Professional Documents
Culture Documents
ZXR10 M6000 (V2.00.20) Carrier-Class Router Configuration Guide (IPv4 BRAS)
ZXR10 M6000 (V2.00.20) Carrier-Class Router Configuration Guide (IPv4 BRAS)
Carrier-Class Router
Configuration Guide (IPv4 BRAS)
Version: 2.00.20
ZTE CORPORATION
No. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://support.zte.com.cn
E-mail: support@zte.com.cn
LEGAL INFORMATION
Copyright © 2014 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit the ZTE technical support website http://support.zte.com.cn to inquire for related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.
Revision History
II
III
Figures............................................................................................................. I
Glossary .........................................................................................................V
IV
Intended Audience
This manual is intended for:
l Network planning engineers
l Commissioning engineers
l Maintaining engineers
Chapter Summary
Chapter 1, BRAS Service Describes functions and principles related to BRAS services.
Overview
Chapter 2, IPoEv4 Configuration Describes IPoEv4 principles, configuration commands and exam-
ples.
Chapter 5, VPDN Configuration Describes VPDN principles, configuration commands and exam-
ples.
Chapter 6, BRAS AAA Describes BRAS AAA principles, configuration commands and
Configuration examples.
Chapter 10, Page Push Configura- Describes the page push principles, configuration commands and
tion examples.
Chapter 11, BRAS SmartGroup Describes BRAS SmartGroup access principle, configuration
Access Configuration commands and examples.
Chapter 12, ATM Access Configu- Describes ATM access principle, configuration commands and
ration examples.
Chapter 13, Layer-3 Access Con- Describes the BRAS layer-3 access principles, configuration com-
figuration mands and examples.
Chapter 14, User-Side Multicastv4 Describes user-side multicastv4 principles, configuration com-
Configuration mands and examples.
Chapter 15, User-Side QoSv4 Describes user-side QoSv4 principles, configuration commands
Configuration and examples.
Chapter 16, LEASED-LINE Con- Describes the principles, configuration commands and examples
figuration for LEASED-LINE.
Chapter 17, User-Side Policy Describes the principles, configuration commands and examples
Routing Configuration for user-side policy routing.
Chapter 18, Dual Server Cluster Describes dual-server cluster hot-standby functional principles,
Hot Standby Configuration configuration commands and examples.
Chapter 19, Cold Standby Config- Describes cold standby functional principles, configuration com-
uration mands and examples.
Chapter 20, AC Separation Ac- Describes separation access configuration functional principles,
cess Configuration configuration commands, and examples.
Chapter 21, L2VPN Access Con- Describes L2VPN access functional principles, configuration com-
figuration mands, and examples.
Conventions
This manual uses the following conventions.
Typeface Meaning
Italics Variables in commands. It may also refer to other related manuals and documents.
Bold Menus, menu options, function names, input fields, option button names, check boxes,
drop-down lists, dialog box names, window names, parameters, and commands.
Constant Text that you type, program codes, filenames, directory names, and function names.
width
[] Optional parameters.
{} Mandatory parameters.
II
III
IV
1-1
User-Side Multicast
Multicast consists of network-side multicast and user-side multicast. They differ each other
in route egress. The egress of user-side multicast is a VBUI interface. There may be
several multicast users on this interface. Therefore, it is necessary to make several copies
of a multicast flow. The egress of network-side multicast is a common Layer 3 interface.
There are no users on this interface. Therefore, there is only copy of a multicast flow at
most. For details, refer to the "User-Side Multicastv4 Configuration" chapter.
User-Side Qos
The user-side QoSv4 function in the ZXR10 M6000's BRAS services includes rate limit
and congestion management. For details, refer to the "User-Side QoSv4 Configuration"
chapter.
1-2
According to the authentication modes, IPoEv4 service is classified into DHCP boot-strap
authentication access and DHCP+WEB authentication access. DHCP boot-strap
authentication access can be classified into DHCP Option60 authentication access and
DHCP circuit authentication access. The three access modes are DHCP-based.
According to the role that the ZXR10 M6000acts as (working as a DHCP server that is
responsible for assigning IP addresses, or working as a DHCP relay that is responsible
for forwarding packets) during subscriber access, there are two types of IPoEv4 service
network structures, as described below.
2-1
When receiving a DHCP Discover message sent by the client, ZXR10 M6000 assigns an
idle IP address from the address pool, and then it sends a DHCP Offer message as a reply
according to the information in the DHCP Discover message.
When receiving a DHCP Request message sent by the client, ZXR10 M6000 searches
for the address assignment information of the subscriber according to the client hardware
address in the message and the current vpnid. If the address assignment information of
the subscriber is found, ZXR10 M6000 replies with a DHCP Ack message, and then the
client can obtain an IP address and comes online successfully. Otherwise, ZXR10 M6000
replies with a DHCP Nak message.
When receiving the DHCP Nak message, the client sends a DHCP Discover messages
again, and starts to request an address through the DHCP again.
If no lease time is configured, the default lease time of the address that ZXR10 M6000
assigns to the subscriber is 3600 seconds. After 50% of the lease time passes, the client
sends a unicast DHCP Request message automatically to renew the lease. If the lease
is renewed successfully, the lease time is extended. Otherwise, after 87.5% of the lease
term passes, the client sends a broadcast request message to renew the lease time. If the
lease is not renewed successfully, the client cannot use this address when the lease time
expires. The client needs to start to request an address through the DHCP again.
When receiving the DHCP Release message sent by the client, ZXR10 M6000 releases
the binding between the address and the client, and reclaims the IP address.
Figure 2-3 shows the interaction flow between a DHCP client and a DHCP server.
2-2
Figure 2-3 Interaction Flow Between DHCP Client and DHCP Server
As DHCP messages are broadcast, they cannot go through several subnets. DHCP Relay
can solve this problem. It makes that a client and a server that are not on the same segment
can ping each other successfully. In this way, different clients can share the same DHCP
server.
Figure 2-5 shows the interaction flow between a DHCP client and a DHCP relay.
2-3
Figure 2-5 Interaction Flow Between DHCP Client and DHCP Relay
2-4
1. A subscriber logs in to the client, and sends a DHCP Discover message to request an
address through the DHCP.
2. When receiving the message, the ZXR10 M6000 obtains the Option60 information
from the message. Then it resolves the information according to the Option60
resolution method that the subscriber configures to obtain the information such as
username, password and domain name. By default, the username is the Medium
Access Control (MAC) address, and then authentication type is optionparse (that
is, resolve Option60 by domain name/password). After that, the ZXR10 M6000
obtains the authentication mode according to the domain name. If it is local
authentication, the ZXR10 M6000 triggers a local authentication flow. It compares the
subscriber information obtained with the local subscriber information configured. If the
information is consistent, the subscriber is considered to passes the authentication
successfully. The server assigns an IP address, and replies a DHCP Offer message.
If the information is not consistent, the server does not assign an address, or replies
a DHCP Offer message.
2-5
2-6
3. WEB authentication
The subscriber enters the username and password on the WEB authentication page to
attempt to access the page. The username format is "username configured @ current
domain name".
After receiving the authentication request form the subscriber, if CHAP authentication
is used, the portal server sends a challenge request message to the portal client (it is
ZXR10 M6000 here). After the portal client replies a challenge code, the portal server
sends an authentication request message that contains the username and password
the subscriber enters.
At this time, the portal client searches for the authentication mode after receiving the
username and password. If it is local authentication, the ZXR10 M6000 triggers a
local authentication flow. If it is RADIUS authentication, ZXR10 M6000 sends the
information to the RADIUS server for authentication.
If the subscriber passes the authentication successfully, the ZXR10 M6000 modifies
the ACL of the subscriber, and allows the subscriber to come online. At the same
time, the ZXR10 M6000 informs the portal server that the subscriber has passed the
authentication, and the portal server notifies the subscriber of the authentication result.
If the subscriber does not pass the authentication, the ZXR10 M6000 informs the portal
server that the subscriber fails to pass the authentication, and then the portal server
notifies the subscriber of the authentication result.
Steps
1. Configure a network-side interface.
2-7
2-8
multi: Supports the IPoE encapsulation type and PPPoE encapsulation type. Both
DHCP users and PPPoE users are allowed to access the services.
ip-over-ethernet: When the encapsulation type is set to IPoE, only DHCP users are
allowed to access the BRAS services.
mac: Uses the MAC address of a user as the username.
option60: Uses the option60 text as the username.
mac-option82: Uses the MAC address and the option82 text as the username.
default: Uses the default self-defined format ("host name" + "-" + "3-digit slot number"
+ "1-digit card number" + "two-digit port number" + "four-digit outer VLAN ID" + "0" +
"4-digit inner VLAN ID") to encapsulate user names.
option82-default: Uses the option82 field as the username preferentially. If the
option82 field carried in a request packet is null or invalid, the default format is used.
option: Uses "option60" as the domain name.
optionstring: Uses the information in the option60 field as the domain name. The
username type must be "option60" in such a situation.
optionparse: Uses the information in the option60 field as the domain name and
password. It is not required to configure the password type in such a situation.
config: Specifies a password configuration action.
2-9
6. Configure an SAL.
2-10
7. Configure a domain.
2-11
Command Function
– End of Steps –
2-12
Flow
1. Configure a domain and related authentication information. Here, local authentication
is used.
2. Configure a VBUI to be a virtual BRAS user-side interface. Configure an address pool
in VBUI configuration mode, and set the access domain to the domain created in Step
1.
3. Configure an interface in VCC configuration mode. Common users can come online
without any other configuration. For Option users, it is required to enable Option
authentication.
4. Enable the DHCP function in DHCP configuration mode, and set the DHCP server
mode in VBUI-ip-pool configuration mode.
Commands
Run the following commands on the ZXR10 M6000.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type local
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#domain option60
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#dhcp-mode server
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#local-sub 00-69-96-00-00-01 domain-name
option60 password 123
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#exit
2-13
ZXR10(config)#interface vbui5
ZXR10(config-if-vbui5)#ip address 10.1.1.1 255.255.255.0
ZXR10(config-if-vbui5)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui5
ZXR10(config-vbui-if)#ip-pool pool-name dhcppool pool-id 5
ZXR10(config-vbui-if-ip-pool)#access-domain option60
ZXR10(config-vbui-if-ip-pool)#ip dhcp instance server 256
ZXR10(config-vbui-if-ip-pool)#member 1
ZXR10(config-vbui-if-ip-pool-member)#start-ip 10.1.1.1 end-ip 10.1.1.255
ZXR10(config-vbui-if-ip-pool-member)#exit
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface fei-0/4/0/4
ZXR10(config-vcc-if)#encapsulation ip-over-ethernet
ZXR10(config-vcc-if)#ipox authentication-type ipv4 dhcpv4 option
ZXR10(config-vcc-if)#dhcp-v4 auth-on-up username-type mac domain-type optionparse
/*For normal subscribers, the above two commands are not required*/
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
Verification
Check the BRAS domain configuration on the ZXR10 M6000, as shown below.
ZXR10#show running-config aim
! <AIM>
subscriber-manage
authentication-template zte
authentication-type local
$
domain option60
bind authentication-template zte
$
2-14
Check the configuration of the BRAS VCC interface and DHCP, as shown below.
ZXR10#show running-config uim
! <UIM>
vbui-configuration
interface vbui5
$
!
vcc-configuration
interface fei-0/4/0/4
ipox authentication-type ipv4 dhcpv4 option
encapsulation ip-over-ethernet
$
!
! </UIM>
2-15
Run the show subscriber ipox command, and verify that the subscriber is on line.
ZXR10(config)#show subscriber ipox
*******************************************************************************
Subscriber Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :12
user-name :00-69-96-00-00-01
domain-name :option60
local-domain-name :option60
authorize-domain-name :option60
mac-address :0069.9600.0001
session-id :0
access-interface :fei-0/4/0/4
internal-vlan :0
external-vlan :0
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
authentication-time :2012/05/18 12:06:43
create-time :2012/05/18 12:06:43
online-time :13
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 DHCP SERVER
ipv4-address :10.1.1.2
vrf-name :
vpn-id :0
gateway :10.1.1.1
primary-dns :
second-dns :
record-status :CREATED
*******************************************************************************
2-16
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
Flow
1. Configure the DHCP, a domain (including an alias, authentication mode and
accounting mode), a VBUI (including a gateway address, an address pool) and a
Virtual Channel Connection (VCC) (including the encapsulation mode).
2. Set the boot-strap authentication mode to circuit authentication.
3. For local authentication and RADIUS authentication, configure the usernames and
passwords on the local PC and RADIUS Server.
4. In BRAS configuration mode, configure the user circuit information and the
relationships between usernames, passwords and domain names. For RADIUS
authentication, it is unnecessary to configure the information on the local PC.
Commands
Configuration on ZXR10:
l Enable the DHCP function globally, and configure the DHCP server.
ZXR10(config)#ip dhcp server instance 256
2-17
ZXR10(config-dhcps-instance)#dhcp-pool zte
ZXR10(config-dhcps-instance)#exit
ZXR10(config)#dhcp
ZXR10(config-dhcp)#enable
ZXR10(config-dhcp)#exit
l Configure a domain.
ZXR10(config)#subscriber-manage
ZXR10(config-manage)#authentication-template zte
ZXR10(config-manage-authen-template)#authentication-type local
ZXR10(config-manage-authen-template)#exit
ZXR10(config-manage)#domain domain1
ZXR10(config-manage-domain)#dhcp-mode server
/*Configure a alias for VBUI binding, and set DHCP mode.*/
ZXR10(config-manage-domain)#bind authentication-template zte
/*Bind BARS authentication*/
ZXR10(config-manage-domain)#exit
ZXR10(config-manage)#local-subscriber wx domain-name domain1 password 123
/*Configure the username, password and domain name for the local PC*/
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-manage)#circuit-map eth-cir external-vlan 0 internal-vlan-range 0
interface fei-0/4/0/15 wx domain1 123
/*Configure the user circuit information and the relationship between the username,
password and domain name*/
l Configure a user interface address.
ZXR10(config)#interface vbui200 /*Create a VBUI*/
ZXR10(config-if-vbui200)#ip address 40.0.0.1 255.255.255.0
/*Configure an IP address*/
ZXR10(config-if-vbui200)#exit
l Configure the VBUI parameters and an IP pool in VBUI configuration mode, and
configure the DHCP server in the IP pool.
ZXR10(config)#vbui-configuration /*VBUI configuration mode*/
ZXR10(config-vbui)#interface vbui200
ZXR10(config-vbui-if)#ip-pool pool-name 200 pool-id 200
ZXR10(config-vbui-if-ip-pool)#access-domain domain1
ZXR10(config-vbui-if-ip-pool)#ip dhcp instance server 256
ZXR10(config-vbui-if-ip-pool)#member 2
ZXR10(config-vbui-if-ip-pool-member)#start-ip 40.0.0.2 end-ip 40.0.0.10
/*Create an address pool*/
ZXR10(config-vbui-if-ip-pool-member)#exit
ZXR10(config-vbui-if-ip-pool)#pool-type dhcp
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
l Configure a VCC in circuit interface configuration mode, and set the encapsulation
type to IPoE on the interface connecting to the user.
2-18
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface fei-0/4/0/15 /*Enter a VCC interface*/
ZXR10(config-vcc-if)#encapsulation ip-over-ethernet /*Encapsulate IPoE*/
ZXR10(config-vcc-if)#ipox authentication-type ipv4 dhcpv4 cir-map
/*Enable circuit authentication for users accessing the network through DHCP*/
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
Verification
Check the configuration of circuit authentication, as shown below.
ZXR10#show running-config uim
! <UIM>
vbui-configuration
interface vbui200
$
vcc-configuration
interface fei-0/4/0/15
ipox authentication-type ipv4 dhcpv4 cir-map
/*The circuit authentication switch is enabled*/
encapsulation ip-over-ethernet
$
$
! </UIM>
Run the show subscriber ipox command, and verify that the subscriber is on line.
2-19
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :11
user-name :wx
domain-name :domain1
local-domain-name :domain1
authorize-domain-name :domain1
mac-address :003a.96ab.0001
session-id :0
access-interface :fei-0/4/0/15
internal-vlan :0
external-vlan :0
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
authentication-time :2012/05/18 11:56:33
create-time :2012/05/18 11:56:33
online-time :17
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 DHCP SERVER
ipv4-address :40.0.0.2
vrf-name :
vpn-id :0
gateway :40.0.0.1
primary-dns :
second-dns :
record-status :CREATED
*******************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
2-20
Configuration Flow
1. Configure the ordinary DHCP access.
2. Configure WEB authentication on a VCC.
3. Configure related attributes of the portal services. Configure a WEB Server, a WEB
ACL, and Web-web-force authentication, and bind them to the VBUI interface.
Configuration Commands
1. Configure an ordinary DHCP on the ZXR10:
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#domain domain1
ZXR10(config-submanage-domain)#dhcp-mode server
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#exit
ZXR10(config)#interface vbui1
2-21
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui1
ZXR10(config-vbui-if)#ip-pool pool-name 10 pool-id 10
ZXR10(config-vbui-if-ip-pool)#access-domain domain1
ZXR10(config-vbui-if-ip-pool)#ip dhcp instance server 256
ZXR10(config-vbui-if-ip-pool)#member 1
ZXR10(config-vbui-if-ip-pool-member)#start-ip 6.6.1.2 end-ip 6.6.1.30
ZXR10(config-vbui-if-ip-pool-member)#exit
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface fei-0/1/0/10
ZXR10(config-vcc-if)#pre-domain domain1
ZXR10(config-vcc-if)#encapsulation ip-over-ethernet
ZXR10(config-vcc-if)#ipox authentication-type ipv4 dhcpv4 web
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
ZXR10(config)#dhcp
ZXR10(config-dhcp)#enable
ZXR10(config-dhcp)#exit
ZXR10(config)#interface fei-0/1/0/11
/*Configure an address for the interface connecting to the WEB Server.*/
ZXR10(config-if-fei-0/1/0/11)#no shutdown
ZXR10(config-if-fei-0/1/0/11)#ip address 172.16.1.2 255.255.255.0
ZXR10(config-if-fei-0/1/0/11)#exit
2. Configure the attributes of the WEB server.
ZXR10(config)#subscriber-manag
ZXR10(config-submanage)#web-server 1
ZXR10(config-submanage-websvr-1)#http-param uas-id 1234
ZXR10(config-submanage-websvr-1)#http-param uas-name zte
ZXR10(config-submanage-websvr-1)#http-param user-name msg
ZXR10(config-submanage-websvr-1)#ip-add 172.16.1.1
/*The address of the WEB server*/
ZXR10(config-submanage-websvr-1)#url http://172.16.1.1:88/LoginOn.jsp
2-22
Verification
Run the show running-config portal command to view the WEB server configuration.
2-23
Run the show configuration submanage web-server command to check the status and
attributes of the WEB server configuration, as shown below.
ZXR10(config)#show configuration submanage web-server
Portal server-id 1:
ip-addr : 172.16.1.1
backupIp 1: 0.0.0.0
backupIp 2: 0.0.0.0
backupIp 3: 0.0.0.0
backupIp 4: 0.0.0.0
backupIp 5: 0.0.0.0
vbui-bind-counter : 3
version : 2 key : zte
udp-port : 50100
main listening-port : 2000
second listening-port 1 : 0
second listening-port 2 : 0
second listening-port 3 : 0
second listening-port 4 : 0
uas-ip: 172.16.1.2 uas-ifindex: 108
url : http://172.16.1.1
http-para:
uas-name : zte
user-name : msg
uas-id : 1234
user-mac-key :
Run the show configuration submanage listening-port command to check the status of the
listening port for the WEB server, as shown below.
ZXR10(config)#show configuration submanage listening-port
listening-port: 2000 regedit-flag: TRUE
Run the show subscriber ipox interface command, and verify that the subscriber is on line.
ZXR10(config)#show subscriber ipox interface fei-0/1/0/10
*******************************************************************************
Subscriber Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :25843
user-name :zte
2-24
domain-name :domain1
local-domain-name :domain1
mac-address :001d.0f1d.ae83
session-id :0
access-interface :fei-0/1/0/10
internal-vlan :0
external-vlan :10
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
sibprofileid :0
hot-bak-status :NONE
authentication-time :2011/08/08 14:11:33
create-time :2011/08/08 14:08:26
online-time :24
charge-status :NORMAL
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 DHCP SERVER
ipv4-address :6.6.1.2
vrf-name :
vpn-id :0
gateway :6.6.1.1
primary-dns :0.0.0.0
second-dns :0.0.0.0
record-status :CREATED
*******************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
2-25
Configuration Flow
1. Configure a domain and related authentication information. Here, local authentication
is used.
2. Configure a VBUI to be a virtual BRAS user-side interface. Set the access domain to
the domain created in Step 1.
3. Configure an interface in VCC configuration mode. Ordinary users can come online
without any other configuration. For Option users, it is necessary to enable Option
authentication.
4. Configure an IP DHCP relay server group, specify a relay agent, and bind the relay
server group.
5. Enable DHCP function in DHCP configuration mode, and set DHCP relay mode in
VBUI ip pool configuration mode.
Configuration Commands
Configuration on the ZXR10 M6000 relay:
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type local
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#domain option60
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#dhcp-mode relay
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#local-subscriber 00-69-96-00-00-01 domain-name
option60 password 123
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#exit
ZXR10(config)#interface vbui5
2-26
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui5
ZXR10(config-vbui-if)#ip-pool pool-name dhcppool pool-id 5
ZXR10(config-vbui-if-ip-pool)#access-domain option60
ZXR10(config-vbui-if-ip-pool)#ip dhcp instance relay 1
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface fei-0/4/0/4
ZXR10(config-vcc-if)#ipox authentication-type ipv4 dhcpv4 option
ZXR10(config-vcc-if)#dhcp-v4 auth-on-up username-type mac domain-type
optionparse /*The two commands are not required for normal users.*/
ZXR10(config-vcc-if)#encapsulation ip-over-ethernet
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
ZXR10(config)#dhcp
ZXR10(config-dhcp)#enable
ZXR10(config-dhcp)#exit
ZXR10(config)#interface gei-0/1/1/1
ZXR10(config-if-gei-0/1/1/1)#no shutdown
ZXR10(config-if-gei-0/1/1/1)#ip address 1.1.1.2 255.255.255.0
ZXR10(config-if-gei-0/1/1/1)#exit
2-27
R2(config-if-gei-0/0/0/1)#exit
R2(config)#ip pool yq
R2(config-ip-pool)#range 10.1.1.1 10.1.1.254 255.255.255.0
R2(config-ip-pool)#exit
R2(config)#dhcp
R2(config)#enable
R2(config-dhcp)#interface gei-0/0/0/1
R2(config-dhcp-if-gei-0/0/0/1)#mode server
R2(config-dhcp-if-gei-0/0/0/1)#policy dhcppolicy
R2(config-dhcp-if-gei-0/0/0/1)#exit
R2(config-dhcp)#exit
Configuration Verification
Check the BRAS domain configuration, as shown below:
ZXR10#show running-config aim
! <AIM>
subscriber-manage
authentication-template zte
authentication-type local
$
domain option60
bind authentication-template zte
dhcp-mode relay
$
local-subscriber 00-69-96-00-00-01 domain-name option60 password 123
$
$
! </AIM>
2-28
ZXR10#show running-config am
! <AM>
vbui-configuration
interface vbui5
ip-pool pool-name dhcppool pool-id 5
access-domain option60
ip dhcp instance relay 1
$
$
$
! </AM>
Check the configuration of the BRAS VCC interface and DHCP, as shown below:
ZXR10#show running-config uim
! <UIM>
vbui-configuration
interface vbui5
$
$
vcc-configuration
interface fei-0/4/0/4
encapsulation ip-over-ethernet
ipox authentication-type ipv4 dhcpv4 option
$
$
! </UIM>
2-29
ip-pool yq
$
ip dhcp policy dhcppolicy 1
dhcp-pool dhcppool
relay-agent 10.1.1.1
$
dhcp
enable
interface gei-0/0/0/1
mode server
policy dhcppolicy
$
$
!</DHCP>
Run the show subscriber ipox command, and verify that the user is on line.
ZXR10(config)#show subscriber ipox
*******************************************************************************
Subscriber Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :13
user-name :00-69-96-00-00-01
domain-name :option60
local-domain-name :option60
authorize-domain-name :option60
mac-address :0069.9600.0001
session-id :
access-interface :fei-0/4/0/4
internal-vlan :0
external-vlan :0
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
authentication-time :2012/05/18 16:04:52
create-time :2012/05/18 16:04:52
online-time :32
limited-status :UNLIMITED
2-30
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 DHCP RELAY
ipv4-address :10.1.1.1
vrf-name :
vpn-id :0
gateway :10.1.1.1
primary-dns :
second-dns :
record-status :CREATED
*******************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
2-31
Configuration Flow
1. Configure DHCP, a domain (including an alias, authentication mode and accounting
mode), a VBUI (including a gateway address, an address pool) and a VCC (including
encapsulation mode).
2. Set the boot-strap authentication mode to circuit authentication.
3. If local authentication is used, configure the username and password on the ZXR10
M6000. If RADIUS authentication is used, configure the username and password on
the RADIUS server.
4. In BRAS configuration mode, configure the user circuit information and the relationship
between the username, password and domain name. For RADIUS authentication, it
is unnecessary to configure the information on the ZXR10 M6000.
5. Run the ip dhcp relay server group command, and run ip dhcp relay instance
command to specify a relay agent, and bind it to a relay server group. and bind the
relay server group.
6. Enable the DHCP function in DHCP configuration mode, and set a DHCP relay mode
in VBUI ip pool configuration mode.
Configuration Commands
Configuration on the ZXR10 M6000 relay:
/*Enable DHCP function globally, configure DHCP Relay.*/
ZXR10(config)#ip dhcp relay server group 1
ZXR10(config-dhcpr-server-group)#server 1 1.1.1.1 security
ZXR10(config-dhcpr-server-group)#exit
ZXR10(config)#ip dhcp relay instance 1
ZXR10(config-dhcpr-instance)#relay server group 1
ZXR10(config-dhcpr-instance)#relay agent 40.0.0.1
ZXR10(config-dhcpr-instance)#exit
ZXR10(config)#dhcp
ZXR10(config-dhcp)#enable
ZXR10(config-dhcp)#exit
/*Configure a domain*/
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#domain domain1 /*Create a domain numbered 200*/
ZXR10(config-submanage-domain)#dhcp-mode relay
/*Configure a alias used for VBUI binding and set DHCP mode.*/
ZXR10(config-submanage-domain)#exit
2-32
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#circuit-map eth-cir external-vlan 0 internal-vlan-range 0
interface fei-0/4/0/15 wangxiang domain1 123
/*Configure the user circuit information and the relationship between the username,
password and domain name*/
ZXR10(config-submanage)#local-subscriber wangxiang domain-name domain1
password 123
/*For local authentication only, used to configure the username,
password and domain name*/
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type local
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#domain domain1
ZXR10(config-submanage-domain)#bind authentication-template zte
2-33
R2(config)#ip pool yq
R2(config-ip-pool)#range 40.1.1.1 40.1.1.254 255.255.255.0
R2(config-ip-pool)#exit
R2(config)#dhcp
R2(config)#enable
R2(config-dhcp)#interface gei-0/0/0/1
R2(config-dhcp-if-gei-0/0/0/1)#mode server
R2(config-dhcp-if-gei-0/0/0/1)#policy dhcppolicy
R2(config-dhcp-if-gei-0/0/0/1)#exit
R2(config-dhcp)#exit
Verification
Check the configuration of circuit authentication, as shown below.
2-34
encapsulation ip-over-ethernet
ipox authentication-type ipv4 dhcpv4 cir-map
/*Circuit authentication is enabled.*/
$
$
! </UIM>
Run the show running-config dhcp command, check the configuration of the DHCP server.
R2#show running-config dhcp
!<DHCP>
ip dhcp pool dhcppool
ip-pool yq
$
ip dhcp policy dhcppolicy 1
dhcp-pool dhcppool
relay-agent 40.1.1.1
$
dhcp
enable
interface gei-0/0/0/1
mode server
policy dhcppolicy
$
!</DHCP>
Run the show subscriber ipox command, and verify that the user is on line.
2-35
-------------------------------------------------------------------------------
session: total up down
2-36
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
Configuration Flow
1. Configure ordinary DHCP access.
2. Enable WEB authentication on a VCC.
3. Configure related attributes of portal services, and configure a WEB Server, a WEB
ACL and WEB-page push authentication. Bind the configuration to the VBUI interface.
4. Configure authentication template (local authentication or RADIUS authentication).
5. Configure ip-pool, ip dhcp pool, ip dhcp policy on DHCP Server, and configure a static
route to the VBUI interface.
