ZXR10 M6000 (V2.00.20) Carrier-Class Router Configuration Guide (IPv4 BRAS)

ZXR10 M6000
Carrier-Class Router
Configuration Guide (IPv4 BRAS)
Version: 2.00.20
ZTE CORPORATION
No. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://support.zte.com.cn
E-mail: support@zte.com.cn
LEGAL INFORMATION
Copyright © 2014 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit the ZTE technical support website http://support.zte.com.cn to inquire for related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.
Revision History
Revision No. Revision Date Revision Reason
R2.1 2014-10-15 Fourth edition.
Adds chapter “Relation Binding Between Domain Name and WEB

Server”.
R2.0 2014-02-15 Third edition.
R1.1 2013-08-30 Second edition.
“LEASED-LINE Configuration” is added.
“AC Separation Access Configuration” is added.
“L2VPN Access Configuration” is added.
R1.0 2013-07-05 First edition.
Serial Number: SJ-20140211164601-022
Publishing Date: 2014-10-15 (R2.1)
SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

Contents
About This Manual ......................................................................................... I
Chapter 1 BRAS Service Overview ........................................................... 1-1
Chapter 2 IPoEv4 Configuration ............................................................... 2-1
2.1 IPoEv4 Overview................................................................................................ 2-1
2.2 Authentication Access Modes ............................................................................. 2-4
2.3 Configuring IPoEv4 ............................................................................................ 2-7
2.4 IPoEv4 Configuration Examples ........................................................................ 2-13
2.4.1 Example: Option Authentication Configuration (Server Mode) ................... 2-13
2.4.2 Example: Circuit Authentication Configuration (Server Mode).................... 2-17
2.4.3 Example: DHCP+WEB Authentication Configuration (Server Mode) .......... 2-21
2.4.4 Option Authentication Configuration Example (Relay Mode)...................... 2-26
2.4.5 Circuit Authentication Configuration Instance (Relay Mode) ...................... 2-31
2.4.6 DHCP+WEB Authentication Configuration Instance (Relay Mode) ............. 2-37
Chapter 3 IP-HOSTv4 Configuration......................................................... 3-1

3.1 IP-HOSTv4 Overview ......................................................................................... 3-1
3.2 Configuring IP-HOSTv4 ...................................................................................... 3-3
3.3 Example: IP-HOSTv4 Configuration .................................................................... 3-6
Chapter 4 PPPoEv4 Configuration............................................................ 4-1

4.1 PPPoEv4 Overview ............................................................................................ 4-1
4.2 Configuring PPPoEv4 ......................................................................................... 4-3
4.3 PPPoEv4 Configuration Examples....................................................................... 4-6
4.3.1 Example: PPPoEv4 Configuration ............................................................. 4-6
4.3.2 Example: PPPoEoVv4 Configuration ....................................................... 4-10
4.3.3 Account Sharing Configuration Example .................................................. 4-14
4.3.4 Exact Binding Configuration Example ...................................................... 4-16
4.3.5 Example of the Multi-Level Domain Name Resolution Configuration .......... 4-20
Chapter 5 VPDN Configuration ................................................................. 5-1

5.1 VPDN Overview ................................................................................................. 5-1
5.2 Configuring VPDN .............................................................................................. 5-5
5.3 VPDN Configuration Examples.......................................................................... 5-10
5.3.1 LAC Configuration Example .................................................................... 5-10
5.3.2 Example: LTS Configuration ................................................................... 5-15
5.3.3 LNS Configuration Example .................................................................... 5-19

5.3.4 Configuration Example for CGN Flexible Protection Solution in L2TP
Mode ................................................................................................... 5-24
Chapter 6 BRAS AAA Configuration ........................................................ 6-1

6.1 BRAS AAA Overview.......................................................................................... 6-1
6.2 Configuring BRAS AAA ...................................................................................... 6-2
6.3 BRAS AAA Configuration Example...................................................................... 6-5
Chapter 7 BRAS RADIUS Configuration .................................................. 7-1

7.1 BRAS RADIUS Overview.................................................................................... 7-1
7.2 Configuring BRAS RADIUS................................................................................. 7-3
7.2.1 Configuring BRAS RADIUS Client ............................................................. 7-3
7.2.2 Configuring BRAS RADIUS PROXY .......................................................... 7-8
7.3 BRAS RADIUS Configuration Example .............................................................. 7-10
7.3.1 BRAS RADIUS Client Configuration Example .......................................... 7-10
7.3.2 BRAS RADIUS Proxy Server Configuration Example................................ 7-12
Chapter 8 Dynamic VLAN Configuration.................................................. 8-1

8.1 Dynamic VLAN Overview.................................................................................... 8-1
8.2 Configuring a Dynamic VLAN.............................................................................. 8-2
8.3 Example: Dynamic VLAN Configuration............................................................... 8-3
Chapter 9 Subscriber Management Configuration.................................. 9-1

9.1 Subscriber Management Overview ...................................................................... 9-1
9.2 Configuring User Management............................................................................ 9-4
9.3 Subscriber Management Configuration Examples................................................. 9-7
9.3.1 Example: Roaming Domain Configuration ................................................. 9-7
9.3.2 Example: Subscriber Offline Code Adjustment Configuration .....................9-11
9.3.3 Example: Authentication Frequency Control Configuration........................ 9-12
9.3.4 Example: Address Pool Usage Configuration ........................................... 9-13
9.3.5 Default Domain Configuration Example.................................................... 9-15
9.3.6 Example of the User Access Control Configuration................................... 9-18
Chapter 10 Page Push Configuration ..................................................... 10-1

10.1 Page Push Overview ...................................................................................... 10-1
10.2 Configuring Page Push ................................................................................... 10-3
10.3 Page Push Configuration Examples................................................................. 10-8
10.3.1 Example: PPPoX Advertisement Push Configuration .............................. 10-8
10.3.2 Example: Arrear Push Configuration.....................................................10-12
Chapter 11 BRAS SmartGroup Access Configuration.......................... 11-1

11.1 BRAS SmartGroup Access Overview ................................................................11-1
II

11.2 Configuring BRAS SmartGroup Access.............................................................11-2
11.3 BRAS SmartGroup Access Configuration Examples ..........................................11-3
11.3.1 Example: PPPoE-Mode QinQ Access Configuration ................................11-3
11.3.2 Example: IP-HOST-Mode QinQ Access Configuration .............................11-9
Chapter 12 ATM Access Configuration .................................................. 12-1

12.1 ATM Access Overview .................................................................................... 12-1
12.2 Configuring BRAS ATM Access ....................................................................... 12-2
12.3 Example: ATM Access Configuration ............................................................... 12-3
Chapter 13 Layer-3 Access Configuration ............................................. 13-1

13.1 Layer-3 Access Overview ............................................................................... 13-1
13.2 Configuring Layer-3 Access of DHCP Users..................................................... 13-6
13.3 Configuring Layer-3 Access of MHOX Static Users (Authorization Only) ...........13-12
13.4 Configuring Layer-3 Access of MHOX Static Users..........................................13-14
13.5 Configuring Layer-3 Access of MHOX Users (Web-Based Forced Push and
Stream-Triggered Authentication) ...................................................................13-17
13.6 Layer-3 Access Configuration Examples .........................................................13-20
13.6.1 Example: DHCP Option User Access Configuration...............................13-20
13.6.2 Example: DHCP WEB User Access Configuration.................................13-26
13.6.3 Example: Static User Access Configuration ..........................................13-30
13.6.4 Example: Stream User Access Configuration ........................................13-35
Chapter 14 User-Side Multicastv4 Configuration .................................. 14-1

14.1 User-Side Multicastv4 Overview ...................................................................... 14-1
14.2 Configuring User-Side Multicastv4 ................................................................... 14-2
14.3 User-Side Multicastv4 Cnfiguration Examples .................................................. 14-8
14.3.1 Example: IPoEv4 Subscriber Multicast Group Access Configuration ........ 14-8
14.3.2 Example: PPPoEv4 Subscriber Multicast Group Access
Configuration .......................................................................................14-15
Chapter 15 User-Side QoSv4 Configuration .......................................... 15-1

15.1 User-Side QoSv4 Overview............................................................................. 15-1
15.2 Configuring User-Side QoSv4 ......................................................................... 15-3
15.3 User-Side QoSv4 Configuration Examples ....................................................... 15-5
15.3.1 Input SUB-CAR Rate Limit Configuration Instance.................................. 15-5
15.3.2 Example: Output SUB-CAR Rate Limit Configuration.............................. 15-9
15.3.3 Rate Limit (VCC VLAN-Based) Configuration Example ..........................15-13
15.3.4 Example: Configuring a Downstream QoS Policy (PQ Rate Limit) ..........15-18
15.3.5 Example: Configuring a Downstream QoS Policy (WFQ Rate Limit) .......15-23
Chapter 16 LEASED-LINE Configuration ............................................... 16-1
III

16.1 LEASED-LINE Introduction ............................................................................. 16-1
16.2 Configuring the LEASED-LINE Function .......................................................... 16-3
16.3 LEASED-LINE Configuration Instance ............................................................. 16-5
Chapter 17 User-Side Policy Routing Configuration ............................ 17-1

17.1 User-Side Policy Routing Overview ................................................................. 17-1
17.2 Configuring User-Side Policy Routing .............................................................. 17-1
17.3 Example: User-Side Policy Routing Configuration ............................................ 17-2
Chapter 18 Dual Server Cluster Hot Standby Configuration................ 18-1

18.1 Dual-Server Cluster Hot Standby Overview ...................................................... 18-1
18.2 Configuring Hot Standby ................................................................................. 18-5
18.3 Hot Standby Configuration Example ................................................................ 18-9
Chapter 19 Cold Standby Configuration ................................................ 19-1

19.1 Cold Standby Overview .................................................................................. 19-1
19.2 Configuring Cold Standby ............................................................................... 19-2
19.3 Cold Standby Configuration Example............................................................... 19-4
Chapter 20 AC Separation Access Configuration ................................. 20-1

20.1 AC Separation Access .................................................................................... 20-1
20.2 Configuring AC Separation Access .................................................................. 20-2
20.3 AC Separation Access Configuration Instance.................................................. 20-5
Chapter 21 L2VPN Access Configuration .............................................. 21-1

21.1 L2VPN Access ............................................................................................... 21-1
21.2 Configuring L2VPN Access ............................................................................. 21-3
21.3 L2VPN Access Configuration Instance............................................................. 21-3
Chapter 22 Relation Binding Between Domain Name and WEB

Server .................................................................................................... 22-1
22.1 Overview ....................................................................................................... 22-1
22.2 Binding a Domain to a Web Server .................................................................. 22-1
22.3 Configuration Example for Binding a Domain to a Web Server........................... 22-2
Figures............................................................................................................. I
Glossary .........................................................................................................V
IV

About This Manual
Purpose
This manual describes functional principles, configuration commands, and examples
related to IPv4 BRAS on the ZXR10 M6000.
Intended Audience
This manual is intended for:
l Network planning engineers
l Commissioning engineers
l Maintaining engineers
What Is in This Manual

This manual contains the following chapters.
Chapter Summary
Chapter 1, BRAS Service Describes functions and principles related to BRAS services.
Overview
Chapter 2, IPoEv4 Configuration Describes IPoEv4 principles, configuration commands and exam-
ples.
Chapter 3, IP-HOSTv4 Describes IP-HOSTv4 principles, configuration commands and

Configuration examples.
Chapter 4, PPPoEv4 Describes PPPoEv4 principles, configuration commands and ex-

Configuration amples.
Chapter 5, VPDN Configuration Describes VPDN principles, configuration commands and exam-
ples.
Chapter 6, BRAS AAA Describes BRAS AAA principles, configuration commands and
Configuration examples.
Chapter 7, BRAS RADIUS Describes BRAS RADIUS principles, configuration commands

Configuration and examples.
Chapter 8, Dynamic VLAN Describes dynamic VLAN principles, configuration commands

Chapter 9, Subscriber Describes subscriber management principles, configuration com-

Management Configuration mands and examples.
Chapter 10, Page Push Configura- Describes the page push principles, configuration commands and
tion examples.

Chapter Summary
Chapter 11, BRAS SmartGroup Describes BRAS SmartGroup access principle, configuration
Access Configuration commands and examples.
Chapter 12, ATM Access Configu- Describes ATM access principle, configuration commands and
ration examples.
Chapter 13, Layer-3 Access Con- Describes the BRAS layer-3 access principles, configuration com-
figuration mands and examples.
Chapter 14, User-Side Multicastv4 Describes user-side multicastv4 principles, configuration com-
Configuration mands and examples.
Chapter 15, User-Side QoSv4 Describes user-side QoSv4 principles, configuration commands
Chapter 16, LEASED-LINE Con- Describes the principles, configuration commands and examples
figuration for LEASED-LINE.
Chapter 17, User-Side Policy Describes the principles, configuration commands and examples
Routing Configuration for user-side policy routing.
Chapter 18, Dual Server Cluster Describes dual-server cluster hot-standby functional principles,
Hot Standby Configuration configuration commands and examples.
Chapter 19, Cold Standby Config- Describes cold standby functional principles, configuration com-
uration mands and examples.
Chapter 20, AC Separation Ac- Describes separation access configuration functional principles,
cess Configuration configuration commands, and examples.
Chapter 21, L2VPN Access Con- Describes L2VPN access functional principles, configuration com-
figuration mands, and examples.
Chapter 22, Relation Binding Be-

Describes the principles, commands, and an instance used to
tween Domain Name and WEB
bind a domain to a Web server.
Server
Conventions
This manual uses the following conventions.
Typeface Meaning
Italics Variables in commands. It may also refer to other related manuals and documents.
Bold Menus, menu options, function names, input fields, option button names, check boxes,
drop-down lists, dialog box names, window names, parameters, and commands.
Constant Text that you type, program codes, filenames, directory names, and function names.
width
[] Optional parameters.
{} Mandatory parameters.
II

Typeface Meaning
| Separates individual parameters in a series of parameters.
Warning: indicates a potentially hazardous situation. Failure to comply can result in

serious injury, equipment damage, or interruption of major services.
Caution: indicates a potentially hazardous situation. Failure to comply can result in

moderate injury, equipment damage, or interruption of minor services.
Note: provides additional information about a certain topic.
III

This page intentionally left blank.
IV

Chapter 1
BRAS Service Overview
BRAS Service Introduction
The BRAS provides subscriber access, Digital Subscriber Line (DSL) subscriber
authentication, and back-end management. The BRAS device is connected to the
Remote Authentication Dial In User Service (RADIUS) server and the database server.
It provides a lot of subscriber accesses, and is easy to add new functions. The BRAS
device supports multiple access modes, such as Asymmetric Digital Subscriber Line
(ADSL), Local Area Network (LAN), and wireless access, meeting the demands of various
network service providers. The BRAS also supports easy, effective and unified BRAS
mode, providing various flexible modes of authentication, accounting, and management.
The BRAS supports the following key functions.
l Dynamic subscriber access (dynamic address allocation)
l Static subscriber access (static address allocation)
l Subscriber authentication, authorization and accounting
l Dynamic VLAN access
l Smartgroup interface access
l User-side multicast
l User-side QoS
Dynamic Subscriber Access

Dynamic subscribers refer to the subscribers whose addresses are allocated dynamically.
At present, the dynamic subscribers supported by BRAS services include Internet
Protocol over Ethernet (IPoE) subscribers (accessing the network through the Dynamic
Host Configuration Protocol), Point to Point Protocol over Ethernet (PPPoE) subscribers,
and Virtual Private Dialup Network (VPDN) subscribers. For details, refer to the "IPoEv4
Configuration", "PPPoEv4 Configuration", and "VPDN Configuration" chapters.
Static Subscriber Access

Static subscribers refer to the subscribers who use fixed IP addresses. The addresses are
configured manually instead of allocated dynamically. Subscribers can get various online
services after passing authentication. When the subscribers fall offline, the IP addresses
are reserved. In BRAS services, static subscribers are called IP-HOST subscribers. For
details, refer to the "IP-HOSTv4 Configuration" chapter.
1-1

ZXR10 M6000 Configuration Guide (IPv4 BRAS)
Subscriber Authentication, Authorization and Accounting

The modes of authentication, authorization and accounting for dynamic subscribers and
static subscribers consist of LOCAL and RADIUS. For details, refer to the "RADIUS
Configuration" and the "AAA Configuration" chapters.
Dynamic VLAN Access

Due to the various service applications, the Virtual Local Area Network (VLAN) planning
for Layer–2 access Ethernet is more and more complicated. So it is not flexible to
deploy interfaces (VLAN information) through manual static configurations. For a device,
static configurations waste a lot of memories. Therefore, deploying interfaces (VLAN
information) dynamically on user-side interfaces is considered to facilitate configurations
and management. For details, refer to the "Dynamic VLAN Configuration" chapter.
Smartgroup Interface Access

A SmartGroup interface is an aggregation interface. It aggregates several physical
interfaces into one interface. The interfaces aggregated can cross boards. The
SmartGroup function can provide customers with more flexible and effective solutions. It
provides much flexibility when customers use ZXR10 series products to plan and construct
networks. At the same time, it improves the stability of networks greatly, especially for
Ethernet environment and Ethernet interface environment. With SmartGroup function,
customers can enlarge bandwidth and improve network stability. The SmartGroup
function also makes the network construction cost more reasonable.
For details, refer to the "BRAS SmartGroup Access Configuration" chapter.
User-Side Multicast
Multicast consists of network-side multicast and user-side multicast. They differ each other
in route egress. The egress of user-side multicast is a VBUI interface. There may be
several multicast users on this interface. Therefore, it is necessary to make several copies
of a multicast flow. The egress of network-side multicast is a common Layer 3 interface.
There are no users on this interface. Therefore, there is only copy of a multicast flow at
most. For details, refer to the "User-Side Multicastv4 Configuration" chapter.
User-Side Qos
The user-side QoSv4 function in the ZXR10 M6000's BRAS services includes rate limit
and congestion management. For details, refer to the "User-Side QoSv4 Configuration"
chapter.
1-2

Chapter 2
IPoEv4 Configuration
Table of Contents
IPoEv4 Overview........................................................................................................2-1
Authentication Access Modes.....................................................................................2-4
Configuring IPoEv4 ....................................................................................................2-7
IPoEv4 Configuration Examples ...............................................................................2-13
2.1 IPoEv4 Overview

IPoEv4 Introduction
IPoEv4 is an access authentication service. The IPoEv4 service enables subscribers
to access the network through Ethernet physical links, and then obtain IP addresses
through the DHCP. There are three types of subscriber identity authentication, including
compulsory WEB authentication, Option60 authentication and circuit authentication.
For the IPoE service, an IP packet is encapsulated on the user access device, and then the
packet passes through the access network and reaches a BRAS device. Therefore, it can
be considered that a computer is connected to an Ethernet interface of a BRAS device with
a crossover cable directly in a basic IPoE network, see Figure 2-1. There may be some
Layer–2 devices (such as HUBs or LAN switches) between the PC and the BRAS device,
but the Layer-2 devices do not encapsulate or change the IPoE packet.
Figure 2-1 Basic IPoE Network Structure
According to the authentication modes, IPoEv4 service is classified into DHCP boot-strap
authentication access and DHCP+WEB authentication access. DHCP boot-strap
authentication access can be classified into DHCP Option60 authentication access and
DHCP circuit authentication access. The three access modes are DHCP-based.
According to the role that the ZXR10 M6000acts as (working as a DHCP server that is
responsible for assigning IP addresses, or working as a DHCP relay that is responsible
for forwarding packets) during subscriber access, there are two types of IPoEv4 service
network structures, as described below.
2-1

Network Structure When ZXR10 M6000 Works as a Server

Figure 2-2 shows the network structure when ZXR10 M6000 works as a server .
Figure 2-2 Network Structure When ZXR10 M6000 Works as a Server
When receiving a DHCP Discover message sent by the client, ZXR10 M6000 assigns an
idle IP address from the address pool, and then it sends a DHCP Offer message as a reply
according to the information in the DHCP Discover message.
When receiving a DHCP Request message sent by the client, ZXR10 M6000 searches
for the address assignment information of the subscriber according to the client hardware
address in the message and the current vpnid. If the address assignment information of
the subscriber is found, ZXR10 M6000 replies with a DHCP Ack message, and then the
client can obtain an IP address and comes online successfully. Otherwise, ZXR10 M6000
replies with a DHCP Nak message.
When receiving the DHCP Nak message, the client sends a DHCP Discover messages
again, and starts to request an address through the DHCP again.
If no lease time is configured, the default lease time of the address that ZXR10 M6000
assigns to the subscriber is 3600 seconds. After 50% of the lease time passes, the client
sends a unicast DHCP Request message automatically to renew the lease. If the lease
is renewed successfully, the lease time is extended. Otherwise, after 87.5% of the lease
term passes, the client sends a broadcast request message to renew the lease time. If the
lease is not renewed successfully, the client cannot use this address when the lease time
expires. The client needs to start to request an address through the DHCP again.
When receiving the DHCP Release message sent by the client, ZXR10 M6000 releases
the binding between the address and the client, and reclaims the IP address.
Figure 2-3 shows the interaction flow between a DHCP client and a DHCP server.
2-2

Chapter 2 IPoEv4 Configuration
Figure 2-3 Interaction Flow Between DHCP Client and DHCP Server
Network Structure When ZXR10 M6000 Works as a Relay

Figure 2-4 shows the network structure when ZXR10 M6000 works as a relay.
Figure 2-4 Network Structure When ZXR10 M6000 Works as a Relay
As DHCP messages are broadcast, they cannot go through several subnets. DHCP Relay
can solve this problem. It makes that a client and a server that are not on the same segment
can ping each other successfully. In this way, different clients can share the same DHCP
server.
Figure 2-5 shows the interaction flow between a DHCP client and a DHCP relay.
2-3

Figure 2-5 Interaction Flow Between DHCP Client and DHCP Relay
2.2 Authentication Access Modes

The IPoEv4 authentication access modes are classified as DHCP Boot-Strap
authentication access and DHCP+WEB authentication access.
DHCP Boot-Strap Authentication Access

DHCP boot-strap authentication means that only after a subscriber passes the
authentication in the course of getting online could the subscriber obtain an IP address
successfully. This access authentication mode is suitable for subscribers of fixed lines
and fixed services, such as monthly service subscribers. However, the subscribers cannot
carry valid information such as username, password and domain name like PPPoE, so
authentication check of subscriber validity cannot be implemented directly. As a result,
The information such as username, password and domain name is obtained in a flexible
way. Figure 2-6 shows a network topology of DHCP boot-strap authentication .
Figure 2-6 Network Topology of DHCP Boot-Strap Authentication
2-4

DHCP boot-strap authentication supports two subscriber authentication modes:

l Circuit-based subscriber authentication
l Option60–based extended subscriber authentication
The flow of circuit-based subscriber authentication is described below:
1. A subscriber logs onto the client, and sends a DHCP Discover message to request an
address through the DHCP.
2. When receiving the message, ZXR10 M6000 obtains the circuit information of the
port that receives the message. It searches for corresponding subscriber and domain
name according to the circuit information, and then searches for the authentication
mode of the subscriber according to the domain. If the local authentication mode
is configured, the ZXR10 M6000 triggers a local authentication flow. It compares
the subscriber information obtained with the local subscriber information configured
(including username, password and domain name). If the information is consistent,
the subscriber is considered to pass the authentication successfully. The server then
assigns an IP address, and replies a DHCP Offer message. If the information is not
consistent, the server does not assign an address or replies a DHCP Offer message.
If the authentication mode is RADIUS, it is necessary to configure the subscriber
authentication information that is consistent with the circuit information on the RADIUS
server. The flow is the same as that of local authentication after the subscriber passes
the authentication.
3. When receiving the DHCP Offer message sent by ZXR10 M6000, the client replies
a DHCP Request message. After ZXR10 M6000 receives the Request message, it
searches for the address assignment address information of the subscriber according
to the hardware address. If the information is found, the ZXR10 M6000 replies an
ACK message, and then the subscriber can come online successfully. Otherwise, the
subscriber replies a NAK message, and sends a DHCP Discover message again.
The flow of Option60–based subscriber authentication is described below.
1. A subscriber logs in to the client, and sends a DHCP Discover message to request an
address through the DHCP.
2. When receiving the message, the ZXR10 M6000 obtains the Option60 information
from the message. Then it resolves the information according to the Option60
resolution method that the subscriber configures to obtain the information such as
username, password and domain name. By default, the username is the Medium
Access Control (MAC) address, and then authentication type is optionparse (that
is, resolve Option60 by domain name/password). After that, the ZXR10 M6000
obtains the authentication mode according to the domain name. If it is local
authentication, the ZXR10 M6000 triggers a local authentication flow. It compares the
subscriber information obtained with the local subscriber information configured. If the
information is consistent, the subscriber is considered to passes the authentication
successfully. The server assigns an IP address, and replies a DHCP Offer message.
If the information is not consistent, the server does not assign an address, or replies
a DHCP Offer message.
2-5

If the authentication mode is RADIUS, it is necessary to configure subscriber

authentication information that is consistent with the circuit information on the RADIUS
server. The flow is the same as that of local authentication after the subscriber passes
the authentication.
3. When receiving the DHCP Offer message sent by the ZXR10 M6000, the client replies
a DHCP Request message. After the ZXR10 M6000 receives the Request message, it
searches for the address assignment address information of the subscriber according
to the hardware address. If the information is found, the ZXR10 M6000 replies an
ACK message, and then the subscriber can come online successfully. Otherwise, the
subscriber replies a NAK message, and sends a DHCP Discover message again.
DHCP+WEB Authentication Access

DHCP+ Web (WEB) authentication differs from DHCP boot-strap authentication in that it
implementsFigure 2-7 shows the network topology of DHCP+WEB authentication .
Figure 2-7 Network Topology of DHCP+WEB Authentication
The procedure of DHCP+WEB authentication access is described below.

1. A subscriber obtains an address.
After being configured to obtain an IP address through the DHCP, the subscriber host
sends a DHCP Discover message.
When working as a DHCP server, the ZXR10 M6000 assigns an IP address to the
subscriber directly after it receives the DHCP Discover message. When working as
a DHCP relay, the ZXR10 M6000 forwards the message to the DHCP server. Then
the DHCP server acknowledges the message by assigning an IP address to the
subscriber.
The ZXR10 M6000 replies to the subscriber host according to the DHCP response
message or the local address assignment policy. After that, it forms the corresponding
relationship among the IP address, MAC address and Virtual Local Area Network
(VLAN) port. Before the subscriber passes the WEB authentication, it restricts the
access permissions of the subscriber host through Access Control Lists (ACLs). For
example, the subscriber can only access some free websites, including some portal
websites.
2-6

2. The WEB page is displayed compulsively for redirection.

The subscriber launches a browser on the Personal Computer (PC) and enters an IP
address to attempt to establish a Transfer Control Protocol (TCP) connection with the
ZXR10 M6000. After the connection is established successfully, the ZXR10 M6000
sends a Hypertext Transfer Protocol (HTTP) message to the portal client.
The portal client sends a new HTTP message which contains the link address
redirecting to the portal server to the subscriber. The subscriber accesses the portal
server after receiving the redirection address. After the portal server receives the
HTTP request, it returns a WEB authentication page to the subscriber.
3. WEB authentication
The subscriber enters the username and password on the WEB authentication page to
attempt to access the page. The username format is "username configured @ current
domain name".
After receiving the authentication request form the subscriber, if CHAP authentication
is used, the portal server sends a challenge request message to the portal client (it is
ZXR10 M6000 here). After the portal client replies a challenge code, the portal server
sends an authentication request message that contains the username and password
the subscriber enters.
At this time, the portal client searches for the authentication mode after receiving the
username and password. If it is local authentication, the ZXR10 M6000 triggers a
local authentication flow. If it is RADIUS authentication, ZXR10 M6000 sends the
information to the RADIUS server for authentication.
If the subscriber passes the authentication successfully, the ZXR10 M6000 modifies
the ACL of the subscriber, and allows the subscriber to come online. At the same
time, the ZXR10 M6000 informs the portal server that the subscriber has passed the
authentication, and the portal server notifies the subscriber of the authentication result.
If the subscriber does not pass the authentication, the ZXR10 M6000 informs the portal
server that the subscriber fails to pass the authentication, and then the portal server
notifies the subscriber of the authentication result.
2.3 Configuring IPoEv4

This procedure describes how to configure IPoEv4.
Steps
1. Configure a network-side interface.
Step Command Function
1 ZXR10#configuration terminal Enters global configuration

mode.
2-7

2 ZXR10(config)#interface <interface-name> Enters interface configuration

mode.
3 ZXR10(config-if-interface-name)#ip address Sets an IP address and a

<ip-address><net-mask> mask.
2. Configure a user-side interface.
1 ZXR10(config)#interface <vbui-interface-name> Enters vbui interface

configuration mode.

<ip-address><net-mask> mask for a VBUI interface.
3 ZXR10(config)#vbui-configuration Enters VBUI configuration

mode.
4 ZXR10(config-vbui)#interface <vbui-interface-name> Enters VBUI interface service

configuration mode.
5 ZXR10(config-vbui-if)#pre-domain <domain-name> Sets the default domain

before authentication.
6 ZXR10(config-vbui-if)#web-force authentication Enables WEB-page push

authentication.
7 ZXR10(config-vbui-if)#web-server <server-id> Specifies the WEB Server ID,

range: 1 to 4.
8 ZXR10(config-vbui-if)#web-acl <acl-name> Sets an ACL, and associates

it with the VBUI interface.
3. Configure a user-side circuit.
1 ZXR10(config)#vcc-configuration Enters VCC configuration

mode.
2 ZXR10(config-vcc)#interface<interface-name> Enters VCC interface service

configuration mode.
3 ZXR10(config-vcc-if)#pre-domain <domain-name> Sets the default domain

before authentication.
4 ZXR10(config-vcc-if)#encapsulation {multi | Sets an encapsulation type of

ip-over-ethernet} the interface through which
users access the BRAS
services.
2-8

5 ZXR10(config-vcc-if)#ipox authentication-type Sets the authentication type

{cir-map | option | web | option-web} of DHCP users.
cir-map: circuit authentication.
option: Option60
authentication.
web: WEB authentication.
option-web: option60+WEB
authentication. If a DHCP
user does not pass Option60
authentication, the system
starts a WEB authentication
flow.
6 ZXR10(config-vcc-if)#dhcp-v4 auth-on-up Sets the username type,

username-type {mac | mac-option82 | option60 | option82 | domain name type,
mac-option60 | default | option82-default} domain-type { and password type for
optionparse |{optionstring | option} passwordtype {config option60-authenticated users.
<password>| mac | optionstring}}
7 ZXR10(config-vcc-if)#ip-access-type {ipv4 | dual} Sets the access mode of the

interface, ipv4 access type or
dual-stack access type.
multi: Supports the IPoE encapsulation type and PPPoE encapsulation type. Both
DHCP users and PPPoE users are allowed to access the services.
ip-over-ethernet: When the encapsulation type is set to IPoE, only DHCP users are
allowed to access the BRAS services.
mac: Uses the MAC address of a user as the username.
option60: Uses the option60 text as the username.
mac-option82: Uses the MAC address and the option82 text as the username.
default: Uses the default self-defined format ("host name" + "-" + "3-digit slot number"
+ "1-digit card number" + "two-digit port number" + "four-digit outer VLAN ID" + "0" +
"4-digit inner VLAN ID") to encapsulate user names.
option82-default: Uses the option82 field as the username preferentially. If the
option82 field carried in a request packet is null or invalid, the default format is used.
option: Uses "option60" as the domain name.
optionstring: Uses the information in the option60 field as the domain name. The
username type must be "option60" in such a situation.
optionparse: Uses the information in the option60 field as the domain name and
password. It is not required to configure the password type in such a situation.
config: Specifies a password configuration action.
2-9

mac: Uses the MAC address as the password.

optionstring: Uses the Option 60 information as the password.
<password>: Specifies a password, range: 1–31 characters.
4. Configure an address pool.
1 ZXR10(config-vbui-if)#ip-pool pool-name Sets the name and ID of an

<pool-name> pool-id <pool-id> address pool, and enters VBUI
address pool configuration
mode.
2 ZXR10(config-vbui-if-ip-pool)#access-domain Sets the management domain

<domain-name> of the address pool.
3 ZXR10(config-vbui-if-ip-pool)#member Sets a member of the address

<member-id> pool, and enters VBUI address
pool member configuration
mode.
4 ZXR10(config-vbui-if-ip-pool-member)#start-ip Sets the address range of the

<ip-address> end-ip <ip-address> address pool member.
5 ZXR10(config-vbui-if-ip-pool)#ip dhcp instance Sets a DHCP server instance.

server <instance>
ZXR10(config-vbui-if-ip-pool)#ip dhcp instance Sets a DHCP relay instance.

relay <instance>
5. Configure a Web server.
1 ZXR10(config-submanage)#web-server <server-id> Creates a WEB Server, and

enters WEBSVR configuration
mode.
2 ZXR10(config-submanage-websvr)#ip-addr Sets an IP address and a port

<ip-address>[port <port-id>|backup] number for the WEB Server.
3 ZXR10(config-submanage-websvr)#url <url-string> Sets the URL address

redirecting to the WEB Server.
4 ZXR10(config-submanage-websvr)#uas-ip Sets an IP address of the

<ip-address>interface<interface name> interface that the ZXR10
M6000 uses to connect to the
WEB Server.
6. Configure an SAL.
2-10

1 ZXR10(config-submanage)#sal <sal-number> Enters SA configuration

mode, SAL number range: 1
to 256.
2 ZXR10(config-submanage-sal-number)#translate Translates the domain name

{src-domain <src-domain>| any} des-domain of a user to another domain
<dest-domain> name.
3 ZXR10(config-submanage-sal-number)#default Sets a default domain name.

domain <domain-name>
4 ZXR10(config-submanage-sal-number)#none domain Sets a roaming domain. For

<domain-name>[keep] a non-existing domain, the
corresponding users are
accessed from the roaming
domain.
5 ZXR10(config-submanage-sal-number)#permit Specifies the domain that can

{domain <domain-name>| any} access the network.
any: permits all domains to
access the network.
ZXR10(config-submanage-sal-number)#deny {domain Sets a domain that forbids

<domain-name>| any} network access.
6 ZXR10(config-submanage-sal-number)#change-dom Changes the user's domain

ain <change-domain> local-domain <local-domain> name to a local domain
name, and uses the
local domain name to
perform authentication and
management.
<src-domain>: The source domain name, 1 to 31 characters in length.

any: Translates any domain name to the specified domain name.
<dest-domain>: The destination domain name, 1 to 31 characters in length.
<domain-name>: The domain name, 1 to 31 characters in length.
<change-domain>: The change domain name, 1 to 31 characters in length.

<local-domain>: The local domain name, 1 to 31 characters in length.
7. Configure a domain.
1 ZXR10(config-submanage)#domain <domain-number> Enters DOMAIN configuration

mode.
2-11

2 ZXR10(config-submanage-domain)#bind Binds an authentication

authentication-template <authen-template-name> template to a domain. Only
one authentication template
can be bound to a domain.
3 ZXR10(config-submanage)#circuit-map eth-cir Sets a mapping relationship

external-vlan <vlan-number> internal-vlan-range for the Ethernet circuit-based
<second-vlan-number> interface <interface-name><user-n accounts.
ame><domain-name><password>
4 ZXR10(config-submanage)#local-subscriber <sub-name> Sets a local subscriber ID, and

domain-name <domain-name> password <password> enters BRAS_LOCALSUB
configuration mode.
<vlan-number>: The outer-layer VLAN number, range: 0 to 4094.

<second-vlan-number>: The inner-layer VLAN number, range: 0 to 4094.
<interface-name>: The interface name. The fei, gei, ulei and smartgroup interfaces are
supported.
<user-name>: The username, 1 to 127 characters in length.
<domain-name>: The domain name, 1 to 31 characters in length.
<password>: The password, 1 to 31 characters in length.
<sub-name>: The local subscriber ID, 1 to 127 characters in length.

<password>: The password, 1 to 31 characters in length.
8. Verify the configurations.
Command Function
ZXR10#show running-config am Shows the address information.
ZXR10#show running-config uim Shows the user interface information.
ZXR10#show running-config dhcp Shows the DHCP information.
ZXR10#show running-config aim Shows the information relating to the domain

configuration, authentication template,
authorization template and accounting template.
ZXR10#show running-config portal Shows the WEB Server information.
– End of Steps –
2-12

2.4 IPoEv4 Configuration Examples

2.4.1 Example: Option Authentication Configuration (Server Mode)
Overview
As shown in Figure 2-8, the ZXR10 works as a BRAS, and the PC serves as an Option
user. The user obtains an address automatically through an VBUI5 interface, and then
comes online.
Figure 2-8 Network Topology of Option Authentication Configuration (Server Mode)
Flow
1. Configure a domain and related authentication information. Here, local authentication
is used.
2. Configure a VBUI to be a virtual BRAS user-side interface. Configure an address pool
in VBUI configuration mode, and set the access domain to the domain created in Step
1.
3. Configure an interface in VCC configuration mode. Common users can come online
without any other configuration. For Option users, it is required to enable Option
authentication.
4. Enable the DHCP function in DHCP configuration mode, and set the DHCP server
mode in VBUI-ip-pool configuration mode.
Commands
Run the following commands on the ZXR10 M6000.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type local
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#domain option60
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#dhcp-mode server
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#local-sub 00-69-96-00-00-01 domain-name
option60 password 123
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#exit
2-13

ZXR10(config)#interface vbui5
ZXR10(config-if-vbui5)#ip address 10.1.1.1 255.255.255.0
ZXR10(config-if-vbui5)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui5
ZXR10(config-vbui-if)#ip-pool pool-name dhcppool pool-id 5
ZXR10(config-vbui-if-ip-pool)#access-domain option60
ZXR10(config-vbui-if-ip-pool)#ip dhcp instance server 256
ZXR10(config-vbui-if-ip-pool)#member 1
ZXR10(config-vbui-if-ip-pool-member)#start-ip 10.1.1.1 end-ip 10.1.1.255
ZXR10(config-vbui-if-ip-pool-member)#exit
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface fei-0/4/0/4
ZXR10(config-vcc-if)#encapsulation ip-over-ethernet
ZXR10(config-vcc-if)#ipox authentication-type ipv4 dhcpv4 option
ZXR10(config-vcc-if)#dhcp-v4 auth-on-up username-type mac domain-type optionparse
/*For normal subscribers, the above two commands are not required*/
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
ZXR10(config)#ip dhcp server instance 256

ZXR10(config-dhcps-instance)#dhcp-pool zte
ZXR10(config-dhcps-instance)#exit
ZXR10(config)#dhcp
ZXR10(config-dhcp)#enable
ZXR10(config-dhcp)#exit
Verification
Check the BRAS domain configuration on the ZXR10 M6000, as shown below.
ZXR10#show running-config aim
! <AIM>
subscriber-manage
authentication-template zte
authentication-type local
$
domain option60
bind authentication-template zte
$
2-14

local-subscriber 00-69-96-00-00-01 domain-name option60 password 123

$
$
! </AIM>
Check the configuration of the BRAS address pool, as shown below.

ZXR10#show running-config am
! <AM>
vbui-configuration
interface vbui5
ip-pool pool-name dhcppool pool-id 5
access-domain option60
ip dhcp instance server 256
member 1
start-ip 10.1.1.0 end-ip 10.1.1.255
$
$
$
! </AM>
Check the configuration of the BRAS VCC interface and DHCP, as shown below.
ZXR10#show running-config uim
! <UIM>
vbui-configuration
interface vbui5
$
!
vcc-configuration
interface fei-0/4/0/4
ipox authentication-type ipv4 dhcpv4 option
encapsulation ip-over-ethernet
$
!
! </UIM>
ZXR10#show running-config dhcp

! <DHCP>
ip dhcp server instance 256
dhcp-pool zte
!
dhcp
enable
$
! </DHCP>
ZXR10#
2-15

Run the show subscriber ipox command, and verify that the subscriber is on line.
ZXR10(config)#show subscriber ipox
*******************************************************************************
Subscriber Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :12
user-name :00-69-96-00-00-01
domain-name :option60
local-domain-name :option60
authorize-domain-name :option60
mac-address :0069.9600.0001
session-id :0
access-interface :fei-0/4/0/4
internal-vlan :0
external-vlan :0
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
authentication-time :2012/05/18 12:06:43
create-time :2012/05/18 12:06:43
online-time :13
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 DHCP SERVER
ipv4-address :10.1.1.2
vrf-name :
vpn-id :0
gateway :10.1.1.1
primary-dns :
second-dns :
*******************************************************************************
2-16

-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
The above output indicates that the user is on line.
2.4.2 Example: Circuit Authentication Configuration (Server Mode)

Overview
As shown in Figure 2-9, the IP address of the VBUI on the ZXR10 M6000 is 40.0.0.1. and
the ZXR10 M6000 is connected to a PC.
Figure 2-9 Network Topology of Circuit Authentication Configuration
Flow
1. Configure the DHCP, a domain (including an alias, authentication mode and
accounting mode), a VBUI (including a gateway address, an address pool) and a
Virtual Channel Connection (VCC) (including the encapsulation mode).
2. Set the boot-strap authentication mode to circuit authentication.
3. For local authentication and RADIUS authentication, configure the usernames and
passwords on the local PC and RADIUS Server.
4. In BRAS configuration mode, configure the user circuit information and the
relationships between usernames, passwords and domain names. For RADIUS
authentication, it is unnecessary to configure the information on the local PC.
Commands
Configuration on ZXR10:
l Enable the DHCP function globally, and configure the DHCP server.
2-17

ZXR10(config)#dhcp
l Configure a domain.
ZXR10(config-manage)#authentication-template zte
ZXR10(config-manage-authen-template)#authentication-type local
ZXR10(config-manage-authen-template)#exit
ZXR10(config-manage)#domain domain1
ZXR10(config-manage-domain)#dhcp-mode server
/*Configure a alias for VBUI binding, and set DHCP mode.*/
ZXR10(config-manage-domain)#bind authentication-template zte
/*Bind BARS authentication*/
ZXR10(config-manage-domain)#exit
ZXR10(config-manage)#local-subscriber wx domain-name domain1 password 123
/*Configure the username, password and domain name for the local PC*/
ZXR10(config-manage)#circuit-map eth-cir external-vlan 0 internal-vlan-range 0
interface fei-0/4/0/15 wx domain1 123
/*Configure the user circuit information and the relationship between the username,
password and domain name*/
l Configure a user interface address.
ZXR10(config)#interface vbui200 /*Create a VBUI*/
/*Configure an IP address*/
l Configure the VBUI parameters and an IP pool in VBUI configuration mode, and
configure the DHCP server in the IP pool.
ZXR10(config)#vbui-configuration /*VBUI configuration mode*/
ZXR10(config-vbui-if)#ip-pool pool-name 200 pool-id 200
ZXR10(config-vbui-if-ip-pool)#access-domain domain1
/*Create an address pool*/
ZXR10(config-vbui-if-ip-pool)#pool-type dhcp
l Configure a VCC in circuit interface configuration mode, and set the encapsulation
type to IPoE on the interface connecting to the user.
2-18

ZXR10(config-vcc)#interface fei-0/4/0/15 /*Enter a VCC interface*/
ZXR10(config-vcc-if)#encapsulation ip-over-ethernet /*Encapsulate IPoE*/
ZXR10(config-vcc-if)#ipox authentication-type ipv4 dhcpv4 cir-map
/*Enable circuit authentication for users accessing the network through DHCP*/
Verification
Check the configuration of circuit authentication, as shown below.
! <UIM>
vbui-configuration
interface vbui200
$
vcc-configuration
ipox authentication-type ipv4 dhcpv4 cir-map
/*The circuit authentication switch is enabled*/
$
$
! </UIM>

! <AIM>
subscriber-manage
$
domain domain1
alias domain1
$
local-subscriber wx domain-name domain1 password 123
$
circuit-map eth-cir external-vlan 0 internal-vlan-range 0-0 interface
fei-0/4/0/15 wx domain1 123
! </AIM>
Run the show subscriber ipox command, and verify that the subscriber is on line.
ZXR10#show subscriber ipox

*******************************************************************************
2-19

-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :11
user-name :wx
domain-name :domain1
local-domain-name :domain1
authorize-domain-name :domain1
mac-address :003a.96ab.0001
session-id :0
internal-vlan :0
external-vlan :0
eap-type :FALSE
sibprofileid :0
create-time :2012/05/18 11:56:33
online-time :17
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :40.0.0.1
primary-dns :
second-dns :
*******************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
2-20


ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
2.4.3 Example: DHCP+WEB Authentication Configuration (Server

Mode)
Overview
As shown in Figure 2-10, the address of the VBUI interface on the ZXR10 is 6.6.1.1. The
ZXR10 connects to the WEB server through the fei-0/1/0/11 interface. It is necessary to
implement a DHCP+WEB authentication when PC1 sends an access attempt.
Figure 2-10 Network Topology of DHCP+WEB Authentication Configuration
Configuration Flow
1. Configure the ordinary DHCP access.
2. Configure WEB authentication on a VCC.
3. Configure related attributes of the portal services. Configure a WEB Server, a WEB
ACL, and Web-web-force authentication, and bind them to the VBUI interface.
Configuration Commands
1. Configure an ordinary DHCP on the ZXR10:
ZXR10(config-submanage)#domain domain1
2-21


ZXR10(config-vcc-if)#pre-domain domain1
ZXR10(config-vcc-if)#ipox authentication-type ipv4 dhcpv4 web

ZXR10(config)#dhcp
ZXR10(config)#interface fei-0/1/0/11
/*Configure an address for the interface connecting to the WEB Server.*/
ZXR10(config-if-fei-0/1/0/11)#no shutdown
ZXR10(config-if-fei-0/1/0/11)#ip address 172.16.1.2 255.255.255.0
ZXR10(config-if-fei-0/1/0/11)#exit
2. Configure the attributes of the WEB server.
ZXR10(config)#subscriber-manag
ZXR10(config-submanage)#web-server 1
ZXR10(config-submanage-websvr-1)#http-param uas-id 1234
ZXR10(config-submanage-websvr-1)#http-param uas-name zte
ZXR10(config-submanage-websvr-1)#http-param user-name msg
ZXR10(config-submanage-websvr-1)#ip-add 172.16.1.1
/*The address of the WEB server*/
ZXR10(config-submanage-websvr-1)#url http://172.16.1.1:88/LoginOn.jsp
2-22

/*URL of the redirect page */

ZXR10(config-submanage-websvr-1)#uas-ip 172.16.1.2 interface fei-0/1/0/11
/*Configure the address of the interface for the ZXR10 M6000 connecting to
the WEB server*/
ZXR10(config-submanage-websvr-1)# version v2 key zte
3. Configure an ACL for WEB-page push authentication to forward packets.
ZXR10(config)#ipv4-access-list zte
ZXR10(config-ipv4-acl)#rule 10 permit ip any 172.16.1.1 0.0.0.0
ZXR10(config-ipv4-acl)#exit
ZXR10(config-vbui-if)#web-server 1 /*Bind the WEB Server*/
ZXR10(config-vbui-if)#web-force authentication /*WEB-page push authentication*/
ZXR10(config-vbui-if)#web-acl zte
/*Configure the ACL to define the criteria of receiving and sending packets*/
4. Configure WEB authentication.
ZXR10(config-submanage)#local-subscriber zte domain-name domain1 password
123
ZXR10(config-submanage)#end
Verification
Run the show running-config portal command to view the WEB server configuration.
ZXR10 (config)# show running-config portal

! <PORTAL>
!
subscriber-manage
web-server 1
http-param uas-name zte
http-param user-name msg
http-param uas-id 1234
ip-addr 172.16.1.1
uas-ip 172.16.1.2 interface fei-0/1/0/11
url http://172.16.1.1:88
2-23

version v2 key zte

$
$
! </PORTAL>
Run the show configuration submanage web-server command to check the status and
attributes of the WEB server configuration, as shown below.
ZXR10(config)#show configuration submanage web-server
Portal server-id 1:
ip-addr : 172.16.1.1
backupIp 1: 0.0.0.0
backupIp 2: 0.0.0.0
backupIp 3: 0.0.0.0
backupIp 4: 0.0.0.0
backupIp 5: 0.0.0.0
vbui-bind-counter : 3
version : 2 key : zte
udp-port : 50100
main listening-port : 2000
second listening-port 1 : 0
uas-ip: 172.16.1.2 uas-ifindex: 108
url : http://172.16.1.1
http-para:
uas-name : zte
user-name : msg
uas-id : 1234
user-mac-key :
Run the show configuration submanage listening-port command to check the status of the
listening port for the WEB server, as shown below.
ZXR10(config)#show configuration submanage listening-port
listening-port: 2000 regedit-flag: TRUE
Run the show subscriber ipox interface command, and verify that the subscriber is on line.
ZXR10(config)#show subscriber ipox interface fei-0/1/0/10
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :25843
user-name :zte
2-24

mac-address :001d.0f1d.ae83
session-id :0
internal-vlan :0
external-vlan :10
sibprofileid :0
create-time :2011/08/08 14:08:26
online-time :24
charge-status :NORMAL
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :6.6.1.1
primary-dns :0.0.0.0
second-dns :0.0.0.0
*******************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
2-25

2.4.4 Option Authentication Configuration Example (Relay Mode)

Scenario Description
As shown in Figure 2-11, the ZXR10–Relay works as a DHCP relay server, and the PC
serves as an Option user. The user obtains an address automatically through the VBUI5
interface to come online. The address of the interface on the Server is 1.1.1.1/24.
Figure 2-11 Option Authentication Configuration Example (Relay Mode)
Configuration Flow
1. Configure a domain and related authentication information. Here, local authentication
is used.
2. Configure a VBUI to be a virtual BRAS user-side interface. Set the access domain to
the domain created in Step 1.
3. Configure an interface in VCC configuration mode. Ordinary users can come online
without any other configuration. For Option users, it is necessary to enable Option
authentication.
4. Configure an IP DHCP relay server group, specify a relay agent, and bind the relay
server group.
5. Enable DHCP function in DHCP configuration mode, and set DHCP relay mode in
VBUI ip pool configuration mode.
Configuration on the ZXR10 M6000 relay:
ZXR10(config-submanage-domain)#dhcp-mode relay
ZXR10(config-submanage)#local-subscriber 00-69-96-00-00-01 domain-name
2-26


ZXR10(config-vbui-if-ip-pool)#ip dhcp instance relay 1
ZXR10(config-vcc-if)#dhcp-v4 auth-on-up username-type mac domain-type
optionparse /*The two commands are not required for normal users.*/
ZXR10(config)#ip dhcp relay server group 1

ZXR10(config-dhcpr-server-group)#server 1 1.1.1.1 security
/*IP address of the interface that the DHCP server uses to connect to the DHCP relay*/
ZXR10(config-dhcpr-server-group)#exit
ZXR10(config)#ip dhcp relay instance 1

ZXR10(config-dhcpr-instance)#relay server group 1
ZXR10(config-dhcpr-instance)#relay agent 10.1.1.1
/*IP address of the vbui interface on the DHCP relay*/
ZXR10(config-dhcpr-instance)#exit
ZXR10(config)#dhcp
ZXR10(config)#interface gei-0/1/1/1
ZXR10(config-if-gei-0/1/1/1)#no shutdown
ZXR10(config-if-gei-0/1/1/1)#ip address 1.1.1.2 255.255.255.0
ZXR10(config-if-gei-0/1/1/1)#exit
Configuration on the ZXR10 M6000 server.

