Configuration Examples for Routers in Typical Enterprise Scenarios 4.0
Example for Configuring PPPoE Access
This section provides an example for configuring PPPoE access. A networking diagram is provided to help you understand the configuration procedure. This example covers networking requirements, configuration roadmap, configuration procedure, and configuration files.
Applicable Products and Versions
- NE40E series routers running V800R011C10 or a later version
- ME60 series routers running V800R011C10 or a later version
- NetEngine 8000E M8, NetEngine 8000 M14, NetEngine 8000 M8K, and NetEngine 8000 M14K routers running V800R012C10 or a later version
- NetEngine 8000 X routers running V800R012C10 or a later version
Precautions
No. |
Precaution |
Impact |
Workaround |
|---|---|---|---|
1 |
If the number of connection requests is restricted based on a specified MAC address of a PPPoE user, the chasten function takes effect only when one MAC address maps to one session. |
If the chasten function is implemented based on a specified board for PPPoE users who go online through inter-board trunk interfaces, the number of connection requests must be recalculated after an active/standby processing board switchover. |
You are advised not to enable the chasten function based on a specified MAC address after one-to-many mapping between one MAC address and multiple sessions is enabled. |
2 |
The device cannot function as a PPPoE client. |
None |
Plan services properly. |
Prerequisites
- Required special boards
- Boards that support user access have been deployed on the user side.
- Required license items
Table 1-40 Required license items
License
Description
Statistical Dimension
Model
BNG Function License
By default, a maximum of 32K users are supported per BNG. The license can be separately obtained to increase the number of users to 128K. PPPoE, IPoE, L2TP, DAA, and EDSG functions are included.
By device
NE40E series, ME60 series, NetEngine 8000E M8, NetEngine 8000 M14, NetEngine 8000 M8K, NetEngine 8000 M14K, and NetEngine 8000 X
Subscribers Quantity(1k Subscribers)
The license controls the number of online users.
By subscriber
NE40E series, NetEngine 8000E M8, NetEngine 8000 M14, NetEngine 8000 M8K, NetEngine 8000 M14K, and NetEngine 8000 X
Quantity of Access Subscribers(1k Subscribers)
This license controls the number of BAS access users. One license is required for every 1000 activated users.
By subscriber
ME60-X3X8X16
BNG Subscribers Quantity(1k Subscribers)
This license controls the number of BAS access users. One license is required for every 1000 activated users.
By subscriber
NetEngine 8000 X
PPPoE/IPoE Function License
This license controls the PPPoE/IPoE function.
By board
NE40E-X3X8X16
PPPoE/IPoE Port License(per G)
This license helps build a new business model based on CM fixed boards. Ports on a CM fixed board are restricted if a license that controls basic port functions is not purchased. Service functions cannot be used if a license that controls corresponding service functions is not purchased. This license controls PPPoE and IPoE functions for ports on CM fixed boards.
By port
NE40E-X3X8X16, NetEngine 8000 X
PPPoE/IPoE Function License
This license controls the PPPoE/IPoE function of a device.
By device
NE40E-X3X8X16, NE40E-X1X2
Networking Requirements
On the network shown in Figure 1-15, the requirements are as follows:
The user belongs to the domain isp1 and accesses the Internet through GE 0/1/2 on the router in PPPoE mode. The connected device supports the dial-up function.
RADIUS authentication and RADIUS accounting are used.
The IP address of the RADIUS server is 192.168.7.249. The authentication and accounting ports are 1645 and 1646, respectively. The RADIUS+1.1 protocol is adopted, with the key being itellin123456@123.
The IP address of the DNS server is 192.168.7.252.
Configuration Roadmap
Configure a virtual template (VT).
Configure AAA schemes.
Configure a RADIUS server group.
Configure an IPv4 address pool.
Configure a domain.
Bind the VT to an interface.
Configure a BAS interface and a network-side interface.