2-37
Configuration Commands
1. Configure ordinary DHCP on the ZXR10 M6000:
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#domain domain1
ZXR10(config-submanage-domain)#dhcp-mode relay
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#exit
ZXR10(config)#interface vbui1
ZXR10(config-if-vbui1)#ip address 6.6.1.1 255.255.255.0
ZXR10(config-if-vbui1)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui1
ZXR10(config-vbui-if)#ip-pool pool-name 10 pool-id 10
ZXR10(config-vbui-if-ip-pool)#access-domain domain1
ZXR10(config-vbui-if-ip-pool)#ip dhcp instance relay 1
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface fei-0/1/0/10
ZXR10(config-vcc-if)#pre-domain domain1
ZXR10(config-vcc-if)#encapsulation ip-over-ethernet
ZXR10(config-vcc-if)#ipox authentication-type ipv4 dhcpv4 web
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
ZXR10(config)#interface fei-0/1/0/11
ZXR10(config-if-fei-0/1/0/11)#no shutdown
/*Configure the address of the interface connecting to the WEB Server*/
ZXR10(config-if-fei-0/1/0/11)#ip address 172.16.1.2 255.255.255.0
ZXR10(config-if-fei-0/1/0/11)#exit
ZXR10(config)#ip dhcp relay server group 1
ZXR10(config-dhcpr-server-group)#server 1 1.1.1.1 security
ZXR10(config-dhcpr-server-group)#exit
ZXR10(config)#dhcp
2-38
ZXR10(config-dhcp)#enable
ZXR10(config-dhcp)#exit
2. Configure attributes of the WEB Server.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#web-server 1
ZXR10(config-submanage-websvr-1)#http-param uas-id 1234
ZXR10(config-submanage-websvr-1)#http-param uas-name zte
ZXR10(config-submanage-websvr-1)#http-param user-name msg
ZXR10(config-submanage-websvr-1)#ip-add 172.16.1.1
/*The address of the WEB Server*/
ZXR10(config-submanage-websvr-1)#url http://172.16.1.1:88/LoginOn.jsp
/*URL of the redirect page*/
ZXR10(config-submanage-websvr-1)#uas-ip 172.16.1.2 interface fei-0/1/0/11
/*Configure an address of the interface for the ZXR10 M6000 connecting to the
WEB Server*/
ZXR10(config-submanage-websvr-1)#version v2 key zte
ZXR10(config-submanage-websvr-1)#exit
3. Configure an ACL for WEB-page push authentication to forward packets.
ZXR10(config)#ipv4-access-list zte
ZXR10(config-ipv4-acl)#rule 10 permit ip any 172.16.1.1 0.0.0.0
ZXR10(config-ipv4-acl)#rule 20 permit ip any 172.16.1.2 0.0.0.0
ZXR10(config-ipv4-acl)#rule 30 permit ip any 6.6.1.1 0.0.0.0
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui1
ZXR10(config-vbui-if)#web-server 1 /*Bind the WEB Server*/
ZXR10(config-vbui-if)#web-force authentication /*WEB-page push authentication*/
ZXR10(config-vbui-if)#web-acl zte
/*Configure an ACL to define the criteria for sending or receiving packets*/
ZXR10(config-vbui-if)#exit
4. Configure WEB authentication.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type local
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#domain domain1
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#local-subscriber zte domain-name domain1 password 123
ZXR10(config-submanage-local-sub)#end
ZXR10(config)#interface fei-0/1/0/9
ZXR10(config-if-fei-0/1/0/9)#no shutdown
ZXR10(config-if-fei-0/1/0/9)#ip address 1.1.1.2 255.255.255.0
2-39
ZXR10(config-if-fei-0/1/0/9)#exit
5. Configure on ZXR10 M6000 Server:
R2(config)#interface fei-0/1/0/9
R2(config-if-fei-0/1/0/9)#ip address 1.1.1.1 255.255.255.0
R2(config-if-fei-0/1/0/9)#exit
R2(config)#ip pool yq
R2(config-ip-pool)#range 6.6.1.1 6.6.1.254 255.255.255.0
R2(config-ip-pool)#exit
R2(config)#dhcp
R2(config)#enable
R2(config-dhcp)#interface fei-0/1/0/9
R2(config-dhcp-if-fei-0/1/0/9)#mode server
R2(config-dhcp-if-fei-0/1/0/9)#policy dhcppolicy
R2(config-dhcp-if-fei-0/1/0/9)#exit
R2(config-dhcp)#exit
Verification
Check the DHCP+WEB authentication configuration.
Run the show running-config portal command to check the WEB Server configuration.
ZXR10 (config)# show running-config portal
! <PORTAL>
subscriber-manage
web-server 1
http-param uas-name zte
http-param user-name msg
http-param uas-id 1234
ip-addr 172.16.1.1.
uas-ip 172.16.1.2 interface fei-0/1/0/11
url http://172.16.1.1:88
2-40
Run the show configuration submanage web-server to check the status and attributes of the
WEB Server configuration, as shown below.
ZXR10#show configuration submanage web-server
Portal server-id 1:
ip-addr : 172.16.1.1
backupIp 1: 0.0.0.0
backupIp 2: 0.0.0.0
backupIp 3: 0.0.0.0
backupIp 4: 0.0.0.0
backupIp 5: 0.0.0.0
vbui-bind-counter : 3
version : 2 key : zte
udp-port : 50100
main listening-port : 2000
second listening-port 1 : 0
second listening-port 2 : 0
second listening-port 3 : 0
second listening-port 4 : 0
uas-ip: 172.16.1.2 uas-ifindex: 108
url : http://172.16.1.1
http-para:
uas-name : zte
user-name : msg
uas-id : 1234
user-mac-key :
Run the show configuration submanage listening-port command to check the status of the
listening port for the WEB Server, as shown below.
ZXR10(config)#show configuration submanage listening-port
listening-port: 2000 regedit-flag: TRUE
Run the show subscriber ipox interface command, and verify that the user is on line.
ZXR10 (config)#show subscriber ipox interface fei-0/1/0/10
*******************************************************************************
Subscriber Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :25847
user-name :zte
2-41
domain-name :domain1
local-domain-name :domain1
mac-address :001d.0f1d.ae83
session-id :0
access-interface :fei-0/1/0/10
internal-vlan :0
external-vlan :0
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
sibprofileid :0
hot-bak-status :NONE
authentication-time :2011/08/08 14:19:38
create-time :2011/08/08 14:18:38
online-time :16
charge-status :NORMAL
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 DHCP RELAY
ipv4-address :6.6.1.2
vrf-name :
vpn-id :0
gateway :6.6.1.1
primary-dns :0.0.0.0
second-dns :0.0.0.0
record-status :CREATED
*******************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
2-42
3-1
3-2
1. When receiving the ARP request from the subscriber, the ZXR10 M6000 determines
whether the subscriber has been configured, and then it compares whether the
subscriber information in the ARP request is the same as that stored on the device. If
a match is found, the subscriber is legal and allowed to come online.
2. The ZXR10 M6000 authenticates the subscriber, obtains related authorization
information, and then sends a reply to acknowledge the ARP request.
3. After related data is sent, the subscriber comes online.
The PC connects the an interface on ZXR10 M6000 directly or through a switch, and then
connects to the Internet. In the scenario where the ZXR10 M6000 device sends an ARP
request on its own initiative, the working flow is described below.
1. The active detection function should have been configured for the IP-HOSTv4
subscriber. The ZXR10 M6000 broadcasts an ARP request on its own initiative.
2. The subscriber receives the ARP request, and then sends a reply.
3. The ZXR10 M6000 receives the ARP reply. The procedure of coming online is the
same as that in the scenario where the subscriber sends an ARP request on his own
initiative.
4. If there is no reply within the permitted number of detections, the ZXR10 M6000 stops
sending the ARP requests. If the subscriber gets online before the detection timer
runs out, ZXR10 M6000 sends an ARP unicast message.
Steps
1. Configure a network-side interface.
3-3
3. Configure a domain.
3-4
<start-ip>, <end-ip>: Specifies the start IP address and the end IP address for members
in the address pool. One member can be configured with 4096 IP addresses at most.
5. Configure a user-side interface.
Command Function
3-5
Command Function
– End of Steps –
Configuration Flow
1. Configure a VBUI to be the virtual BRAS user-side interface. Configure an address
pool in VBUI configuration mode, and configure a static address.
2. Configure an interface in VCC configuration mode.
3. Return to VBUI configuration mode, and configure an IP-HOST subscriber on the
VBUI.
3-6
Commands
Configuration on ZXR10:
ZXR10(config)#radius authentication-group 10
ZXR10(config-authgrp-10)#server 1 192.168.107.9 master key uas
ZXR10(config-authgrp-10)#deadtime 0
ZXR10(config-authgrp-10)#user-name-format include-domain
ZXR10(config-authgrp-10)#nas-ip-address 192.168.60.5
ZXR10(config-authgrp-10)#exit
ZXR10(config)#radius accounting-group 10
ZXR10(config-acctgrp-10)#server 1 192.168.107.9 master key uas
ZXR10(config-acctgrp-10)#deadtime 0
ZXR10(config-acctgrp-10)#user-name-format include-domain
ZXR10(config-acctgrp-10)#nas-ip-address 192.168.60.5
ZXR10(config-acctgrp-10)#local-buffer enable
ZXR10(config-acctgrp-10)#exit
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type radius
ZXR10(config-submanage-authen-template)#authentication-radius-group 10
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#accounting-template zte
ZXR10(config-submanage-accounting-template)#accounting-type radius
ZXR10(config-submanage-accounting-template)#accounting-radius-group first 10
ZXR10(config-submanage-accounting-template)#exit
ZXR10(config-submanage)#domain domain199
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#bind accounting-template zte
ZXR10(config-submanage-domain)#exit
ZXR10 (config-submanage)#exit
ZXR10(config)#interface vbui20
ZXR10(config-if-vbui20)#ip address 20.0.0.1 255.255.255.0
ZXR10(config-if-vbui20)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui20
ZXR10(config-vbui-if)#ip-pool pool-name iphostpool pool-id 20
ZXR10(config-vbui-if-ip-pool)#access-domain domain199
3-7
ZXR10(config-vbui-if-ip-pool)#member 1
ZXR10(config-vbui-if-ip-pool-member)#start-ip 20.0.0.1 end-ip 20.0.0.255
ZXR10(config-vbui-if-ip-pool-member)#static-ip 20.0.0.2
ZXR10(config-vbui-if-ip-pool-member)#exit
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface gei-0/3/0/6
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui20
ZXR10(config-vbui-if)#ip-host 20.0.0.2 gei-0/3/0/6 user-info IPHOST domain199 123
ZXR10(config-vbui-if)#end
Verification
Check the IP-HOSTv4 subscriber interface configuration, as shown below.
ZXR10#show running-config uim
! <UIM>
vbui-configuration
interface vbui20
$
$
vcc-configuration
interface gei-0/3/0/6
$
!
! </UIM>
ZXR10#show running-config ip-host
!<IPHOST>
vbui-configuration
interface vbui20
ip-host 20.0.0.2 gei-0/3/0/6 user-info IPHOST domain199 123
$
$
!</IPHOST>
ZXR10#show running-config am
! <AM>
vbui-configuration
3-8
interface vbui20
ip-pool pool-name iphostpool pool-id 20
access-domain domain199
member 1
start-ip 20.0.0.1 end-ip 20.0.0.255
static-ip 20.0.0.2
$
$
$
! </AM>
3-9
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
3-10
In such a model, through PPPoE, each subscriber has his or her own PPP stack, access
control, and Type Of Service (ToS). Subscribers can implement online operations on
familiar interfaces. A service provider can establish a unique PPP session with each
access subscriber. Access control and accounting can be executed for each subscriber.
The PPPoE provides the following benefits:
l The installation and operation mode are similar to those in a dial-up network.
l No configuration is needed on the XDSL modem of subscribers.
l Allowing several subscribers to share the same high-speed data access link.
l Meeting the requirements of small-scale enterprises and telecommuting.
l Terminal users can access several Internet Service Providers (ISPs). The dynamic
service selection function makes ISPs provide new services more easily .
l Compatible with all current XDSL Modem and Digital Subscriber Line Access
Multiplexer (DSLAM).
l Compatible with ISP access structures.
4-1
In general, a successful PPPoE access is divided into two states, the discovery stage and
the session stage. The functions of the two stages are described below.
1. The discovery stage is to establish a link layer connection between the host and the
BRAS device (to discover the MAC of the BRAS device), and generate a PPPoE
session ID. The session ID is carried along with the PPP dial-up service until the
session ends.
2. The session stage is responsible for negotiation of data-link layer parameters
(including authentication and Maximum Receive Unit (MRU)) and negotiation of
network-layer parameters (including IP address).
The procedure of the PPPoE discovery is described below.
1. A host broadcasts a PADI message on the Ethernet. The message contains the ToS
information that the host expects.
2. After all BRAS devices on the Ethernet receive the message, they compare the service
requested in the message with the service that can be provided by themselves. The
access concentrator that provides the service requested by the host replies a PADO
message.
3. The host may receive PADO messages from several BRAS devices. The host selects
an access concentrator that can provide the service among the access concentrators
that replies a PADO message according to the information in the message and
certain conditions. Then the host sends a PADR unicast session request message
that contains the information of the requested service.
4. After the BRAS device receives the PADR message, it replies a PADS message that
contains a session ID that identifies the PPPoE session between the BRAS device
and the host uniquely.
After the discovery stage ends, the session stage begins. Once entering the PPPoE
session stage, the host and the access concentrator send PPP data according to PPP
and negotiate parameters.
4-2
The packets transmitted in this stage must keep session ID fixed in the discovery stage.
At the two ends of the PPP session, there are peer entities. Either entity can begin or
end a connection. The establishment of a PPP connection includes LCP negotiation, user
authentication and IP Control Protocol (IPCP) negotiation.
LCP negotiation is responsible for the attribute negotiation of the link between the host and
the access server. The attributes include:
l MRU
l The authentication protocol used in the authentication stage (PAP or CHAP)
l Whether to use the magic number option
l Whether to compress the protocol field
l Whether to compress the address field and the control field
The PPP supports PAP authentication and CHAP authentication. After the authentication
ends, IPCP negotiation begins. It is mainly to negotiate the network address. The PPPoE
IPCP procedure is similar to the LCP procedure. The difference is that LCP requests the
link layer options while IPCP requests the network layer option.
Steps
1. Configure a network-side interface.
2. Configure a domain.
4-3
4-4
4-5
<time-value>: Keepalive time (in seconds) for the PPPoX template, in the unit of
second, range: 10 to 14400.
<count-value>: Keepalive number for the PPPoX template, range: 1 to 10.
<mru-value>: MRU (in bytes) of the PPPoX template, range: 128 to 1492.
6. Verify the configurations.
Command Function
– End of Steps –
4-6
(such as HUB or LAN switch) between the host and the BRAS. Packets passing through
Layer-2 devices do not undergo any changes or encapsulation.
Configuration Flow
1. Configure an IP address on the network-side interface fei-0/10/1/2.
2. Configure an authentication template, an authorization template and an accounting
template, and bind them to a domain. Configure a PPPoE template and configure
related PPP attributes in the template.
3. Configure a user-side interface, and configure an address pool on the VBUI interface.
Bind the address pool with the domain.
4. Configure a subscriber through the RADIUS software.
5. Bind the PPPoE template to the VCC interface.
Configuration Commands
1. The network-side interface configuration is as follows:
ZXR10(config)#interface fei-0/10/1/2
ZXR10(config-if-fei-0/10/1/2)#no shutdown
ZXR10(config-if-fei-0/10/1/2)#ip address 200.0.0.100 255.255.0.0
ZXR10(config-if-fei-0/10/1/2)#exit
2. The domain configuration is as follows:
ZXR10(config)#interface fei-0/10/1/3
ZXR10(config-if-fei-0/10/1/3)#no shutdown
ZXR10(config-if-fei-0/10/1/3)#ip address 192.168.5.110 255.255.0.0
ZXR10(config-if-fei-0/10/1/3)#exit
ZXR10(config)#radius authentication-group 10
ZXR10(config-authgrp-10)#server 1 192.168.112.111 master key zte
ZXR10(config-authgrp-10)#deadtime 0
ZXR10(config-authgrp-10)#user-name-format include-domain
ZXR10(config-authgrp-10)#nas-ip-address 192.168.5.110
ZXR10(config-authgrp-10)#exit
ZXR10(config)#subscriber-manage
4-7
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type radius
ZXR10(config-submanage-authen-template)#authentication-radius-group 10
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#accounting-template zte
ZXR10(config-submanage-accounting-template)#accounting-type radius
ZXR10(config-submanage-accounting-template)#exit
ZXR10(config-submanage)#pppox-cfg 199
ZXR10(config-submanage-pppox)#ppp authentication pap
ZXR10(config-submanage-pppox)#exit
ZXR10(config-submanage)#domain domain199
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#bind accounting-template zte
ZXR10(config-submanage-domain)#exit
3. The user-side interface configuration is as follows:
ZXR10(config)#interface vbui199
ZXR10(config-if-vbui199)#ip address 199.1.1.1 255.255.0.0
ZXR10(config-if-vbui199)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui199
ZXR10(config-vbui-if)#ip-pool pool-name pool199 pool-id 199
ZXR10(config-vbui-ip-pool)#access-domain domain199
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 1.1.1.1
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 2.2.2.2 second
ZXR10(config-vbui-ip-pool)#member 1
ZXR10(config-vbui-ip-pool-member)#start-ip 199.1.1.2 end-ip 199.1.2.1
ZXR10(config-vbui-ip-pool-member)#exit
4. The user-side circuit configuration is as follows:
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface fei-0/10/1/1
ZXR10(config-vcc-if)#pppox template 199
ZXR10(config-vcc-if)#encapsulation ppp-over-ethernet
ZXR10(config-vcc-if)#end
Configuration Verification
Execute the show subscriber pppox command, and verify that the subscriber is online, as
shown below.
4-8
-------------------------------------------------------------------------------
session: total up down
4-9
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
Configuration Flow
1. Configure an IP address on the network-side interface fei-0/10/1/2.
2. Configure an authentication template, an authorization template and an accounting
template, and bind them to a domain. Configure a PPPoE template, and configure
related PPP attributes in the template.
3. Configure a user-side interface, and configure an address pool for the VBUI interface.
Bind the address pool to the domain.
4. Configure a subscriber through the RADIUS software.
4-10
Configuration Commands
1. The network-side interface configuration is as follows:
ZXR10(config)#interface fei-0/10/1/2
ZXR10(config-if-fei-0/10/1/2)#no shutdown
ZXR10(config-if-fei-0/10/1/2)#ip address 200.0.0.100 255.255.0.0
ZXR10(config-if-fei-0/10/1/2)#exit
2. The domain configuration is as follows:
ZXR10(config)#interface fei-0/10/1/3
ZXR10(config-if-fei-0/10/1/3)#no shutdown
ZXR10(config-if-fei-0/10/1/3)#ip address 192.168.5.110 255.255.0.0
ZXR10(config-if-fei-0/10/1/3)#exit
ZXR10(config)#radius authentication-group 10
ZXR10(config-authgrp-10)#server 1 192.168.112.111 master key zte
ZXR10(config-authgrp-10)#deadtime 0
ZXR10(config-authgrp-10)#user-name-format include-domain
ZXR10(config-authgrp-10)#nas-ip-address 192.168.5.110
ZXR10(config-authgrp-10)#exit
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type radius
ZXR10(config-submanage-authen-template)#authentication-radius-group 10
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#accounting-template zte
ZXR10(config-submanage-accounting-template)#accounting-type none
ZXR10(config-submanage-accounting-template)#exit
ZXR10(config-submanage)#pppox-cfg 199
ZXR10(config-submanage-pppox)#ppp authentication pap
ZXR10(config-submanage-pppox)#exit
ZXR10(config-submanage)#domain domain199
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#bind accounting-template zte
ZXR10(config-submanage-domain)#exit
3. The user-side interface configuration is as follows:
ZXR10(config)#interface vbui199
ZXR10(config-if-vbui199)#ip address 199.1.1.1 255.255.0.0
4-11
ZXR10(config-if-vbui199)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui199
ZXR10(config-vbui-if)#ip-pool pool-name pool199 pool-id 199
ZXR10(config-vbui-ip-pool)#access-domain domain199
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 1.1.1.1
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 2.2.2.2 second
ZXR10(config-vbui-ip-pool)#member 1
ZXR10(config-vbui-ip-pool-member)#start-ip 199.1.1.1 end-ip 199.1.2.1
ZXR10(config-vbui-ip-pool-member)#exit
4. The user-side circuit configuration is as follows:
ZXR10(config)#interface fei-0/10/1/1.1
ZXR10(config-if-fei-0/10/1/1.1)#exit
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface fei-0/10/1/1.1
ZXR10(config-vcc-if)#pppox template 199
ZXR10(config-vcc-if)#encapsulation ppp-over-ethernet
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
ZXR10(config)#vlan-configuration
ZXR10(config-vlan)#interface fei-0/10/1/1.1
ZXR10(config-vlan-if-fei-0/10/1/1.1)#encapsulation-dot1q 100
/*It also can be set to a QinQ interface.*/
ZXR10(config-vlan-if-fei-0/10/1/1.1)#end
Configuration Verification
Execute the show subscriber pppox command, and verify that the subscriber is online, as
shown below.
ZXR10(config)#show subscriber pppox
*******************************************************************************
Subscriber Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :17
user-name :PPPOE
domain-name :domain199
local-domain-name :domain199
authorize-domain-name :domain199
mac-address :0010.9400.0001
session-id :2
access-interface :fei-0/10/1/1.1
4-12
internal-vlan :0
external-vlan :100
authentication-mode :RADIUS
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
authentication-time :2012/05/21 14:28:32
create-time :2012/05/21 14:28:32
online-time :12
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 PPPox
ipv4-address :199.1.1.2
vrf-name :
vpn-id :0
gateway :199.1.1.1
primary-dns :1.1.1.1
second-dns :2.2.2.2
record-status :CREATED
*******************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
4-13
Configuration Flow
1. Configure the IP address of the fei-0/10/1/2 interface on the network side.
2. Configure an authentication template, an authorization template, and an accounting
template, and associate them with a domain. Configure a PPPoE template, and set
the related PPP attributes in the template.
3. Configure a user-side interface, and configure an address pool on the VBUI interface.
Associate the address pool with the domain.
4. Configure users on the RADIUS server.
5. Associate the VCC interface with the PPPoE template.
6. Enable account sharing in the domain.
Configuration Commands
1. Run the following commands on the ZXR10 M6000 to configure a network-side
interface:
ZXR10(config)#interface fei-0/10/1/2
ZXR10(config-if-fei-0/10/1/2)#no shutdown
ZXR10(config-if-fei-0/10/1/2)#ip address 200.0.0.100 255.255.0.0
ZXR10(config-if-fei-0/10/1/2)#exit
2. Run the following commands on the ZXR10 M6000 to configure a domain:
ZXR10(config)#interface fei-0/10/1/3
ZXR10(config-if-fei-0/10/1/3)#no shutdown
4-14
ZXR10(config)#radius authentication-group 10
ZXR10(config-authgrp-10)#server 1 192.168.112.111 master key zte
ZXR10(config-authgrp-10)#deadtime 0
ZXR10(config-authgrp-10)#user-name-format include-domain
ZXR10(config-authgrp-10)#nas-ip-address 192.168.5.110
ZXR10(config-authgrp-10)#exit
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type radius
ZXR10(config-submanage-authen-template)#authentication-radius-group 10
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template 199
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#accounting-template 199
ZXR10(config-submanage-accounting-template)#accounting-type radius
ZXR10(config-submanage-accounting-template)#exit
ZXR10(config-submanage)#pppox-cfg 199
ZXR10(config-submanage-pppox)#ppp authentication pap
ZXR10(config-submanage-pppox)#exit
ZXR10(config-submanage)#domain domain199
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#bind accounting-template zte
ZXR10(config-submanage-domain)#account-share enable
/*Enables account sharing*/
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#exit
3. Run the following commands on the ZXR10 M6000 to configure a user-side interface:
ZXR10(config)#interface vbui199
ZXR10(config-if-vbui199)#ip address 199.1.1.1 255.255.0.0
ZXR10(config-if-vbui199)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui199
ZXR10(config-vbui-if)#ip-pool pool-name pool199 pool-id 199
ZXR10(config-vbui-ip-pool)#access-domain domain199
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 1.1.1.1
4-15
Configuration Verification
Run the show subscriber pppox user-name command to check whether multiple users with
the same username have come online. The execution result is displayed as follows:
-------------------------------------------------------------------------------
session: total up down
IPv4 4 4 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 4 4 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 4 4 0 0 0
-------------------------------------------------------------------------------
4-16
Configuration Flow
1. Configure an authentication template, an authorization template, and an accounting
template, and associate them with a domain. Configure a PPPoE template, and set
the related PPP attributes in the template. Configure local users.
2. Configure exact binding information in the local-subscriber.
3. Configure a user-side interface, and configure an address pool on the VBUI interface.
Associate the address pool with the domain.
4. Associate the VCC interface with the PPPoE template.
Configuration Commands
1. Run the following commands on the ZXR10 M6000 to configure a domain:
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type local
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#pppox-cfg 199
ZXR10(config-submanage-pppox)#ppp authentication pap
ZXR10(config-submanage-pppox)#exit
ZXR10(config-submanage)#domain domain199
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#exit
4-17
100
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#exit
3. Run the following commands on the ZXR10 M6000 to configure a user-side interface:
ZXR10(config)#interface vbui199
ZXR10(config-if-vbui199)#ip address 199.1.1.1 255.255.0.0
ZXR10(config-if-vbui199)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui199
ZXR10(config-vbui-if)#ip-pool pool-name pool199 pool-id 199
ZXR10(config-vbui-ip-pool)#access-domain domain199
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 1.1.1.1
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 2.2.2.2 second
ZXR10(config-vbui-ip-pool)#member 1
ZXR10(config-vbui-ip-pool-member)#start-ip 199.1.1.1 end-ip 199.1.2.254
ZXR10(config-vbui-ip-pool-member)#exit
ZXR10(config-vbui-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
4. Run the following commands on the ZXR10 M6000 to configure a VCC:
ZXR10(config)#interface gei-0/0/0/2.1
ZXR10(config-gei-0/0/0/2.1)#exit
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface gei-0/0/0/2.1
ZXR10(config-vcc-if)#pppox template 199
ZXR10(config-vcc-if)#encapsulation ppp-over-ethernet
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
ZXR10(config)#vlan-configuration
ZXR10(config-vlan)#interface gei-0/0/0/2.1
ZXR10(config-vlan-if-gei-0/0/0/2.1)#qinq range internal-vlan-range 1-200
external-vlan-range 1
ZXR10(config-vlan-if-gei-0/0/0/2.1)#end
Configuration Verification
Run the show subscriber pppox command to check whether subscribers have come
online. The execution result is displayed as follows:
4-18
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :16
user-name :pppoeee
domain-name :domain199
local-domain-name :domain199
authorize-domain-name :domain199
mac-address :0010.94ab.8801
session-id :8
access-interface :gei-0/0/0/2.1
internal-vlan :100
external-vlan :1
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
authentication-time :2011/04/05 09:17:43
create-time :2011/04/05 09:17:43
online-time :14
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------
IPv4 Information
--------------------------------------------------------------------------
subscriber-type :IPv4 PPPox
ipv4-address :199.1.1.3
vrf-name :
vpn-id :0
gateway :199.1.1.1
primary-dns :1.1.1.1
second-dns :2.2.2.2
record-status :CREATED
**************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
4-19
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
It can be seen that one subscriber fails to establish a dial-up connection through the
gei-0/0/0/2.1 interface associated with the VCC, outer-VLAN 2, and inner-VLAN 50,
while the other subscriber successfully establishes a dial-up connection through the
gei-0/0/0/2.1 interface, outer-VLAN 1, and inner-VLAN 100.
Configuration Flow
1. Configure an authentication template, an authorization template, and an accounting
template, and associate them with a domain. Configure a PPPoE template, and set
related PPP attributes in the template. Configure local users.
2. Configure the multi-level domain name resolution direction.
3. Configure a user-side interface, and configure an address pool on the VBUI interface.
Associate the address pool with the domain.
4. Associate the VCC interface with the PPPoE template.
Configuration Commands
1. Run the following commands on the ZXR10 M6000 to configure a domain:
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type local
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#exit
4-20
ZXR10(config-submanage)#pppox-cfg 199
ZXR10(config-submanage-pppox)#ppp authentication pap
ZXR10(config-submanage-pppox)#exit
ZXR10(config-submanage)#domain zte
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#domain kaka@zte
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui199
ZXR10(config-vbui-if)#ip-pool pool-name pool199 pool-id 199
ZXR10(config-vbui-ip-pool)#access-domain zte
ZXR10(config-vbui-ip-pool)#access-domain kaka@zte
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 1.1.1.1
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 2.2.2.2 second
ZXR10(config-vbui-ip-pool)#member 1
ZXR10(config-vbui-ip-pool-member)#start-ip 199.1.1.1 end-ip 199.1.2.254
ZXR10(config-vbui-ip-pool-member)#exit
ZXR10(config-vbui-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
4-21
ZXR10(config)#vlan-configuration
ZXR10(config-vlan)#interface gei-0/0/0/2.1
ZXR10(config-vlan-if-gei-0/0/0/2.1)#qinq range internal-vlan-range 1-200
external-vlan-range 1
ZXR10(config-vlan-if-gei-0/0/0/2.1)#end
Configuration Verification
A subscriber attempts to start a dial-up connection through the gei-0/0/0/2.1 interface
(associated with the VCC) by using uu@kaka@zte. Run the show subscriber command
to check the domain name resolution result, username information, and whether the
subscriber has come online. The execution result is displayed as follows:
ZXR10(config)#show subscriber pppox
**************************************************************************
Subscriber Information
--------------------------------------------------------------------------
Basic Information
--------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :18
user-name :uu@kaka /*username*/
domain-name :zte /*domain name*/
local-domain-name :zte
authorize-domain-name :zte
mac-address :0010.94ab.cc01
session-id :12
access-interface :gei-0/0/0/2.1
internal-vlan :100
external-vlan :1
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
4-22
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
ZXR10(config-submanage)#no domainname-parse-direction
The subscriber attempts to start a dial-up connection through the gei-0/0/0/2.1 interface by
using guu@kaka@zte again. Run the show subscriber command to check the domain
name resolution result and whether the subscriber has come online.