R2(config)#interface gei-0/0/0/1
R2(config-if-gei-0/0/0/1)#no shutdown
R2(config-if-gei-0/0/0/1)#ip address 1.1.1.1 255.255.255.0
2-27

R2(config-if-gei-0/0/0/1)#exit
R2(config)#ip pool yq
R2(config-ip-pool)#range 10.1.1.1 10.1.1.254 255.255.255.0
R2(config-ip-pool)#exit
R2(config)#ip dhcp pool dhcppool

R2(config-dhcp-pool)#ip-pool yq
R2(config-dhcp-pool)#lease-time 0 1 0
R2(config-dhcp-pool)#exit
R2(config)#ip dhcp policy dhcppolicy 1

R2(config-dhcp-policy)#dhcp-pool dhcppool
R2(config-dhcp-policy)#relay-agent 10.1.1.1
/*IP address of the vbui interface of the DHCP relay*/
R2(config-dhcp-policy)#exit
R2(config)#dhcp
R2(config)#enable
R2(config-dhcp)#interface gei-0/0/0/1
R2(config-dhcp-if-gei-0/0/0/1)#mode server
R2(config-dhcp-if-gei-0/0/0/1)#policy dhcppolicy
R2(config-dhcp-if-gei-0/0/0/1)#exit
R2(config-dhcp)#exit
R2(config)#ip route 10.1.1.0 255.255.255.0 1.1.1.2
Configuration Verification
Check the BRAS domain configuration, as shown below:
! <AIM>
subscriber-manage
$
domain option60
dhcp-mode relay
$
local-subscriber 00-69-96-00-00-01 domain-name option60 password 123
$
$
! </AIM>
Check the configuration of the BRAS address pool, as shown below:
2-28

! <AM>
vbui-configuration
interface vbui5
ip-pool pool-name dhcppool pool-id 5
access-domain option60
ip dhcp instance relay 1
$
$
$
! </AM>
Check the configuration of the BRAS VCC interface and DHCP, as shown below:
! <UIM>
vbui-configuration
interface vbui5
$
$
vcc-configuration
ipox authentication-type ipv4 dhcpv4 option
$
$
! </UIM>

! <DHCP>
ip dhcp relay server group 1
server 1 1.1.1.1 security
$
ip dhcp relay instance 1
relay server group 1
relay agent 10.1.1.1
$
dhcp
enable
$
! </DHCP>
Check the DHCP configuration on the DHCP server, as shown below:
R2#show running-config dhcp

!<DHCP>
ip dhcp pool dhcppool
2-29

ip-pool yq
$
ip dhcp policy dhcppolicy 1
dhcp-pool dhcppool
relay-agent 10.1.1.1
$
dhcp
enable
interface gei-0/0/0/1
mode server
policy dhcppolicy
$
$
!</DHCP>
Run the show subscriber ipox command, and verify that the user is on line.
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :13
user-name :00-69-96-00-00-01
domain-name :option60
local-domain-name :option60
authorize-domain-name :option60
mac-address :0069.9600.0001
session-id :
internal-vlan :0
external-vlan :0
eap-type :FALSE
sibprofileid :0
create-time :2012/05/18 16:04:52
online-time :32
2-30

vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 DHCP RELAY
vrf-name :
vpn-id :0
gateway :10.1.1.1
primary-dns :
second-dns :
*******************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
The output information indicates users have come online.
2.4.5 Circuit Authentication Configuration Instance (Relay Mode)

Overview
As shown in Figure 2-12, the ZXR10 M6000 works as a DHCP relay. The IP address of
the VBUI interface on the ZXR10 M6000 is 40.0.0.1. The ZXR10 M6000 is connected to
a PC. The address of the interface on the Server is 1.1.1.1/24.
Figure 2-12 Network Topology of Circuit Authentication (Relay Mode)
2-31

Configuration Flow
1. Configure DHCP, a domain (including an alias, authentication mode and accounting
mode), a VBUI (including a gateway address, an address pool) and a VCC (including
encapsulation mode).
2. Set the boot-strap authentication mode to circuit authentication.
3. If local authentication is used, configure the username and password on the ZXR10
M6000. If RADIUS authentication is used, configure the username and password on
the RADIUS server.
4. In BRAS configuration mode, configure the user circuit information and the relationship
between the username, password and domain name. For RADIUS authentication, it
is unnecessary to configure the information on the ZXR10 M6000.
5. Run the ip dhcp relay server group command, and run ip dhcp relay instance
command to specify a relay agent, and bind it to a relay server group. and bind the
relay server group.
6. Enable the DHCP function in DHCP configuration mode, and set a DHCP relay mode
in VBUI ip pool configuration mode.
Configuration on the ZXR10 M6000 relay:
/*Enable DHCP function globally, configure DHCP Relay.*/
ZXR10(config)#dhcp
/*Configure a domain*/
ZXR10(config-submanage)#domain domain1 /*Create a domain numbered 200*/
/*Configure a alias used for VBUI binding and set DHCP mode.*/
/*Configure a user interface address*/

ZXR10(config)#interface vbui200 /*Create a VBUI interface*/
ZXU10(config-if-vbui200)#ip address 40.0.0.1 255.255.255.0
ZXU10(config-if-vbui200)#exit
2-32

/*Configure VBUI parameters and an address pool in VBUI configuration

mode, and configure an IP address and an address pool on the VBUI interface*/
ZXR10(config-vbui-if-ip-pool)# exit
/*Enter VCC configuration mode,

and specify the encapsulation
type of the interface connecting
to the user to IPoE*/.
ZXR10(config-vcc)#interface fei-0/4/0/15 /*Enter the VCC interface*/
/*Encapsulate an IPoE packet*/
ZXR10(config-vcc-if)#ipox authentication-type ipv4 dhcpv4 cir-map
/*Enable circuit authentication for the user accessing the network through the DHCP*/
ZXR10(config-submanage)#circuit-map eth-cir external-vlan 0 internal-vlan-range 0
interface fei-0/4/0/15 wangxiang domain1 123
/*Configure the user circuit information and the relationship between the username,
ZXR10(config-submanage)#local-subscriber wangxiang domain-name domain1
password 123
/*For local authentication only, used to configure the username,
/*Bind BARS authentication*/

2-33


Configuration on the ZXR10 M6000 server:



R2(config)#dhcp
R2(config)#enable
R2(config-dhcp)#interface gei-0/0/0/1
R2(config-dhcp-if-gei-0/0/0/1)#mode server
R2(config-dhcp-if-gei-0/0/0/1)#policy dhcppolicy
R2(config-dhcp-if-gei-0/0/0/1)#exit
R2(config)#ip route 40.1.1.0 255.255.255.0 1.1.1.2
Verification
Check the configuration of circuit authentication, as shown below.

! <UIM>
vbui-configuration
interface vbui200
$
vcc-configuration
2-34

/*Circuit authentication is enabled.*/
$
$
! </UIM>

! <AIM>
subscriber-manage
$
domain domain1
dhcp-mode relay
$
local-subscriber wangxiang domain-name domain1 password 123
$
circuit-map eth-cir external-vlan 0 internal-vlan-range 0 interface

fei-0/4/0/15 wangxiang domain1 123
! </AIM>
Run the show running-config dhcp command, check the configuration of the DHCP server.
R2#show running-config dhcp
!<DHCP>
ip dhcp pool dhcppool
ip-pool yq
$
ip dhcp policy dhcppolicy 1
dhcp-pool dhcppool
$
dhcp
enable
mode server
policy dhcppolicy
$
!</DHCP>
Run the show subscriber ipox command, and verify that the user is on line.
2-35

R3(config)#show subscriber ipox

*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :14
user-name :wangxiang
mac-address :0069.3a4b.0001
session-id :0
internal-vlan :0
external-vlan :0
eap-type :FALSE
sibprofileid :0
create-time :2012/05/18 16:58:48
online-time :277
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :40.1.1.1
primary-dns :
second-dns :
*******************************************************************************
-------------------------------------------------------------------------------
2-36

IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
The above output indicates that the user is on line.
2.4.6 DHCP+WEB Authentication Configuration Instance (Relay

Mode)
Overview
As shown in Figure 2-13, the address of the VBUI interface on the ZXR10 M6000 is 6.6.1.1.
The ZXR10 M6000 connects to the WEB Server through the fei-0/1/0/11 interface. After
PC1 sends an access attempt, it is required to implement a DHCP+WEB authentication
as required.
Figure 2-13 Network Topology of DHCP+WEB Authentication (Relay Mode)
Configuration Flow
1. Configure ordinary DHCP access.
2. Enable WEB authentication on a VCC.
3. Configure related attributes of portal services, and configure a WEB Server, a WEB
ACL and WEB-page push authentication. Bind the configuration to the VBUI interface.
4. Configure authentication template (local authentication or RADIUS authentication).
5. Configure ip-pool, ip dhcp pool, ip dhcp policy on DHCP Server, and configure a static
route to the VBUI interface.
2-37

1. Configure ordinary DHCP on the ZXR10 M6000:
/*Configure the address of the interface connecting to the WEB Server*/

ZXR10(config)#dhcp
2-38

2. Configure attributes of the WEB Server.
ZXR10(config-submanage)#web-server 1
ZXR10(config-submanage-websvr-1)#http-param uas-id 1234
ZXR10(config-submanage-websvr-1)#http-param uas-name zte
ZXR10(config-submanage-websvr-1)#http-param user-name msg
/*The address of the WEB Server*/
ZXR10(config-submanage-websvr-1)#url http://172.16.1.1:88/LoginOn.jsp
/*URL of the redirect page*/
/*Configure an address of the interface for the ZXR10 M6000 connecting to the
WEB Server*/
ZXR10(config-submanage-websvr-1)#version v2 key zte
ZXR10(config-submanage-websvr-1)#exit
3. Configure an ACL for WEB-page push authentication to forward packets.
ZXR10(config-vbui-if)#web-server 1 /*Bind the WEB Server*/
ZXR10(config-vbui-if)#web-force authentication /*WEB-page push authentication*/
ZXR10(config-vbui-if)#web-acl zte
/*Configure an ACL to define the criteria for sending or receiving packets*/
4. Configure WEB authentication.
ZXR10(config-submanage)#local-subscriber zte domain-name domain1 password 123
ZXR10(config-submanage-local-sub)#end
2-39

5. Configure on ZXR10 M6000 Server:
R2(config)#interface fei-0/1/0/9
R2(config-if-fei-0/1/0/9)#ip address 1.1.1.1 255.255.255.0
R2(config-if-fei-0/1/0/9)#exit


R2(config)#dhcp
R2(config)#enable
R2(config-dhcp)#interface fei-0/1/0/9
R2(config-dhcp-if-fei-0/1/0/9)#mode server
R2(config-dhcp-if-fei-0/1/0/9)#policy dhcppolicy
R2(config-dhcp-if-fei-0/1/0/9)#exit
R2(config)#ip route 6.6.1.0 255.255.255.0 1.1.1.2
Verification
Check the DHCP+WEB authentication configuration.
Run the show running-config portal command to check the WEB Server configuration.
ZXR10 (config)# show running-config portal
! <PORTAL>
subscriber-manage
web-server 1
ip-addr 172.16.1.1.
url http://172.16.1.1:88
2-40

version v2 key zte

$
$
!</PORTAL>
Run the show configuration submanage web-server to check the status and attributes of the
WEB Server configuration, as shown below.
ZXR10#show configuration submanage web-server
Portal server-id 1:
ip-addr : 172.16.1.1
backupIp 1: 0.0.0.0
backupIp 2: 0.0.0.0
backupIp 3: 0.0.0.0
backupIp 4: 0.0.0.0
backupIp 5: 0.0.0.0
udp-port : 50100
url : http://172.16.1.1
http-para:
uas-name : zte
user-name : msg
uas-id : 1234
user-mac-key :
Run the show configuration submanage listening-port command to check the status of the
listening port for the WEB Server, as shown below.
Run the show subscriber ipox interface command, and verify that the user is on line.
ZXR10 (config)#show subscriber ipox interface fei-0/1/0/10
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-name :zte
2-41

session-id :0
internal-vlan :0
external-vlan :0
sibprofileid :0
create-time :2011/08/08 14:18:38
online-time :16
charge-status :NORMAL
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :6.6.1.1
second-dns :0.0.0.0
*******************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
2-42

Chapter 3
IP-HOSTv4 Configuration
Table of Contents
IP-HOSTv4 Overview .................................................................................................3-1
Configuring IP-HOSTv4..............................................................................................3-3
Example: IP-HOSTv4 Configuration ...........................................................................3-6
3.1 IP-HOSTv4 Overview

IP-HOSTv4 Introduction
With the development of network services, various applications are launched. The DHCP
can solve the problem of address resource assignment to a good extent. Therefore, there
are many DHCP-based services. However, in practical applications, many subscribes
require to use fixed addresses and configure addresses statically. For such requirements,
the IP-HOST access function is introduced.
In the situation when subscribers want to use fixed IP addresses and operators hope to
manage addresses, IP-HOST type is the best choice. IP-HOSTv4 subscribers only need to
configure fixed IP addresses, gateways and Domain Name Server (DNS), and they do not
need to dial in. This provides an easy and convenient way. For an IP-HOSTv4 subscriber,
an Address Resolution Protocol (ARP) message is sent by the host on its own initiative
during the host boot-strap, which triggers the IP-HOSTv4 subscriber to come online. After
passing the authentication, the subscriber is allowed to access the network. When the
subscriber falls offline, the address is kept for this subscriber so that the subscriber can
still use this address upon the next login.
Administrators can determine whether to configure authentication, authorization, active
detection and MAC binding according to different requirements.
IP-HOSTv4 Typical Network Structure

Figure 3-1 shows a typical network structure for IP-HOSTv4 services. Several static
subscribers can be accessed at the same time. At present, the entire ZXR10 M6000
supports a maximum of 32K IP-HOST subscribers. Each board supports up to 4K
IP-HOST subscribers.
3-1

Figure 3-1 Network Structure for IP-HOST Services
Before an IP-HOSTv4 subscriber comes online, it is necessary to configure an IP-HOSTv4

subscriber on the ZXR10 M6000 according to requirements. It is allowed to set a
subscriber in a certain address range to a static IP-HOSTv4 subscriber. When an
IP-HOSTv4 subscriber is set, a MAC address can be specified to be bound to this
subscriber. The IP addresses of the static subscriber should already exist in the
pre-configured address pool.
If the connection between a client and the device is working properly, the client sends
an ARP request when an IP-HOSTv4 subscriber attempts to access the network. After
receiving the request, the ZXR10 M6000 searches the matched record and, if a match is
found, it implements authentication, authorization and online handling on the subscriber.
There are two IP-HOSTv4 subscriber authentication modes, RADIUS authentication and
local authentication. The ZXR10 M6000 chooses the matching authentication mode
according to the domain name configuration information. If no domain name is configured,
authentication is not performed. The authentication and authorization flows are similar to
those of the IPoE.
IP-HOSTv4 Working Flow

According to the active/passive role that the subscribers take on in network access, there
are two modes. One mode is that subscribers send ARP requests on their own initiatives,
the other mode is that the ZXR10 M6000 sends ARP requests on its own initiative. The
working flows of the two modes are different, as described respectively.
A PC connects to an interface on the ZXR10 M6000 directly or through a switch, and then
connects to the Internet. In the scenario where the subscriber sends an ARP request on
his own initiative, the working flow is described below.
3-2

Chapter 3 IP-HOSTv4 Configuration
1. When receiving the ARP request from the subscriber, the ZXR10 M6000 determines
whether the subscriber has been configured, and then it compares whether the
subscriber information in the ARP request is the same as that stored on the device. If
a match is found, the subscriber is legal and allowed to come online.
2. The ZXR10 M6000 authenticates the subscriber, obtains related authorization
information, and then sends a reply to acknowledge the ARP request.
3. After related data is sent, the subscriber comes online.
The PC connects the an interface on ZXR10 M6000 directly or through a switch, and then
connects to the Internet. In the scenario where the ZXR10 M6000 device sends an ARP
request on its own initiative, the working flow is described below.
1. The active detection function should have been configured for the IP-HOSTv4
subscriber. The ZXR10 M6000 broadcasts an ARP request on its own initiative.
2. The subscriber receives the ARP request, and then sends a reply.
3. The ZXR10 M6000 receives the ARP reply. The procedure of coming online is the
same as that in the scenario where the subscriber sends an ARP request on his own
initiative.
4. If there is no reply within the permitted number of detections, the ZXR10 M6000 stops
sending the ARP requests. If the subscriber gets online before the detection timer
runs out, ZXR10 M6000 sends an ARP unicast message.
3.2 Configuring IP-HOSTv4

This procedure describes how to configure IP-HOSTv4.
Steps

mode.
2 ZXR10(config-if-interface-name)#ip address Sets an IP address and mask

<ip-address><net-mask> for the interface.
2. Configure the authentication template and authorization template.
1 ZXR10(config)#subscriber-manage Enters subscriber

management configuration
mode.
2 ZXR10(config-submanage)#authentication-template Creates an authentication

<authen-template-name> template.
3-3

3 ZXR10(config-submanage-authen-template)#aut Specifies the authentication

hentication-type {none | local | radius | local-radius | mode.
radius-local | radius-none}
4 ZXR10(config-submanage)#authorization-template Creates an authorization

<author-template-name> template.
5 ZXR10(config-submanage-author-template)#authori Specifies the authentication

zation-type {none | radius | mix-radius} type.

management mode.
2 ZXR10(config-submanage)#domain <domain-name> Creates a user domain (name:

domain-name).

authentication-template <authen-template-name> template.
4 ZXR10(config-submanage-domain)#bind Binds an authorization

authorization-template <author-template-name> template.
5 ZXR10(config-submanage)#local-subscriber <sub-name> Creates a local user.

domain-name <domain-name> password <password>
1 ZXR10(config)#vbui-configuration Enters vbui configuration

mode.
2 ZXR10(config-vbui)#interface vbui <interface-name> Enters vbui interface

configuration mode.
3 ZXR10(config-vbui-if)#ip-pool pool-name Creates an IP pool, and

<pool-name>[pool-id <pool-id>] specifies its ID and name.
4 ZXR10(config-vbui-ip-pool)#access-domain Binds the domain of the

<domain-name> address pool.
5 ZXR10(config-vbui-ip-pool)#member <number> Specifies the member ID,

range: 1 to 8.
6 ZXR10(config-vbui-ip-pool-number)#start-ip Creates an IP network

<start-ip> end-ip <end-ip> segment in the address pool.
7 ZXR10(config-vbui-ip-pool-number)#static-ip Specifies the IP pool range.

<static-ip>[<end-ip>]
3-4

<start-ip>, <end-ip>: Specifies the start IP address and the end IP address for members
in the address pool. One member can be configured with 4096 IP addresses at most.

mode.
2 ZXR10(config-vcc)#interface <interface-name> Creates a VCC interface,

and then enters its service
configuration mode.
6. Configure IP-HOST users.

mode.
2 ZXR10(config-vbui)#interface vbui <interface-name> Creates a VBUI interface, and

then enters its VBUI service
configuration mode.
3 ZXR10(config-vbui-if)#ip-host [description Creates an IP-HOST user.

<user-description>]<start-ip>[<mac-address>|<end-ip>]<int
erface-name>[vlan <id>[sec-vlan <id>]][author-temp-no
<author-template-number>][user-info <user-name><domai
n-name><password>][detect <count-number>][group-user]
vlan <id>: The vlan-id or outer-layer vlan-id, range: 1 to 4094.

sec-vlan <id>: The inner-layer vlan-id. Range: 1–4094.
<author-template-number>: Name of the authorization template, 1 to 31 characters in
length.
<user-name>: The user name, 1 to 31 characters in length.
<domain-name>: Domain name of the user, 1 to 31 characters in length.

<password>: The user password, 1 to 31 characters in length.
<count-number>: Number of detections, range: 1 to 20.

group-user: speed-restriction flag of the group of users.
Command Function
ZXR10#show subscriber ip-host [statistics | verbose | Shows related information of all

summary [ipv4 | ipv6]] IP-HOSTv4 subscribers.
3-5

Command Function
ZXR10#show subscriber ip-host domain Shows the information of IP-HOST users

{domain-name <domain-name>}[statistics | belonging to the specified domain.
verbose]
ZXR10#show subscriber ip-host ipv4-address Shows the detailed information of

<ipv4-address>[vrf <vrf-name>] IP-HOST users using the specified IPv4
address.
ZXR10#show subscriber ip-host user-name Shows the information of specified

<user-name> domain-name <domain-name>[vrf IP-HOST users.
<vrf-name>][statistics | verbose]
ZXR10#show subscriber ip-host circuit Shows the IP-HOSTv4 subscriber

<interface-name>[vlan <id>[second-dot1q information on a specific circuit.
<id>]][statistics | verbose]
ZXR10#show subscriber ip-host interface Shows the IP-HOSTv4 subscriber

<interface-name>[statistics | verbose] information on a specific interface.
ZXR10#show subscriber ip-host vlan <vlan-id>[secon Shows the information of IP-HOSTv4

d-dot1q <id>][statistics | verbose] subscribers in a specific VLAN.
ZXR10#show subscriber ip-host vrf <vrf-name>[stati Shows the information of IP-HOSTv4

stics | verbose] subscribers in a specific VRF.
3.3 Example: IP-HOSTv4 Configuration

Overview
As shown in Figure 3-2, the ZXR10 works as a BRAS server, and the PC works as a client.
The PC starts a dial-up attempt through the IP-HOST.
Figure 3-2 Basic IP-HOST Network Structure
Configuration Flow
1. Configure a VBUI to be the virtual BRAS user-side interface. Configure an address
pool in VBUI configuration mode, and configure a static address.
2. Configure an interface in VCC configuration mode.
3. Return to VBUI configuration mode, and configure an IP-HOST subscriber on the
VBUI.
3-6

Commands
Configuration on ZXR10:
ZXR10(config)#radius authentication-group 10
ZXR10(config-authgrp-10)#server 1 192.168.107.9 master key uas
ZXR10(config-authgrp-10)#deadtime 0
ZXR10(config-authgrp-10)#user-name-format include-domain
ZXR10(config-authgrp-10)#nas-ip-address 192.168.60.5
ZXR10(config-authgrp-10)#exit
ZXR10(config)#radius accounting-group 10
ZXR10(config-acctgrp-10)#server 1 192.168.107.9 master key uas
ZXR10(config-acctgrp-10)#deadtime 0
ZXR10(config-acctgrp-10)#user-name-format include-domain
ZXR10(config-acctgrp-10)#nas-ip-address 192.168.60.5
ZXR10(config-acctgrp-10)#local-buffer enable
ZXR10(config-acctgrp-10)#exit
ZXR10(config-submanage-authen-template)#authentication-type radius
ZXR10(config-submanage-authen-template)#authentication-radius-group 10
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#accounting-template zte
ZXR10(config-submanage-accounting-template)#accounting-type radius
ZXR10(config-submanage-accounting-template)#accounting-radius-group first 10
ZXR10(config-submanage-accounting-template)#exit
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#bind accounting-template zte
ZXR10 (config-submanage)#exit
ZXR10(config-vbui-if)#ip-pool pool-name iphostpool pool-id 20
3-7

ZXR10(config-vbui-if-ip-pool-member)#static-ip 20.0.0.2
ZXR10(config-vcc)#interface gei-0/3/0/6
ZXR10(config-vbui-if)#ip-host 20.0.0.2 gei-0/3/0/6 user-info IPHOST domain199 123
ZXR10(config-vbui-if)#end
Verification
Check the IP-HOSTv4 subscriber interface configuration, as shown below.
! <UIM>
vbui-configuration
interface vbui20
$
$
vcc-configuration
$
!
! </UIM>
ZXR10#show running-config ip-host
!<IPHOST>
vbui-configuration
interface vbui20
ip-host 20.0.0.2 gei-0/3/0/6 user-info IPHOST domain199 123
$
$
!</IPHOST>
Check the BRAS address pool configuration, as shown below.
! <AM>
vbui-configuration
3-8

interface vbui20
ip-pool pool-name iphostpool pool-id 20
access-domain domain199
member 1
start-ip 20.0.0.1 end-ip 20.0.0.255
static-ip 20.0.0.2
$
$
$
! </AM>
Check the IP-HOSTv4 subscriber information, as shown below.
ZXR10(config)#show subscriber ip-host

*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :15
user-name :IPHOST
mac-address :0069.9600.0001
session-id :0
access-interface :gei-0/3/0/6
internal-vlan :0
external-vlan :0
authentication-mode : RADIUS
eap-type :FALSE
sibprofileid :0
create-time :2012/05/21 10:20:50
online-time :439
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
3-9

subscriber-type :IPv4 HOST

vrf-name :
vpn-id :0
gateway :20.0.0.1
primary-dns :
second-dns :
*******************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
3-10

Chapter 4
PPPoEv4 Configuration
Table of Contents
PPPoEv4 Overview ....................................................................................................4-1
Configuring PPPoEv4.................................................................................................4-3
PPPoEv4 Configuration Examples .............................................................................4-6
4.1 PPPoEv4 Overview

PPPoEv4 Introduction
The PPPoE determines a one-to-one logical relationship on a broadcast network. It adds
an Ethernet header in front of a standard PPP frame. It connects to a remote access device
through a simple bridge access device, and it can connect to several user hosts through
the shared connections of Ethernet.
In such a model, through PPPoE, each subscriber has his or her own PPP stack, access
control, and Type Of Service (ToS). Subscribers can implement online operations on
familiar interfaces. A service provider can establish a unique PPP session with each
access subscriber. Access control and accounting can be executed for each subscriber.
The PPPoE provides the following benefits:
l The installation and operation mode are similar to those in a dial-up network.
l No configuration is needed on the XDSL modem of subscribers.
l Allowing several subscribers to share the same high-speed data access link.
l Meeting the requirements of small-scale enterprises and telecommuting.
l Terminal users can access several Internet Service Providers (ISPs). The dynamic
service selection function makes ISPs provide new services more easily .
l Compatible with all current XDSL Modem and Digital Subscriber Line Access
Multiplexer (DSLAM).
l Compatible with ISP access structures.
PPPoEv4 Work Flow

Figure 4-1 shows the communication flow of PPPoEv4 .
4-1

Figure 4-1 PPPoE Communication Flow
In general, a successful PPPoE access is divided into two states, the discovery stage and
the session stage. The functions of the two stages are described below.
1. The discovery stage is to establish a link layer connection between the host and the
BRAS device (to discover the MAC of the BRAS device), and generate a PPPoE
session ID. The session ID is carried along with the PPP dial-up service until the
session ends.
2. The session stage is responsible for negotiation of data-link layer parameters
(including authentication and Maximum Receive Unit (MRU)) and negotiation of
network-layer parameters (including IP address).
The procedure of the PPPoE discovery is described below.
1. A host broadcasts a PADI message on the Ethernet. The message contains the ToS
information that the host expects.
2. After all BRAS devices on the Ethernet receive the message, they compare the service
requested in the message with the service that can be provided by themselves. The
access concentrator that provides the service requested by the host replies a PADO
message.
3. The host may receive PADO messages from several BRAS devices. The host selects
an access concentrator that can provide the service among the access concentrators
that replies a PADO message according to the information in the message and
certain conditions. Then the host sends a PADR unicast session request message
that contains the information of the requested service.
4. After the BRAS device receives the PADR message, it replies a PADS message that
contains a session ID that identifies the PPPoE session between the BRAS device
and the host uniquely.
After the discovery stage ends, the session stage begins. Once entering the PPPoE
session stage, the host and the access concentrator send PPP data according to PPP
and negotiate parameters.
4-2

Chapter 4 PPPoEv4 Configuration
The packets transmitted in this stage must keep session ID fixed in the discovery stage.
At the two ends of the PPP session, there are peer entities. Either entity can begin or
end a connection. The establishment of a PPP connection includes LCP negotiation, user
authentication and IP Control Protocol (IPCP) negotiation.
LCP negotiation is responsible for the attribute negotiation of the link between the host and
the access server. The attributes include:
l MRU
l The authentication protocol used in the authentication stage (PAP or CHAP)
l Whether to use the magic number option
l Whether to compress the protocol field
l Whether to compress the address field and the control field
The PPP supports PAP authentication and CHAP authentication. After the authentication
ends, IPCP negotiation begins. It is mainly to negotiate the network address. The PPPoE
IPCP procedure is similar to the LCP procedure. The difference is that LCP requests the
link layer options while IPCP requests the network layer option.
4.2 Configuring PPPoEv4

This procedure describes how to configure PPPoEv4.
Steps

mode.

mode.

<ip-address><net-mask> mask.

mode.
2 ZXR10(config-submanage)#authentication-template Enters authentication template

<authen-template-name> configuration mode.
3 ZXR10(config-submanage-authen-template)#aut Specifies the authentication

hentication-type {none | local | radius | local-radius | type.
4-3

4 ZXR10(config-submanage-authen-template)#max-ses Sets the maximum number of

sion <num> sessions, range: 1 to 256000.
5 ZXR10(config-submanage)#authorization-template Enters authentication template

<author-template-name> configuration mode.
6 ZXR10(config-submanage-author-template)#authori Specifies the authorization

zation-type {none | mix-radius | radius} mode.
7 ZXR10(config-submanage)#accounting-template Enters accounting template

<acct-template-name> configuration mode.
8 ZXR10(config-submanage-accounting-template)#acc Specifies the accounting type.

ounting-type {none | radius}
9 ZXR10(config-submanage)#domain <domain-name> Creates a domain, and enters

domain configuration mode.
The domain number range is
1 to 2000.
10 ZXR10(config-submanage-domain)#bind <template> Binds an authentication

template, an accounting
template, an authorization
template or a security
template.
1 ZXR10(config)#interface vbui <vbui-interface> Creates a VBUI interface,

and enters VBUI configuration
mode.

<ip-address><net-mask> mask on a VBUI interface.

mode.
4 ZXR10(config-vbui)#interface vbui <vbui-interface> Enters VBUI interface

configuration mode.
5 ZXR10(config-vbui-if)#ip-pool pool-name Sets an IP address pool.

<pool-name>[pool-id <pool-id>]
6 ZXR10(config-vbui-ip-pool)#access-domain Sets an access domain.

<domain-name>
7 ZXR10(config-vbui-ip-pool)#member <member-id> Sets an address pool member.
8 ZXR10(config-vbui-ip-pool-member)#start-ip Sets the addresses in the

<start-ip> end-ip <end-ip> address pool.
4-4

<pool-name>: Name of the IP pool, 1 to 31 characters in length.

<pool-id>: ID of the IP pool, range: 1 to 4096.
<member-id>: ID of the IP pool member, range: 1 to 16. One address pool supports a
maximum of 16 members.
<start-ip>, <end-ip>: Start IP address and end IP address of an IP pool member. One
member supports a maximum of 4096 IP addresses.
4. Configure a subscriber.

mode.
2 ZXR10(config-submanage)#local-subscriber <sub-name> Creates a local subscriber,

domain-name <domain-name> password <password> and specifies the username,
password and the domain
which the subscriber belongs
to.
<sub-name>: Name of the local subscriber, 1 to 127 characters in length.

<password>: Password for the local subscriber, 1 to 31 characters in length.
<domain-name>: Name of the domain which the subscriber belongs to, 1 to 31

characters in length.
5. Configure a user-side circuit.

mode.
2 ZXR10(config-submanage)#pppox-cfg <pppox-template- Creates a PPPoX template,

num> and enters PPPoX
configuration mode.
3 ZXR10(config-submanage-pppox)#ppp authentication Sets the authentication mode

{chap | pap | pap-chap | mschapv1 | mschapv2} for the PPPoX template.
4 ZXR10(config-submanage-pppox)#ppp check-magic-nu Enables PPP magic number

mber check.
5 ZXR10(config-submanage-pppox)#ppp keepalive timer Sets the PPP keepalive timer

<time-value> count <count-value> for the interface.
6 ZXR10(config-submanage-pppox)#ppp mru Sets the MRU for the PPP

<mru-value> link.
4-5

7 ZXR10(config-submanage-pppox)#pppoe ac-name Sets the ac-name information

<ac-name> that is sent to the PPPoE
dial-up software through a
circuit interface.

mode.
9 ZXR10(config-vcc)#interface <interface-name> Enters VCC interface service

configuration mode.
10 ZXR10(config-vcc-if)#encapsulation {ppp-over-ethe Sets the encapsulation type

rnet | multi} to PPPoE or multi for the
interface.
11 ZXR10(config-vcc-if)#pppox template Binds a PPPoX template to

<pppox-template-num> the interface.
<time-value>: Keepalive time (in seconds) for the PPPoX template, in the unit of
second, range: 10 to 14400.
<count-value>: Keepalive number for the PPPoX template, range: 1 to 10.
<mru-value>: MRU (in bytes) of the PPPoX template, range: 128 to 1492.
Command Function
ZXR10#show running-config aim Shows the configuration in subscriber

management mode.
ZXR10#show running-config am Shows the address pool information for

the VBUI interface.
ZXR10#show running-config uim Shows the VBUI and VCC configuration.
ZXR10#show running-config pppox Shows the PPPoX template configuration.
4.3 PPPoEv4 Configuration Examples

4.3.1 Example: PPPoEv4 Configuration
Overview
The basic network structure can be considered as a host directly connecting to the Ethernet
interface of the BRA, see Figure 4-2. There may be some intermediate Layer-2 devices
4-6

(such as HUB or LAN switch) between the host and the BRAS. Packets passing through
Layer-2 devices do not undergo any changes or encapsulation.
Figure 4-2 Basic PPPoE Network Structure
Configuration Flow
1. Configure an IP address on the network-side interface fei-0/10/1/2.
2. Configure an authentication template, an authorization template and an accounting
template, and bind them to a domain. Configure a PPPoE template and configure
related PPP attributes in the template.
3. Configure a user-side interface, and configure an address pool on the VBUI interface.
Bind the address pool with the domain.
4. Configure a subscriber through the RADIUS software.
5. Bind the PPPoE template to the VCC interface.
1. The network-side interface configuration is as follows:
2. The domain configuration is as follows:
ZXR10(config-authgrp-10)#server 1 192.168.112.111 master key zte
4-7

ZXR10(config-submanage)#pppox-cfg 199
ZXR10(config-submanage-pppox)#ppp authentication pap
ZXR10(config-submanage-pppox)#exit
3. The user-side interface configuration is as follows:
ZXR10(config-vbui-if)#ip-pool pool-name pool199 pool-id 199
ZXR10(config-vbui-ip-pool)#access-domain domain199
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 1.1.1.1
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 2.2.2.2 second
ZXR10(config-vbui-ip-pool)#member 1
ZXR10(config-vbui-ip-pool-member)#start-ip 199.1.1.2 end-ip 199.1.2.1
ZXR10(config-vbui-ip-pool-member)#exit
4. The user-side circuit configuration is as follows:
ZXR10(config-vcc-if)#pppox template 199
ZXR10(config-vcc-if)#encapsulation ppp-over-ethernet
ZXR10(config-vcc-if)#end
Execute the show subscriber pppox command, and verify that the subscriber is online, as
shown below.
4-8

ZXR10(config)#show subscriber pppox

*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :16
user-name :PPPOE
mac-address :0010.9400.0001
session-id :1
internal-vlan :0
external-vlan :0
authentication-mode :RADIUS
eap-type :FALSE
sibprofileid :0
create-time :2012/05/21 14:21:45
online-time :19
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 PPPox
vrf-name :
vpn-id :0
gateway :199.1.1.1
second-dns :2.2.2.2
*******************************************************************************
-------------------------------------------------------------------------------
4-9

IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
4.3.2 Example: PPPoEoVv4 Configuration

Overview
The PPPoEoVv4 service work as follows:
1. Upon arrival of a PPP message, the Ethernet port of the user host encapsulates it into
a PPPoE message, and forwards the message to the LAN Switch.
2. Upon receipt of the PPPoE message, the LAN Switch marks it as VLAN, and forwards
the message (called PPPoEoV message) to the BRAS.
The basic network structure for implementing the PPPoEVv4 service can be considered
as a host connecting to Ethernet port of the BRAS through a 802.1Q-compliant switch, see
Figure 4-3.
Figure 4-3 Basic PPPoEoVv4 Network Structure
Configuration Flow
1. Configure an IP address on the network-side interface fei-0/10/1/2.
template, and bind them to a domain. Configure a PPPoE template, and configure
related PPP attributes in the template.
3. Configure a user-side interface, and configure an address pool for the VBUI interface.
Bind the address pool to the domain.
4-10

5. Bind the PPPoE template to the VCC interface.
1. The network-side interface configuration is as follows:
2. The domain configuration is as follows:
ZXR10(config-submanage-accounting-template)#accounting-type none
3. The user-side interface configuration is as follows:
4-11

4. The user-side circuit configuration is as follows:
ZXR10(config)#interface fei-0/10/1/1.1
ZXR10(config-if-fei-0/10/1/1.1)#exit
ZXR10(config-vcc)#interface fei-0/10/1/1.1
ZXR10(config)#vlan-configuration
ZXR10(config-vlan)#interface fei-0/10/1/1.1
ZXR10(config-vlan-if-fei-0/10/1/1.1)#encapsulation-dot1q 100
/*It also can be set to a QinQ interface.*/
ZXR10(config-vlan-if-fei-0/10/1/1.1)#end
Execute the show subscriber pppox command, and verify that the subscriber is online, as
shown below.
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :17
user-name :PPPOE
mac-address :0010.9400.0001
session-id :2
access-interface :fei-0/10/1/1.1
4-12

internal-vlan :0
external-vlan :100
eap-type :FALSE
sibprofileid :0
create-time :2012/05/21 14:28:32
online-time :12
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :199.1.1.1
second-dns :2.2.2.2
*******************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
4-13

4.3.3 Account Sharing Configuration Example

Figure 4-4 illustrates a sample network topology that allows multiple PC users to start
dial-up connections by using the same account simultaneously.
Figure 4-4 Account Sharing Configuration Example
Configuration Flow
1. Configure the IP address of the fei-0/10/1/2 interface on the network side.
2. Configure an authentication template, an authorization template, and an accounting
template, and associate them with a domain. Configure a PPPoE template, and set
the related PPP attributes in the template.
Associate the address pool with the domain.
4. Configure users on the RADIUS server.
5. Associate the VCC interface with the PPPoE template.
6. Enable account sharing in the domain.
1. Run the following commands on the ZXR10 M6000 to configure a network-side
interface:
2. Run the following commands on the ZXR10 M6000 to configure a domain:
4-14


ZXR10(config-submanage)#authorization-template 199
ZXR10(config-submanage)#accounting-template 199
ZXR10(config-submanage-domain)#account-share enable
/*Enables account sharing*/
3. Run the following commands on the ZXR10 M6000 to configure a user-side interface:
4-15


ZXR10(config-vbui-ip-pool)#exit
4. Run the following commands on the ZXR10 M6000 to configure a VCC:
ZXR10(config-fei-0/10/1/1)#exit
ZXR10(config-vcc-if)#end
Run the show subscriber pppox user-name command to check whether multiple users with
the same username have come online. The execution result is displayed as follows:
ZXR10(config)#$iber pppox user-name PPPOE domain-name domain199 statistics
-------------------------------------------------------------------------------
IPv4 4 4 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 4 4 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
4.3.4 Exact Binding Configuration Example

Figure 4-5 shows a sample network topology where exact binding is configured in the
local-subscriber. In this topology, only the users meeting the exact binding requirements
can come online.
4-16

Figure 4-5 Exact Binding Configuration Example
Configuration Flow
the related PPP attributes in the template. Configure local users.
2. Configure exact binding information in the local-subscriber.
ZXR10(config-submanage)#local-subscriber pppoeee domain-name domain199

password 123
2. Run the following commands on the ZXR10 M6000 to configure exact binding:
ZXR10(config-submanage)#local-subscriber pppoeee domain-name domain199
password 123
ZXR10(config-submanage-local-sub)#cir-bind bras 0 0 0 2 vlan 1 secondvlan
4-17

100
ZXR10(config)#interface gei-0/0/0/2.1
ZXR10(config-gei-0/0/0/2.1)#exit
ZXR10(config-vcc)#interface gei-0/0/0/2.1
ZXR10(config-vlan)#interface gei-0/0/0/2.1
ZXR10(config-vlan-if-gei-0/0/0/2.1)#qinq range internal-vlan-range 1-200
external-vlan-range 1
ZXR10(config-vlan-if-gei-0/0/0/2.1)#end
Run the show subscriber pppox command to check whether subscribers have come
online. The execution result is displayed as follows:
ZXR10#show subscriber pppox

**************************************************************************
--------------------------------------------------------------------------
Basic Information
4-18

-------------------------------------------------------------------------------
user-identify :16
user-name :pppoeee
mac-address :0010.94ab.8801
session-id :8
access-interface :gei-0/0/0/2.1
internal-vlan :100
external-vlan :1
eap-type :FALSE
sibprofileid :0
create-time :2011/04/05 09:17:43
online-time :14
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------
IPv4 Information
--------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :199.1.1.1
second-dns :2.2.2.2
**************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
4-19

ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
It can be seen that one subscriber fails to establish a dial-up connection through the
gei-0/0/0/2.1 interface associated with the VCC, outer-VLAN 2, and inner-VLAN 50,
while the other subscriber successfully establishes a dial-up connection through the
gei-0/0/0/2.1 interface, outer-VLAN 1, and inner-VLAN 100.
4.3.5 Example of the Multi-Level Domain Name Resolution

Configuration
Figure 4-6 shows a sample network topology where multi-level domain name resolution is
configured. In this topology, users are allowed to establish dial-up connections by using
the usernames carrying domain name delimiters.
Figure 4-6 Example of the Multi-Level Domain Name Resolution Configuration
Configuration Flow
related PPP attributes in the template. Configure local users.
2. Configure the multi-level domain name resolution direction.
4-20

ZXR10(config-submanage)#domain zte
ZXR10(config-submanage)#domain kaka@zte
ZXR10(config-submanage)#local-subscriber uu domain-name kaka@zte password

123
ZXR10(config-submanage)#local-subscriber uu@kaka domain-name zte password
123
2. Run the following commands on the ZXR10 M6000 to configure the direction of
multi-level domain name resolution:
ZXR10(config-submanage)#domainname-parse-direction right-to-left
ZXR10(config-vbui-ip-pool)#access-domain zte
ZXR10(config-vbui-ip-pool)#access-domain kaka@zte
4-21


ZXR10(config-gei-0/0/0/2.1)#exit
ZXR10(config-vlan-if-gei-0/0/0/2.1)#qinq range internal-vlan-range 1-200
external-vlan-range 1
ZXR10(config-vlan-if-gei-0/0/0/2.1)#end
A subscriber attempts to start a dial-up connection through the gei-0/0/0/2.1 interface
(associated with the VCC) by using uu@kaka@zte. Run the show subscriber command
to check the domain name resolution result, username information, and whether the
subscriber has come online. The execution result is displayed as follows:
**************************************************************************
--------------------------------------------------------------------------
Basic Information
--------------------------------------------------------------------------
user-identify :18
user-name :uu@kaka /*username*/
domain-name :zte /*domain name*/
local-domain-name :zte
authorize-domain-name :zte
mac-address :0010.94ab.cc01
session-id :12
internal-vlan :100
external-vlan :1
eap-type :FALSE
sibprofileid :0
4-22


create-time :2011/04/05 10:25:00
online-time :478
vpdnAcctClass :
route-map-name :
--------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :199.1.1.1
second-dns :2.2.2.2
**************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
After the domainname-parse-direction right-to-left command is executed, the domain name

resolution direction is from right to left. This means that, for uu@kaka@zte, the domain
name is zte, and the username is uu@kaka.
After the subscriber goes offline, delete the configured multi-level domain name resolution
direction.
ZXR10(config-submanage)#no domainname-parse-direction
The subscriber attempts to start a dial-up connection through the gei-0/0/0/2.1 interface by
using guu@kaka@zte again. Run the show subscriber command to check the domain
name resolution result and whether the subscriber has come online.
ZXR10(config-submanage)#show subscriber pppox

**************************************************************************
4-23

--------------------------------------------------------------------------
Basic Information
--------------------------------------------------------------------------
user-identify :19
user-name :uu /*username*/
domain-name :kaka@zte /*domain name*/
local-domain-name :kaka@zte
authorize-domain-name :kaka@zte
mac-address :0010.94ab.cc01
session-id :13
internal-vlan :100
external-vlan :1
eap-type :FALSE
sibprofileid :0
create-time :2011/04/05 10:38:49
online-time :8
vpdnAcctClass :
route-map-name :
--------------------------------------------------------------------------
IPv4 Information
--------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :199.1.1.1
second-dns :2.2.2.2
**************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
4-24

-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
After the specified domain name resolution direction is deleted, the default resolution
direction is from left to right. This means that, for uu@kaka@zte, the domain name is
kaka@zte, and the username is uu.
4-25

4-26

Chapter 5
VPDN Configuration
Table of Contents
VPDN Overview .........................................................................................................5-1
Configuring VPDN ......................................................................................................5-5
VPDN Configuration Examples.................................................................................5-10
5.1 VPDN Overview

VPDN Introduction
The VPDN is used to access a public network by using the dial-up function of the
public network (such as Integrated Services Digital Network (ISDN) and Public Switched
Telephone Network (PSTN)) to implement a virtual private network. This provides
access services for enterprises, ISPs and mobile office staffs. The VPDN provides an
economical and effective point-to-point connection mode between remote users and a
private enterprise network.
The VPDN uses a special network communication protocol to construct a secure virtual
private network on a public network. Mobile office staffs can connect to the enterprise
headquarters through a virtual tunnel and the public network. Other users on the public
network cannot pass through the virtual tunnel and access the resources inside the
enterprise network.
The VPDN is implemented by using one of the following modes:
l An Network Access Server (NAS) starts a VPDN connection attempt.
The NAS connects a PPP connection of a user to the VPDN gateway of the
enterprise through a VPDN tunneling protocol, thus establishing a tunnel with the
VPDN gateway. This is invisible for the user. The user only needs to log in once to
access the enterprise network. The enterprise network authenticates the user, and
allocates a private address instead of a public address. In this mode, the NAS needs
to support VPDN and the authentication system needs to support the VPDN attribute.
l A user starts to establish a VPDN connection.