Data Preparation
- VT number
- Authentication and accounting schemes and their names
- RADIUS server group name and RADIUS server address
- DNS server address
- User access domain
- BAS interface parameters
Procedure
- Configure a VT.
<HUAWEI> system-view[~HUAWEI] interface Virtual-Template 1
[*HUAWEI-Virtual-Template1] ppp authentication-mode chap
[*HUAWEI-Virtual-Template1] commit
[~HUAWEI-Virtual-Template1] quit
- Configure an authentication scheme.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth1
[*HUAWEI-aaa-authen-auth1] authentication-mode radius
[*HUAWEI-aaa-authen-auth1] commit
[~HUAWEI-aaa-authen-auth1] quit
- Configure an accounting scheme.
[~HUAWEI-aaa] accounting-scheme acct1
[*HUAWEI-aaa-accounting-acct1] accounting-mode radius
[*HUAWEI-aaa-accounting-acct1] commit
[~HUAWEI-aaa-accounting-acct1] quit
[~HUAWEI-aaa] quit
- Configure a RADIUS server group.
[~HUAWEI] radius-server group rd1
[*HUAWEI-radius-rd1] radius-server authentication 192.168.7.249 1645
[*HUAWEI-radius-rd1] radius-server accounting 192.168.7.249 1646
[*HUAWEI-radius-rd1] commit
[~HUAWEI-radius-rd1] radius-server type plus11
[~HUAWEI-radius-rd1] radius-server shared-key itellin123456@123
[*HUAWEI-radius-rd1] commit
[~HUAWEI-radius-rd1] quit
- Configure an address pool.
[~HUAWEI] ip pool pool1 bas local
[~HUAWEI-ip-pool-pool1] gateway 10.82.0.1 255.255.255.0
[~HUAWEI-ip-pool-pool1] section 0 10.82.0.2 10.82.0.200
[~HUAWEI-ip-pool-pool1] dns-server 192.168.7.252
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit
- Configure a domain named isp1.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[*HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[*HUAWEI-aaa-domain-isp1] radius-server group rd1
[*HUAWEI-aaa-domain-isp1] commit
[~HUAWEI-aaa-domain-isp1] ip-pool pool1
[~HUAWEI-aaa-domain-isp1] quit
[~HUAWEI-aaa] quit
- Bind the VT to an interface.
[~HUAWEI] interface gigabitEthernet 0/1/2
[~HUAWEI-GigabitEthernet0/1/2] pppoe-server bind virtual-template 1
[*HUAWEI-GigabitEthernet0/1/2] commit
- Configure a BAS interface and a network-side interface.
[~HUAWEI-GigabitEthernet0/1/2] bas
[~HUAWEI-GigabitEthernet0/1/2-bas] access-type layer2-subscriber default-domain authentication isp1
[~HUAWEI-GigabitEthernet0/1/2-bas] authentication-method ppp
[~HUAWEI-GigabitEthernet0/1/2-bas] quit
[~HUAWEI-GigabitEthernet0/1/2] quit
[~HUAWEI] interface gigabitethernet 0/1/1
[~HUAWEI-GigabitEthernet0/1/1] ip address 192.168.7.1 255.255.255.0
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit
![]()
In this example, the user goes online using a username carrying the domain name isp1. Therefore, you do not need to bind the BAS interface to an authentication domain. If a user goes online with a username that does not carry a domain name, you must specify an authentication domain on the BAS interface.
Configuration Files
#
sysname HUAWEI
#
radius-server group rd1
radius-server shared-key-cipher %^%#t6"k@.XLWT&KRNIY9VL'g!54/Mfhu5)Cq^TD,xAY*4^>9a9W|;sFla="jNg=%^%#
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server type plus11
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface gigabitEthernet0/1/2
pppoe-server bind Virtual-Template 1
bas
access-type layer2-subscriber default-domain authentication isp1
#
interface gigabitEthernet0/1/1
ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
gateway 10.82.0.1 255.255.255.0
section 0 10.82.0.2 10.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
#
return