4-23
Subscriber Information
--------------------------------------------------------------------------
Basic Information
--------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :19
user-name :uu /*username*/
domain-name :kaka@zte /*domain name*/
local-domain-name :kaka@zte
authorize-domain-name :kaka@zte
mac-address :0010.94ab.cc01
session-id :13
access-interface :gei-0/0/0/2.1
internal-vlan :100
external-vlan :1
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
authentication-time :2011/04/05 10:38:49
create-time :2011/04/05 10:38:49
online-time :8
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
--------------------------------------------------------------------------
IPv4 Information
--------------------------------------------------------------------------
subscriber-type :IPv4 PPPox
ipv4-address :199.1.1.2
vrf-name :
vpn-id :0
gateway :199.1.1.1
primary-dns :1.1.1.1
second-dns :2.2.2.2
record-status :CREATED
**************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
4-24
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
After the specified domain name resolution direction is deleted, the default resolution
direction is from left to right. This means that, for uu@kaka@zte, the domain name is
kaka@zte, and the username is uu.
4-25
4-26
5-1
(generally on the Windows 2000–based platform), which restricts the platform the user
uses.
In general, the VPDN gateway is a router or a VPDN private server.
Tunnel Technology
Tunnel technology is one of the basic technologies to establish a secure Virtual Private
Network (VPN). It is similar to point-to-point connection technology. It is to establish a
data tunnel on the public network, and transmit packets over this tunnel.
A tunnel is established according to the tunnel protocol. There are Layer–2 tunnel
protocols and Layer–3 tunnel protocols.
l Layer–2 tunnel protocols include L2F, PPP Tunnel Protocol (PPTP) and Layer–2
Tunnel Protocol (L2TP). It is used to encapsulate different network protocols to the
PPP, and then encapsulate the packets into the tunnel protocol. The packets after
dual-layer encapsulation are transmitted according the Layer–2 protocol.
l Layer–3 protocols include General Routing Encapsulation (GRE) and IP Security
Protocol (IPSec). The essential difference between Layer–2 tunnel protocols and
Layer–3 tunnel protocol is that the received packets are encapsulated by using which
protocols.
L2TP is a Layer–2 tunnel protocol drafted by IETF, and is set down by Microsoft, Ascend,
Cisco and 3COM. It combines the advantages of PPTP and L2F. It is accepted by many
corporations, and has become the IETF industrial standard related to Layer–2 tunnel
protocols.
5-2
The above figure shows three common construction modes of L2TP. It also shows the
three elements required to construct an L2TP network: L2TP Network Server (LNS), L2TP
Access Concentrator (LAC) and client.
l LNS: It is an VPN server on the L2TP enterprise side. The LNS implements final
authorization and authentication for subscribers, receiving the tunnel from an LAC,
receiving connection requests, and establishing PPP tunnels connecting the LNS and
subscribers.
l LAC: It is an L2TP access device. The LAC provides Authentication, Authorization and
Accounting (AAA) services for different subscriber accesses, establishes connections
for tunnels and sessions, and implements proxy authentication for VPN subscribers. It
is an access device that provides the VPN service on the ISP side. It can be physically
a router supporting L2TP, an access server or a special VPN server.
l Client: It is a dial-up client.
L2TP Overview
The PPP session is carried over an L2TP tunnel session. PPP frames are transmitted over
the tunnel. Figure 5-2 illustrates the encapsulation procedure of the data.
5-3
The above figure shows the position of L2TP in the Transfer Control Protocol/Internet
Protocol (TCP/IP) hierarchic structure. It also shows the stack structure and encapsulation
procedure of an IP packet during the transmission procedure.
1. After receiving a PPP frame from a client, the LAC adds an L2TP header in front of
the PPP frame. The entire L2TP message, including the L2TP header and payload,
is encapsulated by using the User Datagram Protocol (UDP) and then forwarded.
2. The initial end of the L2TP tunnel selects an available UDP port (Port 1701 or another
port), and sends the data to Port 1701 of the destination host.
3. The receiver selects an idle port (Port 1701 or another port) in its system. It sends
its reply to the UDP port of the initial end, and sets its UDP source port to the idle
port. Once a connection is established between the source and destination ends, the
connection keeps unchanged during the life period of the tunnel.
4. When the IP layer receives the UDP packet, it adds an IP header. At this time, the IP
packet contains a second IP packet, but the two IP addresses are different. In general,
the IP address of the subscriber packet is a private address, and the IP address on
the LAC is a public address. Until now, the encapsulation of VPN private data is
completed.
5. On the LNS side, when receiving the L2TP/VPN IP packet, the LNS removes the
IP header, UDP header and the L2TP header, and then it obtains the PPP frame
of the subscriber. It removes the PPP header and then obtain the IP packet. Till
now, the LNS obtains the IP packet of the subscriber. In this way, IP data of the
subscriber is transmitted transparently through a tunnel. At the same time, the entire
PPP header/frame is not changed during the transmission.
5-4
5-5
Steps
1. Configure the basic functions of VPDN.
5-6
3. Configure LAC.
5-7
4. Configure LNS.
5-8
5. Configure LTS.
Command Function
5-9
Command Function
ZXR10#show vpdn tunnel {brief | local-tunnel-id Shows the VPDN tunnel information.
<tunnel-id>| remote-name <remote-name>|summary |
statistic }
7. Maintain VPDN.
Command Function
ZXR10#debug l2tp {all | data | error | event | packet} Shows the L2TP debugging
information.
– End of Steps –
Configuration Flow
1. Enter subscriber management configuration mode. Configure an authentication
template, configure local authentication for the authentication template, and then exit
to subscriber-manage configuration mode.
2. Create and enter domain configuration mode. Bind the authentication template to the
domain, and enable the tunnel-domain function. Set the alias of the domain, and exit
to subscriber-manage configuration mode.
5-10
Configuration Commands
Configuration on the LAC device:
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type local
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#domain l2tp
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#tunnel-domain enable
ZXR10(config-submanage-domain)#exit
ZXR10(config)#interface gei-0/2/0/2
ZXR10(config-if-gei-0/2/0/2)#no shutdown
ZXR10(config-if-gei-0/2/0/2)#exit
/*Configure a vcc*/
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface gei-0/2/0/2
ZXR10(config-vcc-if)#encapsulation ppp-over-ethernet
ZXR10(config-vcc-if)#pppox template 1
5-11
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
ZXR10(config)#interface gei-0/2/0/7
ZXR10(config-if-gei-0/2/0/7)#no shutdown
ZXR10(config-if-gei-0/2/0/7)#ip address 102.1.1.2 255.255.255.0
ZXR10(config-if-gei-0/2/0/7)#exit
Configuration Verification
Execute the show running-config vpdn all command, and verify that the tunnel attributes
are properly set.
ZXR10(config)#show running-config vpdn all
! <VPDN>
vpdn-group zte
#service-type lac
#ip tcp adjust-mss 1400
#calling-number-format none
domain l2tp
local name ztelac
terminate-from hostname ztelns
#no force-local-chap
#no l2tp hidden
#no l2tp tunnel authentication
#l2tp tunnel hello 60
#l2tp tunnel receive-window 4
#l2tp tunnel retransmit retries 5
#l2tp tunnel retransmit timeout 8
#l2tp tunnel timeout no-session 15
5-12
The all parameter is used to display the default configuration. The result shows that
VPDN is enabled in global configuration mode. The configuration information (including
the default group) is displayed.
Execute the show vpdn tunnel brief command, and verify that the tunnel has been
established.
ZXR10(config)#show vpdn tunnel brief
LTID RTID RemoteName State RemoteAddr RemotePort Sessions
26566 59221 ztelns Established 102.1.1.1 1701 1
In the above information, "EST" in the "State" column means that the tunnel has been
established successfully.
Execute the show subscriber vpdn lac command, and verify that the subscribes has been
online.
ZXR10(config)#show subscriber vpdn lac
*******************************************************************************
Subscriber Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :20
user-name :lac1
domain-name :l2tp
5-13
local-domain-name :l2tp
authorize-domain-name :l2tp
mac-address :0010.9434.0a01
session-id :14
access-interface :gei-0/2/0/2
internal-vlan :0
external-vlan :0
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
authentication-time :2011/04/05 13:58:56
create-time :2011/04/05 13:58:56
online-time :207
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :L2TP
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :VPDN
local-sessionid :1
local-tunnelid :26566
remote-sessionid :123
remote-tunnelid :59221
ipv4-address :
vrf-name :
vpn-id :0
tunnel-vrf-name :
tunnel-vpn-id :0
lac-ipv4-address :102.1.1.2
lns-ipv4-address :102.1.1.1
record-status :CREATED
*******************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
5-14
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
Configuration Flow
1. On the one hand, an LTS works as an LNS to respond the tunnel connection request
of the LAC on the user side. On the other hand, the LTS works as an LAC to send a
tunnel connection request to the LNS (or another LTS) on the server side. Therefore,
to configure an LTS, it is necessary to create two L2TP groups. One group works as
an LNS to receive the tunnel connection request sent by the LAC. The other group
works as an LAC to send the tunnel connection request to the LNS.
2. Configure addresses on the interfaces connected to the LAC and the LNS.
3. Create a virtual template in global configuration mode, and enter virtual template
configuration mode. Set the mode to PPP, and bind the template to an interface.
4. Configure domains of the L2TP subscribers.
5. Configure an LAC.
6. Configure an LNS.
Configuration Commands
Configuration of LTS:
5-15
R2(config)#interface gei-0/2/0/1
R2(config-if-gei-0/2/0/1)#no shutdown
R2(config-if-gei-0/2/0/1)#ip address 101.1.1.2 255.255.255.0
R2(config-if-gei-0/2/0/1)#exit
R2(config)#interface gei-0/2/0/2
R2(config-if-gei-0/2/0/2)#no shutdown
R2(config-if-gei-0/2/0/2)#ip address 102.1.1.2 255.255.255.0
R2(config-if-gei-0/2/0/2)#exit
R2(config)#interface virtual_template20
R2(config-if-virtual_template20)#mode ppp
R2(config-if-virtual_template20)#ip unnumbered gei-0/2/0/1
R2(config-if-virtual_template20)#exit
/*Configure PPP*/
R2(config)#ppp
R2(config-ppp)#interface virtual_template20
R2(config-ppp-if-virtual_template20)#keepalive 20
R2(config-ppp-if-virtual_template20)#ppp authentication pap
R2(config-ppp-if-virtual_template20)#ppp pap sent-username lac1@l2tp password 123
R2(config-ppp-if-virtual_template20)#bind-ip-pool zte
R2(config-ppp-if-virtual_template20)#exit
R2(config-ppp)#exit
R2(config)#vpdn
R2(config-vpdn)#enable
R2(config-vpdn)#multihop /*Enable the LTS function*/
R2(config-vpdn)#tsa-id lts /*Configure the tsa-id of the device*/
R2(config-vpdn)#exit
5-16
R2(config)#subscriber-manage
R2(config-submanage)#authentication-template zte
R2(config-submanage-authen-template)#authentication-type local
R2(config-submanage-authen-template)#exit
R2(config)#subscriber-manage
R2(config-submanage)#authorization-template zte
R2(config-submanage-author-template)#authorization-type radius
R2(config-submanage-author-template)#vpdn-group lac
R2(config-submanage-author-template)#exit
R2(config-submanage)#domain l2tp
R2(config-submanage-domain)#bind authentication-template zte
R2(config-submanage-domain)#bind authorization-template zte
R2(config-submanage-domain)#exit
R2(config-submanage)#local-subscriber lac1 domain-name l2tp
password 123
R2(config-submanage-local-sub)#exit
R2(config-submanage)#exit
Configuration Verification
Run the show vpdn tunnel brief command, and verify that the tunnel state is proper. When
a subscriber is online, the system generates two tunnels automatically. One tunnel is
between the LAC and the LTS. The other tunnel is between the LTS and the LNS.
ZXR10(config)#show vpdn tunnel brief
L2TP Tunnel Infomation
==============================================================================
LTID RTID RemoteName State RemoteAddr RemotePort Sessions
13928 61336 ztelac Established 101.1.1.1 1701 1
61554 8187 ztelns Established 102.1.1.1 1701 1
Run the show running-config ppp all command, and verify that the PPP configuration is
proper.
5-17
bind-ip-pool zte
!
!</ppp>
Run the show running-config vpdn all command, and verify that the PPP configuration
is proper.
R2(config)#show running-config vpdn all
! <VPDN>
vpdn-group lns
service-type lns
#ip tcp adjust-mss 1400
#calling-number-format none
local name lns
terminate-from hostname ztelac
#no force-local-chap
#no l2tp hidden
#l2tp tunnel hello 60
#l2tp tunnel receive-window 4
#l2tp tunnel retransmit retries 5
#l2tp tunnel retransmit timeout 8
#l2tp tunnel timeout no-session 15
#l2tp tunnel timeout setup 10
#lcp renegotiation always
#no lns-send-sli
local name lns
#max-session 16000
#max-session-per-tunnel 16000
virtual-template 20
#set-dscp-outer 48
$
vpdn-group lac
#service-type lac
#ip tcp adjust-mss 1400
#calling-number-format none
domain l2tp
local name lac
terminate-from hostname ztelns
#no force-local-chap
#no l2tp hidden
#no l2tp tunnel authentication
#l2tp tunnel hello 60
#l2tp tunnel receive-window 4
#l2tp tunnel retransmit retries 5
#l2tp tunnel retransmit timeout 8
#l2tp tunnel timeout no-session 15
5-18
Configuration Flow
1. Configure an address pool that assigns addresses to subscribers.
2. Create a virtual template in global configuration mode, and enter the virtual template.
Set the mode to PPP, and bind an interface.
3. Enter subscriber management configuration mode. Configure the domain name,
username and password. Set the domain name to L2T, set the username to lac1,
and set the password to 123.
5-19
4. Enter the virtual template in PPP configuration mode. Set the authentication mode to
PAP and bind the address pool.
5. Enter the interface connecting to the LAC directly, and then configure an IP address.
6. Exit to global configuration mode, and then enter VPDN configuration mode. Configure
a VPDN group. Configure the type of service of the VPDN group. Configure the source
IP address, destination IP address, local name and remote name of the tunnel. Bind
the virtual interface, and disable tunnel authentication.
7. Configure the domain and local user information on the LNS. Ensure that it is the same
as that on the LAC.
Configuration Commands
Configuration on the LNS device:
/*Configure an IP pool*/
R2(config)#ip pool zte
R2(config-ip-pool)#range 135.1.0.1 135.1.255.254 255.255.0.0
R2(config-ip-pool)#exit
R2(config)#interface gei-0/2/0/2
R2(config-if-gei-0/2/0/2)#no shutdown
R2(config-if-gei-0/2/0/2)#ip address 102.1.1.1 255.255.255.0
R2(config-if-gei-0/2/0/2)#exit
/*Configure PPP*/
R2(config)#ppp
R2(config-ppp)#interface virtual_template20
R2(config-ppp-if-virtual_template20)#keepalive 20
R2(config-ppp-if-virtual_template20)#ppp authentication pap
R2(config-ppp-if-virtual_template20)#bind-ip-pool zte
R2(config-ppp-if-virtual_template20)#exit
R2(config-ppp)#exit
5-20
Configuration Verification
Execute the show vpdn tunnel brief command, and verify that the tunnel has been
established.
R2(config)#show vpdn tunnel brief
LTID RTID RemoteName State RemoteAddr RemotePort Sessions
59221 26566 ztelac Established 102.1.1.2 1701 1
Execute the show running-config vpdn all command, and verify that the VPDN configuration
is proper, as shown below.
R2(config)#show running-config vpdn all
! <VPDN>
vpdn-group zte
service-type lns
#ip tcp adjust-mss 1400
#calling-number-format none
local name ztelns
terminate-from hostname ztelac
#no force-local-chap
#no l2tp hidden
#no l2tp tunnel authentication
5-21
Run the show ip local pool command to check whether the address pool is properly set.
The execution result is displayed as follows:
ZXR10(config)#show ip local pool
PoolName Begin End Mask Free Used
zte 135.1.0.1 135.1.255.254 16 65533 1
TotalPool: 1
Run the show subscriber vpdn lns command to check whether the subscriber has come
online. The execution result is displayed as follows:
5-22
domain-name :l2tp
local-domain-name :l2tp
authorize-domain-name :l2tp
mac-address :0000.0000.0000
session-id :0
access-interface :virtual_template20
internal-vlan :0
external-vlan :0
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
authentication-time :2012/07/27 14:34:25
create-time :2012/07/27 14:34:25
online-time :454
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :L2TP
route-map-name :
--------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 L2TP LNS
local-sessionid :123
local-tunnelid :59221
remote-sessionid :1
remote-tunnelid :26566
ipv4-address :135.1.0.1
vrf-name :
vpn-id :0
lac-ipv4-address :102.1.1.2
lns-ipv4-address :102.1.1.1
record-status :CREATED
**************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
5-23
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
The output information indicates that the subscriber has come online.
Configuration Flow
1. Configure dynamic PAT conversion.
2. Configure the PPPoE, VCC interface, and PPPoX template.
3. Configure the address pool that contains IP addresses to be allocated to users.
4. Create and enter the virtual template in global mode, set the mode to PPP, and bind
an interface.
5. Enter the virtual template in PPP mode, set the user authentication mode to PAP, and
bind the address pool.
6. Enter configuration mode of the interface directly connected to the LAC, and set its IP
address.
7. Enter VPDN configuration mode, and configure VPDN groups, including the service
type, source IP address of the channel, local end name of the channel, remote end
name of the channel. Bind the virtual interface, and disable the channel authentication
function.
8. Configure the domain and local user information for the LNS end, which should be the
same as those for the LAC end.
Configuration Commands
Configure the LAC as follows:
/*Configure dynamic PAT conversion*/
5-24
R1(config)#service 0/9/3 cgn_ext enable /*Enable the CGN function of the service board*/
R1(config)#cgn yf 1
R1(config-cgn)#location
R1(config-cgn-location)#node 1 SPU-0/9/3
R1(config-cgn-location)#exit
R11(config-cgn)#cgn-pool dynamic-pat poolid 3 mode pat
R1(config-cgn-patpool)#section 1 203.1.1.1 203.1.1.64
R1(config-cgn-patpool)#exit
R1(config-cgn)#domain 1 1 type bras ipv4-issue
R1(config-cgn-domain)#dynamic source rule-id 1 ipv4-list zte permit pool dynamic-pat
R1(config-submanage)#nat44-service kick-off-subscriber enable
R1(config-submanage)#exit
5-25
/*Configure the vbui interface and the address pool for PPPoE access*/
R1(config)#interface vbui118
R1(config-if-vbui118)#ip address 43.2.1.1 255.255.0
R1(config-if-vbui118)#exit
R1(config)#vbui-configuration
R1(config-vbui)#interface vbui118
R1(config-vbui-if)#ip-pool pool-name 118 pool-id 118
R1(config-vbui-if-ip-pool)#access-domain l2tp
R1(config-vbui-if-ip-pool)#pppoe-dns-server 22.222.222.22
R1(config-vbui-if-ip-pool)#member 1
R1(config-vbui-if-ip-pool-member)#start-ip 43.2.1.2 end-ip 43.2.10.2
R1(config-vbui-if-ip-pool-member)#exit
5-26
/*Configure the interface (of the LNS) used to directly connect to the LAC*/
R2(config-if-virtual_template20)#exit
/*Add a locally accessed user whose username is lac1@l2tp and password is 123*/
R2(config-submanage)#local-subscriber lac1 domain-name l2tp password 123
R2(config-submanage-local-sub)#exit
Configuration Verification
If the NAT function fails, and the user starts using the dial-up Internet service, the user type
is VPDN. Run the show running-config vpdn all to query the VPDN configuration.
5-27
#calling-number-format none
domain l2tp
local name ztelac
terminate-from hostname ztelns
#no force-local-chap
#no l2tp hidden
#no l2tp tunnel authentication
#l2tp tunnel hello 60
#l2tp tunnel receive-window 4
#l2tp tunnel retransmit retries 5
#l2tp tunnel retransmit timeout 8
#l2tp tunnel timeout no-session 15
#l2tp tunnel timeout setup 10
#lcp renegotiation always
#no lns-send-sli
#max-session 16000
#max-session-per-tunnel 16000
source-ip-addr 102.1.1.2
#set-dscp-outer 48
initiate-to-ip-addr 102.1.1.1 priority 50
$
vpdn
#vpdn-mode centralization
#calling-number-avp disable
#calling-number-format class1
#check-hostname-avp
enable
#invalid-peerip-timeout 300
#tid-alloc-mode first
#no multihop
#tunnel-num-per-spu 1000
$
! </VPDN>
Parameter all indicates to show default configuration, including whether the VPDN in global
mode is enabled or not, and the default group.
Run the show vpdn tunnel brief command to check whether the channel is established.
ZXR10(config)#show vpdn tunnel brief
LTID RTID RemoteName State RemoteAddr RemotePort Sessions
26566 59221 ztelns Established 102.1.1.1 1701 1
5-28
Subscriber Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :20
user-name :lac1
domain-name :l2tp
local-domain-name :l2tp
authorize-domain-name :l2tp
mac-address :0010.9434.0a01
session-id :14
access-interface :gei-0/2/0/2
internal-vlan :0
external-vlan :0
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
proxy-flag :
sibprofileid :0
hot-bak-status :NONE
authentication-time :2011/04/05 13:58:56
create-time :2011/04/05 13:58:56
online-time :207
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :L2TP
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :VPDN
local-sessionid :1
local-tunnelid :26566
remote-sessionid :123
remote-tunnelid :59221
ipv4-address :
vrf-name :
vpn-id :0
tunnel-vrf-name :
tunnel-vpn-id :0
lac-ipv4-address :102.1.1.2
lns-ipv4-address :102.1.1.1
record-status :CREATED
*******************************************************************************
5-29
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
5-30
6-1
A Network Access Server (NAS) can be a router, a terminal server or a host. It is an ingress
of the network, and works as a client in AAA server mode. The AAA working procedure is
described below.
1. A terminal subscriber sends a request of connecting to the network to the AAA client
(that is, the NAS).
2. The AAA client prompts the subscriber to type in the username and password. Then
it collects and forwards the information to the AAA server.
3. The AAA server executes the program (comparing the information with that in the
database), and then returns a result to the NAS. The result may be acceptance,
rejection or other related information.
4. The AAA client sends the result to the terminal subscriber. The subscriber, if passing
the authentication, is allowed to come online.
Steps
1. Configure AAA authentication.
6-2
6-3
Command Function
ZXR10#show running-config aaa [all | begin <string>| Shows the AAA configuration.
exclude <string>| include <string>]
ZXR10#show running-config radius [all | begin <string>| Shows the RADIUS configuration.
exclude <string>| include <string>]
Command Function
– End of Steps –
6-4
Configuration Flow
1. Configure AAA configuration related to the subscriber.
2. Bind an AAA template to the specified domain.
Configuration Commands
1. Configuration of AAA related to the subscriber on ZXR10:
Note:
Before the authentication template is associated with the accounting server,
corresponding RADIUS server should has been configured. For the RADIUS server
configuration, refer to the "RADIUS Configuration" chapter.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template 2000
ZXR10(config-submanage-authen-template)#authentication-type local
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template 20000
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#accounting-template 2000
6-5
ZXR10(config-submanage-accounting-template)#accounting-type radius
ZXR10(config-submanage-accounting-template)#accounting-radius-group first 1
ZXR10(config-submanage-accounting-template)#exit
2. Bind the AAA template to the domain.
ZXR10(config-submanage)#domain 2000
ZXR10(config-submanage-domain)#bind authentication-template 2000
ZXR10(config-submanage-domain)#bind authorization-template 20000
ZXR10(config-submanage-domain)#bind accounting-template 2000
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#local-subscriber 8888 domain-name 2000 password 123
ZXR10(config-submanage-local-sub)#bind author-template 20000
ZXR10(config-submanage-local-sub)#bind accounting-template 2000
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#circuit-map eth-cir external-vlan 0 internal-vlan-range 0
interface fei-0/10/0/7 zte 2000 123
ZXR10(config-submanage)#end
Configuration Verification
The configuration on ZXR10 is shown below.
$
accounting-template 2000
accounting-type radius
$
domain 2000
bind authentication-template 2000
bind authorization-template 20000
bind accounting-template 2000
$
local-subscriber 8888 domain-name 2000 password 123 bind author-template 20000
bind accounting-template 2000
$
circuit-map eth-cir external-vlan 0 internal-vlan-range0
interface fei-0/10/0/7 zte 2000 123
$ /*Circuit subscriber configuration information*/
6-6
! </AIM>
Note:
If local authentication mode is used, and if the subscriber wants to obtain information
related to authentication, authorization and accounting, it is necessary to bind related
templates to the local subscriber.
6-7
6-8
l Client/Server structure
An NAS is a RADIUS client. The client is responsible for transmitting subscriber
information to the RADIUS server and then handling the reply of the RADIUS server.
A client and a RADIUS server interact to perform authentication for each other
through the password. The password is not transmitted on the network. In addition,
to reduce the possibility that the subscriber password is detect on insecure networks,
the password transmitted between the client and the RADIUS server is encrypted.
l Good scalability
A RADIUS server supports several modes of authentication for subscribers. If a
subscriber provides the username and plaintext password, RADIUS supports PPP
PAP, CHAP and UNIX login.
7-1
RADIUS is carried over the UDP. The authentication port number defined officially is
1812, and the accounting port number defined officially is 1813.
7-2
(counter of IP packets and counter of bytes). The information can be used as the
basis of accounting and security audit.
The brief working flow between a RADIUS server, a RADIUS client and a subscriber is
described below:
1. The remote client sends an authentication or authorization request to the NAS (that is,
the RADIUS client).
2. The RADIUS client forms authentication or authorization packets according to the
request of the remote client, and then sends the packets to the RADIUS server for
authentication or authorization.
3. The RADIUS client receives the response packets from the RADIUS server, and
execute authentication or authorization for the remote client.
Steps
1. Configure the basic attributes of a RADIUS authentication group.
7-3
first: selects the current valid server as the authentication/accounting server for a new
calling subscriber.
round-robin: selects the next valid server as the authentication/accounting server for
a new calling subscriber.
alias <name-str>: The alias is a unique ASCII character string. The string can contain
any letter and number, excluding space. The length of the alias is 1 to 31.
3. Configure the calling-station-format and nas-port-id-format fields for the RADIUS
authentication group and accounting group.
The following commands are executed in RADIUS authentication mode. In RADIUS
accounting group mode, the same commands and parameters are used, except for
the configuration mode (ZXR10(config-acctgrp-number)#).
Command Function
7-4
Command Function
7-5
4. Configure other attributes of the RADIUS authentication group and accounting group.
The following commands are executed in RADIUS authentication group mode. In
RADIUS accounting group mode, the same commands and parameters are used,
except for the configuration mode (ZXR10(config-acctgrp-number)#).
Command Function
7-6
Command Function
Command Function
ZXR10#debug radius authentication error Shows the debugging error information of the
RADIUS authentication group.
ZXR10#debug radius authentication event Shows the debugging event information of the
RADIUS authentication group.
ZXR10#debug radius authentication packet {all Shows the debugging packet information of the
|<group-number>} RADIUS authentication group.
ZXR10#debug radius accounting error Shows the debugging error information of the
RADIUS accounting group.
ZXR10#debug radius accounting event Shows the debugging event information of the
RADIUS accounting group.
7-7
Command Function
ZXR10#debug radius accounting packet {all Shows the debugging packet information of the
|<group-number>} RADIUS accounting group.
– End of Steps –
Steps
1. Configure the basic attributes of the RADIUS client.
7-8
Command Function
Command Function
ZXR10#show configuration radius client-group {brief | all | Shows the client group
group-name <name>} configurations.