The client of the user establishes a tunnel with the VPDN gateway. In this mode, the
client establishes a connection with the Internet first, and then the client establishes
a tunnel with the VPDN gateway through a special program (such as the L2TP client
supported by the Windows 2000 operating system). The method which the user uses
to connect to the Internet and the place where the user connects to the Internet are not
restricted. No ISP is involved. However, the user needs to install a special program
5-1

(generally on the Windows 2000–based platform), which restricts the platform the user
uses.
In general, the VPDN gateway is a router or a VPDN private server.
Tunnel Technology
Tunnel technology is one of the basic technologies to establish a secure Virtual Private
Network (VPN). It is similar to point-to-point connection technology. It is to establish a
data tunnel on the public network, and transmit packets over this tunnel.
A tunnel is established according to the tunnel protocol. There are Layer–2 tunnel
protocols and Layer–3 tunnel protocols.
l Layer–2 tunnel protocols include L2F, PPP Tunnel Protocol (PPTP) and Layer–2
Tunnel Protocol (L2TP). It is used to encapsulate different network protocols to the
PPP, and then encapsulate the packets into the tunnel protocol. The packets after
dual-layer encapsulation are transmitted according the Layer–2 protocol.
l Layer–3 protocols include General Routing Encapsulation (GRE) and IP Security
Protocol (IPSec). The essential difference between Layer–2 tunnel protocols and
Layer–3 tunnel protocol is that the received packets are encapsulated by using which
protocols.
L2TP is a Layer–2 tunnel protocol drafted by IETF, and is set down by Microsoft, Ascend,
Cisco and 3COM. It combines the advantages of PPTP and L2F. It is accepted by many
corporations, and has become the IETF industrial standard related to Layer–2 tunnel
protocols.
The VPDN technology of ZTE is based on L2TP.
L2TP Network Structure

Figure 5-1 shows the access modes of L2TP.
5-2

Chapter 5 VPDN Configuration
Figure 5-1 Three Access Modes of L2TP
The above figure shows three common construction modes of L2TP. It also shows the
three elements required to construct an L2TP network: L2TP Network Server (LNS), L2TP
Access Concentrator (LAC) and client.
l LNS: It is an VPN server on the L2TP enterprise side. The LNS implements final
authorization and authentication for subscribers, receiving the tunnel from an LAC,
receiving connection requests, and establishing PPP tunnels connecting the LNS and
subscribers.
l LAC: It is an L2TP access device. The LAC provides Authentication, Authorization and
Accounting (AAA) services for different subscriber accesses, establishes connections
for tunnels and sessions, and implements proxy authentication for VPN subscribers. It
is an access device that provides the VPN service on the ISP side. It can be physically
a router supporting L2TP, an access server or a special VPN server.
l Client: It is a dial-up client.
L2TP Overview
The PPP session is carried over an L2TP tunnel session. PPP frames are transmitted over
the tunnel. Figure 5-2 illustrates the encapsulation procedure of the data.
5-3

Figure 5-2 L2TP Encapsulation Procedure of PPP Frames
The above figure shows the position of L2TP in the Transfer Control Protocol/Internet
Protocol (TCP/IP) hierarchic structure. It also shows the stack structure and encapsulation
procedure of an IP packet during the transmission procedure.
1. After receiving a PPP frame from a client, the LAC adds an L2TP header in front of
the PPP frame. The entire L2TP message, including the L2TP header and payload,
is encapsulated by using the User Datagram Protocol (UDP) and then forwarded.
2. The initial end of the L2TP tunnel selects an available UDP port (Port 1701 or another
port), and sends the data to Port 1701 of the destination host.
3. The receiver selects an idle port (Port 1701 or another port) in its system. It sends
its reply to the UDP port of the initial end, and sets its UDP source port to the idle
port. Once a connection is established between the source and destination ends, the
connection keeps unchanged during the life period of the tunnel.
4. When the IP layer receives the UDP packet, it adds an IP header. At this time, the IP
packet contains a second IP packet, but the two IP addresses are different. In general,
the IP address of the subscriber packet is a private address, and the IP address on
the LAC is a public address. Until now, the encapsulation of VPN private data is
completed.
5. On the LNS side, when receiving the L2TP/VPN IP packet, the LNS removes the
IP header, UDP header and the L2TP header, and then it obtains the PPP frame
of the subscriber. It removes the PPP header and then obtain the IP packet. Till
now, the LNS obtains the IP packet of the subscriber. In this way, IP data of the
subscriber is transmitted transparently through a tunnel. At the same time, the entire
PPP header/frame is not changed during the transmission.
Figure 5-3 illustrates the encapsulation structure of a packet.
Figure 5-3 L2TP Packet Encapsulation Structure
5-4

LTS (L2TP Tunnel Switch) Service

L2TP can make the handling of a PPP packet be separated from the L2 circuit terminal.
L2TP tunnel switching can make the terminal of a PPP session be moved to another farther
LSN that may be unknown for the first LAC. This is implemented by using another L2TP
tunnel to transmit the PPP session to another LNS.
Figure 5-4 shows a typical situation of an incoming tunnel switching. A user starts a PPP
session on an LAC. The LAC transmits the L2 session to a TSA over an L2TP tunnel. The
TSA first works as an LNS to establish a tunnel with the LAC on the user side. Then the
TSA determines whether to terminate this PPP session locally or to use a second tunnel
to continue transmitting this PPP session based on the local policy. If the TSA determines
to use a second tunnel to continue transmitting this PPP session, the TSA works as an
LAC again to establish a tunnel with the LNS at the server end. It switches the same PPP
session to the L2TP tunnel that starts from the TSA and ends on the LNS.
Figure 5-4 Typical LTS
Figure 5-5 shows an LTS application.
Figure 5-5 Typical L2TP LTS Application Network Structure
5.2 Configuring VPDN

This procedure describes how to configure VPDN.
5-5

Steps
1. Configure the basic functions of VPDN.
1 ZXR10(config)#vpdn Enters VPDN configuration

mode.
2 ZXR10(config-vpdn)#enable Enables the L2TP function.
3 ZXR10(config)#check-hostname-avp Sets whether to force a check

on the hostname avp during
the tunnel negotiation.
Default: Yes
4 ZXR10(config-vpdn)#tunnel-id base <base tunnel ID> Sets the allocation range of

max <maximum number of tunnel IDs> tunnel IDs of the centralized
device.Default is none.
5 ZXR10(config-vpdn)#vpdn-group <group-name> Creates a VPDN group,

and enters VPDN group
configuration mode.
The VPDN group name
should be 1 to 31 characters
in length.
6 ZXR10(config-vpdn-group)#service-type {lac | lns} Sets the service type of a

VPDN group to LAC or LNS,
default: LAC.
2. Configure the basic attributes of an L2TP tunnel.
1 ZXR10(config-vpdn-group)#local name <local-name> Sets the local name of a

tunnel, 1-31 characters in
length.
If the local name is not set,
the local name of the device
is used.
2 ZXR10(config-vpdn-group)#l2tp hidden Sets the hidden function of a

tunnel.
ZXR10(config-vpdn-group)#l2tp tunnel authentication Enables authentication during

the tunnel negotiation.
ZXR10(config-vpdn-group)#l2tp tunnel password Sets a plaintext password

{<tunnel-password>| encrypted <tunnel-password>} (1–31 characters) or
encrypted password (1–64
characters).
5-6

3 ZXR10(config-vpdn-group)#l2tp tunnel hello Sets the interval (in seconds)

<hello-time> between successive Hello
packets, range: 1 to 3600,
default: 60.
ZXR10(config-vpdn-group)#l2tp tunnel receive-window Sets the number of tunnel

<receive-window-number> control packets that can be
received by the receiving
window, range: 4-10, default:
4.
ZXR10(config-vpdn-group)#l2tp tunnel retransmit Sets the number of attempts to

retries <retry-count> retransmit tunnel negotiation
packets, range: 1-10, default:
5.
ZXR10(config-vpdn-group)#l2tp tunnel retransmit Sets the interval (in seconds)

timeout <timeout-interval> for retransmitting tunnel
negotiation packets, range: 1
to 8, default: 8.
ZXR10(config-vpdn-group)#l2tp tunnel timeout setup Sets the tunnel aging period

<timeout-time> in seconds, range: 5 to 60,
default: 10.
ZXR10(config-vpdn-group)#l2tp tunnel timeout Sets the tunnel idle period in

no-session <no-session-timeout > seconds, range: 1 to 65535,
default: 15.
3. Configure LAC.

mode.
2 ZXR10(config-vpdn)#radius vpdn-group < group-name > Creates a default LAC VPDN

group.
3 ZXR10(config)#vpdn-group <group-name> Enters VPDN group

configuration mode.
4 ZXR10(config-vpdn-group)#source-ip-addr Sets the source IPv4 address

<source-ip-address> of a tunnel.
5-7

5 ZXR10(config-vpdn-group)#initiate-to-ip-addr Sets the destination IPv4

<initiate-ip-address>[priority <priority>] address of a tunnel.
<priority>: Tunnel address
priority, range: 0 to 65535.
Default: 50. The smaller
value, the higher priority.
6 ZXR10(config-vpdn-group)#max-session Sets the maximum number

<max-session-number> of VPDN users, range: 1 to
16000, default: 16000.
7 ZXR10(config-vpdn-group)#max-session-per-tunnel Sets the maximum number

<session-number-per-tunnel> of VPDN users per tunnel,
range: 1 to 16000, default:
16000.
8 ZXR10(config-vpdn-group)#domain <domain-name> Associates an LAC VPDN

group to a domain.
4. Configure LNS.
1 ZXR10(config-vpdn-group)#service-type {lns} Creates an LNS VPDN group.
2 ZXR10(config-vpdn-group)#virtual-template Sets a virtual template for a

<virtual-template-number> VPDN group, and specifies its
number ( range: 1 to 64).
3 ZXR10(config-vpdn-group)#force-local-chap Forces CHAP authentication

on users.
4 ZXR10(config-vpdn-group)#lcp renegotiation {disable | Specifies a LCP renegotiation

always | on-mismatch} mode.
always: Ignores
proxy-authentication result,
and forces re-renegotiation.
disable: Disables LCP
renegotiation.
on-mismatch: Performs
renegotiation after
proxy-authentication fails.
5 ZXR10(config-vpdn-group)#terminate-from hostname Sets the name of a terminal

<hostname> LAC device.
A LNS selects a VPDN group
according to this name.
5-8

6 ZXR10(config-vpdn)#default vpdn-group <group-name> Sets a default VPDN group.

If no matched VPDN group is
found, the user goes online as
the VPDN group.
7 ZXR10(config-vpdn-group)#lns-send-sli Sets whether PPP attributes

are allowed to be negotiated
again when an LNS session
is online.
8 ZXR10(config-vpdn-group)#vrf <vrf-name> Configures VRF for the LAC

tunnel. Instructs the LNS to
match the VPDN group based
on the VRF for the access
interface.
9 ZXR10(config)#ppp Enters PPP configuration

mode.
10 ZXR10(config-ppp)#interface virtual_template<num> Enters virtual interface in the

PPP mode.
11 ZXR10(config-ppp-if-virtual_template-num)#keep Configures the PPP keepalive

alive [disable |<times>] duration. Default: 10 seconds.
12 ZXR10(config-ppp-if-virtual_template-num)#ppp Configures the PPP

authentication {chap | pap} authentication mode.
13 ZXR10(config-ppp-if-virtual_template-num)#bind- Binds the platform IP

ip-pool <pool-name> address pool under the
virtual interface.
5. Configure LTS.
1 ZXR10(config-vpdn)#multihop Enables the LTS function.
2 ZXR10(config-vpdn)#tsa-id <tsa-name> Sets the name of an LTS

node.
3 ZXR10(config-vpdn-group)#domain <domain-name> Associates an LAC VPDN

group with a domain.
Command Function
ZXR10#show vpdn session Shows brief information of the VPDN

session.
5-9

Command Function
ZXR10#show vpdn tunnel {brief | local-tunnel-id Shows the VPDN tunnel information.
<tunnel-id>| remote-name <remote-name>|summary |
statistic }
ZXR10#show vpdn failure Shows the offline reason for a VPDN

user.
7. Maintain VPDN.
Command Function
ZXR10#debug l2tp {all | data | error | event | packet} Shows the L2TP debugging
information.
ZXR10#show debug l2tp Shows the VPDN debugging switch.
5.3 VPDN Configuration Examples

5.3.1 LAC Configuration Example
Figure 5-6 shows the network structure for LAC access.
Figure 5-6 LAC Configuration Example
Configuration Flow
1. Enter subscriber management configuration mode. Configure an authentication
template, configure local authentication for the authentication template, and then exit
to subscriber-manage configuration mode.
2. Create and enter domain configuration mode. Bind the authentication template to the
domain, and enable the tunnel-domain function. Set the alias of the domain, and exit
to subscriber-manage configuration mode.
5-10

3. Configure a local subscriber. Configure the username and password. Exit to

subscriber management configuration mode.
4. Create a PPP template, and then exit to subscriber management configuration mode.
5. Enter the user-side interface, and then run no shutdown. Exit to global configuration
mode.
6. Enter VCC configuration mode, and enter the user-side interface. On interface
gei-0/2/0/2, set the encapsulation mode to PPPoE, and bind the PPP template. Exit
to global configuration mode.
7. Enter the interface connecting to the LNS, and configure an IP address. Exit to global
configuration mode.
8. Enter VPDN configuration mode, and configure a VPDN group. Set the name of the
VPDN group to zte. Configure the destination IP address, source IP address, local
name and remote name of the tunnel. Disable tunnel authentication.
Configuration on the LAC device:
ZXR10(config-submanage)#domain l2tp
ZXR10(config-submanage-domain)#tunnel-domain enable
/*Configure a local access user lac1@l2tp and password 123*/

ZXR10(config-submanage)#local-subscriber lac1 domain-name l2tp
password 123
/*Configure pppox template*/

/*Configure a vcc*/
5-11

/*Configure an LAC vpdn group*/

ZXR10(config)#vpdn-group zte
ZXR10(config-vpdn-group)#domain l2tp /*Associate to a domain*/
ZXR10(config-vpdn-group)#initiate-to-ip-addr 102.1.1.1
/*IP address of the interface on the LNS*/
ZXR10(config-vpdn-group)#source-ip-addr 102.1.1.2
/*IP address of the interface that the LAC uses to connect to the LNS*/
ZXR10(config-vpdn-group)#local name ztelac
ZXR10(config-vpdn-group)#terminate-from hostname ztelns
ZXR10(config-vpdn-group)#exit
/*Global configuration, enable vpdn*/

ZXR10(config)#vpdn
ZXR10(config-vpdn)#enable
ZXR10(config-vpdn)#exit
Execute the show running-config vpdn all command, and verify that the tunnel attributes
are properly set.
ZXR10(config)#show running-config vpdn all
! <VPDN>
vpdn-group zte
#service-type lac
#ip tcp adjust-mss 1400
#calling-number-format none
domain l2tp
local name ztelac
terminate-from hostname ztelns
#no force-local-chap
#no l2tp hidden
#no l2tp tunnel authentication
#l2tp tunnel hello 60
#l2tp tunnel receive-window 4
#l2tp tunnel retransmit retries 5
#l2tp tunnel retransmit timeout 8
#l2tp tunnel timeout no-session 15
5-12

#l2tp tunnel timeout setup 10

#lcp renegotiation always
#no lns-send-sli
#max-session 16000
#max-session-per-tunnel 16000
source-ip-addr 102.1.1.2
#set-dscp-outer 48
initiate-to-ip-addr 102.1.1.1 priority 50
$
vpdn
#vpdn-mode centralization
#calling-number-avp disable
#calling-number-format class1
#check-hostname-avp
enable
#invalid-peerip-timeout 300
#tid-alloc-mode first
#no multihop
#tunnel-num-per-spu 1000
$
! </VPDN>
The all parameter is used to display the default configuration. The result shows that
VPDN is enabled in global configuration mode. The configuration information (including
the default group) is displayed.
Execute the show vpdn tunnel brief command, and verify that the tunnel has been
established.
ZXR10(config)#show vpdn tunnel brief
LTID RTID RemoteName State RemoteAddr RemotePort Sessions
26566 59221 ztelns Established 102.1.1.1 1701 1
In the above information, "EST" in the "State" column means that the tunnel has been
established successfully.
Execute the show subscriber vpdn lac command, and verify that the subscribes has been
online.
ZXR10(config)#show subscriber vpdn lac
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :20
user-name :lac1
domain-name :l2tp
5-13

local-domain-name :l2tp
authorize-domain-name :l2tp
mac-address :0010.9434.0a01
session-id :14
internal-vlan :0
external-vlan :0
eap-type :FALSE
sibprofileid :0
create-time :2011/04/05 13:58:56
online-time :207
vpdnAcctClass :L2TP
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :VPDN
local-sessionid :1
local-tunnelid :26566
remote-sessionid :123
remote-tunnelid :59221
ipv4-address :
vrf-name :
vpn-id :0
tunnel-vrf-name :
tunnel-vpn-id :0
lac-ipv4-address :102.1.1.2
lns-ipv4-address :102.1.1.1
*******************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
5-14

ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
The above information means that the user is on line.
5.3.2 Example: LTS Configuration

Overview
As shown in Figure 5-7, the ZXR10 M6000 works as an LTS. It is necessary to configure
the L2TP groups corresponding to the LAC and LNS, so that they can serve as a LTS. The
LTS domain configuration is the same as the LAC domain configuration, except that an IP
pool should be specified.
Figure 5-7 Networking Topology for LTS Configuration
Configuration Flow
1. On the one hand, an LTS works as an LNS to respond the tunnel connection request
of the LAC on the user side. On the other hand, the LTS works as an LAC to send a
tunnel connection request to the LNS (or another LTS) on the server side. Therefore,
to configure an LTS, it is necessary to create two L2TP groups. One group works as
an LNS to receive the tunnel connection request sent by the LAC. The other group
works as an LAC to send the tunnel connection request to the LNS.
2. Configure addresses on the interfaces connected to the LAC and the LNS.
3. Create a virtual template in global configuration mode, and enter virtual template
configuration mode. Set the mode to PPP, and bind the template to an interface.
4. Configure domains of the L2TP subscribers.
5. Configure an LAC.
6. Configure an LNS.
Configuration of LTS:
5-15

R2(config)#interface virtual_template20
R2(config-if-virtual_template20)#mode ppp
R2(config-if-virtual_template20)#ip unnumbered gei-0/2/0/1
R2(config-if-virtual_template20)#exit
/*Configure PPP*/
R2(config)#ppp
R2(config-ppp)#interface virtual_template20
R2(config-ppp-if-virtual_template20)#keepalive 20
R2(config-ppp-if-virtual_template20)#ppp authentication pap
R2(config-ppp-if-virtual_template20)#ppp pap sent-username lac1@l2tp password 123
R2(config-ppp-if-virtual_template20)#bind-ip-pool zte
R2(config-ppp-if-virtual_template20)#exit
R2(config-ppp)#exit
R2(config)#vpdn
R2(config-vpdn)#enable
R2(config-vpdn)#multihop /*Enable the LTS function*/
R2(config-vpdn)#tsa-id lts /*Configure the tsa-id of the device*/
R2(config-vpdn)#exit
/*Configure an LNS VPDN group*/

R2(config)#vpdn-group lns
R2(config-vpdn-group)#service-type lns /*Set the service type to LNS*/
R2(config-vpdn-group)#local name lns
R2(config-vpdn-group)#terminate-from hostname ztelac
R2(config-vpdn-group)#virtual-template 20
R2(config-vpdn-group)#exit
/*Configure an LAC VPDN group*/

R2(config)#vpdn-group lac
R2(config-vpdn-group)#domain l2tp /*Associate it to a domain*/
R2(config-vpdn-group)#local name lac
R2(config-vpdn-group)#source-ip-addr 102.1.1.2
R2(config-vpdn-group)#initiate-to-ip-addr 102.1.1.1
R2(config-vpdn-group)#terminate-from hostname ztelns
5-16

R2(config)#subscriber-manage
R2(config-submanage)#authentication-template zte
R2(config-submanage-authen-template)#authentication-type local
R2(config-submanage-authen-template)#exit
R2(config-submanage)#authorization-template zte
R2(config-submanage-author-template)#authorization-type radius
R2(config-submanage-author-template)#vpdn-group lac
R2(config-submanage-author-template)#exit
R2(config-submanage)#domain l2tp
R2(config-submanage-domain)#bind authentication-template zte
R2(config-submanage-domain)#bind authorization-template zte
R2(config-submanage-domain)#exit
R2(config-submanage)#local-subscriber lac1 domain-name l2tp
password 123
R2(config-submanage-local-sub)#exit
R2(config-submanage)#exit
R2(config)#ip pool zte

Run the show vpdn tunnel brief command, and verify that the tunnel state is proper. When
a subscriber is online, the system generates two tunnels automatically. One tunnel is
between the LAC and the LTS. The other tunnel is between the LTS and the LNS.
L2TP Tunnel Infomation
==============================================================================
13928 61336 ztelac Established 101.1.1.1 1701 1
Run the show running-config ppp all command, and verify that the PPP configuration is
proper.
R2(config)#show running-config ppp all

!<ppp>
ppp
interface virtual_template20
keepalive 20
ppp authentication PAP
ppp pap sent-username lac1@l2tp password encrypted dL998qTlIp0HNDR0td3t3A==
5-17

bind-ip-pool zte
!
!</ppp>
Run the show running-config vpdn all command, and verify that the PPP configuration
is proper.
R2(config)#show running-config vpdn all
! <VPDN>
vpdn-group lns
service-type lns
local name lns
terminate-from hostname ztelac
#no l2tp hidden
#no lns-send-sli
local name lns
#max-session 16000
virtual-template 20
#set-dscp-outer 48
$
vpdn-group lac
#service-type lac
domain l2tp
local name lac
#no l2tp hidden
5-18


#no lns-send-sli
#max-session 16000
#service-type lac
initiate-to-ip-addr 102.1.1.1
$
vpdn
#check-hostname-avp
enable
multihop
tsa-id lts
$
! </VPDN>
5.3.3 LNS Configuration Example

As shown in Figure 5-8, the ZXR10 M6000 works as an LNS. A tunnel, between the ZXR10
M6000 and the LAC, provides the access to private enterprise network for subscribers.
Figure 5-8 LNS Configuration Example
Configuration Flow
1. Configure an address pool that assigns addresses to subscribers.
2. Create a virtual template in global configuration mode, and enter the virtual template.
Set the mode to PPP, and bind an interface.
3. Enter subscriber management configuration mode. Configure the domain name,
username and password. Set the domain name to L2T, set the username to lac1,
and set the password to 123.
5-19

4. Enter the virtual template in PPP configuration mode. Set the authentication mode to
PAP and bind the address pool.
5. Enter the interface connecting to the LAC directly, and then configure an IP address.
6. Exit to global configuration mode, and then enter VPDN configuration mode. Configure
a VPDN group. Configure the type of service of the VPDN group. Configure the source
IP address, destination IP address, local name and remote name of the tunnel. Bind
the virtual interface, and disable tunnel authentication.
7. Configure the domain and local user information on the LNS. Ensure that it is the same
as that on the LAC.
Configuration on the LNS device:
/*Configure an IP pool*/
/*Configure a virtual template*/

/*The interface that the LNS uses it to connect to the LAC directly*/
/*Configure PPP*/
R2(config)#ppp
R2(config-ppp)#exit
/*Run the following commands to configure the local authentication database*/

R2(config)#system-user
R2(config-system-user)#user-group special l2tp lac1 123
R2(config-system-user)#exit
/*Configure an LNS VPDN group*/

R2(config)#vpdn
5-20

R2(config-vpdn)#enable /*Enable VPDN*/

R2(config)#vpdn-group zte
R2(config-vpdn-group)#local name ztelns
R2(config-vpdn-group)#end
/*Run the following commands to configure the user authentication template*/

R2(config-submanage-domain)#tunnel-domain enable
/*Run the following commands to configure a local access user/*

/*(username:lac1@l2tp, password: 123)*/
R2(config-submanage)#local-subscriber lac1 domain-name l2tp password 123
Execute the show vpdn tunnel brief command, and verify that the tunnel has been
established.
R2(config)#show vpdn tunnel brief
59221 26566 ztelac Established 102.1.1.2 1701 1
Execute the show running-config vpdn all command, and verify that the VPDN configuration
is proper, as shown below.
R2(config)#show running-config vpdn all
! <VPDN>
vpdn-group zte
service-type lns
local name ztelns
terminate-from hostname ztelac
#no l2tp hidden
5-21


#no lns-send-sli
#max-session 16000
virtual-template 20
#set-dscp-outer 48
$
vpdn
#check-hostname-avp
enable
#no multihop
$
! </VPDN>
Run the show ip local pool command to check whether the address pool is properly set.
The execution result is displayed as follows:
ZXR10(config)#show ip local pool
PoolName Begin End Mask Free Used
zte 135.1.0.1 135.1.255.254 16 65533 1
TotalPool: 1
Run the show subscriber vpdn lns command to check whether the subscriber has come
online. The execution result is displayed as follows:
R2(config)#show subscriber vpdn lns

**************************************************************************
--------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :1086
user-name :lac1
5-22

domain-name :l2tp
mac-address :0000.0000.0000
session-id :0
access-interface :virtual_template20
internal-vlan :0
external-vlan :0
eap-type :FALSE
sibprofileid :0
create-time :2012/07/27 14:34:25
online-time :454
vpdnAcctClass :L2TP
route-map-name :
--------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 L2TP LNS
local-sessionid :123
remote-sessionid :1
vrf-name :
vpn-id :0
**************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
5-23

ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
The output information indicates that the subscriber has come online.
5.3.4 Configuration Example for CGN Flexible Protection Solution

in L2TP Mode
As shown in Figure 5-9, the ZXR10 M6000 device (LAC) operates as the BRAS NAT. When
using the dial-up Internet service, a user is connected to the network through the PPPOE
if the NAT function is normal. If the NAT function becomes unavailable, the user accesses
the network through the L2TP rather than the PPPoE. A channel is established between
the LAC and the LNS, and the user can access the network through this channel.
Figure 5-9 Flexible Protection Solution Example in L2TP Mode
Configuration Flow
1. Configure dynamic PAT conversion.
2. Configure the PPPoE, VCC interface, and PPPoX template.
3. Configure the address pool that contains IP addresses to be allocated to users.
4. Create and enter the virtual template in global mode, set the mode to PPP, and bind
an interface.
5. Enter the virtual template in PPP mode, set the user authentication mode to PAP, and
bind the address pool.
6. Enter configuration mode of the interface directly connected to the LAC, and set its IP
address.
7. Enter VPDN configuration mode, and configure VPDN groups, including the service
type, source IP address of the channel, local end name of the channel, remote end
name of the channel. Bind the virtual interface, and disable the channel authentication
function.
8. Configure the domain and local user information for the LNS end, which should be the
same as those for the LAC end.
Configure the LAC as follows:
/*Configure dynamic PAT conversion*/
5-24

R1(config)#service 0/9/3 cgn_ext enable /*Enable the CGN function of the service board*/
R1(config)#cgn yf 1
R1(config-cgn)#location
R1(config-cgn-location)#node 1 SPU-0/9/3
R1(config-cgn-location)#exit
R11(config-cgn)#cgn-pool dynamic-pat poolid 3 mode pat
R1(config-cgn-patpool)#section 1 203.1.1.1 203.1.1.64
R1(config-cgn-patpool)#exit
R1(config-cgn)#domain 1 1 type bras ipv4-issue
R1(config-cgn-domain)#dynamic source rule-id 1 ipv4-list zte permit pool dynamic-pat
R1(config-submanage)#nat44-service kick-off-subscriber enable
/*Configure the user authentication template*/

/*Configure the user authorization template*/

R1(config-submanage)#authorization-template zte
R1(config-submanage-author-template)#authorization-type mix-radius
R1(config-submanage-author-template)#nat-type inside
R1(config-submanage-author-template)#bind nat-domain-name 1
R1(config-submanage-author-template)#nat44-service unavailable
pppox-switch-to-l2tp vpdn-group zte
/*Use the L2TP when the NAT function fails, which can be configured locally or
configured by the Radius based on the NAT failure flag. Special Radius is required */
R1(config-submanage-domain)#bind authorization-template zte
/*Configure an LAC VPDN group*/

R1(config-vpdn-group)#domain l2tp /*Bind a domain*/
R1(config-vpdn-group)#initiate-to-ip-addr 102.1.1.1
/*Configure the IP address of the interface on the LNS*/
R1(config-vpdn-group)#source-ip-addr 102.1.1.2
/*Configure the IP address of the interface used to connect the LAC and the LNS*/
R1(config-vpdn-group)#local name ztelac
R1(config-vpdn-group)#terminate-from hostname ztelns
5-25

/*Configure a PPPoX template*/

R1(config-submanage)#pppox-cfg 1
R1(config-submanage-pppox)#exit
/*Configure the VCC*/

R1(config)#vcc-configuration
R1(config-vcc)#interface gei-0/2/0/2
R1(config-vcc-if)#encapsulation ppp-over-ethernet
R1(config-vcc-if)#pppox template 1
R1(config-vcc-if)#exit
R1(config-vcc)#exit
/*Enable the VPDN*/

R1(config)#vpdn
R1(config-vpdn)#enable
/*Configure the vbui interface and the address pool for PPPoE access*/
R1(config)#interface vbui118
R1(config-if-vbui118)#ip address 43.2.1.1 255.255.0
R1(config-if-vbui118)#exit
R1(config)#vbui-configuration
R1(config-vbui)#interface vbui118
R1(config-vbui-if)#ip-pool pool-name 118 pool-id 118
R1(config-vbui-if-ip-pool)#access-domain l2tp
R1(config-vbui-if-ip-pool)#pppoe-dns-server 22.222.222.22
R1(config-vbui-if-ip-pool)#member 1
R1(config-vbui-if-ip-pool-member)#start-ip 43.2.1.2 end-ip 43.2.10.2
R1(config-vbui-if-ip-pool-member)#exit
Configure the LAC device as follows:

/*Configure an IP address pool*/
/*Configure a virtual template*/

5-26

/*Configure the interface (of the LNS) used to directly connect to the LAC*/
/*Configure the PPP*/

R2(config)#ppp
R2(config-ppp)#exit
/*Configure the LNS VPDN group*/

R2(config)#vpdn
R2(config-vpdn)#enable /*Enable the VPDN function*/
R2(config-vpdn-group)#local name ztelns
R2(config-vpdn-group)#end
/*Configure the user authentication template*/

/*Add a locally accessed user whose username is lac1@l2tp and password is 123*/
R2(config-submanage)#local-subscriber lac1 domain-name l2tp password 123
If the NAT function fails, and the user starts using the dial-up Internet service, the user type
is VPDN. Run the show running-config vpdn all to query the VPDN configuration.
ZXR10(config)#show running-config vpdn all

! <VPDN>
vpdn-group zte
#service-type lac
5-27

domain l2tp
local name ztelac
#no l2tp hidden
#no lns-send-sli
#max-session 16000
#set-dscp-outer 48
initiate-to-ip-addr 102.1.1.1 priority 50
$
vpdn
#check-hostname-avp
enable
#no multihop
$
! </VPDN>
Parameter all indicates to show default configuration, including whether the VPDN in global
mode is enabled or not, and the default group.
Run the show vpdn tunnel brief command to check whether the channel is established.
If parameter state is Established, the channel is successfully established.

Run the show subscriber vpdn lac command to check whether the user is online.
ZXR10(config)#show subscriber vpdn lac
*******************************************************************************
5-28

-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :20
user-name :lac1
domain-name :l2tp
mac-address :0010.9434.0a01
session-id :14
internal-vlan :0
external-vlan :0
eap-type :FALSE
proxy-flag :
sibprofileid :0
create-time :2011/04/05 13:58:56
online-time :207
vpdnAcctClass :L2TP
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :VPDN
local-sessionid :1
remote-sessionid :123
ipv4-address :
vrf-name :
vpn-id :0
tunnel-vrf-name :
tunnel-vpn-id :0
*******************************************************************************
5-29

-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
The above command output indicates that the user is online.
5-30

Chapter 6
BRAS AAA Configuration
Table of Contents
BRAS AAA Overview .................................................................................................6-1
Configuring BRAS AAA ..............................................................................................6-2
BRAS AAA Configuration Example.............................................................................6-5
6.1 BRAS AAA Overview

BRAS AAA Introduction
All network service providers should solve the problem of how to protect network
resources effectively so that network resources can be used reasonably, and how to
guarantee subscriber benefits in security and reliably. Aiming at this problem, the AAA
service provides a platform for network service providers on which they can manage
subscribers effectively.
AAA controls various subscribers to access different networks to obtain corresponding
application services through authentication, authorization and accounting. An AAA server
provides supports subscriber authentication, authorization and collecting information about
the service uses of the subscribers.
For a service provider, there should be an application interface of a specific mode on an
AAA server. The services provided by this interface should be authorized. In practical
applications, an AAA server has a subscriber database (a system subscriber database or
an independent database system) that contains the initialization information of subscribers.
The database shows the valid attribute values and the rights of each subscriber. Related
operations are performed through the communications between the database and the
client.
l Authentication determines whether a terminal subscriber has the right to access the
network according to the identification attributes of the terminal subscriber. In general,
a terminal subscriber needs to provide a username (the username should be unique in
the authentication system) and a corresponding password. The AAA server compares
the information submitted by the subscriber with the information to be associated and
stored in the database. If the information matches, the login is valid. Otherwise, the
subscriber request is refused.
l After the subscriber passes the authentication, authorization decides the network
access right of the subscriber and the services that the subscriber can use, for
example, providing an IP address, or providing filter of some rule to determine the
6-1

applications and protocols supported. In AAA management mode, authentication

and authorization can be performed together.
l Accounting provides the methods of collecting the network resource use information
of subscribers. The information collected provides the basis for network check,
development and structural readjustment.
BRAS AAA Work Flow

Figure 6-1 shows the components of an AAA solution. Several servers can be used
together as a storage center to store and distribute information.
Figure 6-1 AAA General Frame Diagram
A Network Access Server (NAS) can be a router, a terminal server or a host. It is an ingress
of the network, and works as a client in AAA server mode. The AAA working procedure is
described below.
1. A terminal subscriber sends a request of connecting to the network to the AAA client
(that is, the NAS).
2. The AAA client prompts the subscriber to type in the username and password. Then
it collects and forwards the information to the AAA server.
3. The AAA server executes the program (comparing the information with that in the
database), and then returns a result to the NAS. The result may be acceptance,
rejection or other related information.
4. The AAA client sends the result to the terminal subscriber. The subscriber, if passing
the authentication, is allowed to come online.
6.2 Configuring BRAS AAA

This procedure describes how to configure BRAS AAA.
Steps
1. Configure AAA authentication.
6-2

Chapter 6 BRAS AAA Configuration
1 ZXR10(config)#aaa-authentication-template Creates an AAA

<template-number> authentication template,
and specifies its number
(range: 1 to 2128).
2 ZXR10(config-aaa-authen-template)#aaa-authenticat Specifies an AAA

ion-type {none | local | radius | local-radius | radius-local authentication mode.
| radius-none | tacacs | local-tacacs | tacacs-local |
tacacs-none | diameter}
3 ZXR10(config-aaa-authen-template)#authenticatio Associates the authentication

n-radius-group <number> template with a RADIUS
authentication group.
The range of the RADIUS
authentication group number
is 1 to 2000.
4 ZXR10(config-aaa-authen-template)#authentication- Associates the authentication

tacacs-group <tacacs-server-group-name> template with a TACACS
The TACACS authentication
group name is 1 to 31
5 ZXR10(config-aaa-authen-template)#description Specifies the authentication

<description-str> group name, 1 to 31
2. Configure AAA authorization.
1 ZXR10(config)#aaa-authorization-template Sets a AAA authorization

<template-number> template, and specifies its
number (range: 1 to 2128).
2 ZXR10(config-aaa-author-template)#aaa-authorizati Specifies an AAA

on-type {mix-radius | none | mix-tacacs | radius | tacacs} authorization mode, options:
l mix-radius
l none
3 ZXR10(config-aaa-author-template)#authorization-t Associates the authorization

acacs-group <tacacs-server-group-name> template with a TACACS
The TACACS authentication
group name is 1 to 31
6-3

4 ZXR10(config-aaa-author-template)#description Description information for the

<description-str> authorization template, 1 to 31
3. Configure AAA accounting.
1 ZXR10(config)#aaa-accounting-template Creates the AAA accounting

<template-number> template, and specifies its number
(range: 1 to 2128).
2 ZXR10(config-aaa-acct-template)#aaa-accoun Specifies an AAA accounting type.

ting-type {radius | none | tacacs}
3 ZXR10(config-aaa-acct-template)#accounting- Associates the accounting template

radius-group first <number>[second <number>] with the first and second RADIUS
accounting groups.
The range of the RADIUS
accounting group ID is 1 to 2000.
4 ZXR10(config-aaa-acct-template)#accounting- Associates the accounting template

tacacs-group <tacacs-server-group-name> with a TACACS accounting group.
The TACACS accounting group
name is 1 to 31 characters in length.
5 ZXR10(config-aaa-acct-template)#description Description information for the

<description-str> accounting template, 1 to 31
Command Function
ZXR10#show running-config aaa [all | begin <string>| Shows the AAA configuration.
exclude <string>| include <string>]
ZXR10#show running-config radius [all | begin <string>| Shows the RADIUS configuration.
exclude <string>| include <string>]
5. Maintain BRAS AAA.
Command Function
ZXR10#debug radius [all | accounting | authentication | Shows the subscriber debugging

exeption | user <string>] information.
6-4

6.3 BRAS AAA Configuration Example

Authentication, authorization and accounting can be configured respectively on ZXR10.
l In the authentication template, the following authentication modes can be used:
RADIUS, LOCAL, NONE, RADIUS-LOCAL, RADIUS-NONE, LOCAL-RADIUS.
l In the authorization template, the following authorization modes can be used: Mix-RA-
DIUS, RADIUS and None.
l In the accounting template, the following accounting modes can be used: RADIUS
and None.
In the network structure shown in Figure 6-2, it is required to configure AAA function. The
authentication mode is local, the authorization mode is mix-RADIUS, and the accounting
mode is RADIUS.
Figure 6-2 BRAS AAA Configuration Example
Configuration Flow
1. Configure AAA configuration related to the subscriber.
2. Bind an AAA template to the specified domain.
1. Configuration of AAA related to the subscriber on ZXR10:
Note:
Before the authentication template is associated with the accounting server,
corresponding RADIUS server should has been configured. For the RADIUS server
configuration, refer to the "RADIUS Configuration" chapter.
ZXR10(config-submanage)#authentication-template 2000
6-5

2. Bind the AAA template to the domain.
ZXR10(config-submanage)#domain 2000
ZXR10(config-submanage-domain)#bind authentication-template 2000
ZXR10(config-submanage-domain)#bind authorization-template 20000
ZXR10(config-submanage-domain)#bind accounting-template 2000
ZXR10(config-submanage)#local-subscriber 8888 domain-name 2000 password 123
ZXR10(config-submanage-local-sub)#bind author-template 20000
ZXR10(config-submanage-local-sub)#bind accounting-template 2000
ZXR10(config-submanage)#circuit-map eth-cir external-vlan 0 internal-vlan-range 0
interface fei-0/10/0/7 zte 2000 123
The configuration on ZXR10 is shown below.

