Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configuration of security features, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
Overview of PPPoE+

Background

PPPoE uses a remote access device to provide the access service for clients on the Ethernet, and controls and charges each connected client. PPPoE uses the client/server model. The PPPoE client sends a connection request to the PPPoE server. After the PPPoE client and PPPoE server complete negotiation, the PPPoE server provides access control and authentication functions.

PPPoE has good authentication and security mechanisms, but it has some limitations. The PPPoE server authenticates a user by user name and password. If an account is stolen, whoever holds the credentials can easily use the account to access the Internet. PPPoE+ is used to solve this problem.

PPPoE+ is deployed on the Switch located between PCs and the Broadband Remote Access Server (BRAS), as shown in Figure 11-1. The Switch adds information about the interface connected to the PPPoE client, such as the slot ID/subcard ID/interface number, VLAN ID, and MAC address, to PPPoE Active Discovery (PAD) packets and sends them to the PPPoE server. Both the user account and the access interface information are authenticated, which prevents the use of stolen accounts.

Figure 11-1  PPPoE+ network

PPPoE+ working process

PPPoE involves three stages: Discovery stage, Session stage, and Terminate stage. PPPoE+ is applied in the Discovery stage and Session stage. Figure 11-2 shows the PPPoE+ working process.

Figure 11-2  PPPoE+ working process

  1. The PPPoE client sends PPPoE Active Discovery Initial (PADI) packets to the PPPoE server.
  2. The Switch obtains a PADI packet, adds information about the interface connected to the PPPoE client (such as the slot ID/subcard ID/interface number, VLAN ID, and MAC address) to the PADI packet in tagged mode, and forwards the packet to the PPPoE server.
  3. After receiving the PADI packet in tagged mode, the BRAS sends a PPPoE Active Discovery Offer (PADO) packet to the PPPoE client.
  4. After receiving the PADO packet, the PPPoE client sends a PPPoE Active Discovery Request (PADR) packet.
  5. After obtaining the PADR packet, the Switch adds PPPoE+ tags to the PADR packet and sends the packet to the BRAS.
  6. After receiving the PADR packet in tagged mode, the BRAS generates a unique PPP session ID and sends a PPPoE Active Discovery Session-confirmation (PADS) packet to the PPPoE client. If no fault occurs, the BRAS and PPPoE client enter the Session stage.
  7. At the Session stage, PPP negotiation is performed and PPP packets are transmitted between the PPPoE client and the BRAS. After PPP negotiation is complete, the BRAS encapsulates the PPPoE+ tags in the RADIUS NAS-Port-ID attribute of RADIUS packets and sends the packets to the RADIUS server. The RADIUS server authenticates the user account and access interface information based on the RADIUS NAS-Port-ID attribute.
  8. After a PPPoE session is established, the PPPoE client and PPPoE server can send PPPoE Active Discovery Terminate (PADT) packets to end the session.
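
Steps 2 and 5 above, sketched as an added example (not Huawei's code): a switch-side function that appends the access-interface tag to PADI/PADR frames and a BRAS-side function that reads it back. The TR-101 Vendor-Specific encoding, the text format of the circuit ID, the replacement of a tag that is already present, and all function names are assumptions, not details from this guide.

```python
import struct

ETH_DISCOVERY, PADI, PADR = 0x8863, 0x09, 0x19   # RFC 2516 EtherType and packet codes
TAG_VENDOR_SPECIFIC = 0x0105                     # RFC 2516 Vendor-Specific tag
VENDOR_ID = struct.pack("!I", 0x00000DE9)        # assumption: TR-101 (Broadband Forum) encoding
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02       # assumption: TR-101 sub-option numbers

def parse_tags(payload):
    """Split a discovery payload into (type, value) pairs, rejecting bad lengths."""
    tags, off = [], 0
    while off < len(payload):
        head, off = payload[off:off + 4], off + 4
        tlen = int.from_bytes(head[2:], "big")
        if len(head) < 4 or off + tlen > len(payload):
            raise ValueError("malformed PPPoE tag")
        tags.append((int.from_bytes(head[:2], "big"), payload[off:off + tlen]))
        off += tlen
    return tags

def add_access_tag(frame, slot, subcard, port, vlan):
    """Switch side: return PADI/PADR frames with the access tag, others unchanged."""
    dst, src = frame[:6], frame[6:12]
    etype, vt, code, sid, plen = struct.unpack_from("!HBBHH", frame, 12)
    if etype != ETH_DISCOVERY or code not in (PADI, PADR):
        return frame
    # Discard any Vendor-Specific tag already present: only the switch may supply it.
    tags = [t for t in parse_tags(frame[20:20 + plen]) if t[0] != TAG_VENDOR_SPECIFIC]
    circuit = f"{slot}/{subcard}/{port}:{vlan}".encode()   # hypothetical text format
    tags.append((TAG_VENDOR_SPECIFIC, VENDOR_ID + bytes([SUB_CIRCUIT_ID, len(circuit)])
                 + circuit + bytes([SUB_REMOTE_ID, len(src)]) + src))
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return dst + src + struct.pack("!HBBHH", etype, vt, code, sid, len(payload)) + payload

def access_info(frame):
    """BRAS side: recover (circuit_id, remote_id) from a tagged frame, or None."""
    plen = struct.unpack_from("!H", frame, 18)[0]
    for ttype, value in parse_tags(frame[20:20 + plen]):
        if ttype == TAG_VENDOR_SPECIFIC and value[:4] == VENDOR_ID:
            subs, off = {}, 4
            while off + 2 <= len(value):
                subs[value[off]] = value[off + 2:off + 2 + value[off + 1]]
                off += 2 + value[off + 1]
            return subs.get(SUB_CIRCUIT_ID), subs.get(SUB_REMOTE_ID)
    return None

CLIENT_MAC = bytes.fromhex("0200c0ffee01")   # constructed sample values from here on
STALE = VENDOR_ID + bytes([SUB_CIRCUIT_ID, 3]) + b"9/9"   # tag present before the switch
BODY = struct.pack("!HH", 0x0101, 0) + struct.pack("!HH", TAG_VENDOR_SPECIFIC, len(STALE)) + STALE
SAMPLE_PADI = b"\xff" * 6 + CLIENT_MAC + struct.pack("!HBBHH", 0x8863, 0x11, PADI, 0, len(BODY)) + BODY
```

The pair returned by `access_info` is the information that step 7 carries to the RADIUS server in the NAS-Port-ID attribute.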
Updated: 2019-04-01

Document ID: EDOC1000178319