– End of Steps –
7-9
Configuration Flow
1. Configure an authentication group.
2. Configure connections to the RADIUS server on the ZXR10.
Configuration Commands
1. Configure an authentication group:
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template 2000
ZXR10(config-submanage-authen-template)#authentication-type radius
ZXR10(config-submanage-authen-template)#authentication-radius-group 2000
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template 20000
ZXR10(config-submanage-author-template)#authorization-type radius
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#accounting-template 2000
ZXR10(config-submanage-accounting-template)#accounting-type radius
ZXR10(config-submanage-accounting-template)#accounting-radius-group first
2000
ZXR10(config-submanage-accounting-template)#exit
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#domain 2000
ZXR10(config-submanage-domain)#bind authentication-template 2000
ZXR10(config-submanage-domain)#bind authorization-template 20000
ZXR10(config-submanage-domain)#bind accounting-template 2000
7-10
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#circuit-map external-vlan 0 internal-vlan-range 0
interface fei-0/10/0/7 zte 2000 123
ZXR10(config-submanage)#exit
2. Configure a connection to the RADIUS server:
ZXR10(config)#radius authentication-group 2000
ZXR10(config-authgrp-2000)#server 1 192.168.11.23 master key uas port 1812
ZXR10(config-authgrp-2000)#nas-ip-address 192.168.5.16
ZXR10(config-authgrp-2000)#exit
Configuration Verification
Verify that the ATM configuration on the ZXR10 is proper.
ZXR10#show running-config aim
! <AIM>
subscriber-manage
authentication-template 2000
authentication-radius-group 2000 authentication-type radius
$
authorization-template 20000
authorization-type radius
$
accounting-template 2000
accounting-radius-group first 2000
accounting-type radius
$
domain 2000
bind authentication-template 2000
bind authorization-template 20000
bind accounting-template 2000
$
circuit-map eth-cir external-vlan 0 internal-vlan-range 0
interface fei-0/10/0/7 zte 2000 123
$ /*Circuit configuration information*/
! </AIM>
7-11
7-12
Configuration Flow
1. Configure the authentication proxy server and other parameters on the ZXR10.
2. Configure the RADIUS server listening port on the ZXR10.
3. Configure the access RADIUS client, specified proxy server, and other parameters on
the ZXR10.
4. Configure user management and access on the ZXR10.
Configuration Commands
1. Configure an authentication group on the ZXR10. For details, refer to the above
section.
2. Configure the listening port and the client:
ZXR10(config)#radius listening-port authentication 1812
ZXR10(config)#radius listening-port accounting 1813
ZXR10(config-radius-clientgrp)#client ip 123.124.125.126 key zte
ZXR10(config-radius-clientgrp)#authentication-server-group 2000
ZXR10(config-radius-clientgrp)#source-ip 192.168.10.101
3. Configure user management and access module (refer to “AC Separation Access
Configuration Instance”).
Configuration Verification
Run the show command to view the RADIUS authentication group information:
ZXR10(config)#show configuration radius client-group group-name zteac
!
radius client-group zteac
client ip 123.124.125.126 key
33A8EC1030727EB3A9B61002E10BDBEDB5BEA986F5505AD19582826921F45FCB
authentication-server-group 2000
dm-coa timeout 3
dm-coa max-retries 3
source-ip 192.168.10.101
attribute replace nas-ip-address enable
attribute replace nas-identifier enable
7-13
7-14
At present, dynamic VLAN can only be configured on VCC sub-interfaces. The commands
used for configuring a dynamic VLAN are the same as that used for configuring a static
VLAN. The differences are: It is necessary to configure dynamic VLAN tags, and only
range segment configuration (including single range and dual ranges) is supported. It
is required to ensure that dynamic VLAN information and the dynamic VLAN tag type
is consistent. After configuration, VLAN information is not deployed immediately. VLAN
information generation and deletion (or aged deletion) are triggered when users come
online or offline.
Figure 8-1 shows a dynamic VLAN network structure.
8-1
Steps
1. Configure a dynamic VLAN.
Command Function
– End of Steps –
8-2
Configuration Flow
1. Configure the DHCP, a domain (including the alias, authentication mode and
authorization mode), a VBUI (including the gateway address and address pool), and
a VCC (including the encapsulation mode).
2. Configure an SAL, and apply it to corresponding domain. Configure domain name
replacement.
3. Configure dynamic VLAN on an interface.
4. Set the boot-strap authentication mode to Circuit Authentication in BRAS circuit
configuration mode. Bind the SAL. For local authentication, configure the username
and the password for the ZXR10 M6000. For RADIUS authentication, configure the
username and the password for the RADIUS server.
5. Configure the user circuit information, and configure the relationship between the
username, password and domain name in subscriber management configuration
mode.
Configuration Commands
Configuration on the ZXR10.
Enable the DHCP function in global configuration mode, and configure the DHCP Server.
Configure a domain.
8-3
ZXR10(config-submanage)#domain domain1
ZXR10(config-submanage-domain)#bind authentication-template zte
/*Configure an alias of the domain, and bind it to the VBUI.
Configure the DHCP mode.*/
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#local-subscriber zte domain-name domain1 password
123
/*Configure the username, password and domain name saved locally*/
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#circuit-map eth-cir external-vlan 100
internal-vlan-range 200 interface fei-0/4/0/15.1 zte domain1 123
/*Configure user circuit information and the relationship between the username,
password and domain name.*/
Configure an SAL.
ZXR10(config-submanage)#sal 1
ZXR10(config-submanage-sal-1)#default domain domain1
ZXR10(config-submanage-sal-1)#exit
ZXR10(config-submanage)#exit
Enter VBUI configuration mode, configure VBUI parameters and an address pool, and
configure the DHCP Server in ip pool configuration mode.
ZXR10(config)#vbui-configuration /*VBUI configuration mode*/
ZXR10(config-vbui)#interface vbui200
ZXR10(config-vbui-if)#ip-pool pool-name 200 pool-id 200
ZXR10(config-vbui-if-ip-pool)#access-domain domain1
ZXR10(config-vbui-if-ip-pool)#ip dhcp instance server 256
ZXR10(config-vbui-if-ip-pool)#member 2
ZXR10(config-vbui-if-ip-pool-member)#start-ip 40.0.0.2 end-ip 40.0.0.10
/*Create an address pool*/
ZXR10(config-vbui-if-ip-pool-member)#exit
ZXR10(config-vbui-if-ip-pool)#pool-type dhcp
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
Set the encapsulation type to IPoE on the interface connecting to the user in circuit interface
configuration mode, and configure non-VLAN encapsulation.
ZXR10(config)#interface fei-0/4/0/15.1
ZXR10(config-if-fei-0/4/0/15.1)#exit
8-4
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface fei-0/4/0/15.1 /*Enter a VCC interface*/
ZXR10(config-vcc-if-fei-0/4/0/15.1)#bind sal 1 /*Bind the SAL*/
ZXR10(config-vcc-if-fei-0/4/0/15.1)#encapsulation ip-over-ethernet
/*Encapsulate IPOE*/
ZXR10(config-vcc-if-fei-0/4/0/15.1)#ipox authentication-type ipv4 dhcpv4 cir-map
/*Enable circuit authentication for the user accessing the network through the DHCP*/
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
Configuration Verification
Verify that the configuration on the sub-interface is proper.
ZXR10#show running-config-interface fei-0/4/0/15.1
!<Interface>
interface fei-0/4/0/15.1
$
!</Interface>
!<vlan>
vlan-configuration
interface fei-0/4/0/15.1
user-dynamic-vlan any-other-qinq /*Dynamic QinQ VLAN*/
qinq range internal-vlan-range 1-200 external-vlan-range 1-200
$
$
!</vlan>
!<AIM>
subscriber-manage
circuit-map eth-cir external-vlan 100 internal-vlan-range 200 interface
fei-0/4/0/15.1 zte domain1 123
$
!</AIM>
!<UIM>
vcc-configuration
interface fei-0/4/0/15.1
encapsulation ip-over-ethernet
8-5
8-6
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 DHCP SERVER
ipv4-address :40.0.0.2
vrf-name :
vpn-id :0
gateway :40.0.0.1
primary-dns :
second-dns :
record-status :CREATED
*******************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
8-7
8-8
9-1
l When a subscriber accesses a network, an ISP can deny or permit the domain where
the subscriber is located, thus allowing or disallowing the subscriber to obtain related
resources.
l When a subscriber accesses a network, an ISP can translate the domain where the
subscriber is located, thus controlling the authentication, authorization and accounting
modes used by the subscriber.
An SAL provides the following functions, and the principles are described below:
l The SAL provides a default domain. Information sent by a subscriber may not contain
the domain name. If so, the access module cannot obtain the domain name and send
it to the AIM module in an authentication request packet. Without the domain name,
the AIM module cannot perform authentication or authorization. In this situation, the
default domain of an SAL can be configured to solve the problem. The SAL serial
number is bound to an logical interface.
l The SAL can translates domains. When the access module sends an SAL serial
number, if the domain name matches the source domain of the translation domain
entity, the domain is translated into a destination domain. If the domain name does
not match any translation entities, it is necessary to check whether the translate
any command is configured. If the command is configured, any access domain is
translated into a destination domain.
l The SAL can control a domain. When the access module reports the SAL number,
if the domain name obtained through the default domain and conversion domain
matches the permit domain or deny domain policy, the users within the domain are
allowed or restricted to access the network. If the deny any command is configured,
subscriber accesses from any domain are denied. After an SAL is configured, the
default status is permit any which indicates that subscriber accesses from any
domain are permitted.
l Change domain (change-domain): When the access module reports the SAL
number, if the domain name obtained through the default domain, conversion
domain, and control domain matches the change-domain, the change-domain is used
for authentication, and the local-domain obtained through a conversion is used as
the administrative domain.
l The SAL supports roaming domain. If the domain name of a subscriber is not in
the management range of the current system, when the access module sends the
domain name in an authentication request packet to the AIM module, the AIM module
cannot find the corresponding domain serial number according to the domain name.
In this situation, if a roaming domain is configured in an SAL, the MAIM module can
obtain the roaming domain according to the SAL serial number, and then it uses the
roaming domain to perform authentication and authorization. If the keep parameter
is configured in the roaming domain, the AIM uses the domain name sent by the
subscriber to perform authentication on the RADIUS server, and the AIM module
uses the roaming domain to perform local authentication, authorization and address
resource application.
9-2
9-3
Steps
1. Configure an SAL.
Command Function
9-4
Command Function
9-5
Command Function
ZXR10#show configuration submanage sal {<sal-number>| all } Shows the SAL configuration.
Command Function
– End of Steps –
9-6
Configuration Flow
1. Configure PPPoE subscriber access.
2. Configure an SAL to implement roaming.
3. Associate the SAL with the user-side circuit.
Configuration Commands
1. For PPPoE access configuration, refer to the "PPPoEv4 Configuration
Examples"section.
2. Configure an SAL.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#sal 1 /*Enter SAL configuration mode*/
ZXR10(config-submanage-sal-1)#permit domain pppoe
/*Allow subscriber with "pppoe" domain name to access*/
ZXR10(config-submanage-sal-1)#none domain dhcp
/*Configure the subscriber to roam to the DHCP domain for access.*/
ZXR10(config-submanage-sal-1)#exit
ZXR10(config-submanage)#exit
3. Associate the SAL with the user-side circuit.
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface gei-0/0/0/2
ZXR10(config-vcc-if)#bind sal 1
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
4. View the configuration.
ZXR10(config-submanage)# show running-config aim
!<AIM>
subscriber-manage
9-7
authentication-templatezte
authentication-type local
$
domaindhcp
bind authentication-template zte
$
sal 1
permit domain pppoe
none domain dhcp
$
local-subscriber user1 domain-name dhcp password 123
$
$
!</AIM>
ZXR10(config-submanage)#show running-config am
!<AM>
vbui-configuration
interface vbui200
ip-pool pool-name pool200 pool-id 4
access-domain dhcp
pppoe-dns-server 1.1.1.1
pppoe-dns-server 2.2.2.2 second
member 1
start-ip 120.121.1.2 end-ip 120.121.2.255
$
$
$
$
!</AM>
Configuration Verification
The PC uses the "user1@pppoe" account and password "123" to dial. After the subscriber
dials successfully, run the show subscriber ipv4 <ipv4-address> command on the BRAS to
view the detailed user information.
ZXR10(config)#show subscriber ipv4-address 120.121.1.2
*******************************************************************************
Subscriber Verbose Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 32
user-name : user1
9-8
domain-name : dhcp
local-domain-name : dhcp
authorize-domain-name : dhcp
mac-address : 0010.94a0.0c01
session-id : 38
authentication-mode : LOCAL
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-bak-status : NONE
circuit-information : gei-0/0/0/2 [vlan:0 sec-vlan:0]
vbui-interface : vbui200
create-time : 2011/04/09 09:16:49
authentication-time : 2011/04/09 09:16:49
online-time : 743
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 0
9-9
sessionLimitType: acctSession :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 PPPox
ipv4-address : 120.121.1.2
gateway-address : 120.121.1.1
vrf-name :
vpn-id : 0
primary-dns :1.1.1.1
second-dns :2.2.2.2
ip-pool-name : pool200
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-id : 0
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
9-10
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
Configuration Flow
1. Configure PPPoE subscriber access.
9-11
Configuration Commands
1. For PPPoE access configuration, refer to the "PPPoEv4 Configuration Example"
section. In this case, you need to configure the RADIUS accounting, and bind the
accounting template in this domain.
2. Configure the offline code adjustment function.
ZXR10(config-submanage)#session-offline-standardize 1000
3. After the subscriber comes online, clear the subscriber to make the subscriber offline.
Capture accounting end packets on the RADIUS client.
Configuration Verification
The PC uses the "user1@pppoe" account and password "123" to dial. After the subscriber
dials successfully, run the clear subscriber user-name user1 domain-name pppoe command
to clear the subscriber. Capture accounting end packets on the RADIUS client. The value
of the ACCT-Terminate-Cause field is USER_REQUEST.
Configuration Flow
1. Configure PPPoE subscriber access.
2. Configure authentication frequency control parameters.
3. Start several dial-up attempts by using an incorrect password, and view the forbidding
table.
4. During the forbidding period, the subscriber starts a dialling by using the correct
password. Check whether the subscriber has come online.
9-12
Configuration Commands
1. For PPPoE access configuration, refer to the "PPPoEv4 Configuration Examples"
section.
2. Configure the authentication frequency control function.
ZXR10(config)#sbscriber-manage
ZXR10(config-submanage)#authentic-request-ctrl control enable
ZXR10(config-submanage)#authentic-request-ctrl request-interval 30
ZXR10(config-submanage)#authentic-request-ctrl request-count 3 forbid-period
100 reset-period 4
3. The subscriber starts three dial-up attempts with an incorrect password. Display the
forbidding table.
4. During the forbidding period, the subscriber starts a dial-up attempt with the correct
password. Check whether the subscriber comes online.
Configuration Verification
The PC uses the "user1@pppoe" account and password "1234" to dial. After the
subscriber starts three dial-up attempts with an incorrect password, the authentication
fails, and check the control table on the BRAS.
ZXR10(config)#show submanage authentic-request-ctrl pppox slot 6 brief
--------------------------------------------------------------------------------
total: 1 peak_record: 1
During the forbidding period, that is, before 09:29:25, the subscriber starts a dial-up attempt
with the correct password. The subscriber cannot come online.
9-13
and come online. When the number of the used addresses in the address pool reaches
the threshold, view the alarm information.
Configuration Flow
1. Configure PPPoE subscriber access.
2. Configure an address pool, and configure the alarm threshold of the address pool in a
domain on the VBUI interface.
3. Multiple subscribers establish dial-up connections from the same domain.
4. When the number of the used addresses in the address pool reaches the threshold,
view the alarm.
Configuration Commands
1. For the PPPoE access configuration, refer to the "PPPoEv4 Configuration Examples"
section.
2. Configure an address pool, and configure the alarm threshold of the address pool in a
domain on the VBUI interface.
ZXR10(config)#interface vbui199
ZXR10(config-if-vbui199)#ip address 199.1.1.6 255.255.255.0
ZXR10(config-if-vbui199)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui199
ZXR10(config-vbui-if)#ip-pool pool-name pppoe pool-id 167
ZXR10(config-vbui-if-ip-pool)#access-domain pppoe
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 1.1.1.1
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 2.2.2.2 second
ZXR10(config-vbui-if-ip-pool)#member 1
ZXR10(config-vbui-if-ip-pool-member)#start-ip 199.1.1.10 end-ip 199.1.1.20
ZXR10(config-vbui-if-ip-pool-member)#exit
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#!
ZXR10(config)#subscriber-manage
9-14
ZXR10(config-submanage)#domain pppoe
ZXR10(config-submanage-domain)#alarm-threshold upper-limit 80 lower-limit 20
ZXR10(config-submanage-domain)#exit
3. After multiple subscribers establish dial-up connections from the PPPoE domain, view
the alarm information.
Configuration Verification
Multiple PC users log onto the network by establishing PPPoE dial-up connections
(username/password: user1@pppoe/123).
When the number of occupied addresses in the address pool reaches the threshold, an
alarm arises.
An alarm 410102 ID 1963 level 5 occurred at 16:14:07 05-09-2011 sent by
ZXR10 MPU-0/20/0 %AM% IP resource of domain threshold reached
(Current = 72.73%,Threshold = 70.00%, Domain name = pppoe)
An alarm 410101 ID 1964 level 5 occurred at 16:14:07 05-09-2011 sent by
ZXR10 MPU-0/20/0 %AM% IP pool threshold reached (IP pool name = pppoe)
An alarm 410103 ID 1965 level 5 occurred at 16:14:07 05-09-2011 sent by ZXR10
MPU-0/20/0 %AM% IP resource of domain on VBUI threshold reached
(Current = 81.82%,Threshold = 80.00%, Domain name = pppoe, VBUI name = vbui199)
Configuration Flow
1. Configure the basic functions of PPPoE access.
9-15
9-16
Configuration Verification
A PC user (user1/123) starts a PPPoE dial-up connection. Run the show subscriber
command to check whether the PC user has come online. The execution result is displayed
as follows:
ZXR10(config)#show subscriber pppox
************************************************************************
Subscriber Information
------------------------------------------------------------------------
Basic Information
------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :33
user-name :user1
domain-name :dhcp
local-domain-name :dhcp
authorize-domain-name :dhcp
mac-address :0010.94a0.0c01
session-id :43
access-interface :gei-0/0/0/2
internal-vlan :0
external-vlan :0
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
authentication-time :2011/04/09 10:35:45
create-time :2011/04/09 10:35:45
online-time :11
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
------------------------------------------------------------------------
9-17
IPv4 Information
------------------------------------------------------------------------
subscriber-type :IPv4 PPPox
ipv4-address :120.121.1.2
vrf-name :
vpn-id :0
gateway :120.121.1.1
primary-dns :1.1.1.1
second-dns :2.2.2.2
record-status :CREATED
************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
Configuration Flow
1. Configure the access of PPPoE users and IPoE users.
2. Configure the maximum number of PPPoE users and maximum number of IPoE users
allowed to access the network through the VCC interface.
9-18
Configuration Commands
1. For the basic configuration of PPPoE access, refer to the "PPPoEv4 Configuration
Examples" section. For the basic configuration of IPoE access, refer to the "IPoEv4
configuration examples" section.
2. Configure the maximum number of users allowed to access the network through the
VCC interface:
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface gei-0/0/0/2
ZXR10(config-vcc-if)#access max-ipox-session 20
ZXR10(config-vcc-if)#access max-pppox-session 30
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
3. View the configuration:
ZXR10(config)#show running-config uim
!<UIM>
vbui-configuration
interface vbui200
$
$
vcc-configuration
interface gei-0/0/0/2
access max-pppox-session 30
access max-ipox-session 20
ipox authentication-type ipv4 dhcpv4 cir-map
encapsulation multi
pppox template 123
$
$
!</UIM>
Configuration Verification
A large number of PC users start PPPoE dial-up connections and IPoE dial-up connections
through the same VCC interface. Run the show subscriber pppox circuit gei-0/0/0/2
statistics command to check whether these subscribers have come online. The execution
result is displayed as follows:
ZXR10(config)#show subscriber pppox circuit gei-0/0/0/2 statistics
-------------------------------------------------------------------------------
session: total up down
IPv4 30 30 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 30 30 0 0 0
9-19
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 30 30 0 0 0
-------------------------------------------------------------------------------
9-20
Authentication Push
The working procedure of authentication push is as follows:
1. Assign a PC attempting to access the network with an IP address.
Before the PC user passes Web authentication, the corresponding ACL is used to
restrict the user's access permissions. For example, the PC user can only access
some free websites (including portal websites).
2. Redirect the PC user to a Web user authentication page.
After the PC user launches a Web browser and enters an IP address, a TCP
connection is established between the PC and ZXR10 M6000, and then an HTTP
packet is sent to the Portal client (the ZXR10 M6000) for further processing.
The Portal client re-constructs an HTTP packet and sends it to the PC user. The
packet carries the address of redirecting the PC user to the Portal server. The user
accesses the Portal server after obtaining the redirection address. Upon receipt of an
HTTP request, the Portal server returns a Web user authentication page to the user.
3. Start web authentication on the user.
The user enters and submits the username and password on the Web authentication
page. The format of the username is username@name of the domain where the user
is located.
Upon receipt of the authentication request from the user, the Portal server determines
the authentication type. If the authentication type is CHAP authentication, the Portal
10-1
server sends a Challenge request to the Portal client (the ZXR10 M6000). After
the Portal server receives an acknowledgement from the Portal client, it sends an
authentication request carrying the entered username and password to the Portal
client.
After the Portal client receives the username and password, it searches for the
authentication mode based on the domain name. If the authentication mode is local
authentication, the local authentication flow is started. If the authentication mode is
RADIUS authentication, the Portal client sends the username and password to the
RADIUS server for authentication.
If authentication is passed, the ZXR10 M6000 permits the user to access the network,
and informs the Portal Server that the user has passed authentication. The Portal
Server informs the user of the authentication result on the Web page through HTTP
mode.
If authentication fails, theZXR10 M6000 informs the Portal server that the user fails to
pass authentication, and the Portal server informs the user of the authentication result
on the Web page through HTTP mode.
The ZXR10 M6000 supports authentication push for IPoX users and MHoX users.
Advertisement Push
The advertisement push works either in PADM or PORTAL mode.
l The working procedure of PADM-mode advertisement push is as follows:
1. After a user logs onto the network, a push page is displayed.
2. An IPCP negotiation starts. If the negotiation is successful, a URL is sent to the
user through a PPPoE PADM message.
3. Upon arrival of the PADM message, the client launches an IE browser, and a
specified page is displayed.
Note:
PROTAL mode is applicable to the case where the PADM message is unrecognizable
for some clients.
10-2
After a logged user launches a browser for the first time, the WEB page is redirected
to the page that is pre-configured on the BRAS, regardless of which address he or
she enters.
The ZXR10 M6000 supports restricted advertisement push for IPoX users, MHoX users,
and PPPoX users. It also supports non-restricted advertisement push for PPPoX users.
Arrear Push
Arrear push is divided into two types: RADIUS-based arrear push and forced push
(configured in the authorization template).
l The working procedure of the RADIUS-based arrear push is as follows:
1. A user passes RADIUS authentication.
2. The RADIUS server sends an "Authentication passed" message that carries
an arrear flag (ZTE_AUTH_ACTION) and an arrear URL. The arrear flag must
be sent through the RADIUS server, and the arrear URL can be obtained by
configuring a redirect URL in the local user template. The user redirection page
is provided by the arrear server.
3. Each time the user attempts to access the network, an arrear page is displayed,
prompting that the account is in arrears, and network access is denied.
The ZXR10 M6000 supports arrear push for IPoX users, PPPoX users, LNS users,
and MHoX users.
The ZXR10 M6000 supports forced push for IPoX users, PPPoX users, and LNS
users.
Steps
1. Configure forced push.
Before the authentication page push configuration, ensure that the network
access configuration of users and the corresponding PORTAL configuration
have been completed. The PORTAL configuration is performed in
config-submanage-websvr-server-id mode.
10-3
10-4
<count>: sets the page push amount for PPP users, range: 1–2147483647.
Note:
ppp url-mode {portal | padm} and ppp url <url> should be configured at the same
time; otherwise, the PPPoX advertisement push does not work.
10-5
10-6
Command Description
10-7
Command Description
– End of Steps –
Configuration Flow
1. Configure PPPoE user access.
2. Configure PPPoX advertisement push contents.
3. Configure the PORTAL server.
Configuration Procedure
1. For the basic configuration relating to PPPoE user access, refer to the "PPPoEv4
Configuration Examples" section, keep in mind that the authorization mode of the
authorization template should be set to mix-radius, that is, the push parameters are
sent through the ZXR10 M6000 or RADIUS router. The following use the procedure
of sending push parameters through the ZXR10 M6000 as an example.
2. Configure the PPPoX advertisement push.
10-8
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)authorization-type mix-radius
ZXR10(config-submanage-author-template)#ppp url-mode portal
ZXR10(config-submanage-author-template)#ppp url
http://192.168.105.112:88/LoginOn.jsp
ZXR10(config-submanage-author-template)#ppp web-force timer 5 count 3
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#exit
3. In the CMD window of the PORTAL server, configure a return route for the redirect
page.
C:\Documents and Settings\Administrator>route add 179.18.0.0 255.255.0.0
192.168.4.2 –p /*179.18.0.0/16 refers to the network segment
assigned to the user after he or she logs onto the network.
192.168.4.2 refers to the IP address of the BRAS,
and p refers to a permanent route*/
Configuration Verification
After the PC user successfully establishes a PPPoE dial-up connection
(username/password: user1@pppoe/123), run the show subscriber pppox <ipv4-address>
command on the BRAS to view the detailed information of the user. After launching a
browser, this user is redirected to the pre-configured page, regardless of which address
he or she enters.
ZXR10(config)#show subscriber pppox ipv4-address 179.18.0.2
*******************************************************************************
Subscriber Verbose Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 83
user-name : user1
domain-name : pppoe
local-domain-name : pppoe
authorize-domain-name : pppoe
mac-address : 0025.1165.5960
session-id : 92
authentication-mode : RADIUS
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
10-9
hot-bak-status : NONE
circuit-information : smartgroup6 [vlan:0 sec-vlan:0]
vbui-interface : vbui113
create-time : 2011/09/20 10:51:56
authentication-time : 2011/09/20 10:51:56
online-time : 383
limited-status :UNLIMITED
restTimeType : ABSOLUTE
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 600
sessionLimitType: 0 acctSession : 10515686ppp0dda0025116559600052
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 PPPox
ipv4-address : 179.18.0.2
gateway-address : 179.18.0.1
vrf-name :
vpn-id : 0
primary-dns : 1.1.1.1
second-dns : 2.2.2.2
ip-pool-name : pool199
igmpProfile : 0
tcp-session-limit : 0
10-10
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
10-11
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 4675 upCycleCount : 0
downBytes(Bytes) : 10202 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 21 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 19 downIspNoChargeCycleCount : 0
upPackets(Packets) : 21 upPacketCycleCount : 0
downPackets(Packets) : 19 downPacketCycleCount : 0
Configuration Flow
1. Configure PPPoE user access.
2. Configure the arrear advertisement push contents.
3. Configure the arrear server.
4. Verify the configuration.
Configuration Procedure
1. For the basic configuration relating to PPPoE user access, refer to the "PPPoEv4
Configuration Examples" section. The arrear push only supports sending the arrear
flag through the RADIUS server, and the redirect URL can be sent through the
10-12
ZXR10 M6000 or RADIOUS server. In this case, the authorization template should
be configured to use RADIUS authentication, and the authorization mode of the
authorization template can be set to mix-radius (that is, both the ZXR10 M6000 or
RADIUS router can send the push parameters). The following use the procedure of
sending a redirect URL through the ZXR10 M6000 as an example.
2. Configure the arrear push.
ZXR10(config)#ipv4-access-list owe
ZXR10(config-ipv4-acl)#rule permit ip any 192.168.112.106 0.0.0.0
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui1600
ZXR10(config-vbui-if)#redirect-web-acl owe
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#redirect-url
http://192.168.112.106:88/LoginOn.jsp
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#exit
3. In the CMD window of the arrear server, configure a return route for the redirect page.
C:\Documents and Settings\Administrator>route add 164.1.0.0 255.255.0.0
192.168.4.7 –p /*164.1.0.0/16 refers to the network segment assigned
to the user for accessing the network 192.168.4.7 refers to the IP address of the
BRAS, and p refers to a permanent route.*/
Configuration Verification
After a PC user successfully establishes a PPPoE dial-up connection
(username/password: user1@pppoe), run the show subscriber pppox interface verbose
command on the BRAS to view the detailed information of the user. Verify that
charge-status: OWE is displayed, that is, the arrear flag has been sent to the user. After
launching a browser, this user is redirected to the pre-configured page regardless of
which address he or she enters.
