-backup-profile profile1
[*DeviceA-GigabitEthernet0/1/0.1] commit
[~DeviceA-GigabitEthernet0/1/0.1] quit

Step 5 Configure EDSG services.


1. Enable the value-added service function.
[~DeviceA] value-added-service enable

2. Configure a policy server.


# Set parameters as follows:
– RADIUS server group name: rad_group1
– RADIUS authentication server's IP address: 10.10.10.2
– RADIUS authentication server's port number: 1812
– RADIUS accounting server's IP address: 10.10.10.2
– RADIUS accounting server's port number: 1813
– Shared key for the RADIUS authentication and accounting servers: huawei@123
[~DeviceA] radius-server group rad_group1
[*DeviceA-radius-rad_group1] radius-server authentication 10.10.10.2 1812
[*DeviceA-radius-rad_group1] radius-server accounting 10.10.10.2 1813
[*DeviceA-radius-rad_group1] radius-server shared-key-cipher huawei@123
[*DeviceA-radius-rad_group1] commit
[~DeviceA-radius-rad_group1] quit

NOTE

For details about how to configure a RADIUS server group, see Configuring a RADIUS Server
in HUAWEI NE40E-M2 Series Configuration Guide - User Access.
3. Configure an EDSG traffic policy.
a. Create service groups.
# Create a service group named s_1m.
[~DeviceA] service-group s_1m


# Create a service group named s_2m.


[~DeviceA] service-group s_2m

NOTE

You must run the service-group command to create service groups regardless of whether the
NE40E obtains an EDSG service policy from local configurations or a RADIUS server.
b. Configure an ACL and define ACL rules for each service group.
# Configure ACL 6020 and define ACL rules for the service group named s_1m.
[~DeviceA] acl number 6020
[*DeviceA-acl-ucl-6020] rule 10 permit ip source service-group s_1m destination ip-address 192.168.100.0 0.0.0.255
[*DeviceA-acl-ucl-6020] rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination service-group s_1m
[*DeviceA-acl-ucl-6020] commit
[~DeviceA-acl-ucl-6020] quit

# Configure ACL 6021 and define ACL rules for the service group named s_2m.
[~DeviceA] acl number 6021
[*DeviceA-acl-ucl-6021] rule 15 permit ip source service-group s_2m destination ip-address 192.168.200.0 0.0.0.255
[*DeviceA-acl-ucl-6021] rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination service-group s_2m
[*DeviceA-acl-ucl-6021] commit
[~DeviceA-acl-ucl-6021] quit

c. Define traffic classifiers.


# Define a traffic classifier named c1.
[~DeviceA] traffic classifier c1 operator or
[*DeviceA-classifier-c1] if-match acl 6020
[*DeviceA-classifier-c1] commit
[~DeviceA-classifier-c1] quit

# Define a traffic classifier named c2.


[~DeviceA] traffic classifier c2 operator or
[*DeviceA-classifier-c2] if-match acl 6021
[*DeviceA-classifier-c2] commit
[~DeviceA-classifier-c2] quit

d. Define traffic behaviors.


# Define a traffic behavior named b1.
[~DeviceA] traffic behavior b1
[*DeviceA-behavior-b1] commit
[~DeviceA-behavior-b1] quit

# Define a traffic behavior named b2.


[~DeviceA] traffic behavior b2
[*DeviceA-behavior-b2] commit
[~DeviceA-behavior-b2] quit

e. Configure an EDSG traffic policy.


# Configure an EDSG traffic policy named traffic_policy_edsg, and associate c1
and c2 with b1 and b2, respectively.
[~DeviceA] traffic policy traffic_policy_edsg
[*DeviceA-policy-traffic_policy_edsg] share-mode
[*DeviceA-policy-traffic_policy_edsg] classifier c1 behavior b1
[*DeviceA-policy-traffic_policy_edsg] classifier c2 behavior b2
[*DeviceA-policy-traffic_policy_edsg] commit
[~DeviceA-policy-traffic_policy_edsg] quit

f. Apply the EDSG traffic policy globally.


[~DeviceA] traffic-policy traffic_policy_edsg inbound
[~DeviceA] traffic-policy traffic_policy_edsg outbound
[~DeviceA] commit


4. Configure an AAA authentication scheme and accounting scheme.


# Configure an AAA authentication scheme named auth1 and specify RADIUS
authentication as the authentication mode.
[~DeviceA] aaa
[*DeviceA-aaa] authentication-scheme auth1
[*DeviceA-aaa-authen-auth1] authentication-mode radius
[*DeviceA-aaa-authen-auth1] commit
[~DeviceA-aaa-authen-auth1] quit

# Configure an AAA accounting scheme named acct1 and specify RADIUS accounting
as the accounting mode.
[~DeviceA-aaa] accounting-scheme acct1
[*DeviceA-aaa-accounting-acct1] accounting-mode radius
[*DeviceA-aaa-accounting-acct1] quit
[*DeviceA-aaa] commit
[~DeviceA-aaa] quit

5. Configure a mode in which EDSG service policies are obtained.


# Configure the mode "first from local configurations and then from a RADIUS server."
In this mode, the NE40E first attempts to obtain an EDSG service policy from local
configurations. If no EDSG service policy is locally configured, the NE40E obtains an
EDSG service policy from a RADIUS server.
[~DeviceA] service-policy download local radius rad_group1 password cipher huawei@123
[~DeviceA] commit

6. Configure EDSG service policies.


a. Configure an EDSG service policy for traffic over network 1.
# Create an EDSG service policy named service_edsg1.
[~DeviceA] service-policy name service_edsg1 edsg

# Bind s_1m to service_edsg1.


[*DeviceA-service-policy-service_edsg1] service-group s_1m

# Bind rad_group1 to service_edsg1.


[*DeviceA-service-policy-service_edsg1] radius-server group rad_group1

# Bind auth1 to service_edsg1.


[*DeviceA-service-policy-service_edsg1] authentication-scheme auth1

# Bind acct1 to service_edsg1.


[*DeviceA-service-policy-service_edsg1] accounting-scheme acct1

# Set the bandwidth for uplink traffic rate limit for service_edsg1 to 1 Mbit/s.
[*DeviceA-service-policy-service_edsg1] rate-limit cir 1000 inbound

# Set the bandwidth for downlink traffic rate limit for service_edsg1 to 1 Mbit/s.
[*DeviceA-service-policy-service_edsg1] rate-limit cir 1000 outbound
[*DeviceA-service-policy-service_edsg1] commit
[~DeviceA-service-policy-service_edsg1] quit

b. Configure an EDSG service policy for traffic over network 2.


# Create an EDSG service policy named service_edsg2.
[~DeviceA] service-policy name service_edsg2 edsg

# Bind s_2m to service_edsg2.


[*DeviceA-service-policy-service_edsg2] service-group s_2m

# Bind rad_group1 to service_edsg2.


[*DeviceA-service-policy-service_edsg2] radius-server group rad_group1


# Bind auth1 to service_edsg2.


[*DeviceA-service-policy-service_edsg2] authentication-scheme auth1

# Bind acct1 to service_edsg2.


[*DeviceA-service-policy-service_edsg2] accounting-scheme acct1

# Set the bandwidth for uplink traffic rate limit for service_edsg2 to 2 Mbit/s.
[*DeviceA-service-policy-service_edsg2] rate-limit cir 2000 inbound

# Set the bandwidth for downlink traffic rate limit for service_edsg2 to 2 Mbit/s.
[*DeviceA-service-policy-service_edsg2] rate-limit cir 2000 outbound
[*DeviceA-service-policy-service_edsg2] commit
[~DeviceA-service-policy-service_edsg2] quit

7. Bind the local address pool and RADIUS server group to an AAA domain.
# Bind edsg_pool and rad_group1 to an AAA domain.
[~DeviceA] aaa
[*DeviceA-aaa] domain domain1
[*DeviceA-aaa-domain-domain1] ip-pool edsg_pool
[*DeviceA-aaa-domain-domain1] radius-server group rad_group1
[*DeviceA-aaa-domain-domain1] quit
[*DeviceA-aaa] commit
[~DeviceA-aaa] quit

8. Configure the prepaid function.


a. Configure a prepaid profile for traffic over network 1.
# Create a prepaid profile named prepaid1.
[~DeviceA] prepaid-profile prepaid1

# Bind rad_group1 to prepaid1.


[~DeviceA-prepaid-profile-prepaid1] radius-server group rad_group1

# Bind auth1 to prepaid1.


[~DeviceA-prepaid-profile-prepaid1] authentication-scheme auth1

# Bind acct1 to prepaid1.


[~DeviceA-prepaid-profile-prepaid1] accounting-scheme acct1

# Configure a password used for the NE40E to apply for an EDSG service quota
from the RADIUS server group.
[~DeviceA-prepaid-profile-prepaid1] password cipher huawei@123

# Set the time threshold for the NE40E to reapply for a time quota for EDSG
services from the RADIUS server to 60s.
[~DeviceA-prepaid-profile-prepaid1] threshold time 60 seconds

# Set the traffic volume threshold for the BRAS to reapply for a traffic volume
quota for EDSG services from the RADIUS server to 10 Mbytes.
[~DeviceA-prepaid-profile-prepaid1] threshold volume 10 mbytes
[~DeviceA-prepaid-profile-prepaid1] commit
[~DeviceA-prepaid-profile-prepaid1] quit

b. Configure a prepaid profile for traffic over network 2.

# Create a prepaid profile named prepaid2.
[~DeviceA] prepaid-profile prepaid2

# Bind rad_group1 to prepaid2.
[~DeviceA-prepaid-profile-prepaid2] radius-server group rad_group1

# Bind auth1 to prepaid2.
[~DeviceA-prepaid-profile-prepaid2] authentication-scheme auth1

# Bind acct1 to prepaid2.

[~DeviceA-prepaid-profile-prepaid2] accounting-scheme acct1

# Configure a password used for the NE40E to apply for an EDSG service quota
from the RADIUS server group.
[~DeviceA-prepaid-profile-prepaid2] password cipher huawei@123

# Set the time threshold for the NE40E to reapply for a time quota for EDSG
services from the RADIUS server to 300s.
[~DeviceA-prepaid-profile-prepaid2] threshold time 300 seconds

# Set the traffic volume threshold for the NE40E to reapply for a traffic volume
quota for EDSG services from the RADIUS server to 20 Mbytes.
[~DeviceA-prepaid-profile-prepaid2] threshold volume 20 mbytes
[~DeviceA-prepaid-profile-prepaid2] commit
[~DeviceA-prepaid-profile-prepaid2] quit

c. Apply the prepaid profiles in the EDSG service policy view.

# Apply prepaid1 to service_edsg1.
[~DeviceA] service-policy name service_edsg1 edsg
[~DeviceA-service-policy-service_edsg1] prepaid-profile prepaid1
[~DeviceA-service-policy-service_edsg1] commit
[~DeviceA-service-policy-service_edsg1] quit

# Apply prepaid2 to service_edsg2.
[~DeviceA] service-policy name service_edsg2 edsg
[~DeviceA-service-policy-service_edsg2] prepaid-profile prepaid2
[~DeviceA-service-policy-service_edsg2] commit
[~DeviceA-service-policy-service_edsg2] quit
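
The two prepaid profiles differ only in their reapply thresholds (60 s and 10 Mbytes for prepaid1, 300 s and 20 Mbytes for prepaid2). The Python model below is an added illustration, not code from the NE40E or from Huawei, of what those thresholds mean in operation: the BRAS asks the RADIUS server for a fresh quota as soon as the remaining time or volume falls to the threshold, so that the request completes before the quota is used up, and a session whose quota runs out without a new grant is handed to the quota-out action (prepaid2 binds quota-out redirect http_redirect_profile in the configuration file). The RADIUS exchange itself is not modelled; grant() stands in for a quota delivered by the server. Taking a Mbyte as 1024 * 1024 bytes and the grant sizes used in the demo are assumptions.

```python
from dataclasses import dataclass, field

MBYTE = 1024 * 1024  # assumption: unit of 'threshold volume ... mbytes'


@dataclass
class PrepaidSession:
    """One user's prepaid quota tracked against a prepaid profile's thresholds.

    time_threshold_s / volume_threshold_bytes mirror 'threshold time' and
    'threshold volume' in the prepaid-profile view.
    """
    profile: str
    time_threshold_s: int
    volume_threshold_bytes: int
    time_left_s: int = 0
    volume_left_bytes: int = 0
    time_request_pending: bool = False
    volume_request_pending: bool = False
    events: list = field(default_factory=list)

    def grant(self, time_s: int = 0, volume_bytes: int = 0) -> None:
        """Apply a quota granted by the RADIUS server and clear the matching request."""
        if time_s:
            self.time_left_s += time_s
            self.time_request_pending = False
        if volume_bytes:
            self.volume_left_bytes += volume_bytes
            self.volume_request_pending = False
        self.events.append(("grant", time_s, volume_bytes))

    def consume(self, seconds: int, nbytes: int) -> str:
        """Account for usage; return 'ok', 'reapply' or 'quota-out'."""
        self.time_left_s -= seconds
        self.volume_left_bytes -= nbytes
        state = "ok"
        # Reapply once per quota cycle as soon as the remainder reaches the threshold.
        if self.time_left_s <= self.time_threshold_s and not self.time_request_pending:
            self.time_request_pending = True
            self.events.append(("reapply-time", self.time_left_s))
            state = "reapply"
        if self.volume_left_bytes <= self.volume_threshold_bytes and not self.volume_request_pending:
            self.volume_request_pending = True
            self.events.append(("reapply-volume", self.volume_left_bytes))
            state = "reapply"
        # Exhausted before a new grant arrived: the session falls to the quota-out action.
        if self.time_left_s <= 0 or self.volume_left_bytes <= 0:
            self.events.append(("quota-out", self.profile))
            state = "quota-out"
        return state


def demo_prepaid1() -> list:
    """Walk a session through the prepaid1 thresholds (60 s, 10 Mbytes) of this example."""
    s = PrepaidSession("prepaid1", time_threshold_s=60, volume_threshold_bytes=10 * MBYTE)
    s.grant(time_s=600, volume_bytes=100 * MBYTE)  # constructed initial quota
    s.consume(500, 50 * MBYTE)                       # 100 s / 50 MB left: nothing to do
    s.consume(50, 45 * MBYTE)                        # 50 s / 5 MB left: both thresholds crossed
    s.grant(time_s=600)                              # server answers the time request only
    s.consume(100, 5 * MBYTE)                        # volume reaches 0 before a volume grant
    return s.events


if __name__ == "__main__":
    for event in demo_prepaid1():
        print(event)
```

The demo ends in quota-out because the volume request was never answered; with a volume grant before the last consume() call the session would stay in service, which is exactly the gap the threshold is meant to close.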

9. Configure interfaces.
a. Create a virtual template.
[~DeviceA] interface Virtual-Template 1
[*DeviceA-Virtual-Template1] commit
[~DeviceA-Virtual-Template1] quit

b. Configure a BAS interface.
[~DeviceA] interface GigabitEthernet0/1/2.1
[*DeviceA-GigabitEthernet0/1/2.1] user-vlan 1000 2000
[*DeviceA-GigabitEthernet0/1/2.1] user-vlan 1 1000 qinq 100
[*DeviceA-GigabitEthernet0/1/2.1] pppoe-server bind virtual-template 1
[*DeviceA-GigabitEthernet0/1/2.1] bas
[*DeviceA-GigabitEthernet0/1/2.1-bas] access-type layer2-subscriber default-domain pre-authentication domain1
[*DeviceA-GigabitEthernet0/1/2.1-bas] authentication-method ppp web
[*DeviceA-GigabitEthernet0/1/2.1-bas] quit
[*DeviceA-GigabitEthernet0/1/2.1] commit
[~DeviceA-GigabitEthernet0/1/2.1] quit

c. Configure an uplink interface.
[~DeviceA] interface GigabitEthernet0/1/0.1
[*DeviceA-GigabitEthernet0/1/0.1] vlan-type dot1q 1
[*DeviceA-GigabitEthernet0/1/0.1] ip address 192.168.100.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0.1] commit
[~DeviceA-GigabitEthernet0/1/0.1] quit
[~DeviceA] interface GigabitEthernet0/1/0.2
[*DeviceA-GigabitEthernet0/1/0.2] vlan-type dot1q 1
[*DeviceA-GigabitEthernet0/1/0.2] ip address 192.168.200.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/0.2] commit
[~DeviceA-GigabitEthernet0/1/0.2] quit

d. Configure the interface connected to the policy server, AAA server, and portal
server.
[~DeviceA] interface GigabitEthernet0/1/1
[*DeviceA-GigabitEthernet0/1/1] ip address 10.10.10.1 255.255.255.0
[*DeviceA-GigabitEthernet0/1/1] commit
[~DeviceA-GigabitEthernet0/1/1] quit


10. Configure login users.
# Configure the AAA server to deliver the RADIUS attribute User-Password with a
value of huawei@123 for the PPPoE users (users 1 and 2).

NOTE

The shared key configured for a RADIUS server group determines the content of the User-Password attribute.

# Configure the AAA server to deliver the RADIUS attribute HW-Account-Info
containing Aservice_edsg1 for user 1.
# Configure the AAA server to deliver the RADIUS attribute HW-Account-Info
containing Aservice_edsg2 for user 2.

NOTE

The content of the HW-Account-Info attribute starts with "A" followed by a service name. This
attribute is used in user authentication response packets to deliver EDSG services that
automatically take effect (directly activated after delivery).

Step 6 Verify the configuration.


After successfully configuring the RBP, run the display remote-backup-profile command.
The remote backup service type is bras. The RBP named profile1 is bound to
GigabitEthernet0/1/0.1 from which users attempt to get online. Device A is in the Master
state.
<~DeviceA> display remote-backup-profile profile1
-----------------------------------------------
Profile-Index : 0x803
Profile-Name : profile1
Service : bras
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : GigabitEthernet0/1/0.2
Interface :
GigabitEthernet0/1/0.1
State : Master
Peer-state : Slave
Backup mode : hot
Slot-Number : 1
Card-Number : 0
Port-Number : 0
IP-Pool : hsi
Traffic threshold : 50(MB)
Traffic interval : 10(minutes)
<~DeviceB> display remote-backup-profile profile1
-----------------------------------------------
Profile-Index : 0x803
Profile-Name : profile1
Service : bras
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : GigabitEthernet0/1/0.2
Interface :
GigabitEthernet0/1/0.1
State : Slave
Peer-state : Master
Backup mode : hot
Slot-Number : 1
Card-Number : 0


Port-Number : 0
IP-Pool : hsi
Traffic threshold : 50(MB)
Traffic interval : 10(minutes)

After successfully configuring the RBS, run the display remote-backup-service command.
The TCP connection is in the Connected state.
<~DeviceA> display remote-backup-service service1
----------------------------------------------------------
Service-Index : 0
Service-Name : service1
TCP-State : Connected
Peer-ip : 88.88.88.88
Source-ip : 22.22.22.22
TCP-Port : 2046
Track-BFD : --
Track-interface0 : GigabitEthernet0/2/0
Track-interface1 : --
----------------------------------------------------------

ip pool:
hsi metric 10
hsi-bak metric 10
ipv6 pool:
NAT instance : nat1
----------------------------------------------------------
Rbs-ID : 0
Protect-type : ip-redirect
Next-hop : 10.1.1.7
Vlanid : 0
Peer-ip : 10.1.1.7
Vrfid : 0
Tunnel-index : 0x0
Tunnel-state : UP
Tunnel-OperFlag: NORMAL
Spec-interface : GigabitEthernet0/3/0
Out-interface : GigabitEthernet0/3/0
User-number : 0
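
Checking the outputs above by eye works for one pair of devices; across many pairs it is worth scripting. The Python below is an added example, not Huawei code, that parses the "Key : Value" layout of the display remote-backup-profile and display remote-backup-service output into a dictionary and applies the checks the text states: both devices agree on profile name, service type, RBS, backup ID, VRRP ID and backup mode; exactly one is Master and the other Slave; each device's Peer-state mirrors the other's State; and the RBS TCP session is Connected. The embedded output is constructed to match the format shown on this page (field names are those of this example's output); in practice the captured command output is fed in instead.

```python
import re

_KV = re.compile(r"^([A-Za-z][A-Za-z0-9 _-]*?)\s*:\s*(.*)$")


def parse_display(text: str) -> dict:
    """Turn NE40E 'Key : Value' display output into a dict.

    A key with an empty value (for example 'Interface :') collects the
    following non-key lines into a list, matching the multi-line fields
    above. Separator lines and the command prompt are skipped.
    """
    fields = {}
    open_list = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"} or line.startswith("<"):
            continue
        m = _KV.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            if value:
                fields[key] = value
                open_list = None
            else:
                fields[key] = []
                open_list = fields[key]
        elif open_list is not None:
            open_list.append(line)
    return fields


def check_rbp_pair(out_a: str, out_b: str) -> list:
    """Return the problems found in a master/backup pair (empty list = consistent)."""
    a, b = parse_display(out_a), parse_display(out_b)
    problems = []
    for key in ("Profile-Name", "Service", "Remote-backup-service",
                "Backup-ID", "VRRP-ID", "Backup mode"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    if {a.get("State"), b.get("State")} != {"Master", "Slave"}:
        problems.append(f"expected one Master and one Slave, got {a.get('State')}/{b.get('State')}")
    if a.get("Peer-state") != b.get("State") or b.get("Peer-state") != a.get("State"):
        problems.append("Peer-state does not mirror the peer's State")
    return problems


def rbs_is_connected(rbs_out: str) -> bool:
    """True when the RBS TCP session to the peer is up."""
    return parse_display(rbs_out).get("TCP-State") == "Connected"


# Constructed sample output in the layout of this example (not a real capture).
RBP_DEVICE_A = """
<~DeviceA> display remote-backup-profile profile1
-----------------------------------------------
Profile-Index : 0x803
Profile-Name : profile1
Service : bras
Remote-backup-service: service1
Backup-ID : 10
track protocol : VRRP
VRRP-ID : 1
VRRP-Interface : GigabitEthernet0/1/0.2
Interface :
GigabitEthernet0/1/0.1
State : Master
Peer-state : Slave
Backup mode : hot
IP-Pool : hsi
"""

RBP_DEVICE_B = RBP_DEVICE_A.replace("State : Master", "State : Slave").replace(
    "Peer-state : Slave", "Peer-state : Master").replace("DeviceA", "DeviceB")

RBS_DEVICE_A = """
<~DeviceA> display remote-backup-service service1
----------------------------------------------------------
Service-Index : 0
Service-Name : service1
TCP-State : Connected
Peer-ip : 88.88.88.88
Source-ip : 22.22.22.22
TCP-Port : 2046
Track-interface0 : GigabitEthernet0/2/0
----------------------------------------------------------
"""

if __name__ == "__main__":
    print("RBP problems:", check_rbp_pair(RBP_DEVICE_A, RBP_DEVICE_B))
    print("RBS connected:", rbs_is_connected(RBS_DEVICE_A))
```

A non-empty list from check_rbp_pair, or False from rbs_is_connected, is the condition under which user backup cannot be trusted and the display backup-user check that follows will not show the expected entries.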

After users go online, run the display backup-user command to view user information that is
backed up.
<~DeviceA> display backup-user
Remote-backup-service: service1
Total Users Numer: 10
------------------------------------------------------------------------
100 101 102 103 104 105 106 107 108 109
------------------------------------------------------------------------

Run the display access-user interface command to view online user information on a
specified interface.
<~DeviceA> display access-user interface GigabitEthernet 0/1/0.1
------------------------------------------------------------------------------
UserID Username Interface IP address MAC
Vlan IPv6 address Access type
------------------------------------------------------------------------------
120 user@lsh GE0/1/0.1 2.2.2.10 0002-0101-0101
50/- - IPoE
101 user@lsh GE0/1/0.1 2.2.2.9
0002-0101-0102 -
50/- - IPoE
102 user@lsh GE0/1/0.1 2.2.2.8
0002-0101-0103 -
50/- - IPoE
103 user@lsh GE0/1/0.1 2.2.2.7
0002-0101-0104 -
50/- - IPoE


104 user@lsh GE0/1/0.1 2.2.2.6


0002-0101-0105 -
50/- - IPoE
105 user@lsh GE0/1/0.1 2.2.2.5
0002-0101-0106 -
50/- - IPoE
106 user@lsh GE0/1/0.1 2.2.2.4
0002-0101-0107 -
50/- - IPoE
107 user@lsh GE0/1/0.1 2.2.2.3
0002-0101-0108 -
50/- - IPoE
108 user@lsh GE0/1/0.1 2.2.2.2
0002-0101-0109 -
50/- - IPoE
109 user@lsh GE0/1/0.1 2.2.2.11
0002-0101-0110 -
50/- - IPoE
--------------------------------------------------------------------------
Normal users : 0
RUI Local users : 10
RUI Remote users : 0
Total users : 10

View the configuration of the EDSG service policy on Device A.


<DeviceA> display service-policy configuration name service_edsg1
------------------------------------------------
Service-policy-index : 0
Service-policy-name : service1
Service-policy-type : EDSG
Policy-storage-type : configuration
Reference-count : 0
Service-class-inbound :ef
Service-class-outbound :ef
Authentication-scheme-name : -
Accounting-scheme-name : default1
Radius-server-template : template1
Service-group-name : -
Service-group-priority : -
Inbound-cir : 100(kbps)
Inbound-pir : 100(kbps)
Inbound-cbs : 100(bytes)
Inbound-pbs : 3000(bytes)
Outbound-cir : 10000(kbps)
Outbound-pir : -
Outbound-cbs : -
Outbound-pbs : -
Prepaid-profile-name : -
Diameter monitor key : -
Inbound-match-usergroup : no
Outbound-match-usergroup : no
------------------------------------------------

----End

Configuration Files
• Device A configuration file
#
sysname DeviceA
#
ip pool hsi bas local
gateway 1.1.1.1 255.255.255.0
section 0 1.1.1.2 1.1.1.254
#
ip pool hsi-main-bak bas local rui-slave
gateway 2.2.2.2 255.255.255.0


section 0 2.2.2.3 2.2.2.254


#
aaa
domain userdomain1
authentication-scheme default0
accounting-scheme default0
ip-pool hsi
ip-pool hsi-main-bak
#
bfd bfd bind peer-ip 10.0.1.2
discriminator local 1
discriminator remote 2
commit
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 600
vrrp vrid 1 track bfd-session 1 peer
vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
#
remote-backup-service service1
peer 88.88.88.88 source 22.22.22.22 port 2046
track interface gigabitethernet 0/2/0
ip-pool hsi
ip-pool hsi-main-bak
protect redirect ip-nexthop 10.1.1.7 interface gigabitethernet 0/3/0
#
remote-backup-profile profile1
service-type bras
backup-id 10 remote-backup-service service1
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2
#
interface gigabitethernet 0/1/0.1
user-vlan 50
remote-backup-profile profile1
bas
access-type layer2-subscriber
authentication-method web
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
interface gigabitethernet 0/3/0
undo shutdown
ip address 10.1.1.6 255.255.255.0
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
ip pool edsg_pool bas local
gateway 172.32.0.0 255.255.0.0
section 0 172.32.0.0 172.32.255.255
#
aaa
authentication-scheme auth1
authentication-scheme radius
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool


radius-server group rad_group1


#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address
192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination
service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address
192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination
service-group s_2m
#
traffic classifier c1 operator or
if-match acl 6020
#
traffic classifier c2 operator or
if-match acl 6021
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1
classifier c2 behavior b2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
aaa
authentication-scheme auth1
#
accounting-scheme acct1
#
#
http-redirect-profile http_redirect_profile
web-server url http://www.sample.com
web-server mode post
#
prepaid-profile prepaid1
password cipher huawei@123
authentication-scheme auth1
accounting-scheme acct1
radius-server group rad_group1
threshold time 60 seconds
threshold volume 10 mbytes
#
prepaid-profile prepaid2
password cipher huawei@123
authentication-scheme auth1


accounting-scheme acct1
radius-server group rad_group1
threshold time 300 seconds
threshold volume 20 mbytes
quota-out redirect http_redirect_profile
#
service-policy download local radius rad_group1 password cipher huawei@123
#
service-policy name service_edsg1 edsg
radius-server group rad_group1
service-group s_1m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 1000 inbound
rate-limit cir 1000 outbound
prepaid-profile prepaid1
#
service-policy name service_edsg2 edsg
radius-server group rad_group1
service-group s_2m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 2000 inbound
rate-limit cir 2000 outbound
prepaid-profile prepaid2
#
interface GigabitEthernet0/1/2.1
user-vlan 1000 2000
user-vlan 1 1000 qinq 100
bas
#
access-type layer2-subscriber default-domain pre-authentication domain1
authentication-method ppp web
#
return
• Device B configuration file
#
sysname DeviceB
#
ip pool hsi-main bas local
gateway 2.2.2.2 255.255.255.0
section 0 2.2.2.3 2.2.2.253
#
ip pool hsi-bak bas local rui-slave
gateway 1.1.1.1 255.255.255.0
# LOCAL
section 0 1.1.1.2 1.1.1.253
# REMOTE
dhcp-server group gm1
#
aaa
domain userdomain1
authentication-scheme default0
accounting-scheme default0
#
bfd bfd bind peer-ip 10.0.1.1
discriminator local 2
discriminator remote 1
commit
#
interface gigabitethernet 0/1/0.2
vlan-type dot1q 200
ip address 10.0.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.100


admin-vrrp vrid 1
vrrp vrid 1 track bfd-session 2 peer
vrrp vrid 1 track interface gigabitethernet 0/2/0 reduced 50
#
remote-backup-service service1
peer 22.22.22.22 source 88.88.88.88 port 2046
track interface gigabitethernet 0/2/0
ip-pool hsi-main
ip-pool hsi-bak
protect redirect ip-nexthop 10.1.1.6 interface gigabitethernet 0/3/0
#
remote-backup-profile profile1
peer-backup hot
service-type bras
backup-id 10 remote-backup-service service1
peer-backup hot
vrrp-id 1 interface gigabitethernet 0/1/0.2
ip-pool hsi include hsi-main node 5
ip-pool hsi include hsi-bak node 10
#
interface gigabitethernet 0/1/0.1
user-vlan 50
remote-backup-profile profile1
bas
access-type layer2-subscriber
authentication-method web
vlan-type dot1q 1
ip address 192.168.100.1 255.255.255.0
#
interface gigabitethernet 0/3/0
undo shutdown
ip address 10.1.1.7 255.255.255.0
#
value-added-service enable
#
radius-server group rad_group1
radius-server authentication 10.10.10.2 1812 weight 0
radius-server accounting 10.10.10.2 1813 weight 0
radius-server shared-key-cipher %^%#x*CgITP4C~;q,*+DEW'JBWe#)"Q&|7bX]b:Y<{w'%^%#
#
ip pool edsg_pool bas local
gateway 172.32.0.0 255.255.0.0
section 0 172.32.0.0 172.32.255.255
#
aaa
authentication-scheme auth1
authentication-scheme radius
accounting-scheme acct1
accounting-mode radius
domain domain1
ip-pool edsg_pool
radius-server group rad_group1
#
service-group s_1m
service-group s_2m
#
acl number 6020
rule 10 permit ip source service-group s_1m destination ip-address
192.168.100.0 0.0.0.255
rule 20 permit ip source ip-address 192.168.100.0 0.0.0.255 destination
service-group s_1m
#
acl number 6021
rule 15 permit ip source service-group s_2m destination ip-address
192.168.200.0 0.0.0.255
rule 25 permit ip source ip-address 192.168.200.0 0.0.0.255 destination
service-group s_2m
#
traffic classifier c1 operator or


if-match acl 6020


#
traffic classifier c2 operator or
if-match acl 6021
#
traffic behavior b1
#
traffic behavior b2
#
traffic policy traffic_policy_edsg
share-mode
classifier c1 behavior b1
classifier c2 behavior b2
#
traffic-policy traffic_policy_edsg inbound
traffic-policy traffic_policy_edsg outbound
#
aaa
authentication-scheme auth1
#
accounting-scheme acct1
#
#
http-redirect-profile http_redirect_profile
web-server url http://www.sample.com
web-server mode post
#
prepaid-profile prepaid1
password cipher huawei@123
authentication-scheme auth1
accounting-scheme acct1
radius-server group rad_group1
threshold time 60 seconds
threshold volume 10 mbytes
#
prepaid-profile prepaid2
password cipher huawei@123
authentication-scheme auth1
accounting-scheme acct1
radius-server group rad_group1
threshold time 300 seconds
threshold volume 20 mbytes
quota-out redirect http_redirect_profile
#
service-policy download local radius rad_group1 password cipher huawei@123
#
service-policy name service_edsg1 edsg
radius-server group rad_group1
service-group s_1m
authentication-scheme auth1
accounting-scheme acct1


rate-limit cir 1000 inbound


rate-limit cir 1000 outbound
prepaid-profile prepaid1
#
service-policy name service_edsg2 edsg
radius-server group rad_group1
service-group s_2m
authentication-scheme auth1
accounting-scheme acct1
rate-limit cir 2000 inbound
rate-limit cir 2000 outbound
prepaid-profile prepaid2
#
interface GigabitEthernet0/1/2.1
user-vlan 1000 2000
user-vlan 1 1000 qinq 100
bas
#
access-type layer2-subscriber default-domain pre-authentication domain1
authentication-method ppp web
#
return

13.11.9 Example for Configuring Dual-device Hot Backup for Layer 3 Static IPv4 Users
This section provides an example for configuring dual-device hot backup for Layer 3 static
IPv4 users and a networking diagram for understanding usage scenarios and configuration
procedures.

Usage Scenario
With the rapid development of IP technologies, various value-added services are widely used
on the Internet. Carrier-class services, such as emerging IPTV, NGN, 4G, VIP customers'
leased line, and VPN interconnection, place higher requirements on IP network reliability. IP
network reliability for carrier-class services includes device, link, and network reliability. On
a bearer network, the availability of a network device is required to reach 99.999%; that is, the
device downtime in a year must be less than 5 minutes. High reliability is a basic requirement
for carrier-class devices.

The NE40E functions as an edge router that carries multiple services and plays a transitional
role on a network. It is connected to the core network to implement the Layer 3 routing
function and to the aggregation network to terminate the Layer 2 user packets so that users
can access the aggregation network. Additionally, the NE40E carries triple play services
including HSI, VoIP, and IPTV, which raises the bar for high reliability. The NE40E
provides service-level high-reliability technologies. Non-stop data flow forwarding does not
mean that user services are not interrupted. If a network node or link fails, user traffic is
switched to a backup device. However, if user information is not synchronized to a backup
device, user services will be interrupted. High reliability has been considered when the
NE40E is designed to function as a network edge service aggregation and control device,
which ensures that users' HSI, IPTV, and VoIP services are not interrupted if a network node
or link fault occurs. Dual-device hot backup is designed to meet the preceding reliability
requirements.

Networking Requirements
As shown in Figure 13-9, users access PE1 and PE2 through the CE. An Eth-Trunk interface
is configured on each PE, and the two PEs are directly connected. A VRRP backup group is


configured on PE1 and PE2 to track the status of Eth-Trunk member interfaces. Access links
are bound together on the CE, and the LACP protocol is run to work with the PEs to select the
active and standby links. This ensures that services can be immediately switched to the
backup device if the master device fails after users go online.

Figure 13-9 Networking diagram for configuring dual-device hot backup for Layer 3 static
IPv4 users
NOTE

In this example, interface1, interface2, interface3, interface4, and interface5 represent GE0/1/0,
GE0/1/1, GE0/1/5, GE0/2/0, and GE0/2/3, respectively.

[Figure 13-9, diagram not reproduced; labels recoverable from the page: IP Core, PE1, PE2, interface1 to interface5, and VRRP between PE1 and PE2.]

Device   Interface   IP Address
PE1      GE0/1/0     Trunk member interface
         GE0/1/1     10.1.1.1/24 (network-side interface)
         GE0/1/5     193.1.2.2/24 (IP address of the interface running VRRP)
         Loopback1   10.1.2.2/32 (IP address of PE1's interface with an RBS deployed)
PE2      GE0/1/2     Trunk member interface
         GE0/1/3     11.1.1.2/24 (network-side interface)
         GE0/1/5     193.1.2.1/24 (IP address of the interface running VRRP)
         Loopback1   10.1.2.2/32 (IP address of PE2's interface with an RBS deployed)

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure basic user access functions and ensure that the two devices working in master/backup
mode have the same configuration. For configuration details, see HUAWEI
NE40E-M2 Series Universal Service Router Configuration Guide > User Access.
2. Configure Eth-Trunk interfaces to work in static LACP mode. For configuration details,
see HUAWEI NE40E-M2 Series Universal Service Router Configuration Guide > LAN
Access and MAN Access.
3. Configure a VRRP backup group on PE1 and PE2.
4. Configure VRRP to track the interface status.
5. Associate the Eth-Trunk interfaces working in static LACP mode on the PEs with the
VRRP backup group.

Data Preparation
To complete the configuration, you need the following data:
• VRRP parameters (VRRP ID)
• IP address of each interface on PE1 and PE2
• Backup ID, which works together with an RBS to identify an RBP to which users belong
• User access parameters

Procedure
Step 1 Configure user access.
For configuration details, see HUAWEI NE40E-M2 Series Universal Service Router
Configuration Guide > User Guide > AAA and User Management Configuration.
Step 2 Configure Eth-Trunk interfaces to work in static LACP mode, and add the member interfaces
GE0/2/0 and GE0/2/3 to the Eth-Trunk interfaces.
# Configure CE1.
<HUAWEI> system-view
[~HUAWEI] sysname CE1
[*HUAWEI] commit
[~CE1] interface Eth-Trunk 20
[*CE1-Eth-Trunk20] mode lacp-static
[*CE1-Eth-Trunk20] lacp timeout fast
[*CE1-Eth-Trunk20] trunkport gigabitethernet 0/2/0 to 0/2/3
[*CE1-Eth-Trunk20] commit
[~CE1-Eth-Trunk20] quit

# Configure PE1.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[*HUAWEI] commit
[~PE1] interface Eth-Trunk 10
[*PE1-Eth-Trunk10] mac-address 0000-0000-0001
[*PE1-Eth-Trunk10] mode lacp-static
[*PE1-Eth-Trunk10] lacp timeout fast
[*PE1-Eth-Trunk10] trunkport gigabitethernet 0/1/0
[*PE1-Eth-Trunk10] commit
[~PE1-Eth-Trunk10] quit

# Configure PE2.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[*HUAWEI] commit


[~PE2] interface Eth-Trunk 12


[*PE2-Eth-Trunk12] mac-address 0000-0000-0001
[*PE2-Eth-Trunk12] mode lacp-static
[*PE2-Eth-Trunk12] lacp timeout fast
[*PE2-Eth-Trunk12] trunkport gigabitethernet 0/1/2
[*PE2-Eth-Trunk12] commit
[~PE2-Eth-Trunk12] quit

Step 3 Configure a VRRP backup group.


# Configure the IP address of the GE interface, and set the VRRP priority of PE1 in the VRRP
backup group to 120 (as the master device).
[~PE1] interface Gigabitethernet 0/1/5
[~PE1-Gigabitethernet0/1/5] undo shutdown
[*PE1-Gigabitethernet0/1/5] ip address 193.1.2.2 255.255.255.0
[*PE1-Gigabitethernet0/1/5] vrrp vrid 120 virtual-ip 193.1.2.100
[*PE1-Gigabitethernet0/1/5] vrrp vrid 120 priority 120
[*PE1-Gigabitethernet0/1/5] admin-vrrp vrid 120 ignore-if-down
[*PE1-Gigabitethernet0/1/5] commit

# Configure the IP address of the GE interface, and leave the VRRP priority of PE2 in the VRRP
backup group at the default value (as the backup device).
[~PE2] interface Gigabitethernet 0/1/5
[*PE2-Gigabitethernet0/1/5] undo shutdown
[*PE2-Gigabitethernet0/1/5] ip address 193.1.2.1 255.255.255.0
[*PE2-Gigabitethernet0/1/5] vrrp vrid 120 virtual-ip 193.1.2.100
[*PE2-Gigabitethernet0/1/5] admin-vrrp vrid 120 ignore-if-down
[*PE2-Gigabitethernet0/1/5] commit

Step 4 Configure the VRRP backup group to track the interface status.
# Configure VRRP on PE1 to track the interface status.
[~PE1-Gigabitethernet0/1/5] vrrp vrid 120 track interface Gigabitethernet 0/1/0 reduced 40
[*PE1-Gigabitethernet0/1/5] vrrp vrid 120 track interface Gigabitethernet 0/1/1 reduced 40
[*PE1-Gigabitethernet0/1/5] commit
[~PE1-Gigabitethernet0/1/5] quit

# Configure VRRP on PE2 to track the interface status.


[~PE2-Gigabitethernet0/1/5] vrrp vrid 120 track interface Gigabitethernet 0/1/3 reduced 40
[*PE2-Gigabitethernet0/1/5] vrrp vrid 120 track interface Gigabitethernet 0/1/2 reduced 40
[*PE2-Gigabitethernet0/1/5] commit
[~PE2-Gigabitethernet0/1/5] quit

Step 5 Associate the Eth-Trunk interfaces working in static LACP mode with the VRRP backup
group.
# Associate PE1's Eth-Trunk interface working in static LACP mode with the VRRP backup
group.
[~PE1] interface Eth-Trunk 10
[*PE1-Eth-Trunk 10] lacp track vrrp vrid 120 interface Gigabitethernet 0/1/5
[*PE1-Eth-Trunk 10] commit
[~PE1-Eth-Trunk 10] quit

# Associate PE2's Eth-Trunk interface working in static LACP mode with the VRRP backup
group.
[~PE2] interface Eth-Trunk 12
[*PE2-Eth-Trunk 12] lacp track vrrp vrid 120 interface Gigabitethernet 0/1/5
[*PE2-Eth-Trunk 12] commit


[~PE2-Eth-Trunk 12] quit
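
Steps 3 to 5 together decide which PE the CE's trunk treats as the active link: the VRRP priorities (120 on PE1, the default of 100 on PE2) are lowered by 40 for each tracked interface that goes down, the higher effective priority holds the Master role, and lacp track vrrp ties the Eth-Trunk's LACP role to that VRRP state. The Python below is an added model of this election, not code from the NE40E, using the interfaces and reduce values of this example. Immediate preemption, the RFC 3768 tie-break on the higher primary IP address, and clamping the priority at 1 are assumptions of the model rather than statements about the device.

```python
import ipaddress

DEFAULT_VRRP_PRIORITY = 100  # RFC 3768 default; PE2 keeps it in this example


def effective_priority(configured: int, tracked: dict, link_up: dict) -> int:
    """Configured priority minus the 'reduced' value of every tracked interface that is down.

    tracked maps interface name -> reduce value (the 'reduced 40' of Step 4);
    link_up maps interface name -> True/False (missing means up).
    The result is clamped at 1 (model assumption).
    """
    prio = configured
    for ifname, reduce_by in tracked.items():
        if not link_up.get(ifname, True):
            prio -= reduce_by
    return max(prio, 1)


def elect_master(candidates: dict) -> str:
    """candidates: name -> (effective priority, VRRP interface IP).

    Highest priority wins; an exact tie goes to the higher primary IP address
    (RFC 3768 section 6.4.2).
    """
    return max(candidates,
               key=lambda n: (candidates[n][0], int(ipaddress.ip_address(candidates[n][1]))))


# Tracking configured in Step 4 of this example.
PE1_TRACKED = {"GigabitEthernet0/1/0": 40, "GigabitEthernet0/1/1": 40}
PE2_TRACKED = {"GigabitEthernet0/1/2": 40, "GigabitEthernet0/1/3": 40}


def vrrp_master(pe1_links: dict, pe2_links: dict) -> str:
    """Which PE is VRRP Master (and so carries the active LACP link) for the given link states."""
    pe1 = effective_priority(120, PE1_TRACKED, pe1_links)
    pe2 = effective_priority(DEFAULT_VRRP_PRIORITY, PE2_TRACKED, pe2_links)
    return elect_master({"PE1": (pe1, "193.1.2.2"), "PE2": (pe2, "193.1.2.1")})


def failover_table() -> list:
    """Enumerate the interesting link-state combinations and the resulting Master."""
    rows = []
    for pe1_down in ([], ["GigabitEthernet0/1/1"],
                     ["GigabitEthernet0/1/0", "GigabitEthernet0/1/1"]):
        for pe2_down in ([], ["GigabitEthernet0/1/3"]):
            pe1_links = {i: i not in pe1_down for i in PE1_TRACKED}
            pe2_links = {i: i not in pe2_down for i in PE2_TRACKED}
            rows.append((tuple(pe1_down), tuple(pe2_down), vrrp_master(pe1_links, pe2_links)))
    return rows


if __name__ == "__main__":
    for pe1_down, pe2_down, master in failover_table():
        print(f"PE1 down={list(pe1_down)} PE2 down={list(pe2_down)} -> Master {master}")
```

The table shows why the reduce value matters: a single interface failure on PE1 drops it from 120 to 80, below PE2's 100, so one lost uplink or access link is enough to move the Master role and, through lacp track vrrp, the CE's active trunk link to PE2. A reduce value below 20 would leave PE1 as Master with a dead uplink.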

Step 6 Configure an IP address pool.

# Configure an address pool named ln.


[~PE1] ip pool ln bas local
[*PE1-ip-pool-ln] gateway 200.0.0.1 255.255.255.0
[*PE1-ip-pool-ln] section 200.0.0.2 200.0.0.255
[*PE1-ip-pool-ln] excluded-ip-address 200.0.0.2 200.0.0.254
[*PE1-ip-pool-ln] commit
[~PE1-ip-pool-ln] quit

Step 7 Configure an RBS, address pool, and RBP. Take the command output on PE1 as an example.

# Configure an RBS named s1.


[~PE1] remote-backup-service s1
[*PE1-rm-backup-srv-s1] peer 172.16.18.1 source 172.16.18.2 port 12012
[*PE1-rm-backup-srv-s1] track interface GigabitEthernet 0/1/1
[*PE1-rm-backup-srv-s1] commit
[~PE1-rm-backup-srv-s1] quit

# Configure an RBP named p1.


[~PE1] remote-backup-profile p1
[*PE1-rm-backup-prf-p1] service-type bras
[*PE1-rm-backup-prf-p1] backup-id 1 remote-backup-service s1
[*PE1-rm-backup-prf-p1] peer-backup hot
[*PE1-rm-backup-prf-p1] vrrp-id 120 interface gigabitethernet 0/1/5
[*PE1-rm-backup-prf-p1] ip-pool ln
[*PE1-rm-backup-prf-p1] commit
[~PE1-rm-backup-prf-p1] quit

Step 8 Configure a user-side interface.

# Configure PE1.

# Configure Layer 3 static users to be triggered to go online through IP packets.


[~PE1] layer3-subscriber 200.0.0.1 200.0.0.254 domain-name test_hou
[*PE1] interface Eth-Trunk 10.1
[*PE1-Eth-Trunk 10.1] vlan-type dot1q 10
[*PE1-Eth-Trunk 10.1] ip address 20.0.0.1 255.255.255.0
[*PE1-Eth-Trunk 10.1] bas
[*PE1-Eth-Trunk 10.1-bas] access-type layer3-subscriber default-domain authentication test_hou
[*PE1-Eth-Trunk 10.1-bas] commit

# Configure PE2.

# Configure Layer 3 static users to be triggered to go online through IP packets.


[~PE2] layer3-subscriber 200.0.0.1 200.0.0.254 domain-name test_hou
[*PE2] interface Eth-Trunk 12.1
[*PE2-Eth-Trunk 12.1] vlan-type dot1q 10
[*PE2-Eth-Trunk 12.1] ip address 20.0.0.1 255.255.255.0
[*PE2-Eth-Trunk 12.1] bas
[*PE2-Eth-Trunk 12.1-bas] access-type layer3-subscriber default-domain authentication test_hou
[*PE2-Eth-Trunk 12.1-bas] commit

Step 9 Verify the configuration.

After completing the configurations, run the display remote-backup-profile command. The
command output shows that the status of PE1 is Master and that of PE2 is Slave.
<PE1> display remote-backup-profile p1


-----------------------------------------------
Profile-Index : 0x1000
Profile-Name : p1
Service : bras
Remote-backup-service: s1
Backup-ID : 1
track protocol : VRRP
VRRP-ID : 120
VRRP-Interface : GigabitEthernet0/1/5
Access-Control : --
State : Slave
Peer State : Master
Interface :
Eth-Trunk12.2
Eth-Trunk12.111
Backup mode : hot
Slot-Number : --
Card-Number : --
Port-Number : --
Traffic threshold : 50(MB)
Traffic interval : 10(minutes)
IP-Pool :
ln
Forwarding Configured: Slave Forwarding
<PE1> display remote-backup-service S1
----------------------------------------------------------
Service-Index : 1
Service-Name : s1
TCP-State : Connected
Peer-ip : 172.16.18.2
Source-ip : 172.16.18.1
TCP-Port : 12012
Track-BFD : -
SSL-Policy-Name : --
SSL-State : --
Last up time : 2016-08-02 15:34:36
Track-interface0 : GigabitEthernet0/1/1
Weight : 10
Uplink state : 2 (1:DOWN 2:UP)
Domain-map-list : --
Send Q pkt count : 0
----------------------------------------------------------

ip pool:
ipv6 pool:
Failure ratio : 100%
Failure duration : 0 min
pool route status: 2
switch mark : 2
----------------------------------------------------------
Rbs-ID : 0
Protect-type : public(unknown)
Tunnel-policy : yhz
Peer-ip : 172.16.18.2
Vrfid : 0
Tunnel-state : DOWN
Tunnel-OperFlag: NORMAL
Spec-interface : Null
Total users : 0

----End

Configuration Files
• PE1 configuration file
#
sysname PE1
#


aaa
domain huawei
authentication-scheme default0
accounting-scheme default0
ip-pool ln
#
ip pool ln bas local
gateway 200.0.0.1 255.255.255.0
section 0 200.0.0.2 200.0.0.255
excluded-ip-address 200.0.0.2 200.0.0.254
#
remote-backup-service s1
peer 172.16.18.1 source 172.16.18.2 port 12012
track interface GigabitEthernet0/1/1
#
remote-backup-profile p1
service-type bras
backup-id 1 remote-backup-service s1
peer-backup hot
vrrp-id 120 interface GigabitEthernet0/1/5
ip-pool ln
#
layer3-subscriber 200.0.0.2 200.0.0.254 domain-name test
#
interface Eth-Trunk10
mac-address 0000-0000-0001
mode lacp-static
lacp timeout fast
lacp track vrrp vrid 120 interface GigabitEthernet0/1/5
#
interface Eth-Trunk 10.1

vlan-type dot1q 10
ip address 50.0.0.1 255.255.255.0
bas
#
access-type layer3-subscriber default-domain pre-authentication test authentication test_hou
#
#
interface GigabitEthernet0/1/1
undo shutdown
ip address 10.1.1.2 255.255.255.0
dcn
#
interface GigabitEthernet0/1/5
undo shutdown
ip address 193.1.2.2 255.255.255.0
vrrp vrid 120 virtual-ip 193.1.2.100
admin-vrrp vrid 120 ignore-if-down
vrrp vrid 120 priority 120
vrrp vrid 120 track interface GigabitEthernet0/1/0 reduced 40
vrrp vrid 120 track interface GigabitEthernet0/1/1 reduced 40
dcn
#
interface GigabitEthernet0/1/0
undo shutdown
eth-trunk 10
dcn
#
interface GigabitEthernet0/1/1
undo shutdown
ip address 10.1.1.2 255.255.255.0
dcn
#
#
ospf 1
default cost inherit-metric
import-route direct
import-route unr
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 12.1.1.0 0.0.0.255
#

• PE2 configuration file
#
sysname PE1
#
aaa
domain huawei
authentication-scheme default0
accounting-scheme default0
ip-pool ln
#
ip pool ln bas local
gateway 200.0.0.1 255.255.255.0
section 0 200.0.0.2 200.0.0.255
excluded-ip-address 200.0.0.2 200.0.0.254
#
remote-backup-service s2
peer 172.16.18.2 source 172.16.18.1 port 12012
track interface GigabitEthernet0/1/3
#
interface Eth-Trunk12
mac-address 0000-0000-0001
mode lacp-static
lacp timeout fast
lacp track vrrp vrid 120 interface GigabitEthernet0/1/5
#
interface Eth-Trunk 12.1
vlan-type dot1q 10
ip address 193.1.2.1 255.255.255.0
bas
#
access-type layer3-subscriber default-domain pre-authentication test
authentication test_hou
#
#
interface GigabitEthernet0/1/5
undo shutdown
vrrp vrid 120 virtual-ip 193.1.2.100
admin-vrrp vrid 120 ignore-if-down
vrrp vrid 120 track interface GigabitEthernet0/1/2
vrrp vrid 120 track interface GigabitEthernet0/1/3 reduced 40
dcn
#
interface GigabitEthernet0/1/3
undo shutdown
ip address 11.1.1.2 255.255.255.0
#
interface GigabitEthernet0/1/2
undo shutdown
eth-trunk 12
dcn
#
#
ospf 1
default cost inherit-metric
import-route direct
import-route unr
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
network 12.1.1.0 0.0.0.255
#
interface Loopback1
undo shutdown
ip address 172.16.18.1 255.255.255.0
#

14 Configuring SAID for BRAS Services

Manual fault diagnosis is time-consuming and locating fault points is difficult on networks
that have various types of users, large numbers of access users, and peripheral interworking
devices. The System of Active Immunization and Diagnosis (SAID) can therefore be used to
implement self-diagnosis and self-recovery of service nodes for user access.

Usage Scenario
The SAID is used to identify typical faults and automatically diagnose and rectify the faults.
The SAID function is enabled by default in typical BRAS scenarios to allow a device to
periodically detect whether the number of online users or traffic rates are abnormal. When a
large number of login failures or a sudden decrease in traffic is diagnosed and the time
condition for self-healing is met, the system generates a log and determines whether to trigger
self-healing (perform a master/slave switchover or restart a board/subcard).

Pre-configuration Tasks
None

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run undo set said-node disable
The default SAID node configuration is restored.

NOTE

To check the status of SAID nodes, run the display said-node brief command. When OPERATE is set
to Enable, SAID nodes are enabled; when OPERATE is set to Disable, SAID nodes are disabled.

Step 4 Run aaa-said check-rule rule1 online-fail-num increase increase-num
The login failure increment within 10 minutes that can trigger fault detection on SAID
nodes is set.
Step 5 Run aaa-said check-rule online-fail-reason exclude fail-code fail-code
Login failures with the specified cause code are excluded from detection and diagnosis on
SAID nodes.
Step 6 Run aaa-said diag-rule online-fail-num increase fail-num user-num reduce user-num
online-success-ratio below succ-rate
The login failure increment within 10 minutes, the reduction in the number of online users,
and the login success ratio below which fault diagnosis is triggered on SAID nodes are set.
Step 7 Run aaa-said recover interval-time interval-time
The interval between two same SAID recovery operations is set.
Step 8 Run aaa-said enable
The SAID function is enabled.

NOTE

Run the display aaa configuration command to check the enabling status of SAID. In the command
output, if the Said switch field is displayed as enable, SAID is enabled. If the Said switch field is
displayed as disable, SAID is not enabled.

Step 9 Run aaa-said check-rule user-number reduce-ratio reduce-ratio
The user reduction rate threshold over which fault diagnosis and self-healing are triggered on
SAID nodes is set.
Step 10 Run aaa-said check-rule flow-speed reduce-ratio reduce-ratio
The traffic reduction rate threshold over which fault diagnosis and self-healing are triggered
on SAID nodes is set.

----End
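The thresholds set in Steps 4 to 10 work together as one detection loop: check-rules start detection and a log, the diag-rule decides whether self-healing follows, and the recover interval spaces repeated self-healing. The Python model below is an added example, not code from the Huawei guide or the device; it assumes that the three diag-rule conditions must all hold at once (the guide does not say how they combine), and the cause codes c1 and c9, the RULES thresholds and the SAMPLES counters are constructed.

```python
# Added example, not from the Huawei guide: SAID check/diag/recover thresholds of Steps 4-10
from collections import namedtuple

# constructed 10-minute window of BRAS counters; fails_by_code maps a login-failure cause code -> count
Sample = namedtuple("Sample", "minute attempts fails_by_code online_users flow_speed")
# fields mirror, in order, the aaa-said check-rule (Steps 4, 9, 10), online-fail-reason exclude
# (Step 5), diag-rule (Step 6) and recover interval-time (Step 7) parameters
SaidRules = namedtuple("SaidRules", "check_fail_increase check_user_reduce_pct "
                       "check_flow_reduce_pct exclude_codes diag_fail_increase "
                       "diag_user_reduce diag_success_below_pct recover_interval_min")

def counted_fails(s, rules):  # failures SAID still counts once excluded cause codes are dropped
    return sum(n for c, n in s.fails_by_code.items() if c not in rules.exclude_codes)

def reduce_pct(prev, cur):
    return 0.0 if prev <= 0 else max(0.0, (prev - cur) * 100.0 / prev)

def check(prev, cur, rules):
    # check-rule thresholds that start fault detection; returns the names of the rules hit
    tests = {
        "online-fail-num": counted_fails(cur, rules) - counted_fails(prev, rules) >= rules.check_fail_increase,
        "user-number": reduce_pct(prev.online_users, cur.online_users) >= rules.check_user_reduce_pct,
        "flow-speed": reduce_pct(prev.flow_speed, cur.flow_speed) >= rules.check_flow_reduce_pct,
    }
    return [name for name, hit in tests.items() if hit]

def diagnose(prev, cur, rules):
    # diag-rule; assumption (the guide does not say how the three combine): all must hold at once
    fails = counted_fails(cur, rules)
    succ = (cur.attempts - fails) * 100.0 / max(cur.attempts, 1)
    return (fails - counted_fails(prev, rules) >= rules.diag_fail_increase
            and prev.online_users - cur.online_users >= rules.diag_user_reduce
            and succ < rules.diag_success_below_pct)

def run(samples, rules):
    # (minute, action) events: a log on every detection, self-healing only when the diag-rule
    # holds and the recover interval since the previous self-healing has elapsed
    events, last = [], None
    for prev, cur in zip(samples, samples[1:]):
        if not check(prev, cur, rules):
            continue
        events.append((cur.minute, "log"))
        if diagnose(prev, cur, rules) and (last is None or cur.minute - last >= rules.recover_interval_min):
            events.append((cur.minute, "self-heal"))
            last = cur.minute
    return events

RULES = SaidRules(50, 30.0, 50.0, {"c9"}, 40, 300, 60.0, 30)   # constructed thresholds; c9 is excluded
SAMPLES = [Sample(0, 1000, {"c1": 10}, 1000, 900.0),             # healthy baseline
           Sample(10, 1000, {"c1": 10, "c9": 200}, 990, 880.0),  # only the excluded code spikes
           Sample(20, 1000, {"c1": 500}, 600, 100.0)]            # outage: failures, users, traffic
```

Running `run(SAMPLES, RULES)` yields a log and a self-healing event at minute 20 only; the spike of the excluded cause code at minute 10 triggers nothing.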

Follow-up Procedure
Run the display aaa configuration command to check the configuration of the SAID
function.