! <AIM>
subscriber-manage
authentication-template 2000
$
authorization-template 20000
authorization-type mix-radius
$
accounting-template 2000
accounting-type radius
$
domain 2000
bind authentication-template 2000
bind authorization-template 20000
bind accounting-template 2000
$
local-subscriber 8888 domain-name 2000 password 123 bind author-template 20000
$
circuit-map eth-cir external-vlan 0 internal-vlan-range0
$ /*Circuit subscriber configuration information*/
6-6

! </AIM>
Note:
If local authentication mode is used, and if the subscriber wants to obtain information
related to authentication, authorization and accounting, it is necessary to bind related
templates to the local subscriber.
6-7

6-8

Chapter 7
BRAS RADIUS Configuration
Table of Contents
BRAS RADIUS Overview ...........................................................................................7-1
Configuring BRAS RADIUS ........................................................................................7-3
BRAS RADIUS Configuration Example ....................................................................7-10
7.1 BRAS RADIUS Overview

BRAS RADIUS Introduction
RADIUS is a protocol that carries over authentication, authorization, accounting and
configuration between network access devices and authentication servers. It is one of
the most widely used protocols for authentication, authorization and accounting. RADIUS
has the following features.
l Client/Server structure
An NAS is a RADIUS client. The client is responsible for transmitting subscriber
information to the RADIUS server and then handling the reply of the RADIUS server.
The RADIUS server is responsible for receiving the connection request of a

subscriber, authenticating the subscriber, and then replying the client with the
necessary configuration information in the service provided for the subscriber.
A RADIUS server can work as a proxy client of another RADIUS server or an
authentication server of another type.
l Using the password to ensure network transmission security
A client and a RADIUS server interact to perform authentication for each other
through the password. The password is not transmitted on the network. In addition,
to reduce the possibility that the subscriber password is detect on insecure networks,
the password transmitted between the client and the RADIUS server is encrypted.
l Good scalability
A RADIUS server supports several modes of authentication for subscribers. If a
subscriber provides the username and plaintext password, RADIUS supports PPP
PAP, CHAP and UNIX login.
l Flexible authentication mechanism

Each interaction packet is formed by a triad consisting of three Attribute-Length-Values
with different lengths. The join of new attribute values does not affect the
implementation of the protocol.
7-1

RADIUS is carried over the UDP. The authentication port number defined officially is
1812, and the accounting port number defined officially is 1813.
BRAS RADIUS Network Structure

Figure 7-1 and Figure 7-2 show a typical network structure of RADIUS.
Figure 7-1 Typical Network Structure for RADIUS
Figure 7-2 RADIUS Network with a Proxy Server
There elements involved are as follows:

l Remote client: It is a remote client who needs to access local resources.
l NAS: It is an access server that provides network service for the remote client.
l RADIUS server: It contains a database. It maintains the secure data, including
subscriber identity information, authorization information and access records.
l RADIUS proxy server: RADIUS protocol trunk. For remotely managed subscribers,
RADIUS messages are sent to the target server. For a lower-level RADIUS client, the
RADIUS proxy server acts as the RADIUS server.
A remote client can be a PC or a router. It uses PPP, SLIP or ARAP to access the NAS
through a modem or ISDN. A RADIUS client runs on an NAS, and it interacts with the
secure server through RADIUS to implement the following functions:
l Identity authentication: The RADIUS client provides complete identity authentication
service through different authentication protocols, such as username and password,
and challenge response.
l Accounting: The RADIUS client collects the information of the access network of
a subscriber to the RADIUS server. The information includes the time when the
subscriber logs in and ends the session, execution commands and traffic statistics
7-2

Chapter 7 BRAS RADIUS Configuration
(counter of IP packets and counter of bytes). The information can be used as the
basis of accounting and security audit.
The brief working flow between a RADIUS server, a RADIUS client and a subscriber is
described below:
1. The remote client sends an authentication or authorization request to the NAS (that is,
the RADIUS client).
2. The RADIUS client forms authentication or authorization packets according to the
request of the remote client, and then sends the packets to the RADIUS server for
authentication or authorization.
3. The RADIUS client receives the response packets from the RADIUS server, and
execute authentication or authorization for the remote client.
For the RADIUS server operation flow, refer to the following:

1. Processes the authentication/charging requests from the RADIUS client to
authenticate the validity and extract the authentication and charging information.
2. Authenticates and charges locally managed users and returns the results to the client.
3. For remotely managed users, the proxy server forwards the messages to the remote
server, processes the messages returned by the remote server, and returns the results
to the client.
7.2 Configuring BRAS RADIUS

The ZXR10 M6000 supports the functions of the RADIUS client and the proxy server. But
local authentication is unavailable because the ZXR10 M6000 does not have the user
database. The following procedures describe how to configure the ZXR10 M6000 as a
client and proxy server.
7.2.1 Configuring BRAS RADIUS Client

This procedure describes how to configure BRAS RADIUS client authentication and
accounting.
Steps
1. Configure the basic attributes of a RADIUS authentication group.
1 ZXR10(config)#radius authentication-group Creates a RADIUS authentication group,

<group-number> and enters RADIUS authentication group
configuration mode.
The range of the group number is 1 to
2000.
7-3

2 ZXR10(config-authgrp-number)#algorithm Sets an algorithm for selecting the

{first | round-robin} RADIUS server.
The default algorithm is first.
3 ZXR10(config-authgrp-number)#alias Sets an alias for the RADIUS server

<name-str> group.
2. Configure the basic attributes of a RADIUS accounting group.
1 ZXR10(config)#radius accounting-group Creates a RADIUS accounting group,

<group-number> and enters RADIUS accounting group
configuration mode. The range of the
group number is 1 to 2000.
2 ZXR10(config-acctgrp-number)#algorithm Sets the algorithm for selecting the

{first | round-robin} RADIUS server.
The default algorithm is first.
3 ZXR10(config-acctgrp-number)#alias Sets an alias for the RADIUS server

<name-str> group.
first: selects the current valid server as the authentication/accounting server for a new
calling subscriber.
round-robin: selects the next valid server as the authentication/accounting server for
a new calling subscriber.
alias <name-str>: The alias is a unique ASCII character string. The string can contain
any letter and number, excluding space. The length of the alias is 1 to 31.
3. Configure the calling-station-format and nas-port-id-format fields for the RADIUS
authentication group and accounting group.
The following commands are executed in RADIUS authentication mode. In RADIUS
accounting group mode, the same commands and parameters are used, except for
the configuration mode (ZXR10(config-acctgrp-number)#).
Command Function
ZXR10(config-authgrp-number)#calling-stati Sets the format of the calling-station-id field,

on-format {class1 | class2 | class3 | class4 | class5 1 to 88 characters in length, default: class3.
| user-defined{[ slot] ,[ sub-slot] ,[ port],[ vlan],[
second-vlan],[ mac1],[ mac2],[ mac3],[ mac4],[
mac5],[ mac6]} text <string>}
7-4

Command Function
ZXR10(config-authgrp-number)#nas-port Sets the format of the nas-port-id-format

-id-format {keep-agent-circuit-id | china-tel | field, 1 to 88 characters in length, default:
china-unicom | class1 | class2 | class3 | class4 | class5 china-tel (telecommunication format).
| class6 | class7 | user-defined {[slot] , [sub-slot],
[port], [vlan], [second-vlan]} text <string>}
A description of the parameters in the calling-station-format field is as follows:

class1: Indicates the physical information and MAC information of the user access.
The format of this information is "slot port vpi vci vlanid mac (ASCII, Hex)".
class2: Indicates the physical information of the user access. The format is "slot port
vpi vci vlanid (ASCII, Hex)".
class3: Saves only the MAC address. The format is "xx xx xx xx xx xx".
class4: slot-port format used for Turk Telekom. For ATM access, the format of
“Hostname#shelf/slot/subslot/port#VPI#VCI” is used. For ETH access, the format of
“Hostname# shelf/slot/subslot/port #exVlan:inVlan” is used.
class5: For Nepol telecommunication only. Format is “Hostname/{atm|eth|trunk}
NAS_slot/NAS_subslot/NAS_port: XPI.XCI AccessNodeIdentifier/
ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port[:ANI_xpi.ANI_xci]”.
user-defined: Customizes Calling-Station-Id by using one or all of the following options:
slot, subslot, port, vlan, second-vlan, mac.
A description of the parameters in the nas-port-id-format field is as follows:
china-tel: Indicates China telecommunication format.
china-unicom: Indicates China Unicom format.
class1: The format of class1 is "slot port vpi vci vlanid", using ASCII Hex characters.
class2: The format of class2 is "slot=xx;subslot=xx;port=xx;vlanid=xx;vlanid2=xx". It is
a plain coding format defined by HW.
class3: The format of class3 is "lot port vpi vci vlanid", using ASCII Hex characters.
There is no separator between each string, and the width is (2 2 2 4 4).
class4: The format of class4 is "slot=xx;subslot=xx;port=xx;vlanid=xx;vlanid2=xx".
class5: Indicates PPPOE+ format. It includes only the information of the DSLAM
device.
class6: physical format for Turk Telekom: “slot/port [vpi-vci vpi vci | vlan-id
[svlan-id:]cvlan-id]”.
class7: all format for Turk Telekom: “slot/port [vpi-vci vpi vci | vlan-id [svlan-id:]cvlan-id]
[pppoe sess-id]”.
user-defined: Customizes NAS-Port-Id by using one or all of the following options: slot,
subslot, port, vlan, second-vlan.
7-5

4. Configure other attributes of the RADIUS authentication group and accounting group.
The following commands are executed in RADIUS authentication group mode. In
RADIUS accounting group mode, the same commands and parameters are used,
except for the configuration mode (ZXR10(config-acctgrp-number)#).
Command Function
ZXR10(config-authgrp-number)#deadtime Sets the invalid period of an authentication

<time> server.
The period, measured in minutes, is in a
range of 0 to 3600. Default: 5.
If there is only one authentication server in
the authentication group, it is recommended
that you set the period to 0. If there
are several authentication servers in the
authentication group, it is recommended that
you use the default.
ZXR10(config-authgrp-number)#ip vrf Associates the RADIUS authentication

<vrf-name> group with a VRF. The VRF name is 1 to 32
characters in length. By default, the RADIUS
authentication group is associated with the
global routing table.
ZXR10(config-authgrp-number)#max-retries Sets the number of retries of the RADIUS

<times> authentication group, that is, the maximum
number of the BRAS device retries to send
an authentication packet. The number of
maximum retries is in a range of 1 to 255,
with the default value being 3.
ZXR10(config-authgrp-number)#nas-ip-address Sets the nas-ip of the RADIUS server. The

<ip-address> nas-ip corresponds to the nas-ip field and
source IP address in the packet.
ZXR10(config-authgrp-number)#server Sets a RADIUS server and its parameters.

<server-num><ip-address>[master] key
<keystr>[port <port-num>]
ZXR10(config-authgrp-number)#timeout Sets the authentication time-out period (in

<time> seconds) of the RADIUS server, range: 1 to
255, default: 3.
ZXR10(config-authgrp-number)#user-name-for Sets the format of the username that is sent

mat {include-domain | strip-domain | only-domain} to the RADIUS server by the BRAS device,
default: strip-domain.
ZXR10(config-authgrp-number)#vendor Sets whether to contain the attributes defined

{enable | disable} by the vendor in RADIUS protocol packets,
default: enable.
7-6

<server-num>: ID of the authentication server, range: 1 to 4.

master: Indicates that this is a master server, optional. There is only one master server
is an authentication group.
<keystr>: Password of the server and the BRAS device, 1 to 31 characters in length.
<port-num>: Server port number, optional, range: 1025 to 65535, default: 1812.
strip-domain: The domain name is not contained in the username.
include-domain: The domain name is contained in the username.
only-domain: Only the domain name is contained in the username.
enable | disable: Sends (Do not sends) the attributes defined by the vendor.
Command Function
ZXR10#show configuration radius all Shows all RADIUS configuration.
ZXR10#show radius-server all Shows the information of all RADIUS server

groups.
ZXR10#show radius-server authentication-group Shows the information of the RADIUS

<group-number> authentication server.
ZXR10#show radius-server accounting-group Shows the information of the RADIUS

<group-number> accounting server.
6. Maintain BRAS RADIUS.
Command Function
ZXR10#debug radius all Shows all debugging information of RADIUS.
ZXR10#debug radius authentication data Shows the debugging information of the

RADIUS authentication group.
ZXR10#debug radius authentication error Shows the debugging error information of the
ZXR10#debug radius authentication event Shows the debugging event information of the
ZXR10#debug radius authentication packet {all Shows the debugging packet information of the
|<group-number>} RADIUS authentication group.
ZXR10#debug radius accounting data Shows the debugging information of the

RADIUS accounting group.
ZXR10#debug radius accounting error Shows the debugging error information of the
ZXR10#debug radius accounting event Shows the debugging event information of the
7-7

Command Function
ZXR10#debug radius accounting packet {all Shows the debugging packet information of the
|<group-number>} RADIUS accounting group.
7.2.2 Configuring BRAS RADIUS PROXY

This procedure describes how to configure the authentication, charging, and DM/CoA
functions of the ZXR10 M6000 as the BRAS RADIUS proxy server.
Steps
1. Configure the basic attributes of the RADIUS client.
1 ZXR10(config)#radius listening-port {authentication Sets at most 4 listening

<1025-65535>| accounting <1025-65535>} ports for authentication
and charging services
respectively.
2 ZXR10(config)#radius client-group <client-group-name> Creates an RADIUS client

group and enters the client
group configuration mode.
3 ZXR10(config)#radius client-group-default Sets the default client group.

<client-group-name> The configurations of the
clients that are not configured
are obtained from this group.
4 ZXR10(config-radius-clientgrp)#client ip Creates a client. The clients in

<ipv4-address>[vrf <vrf-name>][key encrypted the same group must belong
<en-keystr>|<keystr>] to the same VRF.
ZXR10(config-radius-clientgrp)#default-key Sets the default key of the

{encrypted <en-keystr>|<keystr>} client group. If the intra-group
clients are not configured
keys, uses this key.
key encrypted <en-keystr>|<keystr>: encrypted indicates that the configured key is

encrypted. Otherwise, it indicates a plain text key.
l <keystr> indicates a plain text key, range: 1–31 characters.

l <en-keystr> indicates an encrypted key, 64 characters.
2. Configure the proxy forwarding to the target server.
7-8

1 ZXR10(config-radius-clientgrp)#authentication-serv Sets the authentication group

er-group <group-number> of the proxy target server,
range: 1–2000.
2 ZXR10(config-radius-clientgrp)#attribute replace Sets whether to update the

nas-ip-address {enable | disable} Nas-IP-Address attribute
of the proxy-forwarded
messages in accordance
with the server group
configurations. By default, it
is enabled.
3 ZXR10(config-radius-clientgrp)#attribute replace Sets whether to configure the

nas-identifier {enable | disable} Nas-Identifier attribute of the
proxy-forwarded messages in
accordance with the server
group configurations. By
default, it is enabled.
3. Configure the parameters for forwarding messages to the client.
Command Function
ZXR10(config-radius-clientgrp)#dm-coa timeout <time> Sets the timeout period of the

DM/CoA messages sent to the
client, range: 1–60 seconds,
default, 3 seconds.
ZXR10(config-radius-clientgrp)#dm-coa max-retries Sets the maximum number

<count> of attempts to send DM/CoA
messages to the client, range:
1–10, default, 3.
ZXR10(config-radius-clientgrp)#source-ip <ipv4-address> Sets the source address of the

DM/CoA messages sent to the
client, which must be a valid
local address.
Command Function
ZXR10#show radius listening-port Shows the listening port of the

RADIUS server.
ZXR10#show configuration radius client-group {brief | all | Shows the client group
group-name <name>} configurations.
7-9

7.3 BRAS RADIUS Configuration Example

7.3.1 BRAS RADIUS Client Configuration Example
As shown in Figure 7-3, the ZXR10 and RADIUS server communicate with each other
through the RADIUS protocol. After the PC initiates a dial-up attempt, the ZXR10 sends
an authentication request to the RADIUS server. If the authentication is successful, the
ZXR10 sends an accounting request to the RADIUS server.
Figure 7-3 BRAS RADIUS Configuration Example
Configuration Flow
1. Configure an authentication group.
2. Configure connections to the RADIUS server on the ZXR10.
1. Configure an authentication group:
ZXR10(config-submanage)#authentication-template 2000
ZXR10(config-submanage-author-template)#authorization-type radius
ZXR10(config-submanage-accounting-template)#accounting-radius-group first
2000
ZXR10(config-submanage)#domain 2000
ZXR10(config-submanage-domain)#bind authentication-template 2000
ZXR10(config-submanage-domain)#bind authorization-template 20000
ZXR10(config-submanage-domain)#bind accounting-template 2000
7-10

ZXR10(config-submanage)#circuit-map external-vlan 0 internal-vlan-range 0
2. Configure a connection to the RADIUS server:
ZXR10(config-authgrp-2000)#server 1 192.168.11.23 master key uas port 1812

ZXR10(config-acctgrp-2000)#server 1 192.168.11.23 master key uas port 1813
Verify that the ATM configuration on the ZXR10 is proper.
! <AIM>
subscriber-manage
authentication-template 2000
authentication-radius-group 2000 authentication-type radius
$
authorization-template 20000
authorization-type radius
$
accounting-template 2000
accounting-radius-group first 2000
accounting-type radius
$
domain 2000
bind authentication-template 2000
bind authorization-template 20000
$
circuit-map eth-cir external-vlan 0 internal-vlan-range 0
$ /*Circuit configuration information*/
! </AIM>
Verify that the RADIUS-related configuration on the ZXR10 is proper.
ZXR10#show running-config radius all

! <RADIUS>
radius authentication-group 2000
7-11

server 1 192.168.11.23 master key uas port 1812

#max-retries 3
#timeout 3
#set-dscp-outer 48
#algorithm first
#calling-station-format class3
#nas-port-id-format china-tel
#deadtime 5
#filter-id direction out
#user-name-format strip-domain
#class-as-car disable
#dsl-vendor disable
#vendor enable
nas-ip-address 192.168.5.16
!
radius accounting-group 2000
server 1 192.168.11.23 key uas port 1813
#max-retries 3
#timeout 3
#set-dscp-outer 48
#life-time 2
#algorithm first
#calling-station-format class3
#nas-port-id-format china-tel
#flow-unit byte
#dsl-vendor disable
#deadtime 5
#user-name-format strip-domain
#vendor enable
#local-buffer disable
#interim-packet-quota 80
!
! </RADIUS>
7.3.2 BRAS RADIUS Proxy Server Configuration Example

The ZXR10 and the RADIUS server communicate through the RADIUS protocol. After the
PC initiates a network connection request, the ZXR10 sends an authentication request
to the RADIUS server. If the authentication is successful, the ZXR10 sends a charging
request to the RADIUS server, see Figure 7-4.
7-12

Figure 7-4 RADIUS Proxy Server Configuration Instance
Configuration Flow
1. Configure the authentication proxy server and other parameters on the ZXR10.
2. Configure the RADIUS server listening port on the ZXR10.
3. Configure the access RADIUS client, specified proxy server, and other parameters on
the ZXR10.
4. Configure user management and access on the ZXR10.
1. Configure an authentication group on the ZXR10. For details, refer to the above
section.
2. Configure the listening port and the client:
ZXR10(config)#radius listening-port authentication 1812
ZXR10(config)#radius listening-port accounting 1813
ZXR10(config-radius-clientgrp)#client ip 123.124.125.126 key zte
ZXR10(config-radius-clientgrp)#authentication-server-group 2000
ZXR10(config-radius-clientgrp)#source-ip 192.168.10.101
3. Configure user management and access module (refer to “AC Separation Access
Configuration Instance”).
Run the show command to view the RADIUS authentication group information:
ZXR10(config)#show configuration radius client-group group-name zteac
!
radius client-group zteac
client ip 123.124.125.126 key
33A8EC1030727EB3A9B61002E10BDBEDB5BEA986F5505AD19582826921F45FCB
authentication-server-group 2000
dm-coa timeout 3
dm-coa max-retries 3
source-ip 192.168.10.101
attribute replace nas-ip-address enable
attribute replace nas-identifier enable
7-13

7-14

Chapter 8
Dynamic VLAN Configuration
Table of Contents
Dynamic VLAN Overview ...........................................................................................8-1
Configuring a Dynamic VLAN .....................................................................................8-2
Example: Dynamic VLAN Configuration .....................................................................8-3
8.1 Dynamic VLAN Overview

BRAS devices are typically used at access convergence points to connect dialup
subscribers or special line subscribers to Internet gateways and multicast gateways.
BRAS devices can control accesses of various subscribers.
With the development of broadband access network, carriers have deployed Ethernet in a
large scale as the Layer–2 access network at present. IP DSLAM uplinked by IP replaces
ATM DSLAM uplinked by ATM gradually. Therefore, VLAN has been the main method of
positioning subscriber ports and differentiating services.
Due to diversification of service applications, the planning of VLANs on Layer–2 Ethernet
becomes more and more complicated. Therefore, the method of deploying interfaces
(VLAN information) by manually static configuration is not flexible. For a device, static
configuration wastes a lot of memories. The implementation of allowing user-side
interfaces to dynamically send interface information (VLAN information) is considered to
facilitate configuration and management.
At present, dynamic VLAN can only be configured on VCC sub-interfaces. The commands
used for configuring a dynamic VLAN are the same as that used for configuring a static
VLAN. The differences are: It is necessary to configure dynamic VLAN tags, and only
range segment configuration (including single range and dual ranges) is supported. It
is required to ensure that dynamic VLAN information and the dynamic VLAN tag type
is consistent. After configuration, VLAN information is not deployed immediately. VLAN
information generation and deletion (or aged deletion) are triggered when users come
online or offline.
Figure 8-1 shows a dynamic VLAN network structure.
Figure 8-1 Dynamic VLAN Network Structure
8-1

8.2 Configuring a Dynamic VLAN

This procedure describes how to configure a dynamic VLAN.
Steps
1. Configure a dynamic VLAN.
1 ZXR10(config)#interface <sub-interface-name> Creates a sub-interface.

mode.
3 ZXR10(config-vcc)#interface <sub-interface-name> Creates a VCC sub-interface.
4 ZXR10(config)#vlan-configuration Enters VLAN configuration

mode.
5 ZXR10(vlan-config)#interface <sub-interface-name> Enters VLAN sub-interface

service configuration mode.
6 ZXR10(config-subvlan-if)#user-dynamic-vlan Sets a dynamic VLAN tag for

{any-other-dot1q | any-other-qinq} a VCC sub-interface.
7 ZXR10(config-subvlan-if)#encapsulation-dot1q range Sets a dynamic VLAN range

<VLAN ID>-<VLAN ID> for a VCC sub-interface.
encapsulation-dot1q range:
Sets a single dynamic VLAN
range.
ZXR10(config-subvlan-if)#qinq range Sets a dynamic QinQ range

internal-vlan-range <VLAN ID>-<VLAN ID> for a VCC sub-interface.
external-vlan-range <VLAN ID>-<VLAN ID> qinq range: Sets a dual
dynamic VLAN range.
any-other-dot1q: Supports the single dynamic VLAN function.

any-other-qinq: Supports the dual dynamic VLAN function.
<VLAN ID>-<VLAN ID>: ID of the VLAN supported by the sub interface, range:
1–4094.
Command Function
ZXR10#show running-config-interface Shows the configuration of a specific

<sub-interface-name> sub-interface.
8-2

Chapter 8 Dynamic VLAN Configuration
8.3 Example: Dynamic VLAN Configuration

Overview
As shown in Figure 8-2, the IP address of the VBUI on the ZXR10 is 40.0.0.1. The ZXR10
connects to a PC. The subscriber accesses the network through a dynamic VLAN.
Figure 8-2 Network Topology for Dynamic VLAN Configuration
Configuration Flow
1. Configure the DHCP, a domain (including the alias, authentication mode and
authorization mode), a VBUI (including the gateway address and address pool), and
a VCC (including the encapsulation mode).
2. Configure an SAL, and apply it to corresponding domain. Configure domain name
replacement.
3. Configure dynamic VLAN on an interface.
4. Set the boot-strap authentication mode to Circuit Authentication in BRAS circuit
configuration mode. Bind the SAL. For local authentication, configure the username
and the password for the ZXR10 M6000. For RADIUS authentication, configure the
username and the password for the RADIUS server.
5. Configure the user circuit information, and configure the relationship between the
username, password and domain name in subscriber management configuration
mode.
Configuration on the ZXR10.
Enable the DHCP function in global configuration mode, and configure the DHCP Server.

ZXR10(config)#dhcp
Configure a domain.
8-3

/*Configure an alias of the domain, and bind it to the VBUI.
Configure the DHCP mode.*/
ZXR10(config-submanage)#local-subscriber zte domain-name domain1 password
123
/*Configure the username, password and domain name saved locally*/
ZXR10(config-submanage)#circuit-map eth-cir external-vlan 100
internal-vlan-range 200 interface fei-0/4/0/15.1 zte domain1 123
/*Configure user circuit information and the relationship between the username,
password and domain name.*/
Configure an SAL.
ZXR10(config-submanage)#sal 1
ZXR10(config-submanage-sal-1)#default domain domain1
ZXR10(config-submanage-sal-1)#exit
Configure subscriber interface address.

ZXR10(config)#interface vbui200 /*Create a VBUI*/
Enter VBUI configuration mode, configure VBUI parameters and an address pool, and
configure the DHCP Server in ip pool configuration mode.
/*Create an address pool*/
Set the encapsulation type to IPoE on the interface connecting to the user in circuit interface
configuration mode, and configure non-VLAN encapsulation.
ZXR10(config)#interface fei-0/4/0/15.1
ZXR10(config-if-fei-0/4/0/15.1)#exit
8-4

ZXR10(config-vcc)#interface fei-0/4/0/15.1 /*Enter a VCC interface*/
ZXR10(config-vcc-if-fei-0/4/0/15.1)#bind sal 1 /*Bind the SAL*/
ZXR10(config-vcc-if-fei-0/4/0/15.1)#encapsulation ip-over-ethernet
/*Encapsulate IPOE*/
ZXR10(config-vcc-if-fei-0/4/0/15.1)#ipox authentication-type ipv4 dhcpv4 cir-map
/*Enable circuit authentication for the user accessing the network through the DHCP*/
Configure a dynamic VLAN interface.

ZXR10(config-vlan)#interface fei-0/4/0/15.1
ZXR10(config-vlan-if)#user-dynamic-vlan any-other-qinq
ZXR10(config-vlan-if)#qinq range internal-vlan-range 1-200
external-vlan-range 1-200
ZXR10(config-vlan-if)#exit
ZXR10(config-vlan)#exit
Verify that the configuration on the sub-interface is proper.
ZXR10#show running-config-interface fei-0/4/0/15.1
!<Interface>
interface fei-0/4/0/15.1
$
!</Interface>
!<vlan>
vlan-configuration
user-dynamic-vlan any-other-qinq /*Dynamic QinQ VLAN*/
qinq range internal-vlan-range 1-200 external-vlan-range 1-200
$
$
!</vlan>
!<AIM>
subscriber-manage
circuit-map eth-cir external-vlan 100 internal-vlan-range 200 interface
fei-0/4/0/15.1 zte domain1 123
$
!</AIM>
!<UIM>
vcc-configuration
8-5


bind sal 1
$
$
!</UIM>
!<AIM>
subscriber-manage
circuit-map eth-cir external-vlan 100 internal-vlan-range 200
zte domain1 123
!</AIM>
Verify that the online subscriber information is proper, as shown below.

*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :28
user-name :zte
mac-address :0010.9400.0001
session-id :0
access-interface :fei-0/4/0/15.1
internal-vlan :200
external-vlan :100
eap-type :FALSE
sibprofileid :0
create-time :2012/05/22 10:33:08
online-time :22
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
8-6

IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :40.0.0.1
primary-dns :
second-dns :
*******************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
The above information shows that the subscriber is online.
8-7

8-8

Chapter 9
Subscriber Management
Configuration
Table of Contents
Subscriber Management Overview.............................................................................9-1
Configuring User Management...................................................................................9-4
Subscriber Management Configuration Examples ......................................................9-7
9.1 Subscriber Management Overview

Subscriber Management Introduction
The ZXR10 M6000 manages the subscriber access on the basis of domains. Each
subscriber belongs to a domain. Subscribers belonging to the same domain have the
same service attributes.
In applications, except for no authentication, local authentication and no accounting
applications, all subscriber accounts are configured on a RADIUS server. The domains of
subscriber accounts on the RADIUS server should be configured on the ZXR10 M6000.
To make the authorization attributes deployed by the RADIUS server take effect, it is
necessary to associate them with the authorization templates in the domains.
The priority of a service attribute in a domain is lower than that of a service attribute
deployed by the RADIUS server. When both a service attribute in a domain and a service
attribute deployed by the RADIUS server exist, the ZXR10 M6000 uses the latter with
precedence. The service attribute of a domain takes effect when the RADIUS server does
not support or deploy a service attribute.
Service Access List

The function of an SAL is to control and manage subscribers to access a domain.
According to ISPs' requirements, it is necessary to translate, deny or permit the domain
where a subscriber is located when the subscriber accesses the network. In this way,
ISPs can control subscriber accesses and obtain related resources.
SAL can meet the following requirements:
l An access subscriber without a domain name can be controlled by the default domain
of an SAL. The access subscriber can obtain related resources.
l If the domain name of a subscriber is not in the range managed by the local ISP, the
domain can be managed by a roaming domain.
9-1

l When a subscriber accesses a network, an ISP can deny or permit the domain where
the subscriber is located, thus allowing or disallowing the subscriber to obtain related
resources.
l When a subscriber accesses a network, an ISP can translate the domain where the
subscriber is located, thus controlling the authentication, authorization and accounting
modes used by the subscriber.
An SAL provides the following functions, and the principles are described below:
l The SAL provides a default domain. Information sent by a subscriber may not contain
the domain name. If so, the access module cannot obtain the domain name and send
it to the AIM module in an authentication request packet. Without the domain name,
the AIM module cannot perform authentication or authorization. In this situation, the
default domain of an SAL can be configured to solve the problem. The SAL serial
number is bound to an logical interface.
l The SAL can translates domains. When the access module sends an SAL serial
number, if the domain name matches the source domain of the translation domain
entity, the domain is translated into a destination domain. If the domain name does
not match any translation entities, it is necessary to check whether the translate
any command is configured. If the command is configured, any access domain is
translated into a destination domain.
l The SAL can control a domain. When the access module reports the SAL number,
if the domain name obtained through the default domain and conversion domain
matches the permit domain or deny domain policy, the users within the domain are
allowed or restricted to access the network. If the deny any command is configured,
subscriber accesses from any domain are denied. After an SAL is configured, the
default status is permit any which indicates that subscriber accesses from any
domain are permitted.
l Change domain (change-domain): When the access module reports the SAL
number, if the domain name obtained through the default domain, conversion
domain, and control domain matches the change-domain, the change-domain is used
for authentication, and the local-domain obtained through a conversion is used as
the administrative domain.
l The SAL supports roaming domain. If the domain name of a subscriber is not in
the management range of the current system, when the access module sends the
domain name in an authentication request packet to the AIM module, the AIM module
cannot find the corresponding domain serial number according to the domain name.
In this situation, if a roaming domain is configured in an SAL, the MAIM module can
obtain the roaming domain according to the SAL serial number, and then it uses the
roaming domain to perform authentication and authorization. If the keep parameter
is configured in the roaming domain, the AIM uses the domain name sent by the
subscriber to perform authentication on the RADIUS server, and the AIM module
uses the roaming domain to perform local authentication, authorization and address
resource application.
9-2

Chapter 9 Subscriber Management Configuration
Subscriber Offline Code Adjustment

According to the offline code specification defined by ISPs, subscriber offline reasons are
classified. According to the relationships between the reasons and the offline codes, an
offline code is contained in an accounting end packet sent to a RADIUS server.
To make the subscriber statistics reports use the unified format, the offline code adjustment
function can be used to adjust the subscriber offline code according to a certain rate. After
adjustment, subscriber offline codes are USER_REQUESTs.
An offline code is sent through an accounting packet. Therefore, it is necessary to
authenticate subscribers and use RADIUS accounting. When a subscriber comes
online, there is an authentication procedure. When the subscriber falls offline, there is
an accounting procedure. in this way, an offline code can be sent. If the offline code
adjustment rate (0-1000) is set, the offline codes are translated according to the rate.
After adjustment, offline codes are USER_REQUESTs.
For example, if the offline code rate is set to 100, the probability that subscriber offline
codes are translated into USER_REQUESTs is 10%. If the offline code rate is set to
0, the subscriber offline codes are not adjusted, and only the actual offline codes are
displayed. If the offline code rate is set to 1000, all subscriber offline codes are adjusted
to USER_REQUESTs.
Authentication Frequency Control

Some access device with automatic dialing function dials frequently when the passwords
are not set correctly. To some extent, this affects RADIUS authentication of subscribers
connecting to BRAS devices. Trying passwords frequently is also a type of attack to the
RADIUS server.
The authentication frequency control function is to lock a subscriber if the subscriber fails
to pass authentication for several times. The subscriber is unlocked after a period of time.
During the period, the authentication requests sent by the subscriber is limited. In this way,
the subscriber authentication frequency is controlled.
If the subscriber fails to pass authentication, the failure information is recorded in the
authentication failure information table. When the subscriber comes online next time, the
access device searches the table first. It calculates out the limit period and determines
whether the subscriber is allowed to access. During the denied period, there is no
response to the request. During the permitted period, AAA authentication is started. If the
authentication is passed, the corresponding table is deleted. If the authentication fails,
the latest online time in the table is updated.
Address Pool Usage

If the usage of addresses in an address pool on a device is not clear, addresses may be
not enough, which may causes that subscribers cannot come online properly. An address
pool usage alarm arises.
When a subscriber comes online, the subscriber occupies an address. When the number
of used addresses in the pool reaches a certain threshold, an alarm arises.
9-3

9.2 Configuring User Management

This procedure describes how to configure user management.
Steps

mode.
2 ZXR10(config-submanage)#sal < sal-number > Enters SAL configuration

mode.
3 ZXR10(config-submanage-sal-number)#default Sets a default domain.

domain <domain-name>
4 ZXR10(config-submanage-sal-number)#permit {any | Permits the access of the

domain <domain-name>} specified or all domains.
5 ZXR10(config-submanage-sal-number)#deny{any | Forbids a domain to be

domain < domain-name >} accessed.
6 ZXR10(config-submanage-sal-number)#translate Sets domain name mapping.

{any | src-domain < domain-name >} des-domain <
domain-name >
7 ZXR10(config-submanage-sal-number)#none domain Sets a roaming domain.

< domain-name >[keep]
8 ZXR10(config-submanage-sal-number)#change-dom Converts the subscriber's

ain <change-domain> local-domain <local-domain> change-domain name into
a local-domain name for
using the change-domain
to implement authentication
and using the local-domain to
implement management.
2. Configure subscriber offline code adjustment.
Command Function
ZXR10(config-submanage)#session-offline-standardize Sets the amount of subscriber

<number> offline code adjustment, range:
0 to 1000, default: 0.
3. Configure authentication frequency control.
9-4

Command Function
ZXR10(config-submanage)#authentic-request-ctrl control Enables or disables

{enable | disable} authentication frequency control.
ZXR10(config-submanage)#authentic-request-ctrl Sets parameters for

request-count <request-times> forbid-period <forbid-period> authentication frequency control.
reset-period <reset-period>
ZXR10(config-submanage)#authentic-request-ctrl Sets the authentication interval.

request-interval <authentic-request-interval-time>
<request-times>: Number of subscriber authentication failures, range: 1 to 1000.

<forbid-period>: The forbidding period (in seconds), range: 1 to 3600.
<reset-period>: The period (in minutes) of clearing the subscriber access authentication
control records, range: 1 to 2880.
<authentic-request-interval-time>: The authentication interval (in seconds), range: 1 to
3600.
4. Configure the address pool usage.

management mode.
2 ZXR10(config-submanage)#domain <domain-name> Creates a domain, and

specifies its number (range: 1
to 2000).
3 ZXR10(config-submanage-domain)#alarm-threshold Sets the address pool usage

upper-limit <upper-limit> lower-limit <lower limit> in a domain.

mode.
5 ZXR10(config-vbui)#interface <vbui-interface-name> Enters VBUI interface

configuration mode.
6 ZXR10(config-vbui-if)#alarm-threshold <domain Sets the address pool usage

name> upper-limit <upper limit> lower-limit <lower in a domain on a VBUI
limit> interface.
<upper limit>: Upper alarm threshold, range: 70 to 90, default: 70.

<lower limit>: Lower alarm threshold, range: 10 to 60, default: 10.
<domain name>: Domain name, 1-31 characters in length.

9-5

Command Function
ZXR10#show configuration submanage domain Shows the domain configuration.

{<domain-name>| all }
ZXR10#show configuration submanage local-subscriber {< Shows the local subscriber

local-subscriber-name>| all } configuration.
ZXR10#show configuration submanage sal {<sal-number>| all } Shows the SAL configuration.
ZXR10#show subscriber all Shows all subscribers.
ZXR10#show subscriber domain domain-name Shows the subscribers by access

<domain-name>[statistics | verbose | summary <ipv4>] domain.
ZXR10#show subscriber interface <interface-name>[all | Shows the subscribers by

statistics | verbose | summary <ipv4>] interface.
ZXR10#show subscriber ipv4-address <ipv4-address>[vrf Shows the subscribers by IP

<vrf-name>] address.
ZXR10#show subscriber user-name <subscriber-name> Shows the subscribers by

domain-name <domain-name>[vrf <vrf-name>][statistics | subscriber name.
verbose]
ZXR10#show subscriber [ipox|ip-host|pppox] Shows the subscribers by

subscriber type.
ZXR10#show subscriber vrf <vrf-name>[statistics|verbose] Shows the subscribers by VPN

name.
ZXR10#show running-config aim Shows the AIM configuration.
ZXR10#show running-config uim Shows the UIM configuration.
6. Maintain user management.
Command Function
ZXR10#clear subscriber domain <domain-id>| domain-name Clears subscribers by access

<domain-name> domain.
ZXR10#clear subscriber all [ipv4 ] Clears all online subscribers.
ZXR10#clear subscriber interface <interface-name>[ipv4 ] Clears subscribers by interface.
ZXR10#clear subscriber user-name <subscriber-name> Clears subscribers by subscriber

domain-name <domain-name>[vrf <vrf-name>][ipv4] name.
ZXR10#clear subscriber ipv4-address <ipv4-address>[vrf Clears subscribers by IP

<vrf-name>] address.
ZXR10#clear subscriber vrf <vrf-name>[ipv4 ] Clears subscribers by VPN

name.
9-6

9.3 Subscriber Management Configuration Examples

9.3.1 Example: Roaming Domain Configuration
Overview
As shown in Figure 9-1, the PC uses the "user1@pppoe"account to dial and come online.
There is no pppoe domain on the BRAS. The subscriber needs to roamed to the local dhcp
domain. The subscriber name is still user1@pppoe.
Figure 9-1 Network Structure for PPPoE Roaming Access
Configuration Flow
1. Configure PPPoE subscriber access.
2. Configure an SAL to implement roaming.
3. Associate the SAL with the user-side circuit.
1. For PPPoE access configuration, refer to the "PPPoEv4 Configuration
Examples"section.
ZXR10(config-submanage)#sal 1 /*Enter SAL configuration mode*/
ZXR10(config-submanage-sal-1)#permit domain pppoe
/*Allow subscriber with "pppoe" domain name to access*/
ZXR10(config-submanage-sal-1)#none domain dhcp
/*Configure the subscriber to roam to the DHCP domain for access.*/
3. Associate the SAL with the user-side circuit.
ZXR10(config-vcc-if)#bind sal 1
4. View the configuration.
ZXR10(config-submanage)# show running-config aim
!<AIM>
subscriber-manage
9-7

authentication-templatezte
$
domaindhcp
$
sal 1
permit domain pppoe
none domain dhcp
$
local-subscriber user1 domain-name dhcp password 123
$
$
!</AIM>
ZXR10(config-submanage)#show running-config am
!<AM>
vbui-configuration
interface vbui200
ip-pool pool-name pool200 pool-id 4
access-domain dhcp
pppoe-dns-server 1.1.1.1
pppoe-dns-server 2.2.2.2 second
member 1
start-ip 120.121.1.2 end-ip 120.121.2.255
$
$
$
$
!</AM>
The PC uses the "user1@pppoe" account and password "123" to dial. After the subscriber
dials successfully, run the show subscriber ipv4 <ipv4-address> command on the BRAS to
view the detailed user information.
ZXR10(config)#show subscriber ipv4-address 120.121.1.2
*******************************************************************************
Subscriber Verbose Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 32
user-name : user1
9-8

domain-name : dhcp
local-domain-name : dhcp
authorize-domain-name : dhcp
mac-address : 0010.94a0.0c01
session-id : 38
authentication-mode : LOCAL
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-bak-status : NONE
circuit-information : gei-0/0/0/2 [vlan:0 sec-vlan:0]
vbui-interface : vbui200
create-time : 2011/04/09 09:16:49
authentication-time : 2011/04/09 09:16:49
online-time : 743
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 0
9-9

sessionLimitType: acctSession :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 PPPox
ipv4-address : 120.121.1.2
gateway-address : 120.121.1.1
vrf-name :
vpn-id : 0
second-dns :2.2.2.2
ip-pool-name : pool200
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-id : 0
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
9-10

user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
9.3.2 Example: Subscriber Offline Code Adjustment Configuration

Overview
As shown in Figure 9-2, it is required to modify the offline code adjustment code on the
device. The PC uses the "user1@pppoe" account to dial up and comes online. After the
subscriber is offline, view the offline reason carried in the accounting end packet.
Figure 9-2 Network Structure for Subscriber Offline Code Adjustment
Configuration Flow
9-11

2. Configure the offline code adjustment function.

3. After the subscriber comes online, clear the subscriber to make the subscriber offline.
Capture accounting end packets on the RADIUS client, and view the offline reason.
1. For PPPoE access configuration, refer to the "PPPoEv4 Configuration Example"
section. In this case, you need to configure the RADIUS accounting, and bind the
accounting template in this domain.
2. Configure the offline code adjustment function.
ZXR10(config-submanage)#session-offline-standardize 1000
3. After the subscriber comes online, clear the subscriber to make the subscriber offline.
Capture accounting end packets on the RADIUS client.
The PC uses the "user1@pppoe" account and password "123" to dial. After the subscriber
dials successfully, run the clear subscriber user-name user1 domain-name pppoe command
to clear the subscriber. Capture accounting end packets on the RADIUS client. The value
of the ACCT-Terminate-Cause field is USER_REQUEST.
9.3.3 Example: Authentication Frequency Control Configuration

Overview
As shown in Figure 9-3, it is required to configure the authentication frequency control
function. The PC uses the "user1@pppoe" account to dial and come online. If the
password is incorrect, authentication fails. After being forbidden, the subscriber enter
the correct password to dial during the forbidding period. Check whether the subscriber
passes authentication and comes online.
Figure 9-3 Networking Topology for Authentication Frequency Control
Configuration Flow
2. Configure authentication frequency control parameters.
3. Start several dial-up attempts by using an incorrect password, and view the forbidding
table.
4. During the forbidding period, the subscriber starts a dialling by using the correct
password. Check whether the subscriber has come online.
9-12

1. For PPPoE access configuration, refer to the "PPPoEv4 Configuration Examples"
section.
2. Configure the authentication frequency control function.
ZXR10(config)#sbscriber-manage
ZXR10(config-submanage)#authentic-request-ctrl control enable
ZXR10(config-submanage)#authentic-request-ctrl request-interval 30
ZXR10(config-submanage)#authentic-request-ctrl request-count 3 forbid-period
100 reset-period 4
3. The subscriber starts three dial-up attempts with an incorrect password. Display the
forbidding table.
4. During the forbidding period, the subscriber starts a dial-up attempt with the correct
password. Check whether the subscriber comes online.
The PC uses the "user1@pppoe" account and password "1234" to dial. After the
subscriber starts three dial-up attempts with an incorrect password, the authentication
fails, and check the control table on the BRAS.
ZXR10(config)#show submanage authentic-request-ctrl pppox slot 6 brief
--------------------------------------------------------------------------------
total: 1 peak_record: 1
Display detailed information of the subscriber.

ZXR10(config)#show submanage authentic-request-ctrl pppox slot 6 detail
----------------------------------------------------------------------------------
Mac: 00-10-94-E0-00-02
Cir: gei-0/6/0/3.2 (invlan: 1 outvlan: 2001)
Username: user1
Domainname: pppoe
Last-request-time: 2011/04/17 09:27:45
Request-count: 3
Forbid-time: 2011/04/17 09:29:25(remaining: 88 s)
--------------------------------------------------------------------
total: 1 peak_record: 1
During the forbidding period, that is, before 09:29:25, the subscriber starts a dial-up attempt
with the correct password. The subscriber cannot come online.
9.3.4 Example: Address Pool Usage Configuration

Overview
As shown in Figure 9-4, it is required to configure an address pool on a VBUI interface, and
associate the address pool with a PPPoE domain. Configure an address pool usage alarm
command on the VBUI interface. Multiple PC users use the "user1@pppoe" account to dial
9-13

and come online. When the number of the used addresses in the address pool reaches
the threshold, view the alarm information.
Figure 9-4 Network Topology for Authentication Frequency Control Configuration
Configuration Flow
2. Configure an address pool, and configure the alarm threshold of the address pool in a
domain on the VBUI interface.
3. Multiple subscribers establish dial-up connections from the same domain.
4. When the number of the used addresses in the address pool reaches the threshold,
view the alarm.
1. For the PPPoE access configuration, refer to the "PPPoEv4 Configuration Examples"
section.
2. Configure an address pool, and configure the alarm threshold of the address pool in a
domain on the VBUI interface.
ZXR10(config-vbui-if)#ip-pool pool-name pppoe pool-id 167
ZXR10(config-vbui-if-ip-pool)#access-domain pppoe
ZXR10(config-vbui-if)#!
9-14

ZXR10(config-submanage)#domain pppoe
ZXR10(config-submanage-domain)#alarm-threshold upper-limit 80 lower-limit 20
3. After multiple subscribers establish dial-up connections from the PPPoE domain, view
the alarm information.
Multiple PC users log onto the network by establishing PPPoE dial-up connections
(username/password: user1@pppoe/123).
When the number of occupied addresses in the address pool reaches the threshold, an
alarm arises.
An alarm 410102 ID 1963 level 5 occurred at 16:14:07 05-09-2011 sent by
ZXR10 MPU-0/20/0 %AM% IP resource of domain threshold reached
(Current = 72.73%,Threshold = 70.00%, Domain name = pppoe)
An alarm 410101 ID 1964 level 5 occurred at 16:14:07 05-09-2011 sent by
ZXR10 MPU-0/20/0 %AM% IP pool threshold reached (IP pool name = pppoe)
An alarm 410103 ID 1965 level 5 occurred at 16:14:07 05-09-2011 sent by ZXR10
MPU-0/20/0 %AM% IP resource of domain on VBUI threshold reached
(Current = 81.82%,Threshold = 80.00%, Domain name = pppoe, VBUI name = vbui199)
Display alarm information on ZXR10 M6000.