ZXR10(config)#show subscriber pppox interface smartgroup8.888 verbose
*******************************************************************************
Subscriber Verbose Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
10-13
user-identify : 35425
family-identify : 0
user-name : user1
domain-name : pppoe
local-domain-name : pppoe
authorize-domain-name : pppoe
mac-address : 0021.86f8.c5b1
session-id : 65
authentication-mode : RADIUS
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-bak-status : NONE
circuit-information : smartgroup8.888 [vlan:350 sec-vlan:0]
vbui-interface : vbui1600
create-time : 2011/10/19 13:35:51
authentication-time : 2011/10/19 13:35:51
online-time : 3348
limited-status : OWE
restTimeType : ABSOLUTE
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
10-14
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 PPPox
ipv4-address : 164.1.1.2
gateway-address : 164.1.1.1
vrf-name :
vpn-id : 0
primary-dns : 50.60.70.80
second-dns : 80.80.80.8
ip-pool-name :pool199
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
10-15
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 3318 upCycleCount : 0
downBytes(Bytes) : 9582 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 16 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 12 downIspNoChargeCycleCount : 0
upPackets(Packets) : 16 upPacketCycleCount : 0
downPackets(Packets) : 12 downPacketCycleCount : 0
10-16
11-1
When a subscriber comes online through a cross-board SmartGroup interface, the BRAS
device synchronizes the information (including protocol data and related service data)
associated with the subscriber to all line cards of the member interfaces. If one of the
line cards powers down, the subscriber does not fall offline. All protocol packets of the
subscriber are handed over to other member boards. In addition, the downlink packets
can be shared through the load sharing function of the Link Aggregation Control Protocol
(LACP).
At present, BRAS Smartgroup access supports the IPoE boot-strap authentication and
PPPoE function. The difference from the IPoE function and PPPoE function described
previously is that the SmartGroup interface here is an aggregation interface supporting
cross-board accesses.
Context
The differences between the configuration of BRAS SmartGroup access and those of
IPoE access and PPPoE access is that a SmartGroup interface is associated with a VCC
interface on the user side. Here, only the configuration commands of a SmartGroup
interface are described. For other configuration commands, refer to the "Configuring
IPoEv4" section and the "Configuring PPPoEb4" section.
Steps
1. To configure a BRAS SmartGroup interface, perform the following steps:
11-2
on: static trunk. The LACP does not run in this mode. Both aggregated ends should
be set to "on" mode.
Note:
The aggregation mode of the interface should be consistent with that of the
SmartGroup interface. Otherwise, the interface cannot be added to the SmartGroup.
Command Function
– End of Steps –
11-3
As shown in Figure 11-1, interfaces gei-0/1/0/1 and gei-0/1/0/2 on the ZXR10 M6000 are
connected to interfaces gei_3/1 and gei_3/2 on the LAN switch, respectively. Interfaces
gei-0/1/0/1 and gei-0/1/0/2 are aggregated to a SmartGroup.
Configuration Flow
1. Create a SmartGroup logical access interface, and configure LACP attribute on the
interface.
2. Add member ports to the SmartGroup interface.
3. Configure an AAA authentication template, and associate it with a domain. Configure
a PPPoE template, and configure related PPP attributes in the template.
4. Configure a user-side interface, and configure a PPPoE address pool on the interface.
Associate the interface with the domain.
5. Configure a subscriber through the RADIUS software.
6. Create a VCC sub-interface. Associate the PPPoE template with the VCC interface.
Configure QinQ on the VCC sub-interface.
Configuration Commands
1. Create a SmartGroup logical access interface, and configure the LACP attribute on
the interface.
ZXR10(config)#interface smartgroup64
ZXR10(config-if-smartgroup64)#exit
ZXR10(config)#lacp
ZXR10(config-lacp)#interface smartgroup64
ZXR10(config-lacp-sg-if-smartgroup64)#lacp mode on
ZXR10(config-lacp-sg-if-smartgroup64)#exit
ZXR10(config-lacp)#exit
2. Add member ports to the SmartGroup interface.
ZXR10(config)#lacp
ZXR10(config-lacp)#interface gei-0/1/0/1
ZXR10(config-lacp-member-if-gei-0/1/0/1)#smartgroup 64 mode on
ZXR10(config-lacp-member-if-gei-0/1/0/1)#exit
ZXR10(config-lacp)#interface gei-0/1/0/2
ZXR10(config-lacp-member-if-gei-0/1/0/2)#smartgroup 64 mode on
11-4
ZXR10(config-lacp-member-if-gei-0/1/0/2)#exit
ZXR10(config-lacp)#exit
3. Configure an AAA authentication template, and associate it with a domain. Configure
a PPPoE template, and configure related PPP attributes in the template.
ZXR10(config)#interface gei-0/2/0/2
ZXR10(config-if-gei-0/2/0/2)#no shutdown
ZXR10(config-if-gei-0/2/0/2)#ip address 192.168.5.110 255.255.0.0
ZXR10(config-if-gei-0/2/0/2)#exit
ZXR10(config)#radius authentication-group 10
ZXR10(config-authgrp-10)#server 1 192.168.112.111 master key zte
ZXR10(config-authgrp-10)#deadtime 0
ZXR10(config-authgrp-10)#user-name-format include-domain
ZXR10(config-authgrp-10)#nas-ip-address 192.168.5.110
ZXR10(config-authgrp-10)#exit
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type radius
ZXR10(config-submanage-authen-template)#authentication-radius-group 10
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type none
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#accounting-template zte
ZXR10(config-submanage-accounting-template)#accounting-type none
ZXR10(config-submanage-accounting-template)#exit
ZXR10(config-submanage)#pppox-cfg 199
ZXR10(config-submanage-pppox)#exit
ZXR10(config-submanage)#domain domain199
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#bind accounting-template zte
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#exit
4. Configure a user-side interface, and configure a PPPoE address pool on the interface.
Associate the interface with the domain.
ZXR10(config)#interface vbui199
ZXR10(config-if-vbui199)#ip address 199.1.1.1 255.255.0.0
ZXR10(config-if-vbui199)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui199
11-5
ZXR10(config)#vlan-configuration
ZXR10(config-vlan)#interface smartgroup64.1
ZXR10(config-vlan-if-smartgroup64.1)#qinq internal-vlanid 1
external-vlanid 100
ZXR10(config-vlan-if-smartgroup64.1)#end
Configuration Verification
Execute the show subscriber command, and verify that the subscriber has been online, as
shown below.
ZXR10(config)#show subscriber ipv4-address 199.1.1.2
*******************************************************************************
Subscriber Verbose Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 155
family-identify : 0
user-name : pppoe
domain-name : domain199
local-domain-name : domain199
authorize-domain-name : domain199
mac-address : 0010.9400.0bf6
11-6
session-id : 15
authentication-mode : RADIUS
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-back-status : NONE
circuit-information : smartgroup64.1 [vlan:100 sec-vlan:1]
vbui-interface : vbui199
create-time : 2011/05/09 11:10:15
authentication-time : 2011/05/09 11:10:15
online-time : 16
limited-status : UNLIMITED
restTimeType : ABSOLUTE
vpdnAcctClass :
dpi-policy : 0
user-priority-input :
user-priority-output :
route-map-name :
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 600
sessionLimitType: 0 acctSession : 15215591ppp0e25001094000
001000f
-------------------------------------------------------------------------------
11-7
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 PPPox
ipv4-address : 199.1.1.2
gateway-address : 199.1.1.1
vrf-name :
vpn-id : 0
primary-dns : 1.1.1.1
second-dns : 2.2.2.2
ip-pool-name : pool199
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
11-8
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
11-9
Configuration Flow
1. Create a SmartGroup logical access interface, and configure LACP attribute on the
interface.
2. Add member ports to the SmartGroup interface.
3. Configure an AAA authentication template, and associate it with a domain.
4. Configure a user-side interface, and configure an IP-HOST address pool on the
interface. Associate the interface with the domain.
5. Configure a subscriber through the RADIUS software.
6. Create a VCC sub-interface. Configure QinQ on the VCC sub-interface.
7. Configure IP-HOST with a VLAN, a username and a domain name on the VBUI
interface.
8. Configure a static IP address on the client. The IP address is the same as the IP-HOST
address.
Configuration Commands
1. Create a SmartGroup logical access interface, and configure the LACP attribute on
the interface.
ZXR10(config)#interface smartgroup64
ZXR10(config-if-smartgroup64)#exit
ZXR10(config)#lacp
ZXR10(config-lacp)#interface smartgroup64
ZXR10(config-lacp-sg-if-smartgroup64)#lacp mode on
ZXR10(config-lacp-sg-if-smartgroup64)#exit
2. Add member ports to the SmartGroup interface.
ZXR10(config)#lacp
ZXR10(config-lacp)#interface gei-0/1/0/1
ZXR10(config-lacp-member-if-gei-0/1/0/1)#smartgroup 64 mode on
ZXR10(config-lacp-member-if-gei-0/1/0/1)#exit
ZXR10(config-lacp)#interface gei-0/1/0/2
ZXR10(config-lacp-member-if-gei-0/1/0/2)#smartgroup 64 mode on
ZXR10(config-lacp-member-if-gei-0/1/0/2)#exit
3. Configure an AAA authentication template, and associate it with a domain.
11-10
ZXR10(config)#interface gei-0/2/0/2
ZXR10(config-if-gei-0/2/0/2)#no shutdown
ZXR10(config-if-gei-0/2/0/2)#ip address 192.168.5.110 255.255.0.0
ZXR10(config-if-gei-0/2/0/2)#exit
ZXR10(config)#radius authentication-group 10
ZXR10(config-authgrp-10)#server 1 192.168.112.111 master key zte
ZXR10(config-authgrp-10)#deadtime 0
ZXR10(config-authgrp-10)#user-name-format include-domain
ZXR10(config-authgrp-10)#nas-ip-address 192.168.5.110
ZXR10(config-authgrp-10)#exit
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type radius
ZXR10(config-submanage-authen-template)#authentication-radius-group 10
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type none
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#accounting-template zte
ZXR10(config-submanage-accounting-template)#accounting-type none
ZXR10(config-submanage-accounting-template)#exit
ZXR10(config-submanage)#domain domain199
ZXR10(config-submanage-domain)#bind authentication-template xte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#bind accounting-template zte
ZXR10(config-submanage-domain)#exit
4. Configure a user-side interface, and configure an IP-HOST address pool on the
interface. Associate the interface with the domain.
ZXR10(config)#interface vbui199
ZXR10(config-if-vbui199)#ip address 199.1.1.1 255.255.0.0
ZXR10(config-if-vbui199)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui199
ZXR10(config-vbui-if)#ip-pool pool-name pool199 pool-id 199
ZXR10(config-vbui-if-ip-pool)#access-domain domain199
ZXR10(config-vbui-if-ip-pool)#member 1
ZXR10(config-vbui-if-ip-pool-member)#start-ip 199.1.1.1 end-ip 199.1.2.1
ZXR10(config-vbui-if-ip-pool-member)#static-ip 199.1.1.10 199.1.1.100
ZXR10(config-vbui-if-ip-pool-member)#exit
11-11
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface smartgroup64.1
ZXR10(config-vcc-if)#encapsulation multi
ZXR10(config-vcc-if)#exit
ZXR10(config)#vlan-configuration
ZXR10(config-vlan)#interface smartgroup64.1
ZXR10(config-vlan-if-smartgroup64.1)#qinq internal-vlanid 1
external-vlanid 100
ZXR10(config-vlan-if-smartgroup64.1)#end
6. Configure IP-HOST with a VLAN, a username and a domain name on the VBUI
interface.
ZXR10 (config)#vbui-configuration
ZXR10(config-vbui)#interface vbui199
ZXR10(config-vbui-if)#ip-host 199.1.1.10 smartgroup64.1 vlan 100 sec-vlan 1
user-info iphost domain199 123 detect 5
Configure a static IP address on the client. The IP address is the same as the IP-HOST
address.
Configuration Verification
Execute the show subscriber command, and verify that the subscriber has been online, as
shown below.
ZXR10(config)#show subscriber ipv4-address 199.1.1.10
*******************************************************************************
Subscriber Verbose Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 156
family-identify : 0
user-name : iphost
domain-name : domain199
local-domain-name : domain199
authorize-domain-name : domain199
mac-address : 0010.9400.0bf6
session-id : 0
authentication-mode : RADIUS
authentication-status : ACCEPT
11-12
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-back-status : NONE
circuit-information : smartgroup64.1 [vlan:100 sec-vlan:1]
vbui-interface : vbui199
create-time : 2011/05/09 11:15:15
authentication-time : 2011/05/09 11:15:15
online-time : 20
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 600
sessionLimitType: 0 acctSession : 10182445---05f2001094000
0020000
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 HOST
11-13
ipv4-address : 199.1.1.10
gateway-address : 199.1.1.1
vrf-name :
vpn-id : 0
primary-dns :
second-dns :
ip-pool-name : pool199
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
11-14
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
11-15
11-16
12-1
Context
ATM access differs from Ethernet access in that is applies the ULEI interface to the VCC
interface. To configure ATM access is to create a ULEI access interface, and then configure
a mapping relationship between the PVC and ULEI interface.
Steps
1. Configure ATM access on the ZXR10 M6000.
12-2
Command Function
– End of Steps –
Configuration Flow
1. Create a ULEI access interface, and configure the mapping relationship between the
ULEI interface and the ATM physical interface.
2. Configure the authentication, authorization, and accounting templates, and associate
them with the domain. Configure the PPPoX template, and configure the related PPP
attribute in this template.
3. Configure the interface on the user side, configure an address pool under the vbui
interface, and associate them with the domain.
4. Configure subscribers on the RADIUS server.
5. Set the VCC interface to the ULEI sub-interface, and associate the PPPoX template
with the VCC interface.
Configuration Commands
1. Create a ULEI access interface, and configure the mapping relationship between the
ULEI interface and the ATM physical interface.
ZXR10(config)#request interface ulei-0/0/0/2
12-3
ZXR10(config)#interface atm622-0/0/0/2
ZXR10(config-if-atm622-0/0/0/2)#pvc 1 0 32
ZXR10(config-if-atm622-0/0/0/2-atm-vc)#map-to ulei-0/0/0/2
ZXR10(config-if-atm622-0/0/0/2-atm-vc)#exit
ZXR10(config-if-atm622-0/0/0/2)#exit
2. Configure the authentication, authorization, and accounting templates, and associate
them with the domain. At the same time, configure the PPPoX template, and configure
the related PPP attribute in this template.
ZXR10(config)#interface gei-0/0/1/3
ZXR10(config-if-gei-0/0/1/3)#no shutdown
ZXR10(config-if-gei-0/0/1/3)#ip address 192.168.5.110 255.255.0.0
ZXR10(config-if-gei-0/0/1/3)#exit
ZXR10(config)#radius authentication-group 10
ZXR10(config-authgrp-10)#server 1 192.168.112.111 master key zte
ZXR10(config-authgrp-10)#deadtime 0
ZXR10(config-authgrp-10)#user-name-format include-domain
ZXR10(config-authgrp-10)#nas-ip-address 192.168.5.110
ZXR10(config-authgrp-10)#exit
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type radius
ZXR10(config-submanage-authen-template)#authentication-radius-group 10
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#pppox-cfg 331
ZXR10(config-submanage-pppox)#exit
ZXR10(config-submanage)#domain zte.331
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#exit
3. Configure the interface on the user side, configure the address pool under the vbui
interface, and associate them with the domain.
ZXR10(config)#interface vbui331
ZXR10(config-if-vbui331)#ip address 211.1.1.1 255.255.255.0
ZXR10(config-if-vbui331)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui331
ZXR10(config-vbui-if)#ip-pool pool-name 331 pool-id 331
ZXR10(config-vbui-if-ip-pool)#access-domain zte.331
12-4
ZXR10(config-vbui-if-ip-pool)#pppoe-dns-server 1.1.1.1
ZXR10(config-vbui-if-ip-pool)#pppoe-dns-server 2.2.2.2 second
ZXR10(config-vbui-if-ip-pool)#member 1
ZXR10(config-vbui-if-ip-pool-member)#start-ip 211.1.1.1 end-ip 211.1.1.255
ZXR10(config-vbui-if-ip-pool-member)#exit
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
4. Configure subscribers on the RADIUS server.
5. Configure the VCC interface.
ZXR10(config)#interface ulei-0/0/0/2.331
ZXR10(config-if-ulei-0/0/0/2.331)#no shutdown
ZXR10(config-if-ulei-0/0/0/2.331)#exit
ZXR10(config)#vlan-configuration
ZXR10(config-vlan)#interface ulei-0/0/0/2.331
ZXR10(config-vlan-if-ulei-0/0/0/2.331)#encapsulation-dot1q 331
ZXR10(config-vlan-if-ulei-0/0/0/2.331)#exit
ZXR10(config-vlan)#exit
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface ulei-0/0/0/2.331
ZXR10(config-vcc-if)#pppox template 331
ZXR10(config-vcc-if)#encapsulation ppp-over-ethernet
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
Configuration Verifications
Run the show subscriber pppox command, and verify that information of the online
subscribers is proper.
ZXR10(config)#show subscriber pppox
*******************************************************************************
Subscriber Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :111
user-name :yanbd
domain-name :zte.331
local-domain-name :zte.331
authorize-domain-name :zte.331
mac-address :0010.9461.0001
session-id :5
12-5
access-interface :ulei-0/0/0/2.331
internal-vlan :0
external-vlan :331
authentication-mode :RADIUS
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
authentication-time :2011/10/28 14:36:10
create-time :2011/10/28 14:36:10
online-time :216
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 PPPox
ipv4-address :211.1.1.1
vrf-name :
vpn-id :0
gateway :211.1.1.0
primary-dns :1.1.1.1
second-dns :2.2.2.2
record-status :CREATED
*******************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
12-6
13-1
l Dynamic users obtain their IP addresses through the DHCP, and their authentication,
authorization and accounting are implemented through DHCP+WEB Portal or DHCP
Option60 mode.
l Static users have fixed IP addresses, and their service modes can be private
line (common Layer-3 IP forwarding) or user management. Their authentication,
authorization and accounting are implemented through WEB Portal mode.
Figure 13-1 shows how a client accesses the Layer-3 network for BRAS services. The
Layer-3 device between the client and the BRAS can be a router, a Layer-3 switch, a
CMTS or a Layer-3 capable device. A Layer-3 network supports the deployment of one or
multiple Layer-3 devices.
Figure 13-2 shows how a dynamic user's IP address is obtained through the DHCP in
a Layer-3 network: Upon receipt of a DHCP request, the Layer-3 device transfers the
message to the DHCP Server through its DHCP Relay, and then the DHCP Server assigns
an address to the dynamic user.
13-2
The procedure of different types of users access to the network is describes as follows.
1. Upon receipt of a DHCP Discover message from the PC client, the BRAS obtains
the user name by resolving it from the message based on Option60 and Option82,
and sends it to the RADIUS server for an authentication.
2. If the authentication is passed, the BRAS searches for the IP address pool based
on the address of the Relay Agent and Option60. If a match is found, it assigns
an IP address to the user.
3. The user is granted access to the network for BRAS services.
l WEB authentication
Figure 13-4 shows the flow of a WEB authentication.
13-3
1. Upon receipt of a DHCP Discover message from the PC client, the BRAS
searches for the IP address pool based on the address of the Relay agent,
Option60 and interface type. If a match is found, it assigns an IP address to the
user.
2. The PC client sends an HTTP message to the BRAS.
3. Based on the push mark of an item in the relation table, the BRAS redirects the
user to the authentication page that is pre-configured on the Portal Server.
4. After the user enters the username and password, an authentication request is
initiated. Upon arrival of the request, the Portal Server originates a Challenge
request to the BRAS based on the user information.
5. The BRAS returns a Challenge acknowledgement based on the user information.
6. The Portal Server sends an authentication request to the BRAS, and the BRAS
searches for the user information based on some indexes (such as the IP
address). If a match is found, the BRAS sends an authentication request to the
RADIUS server based on the user information and user type.
7. The RADIUS server authenticates the user information, and returns the result to
the BRAS. If the authentication is passed, the BRAS clears the push mark of the
item in the relation table, and updates the item. This means that the user can
access the external network services through the BRAS.
8. The BRAS sends the authentication result to the Portal Server, and the Portal
Server notifies the user of the authentication result.
9. The user is granted access to the network for BRAS services.
13-4
13-5
If a match is found, the BRAS sends an authentication request to the RADIUS server
based on the user information and user type.
8. The RADIUS server authenticates the user information, and returns the result to the
BRAS. If the authentication is passed, the BRAS clears the Push mark of the item in
the relation table, and updates the item. This means that the user can access the
external network services through the BRAS.
9. The BRAS sends the authentication result to the Portal Server, and the Portal Server
notifies the user of the authentication result.
10. The user is granted access to the network for BRAS services.
Context
Users can access the layer-3 networks through the DHCP or Multi-Hops Over X (MHOX,
where X refers to the access mode, such as Ethernet or ATM).
Steps
1. Configure an address pool.
2. Configure DHCP.
13-6
13-7
13-8
4. Configure a domain.
13-9
13-10
optionstring: Specifies the option60 content as the domain name, and specifies
"option60" as the username type.
optionparse: Applies the format of "domain name/password" to resolve the option60
field. The password type is not required.
13-11
Command Description
– End of Steps –
Context
Users can access the layer-3 networks through the DHCP or Multi-Hops Over X (MHOX,
where X refers to the access mode, such as Ethernet or ATM). The MHOX users are
sub-divided into the following categories:
l Static users (authorization only)
l Static users (authentication and authorization)
l Stream users
Steps
1. Configure an SAL.
13-12
2. Configure a domain.
13-13
Command Description
– End of Steps –
Context
Users can access the layer-3 networks through the DHCP or Multi-Hops Over X (MHOX,
where X refers to the access mode, such as Ethernet or ATM). The MHOX users are
sub-divided into the following categories:
13-14
Steps
1. Configure the Web server.
2. Configure a domain.
13-15
13-16
Command Description
– End of Steps –
Context
Users can access the layer-3 network through the DHCP or Multi-Hops Over X (MHOX,
where X refers to the access mode, such as Ethernet or ATM). The MHOX users are
sub-divided into the following categories:
13-17
Steps
1. Configure the Web server.
2. Configure a domain.
13-18
Command Description
13-19
Command Description
– End of Steps –
Configuration Flow
1. Configure DHCP Relay on the Relay device.
2. Configure a domain and an authentication template on the Server.
3. Configure layer-3 access and related information on the Server.
4. On the Server, configure a route to the Relay device.
5. After a DHCP option user establishes a dial-up connection, run the show subscriber
multi-hop command to view his or her information.
Configuration Procedure
1. The configuration on the Relay device is as follows:
ZXR10(config)#interface gei-0/0/0/1
ZXR10(config-if-gei-0/0/0/1)#no shutdown
ZXR10(config-if-gei-0/0/0/1)#ip address 183.8.0.1 255.255.0.0
13-20
ZXR10(config-if-gei-0/0/0/1)#exit
ZXR10(config)#interface gei-0/0/0/2
ZXR10(config-if-gei-0/0/0/2)#no shutdown
ZXR10(config-if-gei-0/0/0/2)#ip address 83.8.0.1 255.255.255.252
ZXR10(config-if-gei-0/0/0/2)#exit
ZXR10(config)#dhcp
ZXR10(config-dhcp)#enable
ZXR10(config-dhcp)#interface gei-0/0/0/1
ZXR10(config-dhcp-if-gei-0/0/0/1)#mode relay
ZXR10(config-dhcp-if-gei-0/0/0/1)#relay server group 1
ZXR10(config-dhcp-if-gei-0/0/0/1)#relay agent 183.8.0.1
ZXR10(config-dhcp-if-gei-0/0/0/1)#exit
ZXR10(config-dhcp)#exit
2. The domain configuration and authentication template configuration on the Server are
as follows:
ZXR10(config)#radius authentication-group 2000
ZXR10(config-authgrp-2000)#server 1 192.168.106.2 master key zte
ZXR10(config-authgrp-2000)#deadtime 0
ZXR10(config-authgrp-2000)#nas-ip-address 192.168.4.10
ZXR10(config-authgrp-2000)#exit
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type radius
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#accounting-template zte
ZXR10(config-submanage-accounting-template)#accounting-type radius
ZXR10(config-submanage-accounting-template)#exit
13-21
ZXR10(config-submanage)#domain zy-mhox
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#bind accounting-template zte
ZXR10(config-submanage-domain)#dhcp-mode server
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#local-subscriber zy-mhox domain-name zy-mhox password
test /*If local mode is applied in an AAA authentication, a local user
should be configured*/
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#exit
3. The layer-3 access configuration on the Server is as follows:
ZXR10(config)#interface gei-0/1/0/1
ZXR10(config-if-gei-0/1/0/1)#no shutdown
ZXR10(config-if-gei-0/1/0/1)#ip address 83.8.0.2 255.255.0.0
ZXR10(config-if-gei-0/1/0/1)#exit
ZXR10(config)#l3-access-configuration
ZXR10(config-l3-access)#interface gei-0/1/0/1
ZXR10(config-l3-access-if)#ipox authentication-type ipv4 dhcpv4 option
ZXR10(config-l3-access-if)#dhcp-v4 auth-on-up username-type option60 domain-type
optionstring passwordtype config test
ZXR10(config-l3-access-if)#exit
ZXR10(config-l3-access)#exit
ZXR10(config)#dhcp
ZXR10(config-dhcp)#enable
ZXR10(config-dhcp)#interface gei-0/1/0/1
13-22
ZXR10(config-dhcp-if-gei-0/1/0/1)#mode server
ZXR10(config-dhcp-if-gei-0/1/0/1)#policy zy-mhox
ZXR10(config-dhcp-if-gei-0/1/0/1)#user quota 32000
/*Specify a proper access number based on requirements*/
ZXR10(config-dhcp-if-gei-0/1/0/1)#exit
ZXR10(config-dhcp)#exit
4. On the Server, configure a route to the Relay device by using a static or dynamic
routing protocol. The following uses a static route as an example.
ZXR10(config)#ip route 183.8.0.0 255.255.0.0 83.8.0.1
Configuration Verification
After the user establishes a dial-up connection, run the show subscriber multi-hop
command on the Server to view his or her information.
ZXR10(config)#show subscriber multi-hop ipv4-address 183.8.0.2
**************************************************************************
Subscriber Verbose Information
--------------------------------------------------------------------------
Basic Information
--------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 1
family-identify : 0
user-name : zy-mhox
domain-name : zy-mhox
local-domain-name : zy-mhox
authorize-domain-name : zy-mhox
mac-address : 0010.94ab.0001
session-id : 0
authentication-mode : RADIUS
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-bak-status : NONE
circuit-information : gei-0/1/0/1 [vlan:0 sec-vlan:0]
vbui-interface :
create-time : 2012/08/01 10:26:08
authentication-time : 2012/08/01 10:26:08
online-time : 206
limited-status : UNLIMITED
restTimeType : ABSOLUTE
user-priority-input :
13-23
user-priority-output :
vpdnAcctClass :
route-map-name :
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0(unlimited) idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 0
sessionLimitType: acctSession :
--------------------------------------------------------------------------
IPv4 Information
--------------------------------------------------------------------------
subscriber-type : IPv4 DHCP SERVER(L3)
ipv4-address : 183.8.0.2
gateway-address : 183.8.0.1
vrf-name :
vpn-id : 0
primary-dns :
second-dns :
ip-pool-name :
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
13-24
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
13-25
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
Configuration Flow
1. Configure DHCP Relay on the Relay device.
2. Configure a domain and an authentication template on the Server.
3. Configure layer-3 access and DHCP Server on the Server.
4. On the Server, configure a route to the Relay device.
5. After a DHCP WEB user successfully logs onto the network, run the show subscriber
multi-hop command to view his or her information.
Configuration Procedure
DHCP WEB user access differs from DHCP Option user access only in the L3 interface
configuration.
For detailed procedure of the web-acl and web-server-group configuration, refer to the
"IPoEv4 Configuration Examples" section.
The WEB configuration on the Server is as follows:
ZXR10(config)#l3-access-configuration
ZXR10(config-l3-access)#interface gei-0/1/0/1
ZXR10(config-l3-access-if-gei-0/1/0/1)# ipox authentication-type ipv4 dhcpv4 web
13-26
ZXR10(config-l3-access-if-gei-0/1/0/1)#web-acl zy-mhox
ZXR10(config-l3-access-if-gei-0/1/0/1)#web-server-group 1
ZXR10(config-l3-access-if-gei-0/1/0/1)#web-force authentication
ZXR10(config-l3-access-if-gei-0/1/0/1)#exit
ZXR10(config-l3-access)#exit
Configuration Verification
After a DHCP WEB user logs onto the network, run the show subscriber multi-hop
command on the Server to view the user information.
ZXR10(config)#show subscriber multi-hop ipv4-address 183.8.0.2
*******************************************************************************
Subscriber Verbose Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 988
family-identify : 0
user-name : test
domain-name : test
local-domain-name : zy-mhox
authorize-domain-name : zhengchang
mac-address : 0014.7880.ba70
session-id : 0
authentication-mode : RADIUS
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 4
hot-bak-status : NONE
circuit-information : gei-0/1/0/1 [vlan:0 sec-vlan:0]
vbui-interface :
create-time : 2011/12/19 16:01:13
authentication-time : 2011/12/19 16:01:41
online-time : 72
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
13-27
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 100 restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 600
sessionLimitType: time acctSession : 16014274---117c00147880b
a700005
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 DHCP SERVER(L3)
ipv4-address : 183.8.0.2
gateway-address : 183.8.0.1
vrf-name :
vpn-id : 0
primary-dns :
second-dns :
ip-pool-name :
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name : 0
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
13-28
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 2048 subCarInfoUp-pir : 2048
subCarInfoUp-cbs : 250 subCarInfoUp-pbs : 250
subCarInfoDown-cir: 2048 subCarInfoDown-pir: 2048
subCarInfoDown-cbs: 250 subCarInfoDown-pbs: 250
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName : isp1-in
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 60 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
13-29
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 1 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 1 downPacketCycleCount : 0
Configuration Flow
1. Configure DHCP Relay on the Relay device.
2. Configure a domain and an authentication template on the Server.
3. Configure layer-3 access on the Server.
4. On the Server, configure a route to the Relay device.
5. After a static user successfully logs onto the network, run the show subscriber multi-hop
command to view his or her information.
Configuration Procedure
1. The configuration on the Relay device is as follows:
ZXR10(config)#interface gei-0/0/0/1
ZXR10(config-if-gei-0/0/0/1)#no shutdown
ZXR10(config-if-gei-0/0/0/1)#ip address 183.8.0.1 255.255.0.0
ZXR10(config-if-gei-0/0/0/1)#exit
ZXR10(config)#interface gei-0/0/0/2
ZXR10(config-if-gei-0/0/0/2)#no shutdown
ZXR10(config-if-gei-0/0/0/2)#ip address 83.8.0.1 255.255.255.252
ZXR10(config-if-gei-0/0/0/2)#exit
2. The domain configuration and authentication template configuration on the Server are
as follows:
13-30
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type radius
ZXR10(config-submanage-authen-template)#authentication-radius-group 2000
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#accounting-template zte
ZXR10(config-submanage-accounting-template)#accounting-type radius
ZXR10(config-submanage-accounting-template)#accounting-radius-group first 2000
ZXR10(config-submanage-accounting-template)#exit
ZXR10(config-submanage)#domain zy-mhox
ZXR10(config-submanage-domain-2000)#bind authentication-template zte
ZXR10(config-submanage-domain-2000)#bind authorization-template zte
ZXR10(config-submanage-domain-2000)#bind accounting-template zte
ZXR10(config-submanage-domain)#dhcp-mode server
ZXR10(config-submanage-domain-2000)#exit
ZXR10(config-submanage)#local-subscriber zy-mhox domain-name zy-mhox password
test /*If local mode is applied in an AAA authentication, a local user
should be configured*/
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#exit
3. The layer-3 access configuration on the Server is as follows:
ZXR10(config)#interface gei-0/1/0/1
ZXR10(config-if-gei-0/1/0/1)#no shutdown
ZXR10(config-if-gei-0/1/0/1)#ip address 83.8.0.2 255.255.0.0
ZXR10(config-if-gei-0/1/0/1)#exit
ZXR10(config)#l3-access-configuration
13-31
ZXR10(config-l3-access)#interface gei-0/1/0/1
ZXR10(config-l3-access-if)#pre-domain zy-mhox
ZXR10(config-l3-access-if)#ipox authentication-type ipv4 dhcpv4 web
ZXR10(config-l3-access-if)#web-acl zy-mhox
ZXR10(config-l3-access-if)#web-server-group 1
ZXR10(config-l3-access-if)#web-force authentication
/*The logged static users can be WEB-authenticated.
Prior to the command, the WEB and SAL should be configured and
validated. Otherwise, related attributes in the user table may be null. */
ZXR10(config-l3-access-if)#ipv4-multi-host start-ip 183.8.0.2 end-ip 183.8.0.10
/*The network segment should not conflict with other existing IP addresses*/
ZXR10(config-l3-access-if)#exit
ZXR10(config-l3-access)#exit
4. On the Server, configure a route to the Relay device by using a static or dynamic
routing protocol. The following uses a static route as an example.
ZXR10(config)#ip route 183.8.0.0 255.255.0.0 83.8.0.1
Configuration Verification
After a static user logs onto the network, run the show subscriber multi-hop command on
the Server to view the user information.
ZXR10(config)#show subscriber multi-hop ipv4-address 183.8.0.2
*******************************************************************************
Subscriber Verbose Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 986
family-identify : 0
user-name : test
domain-name : test
local-domain-name : zy-mhox
authorize-domain-name : zhengchang
mac-address : 0000.0000.0000
session-id : 0
authentication-mode : RADIUS
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 4
hot-bak-status : NONE
circuit-information : gei-0/1/01 [vlan:0 sec-vlan:0]
13-32
vbui-interface :
create-time : 2011/12/19 15:53:15
authentication-time : 2011/12/19 15:53:30
online-time : 21
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 100 restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 600
sessionLimitType: time acctSession : 15533123---09b4000000000
0000004
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 Multi-Hop
ipv4-address : 183.8.0.2
gateway-address :
vrf-name :
vpn-id : 0
primary-dns :
second-dns :
ip-poolId : 0
13-33
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 2048 subCarInfoUp-pir : 2048
subCarInfoUp-cbs : 250 subCarInfoUp-pbs : 250
subCarInfoDown-cir: 2048 subCarInfoDown-pir: 2048
subCarInfoDown-cbs: 250 subCarInfoDown-pbs: 250
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName : isp1-in
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
13-34
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 852 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 852 upCycleCount : 0
downBytes(Bytes) : 5964 downCycleCount : 0
upIspChargePackets : 4 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 5 downIspNoChargeCycleCount : 0
upPackets(Packets) : 4 upPacketCycleCount : 0
downPackets(Packets) : 5 downPacketCycleCount : 0
Configuration Flow
1. Configure DHCP Relay on the Relay device.
2. Configure a domain and an authentication template on the Server.
3. Configure layer-3 access and related information on the Server.
4. On the Server, configure a route to the Relay device.
5. After a stream user successfully logs onto the network, run the show subscriber multi-
hop command to view his or her information.
Configuration Procedure
Stream user access differs from static user access only in the L3 interface configuration.
13-35
For detailed procedure of the web-acl and web-server-group configuration, refer to the
"IPoEv4 Configuration Examples" section.
Configure the stream information on the Server.
ZXR10(config)#l3-access-configuration
ZXR10(config-l3-access)#interface gei-0/1/0/1
ZXR10(config-l3-access-if)#pre-domain zy-mhox
ZXR10(config-l3-access-if)#ipox authentication-type ipv4 dhcpv4 web
ZXR10(config-l3-access-if)#web-acl zy-mhox
ZXR10(config-l3-access-if)#web-server-group 1
ZXR10(config-l3-access-if)#web-force authentication
ZXR10(config-l3-access-if)#ipv4 user-access-list 183.8.0.0 mask 255.255.0.0
ZXR10(config-l3-access-if)#exit
ZXR10(config-l3-access)#exit
Configuration Verification
After a stream user logs onto the network, run the show subscriber multi-hop command on
the server to view the user information.
ZXR10(config)#show subscriber multi-hop ipv4-address 183.8.0.246
*******************************************************************************
Subscriber Verbose Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 985
family-identify : 0
user-name : test
domain-name : test
local-domain-name : zy-mhox
authorize-domain-name : zhengchang
mac-address : 0000.0000.0000
session-id : 0
authentication-mode : RADIUS
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 4
hot-bak-status : NONE
circuit-information :gei-0/1/0/1 [vlan:0 sec-vlan:0]
vbui-interface :
create-time : 2011/12/19 15:51:34
13-36
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 100 restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 600
sessionLimitType: time acctSession : 15514277---1459000000000
0000003
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 Multi-Hop
ipv4-address : 183.8.0.246
gateway-address :
vrf-name :
vpn-id : 0
primary-dns :
second-dns :
ip-pool-name :
igmpProfile : 0
13-37
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 2048 subCarInfoUp-pir : 2048
subCarInfoUp-cbs : 250 subCarInfoUp-pbs : 250
subCarInfoDown-cir: 2048 subCarInfoDown-pir: 2048
subCarInfoDown-cbs: 250 subCarInfoDown-pbs: 250
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName : isp1-in
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
13-38
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
13-39
13-40
l On the one hand, IPoE or PPPoE subscribers joining to IGMP groups can come online
through user-side multicast.
14-1
l On the other hand, after a subscriber joins an IGMP group, the maintenance of a
basic IGMP user multicast group is similar to that of network-side multicast. The
corresponding querier queries whether the user multicast group exists. The existence
of a user multicast group relies on the existence of users. If there is no user, the user
multicast group leaves.
Through the IGMP, a router records whether there is a group member of a specific multicast
group in the local segment instead of the corresponding relationship between the multicast
group and the host.
IGMP provides information that is necessary when packets are forwarded to the destination
(the last stage). The multicast routers and the hosts that receive multicast data exchange
information. The information is collected from the group members of the hosts that are
directly connected to the multicast routers.
IGMP employs two kinds of packets, group member query packets and group member
report packets.
l A multicast router periodically sends group member query packets to all hosts to know
which specific group members exist in the connected subnets.
l The hosts returns group member report packets, reporting the multicast group which
they belong to.
l When a host joins a new group, it sends a Join packet immediately instead of waiting
for a query for cases where the host is the first member of that group.
When a host starts to receive packets as a member of a group, the multicast router checks
whether members of the group take part in the process by periodically querying the group.
The multicast router continues to forward data as long as a host is still taking part in the
process.
When the host leaves the group, the multicast router receives a leaving packet and then it
immediately queries whether there are still active group members in the group. If any, the
multicast router continues to forward data. If not, it does not forward data.
Context
For more public multicast configuration commands, refer to “ZXR10 M6000 Configuration
Guide (IPv4 Multicast)”.
14-2
Steps
1. Configure public IP multicast.
<access-list-name>: name of the access list for the SSM group, 1 to 31 characters in
length.
14-3
b. After sending query message, the querier waits for the member report sent from
the host that receives the query message for a period. The wait duration is
the maximum response time carried in the query message. By default, it is 10
seconds.
c. After receiving the query message, a host member in the network segment
reduces a random deviation value based on the maximum response time. This
result is used as the own response time of the host member. During this period, if
the querier receives a report from another host member, this host member cancels
the report. Otherwise, the host member sends the host report when the response
time expires. Therefore, extending the maximum response time increases the
14-4
Command Function
14-5
14-6
Command Function
ZXR10#show ip igmp user group <group-address>[int Shows the number of users in the
erface <interface-name>]{summary | ipox | pppox | all} multicast group. The interface can be
specified.
ZXR10#show ip igmp user ip <ip-address>[group Shows the information about the user in
<group-ip-address>] the multicast group.
14-7
Command Function
Command Function
– End of Steps –
Configuration Flow
1. Configure an IP address on the network-side interface gei-0/0/1/1.
2. Configure an address on the VBUI interface. Enable PIM-SM on the network-side
interface and the VBUI interface.
14-8
Configuration Commands
1. Configuration on the network-side interface:
ZXR10(config)#interface gei-0/0/1/1
ZXR10(config-if-gei-0/0/1/1)#no shutdown
ZXR10(config-if-gei-0/0/1/1)#ip address 200.0.0.100 255.255.0.0
ZXR10(config-if-gei-0/0/1/1)#exit
ZXR10(config)#ip multicast-routing
ZXR10(config-mcast)#router pim
ZXR10(config-mcast-pim)#interface gei-0/0/1/1
ZXR10(config-mcast-pim-if-gei-0/0/1/1)#pimsm
ZXR10(config-mcast-pim-if-gei-0/0/1/1)#exit
ZXR10(config-mcast-pim)#exit
ZXR10(config-mcast)#exit
2. Configuration of the multicast template:
/*Allow Group 225.0.0.1 to 225.0.0.10 access to the network*/
ZXR10(config)#ipv4-access-list iptv
ZXR10(config-ipv4-acl)#rule 1 permit igmp any 225.0.0.1 0.0.0.0
ZXR10(config-ipv4-acl)#rule 2 permit igmp any 225.0.0.2 0.0.0.0
ZXR10(config-ipv4-acl)#rule 3 permit igmp any 225.0.0.3 0.0.0.0
ZXR10(config-ipv4-acl)#rule 4 permit igmp any 225.0.0.4 0.0.0.0
ZXR10(config-ipv4-acl)#rule 5 permit igmp any 225.0.0.5 0.0.0.0
ZXR10(config-ipv4-acl)#rule 6 permit igmp any 225.0.0.6 0.0.0.0
ZXR10(config-ipv4-acl)#rule 7 permit igmp any 225.0.0.7 0.0.0.0
ZXR10(config-ipv4-acl)#rule 8 permit igmp any 225.0.0.8 0.0.0.0
ZXR10(config-ipv4-acl)#rule 9 permit igmp any 225.0.0.9 0.0.0.0
ZXR10(config-ipv4-acl)#rule 10 permit igmp any 225.0.0.10 0.0.0.0
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#subscriber-manage
14-9
ZXR10(config-submanage)#igmp service-profile 1
ZXR10(config-submanage-igmp-service-profile-1)#access-group iptv
ZXR10(config-submanage-igmp-service-profile-1)#max-groups 40
ZXR10(config-submanage-igmp-service-profile-1)#max-prw-groups 50
ZXR10(config-submanage-igmp-service-profile-1)#prw-group 225.1.1.0
255.255.255.255 3 30 /*Set the preview group to 225.1.1.0,
the preview number to three, and the preview period 30 seconds*/
ZXR10(config-submanage-igmp-service-profile-1)#exit
ZXR10(config-submanage)#exit
3. Enable PIM-SM on the VBUI interface.
ZXR10(config)#interface vbui5
ZXR10(config-if-vbui5)#ip address 10.1.1.1 255.255.255.0
ZXR10(config-if-vbui5)#exit
ZXR10(config)#ip multicast-routing
ZXR10(config-mcast)#router pim
ZXR10(config-mcast-pim)#interface vbui5
ZXR10(config-mcast-pim-if-vbui5)#pimsm
ZXR10(config-mcast-pim-if-vbui5)#exit
ZXR10(config-mcast-pim)#exit
ZXR10(config-mcast)#exit
4. Bind the multicast template to the authorization template. Configure an authentication
template and an accounting template. (Here, IPoE Option60 access is used as an
example. For other access mode, refer to the "IPoEv configuration" section.)
5. If RADIUS authentication is used, deploy the attributes. RADIUS server deploys ZTE
private attribute ZTE-Service-Profile.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#igmp service-profile 1
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type local
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#domain option60
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#dhcp-mode server
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#local-subscriber 00-69-96-00-00-01 domain-name
option60 password 123
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#exit
ZXR10(config)#vbui-configuration
14-10
ZXR10(config-vbui)#interface vbui5
ZXR10(config-vbui-if)#ip-pool pool-name dhcppool pool-id 5
ZXR10(config-vbui-if-ip-pool)#access-domain option60
ZXR10(config-vbui-if-ip-pool)#ip dhcp instance server 256
ZXR10(config-vbui-if-ip-pool)#member 1
ZXR10(config-vbui-if-ip-pool-member)#start-ip 10.1.1.1 end-ip 10.1.1.255
ZXR10(config-vbui-if-ip-pool-member)#exit
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface gei-0/1/0/6
ZXR10(config-vcc-if)#ipox authentication-type ipv4 dhcpv4 option
ZXR10(config-vcc-if)#dhcp-v4 auth-on-up username-type mac domain-type optionparse
/*The two commands are not required for common subscribers*/
ZXR10(config-vcc-if)#encapsulation ip-over-ethernet
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
ZXR10(config)#dhcp
ZXR10(config-dhcp)#enable
ZXR10(config-dhcp)#end
Configuration Verification
Execute the show subscriber ip command, and verify that the multicast template is deployed
to subscribers after the subscribers come online. If the value of igmpProfile is 0, the
deployment fails, and the subscribers cannot be added to the multicast groups. The output
information, "igmp service-profile 1", indicates that the multicast template is successfully
deployed to the subscribers.
ZXR10(config)#show subscriber ipv4-address 10.1.1.2
************************************************************************
Subscriber Verbose Information
------------------------------------------------------------------------
Basic Information
------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 215
family-identify : 8
user-name : 00-69-96-00-00-01
14-11
domain-name : option60
local-domain-name : option60
authorize-domain-name : option60
mac-address : 0069.9600.0001
session-id :
authentication-mode : LOCAL
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-bak-status : NONE
circuit-information : gei-0/1/0/6 [vlan:0 sec-vlan:0]
vbui-interface : vbui5
create-time : 2012/08/06 17:21:34
authentication-time : 2012/08/06 17:21:34
online-time : 191
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 0
14-12
sessionLimitType: 0 acctSession :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
14-13
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount
: 0
downIspChargePackets : 0 downIspChargeCycleCount
: 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount
: 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount
: 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount
: 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount
: 0
upPackets(Packets) : 0 upPacketCycleCount
: 0
downPackets(Packets) : 0 downPacketCycleCount
: 0
After the subscribers obtain the addresses, they are added to the multicast group.
Execute the show ip igmp snooping command, and verify that the multicast groups that
the subscribers are added to.
14-14
Execute the show ip igmp groups command, and verify that table items that are generated
after subscribers join the multicast group.
ZXR10(config)#show ip igmp groups
Total: 10 groups
Group addr Interface Present Expire Last Reporter
225.0.0.1 vbui5 00:09:04 never 10.1.1.1
225.0.0.2 vbui5 00:09:04 never 10.1.1.1
225.0.0.3 vbui5 00:09:04 never 10.1.1.1
225.0.0.4 vbui5 00:09:04 never 10.1.1.1
225.0.0.5 vbui5 00:09:04 never 10.1.1.1
225.0.0.6 vbui5 00:09:04 never 10.1.1.1
225.0.0.7 vbui5 00:09:04 never 10.1.1.1
225.0.0.8 vbui5 00:09:04 never 10.1.1.1
225.0.0.9 vbui5 00:09:04 never 10.1.1.1
225.0.0.10 vbui5 00:09:04 never 10.1.1.1
14-15
Configuration Flow
1. Configure an IP address on the network-side interface gei-0/0/1/1.
2. Configure an address on the VBUI interface. Enable PIM-SM on the network-side
interface and the VBUI interface.
3. Configure a multicast template. Configure a security ACL in the multicast template.
Configure the number of multicast groups that can access the network, or the entities
of static groups and preview groups.
4. Configure an authentication template, an authorization template and an accounting
template. Associate the multicast template (as authorization information) with the
authorization template, so that local authentication and authorization can be deployed
to the subscribers through the multicast template.
5. Configure an address pool for PPPoE subscribers on the VBUI interface. Configure
an access domain.
6. Configure a VCC interface. Configure the online mode of corresponding PPPoE
subscribers. Bind the PPPoX template to the VCC interface.
7. If RADIUS authentication is used, it is necessary to configure the RADIUS server
and related attribute entities of the multicast template to be deployed on the RADIUS
server.
Configuration Commands
1. Configure the network-side interface:
ZXR10(config)#interface gei-0/0/1/1
ZXR10(config-if-gei-0/0/1/1)#no shutdown
ZXR10(config-if-gei-0/0/1/1)#ip address 200.0.0.100 255.255.0.0
ZXR10(config-if-gei-0/0/1/1)#exit
ZXR10(config)#ip multicast-routing
ZXR10(config-mcast)#router pim
ZXR10(config-mcast-pim)#interface gei-0/0/1/1
ZXR10(config-mcast-pim-if-gei-0/0/1/1)#pimsm
ZXR10(config-mcast-pim-if-gei-0/0/1/1)#exit
ZXR10(config-mcast-pim)#exit
14-16
ZXR10(config-mcast)#exit
2. Configure the multicast template:
/*Allow Group 225.0.0.1 to 225.0.0.10 access to the network*/
ZXR10(config)#ipv4-access-list iptv
ZXR10(config-ipv4-acl)#rule 1 permit igmp any 225.0.0.1 0.0.0.0
ZXR10(config-ipv4-acl)#rule 2 permit igmp any 225.0.0.2 0.0.0.0
ZXR10(config-ipv4-acl)#rule 31 permit igmp any 225.0.0.3 0.0.0.0
ZXR10(config-ipv4-acl)#rule 4 permit igmp any 225.0.0.4 0.0.0.0
ZXR10(config-ipv4-acl)#rule 5 permit igmp any 225.0.0.5 0.0.0.0
ZXR10(config-ipv4-acl)#rule 6 permit igmp any 225.0.0.6 0.0.0.0
ZXR10(config-ipv4-acl)#rule 7 permit igmp any 225.0.0.7 0.0.0.0
ZXR10(config-ipv4-acl)#rule 8 permit igmp any 225.0.0.8 0.0.0.0
ZXR10(config-ipv4-acl)#rule 9 permit igmp any 225.0.0.9 0.0.0.0
ZXR10(config-ipv4-acl)#rule 10 permit igmp any 225.0.0.10 0.0.0.0
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#igmp service-profile 1
ZXR10(config-submanage-igmp-service-profile-1)#access-group iptv
ZXR10(config-submanage-igmp-service-profile-1)#max-groups 40
ZXR10(config-submanage-igmp-service-profile-1)#max-prw-groups 50
ZXR10(config-submanage-igmp-service-profile-1)#prw-group 225.1.1.0 255.255.255
.255 3 30 /*Set the preview group to 225.1.1.0, preview number to three,
and preview period to 30 seconds*/
ZXR10(config-submanage-igmp-service-profile-1)#exit
ZXR10(config-submanage)#exit
3. Enable PIM-SM on the VBUI interface.
ZXR10(config)#interface vbui5
ZXR10(config-if-vbui5)#ip address 10.1.1.1 255.255.255.0
ZXR10(config-if-vbui5)#exit
ZXR10(config)#ip multicast-routing
ZXR10(config-mcast)#router pim
ZXR10(config-mcast-pim)#interface vbui5
ZXR10(config-mcast-pim-if-vbui5)#pimsm
ZXR10(config-mcast-pim-if-vbui5)#exit
ZXR10(config-mcast-pim)#exit
ZXR10(config-mcast)#exit
4. Bind the multicast template to the authorization template. Configure an authentication
template and an accounting template.
5. If RADIUS authentication is used, deploy the attributes. RADIUS server deploys
ZTE-Service-Profile, one of ZTE private attributes.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#pppox-cfg 1
ZXR10(config-submanage-pppox)#ppp authentication chap
14-17
ZXR10(config-submanage-pppox)#exit
ZXR10(config-submanage)#exit
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#igmp service-profile 1
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type local
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#domain domain5
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#local-subscriber aaa domain-name domain5
password 123
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui5
ZXR10(config-vbui-if)#ip-pool pool-name pool5 pool-id 5
ZXR10(config-vbui-if-ip-pool)#access-domain domain5
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 1.1.1.1
ZXR10(config-vbui-ip-pool)#pppoe-dns-server 2.2.2.2 second
ZXR10(config-vbui-if-ip-pool)#member 1
ZXR10(config-vbui-if-ip-pool-member)#start-ip 10.1.1.1 end-ip 10.1.1.255
ZXR10(config-vbui-if-ip-pool-member)#exit
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface gei-0/1/0/6
ZXR10(config-vcc-if)#encapsulation ppp-over-ethernet
ZXR10(config-vcc-if)#pppox template 1
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
14-18
Configuration Verification
Execute the show subscriber to see the online subscribers. Execute the show sub ipv4-add
ress command to see the IP addresses of subscribers, and verify that the igmpProfile has
been deployed to the subscribers.
ZXR10(config)#show subscriber ipv4-address 10.1.1.2
*********************************************************************
Subscriber Verbose Information
---------------------------------------------------------------------
Basic Information
---------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 227
family-identify : 0
user-name : aaa
domain-name : domain5
local-domain-name : domain5
authorize-domain-name : domain5
mac-address : 0010.9400.0001
session-id : 338
authentication-mode : LOCAL
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-bak-status : NONE
circuit-information : gei-0/1/0/6 [vlan:0 sec-vlan:0]
vbui-interface : vbui5
create-time : 2012/08/06 16:56:29
authentication-time : 2012/08/06 16:56:29
online-time : 19
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
calling-station-id :
ani-location
------------------------------------------------------------------
Identifier:
14-19
onu-location
------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
------------------------------------------------------------------
accounting information
------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 0
sessionLimitType: 0 acctSession :
----------------------------------------------------------------------
IPv4 Information
----------------------------------------------------------------------
subscriber-type : IPv4 PPPox
ipv4-address : 10.1.1.2
gateway-address : 10.1.1.1
vrf-name :
vpn-id : 0
primary-dns : 1.1.1.1
second-dns : 2.2.2.2
ip-pool-name : pool5
igmpProfile : 1
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
------------------------------------------------------------------
14-20
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
------------------------------------------------------------------
framed-route
------------------------------------------------------------------
count : 0
------------------------------------------------------------------
user-acl
------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
------------------------------------------------------------------
float-accounting information
------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
14-21
After subscribers obtain addresses, they are added to the multicast groups. Execute the
show ip igmp snooping command to see the multicast groups that the subscribers have
been added to.
ZXR10(config)#show ip igmp snooping
Flags: Type--Instance Type, ID--Instance ID, Dr--Drop,
P--Prejoin, R--Remote, MH--MaxHost, S--Static, D--Dynamic
IP-G:IP-GLOBAL
Index Type ID Name Source Group Flag MH Ports
--------------------------------------------------------------------------------
1 VBUI 44 vbui5 0.0.0.0 225.0.0.10 -- 4000 D:gei-0/1/0/6;
2 VBUI 44 vbui5 0.0.0.0 225.0.0.9 -- 4000 D:gei-0/1/0/6;
3 VBUI 44 vbui5 0.0.0.0 225.0.0.8 -- 4000 D:gei-0/1/0/6;
4 VBUI 44 vbui5 0.0.0.0 225.0.0.7 -- 4000 D:gei-0/1/0/6;
5 VBUI 44 vbui5 0.0.0.0 225.0.0.6 -- 4000 D:gei-0/1/0/6;
6 VBUI 44 vbui5 0.0.0.0 225.0.0.5 -- 4000 D:gei-0/1/0/6;
7 VBUI 44 vbui5 0.0.0.0 225.0.0.4 -- 4000 D:gei-0/1/0/6;
8 VBUI 44 vbui5 0.0.0.0 225.0.0.3 -- 4000 D:gei-0/1/0/6;
9 VBUI 44 vbui5 0.0.0.0 225.0.0.2 -- 4000 D:gei-0/1/0/6;
10 VBUI 44 vbui5 0.0.0.0 225.0.0.1 -- 4000 D:gei-0/1/0/6;
Execute the show ip igmp groups command to see the table items that are generated after
subscribers join the multicast groups.
14-22
15-1
l The broadband gateway must identify a logical interface and a session according
to the subscriber access position information, IP address, PPPoE session and
subscriber line position information.
H-QoS supports flow classification, scheduling policy and congestion management.
l Flow classification
Flow classification is to classify traffic by marking, thus to treat and handle the flows
with differentiation. This ensures that special packets can be treated and handled
better than other packets.
ZXR10 M6000 supports flow classification on the basis of SVLAN and CVLAN,.
l Scheduling policy
The bandwidth assignment by a superior scheduler to a junior scheduler can be static
(that is, assign the bandwidth through Committed Access Rate (CAR)) or dynamic.
Static bandwidth assignment is suitable to the network of which the network structure
is not changed much. If the network structure changes, the number of subscribers
on the link assigned with many bandwidths decreases suddenly, the bandwidth is
wasted. In such a situations, it is necessary to schedule the bandwidth through
dynamic assignment, so that the network bandwidth can be used fully. At present,
there are the following scheduling policies, Priority Queuing (PQ), Weighted Fair
Queuing (WFQ), and Low Latency Queueing (LLQ).
l Congestion management
The congestion management function of User-side QoS is on the basis of PQ.
PQ is configured through a policy map. Four queues can be configured, including a
high queue, a medium queue, a normal queue and a low queue. The priorities of the
four queues decreases one by one. According to the PQ algorithm, a packet is put
into one of the four queues according to the rules configured in advance to wait to be
sent. Packets that do not match any rules are handled according to the default rule
(typically, the packets are put into the normal queue).
During packet transmission, the packets in the high queue are forwarded with a
precedence (as long as there are packets in a queue with a higher priority, packets in
other queues with lower priorities should wait until all the packets in the queue with
a higher priority are sent).
15-2
Steps
1. Configure flow classification.
2. Configure a policy.
15-3
6 ZXR10(config-pmap-c)#police cir <cir> cbs <cbs>[pir Sets the traffic policing of the
<pir> pbs <pbs>] policy class.
15-4
Note:
Before the user-side QoSv4 configuration, the policy map sent by the RADIUS server
should be already configured on the router, and does not need to bind to a domain.
Command Function
– End of Steps –
15-5
Configuration Flow
1. Configure PPPoE.
2. Configure input rate limit in the authorization template.
3. Bind the authorization template to the domain.
4. Bind the authorization template to the local subscriber.
Configuration Commands
1. For the PPPoE configuration, refer to the "PPPoEv4 Configuration" chapter.
2. Configure input rate limit in the authorization template in subscriber management
configuration mode.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#sub-car-input ipv4 cir 7000 cbs
100 pir 8000 pbs 100 /*The PIR should be larger than the CIR*/
ZXR10(config-submanage-author-template)#exit
3. Bind the authorization template to the domain in subscriber management configuration
mode.