ZXR10(config)#show submanage ip-pool alarm-condition domain
------------------------------------------------------------
domain-name:pppoe
vbui-name :vbui199
alarm-high :80(%) alarm-low:20(%) used-rate:100.00(%)
9.3.5 Default Domain Configuration Example

Figure 9-5 shows a sample network topology. It is required to configure the default domain
on the BRAS to enable a PC user to establish a dial-up connection by using an account
without the domain name.
Figure 9-5 Default Domain Configuration Example
Configuration Flow
1. Configure the basic functions of PPPoE access.
9-15

2. Enable the default domain function on an SAL.

3. Associate a user-side circuit with the SAL.
1. For the basic configuration of PPPoE access, refer to the "PPPoEv4 Configuration
Examples" section.
2. Configure an SAL:
ZXR10(config-submanage)#sal 1
/*Enters SAL configuration mode*/
ZXR10(config-submanage-sal-1)#default domain dhcp
/*Sets the default domain (dhcp)*/
3. Associate a user-side circuit with the SAL:
ZXR10(config-vcc-if-gei-0/0/0/2)#bind sal 1
ZXR10(config-vcc-if-gei-0/0/0/2)#exit
4. View the configuration:
ZXR10(config-submanage)#show running-config aim
!<AIM>
subscriber-manage
authentication-templatezte
$
domaindhcp
bind authentication-templatezte
$
sal 1
default domain dhcp
none domain dhcp
$
local-subscriber user1 domain-name dhcp password 123
$
$
!</AIM>
ZXR10(config-submanage)#show running-config am
!<AM>
vbui-configuration
interface vbui200
ip-pool pool-name pool200 pool-id 4
access-domain dhcp
pppoe-dns-server 1.1.1.1
9-16

pppoe-dns-server 2.2.2.2 second

member 1
start-ip 120.121.1.2 end-ip 120.121.2.255
$
$
$
$
!</AM>
A PC user (user1/123) starts a PPPoE dial-up connection. Run the show subscriber
command to check whether the PC user has come online. The execution result is displayed
as follows:
************************************************************************
------------------------------------------------------------------------
Basic Information
------------------------------------------------------------------------
user-identify :33
user-name :user1
domain-name :dhcp
local-domain-name :dhcp
authorize-domain-name :dhcp
mac-address :0010.94a0.0c01
session-id :43
internal-vlan :0
external-vlan :0
eap-type :FALSE
sibprofileid :0
create-time :2011/04/09 10:35:45
online-time :11
vpdnAcctClass :
route-map-name :
------------------------------------------------------------------------
9-17

IPv4 Information
------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :120.121.1.1
second-dns :2.2.2.2
************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
9.3.6 Example of the User Access Control Configuration

Figure 9-6 shows a sample network topology. It is required to control the dial-up access
of PPPoE users and IPoE users through a VCC interface.
Figure 9-6 Example of the User Access Control Configuration
Configuration Flow
1. Configure the access of PPPoE users and IPoE users.
2. Configure the maximum number of PPPoE users and maximum number of IPoE users
allowed to access the network through the VCC interface.
9-18

1. For the basic configuration of PPPoE access, refer to the "PPPoEv4 Configuration
Examples" section. For the basic configuration of IPoE access, refer to the "IPoEv4
configuration examples" section.
2. Configure the maximum number of users allowed to access the network through the
VCC interface:
ZXR10(config-vcc-if)#access max-ipox-session 20
ZXR10(config-vcc-if)#access max-pppox-session 30
3. View the configuration:
ZXR10(config)#show running-config uim
!<UIM>
vbui-configuration
interface vbui200
$
$
vcc-configuration
access max-pppox-session 30
access max-ipox-session 20
encapsulation multi
pppox template 123
$
$
!</UIM>
A large number of PC users start PPPoE dial-up connections and IPoE dial-up connections
through the same VCC interface. Run the show subscriber pppox circuit gei-0/0/0/2
statistics command to check whether these subscribers have come online. The execution
result is displayed as follows:
ZXR10(config)#show subscriber pppox circuit gei-0/0/0/2 statistics
-------------------------------------------------------------------------------
IPv4 30 30 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 30 30 0 0 0
9-19

ipv6-stack: 0 0 0 0 0
all-stack: 30 30 0 0 0
-------------------------------------------------------------------------------
ZXR10(config)#show subscriber ipox circuit gei-0/0/0/2 statistics

-------------------------------------------------------------------------------
IPv4 20 20 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 20 20 0 0 0
ipv6-stack: 0 0 0 0 0
all-stack: 20 20 0 0 0
-------------------------------------------------------------------------------
The output information shows that the configurations take effect.
9-20

Chapter 10
Page Push Configuration
Table of Contents
Page Push Overview................................................................................................10-1
Configuring Page Push.............................................................................................10-3
Page Push Configuration Examples .........................................................................10-8
10.1 Page Push Overview

Page Push Introduction
Page push is divided into the following types:
l Authentication push: performs Web authentication on online users.
l Advertisement push: for sales promotion purposes.
l Arrear push: prompts users accounts are in arrears.
Authentication Push
The working procedure of authentication push is as follows:
1. Assign a PC attempting to access the network with an IP address.
Before the PC user passes Web authentication, the corresponding ACL is used to
restrict the user's access permissions. For example, the PC user can only access
some free websites (including portal websites).
2. Redirect the PC user to a Web user authentication page.
After the PC user launches a Web browser and enters an IP address, a TCP
connection is established between the PC and ZXR10 M6000, and then an HTTP
packet is sent to the Portal client (the ZXR10 M6000) for further processing.
The Portal client re-constructs an HTTP packet and sends it to the PC user. The
packet carries the address of redirecting the PC user to the Portal server. The user
accesses the Portal server after obtaining the redirection address. Upon receipt of an
HTTP request, the Portal server returns a Web user authentication page to the user.
3. Start web authentication on the user.
The user enters and submits the username and password on the Web authentication
page. The format of the username is username@name of the domain where the user
is located.
Upon receipt of the authentication request from the user, the Portal server determines
the authentication type. If the authentication type is CHAP authentication, the Portal
10-1

server sends a Challenge request to the Portal client (the ZXR10 M6000). After
the Portal server receives an acknowledgement from the Portal client, it sends an
authentication request carrying the entered username and password to the Portal
client.
After the Portal client receives the username and password, it searches for the
authentication mode based on the domain name. If the authentication mode is local
authentication, the local authentication flow is started. If the authentication mode is
RADIUS authentication, the Portal client sends the username and password to the
RADIUS server for authentication.
If authentication is passed, the ZXR10 M6000 permits the user to access the network,
and informs the Portal Server that the user has passed authentication. The Portal
Server informs the user of the authentication result on the Web page through HTTP
mode.
If authentication fails, theZXR10 M6000 informs the Portal server that the user fails to
pass authentication, and the Portal server informs the user of the authentication result
on the Web page through HTTP mode.
The ZXR10 M6000 supports authentication push for IPoX users and MHoX users.
Advertisement Push
The advertisement push works either in PADM or PORTAL mode.
l The working procedure of PADM-mode advertisement push is as follows:
1. After a user logs onto the network, a push page is displayed.
2. An IPCP negotiation starts. If the negotiation is successful, a URL is sent to the
user through a PPPoE PADM message.
3. Upon arrival of the PADM message, the client launches an IE browser, and a
specified page is displayed.
Note:
PROTAL mode is applicable to the case where the PADM message is unrecognizable
for some clients.
l The working procedure of PORTAL-mode advertisement push is as follows:

The PORTAL-mode advertisement push is divided into two types: restricted and
non-restricted. In a restricted advertisement push, the RADIUS server sends the
“ACTION = 3” attribute, and the push flag does not need to be cleared (that is, there
is no limit for the number of push operations). For non-restricted advertisement push,
the push flag needs to be cleared after the maximum number of push operations is
reached.
10-2

Chapter 10 Page Push Configuration
After a logged user launches a browser for the first time, the WEB page is redirected
to the page that is pre-configured on the BRAS, regardless of which address he or
she enters.
The ZXR10 M6000 supports restricted advertisement push for IPoX users, MHoX users,
and PPPoX users. It also supports non-restricted advertisement push for PPPoX users.
Arrear Push
Arrear push is divided into two types: RADIUS-based arrear push and forced push
(configured in the authorization template).
l The working procedure of the RADIUS-based arrear push is as follows:
1. A user passes RADIUS authentication.
2. The RADIUS server sends an "Authentication passed" message that carries
an arrear flag (ZTE_AUTH_ACTION) and an arrear URL. The arrear flag must
be sent through the RADIUS server, and the arrear URL can be obtained by
configuring a redirect URL in the local user template. The user redirection page
is provided by the arrear server.
3. Each time the user attempts to access the network, an arrear page is displayed,
prompting that the account is in arrears, and network access is denied.
The ZXR10 M6000 supports arrear push for IPoX users, PPPoX users, LNS users,
and MHoX users.
l The working procedure of forced push is as follows:

1. A user comes online.
2. The user passes authentication, but the corresponding attributes are not sent. If
forced push is configured in the authorization template, the user is redirected to
a pre-configured URL.
The ZXR10 M6000 supports forced push for IPoX users, PPPoX users, and LNS
users.
10.2 Configuring Page Push

This procedure describes how to configure page push.
Steps
1. Configure forced push.
Before the authentication page push configuration, ensure that the network
access configuration of users and the corresponding PORTAL configuration
have been completed. The PORTAL configuration is performed in
config-submanage-websvr-server-id mode.
10-3

Step Command Description

mode.
2 ZXR10(config-submanage)#web-server <server-id> Enters web-server

configuration mode.
<server-id>: range: 1–4.
3 ZXR10(config-submanage-websvr-server-id)#url Sets the redirect URL, range:

<url> 1–64 characters.
4 ZXR10(config-submanage-websvr-server-id)#ip-a Sets the active IP address,

ddr <ip-address>[{port <port-id>| backup}] backup IP address and port
number of the portal server.
5 ZXR10(config-submanage-websvr-server-id)#uas Sets the IP address of the

-ip <ip-address> interface <interface-name> interface that the ZXR10
M6000 uses to connect to
the Web server.

mode.
7 ZXR10(config-vbui)#interface <vbui-interface> Enters VBUI interface

configuration mode.
8 ZXR10(config-vbui-if)#web-acl <acl-name> Sets a Web ACL for

authentication page push.
<acl-name>: range: 1–31
characters.
<port-id>: the port number of the portal server, range: 1–65535.

backup: backup IP address.
2. Configure advertisement push.
l Configure advertisement push information on the BRAS.
Non-restricted advertisement push is applicable to PPPoX users only. On the

ZXR10 M6000, except for the network access and authentication configurations
of PPPoX users, ensure that advertisement push information of PPPoX users is
configured in the corresponding authorization templates (configured in subscriber
management mode). The configuration information can be set on the BRAS or
RADIUS server, and is sent through the RADIUS server.

mode.
10-4

2 ZXR10(config-submanage)#authorization-template Enters authorization

<author-template-name> template configuration
mode. Specifies an ID for
the subscriber authorization
template, range: 1 to 20000.
3 ZXR10(config-submanage-author-template)#ppp Configure the URL

url <url> information for PPP users,
1 to 63 characters in length.
4 ZXR10(config-submanage-author-template)#ppp Sets the URL type of PPP

url-mode {portal [delay <delay-time>]| padm} users and the delay time in
pushing advertisements.
5 ZXR10(config-submanage-author-template)#ppp Configure the WEB-page

web-force timer <timer> count <count> push time and amount for
PPP users.
portal: specifies the URL type of PPP users is portal.
padm: specifies the URL type of PPP users is PADM.

delay: specifies the time delay in pushing advertisements.
<delay-time>: specifies the time delay (in seconds) in pushing advertisements,
range: 0–3.
<timer>: sets the page push time (in minutes) for PPP users, range: 5 to
2147483647.
<count>: sets the page push amount for PPP users, range: 1–2147483647.
Note:
ppp url-mode {portal | padm} and ppp url <url> should be configured at the same
time; otherwise, the PPPoX advertisement push does not work.
l Configure advertisement push information on the RADIUS server.
The attributes of restricted advertisement push are sent by the RADIUS

server. On the ZXR10 M6000, except for the network access and special ACL
configurations of users, no additional configurations are needed.
ZTE's private attributes are as follows:
à ZTE_PPPOE_URL: The redirect URL, private attribute 27.
10-5

à ZTE_PPP_CLIENT_TYPE: The push type, private attribute 101. 0 refers to

the portal-mode push, 1 refers to no push, and 2 refers to the PADM-mode
push.
à ZTE_PPPWEBFORCETIMER: The periodical push time, private attribute
209.
à ZTE_PPPWEBFORCECOUNTER: The periodical push amount, private
attribute 210.
3. Configure arrear page push.
l To configure RADIUS-based arrear page push, perform the following steps:

mode.

mode, ID of the subscriber
authorization template,
range: 1–20000.
3 ZXR10(config-submanage-author-template)#red Sets a redirect URL, used

irect-url <url> when the RADIUS server
does not send the redirect
URL.
4 ZXR10(config-submanage-author-template)#user Sets the user status.

quota-exceed {hold | kickoff | redirect-web} hold: keeps the user online.
kickoff: takes the user
offline immediately.
redirect-web: redirects the
user to a pre-configured
Web page.
5 ZXR10(config-submanage-author-template)#auth Sets a policy to be taken

-fail policy {offline | redirect-web [none-accounting]} when authentication fails.
offline: takes the user
offline if authentication is
not passed.
redirect-web: starts the
Web authentication flow
if authentication is not
passed.

mode.
10-6


configuration mode.
8 ZXR10(config-vbui-if)#redirect-web-acl Sets a redirect ACL.

<acl-name> <acl-name>: range: 1–31
characters.
<url>: redirect URL, range: 1–63 characters, format: "http://10.10.10.20 (IP

address of the Web server)"
l To configure forced push in an authorization template, perform the following steps:

mode.

mode. <author-template-
name>: range: 1–31
characters.
3 ZXR10(config-submanage-author-template)#red Sets a redirect URL.

irect-url <url>
4 ZXR10(config-submanage-author-template)#fo Enables forced push.

rce redirect-web

mode.

configuration mode.
7 ZXR10(config-vbui-if)#special-acl <acl-name> Sets the ACL for URL

redirection.
4. To display the configurations, run the following commands:
Command Description
ZXR10#show configuration submanage template Shows the authorization template

authorization-template {all | name <author-template-name>} configuration.
ZXR10#show running-config portal [all] Shows PORTAL-related

commands.
ZXR10#show running-config aim [all] Shows ATM-related commands.
ZXR10#show running-config uim [all] Shows UIM-related commands.
10-7

5. To maintain page push, run the following commands:
Command Description
ZXR10#debug portal all Enables the debugging of the PORTAL

module.
10.3 Page Push Configuration Examples

10.3.1 Example: PPPoX Advertisement Push Configuration
Overview
Tools other than ENTERNET500 cannot recognize the PADM field, which causes the
PADM-mode push to be implemented by establishing a dial-up connection through
ENTERNET500 (Windows 2000-compatible only). This manual describes how to publish
advertisements by using the PORTAL-mode push. Figure 10-1 shows the networking
topology for the PPPoX advertisement push.
Figure 10-1 Networking Topology for PPPoX Advertisement Push
Configuration Flow
1. Configure PPPoE user access.
2. Configure PPPoX advertisement push contents.
3. Configure the PORTAL server.
Configuration Procedure
1. For the basic configuration relating to PPPoE user access, refer to the "PPPoEv4
Configuration Examples" section, keep in mind that the authorization mode of the
authorization template should be set to mix-radius, that is, the push parameters are
sent through the ZXR10 M6000 or RADIUS router. The following use the procedure
of sending push parameters through the ZXR10 M6000 as an example.
2. Configure the PPPoX advertisement push.
10-8

ZXR10(config-submanage-author-template)authorization-type mix-radius
ZXR10(config-submanage-author-template)#ppp url-mode portal
ZXR10(config-submanage-author-template)#ppp url
http://192.168.105.112:88/LoginOn.jsp
ZXR10(config-submanage-author-template)#ppp web-force timer 5 count 3
3. In the CMD window of the PORTAL server, configure a return route for the redirect
page.
C:\Documents and Settings\Administrator>route add 179.18.0.0 255.255.0.0
192.168.4.2 –p /*179.18.0.0/16 refers to the network segment
assigned to the user after he or she logs onto the network.
192.168.4.2 refers to the IP address of the BRAS,
and p refers to a permanent route*/
After the PC user successfully establishes a PPPoE dial-up connection
(username/password: user1@pppoe/123), run the show subscriber pppox <ipv4-address>
command on the BRAS to view the detailed information of the user. After launching a
browser, this user is redirected to the pre-configured page, regardless of which address
he or she enters.
ZXR10(config)#show subscriber pppox ipv4-address 179.18.0.2
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify : 83
user-name : user1
domain-name : pppoe
local-domain-name : pppoe
authorize-domain-name : pppoe
mac-address : 0025.1165.5960
session-id : 92
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
10-9

circuit-information : smartgroup6 [vlan:0 sec-vlan:0]
create-time : 2011/09/20 10:51:56
online-time : 383
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
sessionLimitType: 0 acctSession : 10515686ppp0dda0025116559600052
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
ipv4-address : 179.18.0.2
vrf-name :
vpn-id : 0
primary-dns : 1.1.1.1
second-dns : 2.2.2.2
igmpProfile : 0
10-10

nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
10-11

10.3.2 Example: Arrear Push Configuration

Overview
A delinquent user tries to establish a dial-up connection, however, the attempt is rejected,
and he or she is redirected to a page reminding him or her of a delinquent account. Figure
10-2 shows the networking topology for the arrear push.
Figure 10-2 Networking Topology for Arrear Push
Configuration Flow
2. Configure the arrear advertisement push contents.
3. Configure the arrear server.
4. Verify the configuration.
1. For the basic configuration relating to PPPoE user access, refer to the "PPPoEv4
Configuration Examples" section. The arrear push only supports sending the arrear
flag through the RADIUS server, and the redirect URL can be sent through the
10-12

ZXR10 M6000 or RADIOUS server. In this case, the authorization template should
be configured to use RADIUS authentication, and the authorization mode of the
authorization template can be set to mix-radius (that is, both the ZXR10 M6000 or
RADIUS router can send the push parameters). The following use the procedure of
sending a redirect URL through the ZXR10 M6000 as an example.
2. Configure the arrear push.
ZXR10(config)#ipv4-access-list owe
ZXR10(config-ipv4-acl)#rule permit ip any 192.168.112.106 0.0.0.0
ZXR10(config-vbui-if)#redirect-web-acl owe
ZXR10(config-submanage-author-template)#redirect-url
http://192.168.112.106:88/LoginOn.jsp
3. In the CMD window of the arrear server, configure a return route for the redirect page.
C:\Documents and Settings\Administrator>route add 164.1.0.0 255.255.0.0
192.168.4.7 –p /*164.1.0.0/16 refers to the network segment assigned
to the user for accessing the network 192.168.4.7 refers to the IP address of the
BRAS, and p refers to a permanent route.*/
After a PC user successfully establishes a PPPoE dial-up connection
(username/password: user1@pppoe), run the show subscriber pppox interface verbose
command on the BRAS to view the detailed information of the user. Verify that
charge-status: OWE is displayed, that is, the arrear flag has been sent to the user. After
launching a browser, this user is redirected to the pre-configured page regardless of
which address he or she enters.
ZXR10(config)#show subscriber pppox interface smartgroup8.888 verbose
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
10-13

user-identify : 35425
family-identify : 0
user-name : user1
domain-name : pppoe
local-domain-name : pppoe
authorize-domain-name : pppoe
mac-address : 0021.86f8.c5b1
session-id : 65
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
circuit-information : smartgroup8.888 [vlan:350 sec-vlan:0]
create-time : 2011/10/19 13:35:51
online-time : 3348
limited-status : OWE
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
10-14


sessionLimitType: 0 acctSession : 13355274ppp16b0002186f8c
5b19a3f
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id : 0
second-dns : 80.80.80.8
ip-pool-name :pool199
igmpProfile : 0
nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
10-15

-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------

IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
10-16

Chapter 11
BRAS SmartGroup Access
Configuration
Table of Contents
BRAS SmartGroup Access Overview .......................................................................11-1
Configuring BRAS SmartGroup Access....................................................................11-2
BRAS SmartGroup Access Configuration Examples.................................................11-3
11.1 BRAS SmartGroup Access Overview

BRAS SmartGroup Access Introduction
A SmartGroup interface is an aggregation interface. It aggregates several physical
interfaces into one interface. The interfaces aggregated can cross boards.
The SmartGroup function can provide customers with more flexible and effective
solutions. It provides much flexibility when customers use ZXR10 series products to
plan and construct networks. At the same time, it improves the stability of networks
greatly, especially for Ethernet environment and Ethernet interface environment. With
SmartGroup function, customers can enlarge bandwidth and improve network stability.
SmartGroup function also makes the network construction cost more reasonable.
SmartGroup function on the ZXR10 M6000 can aggregate several Ethernet interfaces of
the same type into one SmartGroup logical interface.
l The ZXR10 M6000 supports aggregation of Ethernet interfaces on the same interface
board.
l Load sharing on the ZXR10 M6000 supports per-packet mode and per-destination
mode. In per-destination mode, source IP address and destination address are
considered.
l The ZXR10 M6000 supports SmartGroup interfaces at most.
l Each SmartGroup interface on SmartGroup supports 16 Ethernet interface at most.
When the physical interface aggregated cross different boards, it is necessary to
synchronize related service information to the member line cards on the BRAS device.
BRAS SmartGroup Access Features

A BRAS SmartGroup interface has the user-side attribute, and services are accessed
through the VBUI interface. This is the main difference between a BRAS SmartGroup
interface and a common SmartGroup interface.
11-1

When a subscriber comes online through a cross-board SmartGroup interface, the BRAS
device synchronizes the information (including protocol data and related service data)
associated with the subscriber to all line cards of the member interfaces. If one of the
line cards powers down, the subscriber does not fall offline. All protocol packets of the
subscriber are handed over to other member boards. In addition, the downlink packets
can be shared through the load sharing function of the Link Aggregation Control Protocol
(LACP).
At present, BRAS Smartgroup access supports the IPoE boot-strap authentication and
PPPoE function. The difference from the IPoE function and PPPoE function described
previously is that the SmartGroup interface here is an aggregation interface supporting
cross-board accesses.
11.2 Configuring BRAS SmartGroup Access

This procedure describes how to configure BRAS SmartGroup access.
Context
The differences between the configuration of BRAS SmartGroup access and those of
IPoE access and PPPoE access is that a SmartGroup interface is associated with a VCC
interface on the user side. Here, only the configuration commands of a SmartGroup
interface are described. For other configuration commands, refer to the "Configuring
IPoEv4" section and the "Configuring PPPoEb4" section.
Steps
1. To configure a BRAS SmartGroup interface, perform the following steps:

mode.
2 ZXR10(config)#interface<smartgroup- interface-name> Creates a SmartGroup

interface.
3 ZXR10(config)#lacp Enters LACP configuration

mode.
4 ZXR10(config-lacp)#interface <smartgroup-interface- Enters interface configuration

name> mode.
5 ZXR10(config-lacp-sg-if)#lacp mode {802.3ad | on} Sets the interface binding

attributes.
6 ZXR10(config-lacp)#interface {byname Enters LACP member

<byname>|<interface-name>} interface configuration mode.
11-2

Chapter 11 BRAS SmartGroup Access Configuration
7 ZXR10(config-lacp-member-if)#smartgroup Adds an interface to the

<smartgroup-id> mode {passive | active| on} SmartGroup, and sets the
aggregation mode of the
interface.
<smartgroup-id>: SmartGroup ID, range: 1 to 64.

passive: sets the LACP of the interface to be in passive negotiation mode.
active: sets the LACP of the interface to be in active negotiation mode.
on: static trunk. The LACP does not run in this mode. Both aggregated ends should
be set to "on" mode.
Note:
The aggregation mode of the interface should be consistent with that of the
SmartGroup interface. Otherwise, the interface cannot be added to the SmartGroup.
After configuring a SmartGroup interface, set the SmartGroup interface to a VCC

interface.
2. To display the configuration, run the following command:
Command Function
ZXR10#show lacp {[<smartgroup-id>]{counters | internal | Shows the LACP information.

neighbors}| sys-id}
11.3 BRAS SmartGroup Access Configuration

Examples
11.3.1 Example: PPPoE-Mode QinQ Access Configuration
Overview
SmartGroup interfaces on the ZXR10 M6000 supports PPPoE access, IPoE access and
L2TP access. The following use the PPPoE-mode QinQ access configuration as an
example.
11-3

As shown in Figure 11-1, interfaces gei-0/1/0/1 and gei-0/1/0/2 on the ZXR10 M6000 are
connected to interfaces gei_3/1 and gei_3/2 on the LAN switch, respectively. Interfaces
gei-0/1/0/1 and gei-0/1/0/2 are aggregated to a SmartGroup.
Figure 11-1 Network Topology for PPPoE-Mode QinQ Access
Configuration Flow
1. Create a SmartGroup logical access interface, and configure LACP attribute on the
interface.
2. Add member ports to the SmartGroup interface.
3. Configure an AAA authentication template, and associate it with a domain. Configure
a PPPoE template, and configure related PPP attributes in the template.
4. Configure a user-side interface, and configure a PPPoE address pool on the interface.
Associate the interface with the domain.
6. Create a VCC sub-interface. Associate the PPPoE template with the VCC interface.
Configure QinQ on the VCC sub-interface.
1. Create a SmartGroup logical access interface, and configure the LACP attribute on
the interface.
ZXR10(config)#interface smartgroup64
ZXR10(config-if-smartgroup64)#exit
ZXR10(config)#lacp
ZXR10(config-lacp)#interface smartgroup64
ZXR10(config-lacp-sg-if-smartgroup64)#lacp mode on
ZXR10(config-lacp-sg-if-smartgroup64)#exit
ZXR10(config-lacp)#exit
ZXR10(config)#lacp
ZXR10(config-lacp)#interface gei-0/1/0/1
ZXR10(config-lacp-member-if-gei-0/1/0/1)#smartgroup 64 mode on
ZXR10(config-lacp-member-if-gei-0/1/0/1)#exit
11-4

ZXR10(config-lacp)#exit
3. Configure an AAA authentication template, and associate it with a domain. Configure
a PPPoE template, and configure related PPP attributes in the template.
ZXR10(config-submanage-author-template)#authorization-type none
4. Configure a user-side interface, and configure a PPPoE address pool on the interface.
Associate the interface with the domain.
11-5


ZXR10(config-vbui-if-ip-pool)#pppoe-dns-server 1.1.1.1
ZXR10(config-vbui-if-ip-pool)#pppoe-dns-server 2.2.2.2 second
5. Create a VCC sub-interface.
ZXR10(config)#interface smartgroup64.1
ZXR10(config-if-smartgroup64.1)#exit
ZXR10(config-vcc)#interface smartgroup64.1
ZXR10(config-vlan)#interface smartgroup64.1
ZXR10(config-vlan-if-smartgroup64.1)#qinq internal-vlanid 1
external-vlanid 100
ZXR10(config-vlan-if-smartgroup64.1)#end
Execute the show subscriber command, and verify that the subscriber has been online, as
shown below.
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify : 155
family-identify : 0
user-name : pppoe
domain-name : domain199
local-domain-name : domain199
authorize-domain-name : domain199
mac-address : 0010.9400.0bf6
11-6

session-id : 15
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-back-status : NONE
create-time : 2011/05/09 11:10:15
online-time : 16
vpdnAcctClass :
dpi-policy : 0
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
sessionLimitType: 0 acctSession : 15215591ppp0e25001094000
001000f
-------------------------------------------------------------------------------
11-7

IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id : 0
igmpProfile : 0
nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
11-8

aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
11.3.2 Example: IP-HOST-Mode QinQ Access Configuration

Overview
SmartGroup interfaces on the ZXR10 M6000 supports PPPoE access, IPoE access and
L2TP access. The following use the IP-HOST-mode QinQ access configuration as an
example.
As shown in Figure 11-2, interfaces gei-0/1/0/1 and gei-0/1/0/2 on the ZXR10 M6000 are
connected to interfaces gei_3/1 and gei_3/2 on the LAN switch. Interfaces gei-0/1/0/1 and
gei-0/1/0/2 are aggregated to a SmartGroup.
11-9

Figure 11-2 Networking Topology for IP-HOST-Mode QinQ Access
Configuration Flow
1. Create a SmartGroup logical access interface, and configure LACP attribute on the
interface.
3. Configure an AAA authentication template, and associate it with a domain.
4. Configure a user-side interface, and configure an IP-HOST address pool on the
interface. Associate the interface with the domain.
6. Create a VCC sub-interface. Configure QinQ on the VCC sub-interface.
7. Configure IP-HOST with a VLAN, a username and a domain name on the VBUI
interface.
8. Configure a static IP address on the client. The IP address is the same as the IP-HOST
address.
1. Create a SmartGroup logical access interface, and configure the LACP attribute on
the interface.
ZXR10(config)#interface smartgroup64
ZXR10(config-if-smartgroup64)#exit
ZXR10(config)#lacp
ZXR10(config-lacp)#interface smartgroup64
ZXR10(config-lacp-sg-if-smartgroup64)#lacp mode on
ZXR10(config-lacp-sg-if-smartgroup64)#exit
ZXR10(config)#lacp
3. Configure an AAA authentication template, and associate it with a domain.
11-10

ZXR10(config-submanage-author-template)#authorization-type none
ZXR10(config-submanage-domain)#bind authentication-template xte
4. Configure a user-side interface, and configure an IP-HOST address pool on the
interface. Associate the interface with the domain.
ZXR10(config-vbui-if-ip-pool-member)#static-ip 199.1.1.10 199.1.1.100
11-11

5. Create a VCC sub-interface. Configure QinQ on the VCC sub-interface.

ZXR10(config)#interface smartgroup64.1
ZXR10(config-if-smartgroup64.1)#exit
ZXR10(config-vcc)#interface smartgroup64.1
ZXR10(config-vcc-if)#encapsulation multi
ZXR10(config-vlan)#interface smartgroup64.1
ZXR10(config-vlan-if-smartgroup64.1)#qinq internal-vlanid 1
external-vlanid 100
ZXR10(config-vlan-if-smartgroup64.1)#end
6. Configure IP-HOST with a VLAN, a username and a domain name on the VBUI
interface.
ZXR10 (config)#vbui-configuration
ZXR10(config-vbui-if)#ip-host 199.1.1.10 smartgroup64.1 vlan 100 sec-vlan 1
user-info iphost domain199 123 detect 5
Configure a static IP address on the client. The IP address is the same as the IP-HOST
address.
Execute the show subscriber command, and verify that the subscriber has been online, as
shown below.
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify : 156
family-identify : 0
user-name : iphost
mac-address : 0010.9400.0bf6
session-id : 0
11-12

eap-type : FALSE
sibprofileid : 0
domain-priority : 0
create-time : 2011/05/09 11:15:15
online-time : 20
dpi-policy : 0
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
sessionLimitType: 0 acctSession : 10182445---05f2001094000
0020000
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 HOST
11-13

vrf-name :
vpn-id : 0
primary-dns :
second-dns :
igmpProfile : 0
nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
11-14

ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
11-15

11-16

Chapter 12
ATM Access Configuration
Table of Contents
ATM Access Overview..............................................................................................12-1
Configuring BRAS ATM Access................................................................................12-2
Example: ATM Access Configuration .......................................................................12-3
12.1 ATM Access Overview

The ATM access of BRAS supports the BRAS subscriber access function on the ATM
network, that is, the subscriber broadband access service.
The ATM access function of BRAS on the ZXR10 M6000 implements the bridge connection
and protocol conversion between ATM and Ethernet through he ULEI bridge connection
interface. The difference between the BRAS ATM access service and the normal Ethernet
access service is as follows: The ULEI bridge connection interface of the BRAS ATM
function has the attribute of the user side, so it can implement the user access function.
The principle of three user access modes PPPoEoA, IPoEoA, and static IPHOSToEoA
corresponding to the BRAS ATM access is as follows:
l Point-to-Point Protocol over Ethernet over ATM (PPPoEoA) is a type of network
protocol, which encapsulates the PPP frame to the Ethernet frame, and then to the
ATM cell. With the PPPoEoA access function, you can access the PPP subscribers
through the PPPoE mode on the ATM circuit.
l With the IPoEoA access function, you can access the DHCP subscribes through IPoE
mode on the ATM circuit.
l With the IPHOSToEoA access function, you can access the static HOST subscribers
through the ATM circuit.
The following use PPPoEoA user access as an example. Figure 12-1 shows the
networking topology for a typical application scenario.
12-1

Figure 12-1 Networking Topology for PPPoEoA User Access
12.2 Configuring BRAS ATM Access

This procedure describes how to configure BRAS ATM access.
Context
ATM access differs from Ethernet access in that is applies the ULEI interface to the VCC
interface. To configure ATM access is to create a ULEI access interface, and then configure
a mapping relationship between the PVC and ULEI interface.
Steps
1. Configure ATM access on the ZXR10 M6000.
1 ZXR10(config)#request interface <ulei-interface> Creates a bridge connection ULEI

interface.
2 ZXR10(config)#interface <atm-interface> Enters ATM interface configuration

mode.
3 ZXR10(config-if)#pvc <pvc-number><vpi-valu Sets PVC, and then enters PVC

e><vci-value> configuration mode.
4 ZXR10(config-if-atm-vc)#map-to Sets a mapping between the PVC

<ulei-interface> and ULEI interface.
5 ZXR10(config)#vcc-configuration Enters VCC configuration mode.
6 ZXR10(config-vcc)#interface <ulei-interface> Enters VCC interface configuration

mode.
<pvc-number>: PVC ID, range: 1 to 4000.

<vpi-value>: VPI value, range: 0 to 255.
<vci-value>: VCI value, range: 32 to 65535.
12-2

Chapter 12 ATM Access Configuration
Command Function
ZXR10#show atm configuration [interface Shows the ATM interface configuration.

<atm-interface>][<pvc-number><vpi-value><vci-value>]
ZXR10#show running-config uim [all] Shows the configuration commands of

the UIM module.
12.3 Example: ATM Access Configuration

Overview
ATM access differs from Ethernet access in that it applies the ULEI interface to the VCC
interface. The following use the PPPoEoA user access configuration as an example.
Figure 12-2 shows the networking topology for ATM access.
Figure 12-2 Networking Topology for ATM Access
Configuration Flow
1. Create a ULEI access interface, and configure the mapping relationship between the
ULEI interface and the ATM physical interface.
2. Configure the authentication, authorization, and accounting templates, and associate
them with the domain. Configure the PPPoX template, and configure the related PPP
attribute in this template.
3. Configure the interface on the user side, configure an address pool under the vbui
interface, and associate them with the domain.
4. Configure subscribers on the RADIUS server.
5. Set the VCC interface to the ULEI sub-interface, and associate the PPPoX template
with the VCC interface.
1. Create a ULEI access interface, and configure the mapping relationship between the
ULEI interface and the ATM physical interface.
ZXR10(config)#request interface ulei-0/0/0/2
12-3

ZXR10(config)#interface atm622-0/0/0/2
ZXR10(config-if-atm622-0/0/0/2)#pvc 1 0 32
ZXR10(config-if-atm622-0/0/0/2-atm-vc)#map-to ulei-0/0/0/2
ZXR10(config-if-atm622-0/0/0/2-atm-vc)#exit
ZXR10(config-if-atm622-0/0/0/2)#exit
2. Configure the authentication, authorization, and accounting templates, and associate
them with the domain. At the same time, configure the PPPoX template, and configure
the related PPP attribute in this template.
ZXR10(config-submanage)#domain zte.331
3. Configure the interface on the user side, configure the address pool under the vbui
interface, and associate them with the domain.
ZXR10(config-vbui-if-ip-pool)#access-domain zte.331
12-4

Chapter 12 ATM Access Configuration
ZXR10(config-vbui-if-ip-pool)#pppoe-dns-server 1.1.1.1
ZXR10(config-vbui-if-ip-pool)#pppoe-dns-server 2.2.2.2 second
4. Configure subscribers on the RADIUS server.
5. Configure the VCC interface.
ZXR10(config)#interface ulei-0/0/0/2.331
ZXR10(config-if-ulei-0/0/0/2.331)#no shutdown
ZXR10(config-if-ulei-0/0/0/2.331)#exit
ZXR10(config-vlan)#interface ulei-0/0/0/2.331
ZXR10(config-vlan-if-ulei-0/0/0/2.331)#encapsulation-dot1q 331
ZXR10(config-vlan-if-ulei-0/0/0/2.331)#exit
ZXR10(config-vcc)#interface ulei-0/0/0/2.331
Configuration Verifications
Run the show subscriber pppox command, and verify that information of the online
subscribers is proper.
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :111
user-name :yanbd
domain-name :zte.331
local-domain-name :zte.331
authorize-domain-name :zte.331
mac-address :0010.9461.0001
session-id :5
12-5

access-interface :ulei-0/0/0/2.331
internal-vlan :0
external-vlan :331
eap-type :FALSE
sibprofileid :0
create-time :2011/10/28 14:36:10
online-time :216
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :211.1.1.0
second-dns :2.2.2.2
*******************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
12-6

Chapter 13
Layer-3 Access
Configuration
Table of Contents
Layer-3 Access Overview.........................................................................................13-1
Configuring Layer-3 Access of DHCP Users.............................................................13-6
Configuring Layer-3 Access of MHOX Static Users (Authorization Only) ................13-12
Configuring Layer-3 Access of MHOX Static Users ................................................13-14
Configuring Layer-3 Access of MHOX Users (Web-Based Forced Push and
Stream-Triggered Authentication) ...........................................................................13-17
Layer-3 Access Configuration Examples ................................................................13-20
13.1 Layer-3 Access Overview

Overview
Among the telecommunication broadband service access modes, Layer-2 mode is used
for subscribers access to the BRAS services, that is, subscribers can access the BRAS
services through a Layer-2 network that is deployed between the BRAS and subscribers,
or through Layer-2 links. The primary access protocols involved are Point-to-Point
Protocol over Ethernet (PPPoE) and Dynamic Host Configuration Protocol (DHCP). The
BRAS learns the subscribers'MAC addresses through the PPPoE and DHCP broadcast
messages, and then implements authentication, authorization and accounting on these
subscribers.
l Layer-3 devices may be deployed in part of carriers' access networks due to
investment protection, service habits or other reasons. In the current networking
environment, the Cable Modem Termination System (CMTS) is used for the access
of services; however, it has no ability to provide the access of Layer-2 services, and
therefore Layer-3 mode is used between the BRAS and users.
l For the campus networks that feature a heavy traffic due to frequent internal access,
Layer-3 mode is used for the access of services.
Due to the network operation and management requirements, authentication, authorization
and accounting need to be implemented on some subscribers access to services through
Layer-3 networks. In this case, the multi-hop access provided by the ZXR10 M6000 can
be used on some trial sites.
13-1

Layer-3 Access Features

In a typical Layer-3 access scenario, a Layer-3 network is deployed between the BRAS
and users. The PPPoE and DHCP broadcast messages cannot be transmitted over the
Layer-3 network from the user side. In this case, the PPPoE cannot be used for the access
of services . If the DHCP is used, DHCP Relay should be enabled on related Layer-3
devices to transfer DHCP messages. The BRAS cannot obtain the users' MAC addresses
through the Layer-3 network, and therefore it implements identification, authentication,
authorization and accounting on users through IP addresses.
Users accessing the Layer-3 network are classified into dynamic and static ones:
l Dynamic users obtain their IP addresses through the DHCP, and their authentication,
authorization and accounting are implemented through DHCP+WEB Portal or DHCP
Option60 mode.
l Static users have fixed IP addresses, and their service modes can be private
line (common Layer-3 IP forwarding) or user management. Their authentication,
authorization and accounting are implemented through WEB Portal mode.
Figure 13-1 shows how a client accesses the Layer-3 network for BRAS services. The
Layer-3 device between the client and the BRAS can be a router, a Layer-3 switch, a
CMTS or a Layer-3 capable device. A Layer-3 network supports the deployment of one or
multiple Layer-3 devices.
Figure 13-1 Networking Topology for Layer-3 Access
Figure 13-2 shows how a dynamic user's IP address is obtained through the DHCP in
a Layer-3 network: Upon receipt of a DHCP request, the Layer-3 device transfers the
message to the DHCP Server through its DHCP Relay, and then the DHCP Server assigns
an address to the dynamic user.
13-2

Chapter 13 Layer-3 Access Configuration
Figure 13-2 Example: Dynamic User Obtains IP Address in Layer-3 Network
The procedure of different types of users access to the network is describes as follows.
DHCP Users Access to the Network

The authentication modes for DHCP users can be OPTION, WEB, circuit and
OPTION-WEB.
l OPTION authentication
Figure 13-3 shows the flow of an OPTION authentication.
Figure 13-3 DHCP OPTION Authentication Flow
1. Upon receipt of a DHCP Discover message from the PC client, the BRAS obtains
the user name by resolving it from the message based on Option60 and Option82,
and sends it to the RADIUS server for an authentication.
2. If the authentication is passed, the BRAS searches for the IP address pool based
on the address of the Relay Agent and Option60. If a match is found, it assigns
an IP address to the user.
3. The user is granted access to the network for BRAS services.
l WEB authentication
Figure 13-4 shows the flow of a WEB authentication.
13-3

Figure 13-4 DHCP WEB Authentication Flow
1. Upon receipt of a DHCP Discover message from the PC client, the BRAS
searches for the IP address pool based on the address of the Relay agent,
Option60 and interface type. If a match is found, it assigns an IP address to the
user.
2. The PC client sends an HTTP message to the BRAS.
3. Based on the push mark of an item in the relation table, the BRAS redirects the
user to the authentication page that is pre-configured on the Portal Server.
4. After the user enters the username and password, an authentication request is
initiated. Upon arrival of the request, the Portal Server originates a Challenge
request to the BRAS based on the user information.
5. The BRAS returns a Challenge acknowledgement based on the user information.
6. The Portal Server sends an authentication request to the BRAS, and the BRAS
searches for the user information based on some indexes (such as the IP
address). If a match is found, the BRAS sends an authentication request to the
RADIUS server based on the user information and user type.
7. The RADIUS server authenticates the user information, and returns the result to
the BRAS. If the authentication is passed, the BRAS clears the push mark of the
item in the relation table, and updates the item. This means that the user can
access the external network services through the BRAS.
8. The BRAS sends the authentication result to the Portal Server, and the Portal
Server notifies the user of the authentication result.
13-4

Static Users Access to the Network

Static users need to undergo authorization only. The procedure is as follows:
1. The PC client sends the user's data flow to the BRAS.
2. The BRAS matches the IP address based on the pre-configured rule, and generates
an item in the relation table if a match is found.
3. The user is authorized access to the network without any authentication or accounting.
Stream Users Access to the Network

Figure 13-5 shows the flow of a static user/stream user access to the network.
Figure 13-5 Static/Stream User Access to the Network
1. The PC client sends the user's data flow to the BRAS.

2. The BRAS matches the IP address based on the pre-configured rule. If a match is
found, it generates an item in the relation table, and marks the user as Push.
3. The PC client sends an HTTP message to the BRAS.
4. Based on the Push mark of the item in the relation table, the BRAS redirects the user
to the authentication page that is pre-configured on the Portal Server.
5. After the user enters the username and password, an authentication request is
initiated. Upon receipt of the authentication request, the Portal Server sends a
Challenge request to the BRAS based on the user information.
6. The BRAS returns a Challenge acknowledgement based on the user information.
7. The Portal Server sends an authentication request to the BRAS, and the BRAS
searches for the user information based on some indexes (such as the IP address).
13-5

If a match is found, the BRAS sends an authentication request to the RADIUS server
based on the user information and user type.
8. The RADIUS server authenticates the user information, and returns the result to the
BRAS. If the authentication is passed, the BRAS clears the Push mark of the item in
the relation table, and updates the item. This means that the user can access the
external network services through the BRAS.
9. The BRAS sends the authentication result to the Portal Server, and the Portal Server
notifies the user of the authentication result.
13.2 Configuring Layer-3 Access of DHCP Users

This procedure describes how to configure layer-3 access of DHCP users.
Context
Users can access the layer-3 networks through the DHCP or Multi-Hops Over X (MHOX,
where X refers to the access mode, such as Ethernet or ATM).
Steps
1 ZXR10(config)#ip pool <pool-name> Creates an IP pool, and enters

IP pool configuration mode.
2 ZXR10(config-ip-pool)#range <start-ip><end-ip><ma Sets an address segment for

sk> the IP pool, and specifies its
start address, end address
and mask.
2. Configure DHCP.
1 ZXR10(config)#dhcp Enters DHCP configuration

mode.
2 ZXR10(config-dhcp)#enable Enables DHCP.
3 ZXR10(config-dhcp)#interface <interface-name> Enters interface configuration

mode.
13-6

4 ZXR10(config-dhcp-if)#deny option60 Sets whether to enable the

<rule-no><option60-str> DHCP Server to filter out
messages based on the
content in the option60 field.
<rule-no>: Specifies the rule
ID in the option60 field, range:
1 to 8.
<option60-str>: Specifies the
information to be filtered out,
which should be consistent
with that in the option60 field,
1 to 64 characters in length.
5 ZXR10(config-dhcp-if)#mode {server| relay | proxy} Specifies an access mode for

the interface.
6 ZXR10(config-dhcp-if)#policy <policy-name> Sets the policy name, 1 to 16

7 ZXR10(config)#ip dhcp pool <dhcp-pool-name> Enters DHCP POOL

configuration mode from
global mode.
8 ZXR10(config-dhcp-pool)#ip-pool <ip-pool-name> Binds the specified IP pool to

the DHCP pool.
9 ZXR10(config-dhcp-pool)#lease-time {infinite Sets the lease time, where:

|<days><hours><minutes>} l infinite: specifies that the
duration of the lease is
unlimited.
l <days>: specifies the
duration of the lease in
numbers of days, range:
0 to 365.
l <hours>: specifies the
number of hours in the
lease, range: 0 to 23,
default: 1
l <minutes>: specifies the
number of minutes in the
lease, range: 0 to 59.
10 ZXR10(config-dhcp-pool)#default-router Sets an IP address for the

*(<ip-address>) default route. A maximum
of eight IP addresses is
supported.
13-7

11 ZXR10(config)#ip dhcp policy <policy-name><priority> Enters policy configuration

mode from global mode, and
specifies a priority (range: 1
to 64).
12 ZXR10(config-dhcp-policy)#dhcp-pool Binds the specified DHCP

<dhcp-pool-name> pool to the DHCP policy.
13 ZXR10(config-dhcp-policy)#relay-agent <ip-address> Sets the IP address of the

Relay Agent.
14 ZXR10(config-dhcp-policy)#option60 {other Creates an option60-based

|[partial-match] string <option60-str>} policy, where:
l other: The policy is
matched provided that
the message carries the
option60 field.
l partial-match: supports
partial matching, optional.
l <option60-str>: The policy
is matched provided that
the message carries the
option60 field, and the
information contained in
the field is consistent with
that in the option60-str
field.
3. Configure the WEB.
1 ZXR10(config-submanage)#web-server <server-id> Enters WEBSVR configuration

mode.
2 ZXR10(config-submanage-submanage-websvr- Sets an IP address and a port

number)#ip-addr <ip-address>[port <port-id>| backup] number for the WEB Server.
3 ZXR10(config-submanage-submanage-websvr- Sets a redirect URL that points

number)#url <url> to the WEB Server.
4 ZXR10(config-submanage-submanage-websvr- Sets an IP address of the

number)#uas-ip <ip-address> interface <interface-name> interface for the ZXR10
M6000 connecting to the WEB
Server.
13-8

5 ZXR10(config-submanage)#web-server-group Creates a WEB Server

<group-id> group, and enters
WEBSVR_GROUP
configuration mode.
6 ZXR10(config-submanage-submanage-websvr-group- Creates a WEB Server in

number)#server <server-id>[master] the WEB Server group, and
specifies its ID.
master refers to a master
WEB Server.
1 ZXR10(config-submanage)#domain <domain-name> Enters BRAS_DOMAIN

configuration mode.

authentication-template <authentication template-name> template to the domain. A
domain can be bound with an
authentication template only.

authorization-template <authorization template-name> template to the domain. A
authorization template only.
4 ZXR10(config-submanage-domain)#bind Binds an accounting template

accounting-template <accounting template-name> to the domain. A domain can
be bound with an accounting
template only.
5 ZXR10(config-submanage-domain)#local-subscriber Sets ID of the local

<sub-name> domain-name <domain-name> password subscriber, and enters
<password> BRAS_LOCALSUB
configuration mode. The
password should be 1 to 31
5. Configure the subscriber-side interface.
1 ZXR10(config)#l3-access-configuration Enters L3 configuration mode.
2 ZXR10(config-l3-access)#interface {byname Enters L3 access interface

<byname>|<interface-name>} configuration mode.
13-9

3 ZXR10(config-l3-access-if)#pre-domain Sets the default domain

<domain-name> before user authentication.
4 ZXR10(config-l3-access-if)#ipox authentication-type Sets the authentication type

ipv4 dhcpv4 {cir-map | option | web | option-web} for DHCP users, options:
l cir-map: implements
the access of DHCP
users through circuit
authentication mode.
l option: implements
the access of DHCP
users through option
l web: implements
the access of DHCP
users through web
l option-web: implements
the access of DHCP
users through the
mixed authentication
mode (that is, if DHCP
users fail to pass option
authentication, the web
authentication flow is
started).
3 ZXR10(config-l3-access-if)#web-acl <acl-name> Sets an ACL, and associates

it with the L3 interface
for WEB-page push
authentication.
4 ZXR10(config-l3-access-if)#web-server-group Sets a WEB Server group for

<group-id> WEB-page push.
7 ZXR10(config-l3-access-if)#web-force Sets Web-based forced push

[authentication] and authentication. If the
authentication parameter is
specified, forced push and
authentication are performed.
If the authentication is not
specified, only forced push is
performed.
13-10

5 ZXR10(config-l3-access-if)#bind sal <sal-name> Sets a Source Address List

(SAL), and associates it with
the L3 interface for replacing
the domain names of users
access to the network through
the L3 interface.
6 ZXR10(config-l3-access-if)#access option60 Sets the option60 content

<option60-info> that can be carried in user
messages, 1 to 31 characters
in length.
7 ZXR10(config-l3-access-if)#dhcp-v4 auth-on-up Sets the username type,

username-type {({mac | mac-option60 | mac-option82 domain name type, and
| option60 | option82} domain-type (optionstring password type for the users
(passwordtype { ( (conffiig <password>) | mac | (authenticated based on the
optionstring}) ) ) | ((mac domain-type) {optionparse option 60 information) under
| ({option | optionstring}(passwordtype {((conffiig the L3 interface.
<password>) | mac | optionstring}))
mac: Specifies the user's MAC address as the username.

option60: Specifies the option60 content as the username.
mac-option82: Specifies a mix of MAC address and option82 content as the username.
option82: Specifies the option82 content as the username.
mac-option60: Specifies a mix of MAC addresses and option60 content as the

username.
default: uses the default self-defined format ("host name"+"-"+"3-digit slot

number"+"1-digit card number"+"2-digit port number"+"4-digit outer VLAN
ID"+"0"+"4-digit inner VLAN ID") to encapsulate the username
option82-default: uses the option82 information as the username preferentially. If the
option 82 information carried in a request packet is null or invalid, the default format
is used.
option: Specifies "option60" as the domain name.
optionstring: Specifies the option60 content as the domain name, and specifies
"option60" as the username type.
optionparse: Applies the format of "domain name/password" to resolve the option60
field. The password type is not required.
config: Specifies a password.

mac: Specifies the MAC address as the password.
optionstring: Specifies the option60 content as the password.
13-11

<password>: Specifies a password, 1 to 31 characters in length.

Command Description
ZXR10#show running-config aim Shows the domain or SAL

configuration.
ZXR10#show running-config portal Shows the Web server configuration.
ZXR10#show running-config dhcp Shows the DHCP configuration.
ZXR10#show running-config ippool Shows the IP pool configuration.
ZXR10#show running-config uim Shows the subscriber-side interface

configuration.
ZXR10#show subscriber multi-hop [statistics | verbose | Shows the information of the

summary] subscribers access to the layer-3
network.
13.3 Configuring Layer-3 Access of MHOX Static Users

(Authorization Only)
This procedure describes how to configure layer-3 access of MHOX static users
(authorization only).
Context
where X refers to the access mode, such as Ethernet or ATM). The MHOX users are
sub-divided into the following categories:
l Static users (authorization only)
l Static users (authentication and authorization)
l Stream users
Steps

mode.
13-12

2 ZXR10(config-submanage)#sal <sal-name> Creates an SAL, specifies

its name, and enters SAL
configuration mode.
3 ZXR10(config-submanage-sal)#default domain Sets the default domain name

<domain-name> for user access.
4 ZXR10(config-submanage-sal)#translate {src-domain Translates the subscriber's

<src-domain>| any} des-domain <dest-domain> domain name to a
pre-configured one.
5 ZXR10(config-submanage-sal)#permit {domain Sets a domain that the

<domain-name>| any} subscriber is permitted to
access.
ZXR10(config-submanage-sal)#deny {domain Sets a domain that the

<domain-name>| any} subscriber is denied to
access.
6 ZXR10(config-submanage-sal)#none domain Sets the roaming domain.

<domain-name>[keep] When the domain name is
not found in the system,
the access of the user is
implemented through the
roaming domain.
7 ZXR10(config-submanage-sal)#change-domain Converts the user's

<change-domain> local-domain <local-domain> change-domain name into
a local domain name. The
change-domain name is used
for authentication, and the
local-domain name is used for
management.

configuration mode.

authorization-template <author-template-name> template to the domain. A
domain can be bound to an
13-13

1 ZXR10(config)#l3-access-configuration Enter L3 configuration mode.


4 ZXR10(config-l3-access-if)#bind sal <sal-name> Sets an SAL associated

with the L3 interface for
replacing the domain name
of the subscriber access to
the network through the L3
interface.
5 ZXR10(config-l3-access-if)#ipv4-multi-host start-ip Sets the option60 information

<ip-adress> end-ip <ip-adress>[vlan <id>[sec-vlan that can be carried in the user
<id>]][authen-none] messages of the L3-interface
type.
<id>: ID of the inner-layer or outer-layer VLAN, range: 1-4094.

authen-none: configures the static user (authorization only).
Command Description

configuration.

configuration.
ZXR10#show running-config mhox Shows the MHOX configuration.

network.
13.4 Configuring Layer-3 Access of MHOX Static Users

This procedure describes how to configure layer-3 access of MHOX static users.
Context
13-14


l Stream users
Steps
1. Configure the Web server.
1 ZXR10(config-submanage)#web-server <server-id> Enters Web server

configuration mode.
2 ZXR10(config-submanage-websvr-number)#ip-addr Sets an IP address and a port

<ip-address>[port <port-id>] number for the Web server.
3 ZXR10(config-submanage-websvr-number)#url <url> Sets a URL that redirect users

to the Web server.
4 ZXR10(config-submanage-websvr-number)#uas-ip Sets an IP address of the

<ip-address> interface <interface-name> interface for the Web server
connecting to the ZXR10
M6000.
5 ZXR10(config-submanage)#web-server-group Creates a Web server

WEBSVR_GROUP
configuration mode.
6 ZXR10(config-submanage-websvr-group-number)#ser Creates a Web server in

ver <server-id>[master] the Web server group, and
specifies its ID.
Web server.

configuration mode.

authentication-template <authen-template-name> template to the domain. A

13-15


accounting-template <accounting-template-name> to the domain. A domain can
template only.
5 ZXR10(config-submanage)#local-subscriber <sub-name> Sets the local user ID, and



4 ZXR10(config-l3-access-if)#web-acl <acl-name> Sets an ACL associated with

the L3 interface for WEB-page
push authentication.

6 ZXR10(config-l3-access-if)#web-force Sets Web-based forced push

[authentication] and authentication. If the
authentication parameter is
specified, forced push and
authentication are performed.
If the authentication
parameter is not specified,
only forced push is performed.

interface.
13-16

8 ZXR10(config-l3-access-if)#ipv4-multi-host start-ip Sets a static user. When

<ip-adress> end-ip <ip-adress>[vlan <id>[sec-vlan the network flow related
<id>]][authen-none] to the user arises, the
Web-based forced push and
authentication is triggered.
<id>: ID of the inner-layer or outer-layer VLAN, range: 1–4094.

authen-none: configures the static user (authorization only).
Command Description

configuration.
ZXR10#show running-config portal Shows the Web server configuration.

configuration.

network.
13.5 Configuring Layer-3 Access of MHOX Users

(Web-Based Forced Push and Stream-Triggered
Authentication)
This procedure describes how to configure layer-3 access of MHOX users (Web-based
forced push and stream-triggered authentication).
Context
Users can access the layer-3 network through the DHCP or Multi-Hops Over X (MHOX,

l Stream users
13-17

Steps
1 ZXR10(config-submanage)#web-server <server-id> Enters WEBSVR configuration

mode.
2 ZXR10(config-submanage-websvr-number)#ip-addr Sets an IP address and a port

<ip-address>[port <port-id>] number for the Web server.
3 ZXR10(config-submanage-websvr-number)#url <url> Sets a URL that redirect users

to the WEB Server.
4 ZXR10(config-submanage-websvr-number)#uas-ip Sets an IP address of the

<ip-address> interface <interface-name> interface for the WEB Server
connecting to the ZXR10
M6000.
5 ZXR10(config-submanage)#web-server-group Creates a WEB Server

WEBSVR_GROUP
configuration mode.
6 ZXR10(config-submanage-websvr-group-number)#ser Creates a WEB Server in

ver <server-id>[master] the WEB Server group, and
specifies its ID.
WEB Server.

configuration mode.

authentication-template <authen-template-name> template to the domain. A


accounting-template <accounting-template-name> to the domain. A domain can
template only.
13-18

5 ZXR10(config-submanage)#local-subscriber <sub-name> Sets the local user ID, and



4 ZXR10(config-l3-access-if)#web-acl <acl-name> Sets an ACL associated with

the L3 interface for WEB-page
push authentication.


interface.
7 ZXR10(config-l3-access-if)#ipv4 user-access-list Sets an IP address segment

<ip-address> mask <mask > that can be accessed through
the L3 interface.
Command Description

configuration.
ZXR10#show running-config portal Shows the WEB Server configuration.

configuration.
13-19

Command Description

summary] subscribers access to the Layer-3
network.
13.6 Layer-3 Access Configuration Examples

13.6.1 Example: DHCP Option User Access Configuration
Overview
Figure 13-6 illustrates a layer-3 networking environment for DHCP Option user access.
Figure 13-6 Networking Topology for DHCP OPTION User Access
Configuration Flow
1. Configure DHCP Relay on the Relay device.
2. Configure a domain and an authentication template on the Server.
3. Configure layer-3 access and related information on the Server.
4. On the Server, configure a route to the Relay device.
5. After a DHCP option user establishes a dial-up connection, run the show subscriber
multi-hop command to view his or her information.
1. The configuration on the Relay device is as follows:
13-20


ZXR10(config)#dhcp
ZXR10(config-dhcp)#interface gei-0/0/0/1
ZXR10(config-dhcp-if-gei-0/0/0/1)#mode relay
ZXR10(config-dhcp-if-gei-0/0/0/1)#relay server group 1
ZXR10(config-dhcp-if-gei-0/0/0/1)#relay agent 183.8.0.1
ZXR10(config-dhcp-if-gei-0/0/0/1)#exit
2. The domain configuration and authentication template configuration on the Server are
as follows:

ZXR10(config-acctgrp-2000)#server 1 192.168.106.2 master key zte
13-21

ZXR10(config-submanage)#domain zy-mhox
ZXR10(config-submanage)#local-subscriber zy-mhox domain-name zy-mhox password
test /*If local mode is applied in an AAA authentication, a local user
should be configured*/
3. The layer-3 access configuration on the Server is as follows:
ZXR10(config)#l3-access-configuration
ZXR10(config-l3-access)#interface gei-0/1/0/1
ZXR10(config-l3-access-if)#ipox authentication-type ipv4 dhcpv4 option
ZXR10(config-l3-access-if)#dhcp-v4 auth-on-up username-type option60 domain-type
optionstring passwordtype config test
ZXR10(config-l3-access-if)#exit
ZXR10(config-l3-access)#exit
ZXR10(config)#ip pool zy-mhox

ZXR10(config-ip-pool)#range 183.8.0.2 183.8.0.254 255.255.0.0
/*The gateway should not be configured in the IP pool*/
ZXR10(config-ip-pool)#exit
ZXR10(config)#ip dhcp pool zy-mhox

ZXR10(config-dhcp-pool)#ip-pool zy-mhox
ZXR10(config-dhcp-pool)#default-router 183.8.0.1
/*This command has no effect on user access, but the lease renewal attempt may fail.
In this configuration mode, the DNS and renewal time can be set. /
ZXR10(config-dhcp-pool)#exit
ZXR10(config)#ip dhcp policy zy-mhox 1

ZXR10(config-dhcp-policy)#dhcp-pool zy-mhox
ZXR10(config-dhcp-policy)#relay-agent 183.8.0.1
ZXR10(config-dhcp-policy)#exit
ZXR10(config)#dhcp
ZXR10(config-dhcp)#interface gei-0/1/0/1
13-22

ZXR10(config-dhcp-if-gei-0/1/0/1)#mode server
ZXR10(config-dhcp-if-gei-0/1/0/1)#policy zy-mhox
ZXR10(config-dhcp-if-gei-0/1/0/1)#user quota 32000
/*Specify a proper access number based on requirements*/
ZXR10(config-dhcp-if-gei-0/1/0/1)#exit
4. On the Server, configure a route to the Relay device by using a static or dynamic
routing protocol. The following uses a static route as an example.
ZXR10(config)#ip route 183.8.0.0 255.255.0.0 83.8.0.1
After the user establishes a dial-up connection, run the show subscriber multi-hop
command on the Server to view his or her information.
ZXR10(config)#show subscriber multi-hop ipv4-address 183.8.0.2
**************************************************************************
--------------------------------------------------------------------------
Basic Information
--------------------------------------------------------------------------
user-identify : 1
family-identify : 0
user-name : zy-mhox
domain-name : zy-mhox
local-domain-name : zy-mhox
authorize-domain-name : zy-mhox
mac-address : 0010.94ab.0001
session-id : 0
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
vbui-interface :
create-time : 2012/08/01 10:26:08
online-time : 206
13-23

vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
absTimeout(s) : 0(unlimited) idleTimeout(s) : 0
--------------------------------------------------------------------------
IPv4 Information
--------------------------------------------------------------------------
subscriber-type : IPv4 DHCP SERVER(L3)
vrf-name :
vpn-id : 0
primary-dns :
second-dns :
ip-pool-name :
igmpProfile : 0
nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
13-24

nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
13-25

13.6.2 Example: DHCP WEB User Access Configuration

Overview
Figure 13-7 illustrates a layer-3 networking environment for DHCP WEB user access.
Figure 13-7 Networking Topology for DHCP WEB User Access
Configuration Flow
3. Configure layer-3 access and DHCP Server on the Server.
5. After a DHCP WEB user successfully logs onto the network, run the show subscriber
multi-hop command to view his or her information.
DHCP WEB user access differs from DHCP Option user access only in the L3 interface
configuration.
For detailed procedure of the web-acl and web-server-group configuration, refer to the
"IPoEv4 Configuration Examples" section.
The WEB configuration on the Server is as follows:
ZXR10(config-l3-access-if-gei-0/1/0/1)# ipox authentication-type ipv4 dhcpv4 web
13-26

ZXR10(config-l3-access-if-gei-0/1/0/1)#web-acl zy-mhox
ZXR10(config-l3-access-if-gei-0/1/0/1)#web-server-group 1
ZXR10(config-l3-access-if-gei-0/1/0/1)#web-force authentication
ZXR10(config-l3-access-if-gei-0/1/0/1)#exit
After a DHCP WEB user logs onto the network, run the show subscriber multi-hop
command on the Server to view the user information.
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify : 988
family-identify : 0
user-name : test
domain-name : test
authorize-domain-name : zhengchang
mac-address : 0014.7880.ba70
session-id : 0
eap-type : FALSE
sibprofileid : 0
domain-priority : 4
vbui-interface :
create-time : 2011/12/19 16:01:13
online-time : 72
dpi-policy : 0
vpdnAcctClass :
route-map-name :
13-27

ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
restTime(s) : 100 restFlow(KB) : 0(unlimited)
sessionLimitType: time acctSession : 16014274---117c00147880b
a700005
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 DHCP SERVER(L3)
vrf-name :
vpn-id : 0
primary-dns :
second-dns :
ip-pool-name :
igmpProfile : 0
nat-type : NONE
nat-multi-flag : 0
nat-domain-name : 0
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
13-28

nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName : isp1-in
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
13-29

13.6.3 Example: Static User Access Configuration

Overview
Figure 13-8 illustrates a layer-3 networking environment for static user access.
Figure 13-8 Networking Topology for Static User Access
Configuration Flow
3. Configure layer-3 access on the Server.
5. After a static user successfully logs onto the network, run the show subscriber multi-hop
command to view his or her information.
1. The configuration on the Relay device is as follows:
2. The domain configuration and authentication template configuration on the Server are
as follows:
13-30



ZXR10(config-acctgrp-2000)#server 1 192.168.106.2 master key zte
ZXR10(config-submanage)#domain zy-mhox
ZXR10(config-submanage-domain-2000)#bind authentication-template zte
ZXR10(config-submanage-domain-2000)#bind authorization-template zte
ZXR10(config-submanage-domain-2000)#bind accounting-template zte
ZXR10(config-submanage-domain-2000)#exit
ZXR10(config-submanage)#local-subscriber zy-mhox domain-name zy-mhox password
test /*If local mode is applied in an AAA authentication, a local user
should be configured*/
3. The layer-3 access configuration on the Server is as follows:
13-31

ZXR10(config-l3-access-if)#pre-domain zy-mhox
ZXR10(config-l3-access-if)#ipox authentication-type ipv4 dhcpv4 web
ZXR10(config-l3-access-if)#web-acl zy-mhox
ZXR10(config-l3-access-if)#web-server-group 1
ZXR10(config-l3-access-if)#web-force authentication
/*The logged static users can be WEB-authenticated.
Prior to the command, the WEB and SAL should be configured and
validated. Otherwise, related attributes in the user table may be null. */
ZXR10(config-l3-access-if)#ipv4-multi-host start-ip 183.8.0.2 end-ip 183.8.0.10
/*The network segment should not conflict with other existing IP addresses*/
4. On the Server, configure a route to the Relay device by using a static or dynamic
routing protocol. The following uses a static route as an example.
ZXR10(config)#ip route 183.8.0.0 255.255.0.0 83.8.0.1
After a static user logs onto the network, run the show subscriber multi-hop command on
the Server to view the user information.
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify : 986
family-identify : 0
user-name : test
domain-name : test
mac-address : 0000.0000.0000
session-id : 0
eap-type : FALSE
sibprofileid : 0
domain-priority : 4
circuit-information : gei-0/1/01 [vlan:0 sec-vlan:0]
13-32

vbui-interface :
create-time : 2011/12/19 15:53:15
online-time : 21
dpi-policy : 0
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
sessionLimitType: time acctSession : 15533123---09b4000000000
0000004
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 Multi-Hop
gateway-address :
vrf-name :
vpn-id : 0
primary-dns :
second-dns :
ip-poolId : 0
13-33

igmpProfile : 0
nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
13-34

13.6.4 Example: Stream User Access Configuration

Overview
Figure 13-9 illustrates a layer-3 networking environment for stream user access.
Figure 13-9 Networking Topology for Stream User Access
Configuration Flow
3. Configure layer-3 access and related information on the Server.
5. After a stream user successfully logs onto the network, run the show subscriber multi-
hop command to view his or her information.
Stream user access differs from static user access only in the L3 interface configuration.
13-35

For detailed procedure of the web-acl and web-server-group configuration, refer to the
"IPoEv4 Configuration Examples" section.
Configure the stream information on the Server.
ZXR10(config-l3-access-if)#pre-domain zy-mhox
ZXR10(config-l3-access-if)#ipox authentication-type ipv4 dhcpv4 web
ZXR10(config-l3-access-if)#web-acl zy-mhox
ZXR10(config-l3-access-if)#web-server-group 1
ZXR10(config-l3-access-if)#web-force authentication
ZXR10(config-l3-access-if)#ipv4 user-access-list 183.8.0.0 mask 255.255.0.0
After a stream user logs onto the network, run the show subscriber multi-hop command on
the server to view the user information.
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify : 985
family-identify : 0
user-name : test
domain-name : test
mac-address : 0000.0000.0000
session-id : 0
eap-type : FALSE
sibprofileid : 0
domain-priority : 4
circuit-information :gei-0/1/0/1 [vlan:0 sec-vlan:0]
vbui-interface :
create-time : 2011/12/19 15:51:34
13-36


online-time : 6
dpi-policy : 0
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
sessionLimitType: time acctSession : 15514277---1459000000000
0000003
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 Multi-Hop
ipv4-address : 183.8.0.246
gateway-address :
vrf-name :
vpn-id : 0
primary-dns :
second-dns :
ip-pool-name :
igmpProfile : 0
13-37

nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
13-38

13-39

13-40

Chapter 14
User-Side Multicastv4
Configuration
Table of Contents
User-Side Multicastv4 Overview ...............................................................................14-1
Configuring User-Side Multicastv4............................................................................14-2
User-Side Multicastv4 Cnfiguration Examples ..........................................................14-8
14.1 User-Side Multicastv4 Overview

User-Side Multicast Introduction
Multicast is divided into network-side multicast and user-side multicast. The main
difference between network-side multicast and user-side multicast is that the route egress
is different.
l The egress of user-side multicast is a VBUI interface. There may be several multicast
users on this interface. Therefore, it is necessary to make several copies of a multicast
flow.
l The egress of network-side multicast is a common Layer 3 interface. There is no user
on this interface. Therefore, there is only one copy of a multicast flow at most.
BRAS service supports user-side multicast which is on the basis of Internet Group
Management Protocol (IGMP).
For user-side multicast, the generation of multicast routes and IGMP principle are
consistent with those of network-side multicast. The differences are that user-side
multicast is based on users. Before a user joins or leaves a multicast group, a subscriber
should have been configured on the device. At present, the subscriber configured on the
BRAS device can be an IPoE subscriber or a PPPoE subscriber.
User-side multicast is user-oriented, so there may be several users joining a group on an
interface. The device duplicates user multicast traffic according to related configuration,
such as duplicating according to users or VLAN.
User-Side Multicast Features

User-side multicast contains two basic parts.
l On the one hand, IPoE or PPPoE subscribers joining to IGMP groups can come online
through user-side multicast.
14-1

l On the other hand, after a subscriber joins an IGMP group, the maintenance of a
basic IGMP user multicast group is similar to that of network-side multicast. The
corresponding querier queries whether the user multicast group exists. The existence
of a user multicast group relies on the existence of users. If there is no user, the user
multicast group leaves.
Through the IGMP, a router records whether there is a group member of a specific multicast
group in the local segment instead of the corresponding relationship between the multicast
group and the host.
IGMP provides information that is necessary when packets are forwarded to the destination
(the last stage). The multicast routers and the hosts that receive multicast data exchange
information. The information is collected from the group members of the hosts that are
directly connected to the multicast routers.
IGMP employs two kinds of packets, group member query packets and group member
report packets.
l A multicast router periodically sends group member query packets to all hosts to know
which specific group members exist in the connected subnets.
l The hosts returns group member report packets, reporting the multicast group which
they belong to.
l When a host joins a new group, it sends a Join packet immediately instead of waiting
for a query for cases where the host is the first member of that group.
When a host starts to receive packets as a member of a group, the multicast router checks
whether members of the group take part in the process by periodically querying the group.
The multicast router continues to forward data as long as a host is still taking part in the
process.
When the host leaves the group, the multicast router receives a leaving packet and then it
immediately queries whether there are still active group members in the group. If any, the
multicast router continues to forward data. If not, it does not forward data.
At present, there are three versions of IGMP.

l IGMPv1 defines basic query, and report procedure of a group member.
l IGMPv2 adds the mechanisms (such as fast leaving of a group member, and so on)
on the basis of IGMPv1.
l IGMPv3 adds a function that a member can specify receiving or rejecting packets from
some specified multicast sources to support Source Specific Multicast (SSM).
14.2 Configuring User-Side Multicastv4

This procedure describes how to configure user-side multicastv4.
Context
For more public multicast configuration commands, refer to “ZXR10 M6000 Configuration
Guide (IPv4 Multicast)”.
14-2

Chapter 14 User-Side Multicastv4 Configuration
Steps
1. Configure public IP multicast.
1 ZXR10(config)#ip multicast-routing Enables IP multicast.
2 ZXR10(config-mcast)#router pim Enters PIM mode. The VRF mode

can only be configured after users
enter PIM mode first and then exits
from PIM mode.
3 ZXR10(config-mcast-pim)#exit Exits from PIM mode.
4 ZXR10(config-mcast)#vrf <vrf-name> Enters multicast VRF mode.
5 ZXR10(config-mcast-vrf-vrfname)#mtunnel Sets an interface to the mtunnel

<interface-name> interface.
6 ZXR10(config-mcast-vrf-vrfname)#mdt default Sets the mdt default group of an

<group-address> instance.
7 ZXR10(config-mcast-vrf-vrfname)#mdt data Sets the mdt data group of an

<group-address><group-mask>[<acl-name>] instance.
<acl-name>: range: 1–31
characters.
2. Configure a multicast interface in the non-VRF mode.

The following commands are configured in non-VRF mode. The commands are the
same after a VRF is enable.
1 ZXR10(config-mcast)#router igmp Enters IGMP mode, irrelevant

to whether the IGMP protocol
is enabled. IGMP enabling is
controlled by the ip multicast-routing
command.
2 ZXR10(config-mcast-igmp)#interface Enters IGMP interface configuration

<interface-name> mode, irrelevant to whether the
IGMP protocol is enabled. IGMP
protocol enabling is triggered by
enabling PIM on an interface.
3 ZXR10(config-mcast-igmp)#ssm-map static Sets the mapping from group in a

{<access-list-name><source-address>| default specified range to the source.
<source-address>}
<access-list-name>: name of the access list for the SSM group, 1 to 31 characters in
length.
14-3

<source-address>: source address of the SSM.

The IGMP function of the ZXR10 M6000 is on the basis of PIM interface. The IGMP
function is enabled automatically on the interfaces on which PIM is enabled.
3. Configure an IGMP version.
At present, there are IGMPv1, v2 and v3. By default, IGMPv3 is used. The version
can be adjusted according to the situations with the version <version> command.
Considering security, a router requires all Network Elements (NEs) on the same
segment to use the same IGMP version.
The configuration of IGMP version is on the basis of the interface type. Different
versions can be configured on different interfaces.
4. Configure an IGMP group on an interface.
1 ZXR10(config-mcast-igmp-if-interface- Sets the range of groups, allowing

name)#access-group <access-list-name> the IGMP to join. By default, there
is no limit on IGMP group joining.
2 ZXR10(config-mcast-igmp-if-interface- Sets a static group address on an

name)#static-group <group-address>[source IGMP interface.
{<source-address>| ssm-map}[include | exclude]]
3 ZXR10(config-mcast-igmp-if-interface- Sets the range of groups, allowing

name)#immediate-leave {group-list IGMP to leave immediately.
<access-list-name>| all}
<access-list-name>: the standard IP access list name, range: 1–31 characters.

<group-address>: the address of the group, in the dotted decimal notation.
5. Configure IGMP timers.
a. After enabling IGMP on the interfaces of multicast routers connecting to the
shared network segment, select the optimum interface as the querier of this
network segment. The querier sends query messages to obtain the information
of the group members.
b. After sending query message, the querier waits for the member report sent from
the host that receives the query message for a period. The wait duration is
the maximum response time carried in the query message. By default, it is 10
seconds.
c. After receiving the query message, a host member in the network segment
reduces a random deviation value based on the maximum response time. This
result is used as the own response time of the host member. During this period, if
the querier receives a report from another host member, this host member cancels
the report. Otherwise, the host member sends the host report when the response
time expires. Therefore, extending the maximum response time increases the
14-4

waiting changes of a group member in the network segment accordingly, and

decreases the burst rate of multiple host reports in the network segment.
d. The timers related to the querier can be adjusted according to actual requirements.
Command Function
ZXR10(config-mcast-igmp-if-interface- Sets the IGMP query interval in seconds,

name)#query-interval <interval-seconds> range: 1 to 65535, default: 125.
The <interval-seconds> parameter is the
interval.
ZXR10(config-mcast-igmp-if-interface- Sets the maximum response time (in

name)#query-max-response-time <max-response-sec seconds) contained in query messages,
onds> range: 1 to 25, default: 10. This command
is only valid on IGMPv2 interfaces. The
<seconds> parameter is the time value.
ZXR10(config-mcast-igmp-if-interface- Sets the IGMP querier time-out period

name)#querier-timeout <timeout-seconds> in seconds, range: 60 to 300, default:
(query interval * 2 + query response
interval/2).
ZXR10(config-mcast-igmp-if-interface- Sets the IGMP query interval (in seconds)

name)#last-member-query-interval <last-member-int of a specific group, range: 1 to 25,
erval-seconds> default: 1.
This command is only valid on IGMPv2
interfaces. The <seconds> parameter is
the query interval.
6. Configure IGMP snoop.
1 ZXR10(config)#igmpsnoop Enters global IGMP SNOOP

configuration mode.
2 ZXR10(config-igmpsnoop)#igmp snooping enable Enables IGMP SNOOP.
3 ZXR10(config-igmpsnoop)#igmp snooping Sets the handling methods of IGMP

{packet-manage {igmpv1 | igmpv2 | igmpv3}{accept packets.
| discard | ignore}| querier | query-interval
<interval-seconds>| query-response-interval
<response-interval>}
igmpv1 | igmpv2 | igmpv3: IGMP packet version.

accept | discard | ignore : Packet handling methods.
<interval-seconds>: Query interval (in seconds), range: 30 to 65535, default: 125.
<response-interval>: Query response interval in ticks (1 ticks =100 ms), range: 1-255,
default: 100.
14-5

7. Configure user multicast.

mode.
2 ZXR10(config-submanage)#igmp service-profile Sets a multicast service

<profile-number> profile.
The range of the profile
number is 1 to 100.
3 ZXR10(config-submanage-igmp-service-profile- Creates an ACL, and

number)#access-group <acl-name> associates it with the multicast
service profile. The ACL
name is 1 to 31 characters in
length.
4 ZXR10(config-submanage-igmp-service-profile- Sets the description

number)#description <description> information for the service
profile. The description
information is 1 to 31
5 ZXR10(config-submanage-igmp-service-profile- Sets the maximum number

number)#max-groups <max-group-count> of multicast groups (the
maximum number of multicast
groups that users can join,
including preview groups),
range: 1 to 128, default: 10.
6 ZXR10(config-submanage-igmp-service-profile- Sets the maximum number of

number)#max-prw-groups <max-pre-group-count> preview groups (the maximum
number of preview groups
users can join), range: 1 to
128, default: 10.
7 ZXR10(config-submanage-igmp-service-profile- Sets a static group member of

number)#static-group <group-address> the multicast service profile.
The <group-address>
parameter is the address
of the static IGMP group, in
the dotted decimal notation.
14-6

8 ZXR10(config-submanage-igmp-service-profile- Sets a preview group,

number)#prw-group <group-address><group-mask>[<p including the group address,
rw-times>][<prw-timeout>] mask, the number of preview
attempts and preview period.
<prw-times>: Number of
preview attempts, range: 1 to
1800, default:10.
<prw-timeout>: Preview period
in seconds, range: 1 to 86400,
default: 60.
9 ZXR10(config-submanage)#authorization-template Enters authorization template

10 ZXR10(config-submanage-author-template)#igmp Creates a profile, and

service-profile <profile-number> associates it with the
multicast service profile
in the authorization template.
The range of the profile
number is 1 to 100.
Command Function
ZXR10#show ip igmp interface [<interface-name>] Shows the IGMP configuration on an

interface.
ZXR10#show ip igmp groups [<interface-name>] Shows the IGMP group information on an

interface.
ZXR10#show ip igmp packet-count [<interface-name>] Shows the counters of IGMP protocol

packets received and sent.
ZXR10#show ip igmp user summary Shows the number of current multicast

users.
ZXR10#show ip igmp user ipox Shows the information of current IPoX

multicast users.
ZXR10#show ip igmp user pppox Shows the information of current PPPoX

multicast users.
ZXR10#show ip igmp user group <group-address>[int Shows the number of users in the
erface <interface-name>]{summary | ipox | pppox | all} multicast group. The interface can be
specified.
ZXR10#show ip igmp user ip <ip-address>[group Shows the information about the user in
<group-ip-address>] the multicast group.
ZXR10#show ip igmp snooping Shows all IGMP snoop entities.
14-7

Command Function
ZXR10#show running-config mcsc Shows the detailed information of user

multicast profiles.
9. Maintain user-side multicastv4.
Command Function
ZXR10#clear ip igmp groups [<interface-name>] Deletes multicast groups to which are

joined dynamically.
ZXR10#clear ip igmp packet-count [<interface-name>] Clears the counter of IGMP packets

received and sent.
14.3 User-Side Multicastv4 Cnfiguration Examples

14.3.1 Example: IPoEv4 Subscriber Multicast Group Access
Configuration
Overview
Figure 14-1 illustrates a networking topology for subscriber multicast access through the
ZXR10 M6000.
Figure 14-1 Networking Topology for Subscriber Multicast Access
Configuration Flow
1. Configure an IP address on the network-side interface gei-0/0/1/1.
2. Configure an address on the VBUI interface. Enable PIM-SM on the network-side
interface and the VBUI interface.
14-8

3. Configure a multicast template. Configure a security ACL in the multicast template.

Configure the number of multicast groups that can access the network, or the entities
of static groups and preview groups.
template. Associate the multicast template (as authorization information) with the
authorization template, so that local authentication and authorization can be deployed
to the subscribers through the multicast template.
5. Configure an address pool for IPoE subscribers on the VBUI interface. Configure an
access domain.
6. Configure a VCC interface. Configure the online mode of corresponding DHCP
subscribers.
7. If RADIUS authentication is used, it is necessary to configure the RADIUS server
and related attribute entities of the multicast template to be deployed on the RADIUS
server.
1. Configuration on the network-side interface:
ZXR10(config)#ip multicast-routing
ZXR10(config-mcast)#router pim
ZXR10(config-mcast-pim)#interface gei-0/0/1/1
ZXR10(config-mcast-pim-if-gei-0/0/1/1)#pimsm
ZXR10(config-mcast-pim-if-gei-0/0/1/1)#exit
ZXR10(config-mcast-pim)#exit
ZXR10(config-mcast)#exit
2. Configuration of the multicast template:
/*Allow Group 225.0.0.1 to 225.0.0.10 access to the network*/
ZXR10(config)#ipv4-access-list iptv
ZXR10(config-ipv4-acl)#rule 1 permit igmp any 225.0.0.1 0.0.0.0
14-9

ZXR10(config-submanage)#igmp service-profile 1
ZXR10(config-submanage-igmp-service-profile-1)#access-group iptv
ZXR10(config-submanage-igmp-service-profile-1)#max-groups 40
ZXR10(config-submanage-igmp-service-profile-1)#max-prw-groups 50
ZXR10(config-submanage-igmp-service-profile-1)#prw-group 225.1.1.0
255.255.255.255 3 30 /*Set the preview group to 225.1.1.0,
the preview number to three, and the preview period 30 seconds*/
ZXR10(config-submanage-igmp-service-profile-1)#exit
3. Enable PIM-SM on the VBUI interface.
ZXR10(config-mcast-pim)#interface vbui5
ZXR10(config-mcast-pim-if-vbui5)#pimsm
ZXR10(config-mcast-pim-if-vbui5)#exit
4. Bind the multicast template to the authorization template. Configure an authentication
template and an accounting template. (Here, IPoE Option60 access is used as an
example. For other access mode, refer to the "IPoEv configuration" section.)
5. If RADIUS authentication is used, deploy the attributes. RADIUS server deploys ZTE
private attribute ZTE-Service-Profile.
ZXR10(config-submanage-author-template)#igmp service-profile 1
ZXR10(config-submanage)#local-subscriber 00-69-96-00-00-01 domain-name
14-10

ZXR10(config-vcc-if)#dhcp-v4 auth-on-up username-type mac domain-type optionparse
/*The two commands are not required for common subscribers*/

ZXR10(config)#dhcp
ZXR10(config-dhcp)#end
Execute the show subscriber ip command, and verify that the multicast template is deployed
to subscribers after the subscribers come online. If the value of igmpProfile is 0, the
deployment fails, and the subscribers cannot be added to the multicast groups. The output
information, "igmp service-profile 1", indicates that the multicast template is successfully
deployed to the subscribers.
************************************************************************
------------------------------------------------------------------------
Basic Information
------------------------------------------------------------------------
user-identify : 215
family-identify : 8
user-name : 00-69-96-00-00-01
14-11

domain-name : option60
local-domain-name : option60
authorize-domain-name : option60
mac-address : 0069.9600.0001
session-id :
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
create-time : 2012/08/06 17:21:34
online-time : 191
dpi-policy : 0
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
14-12

sessionLimitType: 0 acctSession :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 DHCP SERVER

vrf-name :
vpn-id : 0
primary-dns :
second-dns :
ip-pool-name : dhcppool
igmpProfile : 1
nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
14-13

user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
upIspChargePackets : 0 upIspChargeCycleCount
: 0
downIspChargePackets : 0 downIspChargeCycleCount
: 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount
: 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount
: 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount
: 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount
: 0
upPackets(Packets) : 0 upPacketCycleCount
: 0
downPackets(Packets) : 0 downPacketCycleCount
: 0
After the subscribers obtain the addresses, they are added to the multicast group.
Execute the show ip igmp snooping command, and verify that the multicast groups that
the subscribers are added to.
ZXR10(config)#show ip igmp snooping

Flags: Type--Instance Type, ID--Instance ID, Dr--Drop,
P--Prejoin, R--Remote, MH--MaxHost, S--Static, D--Dynamic
IP-G:IP-GLOBAL
14-14

Index Type ID Name Source Group Flag MH Ports

--------------------------------------------------------------------------------
1 VBUI 44 vbui5 0.0.0.0 225.0.0.10 -- 4000 D:gei-0/1/0/6;
2 VBUI 44 vbui5 0.0.0.0 225.0.0.9 -- 4000 D:gei-0/1/0/6;
3 VBUI 44 vbui5 0.0.0.0 225.0.0.8 -- 4000 D:gei-0/1/0/6;
4 VBUI 44 vbui5 0.0.0.0 225.0.0.7 -- 4000 D:gei-0/1/0/6;
5 VBUI 44 vbui5 0.0.0.0 225.0.0.6 -- 4000 D:gei-0/1/0/6;
6 VBUI 44 vbui5 0.0.0.0 225.0.0.5 -- 4000 D:gei-0/1/0/6;
7 VBUI 44 vbui5 0.0.0.0 225.0.0.4 -- 4000 D:gei-0/1/0/6;
8 VBUI 44 vbui5 0.0.0.0 225.0.0.3 -- 4000 D:gei-0/1/0/6;
9 VBUI 44 vbui5 0.0.0.0 225.0.0.2 -- 4000 D:gei-0/1/0/6;
10 VBUI 44 vbui5 0.0.0.0 225.0.0.1 -- 4000 D:gei-0/1/0/6;
Execute the show ip igmp groups command, and verify that table items that are generated
after subscribers join the multicast group.
ZXR10(config)#show ip igmp groups
Total: 10 groups
Group addr Interface Present Expire Last Reporter
225.0.0.1 vbui5 00:09:04 never 10.1.1.1
225.0.0.2 vbui5 00:09:04 never 10.1.1.1
225.0.0.3 vbui5 00:09:04 never 10.1.1.1
225.0.0.4 vbui5 00:09:04 never 10.1.1.1
225.0.0.5 vbui5 00:09:04 never 10.1.1.1
225.0.0.6 vbui5 00:09:04 never 10.1.1.1
225.0.0.7 vbui5 00:09:04 never 10.1.1.1
225.0.0.8 vbui5 00:09:04 never 10.1.1.1
225.0.0.9 vbui5 00:09:04 never 10.1.1.1
225.0.0.10 vbui5 00:09:04 never 10.1.1.1
14.3.2 Example: PPPoEv4 Subscriber Multicast Group Access

Configuration
Overview
PPPoE subscriber multicast group access differs from IPoE subscriber multicast group
access in the subscriber access mode. In the view of multicast group joining, there is no
difference. As shown in Figure 14-2, there are no differences in the network structure.
14-15

Figure 14-2 Networking Topology for PPPoEv4 Subscriber Multicast Access
Configuration Flow
1. Configure an IP address on the network-side interface gei-0/0/1/1.
2. Configure an address on the VBUI interface. Enable PIM-SM on the network-side
interface and the VBUI interface.
3. Configure a multicast template. Configure a security ACL in the multicast template.
Configure the number of multicast groups that can access the network, or the entities
of static groups and preview groups.
template. Associate the multicast template (as authorization information) with the
authorization template, so that local authentication and authorization can be deployed
to the subscribers through the multicast template.
5. Configure an address pool for PPPoE subscribers on the VBUI interface. Configure
an access domain.
6. Configure a VCC interface. Configure the online mode of corresponding PPPoE
subscribers. Bind the PPPoX template to the VCC interface.
7. If RADIUS authentication is used, it is necessary to configure the RADIUS server
and related attribute entities of the multicast template to be deployed on the RADIUS
server.
1. Configure the network-side interface:
ZXR10(config-mcast-pim)#interface gei-0/0/1/1
ZXR10(config-mcast-pim-if-gei-0/0/1/1)#pimsm
ZXR10(config-mcast-pim-if-gei-0/0/1/1)#exit
14-16

2. Configure the multicast template:
/*Allow Group 225.0.0.1 to 225.0.0.10 access to the network*/
ZXR10(config)#ipv4-access-list iptv
ZXR10(config-submanage)#igmp service-profile 1
ZXR10(config-submanage-igmp-service-profile-1)#access-group iptv
ZXR10(config-submanage-igmp-service-profile-1)#max-groups 40
ZXR10(config-submanage-igmp-service-profile-1)#max-prw-groups 50
ZXR10(config-submanage-igmp-service-profile-1)#prw-group 225.1.1.0 255.255.255
.255 3 30 /*Set the preview group to 225.1.1.0, preview number to three,
and preview period to 30 seconds*/
ZXR10(config-submanage-igmp-service-profile-1)#exit
3. Enable PIM-SM on the VBUI interface.
ZXR10(config-mcast-pim)#interface vbui5
ZXR10(config-mcast-pim-if-vbui5)#pimsm
ZXR10(config-mcast-pim-if-vbui5)#exit
4. Bind the multicast template to the authorization template. Configure an authentication
template and an accounting template.
5. If RADIUS authentication is used, deploy the attributes. RADIUS server deploys
ZTE-Service-Profile, one of ZTE private attributes.
ZXR10(config-submanage-pppox)#ppp authentication chap
14-17

ZXR10(config-submanage-author-template)#igmp service-profile 1
ZXR10(config-submanage)#local-subscriber aaa domain-name domain5
password 123
14-18

Execute the show subscriber to see the online subscribers. Execute the show sub ipv4-add
ress command to see the IP addresses of subscribers, and verify that the igmpProfile has
been deployed to the subscribers.
*********************************************************************
---------------------------------------------------------------------
Basic Information
---------------------------------------------------------------------
user-identify : 227
family-identify : 0
user-name : aaa
mac-address : 0010.9400.0001
session-id : 338
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
create-time : 2012/08/06 16:56:29
online-time : 19
dpi-policy : 0
vpdnAcctClass :
route-map-name :
ani-location
------------------------------------------------------------------
Identifier:
14-19


------------------------------------------------------------------
onu-location
------------------------------------------------------------------
Identifier:
------------------------------------------------------------------
------------------------------------------------------------------
----------------------------------------------------------------------
IPv4 Information
----------------------------------------------------------------------
vrf-name :
vpn-id : 0
igmpProfile : 1
nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
------------------------------------------------------------------
14-20

aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
------------------------------------------------------------------
framed-route
------------------------------------------------------------------
count : 0
------------------------------------------------------------------
user-acl
------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
------------------------------------------------------------------
------------------------------------------------------------------
14-21