ZXR10(config-submanage)#domain domain500
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#exit
4. Bind the authorization template to the local subscriber in subscriber management
configuration mode.
ZXR10(config-submanage)#local-subscriber zex123 domain-name
domain500 password 123
ZXR10(config-submanage-local-sub)#bind author-template zte
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#exit
Configuration Verification
Execute the show subscriber ipv4-address 222.0.0.1 command to see the QoS attribute after
subscribers come online, as shown below.
ZXR10(config)#show subscriber ipv4-address 222.0.0.1
***************************************************************************
Subscriber Verbose Information
---------------------------------------------------------------------------
Basic Information
15-6
---------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 84026
family-identify : 0
user-name : zex123
domain-name : domain500
local-domain-name : domain500
authorize-domain-name : domain500
mac-address : 0010.9400.b001
session-id : 14102
authentication-mode : LOCAL
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-back-status : NONE
circuit-information : gei-0/10/1/1 [vlan:0 sec-vlan:0]
vbui-interface : vbui1
create-time : 2012/08/06 15:45:55
authentication-time : 2012/08/06 15:45:55
online-time : 1009
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
15-7
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 0
sessionLimitType: 0 acctSession :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 PPPox
ipv4-address : 222.0.0.1
gateway-address : 222.0.0.86
vrf-name :
vpn-id : 0
primary-dns :1.1.1.1
second-dns : 2.2.2.2
ip-pool-name : pool500
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 7000 subCarInfoUp-pir : 8000
subCarInfoUp-cbs : 100 subCarInfoUp-pbs : 100
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
-----------------------------------------------------------------------
15-8
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName: portal
aclInName : test
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
*****************************************************************************
15-9
Configuration Flow
1. Configure PPPoE.
2. Configure output rate limit in the authorization template in subscriber management
configuration mode.
3. Bind the authorization template to the domain in subscriber management configuration
mode.
4. Bind the authorization template to the local subscriber in subscriber management
configuration mode.
Configuration Commands
1. For the PPPoE configuration, refer to the "PPPoEv4 Configuration" chapter.
2. Configure output rate limit in the authorization template in subscriber management
configuration mode.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#sub-car-output ipv4 cir 7000
cbs 100 pir 8000 pbs 100
ZXR10(config-submanage-author-template)#exit
3. Bind the authorization template to the domain in subscriber management configuration
mode.
ZXR10(config-submanage)#domain domain500
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#exit
4. Bind the authorization template to the local subscriber in subscriber management
configuration mode.
ZXR10(config-submanage)#local-subscriber zex123 domain-name
domain500 password 123
ZXR10(config-submanage-local-sub)#bind author-template zte
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#exit
Configuration Verification
Execute the show subscriber ipv4-address 222.0.0.1 command to see the QoS attribute after
subscribers come online, as shown below.
15-10
family-identify : 0
user-name : zex123
domain-name : domain500
local-domain-name : domain500
authorize-domain-name : domain500
mac-address : 0010.9400.b001
session-id : 14102
authentication-mode : LOCAL
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-back-status : NONE
circuit-information : gei-0/10/1/1 [vlan:0 sec-vlan:0]
vbui-interface : vbui1
create-time : 2012/08/06 15:59:37
authentication-time : 2012/08/06 15:59:37
online-time : 1009
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
15-11
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 0
sessionLimitType: 0 acctSession :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 PPPox
ipv4-address : 222.0.0.1
gateway-address : 222.0.0.86
vrf-name :
vpn-id : 0
primary-dns : 1.1.1.1
second-dns : 2.2.2.2
ip-pool-name : pool500
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 7000 subCarInfoDown-pir: 8000
subCarInfoDown-cbs: 100 subCarInfoDown-pbs: 100
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
15-12
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName: portal
aclInName : test
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
*****************************************************************************
15-13
Configuration Flow
1. Configure PPPoE.
2. Configure class-maps according to the VLAN in global configuration mode.
3. Configure a policy-map in global configuration mode.
4. Configure service-policies in global configuration mode.
Configuration Commands
1. For the PPPoE configuration, refer to the "PPPoEv4 Configuration" chapter.
2. Configure class-maps in global configuration mode.
ZXR10(config)#class-map invlan1 match-all
ZXR10(config-cmap)#match in-vlan 1-2
ZXR10(config-cmap)#exit
ZXR10(config)#class-map invlan2 match-all
ZXR10(config-cmap)#match in-vlan 3-4
ZXR10(config-cmap)#exit
ZXR10(config)#class-map invlan3 match-all
ZXR10(config-cmap)#match in-vlan 5-6
ZXR10(config-cmap)#exit
ZXR10(config)#
3. Configure a policy-map in global configuration mode.
ZXR10(config)#policy-map invlan_police
ZXR10(config-pmap)#class invlan1
ZXR10(config-pmap-c)#police cir 1000 cbs 100
ZXR10(config-pmap-c)#exit
ZXR10(config-pmap)#class invlan2
ZXR10(config-pmap-c)#police cir 2000 cbs 100
ZXR10(config-pmap-c)#exit
ZXR10(config-pmap)#class invlan3
ZXR10(config-pmap-c)#police cir 3000 cbs 100
ZXR10(config-pmap-c)#exit
ZXR10(config-pmap)#exit
4. Configure service-policies in global configuration mode.
ZXR10(config)#interface gei-0/10/1/1.1
ZXR10(config-if-gei-0/10/1/1.1)#exit
ZXR10(config)#vlan-configuration
ZXR10(config-vlan)#interface gei-0/10/1/1.1
ZXR10(config-vlan-if-gei-0/10/1/1.1)#qinq internal-vlanid 2 external-vlanid 1
ZXR10(config-vlan-if-gei-0/10/1/1.1)#!
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface gei-0/10/1/1.1
ZXR10(config-vcc-if)#encapsulation ppp-over-ethernet
ZXR10(config-vcc-if)#pppox template 100
ZXR10(config-vcc-if)#ipoe-transmitmodeswitch ipv4 user
15-14
ZXR10(config-vcc-if)#!
ZXR10(config)#interface gei-0/10/1/2.1
ZXR10(config-if-gei-0/10/1/2.1)#exit
ZXR10(config)#vlan-configuration
ZXR10(config-vlan)#interface gei-0/10/1/2.1
ZXR10(config-vlan-if-gei-0/10/1/2.1)#qinq internal-vlanid 2 external-vlanid 1
ZXR10(config-vlan-if-gei-0/10/1/2.1)#!
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface gei-0/10/1/2.1
ZXR10(config-vcc-if)#encapsulation ppp-over-ethernet
ZXR10(config-vcc-if)#pppox template 100
ZXR10(config-vcc-if)#ipoe-transmitmodeswitch ipv4 user
ZXR10(config-vcc-if)#!
Configuration Verification
The QoS attribute is for ports, and therefore it is not displayed in the user attribute table
and output information from the show subscriber ipv4-address 222.0.0.3 command. The
rate-limiting effect can be verified by sending traffic only.
ZXR10#show subscriber ipv4-address 222.0.0.3
*******************************************************************************
Subscriber Verbose Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 1590
family-identify : 0
user-name : zex123
domain-name : domain500
local-domain-name : domain500
authorize-domain-name : domain500
mac-address : 0010.9400.0001
session-id : 5007
authentication-mode : LOCAL
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
15-15
domain-priority : 0
hot-bak-status : NONE
circuit-information : gei-0/10/1/1 [vlan:0 sec-vlan:0]
vbui-interface : vbui1
create-time : 2012/08/06 16:13:10
authentication-time : 2012/08/06 16:13:10
online-time : 19
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 0
sessionLimitType: acctSession :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 PPPox
ipv4-address : 222.0.0.3
gateway-address : 222.0.0.86
vrf-name :
vpn-id : 0
15-16
primary-dns :
second-dns :
ip-pool-name : pool500
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-id : 0
nat-acl-no : 0
nat-block-id : 0
nat-pool-id : 2048
nat-ipv4-address : 0.0.0.0
nat-port-range : 0~0
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown:
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
15-17
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
Configuration Flow
1. Configure PPPoE.
2. Configure a class-map according to the IP precedence in global configuration mode.
3. Configure a policy-map in global configuration mode.
4. Configure an authorization template in subscriber management configuration mode.
5. Bind the authorization template to the domain in subscriber management configuration
mode.
6. Bind the authorization template to the local subscriber in subscriber management
configuration mode.
15-18
Configuration Commands
1. For the PPPoE configuration, refer to the "PPPoEv4 Configuration" chapter.
2. Configure a class-map according to the IP precedence in global configuration mode.
ZXR10(config)#class-map ipp01 match-all
ZXR10(config-cmap)#match precedence 0-1
ZXR10(config-cmap)#exit
ZXR10(config)#class-map ipp23 match-all
ZXR10(config-cmap)#match precedence 2-3
ZXR10(config-cmap)#exit
ZXR10(config)#class-map ipp45 match-all
ZXR10(config-cmap)#match precedence 4-5
ZXR10(config-cmap)#exit
ZXR10(config)#class-map ipp67 match-all
ZXR10(config-cmap)#match precedence 6-7
ZXR10(config-cmap)#exit
ZXR10(config)#
3. Configure a policy-map in global configuration mode.
ZXR10(config)#policy-map ipp_pq
ZXR10(config-pmap)#class ipp01
ZXR10(config-pmap-c)#police cir 1000 cbs 100
ZXR10(config-pmap-c)#priority-level 1
ZXR10(config-pmap-c)#exit
ZXR10(config-pmap)#class ipp23
ZXR10(config-pmap-c)#police cir 3000 cbs 200
ZXR10(config-pmap-c)#priority-level 2
ZXR10(config-pmap-c)#exit
ZXR10(config-pmap)#class ipp45
ZXR10(config-pmap-c)#police cir 5000 cbs 400
ZXR10(config-pmap-c)#priority-level 3
ZXR10(config-pmap-c)#exit
ZXR10(config-pmap)#class ipp67
ZXR10(config-pmap-c)#police cir 7000 cbs 600
ZXR10(config-pmap-c)#priority-level 4
ZXR10(config-pmap-c)#exit
4. Configure an authorization template in subscriber management configuration mode.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#qos-policy-output ipv4 ipp_pq
ZXR10(config-submanage-author-template)#exit
5. Bind the authorization template to the domain in subscriber management configuration
mode.
ZXR10(config-submanage)#domain domain500
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#exit
15-19
ZXR10(config-submanage)#
6. Bind the authorization template to the local subscriber in subscriber management
configuration mode.
ZXR10(config-submanage)#local-subscriber zex123 domain-name
domain500 password 123
ZXR10(config-submanage-local-sub)#bind author-template zte
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#exit
Configuration Verification
Execute the show subscriber ipv4-address 222.0.0.4 command to see the QoS attribute after
subscribers come online, as shown below.
ZXR10#show subscriber ipv4-address 222.0.0.4
*******************************************************************************
Subscriber Verbose Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 1591
family-identify : 0
user-name : zex123
domain-name : domain500
local-domain-name : domain500
authorize-domain-name : domain500
mac-address : 0010.9400.0001
session-id : 5008
authentication-mode : LOCAL
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-bak-status : NONE
circuit-information : gei-0/10/1/1 [vlan:0 sec-vlan:0]
vbui-interface : vbui1
create-time : 2012/08/06 16:27:30
authentication-time : 2012/08/06 16:27:30
online-time : 24
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
15-20
user-priority-output :
vpdnAcctClass :
route-map-name :
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 0
sessionLimitType: acctSession :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 PPPox
ipv4-address : 222.0.0.4
gateway-address : 222.0.0.86
vrf-name :
vpn-id : 0
primary-dns : 1.1.1.1
second-dns : 2.2.2.2
ip-pool-name : pool500
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
15-21
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown: ipp_pq
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
15-22
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
Configuration Flow
1. Configure PPPoE.
2. Configure a class-map according to the IP precedence in global configuration mode.
3. Configure a policy-map in global configuration mode.
4. Configure an authorization template in subscriber management configuration mode.
5. Bind the authorization template to the domain in subscriber management configuration
mode.
6. Bind the authorization template to the local subscriber in subscriber management
configuration mode.
Configuration Commands
1. For the PPPoE configuration, refer to the "PPPoEv4 Configuration" chapter.
2. Configure a class-map according to IP precedence in global configuration mode.
ZXR10(config)#class-map ipp01 match-all
ZXR10(config-cmap)#match precedence 0-1
ZXR10(config-cmap)#exit
ZXR10(config)#class-map ipp23 match-all
ZXR10(config-cmap)#match precedence 2-3
ZXR10(config-cmap)#exit
ZXR10(config)#class-map ipp45 match-all
15-23
Configuration Verification
Execute the show subscriber ipv4-address 222.0.0.4 command to see the QoS attribute after
subscribers come online, as shown below.
ZXR10#show subscriber ipv4-address 222.0.0.4
*******************************************************************************
Subscriber Verbose Information
15-24
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 1591
family-identify : 0
user-name : zex123
domain-name : domain500
local-domain-name : domain500
authorize-domain-name : domain500
mac-address : 0010.9400.0001
session-id : 5008
authentication-mode : LOCAL
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-bak-status : NONE
circuit-information : gei-0/10/1/1 [vlan:0 sec-vlan:0]
vbui-interface : vbui1
create-time : 2012/08/06 16:42:44
authentication-time : 2012/08/06 16:42:44
online-time : 24
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
15-25
accounting information
-----------------------------------------------------------------------
restTime(s) : 0(unlimited) restFlow(KB) : 0(unlimited)
absTimeout(s) : 0 idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 0
sessionLimitType: acctSession :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : IPv4 PPPox
ipv4-address : 222.0.0.4
gateway-address : 222.0.0.86
vrf-name :
vpn-id : 0
primary-dns : 1.1.1.1
second-dns : 2.2.2.2
ip-pool-name : pool500
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
QOS information
-----------------------------------------------------------------------
aclInName:
aclOutName:
profileNameUp:
profileNameDown: ipp_wfq
qos-shapping : 0
subCarInfoUp-cir : 0 subCarInfoUp-pir : 0
subCarInfoUp-cbs : 0 subCarInfoUp-pbs : 0
subCarInfoDown-cir: 0 subCarInfoDown-pir: 0
15-26
subCarInfoDown-cbs: 0 subCarInfoDown-pbs: 0
-----------------------------------------------------------------------
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName :
aclOutName:
ispAclInName :
ispAclOutName:
specialAclName:
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
15-27
15-28
16-1
The steps in the figure describe how to intelligently speed up the QoS policy management
on LEASED-LINE users.
In Figure 16-1, the dotted lines indicate that the devices are connected through the network
and are not necessarily directly connected. The RADIUS is not connected because it can
be connected flexibly.
16-2
Application Scenarios
LEASED-LINE users have the following characteristics:
l They can use the intelligent speedup service based on static IP addresses.
l BRAS configurations of the dedicated government and enterprise line users bored on
the current network do not need to be modified a lot.
For the application scenario, see Figure 16-1, in which, line users 1, 2, and 3 are
directly connected to the BRAS1 through a subinterface or physical interface and can be
intelligently speed up through the LEASED-LINE function.
Context
Configure a user name, domain name, and password for a dedicated line user when getting
online.
l If local authentication is used, create a local user.
l If RADIUS authentication is used, a local user is not needed.
Steps
1. Configure a local user, which can be used to get online after a dedicated line user is
locally authenticated.
16-3
Command Function
Command Function
– End of Steps –
16-4
Configuration Flow
1. Configure an IP address for an interface.
2. Enter LEASED-LINE configuration mode.
3. Create a LEASED-LINE interface and configure ip-list and user-name in
LEASED-LINE interface mode.
Configuration Procedure
Run the following commands on the BRAS:
ZXR10(config)#interface gei-0/6/0/4
ZXR10(config-if-gei-0/6/0/4)#no shutdown
ZXR10(config-if-gei-0/6/0/4)#ip address 64.64.64.1 255.255.255.0
ZXR10(config-if-gei-0/6/0/4)#exit
ZXR10(config)#leased-line-configuration
ZXR10(config-leased-line)#interface gei-0/6/0/4
ZXR10(config-leased-line-if)#ip-list 4.6.0.99 mask 255.255.255.255
/*This comamnd is optional. The configuration can be in the same
network segment with the interface address or different network segments.*/
ZXR10 (config-leased-line-if)#user-name leased-line domain-name leased-line-domain
password 1111
ZXR10 (config-leased-line-if)#!
Configuration Verification
ZXR10#show subscriber leased-line verbose
*******************************************************************************
Subscriber Verbose Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
16-5
subscriber-access-type : IPv4
subscriber-author-type : IPv4
user-identify : 10
family-identify : 0
user-name : leased-line
domain-name : leased-line-domain
local-domain-name : leased-line-domain
authorize-domain-name : leased-line-domain
mac-address : 0000.0000.0000
session-id : 0
authentication-mode : LOCAL
authentication-status : ACCEPT
record-status : CREATED
eap-type : FALSE
sibprofileid : 0
domain-priority : 0
hot-bak-status : NONE
circuit-information : gei-0/6/0/4 [vlan:0 sec-vlan:0]
vbui-interface :
create-time : 2013/06/21 17:34:09
authentication-time : 2013/06/21 17:34:09
online-time : 19
limited-status : UNLIMITED
restTimeType : ABSOLUTE
dpi-policy : 0
user-priority-input :
user-priority-output :
vpdnAcctClass :
route-map-name :
calling-station-id :
ani-location
-----------------------------------------------------------------------
Identifier:
rack:0 frame:0 slot:0 sub-slot:0 port:0
XpiEnable:Disable xpi:0 xci:0
-----------------------------------------------------------------------
onu-location
-----------------------------------------------------------------------
Identifier:
slot:0 sub-slot:0 port:0 port-type:
xpi:0 xci:0 AccessMethod:
-----------------------------------------------------------------------
16-6
accounting information
-----------------------------------------------------------------------
restTime(s) : unlimited restFlow(KB) : unlimited
absTimeout(s) : unlimited idleTimeout(s) : 0
idleTraffic(KB) : 0 acctInterval(s): 60
sessionLimitType: acctSession : 17341045---0376000000000
0000000
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type : LEASED_LINE
ipv4-address : 4.6.0.99/32
gateway-address :
vrf-name :
vpn-id : 0
primary-dns :
second-dns :
ip-pool-name :
igmpProfile : 0
tcp-session-limit : 0
tcp-syn-rate(Packets/s): 0
nat-type : NONE
nat-multi-flag : 0
nat-default-flag : 0
nat-domain-name :
nat-acl-no : 0
nat-block-id : 0
nat-pool-name :
nat-ipv4-address :
nat-port-range : 0~0
abnormal-offline-keep : FALSE
framed-route
-----------------------------------------------------------------------
count : 0
-----------------------------------------------------------------------
user-acl
-----------------------------------------------------------------------
webAclName:
aclInName : 444
aclOutName: 444
ispAclInName : dll
ispAclOutName: ddde
16-7
specialAclName:
-----------------------------------------------------------------------
QOS information
-----------------------------------------------------------------------
profileNameUp :
profileNameDown:
subCarInfoUp-cir : 11111 subCarInfoUp-pir : 33333
subCarInfoUp-cbs : 22222 subCarInfoUp-pbs : 44444
subCarInfoDown-cir: 11111 subCarInfoDown-pir: 33333
subCarInfoDown-cbs: 22222 subCarInfoDown-pbs: 44444
-----------------------------------------------------------------------
float-accounting information
-----------------------------------------------------------------------
upDropPackets(Packets) : 0 upDropCycles : 0
downDropPackets(Packets): 0 downDropCycles : 0
ispUpBytes(Bytes) : 0 ispUpCycleCount : 0
ispDownBytes(Bytes) : 0 ispDownCycleCount : 0
isp2UpBytes(Bytes) : 0 isp2UpCycleCount : 0
isp2DownBytes(Bytes) : 0 isp2DownCycleCount: 0
upBytes(Bytes) : 0 upCycleCount : 0
downBytes(Bytes) : 0 downCycleCount : 0
upIspChargePackets : 0 upIspChargeCycleCount : 0
downIspChargePackets : 0 downIspChargeCycleCount : 0
upIsp2ChargePackets : 0 upIsp2ChargeCycleCount : 0
downIsp2ChargePackets : 0 downIsp2ChargeCycleCount : 0
upIspNoChargePackets : 0 upIspNoChargeCycleCount : 0
downIspNoChargePackets : 0 downIspNoChargeCycleCount : 0
upPackets(Packets) : 0 upPacketCycleCount : 0
downPackets(Packets) : 0 downPacketCycleCount : 0
*******************************************************************************
16-8
l If no route-map is specified, the normal procedure is applied: Search for the matched
destination IP address in the routing table and, if a match is found, the packet is
forwarded to the pre-configured next-hop.
l If a route-map is specified, the packet is forwarded based on the defined actions.
Steps
1. Configure user-side policy routing.
17-1
Command Description
– End of Steps –
Configuration Flow
1. Configure PPPoE user access.
2. Specify a route-map for the domain in subscriber-manage mode.
3. Verify the configuration.
Configuration Procedure
1. For the basic configuration of PPPoE user access, refer to the "PPPoEv4 Configuration
Examples" section.
2. Specify a router-map for the domain where the user is located.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authentication-type local
ZXR10(config-submanage-author-template)#ip policy route-map zte
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#domain pppoe
17-2
Configuration Verification
After a PC user establishes a dial-up connection (username/password: user1@pppoe) ,
run the show subscriber pppox interface command on the BRAS to view the detailed user
information. route-map-name refers to the route-map name.
ZXR10#show subscriber pppox interface gei-0/6/1/11
*******************************************************************************
Subscriber Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :1
user-name :zte
domain-name :domain199
local-domain-name :domain199
authorize-domain-name :domain199
mac-address :0010.9400.0001
session-id :1
access-interface :gei-0/6/1/11
internal-vlan :0
external-vlan :0
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
eap-type :FALSE
sibprofileid :0
hot-bak-status :NONE
authentication-time :2012/08/06 14:09:26
create-time :2012/08/06 14:09:26
online-time :1050
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :zte
-------------------------------------------------------------------------------
IPv4 Information
17-3
-------------------------------------------------------------------------------
subscriber-type :IPv4 PPPox
ipv4-address :199.1.1.2
vrf-name :
vpn-id :0
gateway :199.1.1.1
primary-dns :1.1.1.1
second-dns :2.2.2.2
record-status :CREATED
*******************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
17-4
Figure 18-1 shows an application situation for the dual server cluster hot standby solution.
18-1
In a dual server cluster, the active device and the standby device are seen in one
autonomous system. They accomplish backup inside the autonomous system without
changing the action characteristics of outside devices. Users and back-end devices are
unaware of device changeover.
The difference of the networking structure between BRAS dual server hot standby and the
stand-alone BRAS service is that a backup device is added. The active/standby backup
between two devices are implemented through a heartbeat line or the LSP mode. In
general, the backup mode is 1:1 or 1+1.
At present, the ZXR10 M6000 mainly supports the PPPOE, IPOE, and IP-HOST access
service. However, the VPDN service is not supported.
Redundancy Application
In practice, service reliability can be deployed according to demands. The possible
application situations are 1:1 redundancy, 1+1 redundancy, N:1 redundancy and N+1
redundancy.
18-2
1:1 redundancy means to deploy one standby device for an active device. The standby
device is redundancy for the active device completely, see Figure 18-2.
l In normal conditions, users are not connected to the standby device. In the case
where there is a fault on the active device or on the link between the active device
and the aggregation switch, the traffic is be changed over to the standby device.
l When the active device recoveries, the traffic is changed over to the active device
again.
In a 1:1 redundancy situation, the standby device is in Standby state for a long time. There
is no traffic on its downlink in normal conditions. The standby device only synchronizes
user information with the active device. This application is suitable for redundancy
deployed between devices at different office addresses. It is used for traffic planning and
unified user management. In general, 1:1 redundancy is used for important office and
broadband users, thus ensuring the network reliability.
When several standby groups share the address pool and changeover is executed in
some standby groups, the redundancy mode is handed over to 1+1 from 1:1. In other
words, 1:1 redundancy means that there is one active device and one backup device. 1+1
redundancy means that these two devices are mutual backup. At present, ZXR10 M6000
BRAS supports 1:1 redundancy and 1+1 redundancy.
Link Detection
During service backup implementations, it is necessary to know the link states first. Virtual
Router Redundancy Protocol (VRRP) is used to detect the links.
18-3
address of a router in the backup group). The routers in the backup group also have their
own IP addresses. The hosts on the LAN only know the IP address of the virtual router.
The hosts do not know the IP address of the Master router and the IP addresses of the
Backup routers.
Therefore, the hosts on the network communicates with other networks through this virtual
router. If the Master router in the backup group fails, a new Master router is elected from
the Backup routers according to a certain policy, and routing services still work for the
hosts on the network. So, the hosts can communicate with the outside network without
interruption.
SIBP
SIBP is a standardized protocol that is used for synchronizing user information between
devices. It supports multiple access modes, including PPPoE, IPoE private line and
IP-HOST, It also supports user multicast, COA and accounting service/authorization
information, and so forth. During transmission, only service information is involved. It is
irrelevant to the device operating system and inside accomplishment.
The SIBP provides two functions. One function is customizing the synchronization
rule of user information, shielding the service accomplishment inside the device, and
distributing protocol data to a specific process. We recommend that you use the
TCP as the transmission channel. The SIBP does not provide transmission reliability.
The other function is providing device-level protocol interactions, accomplishing batch
synchronization applications, and accomplishing device-level resource management and
control.
In general, the information is synchronized between devices in real time. Synchronization
is triggered by events such as user getting online, getting offline, joining a multicast group,
and leaving a multicast group. Timers also can synchronize traffic accounting information
periodically. However, when all user information is lost due to a device-level fault, it is
necessary to support batch synchronization of user information. The granularity is a
backup group. There are two conditions that can trigger batch synchronization.
l The device obtains the number of users from the remote end through SIBP protocol
interactions, and compares the number of users in the local backup group with that in
the remote backup group. If the number is not the same for several times, the device
sends an SIBP protocol synchronization application. When an SIBP connection is
disconnected, the device executes synchronization compulsively.
l The device establishes the state machine of the backup group, and starts batch
synchronization according to the local active/standby state and SIBP state. The state
machine is maintained in unit of backup group. The state machine negotiation of the
protocol is determined by the following states:
18-4
Where, the active state set of the protocol state machine is: The VRRP protocol state
is MASTER on the local device, the service state on the local device is normal, the
TCP connection is established successfully, and the VRRP protocol is SLAVE at the
remote device; The standby state set of the protocol state machine is: The VRRP
protocol state is SLAVE, the service state on the local device is normal, and the TCP
connection is established successfully; In other state sets, the protocol state machine
is INITIAL. Figure 18-3 shows the state changes.
When (MASTER, SLAVE) appears between two points of the state machines, service
information will be synchronized from the active device to the standby device (both
real-time synchronization and batch synchronization). When a user comes online, his
or her information is synchronized from the active device to the standby device. If
backup information is lost due to a backup group-level/device-level fault, and if the
synchronization channel state machine of the backup group form the active and standby
relation again, the active device uses the batch synchronization mode to synchronize all
user information to the standby device again.
Steps
1. Configure a Sib instance.
18-5
18-6
strict-rx: enables the loop-prevention function on the interface. This can prevent a
packet (sent from the network side to an offline user) to be looped back over the
heartbeat connection between active and standby devices.
3. Configure a Sib-Peer-Group.
<port-count>: number of ports, range: 1–65. For the BRAS, this parameter must be
set to 1.
4. Configure a Profile.
18-7
5. Configure a tunnel-id.
Command Function
ZXR10#show subscriber hot-bak sib-profile Shows the information about the hot standby
<sib-profileid>[statistics | verbose] user of the rack based on the sib-profileid.
<sib-profileid>: range: 1–128.
statistics: statistics information.
verbose: detailed information.
ZXR10#show subscriber hot-bak all [statistics | Shows the information about all hot standby
verbose] users.
statistics: statistics information.
verbose: detailed information.
– End of Steps –
18-8
Configuration Flow
1. Configure user access relating to the active device and the standby device. The
access configuration on the active and standby devices should be consistent.
For IPoE access, refer to the "IPoEv4 Configuration" chapter.
For PPPoE access, refer to the "PPPoEv4 Configuration" chapter.
For IP-HOST access, refer to the "IP-HOSTv4 Configuration" chapter.
Heartbeat line mode: There should be a heartbeat link between BRAS1 and BRAS2.
Configure the IP addresses and the routes.