After subscribers obtain addresses, they are added to the multicast groups. Execute the
show ip igmp snooping command to see the multicast groups that the subscribers have
been added to.
ZXR10(config)#show ip igmp snooping
Flags: Type--Instance Type, ID--Instance ID, Dr--Drop,
P--Prejoin, R--Remote, MH--MaxHost, S--Static, D--Dynamic
IP-G:IP-GLOBAL
Index Type ID Name Source Group Flag MH Ports
--------------------------------------------------------------------------------
1 VBUI 44 vbui5 0.0.0.0 225.0.0.10 -- 4000 D:gei-0/1/0/6;
2 VBUI 44 vbui5 0.0.0.0 225.0.0.9 -- 4000 D:gei-0/1/0/6;
3 VBUI 44 vbui5 0.0.0.0 225.0.0.8 -- 4000 D:gei-0/1/0/6;
4 VBUI 44 vbui5 0.0.0.0 225.0.0.7 -- 4000 D:gei-0/1/0/6;
5 VBUI 44 vbui5 0.0.0.0 225.0.0.6 -- 4000 D:gei-0/1/0/6;
6 VBUI 44 vbui5 0.0.0.0 225.0.0.5 -- 4000 D:gei-0/1/0/6;
7 VBUI 44 vbui5 0.0.0.0 225.0.0.4 -- 4000 D:gei-0/1/0/6;
8 VBUI 44 vbui5 0.0.0.0 225.0.0.3 -- 4000 D:gei-0/1/0/6;
9 VBUI 44 vbui5 0.0.0.0 225.0.0.2 -- 4000 D:gei-0/1/0/6;
10 VBUI 44 vbui5 0.0.0.0 225.0.0.1 -- 4000 D:gei-0/1/0/6;
Execute the show ip igmp groups command to see the table items that are generated after
subscribers join the multicast groups.
ZXR10(config)#show ip igmp groups

Total: 10 groups
Group addr Interface Present Expire Last Reporter
225.0.0.1 vbui5 00:39:03 never 10.1.1.1
225.0.0.2 vbui5 00:39:03 never 10.1.1.1
225.0.0.3 vbui5 00:39:03 never 10.1.1.1
225.0.0.4 vbui5 00:39:03 never 10.1.1.1
225.0.0.5 vbui5 00:39:03 never 10.1.1.1
225.0.0.6 vbui5 00:39:03 never 10.1.1.1
225.0.0.7 vbui5 00:39:03 never 10.1.1.1
225.0.0.8 vbui5 00:39:03 never 10.1.1.1
225.0.0.9 vbui5 00:39:03 never 10.1.1.1
225.0.0.10 vbui5 00:39:03 never 10.1.1.1
14-22

Chapter 15
User-Side QoSv4
Configuration
Table of Contents
User-Side QoSv4 Overview......................................................................................15-1
Configuring User-Side QoSv4 ..................................................................................15-3
User-Side QoSv4 Configuration Examples ...............................................................15-5
15.1 User-Side QoSv4 Overview

User-Side QoS Introduction
The user-side QoSv4 function in BRAS service on the ZXR10 M6000 includes rate limit
and congestion management. BRAS service uses Hierarchical-QoS (H-QoS).
H-QoS is a hierarchical QoS policy. Hierarchical scheduling sets several hierarchical
logical schedulers. A superior scheduler controls the total bandwidths of one or a group
of junior schedulers. The superior scheduler can assign the Committed Information
Rate (CIR) and Peak Information Rate (PIR) of a junior scheduler according to the level
and weight of the junior scheduler. Customers can set the hierarchical relation among
schedulers according to requirements.
Hierarchical scheduling brings the flexibility of bandwidth control to a new level.
Hierarchical schedulers control the total bandwidths of several queues. The queues may
be for the same or difference services of the same user, and they also may be for the
same or difference services of different users. When several users access at the same
time, H-QoS provides different quality and bandwidths guarantees for different users.
User-Side QoS Features

The H-QoS scheduling model is described below:
l The broadband gateway must be able to be configured by a single physical interface,

and it should be able to be configured by a group of physical interfaces.
l The broadband gateway must support the group in which there is one or several outer
VLANs.
l The broadband gateway must support the group in which there is a shared outer
VLAN, and one inner VLAN or a set of several different inner VLANs.
15-1

l The broadband gateway must identify a logical interface and a session according
to the subscriber access position information, IP address, PPPoE session and
subscriber line position information.
H-QoS supports flow classification, scheduling policy and congestion management.
l Flow classification
Flow classification is to classify traffic by marking, thus to treat and handle the flows
with differentiation. This ensures that special packets can be treated and handled
better than other packets.
ZXR10 M6000 supports flow classification on the basis of SVLAN and CVLAN,.
l Scheduling policy
The bandwidth assignment by a superior scheduler to a junior scheduler can be static
(that is, assign the bandwidth through Committed Access Rate (CAR)) or dynamic.
Static bandwidth assignment is suitable to the network of which the network structure
is not changed much. If the network structure changes, the number of subscribers
on the link assigned with many bandwidths decreases suddenly, the bandwidth is
wasted. In such a situations, it is necessary to schedule the bandwidth through
dynamic assignment, so that the network bandwidth can be used fully. At present,
there are the following scheduling policies, Priority Queuing (PQ), Weighted Fair
Queuing (WFQ), and Low Latency Queueing (LLQ).
l Congestion management
The congestion management function of User-side QoS is on the basis of PQ.
PQ is configured through a policy map. Four queues can be configured, including a
high queue, a medium queue, a normal queue and a low queue. The priorities of the
four queues decreases one by one. According to the PQ algorithm, a packet is put
into one of the four queues according to the rules configured in advance to wait to be
sent. Packets that do not match any rules are handled according to the default rule
(typically, the packets are put into the normal queue).
During packet transmission, the packets in the high queue are forwarded with a
precedence (as long as there are packets in a queue with a higher priority, packets in
other queues with lower priorities should wait until all the packets in the queue with
a higher priority are sent).
User-Side QoS Application

The QoS function on the ZXR10 M6000 implements management of subscriber bandwidth
and priority. It provides subscribers with special bandwidths, manages and avoids network
congestion. In the network structure shown in Figure 15-1, QoS can be configured on the
user side and the network side.
15-2

Chapter 15 User-Side QoSv4 Configuration
Figure 15-1 QoS Application
15.2 Configuring User-Side QoSv4

This procedure describes how to configure user-side QoSv4.
Steps
1. Configure flow classification.
1 ZXR10(config)#class-map <class-map-name> match-all Creates a class-map, and

enters class mapping
configuration mode.
2 ZXR10(config-cmap)#match precedence Defines a data flow of a

<precedence>[<precedence-min> -<precedence-max>] class-map according to the IP
precedence, range: 0 to 7.
ZXR10(config-cmap)#match in-vlan <invlan-value>[<i Defines a data flow of a

nvlan-min> -<invlan-max>] class-map according to the
inner-layer VLAN-ID, range: 1
to 4094.
ZXR10(config-cmap)#match out-vlan <exvlan-value>[<e Defines a data flow of a

xvlan-min> -<exvlan-max>] class-map according to the
outer-layer VLAN-ID, range: 1
to 4094.
ZXR10(config-cmap)#match ipv4-access-list <acl-name> Establishes class-map data

stream in accordance with the
IPv4 ACL rules.
2. Configure a policy.
15-3

1 ZXR10(config)#policy-map <policy-map-name> Creates a policy map,

and enters policy mapping
configuration mode.
2 ZXR10(config-pmap)#class <class-map-name> Associates a class with a

class-map, and enters policy
class configuration mode.
3 ZXR10(config-pmap-c)#bandwidth percent Sets the minimum available

<percentage> bandwidth of the policy class.
4 ZXR10(config-pmap-c)#priority-level <pq-level> Sets the PQ priority of the

policy class, range: 1 to 4.
5 ZXR10(config-pmap-c)#priority-llq Sets the LLQ of the policy

class.
6 ZXR10(config-pmap-c)#police cir <cir> cbs <cbs>[pir Sets the traffic policing of the
<pir> pbs <pbs>] policy class.
7 ZXR10(config-pmap-c)#service-policy <policy-map-na Sets the hierarchical policy of

me> the policy class.
8 ZXR10(config)#service-policy <interface-name>{input | Binds the policy map to a VCC

output}<policy-map-name>[overwrite | append][statistic interface.
al-share]
<cir>: CIR value (kbit/s), range: 8 to 20000000.

<cbs>: CBS value (kbytes), range: 1 to 5120000.
<pir>: PIR value (kbit/s), range: 8 to 20000000.

<pbs>: PBS value (kbytes), range: 1 to 5120000.
3. Configure a policy in an authorization template.

mode.
2 ZXR10(config-submanage)#authorization-template Sets an authorization

3 ZXR10(config-submanage-author-template)#sub-car Sets the input rate limit of

-input ipv4 cir <subs-cir> cbs <subs-cbs>[pir <subs-pir> subscribers in an authorization
pbs <subs-pbs>] template.
4 ZXR10(config-submanage-author-template)#sub-car Sets the output rate limit of

-output ipv4 cir <subs-cir> cbs <subs-cbs>[pir <subs-pir> subscribers in an authorization
pbs <subs-pbs>] template.
15-4

5 ZXR10(config-submanage-author-template)#qos-poli Sets a policy in the

cy-input ipv4<policy-map-name>[enable] authorization template.
6 ZXR10(config-submanage-author-template)#qos-poli Sets a policy in the

cy-output ipv4<policy-map-name>[enable] authorization template.
<subs-cir>: CIR value (kbit/s) of a specified user, range: 66 to 16777215.

<subs-cbs>: CBS value (kbytes) of a specified user, range: 15 to 512000.
<subs-pir>: PIR value (kbit/s) of a specified user, range : 66 to 16777215.
<subs-pbs>: PBS value (kbytes) of a specified user, range: 15 to 512000.
Note:
Before the user-side QoSv4 configuration, the policy map sent by the RADIUS server
should be already configured on the router, and does not need to bind to a domain.
During the Smartgroup configuration, it is recommended to clear users in the

Smartgroup first.
Command Function
ZXR10#show class-map [<class-map-name>] Shows all class maps and the

configuration of matching rules.
ZXR10#show policy-map [<policy-map-name>[class Shows all policy maps and the

<class-map-name>]] configuration of policy classes.
ZXR10#show running-config aim Shows policy bindings in the authorization

template.
15.3 User-Side QoSv4 Configuration Examples

15.3.1 Input SUB-CAR Rate Limit Configuration Instance
Overview
As shown in Figure 15-2, the subscribers access the Internet through PPPoE. It is required
to configure input QoS rate limit for the subscribers.
15-5

Figure 15-2 Networking Topology for Input SUB-CAR Rate Limit
Configuration Flow
1. Configure PPPoE.
2. Configure input rate limit in the authorization template.
3. Bind the authorization template to the domain.
4. Bind the authorization template to the local subscriber.
1. For the PPPoE configuration, refer to the "PPPoEv4 Configuration" chapter.
2. Configure input rate limit in the authorization template in subscriber management
configuration mode.
ZXR10(config-submanage-author-template)#sub-car-input ipv4 cir 7000 cbs
100 pir 8000 pbs 100 /*The PIR should be larger than the CIR*/
3. Bind the authorization template to the domain in subscriber management configuration
mode.
4. Bind the authorization template to the local subscriber in subscriber management
configuration mode.
ZXR10(config-submanage)#local-subscriber zex123 domain-name
domain500 password 123
ZXR10(config-submanage-local-sub)#bind author-template zte
Execute the show subscriber ipv4-address 222.0.0.1 command to see the QoS attribute after
subscribers come online, as shown below.
***************************************************************************
---------------------------------------------------------------------------
Basic Information
15-6

---------------------------------------------------------------------------
family-identify : 0
user-name : zex123
mac-address : 0010.9400.b001
session-id : 14102
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
create-time : 2012/08/06 15:45:55
online-time : 1009
dpi-policy : 0
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
15-7

-----------------------------------------------------------------------
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id : 0
igmpProfile : 0
nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
-----------------------------------------------------------------------
15-8

framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName: portal
aclInName : test
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
ispDownBytes(Bytes) : 0 ispDownCycleCount: 0
*****************************************************************************
15.3.2 Example: Output SUB-CAR Rate Limit Configuration

Overview
As shown in Figure 15-3, the subscribers access the Internet through PPPoE. It is required
to configure output QoS rate limit for the subscribers.
Figure 15-3 Networking Topology for Output SUB-CAR Rate Limit
15-9

Configuration Flow
1. Configure PPPoE.
2. Configure output rate limit in the authorization template in subscriber management
configuration mode.
mode.
configuration mode.
2. Configure output rate limit in the authorization template in subscriber management
configuration mode.
ZXR10(config-submanage-author-template)#sub-car-output ipv4 cir 7000
cbs 100 pir 8000 pbs 100
mode.
configuration mode.

*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
15-10

family-identify : 0
user-name : zex123
mac-address : 0010.9400.b001
session-id : 14102
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
create-time : 2012/08/06 15:59:37
online-time : 1009
dpi-policy : 0
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
15-11

-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id : 0
igmpProfile : 0
nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
15-12

-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName: portal
aclInName : test
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
ispDownBytes(Bytes) : 0 ispDownCycleCount: 0
*****************************************************************************
15.3.3 Rate Limit (VCC VLAN-Based) Configuration Example

Figure 15-4 shows a sample network topology. subscribers access the Internet through
the PPPoE protocol. It is required to configure rate limit based on the VLAN on a VCC
interface.
Figure 15-4 Rate Limit (VCC VLAN-Based) Configuration Example
15-13

Configuration Flow
1. Configure PPPoE.
2. Configure class-maps according to the VLAN in global configuration mode.
3. Configure a policy-map in global configuration mode.
4. Configure service-policies in global configuration mode.
2. Configure class-maps in global configuration mode.
ZXR10(config)#class-map invlan1 match-all
ZXR10(config-cmap)#match in-vlan 1-2
ZXR10(config-cmap)#exit
ZXR10(config)#
ZXR10(config)#policy-map invlan_police
ZXR10(config-pmap)#class invlan1
ZXR10(config-pmap-c)#police cir 1000 cbs 100
ZXR10(config-pmap-c)#exit
ZXR10(config-pmap)#exit
4. Configure service-policies in global configuration mode.
ZXR10(config-if-gei-0/10/1/1.1)#exit
ZXR10(config-vlan-if-gei-0/10/1/1.1)#qinq internal-vlanid 2 external-vlanid 1
ZXR10(config-vlan-if-gei-0/10/1/1.1)#!
ZXR10(config-vcc-if)#ipoe-transmitmodeswitch ipv4 user
15-14

ZXR10(config-vcc-if)#!
ZXR10(config-vlan-if-gei-0/10/1/2.1)#qinq internal-vlanid 2 external-vlanid 1
ZXR10(config-vlan-if-gei-0/10/1/2.1)#!
ZXR10(config-vcc-if)#ipoe-transmitmodeswitch ipv4 user
ZXR10(config-vcc-if)#!
ZXR10(config)#service-policy gei-0/10/1/1.1 output invlan_police

ZXR10(config)#service-policy gei-0/10/1/2.1 output invlan_police
The QoS attribute is for ports, and therefore it is not displayed in the user attribute table
and output information from the show subscriber ipv4-address 222.0.0.3 command. The
rate-limiting effect can be verified by sending traffic only.
ZXR10#show subscriber ipv4-address 222.0.0.3
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
family-identify : 0
user-name : zex123
mac-address : 0010.9400.0001
session-id : 5007
eap-type : FALSE
sibprofileid : 0
15-15

domain-priority : 0
create-time : 2012/08/06 16:13:10
online-time : 19
dpi-policy : 0
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id : 0
15-16

primary-dns :
second-dns :
igmpProfile : 0
nat-type : NONE
nat-multi-flag : 0
nat-domain-id : 0
nat-acl-no : 0
nat-block-id : 0
nat-pool-id : 2048
nat-ipv4-address : 0.0.0.0
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
15-17

-----------------------------------------------------------------------
15.3.4 Example: Configuring a Downstream QoS Policy (PQ Rate

Limit)
Overview
As shown in Figure 15-5, subscribers access the Internet through PPPoE. It is required to
configure PQ rate limit for subscribers.
Figure 15-5 Networking Topology for PQ Rate Limit
Configuration Flow
1. Configure PPPoE.
2. Configure a class-map according to the IP precedence in global configuration mode.
4. Configure an authorization template in subscriber management configuration mode.
mode.
configuration mode.
15-18

ZXR10(config)#class-map ipp01 match-all
ZXR10(config-cmap)#match precedence 0-1
ZXR10(config)#
ZXR10(config)#policy-map ipp_pq
ZXR10(config-pmap)#class ipp01
ZXR10(config-pmap-c)#priority-level 1
ZXR10(config-submanage-author-template)#qos-policy-output ipv4 ipp_pq
mode.
15-19

ZXR10(config-submanage)#
configuration mode.
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
family-identify : 0
user-name : zex123
mac-address : 0010.9400.0001
session-id : 5008
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
create-time : 2012/08/06 16:27:30
online-time : 24
dpi-policy : 0
15-20

vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id : 0
igmpProfile : 0
nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
15-21

nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown: ipp_pq
qos-shapping : 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
15-22

15.3.5 Example: Configuring a Downstream QoS Policy (WFQ Rate

Limit)
Overview
As shown in Figure 15-6, subscribers access the Internet through PPPoE. It is required to
configure WFQ rate limit for subscribers.
Figure 15-6 Networking Topology for WFQ Rate Limit
Configuration Flow
1. Configure PPPoE.
mode.
configuration mode.
2. Configure a class-map according to IP precedence in global configuration mode.
15-23


ZXR10(config)#policy-map ipp_wfq
ZXR10(config-pmap-c)#bandwidth percent 40
ZXR10(config-pmap)#exit
ZXR10(config-submanage-author-template)#qos-policy-output ipv4 ipp_wfq
mode.
configuration mode.
*******************************************************************************
15-24

-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
family-identify : 0
user-name : zex123
mac-address : 0010.9400.0001
session-id : 5008
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
create-time : 2012/08/06 16:42:44
online-time : 24
dpi-policy : 0
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
15-25


-----------------------------------------------------------------------
-----------------------------------------------------------------------
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id : 0
igmpProfile : 0
nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown: ipp_wfq
qos-shapping : 0
15-26

-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
15-27

15-28

Chapter 16
LEASED-LINE Configuration
Table of Contents
LEASED-LINE Introduction ......................................................................................16-1
Configuring the LEASED-LINE Function...................................................................16-3
LEASED-LINE Configuration Instance......................................................................16-5
16.1 LEASED-LINE Introduction

LEASED-LINE Overview
LEASED-LINE refers to a dedicated enterprise line, which connects big customers through
a subinterface or physical interface so that QoS policy management can be performed on
the interface, which is used as a big customer line user. One interface supports multiple
VLANs and IP addresses. The BRAS uses the interface as a user to implement policy
distribution and interconnection to the DACS (Differentiation Access & Application Control
System). Two steps are included:
1. When a big customer line user is created, user information is reported to the DACS.
2. BRAS implements QoS policy initialization and RADIUS CoA (Change of Attribute)
distribution to refresh a QoS policy.
For details, see Figure 16-1.
16-1

Figure 16-1 LEASED-LINE Application
The steps in the figure describe how to intelligently speed up the QoS policy management
on LEASED-LINE users.
1. When a LEASED-LINE user is created, user information is reported to the DACS.

2. The user accesses the speedup page and applies for bandwidth regulation.
3. The speedup page delivers the speedup request to the DACS.
4. The DACS notifies the BRAS to refresh the QoS policy through the CoA and regulate
the user bandwidth.
In Figure 16-1, the dotted lines indicate that the devices are connected through the network
and are not necessarily directly connected. The RADIUS is not connected because it can
be connected flexibly.
16-2

Chapter 16 LEASED-LINE Configuration
Application Scenarios
LEASED-LINE users have the following characteristics:
l They can use the intelligent speedup service based on static IP addresses.
l BRAS configurations of the dedicated government and enterprise line users bored on
the current network do not need to be modified a lot.
For the application scenario, see Figure 16-1, in which, line users 1, 2, and 3 are
directly connected to the BRAS1 through a subinterface or physical interface and can be
intelligently speed up through the LEASED-LINE function.
16.2 Configuring the LEASED-LINE Function

This procedure describes how to configure the LEASED-LINE function.
Context
Configure a user name, domain name, and password for a dedicated line user when getting
online.
l If local authentication is used, create a local user.
l If RADIUS authentication is used, a local user is not needed.
Steps
1. Configure a local user, which can be used to get online after a dedicated line user is
locally authenticated.

mode.
2 ZXR10(config-if-interface-name)#ip address Sets the interface IP address

<ip-address><net-mask> and subnet mask.
3 ZXR10(config)#subscriber-manage Enters user management

configuration mode.
4 ZXR10(config-submanage)#authentication-template Creates an authentication

<authen-template-name> template.
5 ZXR10(config-submanage-authen-template)#aut Sets the authentication mode.

hentication-type {none | local | radius | local-radius |
6 ZXR10(config-submanage)#authorization-template Creates an authorization

7 ZXR10(config-submanage-author-template)#authori Sets the authorization type.

zation-type {none | radius | mix-radius}
8 ZXR10(config-submanage)#domain <domain-name> Creates a user domain.
16-3


authentication-template <authen-template-name> template.

authorization-template <author-template-name> template.
11 ZXR10(config-submanage)#local-subscriber <sub-name> Creates a local user.

domain-name <domain-name> password <password>
2. Configure a LEASED-LINE user.
1 ZXR10(config)#leased-line-configuration Enters LEASED-LINE

configuration mode.
2 ZXR10(config-leased-line)#interface <interface-na Enters LEASED-LINE

me> interface mode.
3 ZXR10(config-leased-line-if-interface-name)#ip- Sets the address of a line user.

list <ip list> mask <mask> If ip-list is not configured, that
means the IP address is in the
same network segment as the
interface address.
4 ZXR10(config-leased-line-if-interface-name)#u Sets a line user name,

ser-name <user-name> domain-name <domain-name> password, and domain name.
password <password>
Command Function
ZXR10#show running-config leased-line Displays all line user

configurations.
4. Maintain the LEASED-LINE function.
Command Function
ZXR10#debug leased-line all Enables all debug functions of

the LEASED-LINE module.
ZXR10#debug leased-line interface <interface-name> Enables the debug function

filtered by a specified interface.
ZXR10#show debug leased-line Displays the status of the debug

functions on the LEASED-LINE
module.
16-4

16.3 LEASED-LINE Configuration Instance

Configuration Description
To configure the LEASED-LINE function for a user, use the ZXR10 M6000 as the BRAS
server and a PC as the line user client, see Figure 16-2.
Figure 16-2 LEASED-LINE Configuration Instance
Configuration Flow
1. Configure an IP address for an interface.
2. Enter LEASED-LINE configuration mode.
3. Create a LEASED-LINE interface and configure ip-list and user-name in
LEASED-LINE interface mode.
Run the following commands on the BRAS:
ZXR10(config)#leased-line-configuration
ZXR10(config-leased-line)#interface gei-0/6/0/4
ZXR10(config-leased-line-if)#ip-list 4.6.0.99 mask 255.255.255.255
/*This comamnd is optional. The configuration can be in the same
network segment with the interface address or different network segments.*/
ZXR10 (config-leased-line-if)#user-name leased-line domain-name leased-line-domain
password 1111
ZXR10 (config-leased-line-if)#!
ZXR10#show subscriber leased-line verbose
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
16-5

user-identify : 10
family-identify : 0
user-name : leased-line
domain-name : leased-line-domain
local-domain-name : leased-line-domain
authorize-domain-name : leased-line-domain
mac-address : 0000.0000.0000
session-id : 0
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
vbui-interface :
create-time : 2013/06/21 17:34:09
online-time : 19
dpi-policy : 0
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
-----------------------------------------------------------------------
16-6

-----------------------------------------------------------------------
restTime(s) : unlimited restFlow(KB) : unlimited
absTimeout(s) : unlimited idleTimeout(s) : 0
sessionLimitType: acctSession : 17341045---0376000000000
0000000
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : LEASED_LINE
ipv4-address : 4.6.0.99/32
gateway-address :
vrf-name :
vpn-id : 0
primary-dns :
second-dns :
ip-pool-name :
igmpProfile : 0
nat-type : NONE
nat-multi-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName : 444
aclOutName: 444
ispAclInName : dll
ispAclOutName: ddde
16-7

specialAclName:
-----------------------------------------------------------------------
QOS information
-----------------------------------------------------------------------
profileNameUp :
profileNameDown:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
*******************************************************************************
16-8

Chapter 17
User-Side Policy Routing
Configuration
Table of Contents
User-Side Policy Routing Overview ..........................................................................17-1
Configuring User-Side Policy Routing.......................................................................17-1
Example: User-Side Policy Routing Configuration ....................................................17-2
17.1 User-Side Policy Routing Overview

For the principles of policy routing and route-map, refer to the "ROUTE-MAP Policy
Configuration" section in ZXR10 M6000 Carrier-Class Configuration Guide (Policy
Template).
On the ZXR10 M6000, network administrator can bind a route-map in
authorization-template mode to choose the path of user's packets.
Upon arrival of a packet, the ZXR10 M6000 determines whether a route-map is specified
for the corresponding user.
l If no route-map is specified, the normal procedure is applied: Search for the matched
destination IP address in the routing table and, if a match is found, the packet is
forwarded to the pre-configured next-hop.
l If a route-map is specified, the packet is forwarded based on the defined actions.
17.2 Configuring User-Side Policy Routing

This procedure describes how to configure user-side policy routing to enable packets to
be transmitted over the specified paths.
Steps
1. Configure user-side policy routing.
1 ZXR10(config)#subscriber-manage Enters subscriber-manage

configuration mode.
2 ZXR10(config-submanage)#authorization-template Enters authorization template

17-1

3 ZXR10(config-submanage-author-template)#ip Binds the policy route-map to

policy route-map <route-map-name> the authorization template.
Command Description
ZXR10#show running-config aim [all] Shows all ATM-related

information, including the
domain configuration.
ZXR10#show configuration submanage template Shows the local domain

authorization-template {<author-template-name>| all} configuration.
17.3 Example: User-Side Policy Routing Configuration

Overview
A PC user tries to establish a dial-up connection (account: user1@pppoe), see Figure
17-1.
Figure 17-1 Networking Topology for User-Side Policy Routing Configuration
Configuration Flow
2. Specify a route-map for the domain in subscriber-manage mode.
1. For the basic configuration of PPPoE user access, refer to the "PPPoEv4 Configuration
Examples" section.
2. Specify a router-map for the domain where the user is located.
ZXR10(config-submanage-author-template)#authentication-type local
ZXR10(config-submanage-author-template)#ip policy route-map zte
ZXR10(config-submanage)#domain pppoe
17-2

Chapter 17 User-Side Policy Routing Configuration

3. After the user establishes a dial-up connection, verify that the route-map configuration
in the user table takes effect.
After a PC user establishes a dial-up connection (username/password: user1@pppoe) ,
run the show subscriber pppox interface command on the BRAS to view the detailed user
information. route-map-name refers to the route-map name.
ZXR10#show subscriber pppox interface gei-0/6/1/11
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :1
user-name :zte
mac-address :0010.9400.0001
session-id :1
internal-vlan :0
external-vlan :0
eap-type :FALSE
sibprofileid :0
create-time :2012/08/06 14:09:26
online-time :1050
vpdnAcctClass :
route-map-name :zte
-------------------------------------------------------------------------------
IPv4 Information
17-3

-------------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :199.1.1.1
second-dns :2.2.2.2
*******************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
17-4

Chapter 18
Dual Server Cluster Hot
Standby Configuration
Table of Contents
Dual-Server Cluster Hot Standby Overview ..............................................................18-1
Configuring Hot Standby ..........................................................................................18-5
Hot Standby Configuration Example .........................................................................18-9
18.1 Dual-Server Cluster Hot Standby Overview

Dual-Server Cluster Hot Standby Introduction
The main early applications of the Internet were web browsing and data sharing. In that
stage, the carriers thought that 99.99% usability of the Internet access service was enough.
However, the Internet services has infiltrated into various applications quickly. The main
applications have changed, including online personal financing, service operation, online
video service and online game. These applications largely rely on the network and service
reliability. Internet users cannot bear network disconnection and service interruption.
In addition, the future network is a combined network orienting to IP bearing. Compared
with the new services such as High Internet Service (HIS), Next Generation Network
(NGN), IPRAN and Internet Protocol Television (IPTV), this network is more sensitive
to faults. The loss brought by the faults is more serious. The conventional redundancy
of important components on devices or redundancy in the link layer cannot meet the
requirements for Mean Time Between Failures (MTBF) and Mean Time To Recovery
(MTTR) on core devices of the operators. Now, a solution that can accomplish real-time
redundancy and smooth changeover between (or among) devices is needed urgently.
Users are unaware of this solution at the service layer.
Figure 18-1 shows an application situation for the dual server cluster hot standby solution.
18-1

Figure 18-1 Networking Topology for Cluster Hot Standby Solution
In a dual server cluster, the active device and the standby device are seen in one
autonomous system. They accomplish backup inside the autonomous system without
changing the action characteristics of outside devices. Users and back-end devices are
unaware of device changeover.
The difference of the networking structure between BRAS dual server hot standby and the
stand-alone BRAS service is that a backup device is added. The active/standby backup
between two devices are implemented through a heartbeat line or the LSP mode. In
general, the backup mode is 1:1 or 1+1.
At present, the ZXR10 M6000 mainly supports the PPPOE, IPOE, and IP-HOST access
service. However, the VPDN service is not supported.
Redundancy Application
In practice, service reliability can be deployed according to demands. The possible
application situations are 1:1 redundancy, 1+1 redundancy, N:1 redundancy and N+1
redundancy.
18-2

Chapter 18 Dual Server Cluster Hot Standby Configuration
1:1 redundancy means to deploy one standby device for an active device. The standby
device is redundancy for the active device completely, see Figure 18-2.
Figure 18-2 1:1 Redundancy Application
l In normal conditions, users are not connected to the standby device. In the case
where there is a fault on the active device or on the link between the active device
and the aggregation switch, the traffic is be changed over to the standby device.
l When the active device recoveries, the traffic is changed over to the active device
again.
In a 1:1 redundancy situation, the standby device is in Standby state for a long time. There
is no traffic on its downlink in normal conditions. The standby device only synchronizes
user information with the active device. This application is suitable for redundancy
deployed between devices at different office addresses. It is used for traffic planning and
unified user management. In general, 1:1 redundancy is used for important office and
broadband users, thus ensuring the network reliability.
When several standby groups share the address pool and changeover is executed in
some standby groups, the redundancy mode is handed over to 1+1 from 1:1. In other
words, 1:1 redundancy means that there is one active device and one backup device. 1+1
redundancy means that these two devices are mutual backup. At present, ZXR10 M6000
BRAS supports 1:1 redundancy and 1+1 redundancy.
Link Detection
During service backup implementations, it is necessary to know the link states first. Virtual
Router Redundancy Protocol (VRRP) is used to detect the links.
VRRP is a fault-tolerance protocol. In general, a default route is configured on each host

on a network. In this way, a packet whose destination is not in a local network segment
sent by a host is sent to Router A through the default route. So a host can communicate
with the outside network. When Router A has a fault, all the hosts whose next hop is
Router A in the local network segment cannot communicate with the outside network.
VRRP is designed to solve such problems on LANs supporting multicast or broadcast
(such as Ethernet). VRRP organizes a group of routers (including a Master router and
several Backup routers) on a LAN into a virtual router which is called a backup group. The
virtual router has its own IP address (this IP address may be the same as the interface
18-3

address of a router in the backup group). The routers in the backup group also have their
own IP addresses. The hosts on the LAN only know the IP address of the virtual router.
The hosts do not know the IP address of the Master router and the IP addresses of the
Backup routers.
Therefore, the hosts on the network communicates with other networks through this virtual
router. If the Master router in the backup group fails, a new Master router is elected from
the Backup routers according to a certain policy, and routing services still work for the
hosts on the network. So, the hosts can communicate with the outside network without
interruption.
SIBP
SIBP is a standardized protocol that is used for synchronizing user information between
devices. It supports multiple access modes, including PPPoE, IPoE private line and
IP-HOST, It also supports user multicast, COA and accounting service/authorization
information, and so forth. During transmission, only service information is involved. It is
irrelevant to the device operating system and inside accomplishment.
The SIBP provides two functions. One function is customizing the synchronization
rule of user information, shielding the service accomplishment inside the device, and
distributing protocol data to a specific process. We recommend that you use the
TCP as the transmission channel. The SIBP does not provide transmission reliability.
The other function is providing device-level protocol interactions, accomplishing batch
synchronization applications, and accomplishing device-level resource management and
control.
In general, the information is synchronized between devices in real time. Synchronization
is triggered by events such as user getting online, getting offline, joining a multicast group,
and leaving a multicast group. Timers also can synchronize traffic accounting information
periodically. However, when all user information is lost due to a device-level fault, it is
necessary to support batch synchronization of user information. The granularity is a
backup group. There are two conditions that can trigger batch synchronization.
l The device obtains the number of users from the remote end through SIBP protocol
interactions, and compares the number of users in the local backup group with that in
the remote backup group. If the number is not the same for several times, the device
sends an SIBP protocol synchronization application. When an SIBP connection is
disconnected, the device executes synchronization compulsively.
l The device establishes the state machine of the backup group, and starts batch
synchronization according to the local active/standby state and SIBP state. The state
machine is maintained in unit of backup group. The state machine negotiation of the
protocol is determined by the following states:
à The TCP connection state

à The VRRP protocol state
à The service state (it is APPREADY by default in current accomplishment)
18-4

Where, the active state set of the protocol state machine is: The VRRP protocol state
is MASTER on the local device, the service state on the local device is normal, the
TCP connection is established successfully, and the VRRP protocol is SLAVE at the
remote device; The standby state set of the protocol state machine is: The VRRP
protocol state is SLAVE, the service state on the local device is normal, and the TCP
connection is established successfully; In other state sets, the protocol state machine
is INITIAL. Figure 18-3 shows the state changes.
Figure 18-3 Dual Server Cluster Hot Standby State Transfer
When (MASTER, SLAVE) appears between two points of the state machines, service
information will be synchronized from the active device to the standby device (both
real-time synchronization and batch synchronization). When a user comes online, his
or her information is synchronized from the active device to the standby device. If
backup information is lost due to a backup group-level/device-level fault, and if the
synchronization channel state machine of the backup group form the active and standby
relation again, the active device uses the batch synchronization mode to synchronize all
user information to the standby device again.
18.2 Configuring Hot Standby

This procedure describes how to configure hot standby.
Steps
1. Configure a Sib instance.
1 ZXR10(config)#sibmgr Enters sibmgr configuration

mode.
18-5

2 ZXR10(config-sibmgr)#sib-instance<instance-id> Enters sib-instance

configuration mode, the
range of <instance-id> is 1 to
128.
3 ZXR10(config-sibmgr-sib-instance-number)#descr Sets a description name

iption <description-name> of a sib-instance, 1 to 31
4 ZXR10(config-sibmgr-sib-instance-number)#bind Binds an interface.

interface<interface-name>
5 ZXR10(config-sibmgr-sib-instance-number)#bind Binds a sib-peer-group.

sib-peer-group<peer-group-name>
6 ZXR10(config-sibmgr-sib-instance-number)#bind Binds VRRP configured on an

vrrp<vrrp-id> interface <interface-name> interface.
7 ZXR10(config-sibmgr-sib-instance-number)#bind Binds a sib-policy.

sib-policy <policy-name>
2. Configure a Sib policy.
1 ZXR10(config)#sibmgr Enters sibmgr configuration

mode.
2 ZXR10(config-sibmgr)#sib-policy<policy-name> Sets a sib-policy, and enters

sib-policy configuration mode,
the range of <policy-id> is 1 to
128.
3 ZXR10(config-sibmgr-sib-policy)#traffic-redirect Sets an interface address

backup-ipv4-nexthop <ipv4-address> backup-interface of the standby link and an
<interface-name>[strict-rx] out-interface used when the
active link fails.
ZXR10(config-sibmgr-sib-policy)#traffic-redirect Configures the IP address of

backup-lsp <ipv4-address> the interface of the standby
link in case that the LSP active
link fails.
ZXR10(config-sibmgr-sib-policy)#traffic-redirect Configures the egress

backup-te-tunnel te_tunnel<1-16000> interface in case that the
active TE link fails.

backup-gre-tunnel gre_tunnel<1-4000> interface in case that the
active GRE link fails.
18-6


vrf <vrf-name> backup-gre-tunnel gre_tunnel<1-4000> interface of the standby link in
case that the active GRE VRF
accessed link fails.
<ipv4-address>: Next-hop address of the standby link.

<interface-name>: Out-interface of the standby link.
<vrf-name>: VRF name.
strict-rx: enables the loop-prevention function on the interface. This can prevent a
packet (sent from the network side to an offline user) to be looped back over the
heartbeat connection between active and standby devices.
3. Configure a Sib-Peer-Group.
1 ZXR10(config-sibmgr)#sib-peer-group <group-name>[g Enters sib-peer-group

lobal] configuration mode.
For the BRAS, the global
parameter must be
configured.
2 ZXR10(config-sibmgr-sib-peer-group- Sets the source and

peer)#remote-ip <remote-ip-address> port destination addresses of
<remote-port-number> local-ip <local-ip-address> port the TCP connection (for
<local-port-number>port-count <port-count>[<vrf-name>] synchronizing information
between active and standby
devices).
<remote-ip-address>: IP address of the remote standby device.

<remote-port-number>: port number of the remote standby device.
<local-ip-address>: IP address of the local device.
<local-port-number>: port number of the local device.
<port-count>: number of ports, range: 1–65. For the BRAS, this parameter must be
set to 1.
4. Configure a Profile.
1 ZXR10(config)#subscribe-manage Enters subscriber

mode.
18-7

2 ZXR10(config-submanage)#reference sib-instance Enters BRAS_PROFILE

<instance-id> configuration mode.
3 ZXR10(config-subscr-mgmt-profile-number)#alias Sets an alias for the profile,

<profile-name> range: 1–31 characters.
4 ZXR10(config-subscr-mgmt-profile-number)#traffic- Sets the intervals (in seconds)

back interval <time-interval> of backing up traffic, range:
10–3600.
5 ZXR10(config-subscr-mgmt-profile-number)#traffic- Sets the backup traffic

back threshold <traffic-threshold> threshold (in kbs), range:
1–10000000.
5. Configure a tunnel-id.

mode.
2 ZXR10(config-vpdn)#tunnel-id base <base tunnel ID> Sets the allocation range of

max <maximum number of tunnel IDs> tunnel IDs of the centralized
device. Default is none.
Command Function
ZXR10#show running-config sib Shows the sib configuration.
ZXR10#show running-config profile Shows the profile configuration.
ZXR10#show sib-instance <id>[verbose | Shows the sib instance information.

summary] verbose: detailed information.
summary: summary information.
ZXR10#show subscriber hot-bak sib-profile Shows the information about the hot standby
<sib-profileid>[statistics | verbose] user of the rack based on the sib-profileid.
<sib-profileid>: range: 1–128.
statistics: statistics information.
verbose: detailed information.
ZXR10#show subscriber hot-bak all [statistics | Shows the information about all hot standby
verbose] users.
statistics: statistics information.
verbose: detailed information.
ZXR10#show running-config vpdn Shows the information about VPDN

configuration.
18-8

18.3 Hot Standby Configuration Example

Figure 18-4 shows a networking topology for the hot standby configuration of the
dual-server cluster.
Figure 18-4 Hot Standby Configuration Example
Configuration Flow
1. Configure user access relating to the active device and the standby device. The
access configuration on the active and standby devices should be consistent.
For IPoE access, refer to the "IPoEv4 Configuration" chapter.
For PPPoE access, refer to the "PPPoEv4 Configuration" chapter.
For IP-HOST access, refer to the "IP-HOSTv4 Configuration" chapter.
2. Configure routes on BRAS1, BRAS2 and CR.

For the routing protocol configuration, refer to the “Configuration Guide (IPv4
Routing)”.
LSPmode: It is necessary to establish a Label Distribution Protocol (LDP) neighbor

relationship.
For LDP configuration, refer to the “Configuration Guide (MPLS)”.
Heartbeat line mode: There should be a heartbeat link between BRAS1 and BRAS2.
Configure the IP addresses and the routes.
3. Configure VRRP and BFD on BRAS1, BRAS2 and the switch.
18-9

For VRRP configuration, refer to the “Configuration Guide (Reliability)”.

4. Configure sibmgr in global configuration mode on BRAS1 and BRAS2.
5. Configure profiles on BRAS1 and BRAS2.
The configuration of BRAS1 (the active device):
ZXR10(config)#sibmgr
ZXR10(config-sibmgr)#sib-peer-group 1 global
ZXR10(config-sibmgr-sib-peer-group)#remote-ip 140.1.1.1 port 2000
local-ip 135.1.1.1 port 2000 port-count 1
/*140.1.1.1 refers to the loopback address of BRAS2, and*/
/*135.1.1.1 refers to the loopback address of BRAS1*/
/*2000 refers to the port number. It can be set as needed,*/
/*and should be consistent at both ends*/
/*The number of global groups must be one*/
ZXR10(config-sibmgr-sib-peer-group)#exit
ZXR10(config-sibmgr)#sib-policy 1
ZXR10(config-sibmgr-sib-policy)#traffic-redirect backup-lsp 1.1.1.20
/*1.1.1.20 is the loopback address of the standby device (BRAS2).It is necessary
for the LSP mode. It is unnecessary for the heartbeat line mode.*/
ZXR10(config-sibmgr-sib-policy)#exit
ZXR10(config-sibmgr)#sib-policy 2
ZXR10(config-sibmgr-sib-policy)#traffic-redirect backup-ipv4-nexthop
30.1.1.2 backup-interface xgei-0/6/1/1
/*30.1.1.2 is the address of the interface on the heartbeat line on BRAS2
connecting to BRAS1, that is, the direct connected next hop of xgei-0/6/1/1*/
ZXR10(config-sibmgr)#sib-policy gre
ZXR10(config-sibmgr-sib-policy)# traffic-redirect vrf lry backup-gre-tunnel
gre_tunnel4000 /*Configures the traffic redirect mode for the GRE tunnel
for VRF accessed subscribers*/
ZXR10(config-sibmgr)#sib-policy gre1
ZXR10(config-sibmgr-sib-policy)# traffic-redirecct backup-gre-tunnel
gre_tunnel4000 /*Configures the traffic redirect mode for the GRE tunnel*/
ZXR10(config-sibmgr)#sib-instance 1
ZXR10(config-sibmgr-sib-instance-1)#bind vrrp 9 interface gei-0/1/0/9.1
/*The gei-0/1/0/9.1 interface is the VRRP interface on BRAS1*/
ZXR10(config-sibmgr-sib-instance-1)#bind sib-policy 1
ZXR10(config-sibmgr-sib-instance-1)#bind sib-peer-group 1
18-10

ZXR10(config-sibmgr-sib-instance-1)#bind interface gei-0/1/0/9.2

/*The gei-0/1/0/9.2 and gei-0/1/0/9.3 interfaces are user access VCC interfaces.
All VCC interfaces of user accesses should be associated here. Otherwise,
hot standby cannot be performed*/
ZXR10(config-sibmgr-sib-instance-1)#exit
ZXR10(config-sibmgr)#exit
/*The configuration of the profile:*/

ZXR10(config-submanage)#gateway-redirect 19.1.0.0 255.255.0.0 backup-lsp 1.1.1.20
/*This command is only for the LSP mode. With this command, traffic is not
interrupted when the line card is plugged out and re-plugged. 19.1.0.0 is the
network segment of the IP on the VBUI interface. 1.1.1.20 is the address of the
standby LSP in LSP mode*/
ZXR10(config-submanage)#reference sib-instance 1
ZXR10(config-submanage-mgmt-profile-1)#traffic-back interval 10
/*This command is used for traffic synchronization between the active device and
the standby device. The traffic is synchronized once every 10 seconds.*/
ZXR10(config-submanage-mgmt-profile-1)#exit
The configuration of BRAS2 (the standby device):

ZXR10(config)#sibmgr
ZXR10(config-sibmgr)#sib-peer-group 1 global
ZXR10(config-sibmgr-sib-peer-group)#remote-ip 135.1.1.1 port 2000
local-ip 140.1.1.1 port 2000 port-count 1
/*135.1.1.1 refers to the loopback address of BRAS1*/
/*and 140.1.1.1 refers to the loopback address of BRAS2*/
/*2000 is the port number. It can be set as needed, and*/
/*should be consistent at both ends.*/
/*The number of global groups must be one*/
ZXR10(config-sibmgr-sib-peer-group-peer)#exit
ZXR10(config-sibmgr-sib-peer-group-1)#exit
ZXR10(config-sibmgr)#sib-instance 1
ZXR10(config-sibmgr-sib-instance-1)#bind vrrp 9 interface gei-0/6/0/9.1
/*The gei-0/6/0/9.1 interface is the VRRP interface on BRAS2.*/
ZXR10(config-sibmgr-sib-instance-1)#bind sib-peer-group 1
/*The gei-0/6/0/9.2 and gei-0/6/0/9.3 interfaces are user access VCC interfaces.
All VCC interfaces for user access should be associated here. The port number,
sub-interface number on the standby device must be the same with that on the
active device. The slot number can be different.*/
ZXR10(config-sibmgr-sib-instance-1)#exit
18-11

ZXR10(config-sibmgr)#exit
/*The configuration of the profile:*/

ZXR10(config-submanage)#reference sib-instance 1
ZXR10(config-submanage-mgmt-profile-1)#traffic-back interval 10
ZXR10(config-submanage-mgmt-profile-1)#exit
Execute the show running-config sib command on the active BRAS1 to view the sib
configuration.
ZXR10(config)#show running-config sib
!<SIB>
sibmgr
sib-peer-group 1 global
peer 1
remote-ip 140.1.1.1 port 2000 local-ip 135.1.1.1 port 2000 port-count 1
$
sib-policy gre
traffic-redirect vrf lry backup-gre-tunnel gre_tunnel4000
$
sib-policy gre1
traffic-redirect backup-gre-tunnel gre_tunnel4000
$
sib-policy 1
traffic-redirect backup-lsp 1.1.1.20
$
sib-policy 2
traffic-redirect backup-ipv4-nexthop 30.1.1.2 backup-interface xgei-0/6/1/1
$
sib-instance 1
bind vrrp 9 interface gei-0/1/0/9.1
bind sib-policy 1
bind sib-peer-group 1
bind interface gei-0/1/0/9.2
$
!</SIB>
Run the show running-config profile command on the active BRAS1 to view the profile
configuration.
ZXR10(config)#show running-config profile

!<PROFILE>
18-12

subscriber-manage
gateway-redirect 19.1.0.0 255.255.0.0 1.1.1.20
reference sib-instance 1
traffic-back interval 10
$
!</PROFILE>
Execute the show running-config sib command on the standby BRAS1 to view the sib
configuration.
ZXR10(config)#show running-config sib
!<SIB>
sibmgr
sib-peer-group 1 global
peer 1
remote-ip 135.1.1.1 port 1000 local-ip 140.1.1.1 port 1000
$
$
sib-instance 1
bind vrrp 9 interface gei-0/6/0/9.1
bind sib-peer-group 1
$
!</SIB>
Run the show running-config profile command on the standby BRAS1 to view the profile
configuration.
ZXR10(config)#show running-config profile
!<PROFILE>
subscriber-manage
reference sib-instance 1
traffic-back interval 10
$
!</PROFILE>
18-13

18-14

Chapter 19
Cold Standby Configuration
Table of Contents
Cold Standby Overview ............................................................................................19-1
Configuring Cold Standby.........................................................................................19-2
Cold Standby Configuration Example .......................................................................19-4
19.1 Cold Standby Overview

Cold Standby Introduction
The broadband MAN service control layer is a specific layer for a service access network
to connect to a core switching network. BRAS devices play important roles. BRAS devices
are responsible for service access control and user management. To meet the demand of
high service quality provided by networks, the requirements for performance and reliability
of BRAS devices in the service control layer are higher.
If a fault occurs to a device or a port, it is necessary to solve the fault by manual interference
(for example, switching services to another device, resetting a board, or switching a port).
Manual interference takes time and the cost is high. The cold standby function provides
multiple links for user accesses. These links have different priorities. When a fault occurs
to the active link, a user can access the network through a standby link by initiating a new
session.
The cold standby function enhances users' satisfaction degree, and reduces operation and
maintenance personnel's work load.
Cold Standby Features

Cold standby can be implemented at the sub-port level. Standby ports can be configured
on the same or different devices (it is only required to ensure that the links between users
and standby ports are operating properly).
The relation between two links is determined by protocol negotiation or configuration.
Based on the mode of obtaining link priority, cold standby can be divided into two types:
l Implementing relation between interfaces through a competition protocol.

The active and standby relationship can be formed between links. The active link
responds to accesses. The standby link refuses accesses. If a fault occurs to the
active link, the standby link becomes the active link. Users can access the network
again. The previous active link does not do any special handling. Users are aged
automatically.
19-1

l Implementing relation between interfaces through configuration rules.

Different rules can be configured on the links to handle PPPoX PADO packets and
DHCP OFFER packets with delays, so that users access the network through the
active link.
The ZXR10 M6000 supports the following types of cold standby:
l Port-based cold standby: implements delayed access of users by:
à Odd MAC address
à Even MAC address
à Specified modulus and remainder of the modulo operation for an MAC address
l Board-based cold standby: implements delayed access of users on the specified

board.
l Device-based cold standby: implements delayed access of users on the device.
Based on the pre-configured policy, the ZXR10 M6000 extends the time in acknowledging
the first packet during the access of a user, which enables the corresponding client to
access the ZXR10 M6000 based on the response time. During the access of a PPPox
user, after receiving a PADI broadcast packet, the ZXR10 M6000 queries the time delay
policy and sends a PADO packet after the pre-defined time delay. During the access of
an IPoX user, after receiving a DISCOVERY packet, the ZXR10 M6000 queries the time
delay policy and sends an OFFER packet after the pre-defined time delay.
When the active link does not respond, users access the network through the standby
link. Multiple functions can be implemented based on different delay rules and conditions.
Compared with the two implementation modes, the delay solution has the following
advantages:
1. It does not need a link detection protocol.
2. It supports interconnections (without protocol support).
Compared to the policy that uses the competition protocol to implement active/standby
ports, the time delay policy does not need to detect packets to obtain link statuses, and
does not need to support device interconnection.
3. It is easy to implement.
19.2 Configuring Cold Standby

This procedure describes how to configure cold standby.
Context
Keep the following rules in mind during the cold standby configuration:
l Port-based cold standby is configured between the two ports on the same line card.
l Board-based cold standby is configured between the ports on different boards.
l Device-based cold standby is configured between the ports on different devices.
19-2

Chapter 19 Cold Standby Configuration
Steps
1. Configure cold standby.
l To configure port-based cold standby, perform the following steps:

mode.
2 ZXR10(config-vcc)#interface <interface-name> Enters VCC interface

service configuration mode.
3 ZXR10(config-vcc-if)#access-delay Sets the time delay on the

<delay-timer>[even-mac | odd-mac | mod-mac interface.
<modular> remainder <remainder>]
4 ZXR10(config-vcc-if)#nas logic-sysname Sets the system name,

<logic-sysname> range: 1–31 characters.
5 ZXR10(config-vcc-if)#nas logic-interface slot Sets logical information on

<slot-num> sub-slot <subslot-num> port <port-num> the interface.
<slot-num>: slot number,
range: 0–255.
<subslot-num>: sub-slot
number, range: 0–255.
<port-num>: port number,
range: 0–255.
6 ZXR10(config-vcc-if)#nas logic-ip <ip-address> Sets the logical IP address.
7 ZXR10(config-vcc-if)#nas ssid <ssid-info> Sets the Nas SSID

information, range: 18–31
characters.
<delay-timer>: delay time (in milliseconds), range: 50–2000.

even-mac : delay time for even MAC address users.
odd-mac: delay time for odd MAC address users.
<modular>: modulus of the self-defined MAC policy, range: 3–8. The modulo
operation is performed for the last 32 bits of a MAC address.
<remainder>: remainder of the self-defined MAC policy, range: 0–7.
l To configure board-based cold standby, perform the following steps:

mode.
19-3

2 ZXR10(config-submanage)#access-delay slot Sets the board-based cold

<slot-num> step <step-num> minimum-time standby policy.
<min-time> maximum-time <max-time>
<slot-num>: slot number, range: 0–15.

<step-num>: delay step (each time this setting is exceeded, a delay operation is
performed), range: 100–10000.
<min-time>: the minimum time delay (in milliseconds), range: 0–2000.
<max-time>: the maximum time delay (in milliseconds), range: 50–2000.
l To configure device-based cold standby, perform the following steps:

mode.
2 ZXR10(config-submanage)#access-delay Sets the device-based cold

step <step-num> minimum-time <min-time> standby policy.
maximum-time <max-time>
Command Function
ZXR10#show running-config uim Shows the configuration information of the

UIM module.
ZXR10#show running-config aim Shows the configuration information in

subscriber-manage mode.
19.3 Cold Standby Configuration Example

As shown in Figure 19-1, gei-0/0/0/6 of R1 and gei-0/0/0/6 of R2 are cold standby interfaces
for each other. Set gei-0/0/0/6 of R1 to active status, and set gei-0/0/0/6 of R2 to standby
status. In normal situations, users access the network through the active interface. If the
active interface is down, users access the network through the standby interface.
Keep the following rules in mind during the time delay configuration:
l Port-based delay is configured if cold standby is required between the two ports on
the same board.
19-4

Chapter 19 Cold Standby Configuration
l Board-based delay is configured if cold standby is required between the ports on

different boards.
l Device-based delay is configured if cold standby is required between the ports on
different devices.
Figure 19-1 Networking Topology for Cold Standby Function Configuration
Configuration Flow
1. Configure basic PPPoE/IPoE access.
2. Configure MAC delay/line card delay/overall system delay.
3. Configure a cold standby policy for the NAS.
For MAC delay/line card delay/overall system delay configuration, refer to the following
commands:
l Configure a MAC delay.
R1(config-vcc-if)#access-delay 50 mod-mac 3 remainder 1
/*Implements cold standby based on the remainder of the MAC address-based
mod operation*/
R1(config-vcc-if)#exit
R1(config-vcc)#exit
l Configure a line card delay.
R1(config-submanage)#access-delay slot 3 step 210 minimum-time 100
19-5

maximum-time 1500
l Configure an overall system delay.
R1(config-submanage)#access-delay step 240 minimum-time 150 maximum-time 2000
Configure a cold standby policy for the NAS.

R1(config-vcc-if)#nas logic-sysname E15E11 /*NAS device name*/
R1(config-vcc-if)#nas logic-interface slot 5 sub-slot 0 port 3
/*Access port number*/
R1(config-vcc-if)#end
Check the MAC delay and NAS configuration on the VCC interface.
R1#show running-config uim
! <UIM>
vbui-configuration
interface vbui1234
$
$s
encapsulation multi
pppox template 1000
access-delay 50 mod-mac 3 remainder 1 /*MAC delay*/
nas logic-sysname E15E11 /*NAS device name*/
nas logic-interface slot 5 sub-slot 0 port 3 /*Access port number*/
$
Check the configuration of overall system delay and line card delay on the submanage.
R1#show running-config aim
! <AIM>
subscriber-manage
location-error-access enable
accounting syslog enable
access-delay slot 3 step 210 minimum-time 100 maximum-time 1500
/*Line card delay*/
access-delay step 240 minimum-time 150 maximum-time 2000
/*Overall system delay*/
19-6

Chapter 20
AC Separation Access
Configuration
Table of Contents
AC Separation Access .............................................................................................20-1
Configuring AC Separation Access...........................................................................20-2
AC Separation Access Configuration Instance .........................................................20-5
20.1 AC Separation Access

The AC separation on the ZXR10 M6000 is used in WLAN access to enable key
transmission at the air interface. The ZXR10 M6000 uses the RADIUS proxy scheme,
which uses the AC as the authentication initiating point. The ZXR10 M6000 implements
the authentication flow and key transmission at the air-interface as the RADIUS proxy. In
addition, the ZXR10 M6000 implements access user charging as the charging point. AC
separation access has no special requirements for downstream AC devices. The network
is relatively simple.
For the typical network of AC separation access, see Figure 20-1.
Figure 20-1 Typical Network for AC Separation Access
The following describes the AC separation access flow:

1. The client connects to a wireless network.
2. The client initiates an EAP authentication request. The request message reaches
the AC through the AP. The AC initiates an EAPOR message as the authentication
initiating point.
20-1

3. The ZXR10 receives the EAPOR message and sends the message to the RADIUS
server for EAP authentication as an authentication relay.
4. The RADIUS server returns the authentication result, which is further sent to the AC
by the ZXR10.
5. The EAP authentication passes, and the air-interface key interaction ends.
6. A DHCP address is allocated to users through the AC. The ZXR10 also provides L3
access interfaces for the AC to implement the DHCP function.
7. After the DHCP address is allocated to a user and the user accesses the AC, a
charging start message is initiated.
8. After receiving the charging start message, the ZXR10 activates the timer for user
traffic.
9. The client accesses the network, and the traffic reaches the ZXR10. The ZXR10 user
gets online, and charging starts.
10. When the user requests to get offline, the AC triggers sending charging termination
messages to the ZXR10.
11. After the user gets offline, the ZXR10 notifies the AC that the user is offline through
the DM.
Note:
Currently a downstream AC can be a L3 device.
The AC must be able to trigger a charging start message after the user obtains an address
and trigger a charging termination message after the user gets offline.
20.2 Configuring AC Separation Access

This procedure describes how to configure the AC separation access function.
Steps
1. Enable the DHCP function and configure the interface DHCP mode to DHCP server.
1 ZXR10(config)#dhcp Enters DHCP configuration

mode.
2 ZXR10(config-dhcp)#enable Enables the DHCP function.
3 ZXR10(config-dhcp)#interface <interface-name> Enters DHCP interface

configuration mode.
4 ZXR10(config-dhcp-if-interface-name)#mode Sets the DHCP operation

server mode of the enabled interface
to DHCP server.
20-2

Chapter 20 AC Separation Access Configuration
1 ZXR10(config)#ip pool <pool-name> Sets an address pool

and enters address pool
configuration mode.
2 ZXR10(config-ip-pool)#range <start-ip><end-ip><ma Sets an IP pool address

sk> segment, including an initial
address, termination address,
and mask of the address
segment.
3. Configure a DHCP Pool.
1 ZXR10(config)#ip dhcp pool <dhcppool-name> Sets a DHCP pool and enters

DHCP Pool configuration
mode.
2 ZXR10(config-dhcp-pool)#ip-pool <ippool-name> Binds the IP Pool to the DHCP

pool.
3 ZXR10(config-dhcp-pool)#lease-time {[infinite]|[<days Sets the lease period for the

><hours><minutes>]} IP address that is leased to
the client by DHCP server.
Default, 1 hour.
If infinite is selected, that
means the lease period is
unlimited.
4 ZXR10(config-dhcp-pool)#dns-server <ip-address>[<ip Sets the DNS address that

-address>][<ip-address>][<ip-address>][<ip-address>][<ip-a the DHCP server returns to a
ddress>][<ip-address>][<ip-address>] user.
Multiple DNS addresses can
be configured.
5 ZXR10(config-dhcp-pool)#default-router Sets the default gateway.

<ip-address>[<ip-address>][<ip-address>] At most 8 gateways can be
configured.
4. Bind a DHCP policy to an interface and configure a quota for a DHCP user.
1 ZXR10(config-dhcp)#interface <interface-name> Enters DHCP interface

configuration mode.
2 ZXR10(config-dhcp-if-interface-name)#policy Binds the DHCP policy to the

<policy-name> interface.
20-3

3 ZXR10(config-dhcp-if-interface-name)#user quota Sets the quota for the user,

<limit-value> that is, the maximum number
of DHCP clients that are
allowed to connect to the
interface.
5. Configure the RADIUS PROXY. For details, refer to “Configuring the RADIUS PROXY”.
1 ZXR10(config-submanage)#domain <domain-name> Enters BRAS domain

configuration mode.
2 ZXR10(config-submanage-domain)#bind Binds the domain to an

authentication-template <authentication template-name> authentication template. One
domain can be bound to only
one authentication template.
3 ZXR10(config-submanage-domain)#bind Binds the domain to an

authorization-template <authorization template-name> authorization template. One
domain can be bound to only
one authorization template.
4 ZXR10(config-submanage-domain)#bind Binds the domain to a charging

accounting-template <accounting template-name> template. One domain can be
bound to only one charging
template.
7. Configure a user-side L3 interface.
1 ZXR10(config)#l3-access-configuration Enters BRAS-L3-ACCESS

mode.
2 ZXR10(config-l3-access)#interface <interface-name> Enters BRAS-L3-ACCESS

interface service mode.
3 ZXR10(config-l3-access-if)#radius-proxy enable Enables the proxy RADIUS

function.
8. Configure the aging time.
20-4

1 ZXR10(config-submanage)#user-template-session Sets the temporary user

time-out <time> information timeout period,
default, 300 seconds, range:
60–500 seconds.
2 ZXR10(config-submanage)#user-template-session Sets the timeout period before

waiting-online <time> a user gets online, default:
no timeout period, range:
60–1800 seconds.
9. Verify the configuration result.
Command Function
ZXR10#show running radius Displays the proxy RADIUS

configuration.
ZXR10#show running dhcp Displays the DHCP configuration.
ZXR10#show running urc Displays the aging time.
ZXR10#show running uim Displays the UIM configuration.
20.3 AC Separation Access Configuration Instance

Scenarios
Before configuring AC separation on the ZXR10, a proxy RADIUS must be configured,
and the proxy flag on the L3 interface must be enabled, see Figure 20-2. If necessary, a
DHCP server is required to allocate addresses for downstream devices.
Figure 20-2 AC Separation Access Configuration Instance
Configuration Flow
1. Set the AC device as a DHCP relay and the authentication initiating point.
2. Set the ZXR10 as the proxy RADIUS and the charging initiator.
20-5

3. Set the L3 interface as a DHCP server interface.

4. Set a pre-domain.
The configurations on the ZXR10 include the following:
1. Configure proxy authentication on the ZXR10. For details, refer to “RADIUS PROXY
SERVER Configuration Instance”.
2. Configure the ZXR10 as a DHCP server. For details, refer to “DHCP Server Configu-
ration Instance”.
3. Configure an L3 interface and enable the AC separation flag by using the following
commands:
ZXR10(config-l3-access-if)#pre-domain zte
ZXR10(config-l3-access-if)#radius-proxy enable
4. Configure a domain by using the following commands:
ZXR10(config-submanage)#domain zte
5. Configure the aging time before getting online.
ZXR10(config-submanage)#user-template-session time-out 100
ZXR10(config-submanage)#user-template-session waiting-online 200
Run the following command to check the DHCP configuration:

!<dhcp>
20-6

ip dhcp relay instance 1

relay agent 12.1.1.1
relay server group 1
$
ip dhcp relay server group 1
server 1 100.10.2.2 security
$
ip dhcp pool mhox-ac
ip-pool mhox-ac
$
ip dhcp policy mhox-ac 1
dhcp-pool mhox-ac
$
dhcp
enable
$
!</dhcp>
Run the following command to check the RADIUS configuration:

ZXR10(config-l3-access-if)#show running-config radius
!<radius>
radius authentication-group 2
attribute forbid standard 44 send
server 2 100.10.2.2 key encrypted
$
radius accounting-group 2
server 2 100.10.2.2 key encrypted
$
radius client-group 2
client ip 100.10.2.2 key encrypted
$
radius listening-port authentication 1812
radius listening-port accounting 1813
!</radius>
Run the following command to check the UIM configuration:
ZXR10(config-l3-access-if)#show running-config uim

!<uim>
l3-access-configuration
20-7

pre-domain zte
radius-proxy enable account-mode
$
$
!</uim>
Run the following command to check the URC configuration:

ZXR10(config-l3-access-if)#show running-config urc
!<URC>
subscriber-manage
user-template-session time-out 100
user-template-session waiting-online 200
$
!</URC>
Run the following command to check the configurations of all users:

ZXR10(config-l3-access-if)#show subscriber all
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :81
user-name :zte
domain-name :zte
local-domain-name :zte
authorize-domain-name :zte
mac-address :0010.9400.3501
session-id :0
internal-vlan :0
external-vlan :0
eap-type :FALSE
proxy-flag :Proxy
sibprofileid :0
create-time :2013/08/18 02:21:32
online-time :3823
20-8

vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 Multi-Hop
vrf-name :
vpn-id :0
gateway :
primary-dns :
second-dns :
*******************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
20-9

20-10

Chapter 21
L2VPN Access Configuration
Table of Contents
L2VPN Access .........................................................................................................21-1
Configuring L2VPN Access ......................................................................................21-3
L2VPN Access Configuration Instance .....................................................................21-3
21.1 L2VPN Access

Overview
The MPLS VPN service is widely used now. The VPN services based on the MPLS include
MPLS L3VPN and MPLS L2VPN. MPLS L2VPN includes a VPLS and a VLL. The VLL is
only applicable to point-to-point network application mode. The VPLS implements a VPN
network from multiple points to multiple points. The VPLS provides a resolution for network
operators who used the point-to-point L2VPN service before. With the VPLS, operators
cannot enter users' internal routing layer, which is possible in the L3VPN.
L2VPN provides L2 VPN services based on the MPLS network and connects users to the
public network or the L3VPN service of the bearer network through the L2VPN tunnel. The
user information to be maintained on the access network devices is reduced. Lower-end
devices can be used in the access network and the network cost is reduced. The access
network is transparent for users, who can directly access the public network or L3VPN.
The network is more flexible and easier.
Basic Concepts
l Virtual Private LAN Service (VPLS): a Point-To-Multipoint L2VPN service provided in
the public network. The VPLS enables user sites in different areas to be connected
through the MAN/WAN. These sites are interconnected as they were in the same LAN.
l Virtual Leased Line (VLL): a point-to-point L2VPN service provided in the public
network. The VLL enables two sites to be interconnected as they were directly
connected with cables. But it does not support multipoint-to-multipoint exchange for
service providers.
l Custom Edge (CE): connects the devices of service providers. CE devices of the
MPLS L2VPN may be router exchanges or hosts. CE devices are independent of
service providers' networks and cannot "perceive" the VPN.
l Provider Edge Router (PE): connected to the CE and implements VPN service access.
It implements message mapping and forwarding from the private network to the public
tunnel and from the public tunnel to the private network. A PE can be further classified
into a UPE and an NPE.
21-1

l User facing-Provider Edge (UPE): convergence devices for users to access the VPN.
l Network Provider Edge (NPE): located at the core domain edge of the VPLS network
and provides VPLS transmission between core networks.
l Pseudo Wire Edge to Edge Emulation (PWE3): PWE3 is an end-to-end L2 service
bearer technology and is a point-to-point L2VPN.
l Virtual Forwarding Instance (VFI): One VPN corresponds to one VFI, which is used to
record the VPN ID of the local VPN, the local interfaces added to this VPN, and the
peer router information.
l Attachment Circuit (AC): connection between the CE and PE, which can be a real
physical interface or a virtual interface. All user messages on the AC must be
forwarded to the peer without any processing, including the L2 and L3 protocol
messages of users.
l Pseudo Circuit (PW): a bi-directional virtual connection between two VFIs of a VPN.
It is composed of two single-directional MPLS VCs and is carried on the LSP and
created by the PW signaling protocol. For the VPLS, the PW is just like a direct path
from a local AC to a peer, through which, L2 data is transmitted.
l Label Switched Path (LSP): In the MPLS network, peripheral devices add MPLS labels
to messages, intra-network devices forward the messages in accordance with the
labels. The path that the labelled messages go through is named Label Switched
Path.
Typical MAN
For the typical MAN, see Figure 21-1. CE devices are composed of core switches,
which form an access layer. Use an SR router as the PE (a UPE and an NPE) to form a
convergence layer. The backbone layer uses a core router as a P router.
Figure 21-1 Typical MAN
All terminals access the network through the ADSL family gateway and are connected
to different uplink core switches through GE optical interfaces from the DSLAM. The
core switches and convergence routers form a mixed GE ring network. This ensures the
network reliability at the access layer. The backbone layer, control gateway, and core
routers form the dual-homing attribute, which is basic for network reliability. The service
21-2

Chapter 21 L2VPN Access Configuration
layer is composed of various service servers, gateways, and firewalls to provide elaborate
services for users.
L2VPN and L3VPN are bridged through the ULEI interface. Users get online through the
ULEI interface and access the network.
21.2 Configuring L2VPN Access

This procedure describes how to configure the L2VPN access function.
Steps
1. For how to bridge the L2VPN and L3VPN, refer to the Configuration Guide (VPN)
manual for this product.
2. For user access configurations, select one from IPoEv4, IP-Hostv4, PPPoEv4, and
VPDN. For details, refer to the Configuration Guide (IPv4 BRAS) manual for this
product.
21.3 L2VPN Access Configuration Instance

Configuration Description
For a VPLS network with only a BRAS, the BRAS must act as an L2VPN PE and be
able to configure a VCC for user access. In addition, it cannot be self-looped through
physical interfaces to avoid port resource waste. A virtaul bridge interface L2VPN ULEI can
meet the requirements. This configuration instance describes how to enable PPPoX users
to access the L2VPN through the virtual bridge interface L2VPN ULEI. For the network
topology, see Figure 21-2.
Figure 21-2 L2VPN Access Configuration Instance
Configuration Flow
1. Bridge the L2 VPN and L3 VPN.
2. Configure the L2VPN.
3. Configure the VCC on the ULEI interface.
4. Configure basic parameters for the PPPoX to get online. For details, refer to the
Configuration Guide (IPv4 BRAS) manual for this product.
21-3

1. Create two ULEI interfaces and bind the two interfaces to be a bridge interface.
ZXR10(config)#request interface ulei-0/5/1/1 /*Create a ULEI inteface.*/
ZXR10(config)#request interface ulei-0/5/1/2
ZXR10(config)#interface ulei-0/5/1/1
ZXR10(config-if-ulei-0/5/1/1)#no shutdown /*Open an interface.*/
ZXR10(config-if-ulei-0/5/1/1)#exit
ZXR10(config)#interface ulei-0/5/1/2
ZXR10(config-if-ulei-0/5/1/2)#no shutdown
ZXR10(config-if-ulei-0/5/1/2)#exit
ZXR10(config)#service-bridging virtual-links /*Enter bridge configuration
mode.*/
ZXR10(config-bridge)#virtual-link ulei-0/5/1/1 ulei-0/5/1/2 /*Bind two ULEI
interfaces.*/
ZXR10(config-bridge)#exit
2. Configure the L2VPN.
ZXR10(config)#mpls l2vpn enable /*Globally enable the L2VPN function.*/
ZXR10(config)#vpls zte-vpn1 /*Create a VPLS instance.*/
ZXR10(config-vpls-zte-vpn1)#access-point ulei-0/5/1/1 /*Bind the ULEI interface to
the VPLS.*/
ZXR10(config-vpls-zte-vpn1-ac-ulei-0/5/1/1)#access-params ethernet
ZXR10(config-vpls-zte-vpn1-ac-ulei-0/5/1/1-eth)#!
ZXR10(config-vlan-if-gei-0/7/0/3.300)#encapsulation-dot1q 300 /*Encapsulate the VLAN to
the interface.*/
ZXR10(config-vlan-if-gei-0/7/0/3.300)#exit
ZXR10(config)#vpls zte-vpn1
ZXR10(config-vpls-zte-vpn1)#access-point ulei-0/7/0/3.300 /*Bind an ordinary physical
interface to the VPLS.*/
ZXR10(config-vpls-zte-vpn1-ac-gei-0/7/0/3.300)#access-params ethernet
ZXR10(config-vpls-zte-vpn1-ac-gei-0/7/0/3.300-eth)#
3. Configure a VCC on the ULEI interface:
ZXR10(config-vcc)#interface ulei-0/5/1/2
ZXR10(config-vcc-if)#encapsulation multi
21-4

Chapter 21 L2VPN Access Configuration
4. For how to configure the VBUI, Domain, and PPPoX, refer to the Configuration Guide
(IPv4 BRAS) manual for this product .
Check the ULEI configurations:
ZXR10(config)#show running-config-interface ulei-0/5/1/2
!<port-request-info>
request interface ulei-0/5/1/2
!</port-request-info>
!<Interface>
interface ulei-0/5/1/2
no shutdown
$
!</Interface>
!<UBRIDGE>
service-bridging virtual-links
virtual-link ulei-0/5/1/1 ulei-0/5/1/2
$
!</UBRIDGE>
!<uim>
vcc-configuration
interface ulei-0/5/1/2
encapsulation multi
pppox template 1000
$
$
!</uim>
Check the information about PPPoX users getting online:

ZXR10#show subscriber pppox
***************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-identify :58
user-name :sublm2000-201
domain-name :lm2000-201
local-domain-name :lm2000-201
authorize-domain-name :lm2000-201
mac-address :0010.1400.0001
session-id :6
access-interface :ulei-0/5/1/2 /*The interface on which the user dials up
21-5

to get online is ulei-0/5/1/2.*/

internal-vlan :0
external-vlan :0
eap-type :FALSE
sibprofileid :0
create-time :2013/09/02 17:13:42
online-time :548
restTimeType :RERENT
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :201.8.0.1
***************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
The above output indicates that the user is online.
21-6

Chapter 22
Relation Binding Between
Domain Name and WEB
Server
Table of Contents
Overview ..................................................................................................................22-1
Binding a Domain to a Web Server...........................................................................22-1
Configuration Example for Binding a Domain to a Web Server .................................22-2
22.1 Overview
All WEB server configuration commands are executed through the vbui interface.
Because the vbui interface is not bound to a domain, an online user cannot distinguish
the corresponding URL push address. To distinguish the push address based on the
domain name, a domain name needs to be bound to a WEB server.
You can simultaneously bind a domain to a WEB server and bind a WEB server to the vbui
interface. The WEB server bound to a domain takes precedence over that bound to the
vbui interface. This binding function is unavailable for the push address configuration of
IPv6 users.
22.2 Binding a Domain to a Web Server

This procedure describes how to bind a domain to a Web server.
Steps
1. Create a Web server.
1 ZXR10(config)#subscriber-manage Enters BRAS global mode.
2 ZXR10(config-submanage)#web-server<number> Creates a Web server. The

Web server number ranges
from 1 through 10.
22-1

Command Function
ZXR10(config-submanage-websvr-number)#ip-addr Configures the IP address of the

<ip-address>{[port <udp-port>]|[backup]} Web server.
ZXR10(config-submanage-websvr-number)#url <url> Configures the push page

address.
ZXR10(config-submanage-websvr-number)#uas-ip Configures the IP address used

<ip-address> interface <interface-name> by the local device to connect to
the Web server.
ZXR10(config-submanage-websvr-number)#version {v1| v2 Configures the version ID of

[key <key>]| v3}[key <key>] the portal, and the password
used to communicate with the
authentication server.
3. Bind a domain to the Web server.
1 ZXR10(config-submanage)#domain<domain-name> Enters configuration mode of

a domain.
2 ZXR10(config-submanage-domain)#web-server<numb Binds the domain to the Web

er> server created in the previous
step.
Step Function
ZXR10(config)#show running-config portal Queries all configuration related

to the Web server.
ZXR10(config)#show configuration submanage web-server Queries status and property

information of the Web server.
22.3 Configuration Example for Binding a Domain to

a Web Server
As shown in Figure 22-1. The address of the virtual vbui interface is 6.6.1.1, and the ZXR10
connects to the Web server through interface fei-0/1/0/11. DHCP and Web authentication
is required when client PC1 accesses the Internet. Web server 10 is bound to the domain.
22-2

Chapter 22 Relation Binding Between Domain Name and WEB Server
Figure 22-1 Binding Instance Between a Domain and a Web Server
Configuration Flow
1. Configure common DHCP access.
2. Configure a Web server.
3. Configure the Web push address and its ACL.
4. Configure Web authentication, and bind a domain to the Web server.
1. Configure the common DHCP on the ZXR10 as follows:
22-3


ZXR10(config)#dhcp
/*Configure the IP address of the interface used to connect to the Web server*/
2. Configure a Web server as follows:
ZXR10(config)#subscriber-manag
ZXR10(config-submanage)#web-server 10 /*Create Web server 10*/
ZXR10(config-submanage-websvr-10)#http-param uas-id 1234 /*This command is optional*/
ZXR10(config-submanage-websvr-10)#http-param uas-name zte /*This command is optional*/
ZXR10(config-submanage-websvr-10)#http-param user-name msg/*This command is optional*/
/*Configure the IP address of the Web server*/
ZXR10(config-submanage-websvr-10)#url http://172.16.1.1:88
/*Configure the push page*/
/*Configure the IP address
(of the network exit) used to bind the local domain and the Web server*/
ZXR10(config-submanage-websvr-10)#version v2 key zte
ZXR10(config-submanage-websvr-10)#exit
3. Configure the Web push address and its ACL as follows:
ZXR10(config-vbui-if)#web-force authentication /*Force Web authentication*/
ZXR10(config-vbui-if)#web-acl zte /*Configure the ACL for message delivery*/
22-4

4. Configure Web authentication, and bind a domain to the Web server as follows:
ZXR10(config-submanage-domain)web-server 10 /*Bind the Web Server to domain 1*/
ZXR10(config-submanage)#local-subscriber zte domain-name domain1 password 123
Run the show running-config portal command to query all related configuration of the Web
server.
ZXR10(config)#show running-config portal
! <PORTAL>
!
subscriber-manage
web-server 10
ip-addr 172.16.1.1
url http://172.16.1.1:88
version v2 key zte
$
$
! </PORTAL>
Run the show configuration submanage web-server command to query the status and
properties of the Web server.
ZXR10(config)#show configuration submanage web-server

Portal server-id 10:
ip-addr : 172.16.1.1
backupIp 1: 0.0.0.0
backupIp 2: 0.0.0.0
backupIp 3: 0.0.0.0
backupIp 4: 0.0.0.0
backupIp 5: 0.0.0.0
22-5

udp-port : 50100
url : http://172.16.1.1
http-para:
uas-name : zte
user-name : msg
uas-id : 1234
user-mac-key :
Run the show configuration submanage listening-port command to query the status of the
Web server listening port.
Run the show subscriber ipox interface command to check whether the user is online.
ZXR10(config)#show subscriber ipox interface fei-0/1/0/10
*******************************************************************************
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
user-name :zte
session-id :0
internal-vlan :0
external-vlan :10
sibprofileid :0
create-time :2011/08/08 14:08:26
online-time :24
22-6

vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
vrf-name :
vpn-id :0
gateway :6.6.1.1
second-dns :0.0.0.0
*******************************************************************************
-------------------------------------------------------------------------------
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
-------------------------------------------------------------------------------
The above command output indicates that the user is online.
22-7

22-8

Figures
Figure 2-1 Basic IPoE Network Structure .................................................................. 2-1
Figure 2-2 Network Structure When ZXR10 M6000 Works as a Server..................... 2-2
Figure 2-3 Interaction Flow Between DHCP Client and DHCP Server ....................... 2-3
Figure 2-4 Network Structure When ZXR10 M6000 Works as a Relay ...................... 2-3
Figure 2-5 Interaction Flow Between DHCP Client and DHCP Relay ........................ 2-4
Figure 2-6 Network Topology of DHCP Boot-Strap Authentication............................. 2-4
Figure 2-7 Network Topology of DHCP+WEB Authentication .................................... 2-6
Figure 2-8 Network Topology of Option Authentication Configuration (Server
Mode) ................................................................................................... 2-13
Figure 2-9 Network Topology of Circuit Authentication Configuration....................... 2-17
Figure 2-10 Network Topology of DHCP+WEB Authentication Configuration ........... 2-21
Figure 2-11 Option Authentication Configuration Example (Relay Mode)................. 2-26
Figure 2-12 Network Topology of Circuit Authentication (Relay Mode) .................... 2-31
Figure 2-13 Network Topology of DHCP+WEB Authentication (Relay Mode) ........... 2-37
Figure 3-1 Network Structure for IP-HOST Services ................................................. 3-2
Figure 3-2 Basic IP-HOST Network Structure ........................................................... 3-6
Figure 4-1 PPPoE Communication Flow .................................................................. 4-2
Figure 4-2 Basic PPPoE Network Structure .............................................................. 4-7
Figure 4-3 Basic PPPoEoVv4 Network Structure .................................................... 4-10
Figure 4-4 Account Sharing Configuration Example ................................................ 4-14
Figure 4-5 Exact Binding Configuration Example .................................................... 4-17
Figure 4-6 Example of the Multi-Level Domain Name Resolution
Configuration ........................................................................................ 4-20
Figure 5-1 Three Access Modes of L2TP .................................................................. 5-3
Figure 5-2 L2TP Encapsulation Procedure of PPP Frames ....................................... 5-4
Figure 5-3 L2TP Packet Encapsulation Structure ...................................................... 5-4
Figure 5-4 Typical LTS .............................................................................................. 5-5
Figure 5-5 Typical L2TP LTS Application Network Structure...................................... 5-5
Figure 5-6 LAC Configuration Example ................................................................... 5-10
Figure 5-7 Networking Topology for LTS Configuration............................................ 5-15
Figure 5-8 LNS Configuration Example ................................................................... 5-19
Figure 5-9 Flexible Protection Solution Example in L2TP Mode .............................. 5-24

Figure 6-1 AAA General Frame Diagram .................................................................. 6-2

Figure 6-2 BRAS AAA Configuration Example .......................................................... 6-5
Figure 7-1 Typical Network Structure for RADIUS ..................................................... 7-2
Figure 7-2 RADIUS Network with a Proxy Server...................................................... 7-2
Figure 7-3 BRAS RADIUS Configuration Example .................................................. 7-10
Figure 7-4 RADIUS Proxy Server Configuration Instance ....................................... 7-13
Figure 8-1 Dynamic VLAN Network Structure ........................................................... 8-1
Figure 8-2 Network Topology for Dynamic VLAN Configuration................................. 8-3
Figure 9-1 Network Structure for PPPoE Roaming Access ....................................... 9-7
Figure 9-2 Network Structure for Subscriber Offline Code Adjustment .................... 9-11
Figure 9-3 Networking Topology for Authentication Frequency Control.................... 9-12
Figure 9-4 Network Topology for Authentication Frequency Control
Configuration ........................................................................................ 9-14
Figure 9-5 Default Domain Configuration Example.................................................. 9-15
Figure 9-6 Example of the User Access Control Configuration ............................... 9-18
Figure 10-1 Networking Topology for PPPoX Advertisement Push .......................... 10-8
Figure 10-2 Networking Topology for Arrear Push ................................................. 10-12
Figure 11-1 Network Topology for PPPoE-Mode QinQ Access ................................ 11-4
Figure 11-2 Networking Topology for IP-HOST-Mode QinQ Access....................... 11-10
Figure 12-1 Networking Topology for PPPoEoA User Access ................................. 12-2
Figure 12-2 Networking Topology for ATM Access .................................................. 12-3
Figure 13-1 Networking Topology for Layer-3 Access ............................................. 13-2
Figure 13-2 Example: Dynamic User Obtains IP Address in Layer-3
Network ................................................................................................ 13-3
Figure 13-3 DHCP OPTION Authentication Flow .................................................... 13-3
Figure 13-4 DHCP WEB Authentication Flow.......................................................... 13-4
Figure 13-5 Static/Stream User Access to the Network ........................................... 13-5
Figure 13-6 Networking Topology for DHCP OPTION User Access....................... 13-20
Figure 13-7 Networking Topology for DHCP WEB User Access ............................ 13-26
Figure 13-8 Networking Topology for Static User Access ...................................... 13-30
Figure 13-9 Networking Topology for Stream User Access.................................... 13-35
Figure 14-1 Networking Topology for Subscriber Multicast Access.......................... 14-8
Figure 14-2 Networking Topology for PPPoEv4 Subscriber Multicast
Access................................................................................................ 14-16
Figure 15-1 QoS Application ................................................................................... 15-3
Figure 15-2 Networking Topology for Input SUB-CAR Rate Limit ............................ 15-6
II

Figures
Figure 15-3 Networking Topology for Output SUB-CAR Rate Limit.......................... 15-9
Figure 15-4 Rate Limit (VCC VLAN-Based) Configuration Example ...................... 15-13
Figure 15-5 Networking Topology for PQ Rate Limit.............................................. 15-18
Figure 15-6 Networking Topology for WFQ Rate Limit........................................... 15-23
Figure 16-1 LEASED-LINE Application ................................................................... 16-2
Figure 16-2 LEASED-LINE Configuration Instance ................................................. 16-5
Figure 17-1 Networking Topology for User-Side Policy Routing Configuration ........... 17-2
Figure 18-1 Networking Topology for Cluster Hot Standby Solution......................... 18-2
Figure 18-2 1:1 Redundancy Application................................................................. 18-3
Figure 18-3 Dual Server Cluster Hot Standby State Transfer .................................. 18-5
Figure 18-4 Hot Standby Configuration Example ................................................... 18-9
Figure 19-1 Networking Topology for Cold Standby Function Configuration ............ 19-5
Figure 20-1 Typical Network for AC Separation Access .......................................... 20-1
Figure 20-2 AC Separation Access Configuration Instance ..................................... 20-5
Figure 21-1 Typical MAN ........................................................................................ 21-2
Figure 21-2 L2VPN Access Configuration Instance................................................. 21-3
Figure 22-1 Binding Instance Between a Domain and a Web Server....................... 22-3
III

Figures
IV

Glossary
AAA
- Authentication, Authorization and Accounting
AC
- Access Controller
ACL
- Access Control List
ADSL
- Asymmetric Digital Subscriber Line
AP
- Access Point
ARP
- Address Resolution Protocol
ATM
- Asynchronous Transfer Mode
BFD
- Bidirectional Forwarding Detection
BRAS
- Broadband Remote Access Server
CAR
- Committed Access Rate
CHAP
- Challenge Handshake Authentication Protocol
CIR
- Committed Information Rate
DHCP
- Dynamic Host Configuration Protocol
DNS
- Domain Name Server
DSL
- Digital Subscriber Line
DSLAM
- Digital Subscriber Line Access Multiplexer
EAP
- Extend Authentication Protocol

GRE
- General Routing Encapsulation
H-QoS
- Hierarchical-QoS
HIS
- High Internet Service
HTTP
- Hypertext Transfer Protocol
IGMP
- Internet Group Management Protocol
IPCP
- IP Control Protocol
IPSec
- IP Security Protocol
IPTV
- Internet Protocol Television
IPoE
- Internet Protocol over Ethernet
ISDN
- Integrated Services Digital Network
ISP
- Internet Service Provider
L2TP
- Layer2 Tunnel Protocol
LAC
- L2TP Access Concentrator
LACP
- Link Aggregation Control Protocol
LAN
- Local Area Network
LDP
- Label Distribution Protocol
LLQ
- Low Latency Queueing
LNS
- L2TP Network Server
LSP
- Label Switched Path
VI

Glossary
MAC
- Media Access Control
MAN
- Metropolitan Area Network
MPLS
- Multiprotocol Label Switching
MRU
- Maximum Receive Unit
MTBF
- Mean Time Between Failures
MTTR
- Mean Time To Recovery
NAS
- Network Access Server
NE
- Network Element
NGN
- Next Generation Network
PC
- Personal Computer
PIR
- Peak Information Rate
PPP
- Point to Point Protocol
PPPoE
- Point to Point Protocol over Ethernet
PPTP
- PPP Tunnel Protocol
PQ
- Priority Queuing
PSTN
- Public Switched Telephone Network
PVC
- Permanent Virtual Circuit
RADIUS
- Remote Authentication Dial In User Service
SAL
- Service Access-List
VII

SSM
- Source Specific Multicast
TCP
- Transmission Control Protocol
TCP/IP
- Transmission Control Protocol/Internet Protocol
ToS
- Type of Service
UDP
- User Datagram Protocol
URL
- Uniform Resource Locator
VCC
- Virtual Channel Connection
VCC
- Virtual Customer Circuit
VLAN
- Virtual Local Area Network
VLL
- Virtual Leased Line
VPDN
- Virtual Private Dialup Network
VPLS
- Virtual Private LAN Service
VPN
- Virtual Private Network
VRF
- Virtual Route Forwarding
VRRP
- Virtual Router Redundancy Protocol
WAN
- Wide Area Network
WEB
- Web
WFQ
- Weighted Fair Queuing
VIII

ZXR10 M6000 (V2.00.20) Carrier-Class Router Configuration Guide (IPv4 BRAS)

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ZXR10 M6000 (V2.00.20) Carrier-Class Router Configuration Guide (IPv4 BRAS)

Uploaded by

Copyright:

Available Formats

ZXR10 M6000

Revision No. Revision Date Revision Reason

R2.1 2014-10-15 Fourth edition.

Adds chapter “Relation Binding Between Domain Name and WEB

R2.0 2014-02-15 Third edition.

R1.1 2013-08-30 Second edition.

“LEASED-LINE Configuration” is added.

“AC Separation Access Configuration” is added.

“L2VPN Access Configuration” is added.

R1.0 2013-07-05 First edition.

Serial Number: SJ-20140211164601-022

Publishing Date: 2014-10-15 (R2.1)

SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

Chapter 3 IP-HOSTv4 Configuration......................................................... 3-1

Chapter 4 PPPoEv4 Configuration............................................................ 4-1

Chapter 5 VPDN Configuration ................................................................. 5-1

SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

Chapter 6 BRAS AAA Configuration ........................................................ 6-1

Chapter 7 BRAS RADIUS Configuration .................................................. 7-1

Chapter 8 Dynamic VLAN Configuration.................................................. 8-1

Chapter 9 Subscriber Management Configuration.................................. 9-1

Chapter 10 Page Push Configuration ..................................................... 10-1

Chapter 11 BRAS SmartGroup Access Configuration.......................... 11-1

SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

Chapter 12 ATM Access Configuration .................................................. 12-1

Chapter 13 Layer-3 Access Configuration ............................................. 13-1

Chapter 14 User-Side Multicastv4 Configuration .................................. 14-1

Chapter 15 User-Side QoSv4 Configuration .......................................... 15-1

Chapter 16 LEASED-LINE Configuration ............................................... 16-1

SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

Chapter 17 User-Side Policy Routing Configuration ............................ 17-1

Chapter 18 Dual Server Cluster Hot Standby Configuration................ 18-1

Chapter 19 Cold Standby Configuration ................................................ 19-1

Chapter 20 AC Separation Access Configuration ................................. 20-1

Chapter 21 L2VPN Access Configuration .............................................. 21-1

Chapter 22 Relation Binding Between Domain Name and WEB

SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

What Is in This Manual

Chapter 3, IP-HOSTv4 Describes IP-HOSTv4 principles, configuration commands and

Chapter 4, PPPoEv4 Describes PPPoEv4 principles, configuration commands and ex-

Chapter 7, BRAS RADIUS Describes BRAS RADIUS principles, configuration commands

Chapter 8, Dynamic VLAN Describes dynamic VLAN principles, configuration commands

Chapter 9, Subscriber Describes subscriber management principles, configuration com-

SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

Chapter 22, Relation Binding Be-

SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

| Separates individual parameters in a series of parameters.

Warning: indicates a potentially hazardous situation. Failure to comply can result in

Caution: indicates a potentially hazardous situation. Failure to comply can result in

Note: provides additional information about a certain topic.

SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

Dynamic Subscriber Access

Static Subscriber Access

SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

Subscriber Authentication, Authorization and Accounting

Dynamic VLAN Access

Smartgroup Interface Access

SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

2.1 IPoEv4 Overview

Figure 2-1 Basic IPoE Network Structure

SJ-20140211164601-022|2014-10-15 (R2.1) ZTE Proprietary and Confidential

Network Structure When ZXR10 M6000 Works as a Server

Figure 2-2 Network Structure When ZXR10 M6000 Works as a Server