3. Configure VRRP and BFD on BRAS1, BRAS2 and the switch.
18-9
Configuration Commands
The configuration of BRAS1 (the active device):
ZXR10(config)#sibmgr
ZXR10(config-sibmgr)#sib-peer-group 1 global
ZXR10(config-sibmgr-sib-peer-group)#remote-ip 140.1.1.1 port 2000
local-ip 135.1.1.1 port 2000 port-count 1
/*140.1.1.1 refers to the loopback address of BRAS2, and*/
/*135.1.1.1 refers to the loopback address of BRAS1*/
/*2000 refers to the port number. It can be set as needed,*/
/*and should be consistent at both ends*/
/*The number of global groups must be one*/
ZXR10(config-sibmgr-sib-peer-group)#exit
ZXR10(config-sibmgr)#sib-policy 1
ZXR10(config-sibmgr-sib-policy)#traffic-redirect backup-lsp 1.1.1.20
/*1.1.1.20 is the loopback address of the standby device (BRAS2).It is necessary
for the LSP mode. It is unnecessary for the heartbeat line mode.*/
ZXR10(config-sibmgr-sib-policy)#exit
ZXR10(config-sibmgr)#sib-policy 2
ZXR10(config-sibmgr-sib-policy)#traffic-redirect backup-ipv4-nexthop
30.1.1.2 backup-interface xgei-0/6/1/1
/*30.1.1.2 is the address of the interface on the heartbeat line on BRAS2
connecting to BRAS1, that is, the direct connected next hop of xgei-0/6/1/1*/
ZXR10(config-sibmgr-sib-policy)#exit
ZXR10(config-sibmgr)#sib-policy gre
ZXR10(config-sibmgr-sib-policy)# traffic-redirect vrf lry backup-gre-tunnel
gre_tunnel4000 /*Configures the traffic redirect mode for the GRE tunnel
for VRF accessed subscribers*/
ZXR10(config-sibmgr-sib-policy)#exit
ZXR10(config-sibmgr)#sib-policy gre1
ZXR10(config-sibmgr-sib-policy)# traffic-redirecct backup-gre-tunnel
gre_tunnel4000 /*Configures the traffic redirect mode for the GRE tunnel*/
ZXR10(config-sibmgr-sib-policy)#exit
ZXR10(config-sibmgr)#sib-instance 1
ZXR10(config-sibmgr-sib-instance-1)#bind vrrp 9 interface gei-0/1/0/9.1
/*The gei-0/1/0/9.1 interface is the VRRP interface on BRAS1*/
ZXR10(config-sibmgr-sib-instance-1)#bind sib-policy 1
ZXR10(config-sibmgr-sib-instance-1)#bind sib-peer-group 1
18-10
18-11
ZXR10(config-sibmgr)#exit
Configuration Verification
Execute the show running-config sib command on the active BRAS1 to view the sib
configuration.
ZXR10(config)#show running-config sib
!<SIB>
sibmgr
sib-peer-group 1 global
peer 1
remote-ip 140.1.1.1 port 2000 local-ip 135.1.1.1 port 2000 port-count 1
$
sib-policy gre
traffic-redirect vrf lry backup-gre-tunnel gre_tunnel4000
$
sib-policy gre1
traffic-redirect backup-gre-tunnel gre_tunnel4000
$
sib-policy 1
traffic-redirect backup-lsp 1.1.1.20
$
sib-policy 2
traffic-redirect backup-ipv4-nexthop 30.1.1.2 backup-interface xgei-0/6/1/1
$
sib-instance 1
bind vrrp 9 interface gei-0/1/0/9.1
bind sib-policy 1
bind sib-peer-group 1
bind interface gei-0/1/0/9.2
bind interface gei-0/1/0/9.3
$
!</SIB>
Run the show running-config profile command on the active BRAS1 to view the profile
configuration.
18-12
subscriber-manage
gateway-redirect 19.1.0.0 255.255.0.0 1.1.1.20
reference sib-instance 1
traffic-back interval 10
$
!</PROFILE>
Execute the show running-config sib command on the standby BRAS1 to view the sib
configuration.
ZXR10(config)#show running-config sib
!<SIB>
sibmgr
sib-peer-group 1 global
peer 1
remote-ip 135.1.1.1 port 1000 local-ip 140.1.1.1 port 1000
$
$
sib-instance 1
bind vrrp 9 interface gei-0/6/0/9.1
bind sib-peer-group 1
bind interface gei-0/1/0/9.2
bind interface gei-0/1/0/9.3
$
!</SIB>
Run the show running-config profile command on the standby BRAS1 to view the profile
configuration.
ZXR10(config)#show running-config profile
!<PROFILE>
subscriber-manage
reference sib-instance 1
traffic-back interval 10
$
!</PROFILE>
18-13
18-14
19-1
Based on the pre-configured policy, the ZXR10 M6000 extends the time in acknowledging
the first packet during the access of a user, which enables the corresponding client to
access the ZXR10 M6000 based on the response time. During the access of a PPPox
user, after receiving a PADI broadcast packet, the ZXR10 M6000 queries the time delay
policy and sends a PADO packet after the pre-defined time delay. During the access of
an IPoX user, after receiving a DISCOVERY packet, the ZXR10 M6000 queries the time
delay policy and sends an OFFER packet after the pre-defined time delay.
When the active link does not respond, users access the network through the standby
link. Multiple functions can be implemented based on different delay rules and conditions.
Compared with the two implementation modes, the delay solution has the following
advantages:
1. It does not need a link detection protocol.
2. It supports interconnections (without protocol support).
Compared to the policy that uses the competition protocol to implement active/standby
ports, the time delay policy does not need to detect packets to obtain link statuses, and
does not need to support device interconnection.
3. It is easy to implement.
Context
Keep the following rules in mind during the cold standby configuration:
l Port-based cold standby is configured between the two ports on the same line card.
l Board-based cold standby is configured between the ports on different boards.
l Device-based cold standby is configured between the ports on different devices.
19-2
Steps
1. Configure cold standby.
l To configure port-based cold standby, perform the following steps:
19-3
Command Function
– End of Steps –
19-4
Configuration Flow
1. Configure basic PPPoE/IPoE access.
2. Configure MAC delay/line card delay/overall system delay.
3. Configure a cold standby policy for the NAS.
Configuration Commands
For MAC delay/line card delay/overall system delay configuration, refer to the following
commands:
l Configure a MAC delay.
R1(config)#vcc-configuration
R1(config-vcc)#interface gei-0/0/0/6
R1(config-vcc-if)#access-delay 50 mod-mac 3 remainder 1
/*Implements cold standby based on the remainder of the MAC address-based
mod operation*/
R1(config-vcc-if)#exit
R1(config-vcc)#exit
l Configure a line card delay.
R1(config)#subscriber-manage
R1(config-submanage)#access-delay slot 3 step 210 minimum-time 100
19-5
maximum-time 1500
R1(config-submanage)#exit
l Configure an overall system delay.
R1(config)#subscriber-manage
R1(config-submanage)#access-delay step 240 minimum-time 150 maximum-time 2000
R1(config-submanage)#exit
Configuration Verification
Check the MAC delay and NAS configuration on the VCC interface.
R1#show running-config uim
! <UIM>
vbui-configuration
interface vbui1234
$
$s
interface gei-0/0/0/6
encapsulation multi
ipox authentication-type ipv4 dhcpv4 cir-map
pppox template 1000
access-delay 50 mod-mac 3 remainder 1 /*MAC delay*/
nas logic-sysname E15E11 /*NAS device name*/
nas logic-interface slot 5 sub-slot 0 port 3 /*Access port number*/
$
Check the configuration of overall system delay and line card delay on the submanage.
R1#show running-config aim
! <AIM>
subscriber-manage
location-error-access enable
accounting syslog enable
access-delay slot 3 step 210 minimum-time 100 maximum-time 1500
/*Line card delay*/
access-delay step 240 minimum-time 150 maximum-time 2000
/*Overall system delay*/
19-6
20-1
3. The ZXR10 receives the EAPOR message and sends the message to the RADIUS
server for EAP authentication as an authentication relay.
4. The RADIUS server returns the authentication result, which is further sent to the AC
by the ZXR10.
5. The EAP authentication passes, and the air-interface key interaction ends.
6. A DHCP address is allocated to users through the AC. The ZXR10 also provides L3
access interfaces for the AC to implement the DHCP function.
7. After the DHCP address is allocated to a user and the user accesses the AC, a
charging start message is initiated.
8. After receiving the charging start message, the ZXR10 activates the timer for user
traffic.
9. The client accesses the network, and the traffic reaches the ZXR10. The ZXR10 user
gets online, and charging starts.
10. When the user requests to get offline, the AC triggers sending charging termination
messages to the ZXR10.
11. After the user gets offline, the ZXR10 notifies the AC that the user is offline through
the DM.
Note:
Currently a downstream AC can be a L3 device.
The AC must be able to trigger a charging start message after the user obtains an address
and trigger a charging termination message after the user gets offline.
Steps
1. Enable the DHCP function and configure the interface DHCP mode to DHCP server.
20-2
4. Bind a DHCP policy to an interface and configure a quota for a DHCP user.
20-3
5. Configure the RADIUS PROXY. For details, refer to “Configuring the RADIUS PROXY”.
6. Configure a domain.
20-4
Command Function
– End of Steps –
Configuration Flow
1. Set the AC device as a DHCP relay and the authentication initiating point.
2. Set the ZXR10 as the proxy RADIUS and the charging initiator.
20-5
Configuration Commands
The configurations on the ZXR10 include the following:
1. Configure proxy authentication on the ZXR10. For details, refer to “RADIUS PROXY
SERVER Configuration Instance”.
2. Configure the ZXR10 as a DHCP server. For details, refer to “DHCP Server Configu-
ration Instance”.
3. Configure an L3 interface and enable the AC separation flag by using the following
commands:
ZXR10(config)#l3-access-configuration
ZXR10(config-l3-access)#interface gei-0/2/0/8
ZXR10(config-l3-access-if)#pre-domain zte
ZXR10(config-l3-access-if)#radius-proxy enable
4. Configure a domain by using the following commands:
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#authentication-type local
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#authorization-template zte
ZXR10(config-submanage-author-template)#authorization-type mix-radius
ZXR10(config-submanage-author-template)#exit
ZXR10(config-submanage)#accounting-template zte
ZXR10(config-submanage-accounting-template)#accounting-type radius
ZXR10(config-submanage-accounting-template)#accounting-radius-group first 1
ZXR10(config-submanage-accounting-template)#exit
ZXR10(config-submanage)#domain zte
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)#bind authorization-template zte
ZXR10(config-submanage-domain)#bind accounting-template zte
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#exit
5. Configure the aging time before getting online.
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#user-template-session time-out 100
ZXR10(config-submanage)#user-template-session waiting-online 200
Configuration Verification
Run the following command to check the DHCP configuration:
20-6
20-7
interface gei-0/2/0/8
pre-domain zte
radius-proxy enable account-mode
$
$
!</uim>
20-8
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 Multi-Hop
ipv4-address :11.1.1.2
vrf-name :
vpn-id :0
gateway :
primary-dns :
second-dns :
record-status :CREATED
*******************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
20-9
20-10
Basic Concepts
l Virtual Private LAN Service (VPLS): a Point-To-Multipoint L2VPN service provided in
the public network. The VPLS enables user sites in different areas to be connected
through the MAN/WAN. These sites are interconnected as they were in the same LAN.
l Virtual Leased Line (VLL): a point-to-point L2VPN service provided in the public
network. The VLL enables two sites to be interconnected as they were directly
connected with cables. But it does not support multipoint-to-multipoint exchange for
service providers.
l Custom Edge (CE): connects the devices of service providers. CE devices of the
MPLS L2VPN may be router exchanges or hosts. CE devices are independent of
service providers' networks and cannot "perceive" the VPN.
l Provider Edge Router (PE): connected to the CE and implements VPN service access.
It implements message mapping and forwarding from the private network to the public
tunnel and from the public tunnel to the private network. A PE can be further classified
into a UPE and an NPE.
21-1
l User facing-Provider Edge (UPE): convergence devices for users to access the VPN.
l Network Provider Edge (NPE): located at the core domain edge of the VPLS network
and provides VPLS transmission between core networks.
l Pseudo Wire Edge to Edge Emulation (PWE3): PWE3 is an end-to-end L2 service
bearer technology and is a point-to-point L2VPN.
l Virtual Forwarding Instance (VFI): One VPN corresponds to one VFI, which is used to
record the VPN ID of the local VPN, the local interfaces added to this VPN, and the
peer router information.
l Attachment Circuit (AC): connection between the CE and PE, which can be a real
physical interface or a virtual interface. All user messages on the AC must be
forwarded to the peer without any processing, including the L2 and L3 protocol
messages of users.
l Pseudo Circuit (PW): a bi-directional virtual connection between two VFIs of a VPN.
It is composed of two single-directional MPLS VCs and is carried on the LSP and
created by the PW signaling protocol. For the VPLS, the PW is just like a direct path
from a local AC to a peer, through which, L2 data is transmitted.
l Label Switched Path (LSP): In the MPLS network, peripheral devices add MPLS labels
to messages, intra-network devices forward the messages in accordance with the
labels. The path that the labelled messages go through is named Label Switched
Path.
Typical MAN
For the typical MAN, see Figure 21-1. CE devices are composed of core switches,
which form an access layer. Use an SR router as the PE (a UPE and an NPE) to form a
convergence layer. The backbone layer uses a core router as a P router.
All terminals access the network through the ADSL family gateway and are connected
to different uplink core switches through GE optical interfaces from the DSLAM. The
core switches and convergence routers form a mixed GE ring network. This ensures the
network reliability at the access layer. The backbone layer, control gateway, and core
routers form the dual-homing attribute, which is basic for network reliability. The service
21-2
layer is composed of various service servers, gateways, and firewalls to provide elaborate
services for users.
L2VPN and L3VPN are bridged through the ULEI interface. Users get online through the
ULEI interface and access the network.
Steps
1. For how to bridge the L2VPN and L3VPN, refer to the Configuration Guide (VPN)
manual for this product.
2. For user access configurations, select one from IPoEv4, IP-Hostv4, PPPoEv4, and
VPDN. For details, refer to the Configuration Guide (IPv4 BRAS) manual for this
product.
– End of Steps –
Configuration Flow
1. Bridge the L2 VPN and L3 VPN.
2. Configure the L2VPN.
3. Configure the VCC on the ULEI interface.
4. Configure basic parameters for the PPPoX to get online. For details, refer to the
Configuration Guide (IPv4 BRAS) manual for this product.
21-3
Configuration Procedure
1. Create two ULEI interfaces and bind the two interfaces to be a bridge interface.
ZXR10(config)#request interface ulei-0/5/1/1 /*Create a ULEI inteface.*/
ZXR10(config)#request interface ulei-0/5/1/2
ZXR10(config)#interface ulei-0/5/1/1
ZXR10(config-if-ulei-0/5/1/1)#no shutdown /*Open an interface.*/
ZXR10(config-if-ulei-0/5/1/1)#exit
ZXR10(config)#interface ulei-0/5/1/2
ZXR10(config-if-ulei-0/5/1/2)#no shutdown
ZXR10(config-if-ulei-0/5/1/2)#exit
ZXR10(config)#service-bridging virtual-links /*Enter bridge configuration
mode.*/
ZXR10(config-bridge)#virtual-link ulei-0/5/1/1 ulei-0/5/1/2 /*Bind two ULEI
interfaces.*/
ZXR10(config-bridge)#exit
2. Configure the L2VPN.
ZXR10(config)#mpls l2vpn enable /*Globally enable the L2VPN function.*/
ZXR10(config)#vpls zte-vpn1 /*Create a VPLS instance.*/
ZXR10(config-vpls-zte-vpn1)#access-point ulei-0/5/1/1 /*Bind the ULEI interface to
the VPLS.*/
ZXR10(config-vpls-zte-vpn1-ac-ulei-0/5/1/1)#access-params ethernet
ZXR10(config-vpls-zte-vpn1-ac-ulei-0/5/1/1-eth)#!
ZXR10(config)#interface gei-0/7/0/3.300
ZXR10(config-if-gei-0/7/0/3.300)#exit
ZXR10(config)#vlan-configuration
ZXR10(config-vlan)#interface gei-0/7/0/3.300
ZXR10(config-vlan-if-gei-0/7/0/3.300)#encapsulation-dot1q 300 /*Encapsulate the VLAN to
the interface.*/
ZXR10(config-vlan-if-gei-0/7/0/3.300)#exit
ZXR10(config-vlan)#exit
ZXR10(config)#vpls zte-vpn1
ZXR10(config-vpls-zte-vpn1)#access-point ulei-0/7/0/3.300 /*Bind an ordinary physical
interface to the VPLS.*/
ZXR10(config-vpls-zte-vpn1-ac-gei-0/7/0/3.300)#access-params ethernet
ZXR10(config-vpls-zte-vpn1-ac-gei-0/7/0/3.300-eth)#
3. Configure a VCC on the ULEI interface:
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface ulei-0/5/1/2
ZXR10(config-vcc-if)#encapsulation multi
ZXR10(config-vcc-if)#pppox template 1000
ZXR10(config-vcc-if)#exit
21-4
4. For how to configure the VBUI, Domain, and PPPoX, refer to the Configuration Guide
(IPv4 BRAS) manual for this product .
Configuration Verification
Check the ULEI configurations:
ZXR10(config)#show running-config-interface ulei-0/5/1/2
!<port-request-info>
request interface ulei-0/5/1/2
!</port-request-info>
!<Interface>
interface ulei-0/5/1/2
no shutdown
$
!</Interface>
!<UBRIDGE>
service-bridging virtual-links
virtual-link ulei-0/5/1/1 ulei-0/5/1/2
$
!</UBRIDGE>
!<uim>
vcc-configuration
interface ulei-0/5/1/2
encapsulation multi
pppox template 1000
$
$
!</uim>
21-5
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
21-6
22.1 Overview
All WEB server configuration commands are executed through the vbui interface.
Because the vbui interface is not bound to a domain, an online user cannot distinguish
the corresponding URL push address. To distinguish the push address based on the
domain name, a domain name needs to be bound to a WEB server.
You can simultaneously bind a domain to a WEB server and bind a WEB server to the vbui
interface. The WEB server bound to a domain takes precedence over that bound to the
vbui interface. This binding function is unavailable for the push address configuration of
IPv6 users.
Steps
1. Create a Web server.
22-1
Command Function
Step Function
– End of Steps –
22-2
Configuration Flow
1. Configure common DHCP access.
2. Configure a Web server.
3. Configure the Web push address and its ACL.
4. Configure Web authentication, and bind a domain to the Web server.
Configuration Commands
1. Configure the common DHCP on the ZXR10 as follows:
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#domain domain1
ZXR10(config-submanage-domain)#dhcp-mode server
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#exit
ZXR10(config)#interface vbui1
ZXR10(config-if-vbui1)#ip address 6.6.1.1 255.255.255.0
ZXR10(config-if-vbui1)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui1
ZXR10(config-vbui-if)#ip-pool pool-name 10 pool-id 10
ZXR10(config-vbui-if-ip-pool)#access-domain domain1
ZXR10(config-vbui-if-ip-pool)#ip dhcp instance server 256
ZXR10(config-vbui-if-ip-pool)#member 1
ZXR10(config-vbui-if-ip-pool-member)#start-ip 6.6.1.2 end-ip 6.6.1.30
ZXR10(config-vbui-if-ip-pool-member)#exit
ZXR10(config-vbui-if-ip-pool)#exit
ZXR10(config-vbui-if)#exit
ZXR10(config-vbui)#exit
ZXR10(config)#vcc-configuration
ZXR10(config-vcc)#interface fei-0/1/0/10
ZXR10(config-vcc-if)#pre-domain domain1
22-3
ZXR10(config-vcc-if)#encapsulation ip-over-ethernet
ZXR10(config-vcc-if)#ipox authentication-type ipv4 dhcpv4 web
ZXR10(config-vcc-if)#exit
ZXR10(config-vcc)#exit
ZXR10(config)#dhcp
ZXR10(config-dhcp)#enable
ZXR10(config-dhcp)#exit
ZXR10(config)#interface fei-0/1/0/11
/*Configure the IP address of the interface used to connect to the Web server*/
ZXR10(config-if-fei-0/1/0/11)#no shutdown
ZXR10(config-if-fei-0/1/0/11)#ip address 172.16.1.2 255.255.255.0
ZXR10(config-if-fei-0/1/0/11)#exit
2. Configure a Web server as follows:
ZXR10(config)#subscriber-manag
ZXR10(config-submanage)#web-server 10 /*Create Web server 10*/
ZXR10(config-submanage-websvr-10)#http-param uas-id 1234 /*This command is optional*/
ZXR10(config-submanage-websvr-10)#http-param uas-name zte /*This command is optional*/
ZXR10(config-submanage-websvr-10)#http-param user-name msg/*This command is optional*/
ZXR10(config-submanage-websvr-10)#ip-add 172.16.1.1
/*Configure the IP address of the Web server*/
ZXR10(config-submanage-websvr-10)#url http://172.16.1.1:88
/*Configure the push page*/
ZXR10(config-submanage-websvr-10)#uas-ip 172.16.1.2 interface fei-0/1/0/11
/*Configure the IP address
(of the network exit) used to bind the local domain and the Web server*/
ZXR10(config-submanage-websvr-10)#version v2 key zte
ZXR10(config-submanage-websvr-10)#exit
3. Configure the Web push address and its ACL as follows:
ZXR10(config)#ipv4-access-list zte
ZXR10(config-ipv4-acl)#rule 10 permit ip any 172.16.1.1 0.0.0.0
ZXR10(config-ipv4-acl)#rule 20 permit ip any 172.16.1.2 0.0.0.0
ZXR10(config-ipv4-acl)#rule 30 permit ip any 6.6.1.1 0.0.0.0
ZXR10(config-ipv4-acl)#exit
ZXR10(config)#vbui-configuration
ZXR10(config-vbui)#interface vbui1
ZXR10(config-vbui-if)#web-force authentication /*Force Web authentication*/
ZXR10(config-vbui-if)#web-acl zte /*Configure the ACL for message delivery*/
ZXR10(config-vbui-if)#exit
22-4
ZXR10(config-vbui)#exit
4. Configure Web authentication, and bind a domain to the Web server as follows:
ZXR10(config)#subscriber-manage
ZXR10(config-submanage)#authentication-template zte
ZXR10(config-submanage-authen-template)#exit
ZXR10(config-submanage)#domain domain1
ZXR10(config-submanage-domain)#bind authentication-template zte
ZXR10(config-submanage-domain)web-server 10 /*Bind the Web Server to domain 1*/
ZXR10(config-submanage-domain)#exit
ZXR10(config-submanage)#local-subscriber zte domain-name domain1 password 123
ZXR10(config-submanage-local-sub)#exit
ZXR10(config-submanage)#end
Configuration Verification
Run the show running-config portal command to query all related configuration of the Web
server.
ZXR10(config)#show running-config portal
! <PORTAL>
!
subscriber-manage
web-server 10
http-param uas-name zte
http-param user-name msg
http-param uas-id 1234
ip-addr 172.16.1.1
uas-ip 172.16.1.2 interface fei-0/1/0/11
url http://172.16.1.1:88
version v2 key zte
$
$
! </PORTAL>
Run the show configuration submanage web-server command to query the status and
properties of the Web server.
22-5
udp-port : 50100
main listening-port : 2000
second listening-port 1 : 0
second listening-port 2 : 0
second listening-port 3 : 0
second listening-port 4 : 0
uas-ip: 172.16.1.2 uas-ifindex: 108
url : http://172.16.1.1
http-para:
uas-name : zte
user-name : msg
uas-id : 1234
user-mac-key :
Run the show configuration submanage listening-port command to query the status of the
Web server listening port.
ZXR10(config)#show configuration submanage listening-port
listening-port: 2000 regedit-flag: TRUE
Run the show subscriber ipox interface command to check whether the user is online.
ZXR10(config)#show subscriber ipox interface fei-0/1/0/10
*******************************************************************************
Subscriber Information
-------------------------------------------------------------------------------
Basic Information
-------------------------------------------------------------------------------
subscriber-access-type :IPv4
user-identify :25843
user-name :zte
domain-name :domain1
local-domain-name :domain1
authorize-domain-name :domain1
mac-address :001d.0f1d.ae83
session-id :0
access-interface :fei-0/1/0/10
internal-vlan :0
external-vlan :10
authentication-mode :LOCAL
authentication-status :ACCEPT
record-status :CREATED
sibprofileid :0
hot-bak-status :NONE
authentication-time :2011/08/08 14:11:33
create-time :2011/08/08 14:08:26
online-time :24
22-6
limited-status :UNLIMITED
restTimeType :ABSOLUTE
vpdnAcctClass :
route-map-name :
-------------------------------------------------------------------------------
IPv4 Information
-------------------------------------------------------------------------------
subscriber-type :IPv4 DHCP SERVER
ipv4-address :6.6.1.2
vrf-name :
vpn-id :0
gateway :6.6.1.1
primary-dns :0.0.0.0
second-dns :0.0.0.0
record-status :CREATED
*******************************************************************************
-------------------------------------------------------------------------------
session: total up down
IPv4 1 1 0
IPv6 0 0 0
-------------------------------------------------------------------------------
[Notes:hot-bak-status: master,slave,init; other-status: none]
subscriber: total none master slave init
ipv4-stack: 1 1 0 0 0
ipv6-stack: 0 0 0 0 0
dual-stack: 0 0 0 0 0
all-stack: 1 1 0 0 0
-------------------------------------------------------------------------------
22-7
22-8
II
Figure 15-3 Networking Topology for Output SUB-CAR Rate Limit.......................... 15-9
Figure 15-4 Rate Limit (VCC VLAN-Based) Configuration Example ...................... 15-13
Figure 15-5 Networking Topology for PQ Rate Limit.............................................. 15-18
Figure 15-6 Networking Topology for WFQ Rate Limit........................................... 15-23
Figure 16-1 LEASED-LINE Application ................................................................... 16-2
Figure 16-2 LEASED-LINE Configuration Instance ................................................. 16-5
Figure 17-1 Networking Topology for User-Side Policy Routing Configuration ........... 17-2
Figure 18-1 Networking Topology for Cluster Hot Standby Solution......................... 18-2
Figure 18-2 1:1 Redundancy Application................................................................. 18-3
Figure 18-3 Dual Server Cluster Hot Standby State Transfer .................................. 18-5
Figure 18-4 Hot Standby Configuration Example ................................................... 18-9
Figure 19-1 Networking Topology for Cold Standby Function Configuration ............ 19-5
Figure 20-1 Typical Network for AC Separation Access .......................................... 20-1
Figure 20-2 AC Separation Access Configuration Instance ..................................... 20-5
Figure 21-1 Typical MAN ........................................................................................ 21-2
Figure 21-2 L2VPN Access Configuration Instance................................................. 21-3
Figure 22-1 Binding Instance Between a Domain and a Web Server....................... 22-3
III
IV
BRAS
- Broadband Remote Access Server
CAR
- Committed Access Rate
CHAP
- Challenge Handshake Authentication Protocol
CIR
- Committed Information Rate
DHCP
- Dynamic Host Configuration Protocol
DNS
- Domain Name Server
DSL
- Digital Subscriber Line
DSLAM
- Digital Subscriber Line Access Multiplexer
EAP
- Extend Authentication Protocol
GRE
- General Routing Encapsulation
H-QoS
- Hierarchical-QoS
HIS
- High Internet Service
HTTP
- Hypertext Transfer Protocol
IGMP
- Internet Group Management Protocol
IPCP
- IP Control Protocol
IPSec
- IP Security Protocol
IPTV
- Internet Protocol Television
IPoE
- Internet Protocol over Ethernet
ISDN
- Integrated Services Digital Network
ISP
- Internet Service Provider
L2TP
- Layer2 Tunnel Protocol
LAC
- L2TP Access Concentrator
LACP
- Link Aggregation Control Protocol
LAN
- Local Area Network
LDP
- Label Distribution Protocol
LLQ
- Low Latency Queueing
LNS
- L2TP Network Server
LSP
- Label Switched Path
VI
MAC
- Media Access Control
MAN
- Metropolitan Area Network
MPLS
- Multiprotocol Label Switching
MRU
- Maximum Receive Unit
MTBF
- Mean Time Between Failures
MTTR
- Mean Time To Recovery
NAS
- Network Access Server
NE
- Network Element
NGN
- Next Generation Network
PC
- Personal Computer
PIR
- Peak Information Rate
PPP
- Point to Point Protocol
PPPoE
- Point to Point Protocol over Ethernet
PPTP
- PPP Tunnel Protocol
PQ
- Priority Queuing
PSTN
- Public Switched Telephone Network
PVC
- Permanent Virtual Circuit
RADIUS
- Remote Authentication Dial In User Service
SAL
- Service Access-List
VII
SSM
- Source Specific Multicast
TCP
- Transmission Control Protocol
TCP/IP
- Transmission Control Protocol/Internet Protocol
ToS
- Type of Service
UDP
- User Datagram Protocol
URL
- Uniform Resource Locator
VCC
- Virtual Channel Connection
VCC
- Virtual Customer Circuit
VLAN
- Virtual Local Area Network
VLL
- Virtual Leased Line
VPDN
- Virtual Private Dialup Network
VPLS
- Virtual Private LAN Service
VPN
- Virtual Private Network
VRF
- Virtual Route Forwarding
VRRP
- Virtual Router Redundancy Protocol
WAN
- Wide Area Network
WEB
- Web
WFQ
- Weighted Fair Queuing
VIII